npm - @bitkyc08/opencodex - Versions diffs - 2.1.11 → 2.5.0 - Mend

@bitkyc08/opencodex 2.1.11 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.ko.md +24 -1
package/README.md +25 -1
package/gui/dist/assets/{index-DeGNkIT3.js → index-C_EmUrcx.js} +1 -1
package/gui/dist/index.html +1 -1
package/package.json +1 -1
package/src/cli.ts +8 -7
package/src/server.ts +148 -11
package/src/types.ts +2 -0

package/README.ko.md CHANGED Viewed

@@ -171,7 +171,11 @@ npm uninstall -g @bitkyc08/opencodex   # 또는: bun remove -g @bitkyc08/opencod
 ## 설정
-설정 파일은 `~/.opencodex/config.json`에 저장됩니다. 최소 설정 예시:
+설정 파일은 `~/.opencodex/config.json`에 저장됩니다. 파일이 깨진 경우(잘못된 JSON 등)
+opencodex는 `config.json.invalid-<timestamp>`로 백업하고 경고를 출력한 뒤 기본값으로 시작합니다.
+원본 파일이 조용히 사라지는 일은 없습니다.
+최소 설정 예시:
 ```json
 {
@@ -209,6 +213,25 @@ npm uninstall -g @bitkyc08/opencodex   # 또는: bun remove -g @bitkyc08/opencod
 WebSocket 전송은 기본적으로 꺼져 있습니다. Codex가 HTTP/SSE 대신 Responses WebSocket 경로를 사용하게 하려면 `"websockets": true`를 설정하세요.
+### 원격 접근
+기본적으로 opencodex는 `127.0.0.1`(루프백)에 바인딩되며 별도 인증이 필요 없습니다.
+`"hostname": "0.0.0.0"`으로 LAN에 노출할 경우, opencodex는 관리 API(`/api/*`)와 데이터 플레인(`/v1/responses`) 모두에 bearer 토큰을 요구합니다:
+```bash
+export OPENCODEX_API_AUTH_TOKEN="your-secret-token"
+ocx start
+```
+비루프백 바인딩 시 이 환경 변수가 없으면 프록시 시작이 거부됩니다.
+클라이언트(스크립트, 원격 머신)는 모든 요청에 토큰을 포함해야 합니다:
+```
+x-opencodex-api-key: your-secret-token
+```
+토큰은 타이밍 공격 방지를 위해 상수 시간으로 비교됩니다.
 모든 필드에 대한 자세한 내용은 **[설정 레퍼런스](https://lidge-jun.github.io/opencodex/ko/reference/configuration/)** 를 참고하세요.
 ## 문서

package/README.md CHANGED Viewed

@@ -232,7 +232,11 @@ native Codex config/catalog/history, and deletes `~/.opencodex`.
 ## Configuration
-Config lives at `~/.opencodex/config.json`. Here's a typical multi-provider setup:
+Config lives at `~/.opencodex/config.json`. If the file cannot be parsed (e.g. truncated or
+manually broken JSON), opencodex backs it up to `config.json.invalid-<timestamp>`, prints a warning,
+and falls back to defaults — so your original file is never silently lost.
+Here's a typical multi-provider setup:
 ```json
 {
@@ -288,6 +292,26 @@ Local models work too. Point opencodex at any OpenAI-compatible server running o
 WebSocket transport is off by default. Set `"websockets": true` only if you want Codex to advertise and use the Responses WebSocket path instead of HTTP/SSE.
+### Remote access
+By default opencodex binds to `127.0.0.1` (loopback) and requires no extra authentication.
+If you set `"hostname": "0.0.0.0"` to expose the proxy on the LAN, opencodex requires a bearer token
+to protect both the management API (`/api/*`) and the data-plane (`/v1/responses`):
+```bash
+export OPENCODEX_API_AUTH_TOKEN="your-secret-token"
+ocx start
+```
+The proxy refuses to start without this variable when binding beyond loopback.
+Clients (scripts, remote machines) must include the token in every request:
+```
+x-opencodex-api-key: your-secret-token
+```
+The token is compared in constant time to prevent timing attacks.
 opencodex leaves existing Codex resume history untouched by default. This avoids changing Codex's
 local thread index just because the proxy started, but Codex App may hide old OpenAI-backed project
 threads and opencodex-created `exec` threads while `opencodex` is the active provider. If you want