@bitkyc08/opencodex 2.0.2 → 2.1.3

package/src/cli.ts

@@ -1,8 +1,10 @@
 #!/usr/bin/env bun
 import { execFileSync, spawn } from "node:child_process";
+import { rmSync } from "node:fs";
 import { restoreNativeCodex } from "./codex-inject";
-import { loadConfig, readPid, removePid, writePid } from "./config";
-import { serviceCommand, stopServiceIfInstalled } from "./service";
+import { codexAutoStartEnabled, getConfigDir, loadConfig, readPid, removePid, saveConfig, writePid } from "./config";
+import { findAvailablePort } from "./ports";
+import { serviceCommand, stopServiceIfInstalled, uninstallServiceIfInstalled } from "./service";
 import { startServer } from "./server";
 import { maybeShowStarPrompt } from "./star-prompt";
 
@@ -17,9 +19,12 @@ Usage:
   ocx start [--port <port>]   Start the proxy server (auto-syncs models to Codex)
   ocx stop                    Stop the proxy AND restore native Codex (plain codex works again)
   ocx restore                 Restore native Codex without stopping (alias: eject)
+  ocx uninstall               Remove service/shim/config and restore native Codex
   ocx service <sub>           Run as a background service (install|start|stop|status|uninstall)
   ocx codex-shim <sub>        Auto-start proxy when \`codex\` launches (install|status|uninstall)
+  ocx ensure                  Ensure the proxy is running and Codex config/cache are current
   ocx sync                    Fetch models from providers and inject into Codex config
+  ocx sync-cache              Refresh Codex's model cache from the active catalog
   ocx status                  Check proxy server status
   ocx login <provider>        OAuth login (xai) — opens browser, stores token in ~/.opencodex/auth.json
   ocx logout <provider>       Remove a stored OAuth login
@@ -55,23 +60,74 @@ async function syncModelsToCodex(port?: number) {
   return result;
 }
 
-async function handleStart(options: { block?: boolean } = {}) {
-  const existingPid = readPid();
-  if (existingPid) {
-    console.error(`⚠️  Proxy already running (PID ${existingPid}). Use 'ocx stop' first.`);
+function parsePortOption(): number | undefined {
+  const portIdx = args.indexOf("--port");
+  if (portIdx === -1) return undefined;
+  const value = args[portIdx + 1];
+  const port = value ? parseInt(value, 10) : NaN;
+  if (!Number.isInteger(port) || port <= 0 || port > 65535) {
+    console.error("Invalid port number");
     process.exit(1);
   }
+  return port;
+}
 
-  let port: number | undefined;
-  const portIdx = args.indexOf("--port");
-  if (portIdx !== -1 && args[portIdx + 1]) {
-    port = parseInt(args[portIdx + 1], 10);
-    if (isNaN(port)) {
-      console.error("Invalid port number");
+function healthHost(hostname?: string): string {
+  return !hostname || hostname === "0.0.0.0" || hostname === "::" ? "127.0.0.1" : hostname;
+}
+
+async function proxyHealthy(port?: number): Promise<boolean> {
+  const config = loadConfig();
+  const p = port ?? config.port ?? 10100;
+  try {
+    const res = await fetch(`http://${healthHost(config.hostname)}:${p}/healthz`, {
+      signal: AbortSignal.timeout(750),
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+
+async function waitForProxy(timeoutMs = 8_000): Promise<number | null> {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    const config = loadConfig();
+    const port = config.port ?? 10100;
+    if (await proxyHealthy(port)) return port;
+    await new Promise(resolve => setTimeout(resolve, 150));
+  }
+  return null;
+}
+
+async function chooseListenPort(requestedPort?: number): Promise<number> {
+  const config = loadConfig();
+  const preferred = requestedPort ?? config.port ?? 10100;
+  const selected = await findAvailablePort(preferred, config.hostname ?? "127.0.0.1");
+  if (selected !== preferred) {
+    console.log(`⚠️  Port ${preferred} is busy; starting opencodex on ${selected}.`);
+  }
+  if (config.port !== selected) {
+    config.port = selected;
+    saveConfig(config);
+  }
+  return selected;
+}
+
+async function handleStart(options: { block?: boolean } = {}) {
+  const existingPid = readPid();
+  if (existingPid) {
+    const config = loadConfig();
+    if (await proxyHealthy(config.port)) {
+      console.error(`⚠️  Proxy already running (PID ${existingPid}). Use 'ocx stop' first.`);
       process.exit(1);
     }
+    removePid();
   }
 
+  const requestedPort = parsePortOption();
+  const port = await chooseListenPort(requestedPort);
+
   const server = startServer(port);
   writePid(process.pid);
 
@@ -96,6 +152,39 @@ async function handleStart(options: { block?: boolean } = {}) {
   }
 }
 
+async function handleEnsure() {
+  let config = loadConfig();
+  if (!codexAutoStartEnabled(config)) {
+    console.log("Codex autostart is disabled.");
+    return;
+  }
+  if (await proxyHealthy(config.port)) {
+    await syncModelsToCodex(config.port).catch(e => {
+      console.error(`⚠️  Model sync skipped: ${e instanceof Error ? e.message : String(e)}`);
+    });
+    console.log(`✅ Proxy running on port ${config.port}`);
+    return;
+  }
+
+  const child = spawn(process.execPath, [process.argv[1], "start"], {
+    detached: true,
+    stdio: "ignore",
+    env: { ...process.env, OCX_SERVICE: "1" },
+  });
+  child.unref();
+
+  const port = await waitForProxy();
+  if (!port) {
+    console.error("❌ Proxy did not become healthy after starting.");
+    process.exit(1);
+  }
+  config = loadConfig();
+  await syncModelsToCodex(config.port ?? port).catch(e => {
+    console.error(`⚠️  Model sync skipped: ${e instanceof Error ? e.message : String(e)}`);
+  });
+  console.log(`✅ Proxy running on port ${config.port ?? port}`);
+}
+
 function killProxy(pid: number): void {
   if (!isProcessAlive(pid)) return;
   if (process.platform === "win32") {
@@ -154,6 +243,58 @@ function handleStop() {
   if (stopFailed) process.exit(1);
 }
 
+async function handleUninstall() {
+  const failures: string[] = [];
+
+  const runStep = (label: string, step: () => void | boolean) => {
+    try {
+      const changed = step();
+      if (changed === false) console.log(`- ${label}: not installed`);
+      else console.log(`✅ ${label}`);
+    } catch (err) {
+      failures.push(label);
+      console.error(`⚠️  ${label} failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  };
+
+  runStep("service removed", () => {
+    stopServiceIfInstalled();
+    return uninstallServiceIfInstalled();
+  });
+
+  runStep("proxy stopped", () => {
+    const pid = readPid();
+    if (!pid) return false;
+    killProxy(pid);
+    removePid();
+    return true;
+  });
+
+  runStep("native Codex restored", () => {
+    const r = restoreNativeCodex();
+    if (!r.success) throw new Error(r.message);
+  });
+
+  try {
+    const { uninstallCodexShim } = await import("./codex-shim");
+    const r = uninstallCodexShim();
+    console.log(r.removed ? "✅ Codex autostart shim removed" : "- Codex autostart shim removed: not installed");
+  } catch (err) {
+    failures.push("Codex autostart shim removed");
+    console.error(`⚠️  Codex autostart shim removed failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+
+  runStep("opencodex config removed", () => {
+    rmSync(getConfigDir(), { recursive: true, force: true });
+  });
+
+  if (failures.length > 0) {
+    console.error(`\nUninstall finished with ${failures.length} failed step(s): ${failures.join(", ")}`);
+    process.exit(1);
+  }
+  console.log("\n✅ opencodex local state removed. Remove the package with: npm uninstall -g @bitkyc08/opencodex");
+}
+
 function handleStatus() {
   const pid = readPid();
   if (pid) {
@@ -182,9 +323,16 @@ switch (command) {
     console.log("Plain `codex` now runs natively (no proxy).");
     break;
   }
+  case "uninstall":
+  case "remove":
+    await handleUninstall();
+    break;
   case "status":
     handleStatus();
     break;
+  case "ensure":
+    await handleEnsure();
+    break;
   case "login": {
     const { handleLogin } = await import("./oauth/login-cli");
     await handleLogin(args[1]);
@@ -201,6 +349,11 @@ switch (command) {
     await syncModelsToCodex();
     break;
   }
+  case "sync-cache": {
+    const { invalidateCodexModelsCache } = await import("./codex-catalog");
+    invalidateCodexModelsCache();
+    break;
+  }
   case "gui": {
     const cfg = await import("./config");
     const config = cfg.loadConfig();
@@ -248,7 +401,7 @@ switch (command) {
   }
   case "update": {
     const { runUpdate } = await import("./update");
-    runUpdate();
+    await runUpdate();
     break;
   }
   case "help":

package/src/codex-catalog.ts

@@ -150,6 +150,7 @@ export function normalizeRoutedCatalogEntry(entry: RawEntry): RawEntry {
   // runs through native gpt-5.4-mini, so image search is available and verbalized for text-only models.
   entry.web_search_tool_type = "text_and_image";
   entry.supports_search_tool = true;
+  entry.supports_parallel_tool_calls = false;
   return ensureStrictCatalogFields(entry);
 }
 

package/src/codex-history-provider.ts

@@ -0,0 +1,86 @@
+import { existsSync, readFileSync, statSync, utimesSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { Database } from "bun:sqlite";
+import { CODEX_HOME } from "./codex-paths";
+
+const STATE_DB_PATH = join(CODEX_HOME, "state_5.sqlite");
+const RESUMABLE_SOURCES = ["cli", "vscode"] as const;
+
+type CodexHistoryProvider = "openai" | "opencodex";
+
+interface ThreadRow {
+  id: string;
+  rollout_path: string;
+}
+
+function updateSessionMetaProvider(path: string, provider: CodexHistoryProvider): boolean {
+  if (!path || !existsSync(path)) return false;
+  const stat = statSync(path);
+  const raw = readFileSync(path, "utf8");
+  const newline = raw.indexOf("\n");
+  const firstLine = newline === -1 ? raw : raw.slice(0, newline);
+  const rest = newline === -1 ? "" : raw.slice(newline);
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(firstLine);
+  } catch {
+    return false;
+  }
+
+  if (!parsed || typeof parsed !== "object") return false;
+  const record = parsed as { type?: unknown; payload?: { model_provider?: unknown } };
+  if (record.type !== "session_meta" || !record.payload || typeof record.payload !== "object") return false;
+  if (record.payload.model_provider === provider) return false;
+
+  record.payload.model_provider = provider;
+  writeFileSync(path, `${JSON.stringify(record)}${rest}`, "utf8");
+  utimesSync(path, stat.atime, stat.mtime);
+  return true;
+}
+
+export function syncCodexHistoryProvider(provider: CodexHistoryProvider, stateDbPath = STATE_DB_PATH): { rows: number; files: number } {
+  if (!existsSync(stateDbPath)) return { rows: 0, files: 0 };
+  const from = provider === "opencodex" ? "openai" : "opencodex";
+  const db = new Database(stateDbPath);
+  try {
+    const placeholders = RESUMABLE_SOURCES.map(() => "?").join(",");
+    const rows = db
+      .query<ThreadRow, string[]>(`
+        SELECT id, rollout_path
+        FROM threads
+        WHERE model_provider = ?
+          AND source IN (${placeholders})
+      `)
+      .all(from, ...RESUMABLE_SOURCES);
+
+    let files = 0;
+    for (const row of rows) {
+      try {
+        if (updateSessionMetaProvider(row.rollout_path, provider)) files++;
+      } catch {
+        /* best-effort; keep DB migration moving even if one old rollout is malformed */
+      }
+    }
+
+    const update = db.transaction(() => {
+      db.query(`
+        UPDATE threads
+        SET has_user_event = 1
+        WHERE source IN (${placeholders})
+          AND trim(coalesce(first_user_message, '')) != ''
+      `).run(...RESUMABLE_SOURCES);
+      db.query(`
+        UPDATE threads
+        SET model_provider = ?
+        WHERE model_provider = ?
+          AND source IN (${placeholders})
+      `).run(provider, from, ...RESUMABLE_SOURCES);
+    });
+    update();
+
+    return { rows: rows.length, files };
+  } finally {
+    db.close();
+  }
+}

package/src/codex-inject.ts

@@ -1,6 +1,7 @@
 import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { atomicWriteFile, websocketsEnabled } from "./config";
 import { restoreCodexCatalog } from "./codex-catalog";
+import { syncCodexHistoryProvider } from "./codex-history-provider";
 import { CODEX_CONFIG_PATH, CODEX_PROFILE_PATH, DEFAULT_CATALOG_PATH, parseTomlString, readRootTomlString, resolveCodexConfigPath, tomlString } from "./codex-paths";
 import type { OcxConfig } from "./types";
 
@@ -228,14 +229,19 @@ export async function injectCodexConfig(port: number, config?: OcxConfig, option
 
   writeFileSync(CODEX_CONFIG_PATH, content, "utf-8");
   writeFileSync(CODEX_PROFILE_PATH, buildProfileFile(port, catalogPath), "utf-8");
+  const history = syncCodexHistoryProvider("opencodex");
 
   const catalogMessage = catalogPath
     ? `  Codex model catalog: ${catalogPath}\n`
     : `  Codex model catalog not injected because no opencodex catalog file exists yet.\n`;
+  const historyMessage = history.rows > 0
+    ? `  Codex resume history: ${history.rows} thread(s) mapped to opencodex.\n`
+    : "";
   return {
     success: true,
     message: `Injected opencodex as default provider into Codex config.\n` +
       catalogMessage +
+      historyMessage +
       `  All models now route through opencodex proxy (like OpenRouter).\n` +
       `  OpenAI models (gpt-5.5, etc.) are passed through to OpenAI.\n` +
       `  Custom models route to their configured providers.\n` +
@@ -311,10 +317,12 @@ export function removeCodexConfig(): { success: boolean; message: string } {
 export function restoreNativeCodex(): { success: boolean; message: string } {
   const cfg = removeCodexConfig();
   const cat = restoreCodexCatalog();
+  const history = syncCodexHistoryProvider("openai");
   const msg = cat.removed > 0
     ? `${cfg.message} Catalog restored to ${cat.kept} native model(s) (dropped ${cat.removed} proxy-routed).`
     : cfg.message;
-  return { success: cfg.success, message: msg };
+  const historyMsg = history.rows > 0 ? ` Resume history restored to openai (${history.rows} thread(s)).` : "";
+  return { success: cfg.success, message: `${msg}${historyMsg}` };
 }
 
 export function getCodexConfigPath(): string {

package/src/codex-shim.ts

@@ -4,6 +4,30 @@ import { getConfigDir } from "./config";
 
 const SHIM_MARKER = "opencodex codex autostart shim";
 const STATE_PATH = join(getConfigDir(), "codex-shim.json");
+const CODEX_INTERNAL_COMMANDS = [
+  "app-server",
+  "archive",
+  "apply",
+  "cloud",
+  "completion",
+  "debug",
+  "delete",
+  "doctor",
+  "exec",
+  "exec-server",
+  "features",
+  "fork",
+  "help",
+  "login",
+  "logout",
+  "mcp",
+  "plugin",
+  "resume",
+  "review",
+  "sandbox",
+  "unarchive",
+  "update",
+];
 
 interface ShimState {
   platform: NodeJS.Platform;
@@ -51,39 +75,33 @@ function backupPathFor(path: string): string {
 }
 
 export function buildUnixCodexShim(realCodexPath: string, bunPath: string, cliPath: string): string {
+  const internalCommands = CODEX_INTERNAL_COMMANDS.join("|");
   return `#!/usr/bin/env sh
 # ${SHIM_MARKER}
-if [ -z "$OCX_SHIM_BYPASS" ]; then
-  if ! "${bunPath}" "${cliPath}" status 2>/dev/null | grep -q "Proxy running"; then
-    mkdir -p "$HOME/.opencodex"
-    nohup env OCX_SERVICE=1 "${bunPath}" "${cliPath}" start >> "$HOME/.opencodex/shim.log" 2>&1 &
-    i=0
-    while [ "$i" -lt 50 ]; do
-      if "${bunPath}" "${cliPath}" status 2>/dev/null | grep -q "Proxy running"; then
-        break
-      fi
-      sleep 0.1
-      i=$((i + 1))
-    done
-  fi
-fi
+case "$1" in
+  ${internalCommands}|--help|-h|--version|-V)
+    ;;
+  *)
+    if [ -z "$OCX_SHIM_BYPASS" ]; then
+      "${bunPath}" "${cliPath}" ensure >/dev/null 2>&1 || true
+    fi
+    ;;
+esac
 exec "${realCodexPath}" "$@"
 `;
 }
 
 export function buildWindowsCodexShim(realCodexPath: string, bunPath: string, cliPath: string): string {
+  const internalCommandChecks = CODEX_INTERNAL_COMMANDS.map(command => `if /I "%~1"=="${command}" goto run_codex`).join("\r\n");
   return `@echo off\r
 rem ${SHIM_MARKER}\r
 if not "%OCX_SHIM_BYPASS%"=="" goto run_codex\r
-"${bunPath}" "${cliPath}" status 2>nul | findstr /C:"Proxy running" >nul\r
-if %ERRORLEVEL% EQU 0 goto run_codex\r
-if not exist "%USERPROFILE%\\.opencodex" mkdir "%USERPROFILE%\\.opencodex"\r
-start "" /b cmd /c "set OCX_SERVICE=1 && ""${bunPath}"" ""${cliPath}"" start >> ""%USERPROFILE%\\.opencodex\\shim.log"" 2>&1"\r
-for /l %%i in (1,1,50) do (\r
-  "${bunPath}" "${cliPath}" status 2>nul | findstr /C:"Proxy running" >nul\r
-  if not errorlevel 1 goto run_codex\r
-  powershell -NoProfile -Command "Start-Sleep -Milliseconds 100" >nul 2>nul\r
-)\r
+${internalCommandChecks}\r
+if /I "%~1"=="--help" goto run_codex\r
+if /I "%~1"=="-h" goto run_codex\r
+if /I "%~1"=="--version" goto run_codex\r
+if /I "%~1"=="-V" goto run_codex\r
+"${bunPath}" "${cliPath}" ensure >nul 2>nul\r
 :run_codex\r
 "${realCodexPath}" %*\r
 `;
@@ -102,11 +120,39 @@ function writeState(state: ShimState): void {
   writeFileSync(STATE_PATH, JSON.stringify(state, null, 2) + "\n", "utf8");
 }
 
+function writeShim(wrapperPath: string, realCodexPath: string): void {
+  const { bun, cli } = cliEntry();
+  if (process.platform === "win32") {
+    writeFileSync(wrapperPath, buildWindowsCodexShim(realCodexPath, bun, cli), "utf8");
+  } else {
+    writeFileSync(wrapperPath, buildUnixCodexShim(realCodexPath, bun, cli), "utf8");
+    chmodSync(wrapperPath, 0o755);
+  }
+}
+
 export function installCodexShim(): { installed: boolean; message: string } {
   const existing = readState();
-  if (existing && existsSync(existing.wrapperPath) && existsSync(existing.backupPath)) {
+  if (existing && existsSync(existing.wrapperPath) && existsSync(existing.backupPath) && isShim(existing.wrapperPath)) {
+    if (process.platform === "win32" && existing.originalPath && existsSync(existing.originalPath)) {
+      renameSync(existing.originalPath, existing.backupPath);
+      writeShim(existing.wrapperPath, existing.backupPath);
+      writeState({ ...existing, platform: process.platform });
+      return {
+        installed: true,
+        message: `Codex update detected. Backed up new binary and refreshed shim at ${existing.wrapperPath}.`,
+      };
+    }
     return { installed: false, message: `Codex autostart shim already installed at ${existing.wrapperPath}.` };
   }
+  if (existing && existsSync(existing.backupPath) && (!existsSync(existing.wrapperPath) || !isShim(existing.wrapperPath))) {
+    if (existsSync(existing.wrapperPath)) unlinkSync(existing.wrapperPath);
+    writeShim(existing.wrapperPath, existing.backupPath);
+    writeState({ ...existing, platform: process.platform });
+    return {
+      installed: true,
+      message: `Codex autostart shim repaired at ${existing.wrapperPath}. Original remains at ${existing.backupPath}.`,
+    };
+  }
 
   const originalPath = findCodexOnPath();
   if (!originalPath) return { installed: false, message: "Could not find a codex executable on PATH." };
@@ -114,15 +160,9 @@ export function installCodexShim(): { installed: boolean; message: string } {
   const backupPath = backupPathFor(originalPath);
   if (existsSync(backupPath)) return { installed: false, message: `Refusing to overwrite existing backup: ${backupPath}` };
 
-  const { bun, cli } = cliEntry();
   const wrapperPath = process.platform === "win32" ? join(dirname(originalPath), "codex.cmd") : originalPath;
   renameSync(originalPath, backupPath);
-  if (process.platform === "win32") {
-    writeFileSync(wrapperPath, buildWindowsCodexShim(backupPath, bun, cli), "utf8");
-  } else {
-    writeFileSync(wrapperPath, buildUnixCodexShim(backupPath, bun, cli), "utf8");
-    chmodSync(wrapperPath, 0o755);
-  }
+  writeShim(wrapperPath, backupPath);
   writeState({ platform: process.platform, wrapperPath, originalPath, backupPath });
   return { installed: true, message: `Codex autostart shim installed at ${wrapperPath}. Original saved at ${backupPath}.` };
 }
@@ -139,7 +179,11 @@ export function uninstallCodexShim(): { removed: boolean; message: string } {
 export function codexShimStatus(): string {
   const state = readState();
   if (!state) return "Codex autostart shim is not installed.";
-  const wrapper = existsSync(state.wrapperPath) ? "present" : "missing";
+  const wrapper = existsSync(state.wrapperPath)
+    ? isShim(state.wrapperPath)
+      ? "shim present"
+      : "present but not an opencodex shim"
+    : "missing";
   const backup = existsSync(state.backupPath) ? "present" : "missing";
   return `Codex autostart shim: wrapper ${wrapper} at ${state.wrapperPath}; original backup ${backup} at ${state.backupPath}.`;
 }

package/src/config.ts

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, chmodSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import type { OcxConfig } from "./types";
@@ -10,7 +10,7 @@ let _atomicSeq = 0;
  */
 export function atomicWriteFile(path: string, content: string): void {
   const tmp = `${path}.ocx.${process.pid}.${++_atomicSeq}.tmp`;
-  writeFileSync(tmp, content, "utf-8");
+  writeFileSync(tmp, content, { encoding: "utf-8", mode: 0o600 });
   renameSync(tmp, path);
 }
 
@@ -39,7 +39,22 @@ export function getPidPath(): string {
   return PID_PATH;
 }
 
+export function hardenConfigDir(): void {
+  if (existsSync(OCX_DIR)) {
+    try { chmodSync(OCX_DIR, 0o700); } catch { /* best-effort */ }
+  }
+}
+
+export function hardenExistingSecret(path: string): void {
+  if (existsSync(path)) {
+    try { chmodSync(path, 0o600); } catch { /* best-effort */ }
+  }
+}
+
 export function loadConfig(): OcxConfig {
+  hardenConfigDir();
+  hardenExistingSecret(CONFIG_PATH);
+  hardenExistingSecret(join(OCX_DIR, "auth.json"));
   if (!existsSync(CONFIG_PATH)) {
     return getDefaultConfig();
   }
@@ -53,15 +68,21 @@ export function loadConfig(): OcxConfig {
 
 export function saveConfig(config: OcxConfig): void {
   if (!existsSync(OCX_DIR)) {
-    mkdirSync(OCX_DIR, { recursive: true });
+    mkdirSync(OCX_DIR, { recursive: true, mode: 0o700 });
+  } else {
+    try { chmodSync(OCX_DIR, 0o700); } catch { /* best-effort on existing dir */ }
   }
-  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  atomicWriteFile(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n");
 }
 
 export function websocketsEnabled(config: Pick<OcxConfig, "websockets">): boolean {
   return config.websockets === true;
 }
 
+export function codexAutoStartEnabled(config: Pick<OcxConfig, "codexAutoStart">): boolean {
+  return config.codexAutoStart !== false;
+}
+
 export function getDefaultConfig(): OcxConfig {
   // Fresh-install default: works out of the box with Codex's ChatGPT OAuth (no API key).
   // gpt-* requests forward the caller's incoming OAuth headers to the ChatGPT backend.
@@ -78,6 +99,7 @@ export function getDefaultConfig(): OcxConfig {
     defaultProvider: "openai",
     subagentModels: [...DEFAULT_SUBAGENT_MODELS],
     websockets: false,
+    codexAutoStart: true,
   };
 }
 
@@ -90,7 +112,11 @@ export function resolveEnvValue(value: string | undefined): string | undefined {
 }
 
 export function writePid(pid: number): void {
-  if (!existsSync(OCX_DIR)) mkdirSync(OCX_DIR, { recursive: true });
+  if (!existsSync(OCX_DIR)) {
+    mkdirSync(OCX_DIR, { recursive: true, mode: 0o700 });
+  } else {
+    hardenConfigDir();
+  }
   writeFileSync(PID_PATH, String(pid), "utf-8");
 }
 

package/src/init.ts

@@ -131,6 +131,17 @@ export async function runInit(): Promise<void> {
     console.log(result.success ? `✅ ${result.message}` : `⚠️  ${result.message}`);
   }
 
+  const shimAnswer = await prompt.ask("Install Codex autostart shim? [Y/n]: ");
+  if (shimAnswer.trim().toLowerCase() !== "n") {
+    try {
+      const { installCodexShim } = await import("./codex-shim");
+      const result = installCodexShim();
+      console.log(result.installed ? `✅ ${result.message}` : `⚠️  ${result.message}`);
+    } catch (err) {
+      console.log(`⚠️  Codex autostart shim skipped: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+
   console.log(`\n🚀 Setup complete! Run 'ocx start' to start the proxy.`);
   prompt.close();
 }

package/src/oauth/store.ts

@@ -1,13 +1,15 @@
 /** OAuth token store at ~/.opencodex/auth.json, keyed by provider name. */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, chmodSync } from "node:fs";
 import { join } from "node:path";
-import { getConfigDir } from "../config";
+import { getConfigDir, atomicWriteFile, hardenConfigDir, hardenExistingSecret } from "../config";
 import type { OAuthCredentials } from "./types";
 
 const AUTH_PATH = join(getConfigDir(), "auth.json");
 type AuthStore = Record<string, OAuthCredentials>;
 
 export function loadAuthStore(): AuthStore {
+  hardenConfigDir();
+  hardenExistingSecret(AUTH_PATH);
   if (!existsSync(AUTH_PATH)) return {};
   try {
     return JSON.parse(readFileSync(AUTH_PATH, "utf-8")) as AuthStore;
@@ -18,8 +20,12 @@ export function loadAuthStore(): AuthStore {
 
 function persist(store: AuthStore): void {
   const dir = getConfigDir();
-  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(AUTH_PATH, JSON.stringify(store, null, 2) + "\n", "utf-8");
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+  } else {
+    try { chmodSync(dir, 0o700); } catch { /* best-effort on existing dir */ }
+  }
+  atomicWriteFile(AUTH_PATH, JSON.stringify(store, null, 2) + "\n");
 }
 
 export function getCredential(provider: string): OAuthCredentials | null {