v2.0.1
Technical Manual v2.0.1

AI-Assisted
Code Editor

A professional three-panel workstation for local-first development with AI orchestration. Built on data ownership, modular architecture, and autonomous agency.

Read Documentation
Request a Test Session

1. Overview

What is XteVision Coder and who is it for?

1.1 What is XteVision Coder?

XteVision Coder is an AI-assisted code editor and web-based IDE designed for developers who want to build, edit, and manage projects with integrated AI support. It provides a professional three-panel workstation layout with file exploration, code editing, AI chat, live preview, and terminal access—all running locally with support for various AI models.

1.2 Key Capabilities

  • Multi-root workspace management with drag-and-drop file operations
  • Professional code editing powered by Monaco Editor (same engine as VS Code)
  • AI-assisted coding with streaming responses and autonomous agent mode
  • Persistent authenticated sessions with standalone login/register and PostgreSQL-backed session storage
  • Saved AI conversations with titles, rename/search/bookmark controls, and automatic last-session restore
  • Workspace state recovery restoring the active workspace root, open tabs, active tab, and unsaved editor buffers
  • Live preview for HTML/CSS/JS projects with sandboxed iframe rendering
  • Integrated terminal with command allowlist for safe execution
  • Multi-model support for MLX, Ollama, LMStudio, GitHub Copilot, and OpenRouter
  • Smart code merging with diff-based edit application and visual diff preview

1.3 Target Users

  • Developers working with local AI models
  • Teams needing a lightweight, self-hosted IDE
  • Educators teaching programming with AI assistance
  • Anyone wanting a VS Code-like experience in the browser

2. System Architecture

High-level design and communication flow

2.1 High-Level Architecture

┌──────────────────────────────────────────────────────────┐
│                      Browser (Client)                     │
│  ┌────────────────────────────────────────────────────┐  │
│  │               Frontend (Vanilla JS)                 │  │
│  │  ┌────────┐ ┌────────┐ ┌──────┐ ┌────────┐       │  │
│  │  │ File   │ │ Monaco │ │  AI  │ │ Live   │       │  │
│  │  │Explorer│ │ Editor │ │ Chat │ │Preview │       │  │
│  │  └────────┘ └────────┘ └──────┘ └────────┘       │  │
│  └────────────────────────────────────────────────────┘  │
└──────────────────────┬───────────────────────────────────┘
                       │ HTTP/REST API (localhost:5004)
┌──────────────────────┴───────────────────────────────────┐
│                  Python Backend Server                    │
│  ┌──────────┐ ┌────────┐ ┌────────┐ ┌──────────┐ ┌──────────┐ │
│  │ File I/O │ │ Shell  │ │AI Proxy│ │Workspace │ │Auth/Chat │ │
│  └──────────┘ └────────┘ └────────┘ └──────────┘ └──────────┘ │
└──────────────────────┬───────────────────────────────────┘
         ┌───────────┬───────────┬───────────┐
         │           │           │           │
     ┌─────▼──────┐ ┌──▼────────┐ ┌▼──────────┐
     │  File      │ │PostgreSQL │ │ AI Model  │
     │  System    │ │ users +   │ │  Server   │
     │            │ │ sessions  │ │           │
     └────────────┘ └───────────┘ └───────────┘

2.2 Communication Flow

  1. Frontend → Backend: RESTful HTTP requests for file operations, shell commands, and AI proxying
  2. Backend → AI Model: OpenAI-compatible API calls to local or remote model servers
  3. Backend → Frontend: JSON responses with file contents, execution results, or streaming AI responses via SSE
  4. Frontend → User: UI updates, editor changes, chat responses, and terminal output

2.3 Deployment Model

XteVision Coder is designed for local-first development:

  • Runs entirely on the user's machine
  • No cloud dependencies (except optional AI model proxies)
  • Backend serves static frontend files
  • All data stays on the local filesystem

3. Technology Stack

Frontend, backend, and AI integration technologies

3.1 Frontend Technologies

TechnologyVersionPurpose
JavaScript (ES6+)ES2020+Application logic
HTML5-Semantic structure
CSS3-Styling & layout
Monaco Editor0.52.2Code editing
Marked.js-Markdown parsing
Prism.js-Syntax highlighting
html2pdf.js-PDF generation
FontAwesomeFreeIcon library

3.2 Backend Technologies

TechnologyVersionPurpose
Python3.8+HTTP server
http.serverstdlibBase HTTP server
socketserverstdlibTCP threading
subprocessstdlibShell execution
PostgreSQL12+User accounts, auth sessions, and chat sessions
psycopg22.9+PostgreSQL connectivity
argon2-cffi23+Password hashing
PyJWT2.8+Signed Prodigy handoff tokens

3.3 Browser Support

BrowserSupportNotes
Chrome/Edge✅ FullFile System Access API
Firefox⚠️ PartialServer-based I/O
Safari⚠️ PartialLimited file access

4. Installation & Setup

Get XteVision Coder running in minutes

4.1 Prerequisites

  • Python 3.8+ (for backend server)
  • Modern browser (Chrome/Edge recommended)
  • AI model server (optional, for AI features)

4.2 Installation Steps

Step 1: Download

cd /path/to/mlx_coder

Step 2: Install Monaco Editor (Optional)

bash download-monaco.sh

Step 3: Configure AI Server (Optional)

mlx_lm.server --model <your-model-path> --port 5010

Step 4: Install Python Dependencies

pip3 install -r requirements.txt

Step 5: Start XteVision Coder

# Default configuration
python3 server.py

# Custom port
PORT=8080 python3 server.py

# With PostgreSQL-backed authentication
XTEVISION_DB_HOST=192.168.1.4 \
XTEVISION_DB_PORT=5432 \
XTEVISION_DB_NAME=codebase \
XTEVISION_DB_USER=postgres \
XTEVISION_DB_PASSWORD=your-db-password \
python3 server.py

Step 6: Access the Application

http://localhost:5004

4.3 First-Time Setup

  1. Create Account: Use the login/register overlay to create the first standalone Coder user
  2. Open Workspace: Click "Open Folder" to select a project directory
  3. Configure AI: Open Settings (gear icon) and save your preferred AI backend
  4. Start a Session: Use the Sessions toolbar to create, name, and bookmark persistent AI conversations

4.4 Authentication Setup

XteVision Coder now uses cookie-based standalone authentication backed by PostgreSQL. Each user sees only their own saved chat sessions and workspace restoration data.

Required database: the backend expects a PostgreSQL database such as codebase. On startup, Coder creates and migrates the coder schema automatically when the configured database is reachable.
  • XTEVISION_AUTH_COOKIE_NAME: session cookie name, default xtevision_session
  • XTEVISION_AUTH_SESSION_DAYS: cookie lifetime in days, default 14
  • XTEVISION_AUTH_ALLOW_REGISTRATION: enable/disable local sign-up
  • XTEVISION_PRODIGY_SHARED_SECRET: optional shared secret for future trusted Prodigy launch handoff

4.5 OpenRouter Setup

To use OpenRouter as the AI backend:

  1. Open Settings from the right sidebar
  2. Select OpenRouter in the AI Server dropdown
  3. Set the API URL to https://openrouter.ai/api/v1/chat/completions
  4. Choose an OpenRouter model ID such as qwen/qwen3.6-plus-preview
  5. Paste your API key into OpenRouter API Key
  6. Optionally set HTTP Referer and X-OpenRouter-Title

When OpenRouter is selected, XteVision Coder attaches these headers:

  • Authorization: Bearer <OPENROUTER_API_KEY>
  • HTTP-Referer: <configured site URL>
  • X-OpenRouter-Title: <configured site title>

5. Application Structure

Directory layout and module organization

5.1 Directory Layout

mlx_coder/
├── index.html                      # Main HTML entry point
├── style.css                       # Application styles
├── script.js                       # Bootstrap and module loader
├── server.py                       # Python HTTP backend
├── .mlx.json                       # Project state
├── js/
│   ├── modules/                    # Frontend ES6 modules
│   │   ├── state.js                # Global state management
│   │   ├── config.js               # AI configuration and provider-specific settings
│   │   ├── utils.js                # Utility functions
│   │   ├── filesystem.js           # File I/O and workspace
│   │   ├── editor.js               # Monaco Editor initialization
│   │   ├── chat.js                 # AI chat and streaming
│   │   ├── agent.js                # Agent loop and function calling
│   │   ├── auth.js                 # Login/register/logout bootstrap
│   │   ├── sessionPersistence.js   # Chat session autosave and restore
│   │   ├── tools.js                # Tool definitions
│   │   ├── diff.js                 # Diff-based editing
│   │   ├── preview.js              # Live preview and PDF export
│   │   └── ui.js                   # UI rendering and interactions
│   ├── marked.min.js               # Markdown parser
│   ├── prism.min.js                # Syntax highlighter
│   └── html2pdf.bundle.min.js      # PDF generation
├── fontawesome-free-web/           # FontAwesome icons
├── requirements.txt                # Python auth/database dependencies
├── projects/                       # User project files
└── logs/app.log                    # Application log

5.2 State Management

export const state = {
    editor: null,               // Monaco Editor instance
    files: {},                  // File content cache
    openTabs: [],               // Open editor tabs
    activeTabPath: null,        // Active tab path array
    tabDirty: {},               // Dirty state per tab path
    messageHistory: [],         // Active chat message history
    chatSessionId: null,        // Current saved chat session id
    chatSessions: [],           // Available saved chat sessions
    workspaceFolders: new Map() // Open workspace folders
};

6. Core Features

File explorer, code editor, AI chat, preview, and terminal

File Explorer

Multi-root workspace, drag-and-drop operations, context menus, path traversal protection, and three workspace modes (Native, Server, Fallback).

Code Editor

Monaco Editor with 20+ languages, multi-tab editing, IntelliSense, minimap, find/replace, multi-cursor, and code folding.

AI Chat

Streaming and Agent modes, SSE responses, 7 tools, @-mentions, code block actions (Copy, Smart Merge, Insert, Create, Replace), and visual diff previews.

Saved Sessions

Persistent per-user AI sessions with rename, search, bookmark, autosave, and restore of chat history plus workspace/editor state.

Live Preview

HTML rendering in sandboxed iframe, Markdown to HTML conversion, YAML formatting, and PDF export via html2pdf.

Terminal/Shell

LOG and SHELL tabs, 100-entry command history, 40+ command allowlist, blocked patterns defense-in-depth.

Authentication

Standalone browser login, secure session cookies, Argon2-hashed passwords, and future signed Prodigy launch support.

Agent Mode Details

PropertyValue
Max Iterations15 steps per task
Timeout1 hour maximum
Retry Logic3 retries with exponential backoff
Available Toolsread_file, write_file, edit_file, list_files, search_files, run_shell, create_directory

7. Frontend Architecture

Core modules and event system

7.1 Core Modules

state.js - Global State Manager

Centralized state with lazy DOM caching via Proxy and typo detection.

config.js - Configuration Manager

AI server presets, provider-specific request headers, OpenRouter header injection, localStorage persistence, and connection health checking.

utils.js - Utility Functions

Shared helpers: escapeHtml, logToTerminal, safeFetchJson, cleanContent.

filesystem.js - File System Operations

File I/O (native + server), workspace management, drag-and-drop, IndexedDB, AI helpers.

editor.js - Monaco Editor Manager

Monaco initialization, multi-tab management, save operations, dirty state tracking.

chat.js - AI Chat Manager

Message handling, provider-aware request headers, SSE streaming, agent coordination, code block actions, @-mentions, and session-aware message history updates.

agent.js - Agent Engine

Multi-step execution, provider-aware request headers, function calling, tool parsing, retry logic, Copilot protocol.

auth.js - Auth Bootstrap

Login/register/logout flow, startup gating, and auth HUD updates for the protected IDE shell.

sessionPersistence.js - Session Manager

Autosaves chat sessions, restores the latest session, and rehydrates workspace root, tabs, dirty buffers, and bookmarks.

tools.js - Tool Definitions

Tool schemas, execution logic, parameter validation for 7 tools.

7.2 Event System

// Custom event for settings changes
window.dispatchEvent(new CustomEvent('xtevision-settings-changed'));

// Listen for events
window.addEventListener('xtevision-settings-changed', () => {
  // React to settings change
});

7.3 Error Handling

// Global error boundaries for async init
try {
  await checkServerAvailability();
  await connectToServerWorkspace();
} catch (error) {
  logToTerminal(`Init error: ${error.message}`, 'error');
}

8. Backend Architecture

Python server configuration and request handling

8.1 Server Configuration

PORT = int(os.environ.get('PORT', 5004))
PROJECTS_DIR = os.path.join(os.getcwd(), 'projects')
AI_PROXY_TIMEOUT_SEC = 3660
AUTH_COOKIE_NAME = os.environ.get('XTEVISION_AUTH_COOKIE_NAME', 'xtevision_session')
AUTH_DB_HOST = os.environ.get('XTEVISION_DB_HOST', '192.168.1.4')
AUTH_DB_NAME = os.environ.get('XTEVISION_DB_NAME', 'codebase')
PRODIGY_JWT_SECRET = os.environ.get('XTEVISION_PRODIGY_SHARED_SECRET', '')

8.2 Thread Safety

_current_dir_lock = threading.Lock()
_current_dir = os.getcwd()

def get_current_dir():
    with _current_dir_lock:
        return _current_dir

8.3 Auth and Session Storage

The backend initializes a coder PostgreSQL schema containing:

  • users for local and future Prodigy-linked identities
  • auth_sessions for secure session-cookie login state
  • auth_launch_tokens for one-time signed launch handoffs
  • chat_sessions for saved chats, titles, bookmarks, and UI restore payloads

8.4 Request Handler

class CustomHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self): # Handle GET
    def do_POST(self): # Handle POST
    def do_OPTIONS(self): # CORS preflight
    def end_headers(self): # Add CORS headers

8.5 AI Proxy Behavior

The backend exposes two AI-related proxy endpoints:

  • /api/proxy for lightweight JSON fetches such as model discovery
  • /api/ai-proxy for full request forwarding to OpenAI-compatible chat endpoints

For OpenRouter, both endpoints forward provider headers and permit openrouter.ai in the proxy allowlist so authenticated model discovery and chat completions work through the backend fallback path.

9. AI Integration

Supported servers, protocols, and function calling

9.1 Supported AI Servers

ServerDefault URLPortNotes
MLXhttp://localhost5010Apple Silicon optimized
Ollamahttp://localhost11434Popular local models
LMStudiohttp://localhost1234GUI-based model server
GitHub Copilothttp://localhost5015Via proxy
OpenRouterhttps://openrouter.ai443Cloud API gateway
CustomUser-definedAnyOpenAI-compatible API

9.2 OpenAI-Compatible Protocol

Endpoint: /v1/chat/completions

{
  "model": "your-model-name",
  "messages": [
    {"role": "system", "content": "You are a coding assistant..."},
    {"role": "user", "content": "Write a function to..."}
  ],
  "stream": true,
  "tools": [{"type":"function","function":{"name":"read_file","parameters":{"file_path":"string"}}}]
}

9.3 Streaming Response Format

Server-Sent Events (SSE):

data: {"choices": [{"delta": {"content": "Hello"}}]}
data: {"choices": [{"delta": {"content": "!"}}]}
data: [DONE]

9.4 Function Calling

Tool Call Parsing (3 formats):

  1. Gemma-style: call:read_file{"file_path": "test.js"}
  2. Structured JSON: {"name": "read_file", "arguments": {...}}
  3. Tagged format:

9.5 Copilot Planner Protocol

When using GitHub Copilot as the backend, the agent uses a JSON-only response format for structured tool calls and follows the planner-execution pattern.

10. Security Model

Five-layer security implementation

10.1 Shell Command Allowlist

40+ approved commands: ls, cat, echo, pwd, mkdir, touch, cp, mv, git, npm, python, node, curl, etc.

Blocked patterns (defense-in-depth):

  • rm -rf / and variants
  • sudo commands
  • chmod 777
  • Pipe to shell: curl ... | sh
  • Fork bombs and filesystem utilities

10.2 Path Traversal Protection

Uses os.path.commonpath() + os.path.realpath() to prevent symlink-based path traversal attacks. All file operations are validated to stay within the workspace root.

10.3 SSRF Protection

AI proxy restricted to approved domains only:

  • localhost, 127.0.0.1, 0.0.0.0
  • 192.168.10.3 (user's local network AI server)
  • openrouter.ai (cloud provider endpoint)

Prevents use of the proxy to access internal network services.

10.4 CORS Hardening

Replaced wildcard CORS with localhost-only origins:

  • http://localhost:5004
  • http://127.0.0.1:5004
  • http://localhost:8080

Prevents malicious websites from making requests to the local server.

10.5 Authentication

XteVision Coder now protects the workspace with standalone browser authentication:

  • Argon2-hashed local passwords stored in PostgreSQL
  • Server-issued session cookies with configurable lifetime
  • Per-user chat/session isolation enforced on the backend
  • Optional future Prodigy launch handoff via signed one-time JWTs

10.6 Data Loss Prevention

  • beforeunload warning: Warns users before closing tab with unsaved changes
  • Settings save without reload: Dispatches custom event instead of page reload
  • Dirty state tracking: Monaco version ID monitors edits
  • Session autosave: chat history, bookmarks, workspace root, and unsaved buffers are persisted per user

11. API Reference

Complete REST API endpoints

11.1 File Operations

POST /api/write-file

Request:
{
  "path": "projects/myapp/src/index.js",
  "content": "console.log('Hello');"
}

Response:
{"success": true, "message": "File written successfully"}

POST /api/read-file

Request:
{"path": "projects/myapp/package.json"}

Response:
{"content": "{...}", "success": true}

POST /api/create-folder

Request:
{"path": "projects/myapp/src/components"}

Response:
{"success": true, "message": "Folder created"}

GET /api/list-files

Response:
{"folders": ["src", "public"], "files": ["index.html", "package.json"]}

POST /api/delete-item

Request:
{"path": "projects/myapp/old-file.js"}

Response:
{"success": true}

POST /api/rename-item

Request:
{"old_path": "projects/myapp/old-name.js", "new_path": "projects/myapp/new-name.js"}

Response:
{"success": true}

11.2 Shell Execution

POST /shell

Request:
{"command": "ls -la"}

Response:
{"output": "total 48\ndrwxr-xr-x ...", "success": true}

11.3 AI Proxy

POST /api/proxy

Forwards requests to configured AI server for model discovery and lightweight operations.

POST /api/ai-proxy

Forwards full chat completion requests to the configured AI backend with provider-specific headers for OpenRouter integration.

11.4 Authentication

GET /auth/me

Returns the authenticated user and backend availability state for the login bootstrap.

POST /auth/register

Creates a new standalone Coder user with username, optional email, and password.

POST /auth/login

Authenticates a local user and returns a session cookie.

POST /auth/logout

Revokes the current auth session and clears the cookie.

11.5 Chat Sessions

GET /api/chat-sessions

Lists the current user's saved chat sessions ordered by bookmark state and recent activity.

GET /api/chat-sessions/current

Returns the latest active chat session for login restore.

POST /api/chat-sessions

Creates a new chat session with title, messages, bookmark state, and serialized UI state.

POST /api/chat-sessions/<id>/save

Updates an existing session with new messages, renamed title, bookmark flag, workspace root, open tabs, and unsaved buffer contents.

POST /api/chat-sessions/<id>/delete

Deletes the selected chat session for the authenticated user.

11.6 Diff Editing

POST /api/edit-file

Request:
{
  "path": "projects/myapp/src/index.js",
  "edits": [{
    "search": "console.log('old')",
    "replace": "console.log('new')"
  }]
}

Response:
{"success": true, "message": "File updated"}

12. Configuration

Environment variables and settings

12.1 Environment Variables

VariableDefaultDescription
PORT5004Backend server port
XTEVISION_AUTH_COOKIE_NAMExtevision_sessionSession cookie name
XTEVISION_AUTH_SESSION_DAYS14Cookie/session lifetime in days
XTEVISION_AUTH_SECURE_COOKIEfalseMarks cookies secure when behind HTTPS
XTEVISION_AUTH_ALLOW_REGISTRATIONtrueEnable or disable local sign-up
XTEVISION_DB_HOST192.168.1.4PostgreSQL host
XTEVISION_DB_PORT5432PostgreSQL port
XTEVISION_DB_NAMEcodebasePostgreSQL database name
XTEVISION_DB_USERpostgresPostgreSQL username
XTEVISION_DB_PASSWORDemptyPostgreSQL password
XTEVISION_PRODIGY_SHARED_SECRETemptyOptional signed Prodigy handoff secret

12.2 localStorage Settings

SettingTypeDescription
xtevision_ai_serverstringSelected AI server preset
xtevision_ai_urlstringAI server API URL
xtevision_ai_modelstringModel name/ID
openrouter_api_keystringOpenRouter API key
openrouter_site_urlstringOpenRouter HTTP-Referer header value
openrouter_site_titlestringOpenRouter X-OpenRouter-Title header value
xtevision_last_filestringLast opened file path

12.3 Database-backed User Data

The following data is no longer stored only in localStorage:

  • User accounts and active auth sessions
  • Saved chat sessions and renamed titles
  • Bookmark state and session activity timestamps
  • Workspace restore metadata, open tabs, and unsaved editor buffers

12.4 AI Server Presets

PresetsURLPort
MLXhttp://localhost5010
Ollamahttp://localhost11434
LMStudiohttp://localhost1234
OpenRouterhttps://openrouter.ai443
Copilothttp://localhost5015

13. Development Guide

Module creation and debugging

13.1 Adding a New Module

// 1. Create js/modules/mymodule.js
import { state, elements } from './state.js';
import { logToTerminal } from './utils.js';

export function initMyModule() {
  logToTerminal('MyModule initialized', 'info');
}

// 2. Import in script.js
import { initMyModule } from './js/modules/mymodule.js';

// 3. Call during initialization
initMyModule();

13.2 Debugging

  • Enable debug logging: localStorage.setItem('debug', 'true')
  • Chrome DevTools: Full source map support for ES modules
  • Network tab: Monitor API requests and responses
  • Console: All errors logged with context

13.3 Testing AI Integration

// Test AI connection from console
const response = await fetch('http://localhost:5004/api/proxy', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    model: 'test-model',
    messages: [{role: 'user', content: 'Hello'}]
  })
});
console.log(await response.json());

13.4 Cache Busting

All JS modules use ?v=APP_VERSION query parameter for cache busting. Update APP_VERSION in config.js after making changes.

14. Troubleshooting

Common issues and solutions

14.1 Monaco Editor Not Loading

  • Issue: Editor shows error overlay or blank
  • Solution: Run bash download-monaco.sh or check network for CDN access

14.2 AI Connection Failed

  • Issue: "Connection refused" error in LOG terminal
  • Solution: Ensure the AI model server is running on the configured port and save the provider settings again from the AI Backend Settings modal

14.3 Auth Backend Unavailable

  • Issue: Login/register overlay reports auth backend unavailable
  • Solution: Verify PostgreSQL is running, the configured codebase database exists, and the XTEVISION_DB_* variables match the server configuration

14.4 File Save Not Working

  • Issue: Ctrl+S shows error
  • Solution: Verify backend server is running. Check browser console for CORS errors

14.5 Shell Commands Blocked

  • Issue: "Command not allowed" error
  • Solution: Command not in allowlist. Add to ALLOWED_SHELL_COMMANDS in server.py if needed

14.6 Mixed Content Errors

  • Issue: HTTPS page blocking HTTP requests
  • Solution: Access via http://localhost:5004 (no HTTPS). Use shouldForceBackendProxy() detection

14.7 Safari File Access Limited

  • Issue: Can only access selected files
  • Solution: Safari doesn't support File System Access API. Use server-based mode or switch to Chrome/Edge

14.8 Agent Mode Not Responding

  • Issue: Agent loop hangs or times out
  • Solution: Check AI model supports function calling. Increase timeout in AI_PROXY_TIMEOUT_SEC