@bitkyc08/opencodex 2.1.8 → 2.1.10

package/src/config.ts

@@ -1,6 +1,7 @@
-import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, chmodSync } from "node:fs";
+import { copyFileSync, existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync, chmodSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import * as z from "zod/v4";
 import type { OcxConfig } from "./types";
 
 let _atomicSeq = 0;
@@ -14,9 +15,38 @@ export function atomicWriteFile(path: string, content: string): void {
   renameSync(tmp, path);
 }
 
-const OCX_DIR = join(homedir(), ".opencodex");
-const CONFIG_PATH = join(OCX_DIR, "config.json");
-const PID_PATH = join(OCX_DIR, "ocx.pid");
+function resolveConfigDir(): string {
+  return process.env["OPENCODEX_HOME"] || join(homedir(), ".opencodex");
+}
+
+function resolveConfigPath(): string {
+  return join(resolveConfigDir(), "config.json");
+}
+
+function resolvePidPath(): string {
+  return join(resolveConfigDir(), "ocx.pid");
+}
+
+const warnedConfigFallbacks = new Set<string>();
+
+const providerConfigSchema = z.object({
+  adapter: z.string().min(1),
+  baseUrl: z.string().min(1),
+}).passthrough();
+
+const configSchema = z.object({
+  port: z.number().int().min(0).max(65535).default(10100),
+  providers: z.record(z.string(), providerConfigSchema),
+  defaultProvider: z.string().min(1),
+}).passthrough().superRefine((config, ctx) => {
+  if (Object.keys(config.providers).length > 0 && !(config.defaultProvider in config.providers)) {
+    ctx.addIssue({
+      code: "custom",
+      path: ["defaultProvider"],
+      message: "defaultProvider must exist in providers",
+    });
+  }
+});
 
 /**
  * Default featured subagent models (native GPT) seeded on a fresh install and when `subagentModels`
@@ -28,20 +58,21 @@ const PID_PATH = join(OCX_DIR, "ocx.pid");
 export const DEFAULT_SUBAGENT_MODELS = ["gpt-5.5", "gpt-5.4", "gpt-5.4-mini", "gpt-5.3-codex-spark"];
 
 export function getConfigDir(): string {
-  return OCX_DIR;
+  return resolveConfigDir();
 }
 
 export function getConfigPath(): string {
-  return CONFIG_PATH;
+  return resolveConfigPath();
 }
 
 export function getPidPath(): string {
-  return PID_PATH;
+  return resolvePidPath();
 }
 
 export function hardenConfigDir(): void {
-  if (existsSync(OCX_DIR)) {
-    try { chmodSync(OCX_DIR, 0o700); } catch { /* best-effort */ }
+  const dir = getConfigDir();
+  if (existsSync(dir)) {
+    try { chmodSync(dir, 0o700); } catch { /* best-effort */ }
   }
 }
 
@@ -52,27 +83,31 @@ export function hardenExistingSecret(path: string): void {
 }
 
 export function loadConfig(): OcxConfig {
+  const dir = getConfigDir();
+  const configPath = getConfigPath();
   hardenConfigDir();
-  hardenExistingSecret(CONFIG_PATH);
-  hardenExistingSecret(join(OCX_DIR, "auth.json"));
-  if (!existsSync(CONFIG_PATH)) {
+  hardenExistingSecret(configPath);
+  hardenExistingSecret(join(dir, "auth.json"));
+  if (!existsSync(configPath)) {
     return getDefaultConfig();
   }
   try {
-    const raw = readFileSync(CONFIG_PATH, "utf-8");
-    return JSON.parse(raw) as OcxConfig;
-  } catch {
+    const raw = readFileSync(configPath, "utf-8");
+    return configSchema.parse(JSON.parse(raw)) as OcxConfig;
+  } catch (error) {
+    warnAndBackupInvalidConfig(configPath, error);
     return getDefaultConfig();
   }
 }
 
 export function saveConfig(config: OcxConfig): void {
-  if (!existsSync(OCX_DIR)) {
-    mkdirSync(OCX_DIR, { recursive: true, mode: 0o700 });
+  const dir = getConfigDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
   } else {
-    try { chmodSync(OCX_DIR, 0o700); } catch { /* best-effort on existing dir */ }
+    try { chmodSync(dir, 0o700); } catch { /* best-effort on existing dir */ }
   }
-  atomicWriteFile(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n");
+  atomicWriteFile(getConfigPath(), JSON.stringify(config, null, 2) + "\n");
 }
 
 export function websocketsEnabled(config: Pick<OcxConfig, "websockets">): boolean {
@@ -112,18 +147,20 @@ export function resolveEnvValue(value: string | undefined): string | undefined {
 }
 
 export function writePid(pid: number): void {
-  if (!existsSync(OCX_DIR)) {
-    mkdirSync(OCX_DIR, { recursive: true, mode: 0o700 });
+  const dir = getConfigDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
   } else {
     hardenConfigDir();
   }
-  writeFileSync(PID_PATH, String(pid), "utf-8");
+  writeFileSync(getPidPath(), String(pid), "utf-8");
 }
 
 export function readPid(): number | null {
-  if (!existsSync(PID_PATH)) return null;
+  const pidPath = getPidPath();
+  if (!existsSync(pidPath)) return null;
   try {
-    const raw = readFileSync(PID_PATH, "utf-8").trim();
+    const raw = readFileSync(pidPath, "utf-8").trim();
     const pid = parseInt(raw, 10);
     if (isNaN(pid)) return null;
     try {
@@ -140,7 +177,30 @@ export function readPid(): number | null {
 
 export function removePid(): void {
   try {
-    const { unlinkSync } = require("node:fs");
-    unlinkSync(PID_PATH);
+    unlinkSync(getPidPath());
   } catch { /* ignore */ }
 }
+
+function warnAndBackupInvalidConfig(configPath: string, error: unknown): void {
+  if (warnedConfigFallbacks.has(configPath)) return;
+  warnedConfigFallbacks.add(configPath);
+
+  const backupPath = backupInvalidConfig(configPath);
+  const reason = error instanceof z.ZodError
+    ? error.issues.map(issue => `${issue.path.join(".") || "config"}: ${issue.message}`).join("; ")
+    : error instanceof Error ? error.message : String(error);
+  const backupNote = backupPath ? ` A backup was written to ${backupPath}.` : "";
+  console.error(`Could not load opencodex config at ${configPath}: ${reason}. Using default config.${backupNote}`);
+}
+
+function backupInvalidConfig(configPath: string): string | null {
+  if (!existsSync(configPath)) return null;
+  const backupPath = `${configPath}.invalid-${new Date().toISOString().replace(/[:.]/g, "-")}`;
+  try {
+    copyFileSync(configPath, backupPath);
+    try { chmodSync(backupPath, 0o600); } catch { /* best-effort */ }
+    return backupPath;
+  } catch {
+    return null;
+  }
+}

package/src/debug.ts

@@ -1,10 +1,11 @@
 // Opt-in frame-drop visibility. The streaming path is intentionally quiet (no unconditional
 // console output), so this no-ops unless OCX_DEBUG_FRAMES=1. Lets a malformed/chunk-split
 // upstream frame be detected instead of silently truncating content.
-const DEBUG_FRAMES = process.env.OCX_DEBUG_FRAMES === "1";
+function debugFramesEnabled(): boolean {
+  return process.env.OCX_DEBUG_FRAMES === "1";
+}
 
 export function debugDroppedFrame(adapter: string, payload: string): void {
-  if (!DEBUG_FRAMES) return;
-  const preview = payload.length > 200 ? `${payload.slice(0, 200)}…` : payload;
-  console.error(`[ocx:frame-drop] ${adapter}: ${preview}`);
+  if (!debugFramesEnabled()) return;
+  console.error(`[ocx:frame-drop] ${adapter}: dropped malformed upstream frame (payload redacted, bytes=${payload.length})`);
 }

package/src/oauth/chatgpt.ts

@@ -0,0 +1,150 @@
+import { OAuthCallbackFlow } from "./callback-server";
+import type { OAuthController, OAuthCredentials } from "./types";
+import { generatePKCE } from "./pkce";
+
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTH_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const ORIGINATOR = "opencodex";
+
+export function decodeJwtPayload(token: string): Record<string, unknown> | undefined {
+  const parts = token.split(".");
+  if (parts.length !== 3 || !parts[1]) return undefined;
+  try {
+    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as Record<string, unknown>;
+  } catch {
+    return undefined;
+  }
+}
+
+export function extractAccountId(idToken?: string, accessToken?: string): string | undefined {
+  for (const token of [idToken, accessToken]) {
+    if (!token) continue;
+    const payload = decodeJwtPayload(token);
+    if (!payload) continue;
+    if (typeof payload.chatgpt_account_id === "string") return payload.chatgpt_account_id;
+    const ns = payload["https://api.openai.com/auth"];
+    if (ns && typeof ns === "object" && typeof (ns as Record<string, unknown>).chatgpt_account_id === "string") {
+      return (ns as Record<string, unknown>).chatgpt_account_id as string;
+    }
+    const orgs = payload.organizations;
+    if (Array.isArray(orgs) && orgs[0] && typeof orgs[0].id === "string") return orgs[0].id as string;
+  }
+  return undefined;
+}
+
+export function extractEmail(idToken?: string, accessToken?: string): string | undefined {
+  for (const token of [idToken, accessToken]) {
+    if (!token) continue;
+    const payload = decodeJwtPayload(token);
+    if (!payload) continue;
+    if (typeof payload.email === "string") return payload.email.toLowerCase();
+  }
+  return undefined;
+}
+
+function credsFromToken(data: Record<string, unknown>): OAuthCredentials {
+  const idToken = typeof data.id_token === "string" ? data.id_token : undefined;
+  const accessToken = data.access_token as string;
+  return {
+    access: accessToken,
+    refresh: (data.refresh_token as string) ?? "",
+    expires: Date.now() + ((data.expires_in as number) ?? 3600) * 1000,
+    accountId: extractAccountId(idToken, accessToken),
+    email: extractEmail(idToken, accessToken),
+  };
+}
+
+export class ChatGPTOAuthFlow extends OAuthCallbackFlow {
+  #verifier = "";
+  forceLogin = false;
+
+  constructor(ctrl: OAuthController) {
+    super(ctrl, {
+      preferredPort: CALLBACK_PORT,
+      callbackPath: CALLBACK_PATH,
+      callbackHostname: "localhost",
+      callbackBindHostname: "127.0.0.1",
+      redirectUri: `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`,
+    });
+  }
+
+  async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
+    const pkce = await generatePKCE();
+    this.#verifier = pkce.verifier;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: CLIENT_ID,
+      redirect_uri: redirectUri,
+      scope: SCOPE,
+      code_challenge: pkce.challenge,
+      code_challenge_method: "S256",
+      state,
+      codex_cli_simplified_flow: "true",
+      originator: ORIGINATOR,
+    });
+    params.set("id_token_add_organizations", "true");
+    if (this.forceLogin) params.set("prompt", "login");
+    return {
+      url: `${AUTH_URL}?${params}`,
+      instructions: "Complete ChatGPT login in your browser.",
+    };
+  }
+
+  async exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials> {
+    if (!this.#verifier) throw new Error("ChatGPT PKCE verifier not initialized");
+    const resp = await fetch(TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        client_id: CLIENT_ID,
+        code,
+        redirect_uri: redirectUri,
+        code_verifier: this.#verifier,
+      }).toString(),
+    });
+    if (!resp.ok) {
+      const errDesc = await safeErrorDescription(resp);
+      throw new Error(`ChatGPT token exchange failed: ${resp.status} ${errDesc}`);
+    }
+    return credsFromToken((await resp.json()) as Record<string, unknown>);
+  }
+}
+
+function safeErrorDescription(resp: Response): Promise<string> {
+  return resp.text().catch(() => "").then(text => {
+    try {
+      const parsed = JSON.parse(text) as { error?: string; error_description?: string };
+      return [parsed.error, parsed.error_description].filter(Boolean).join(": ") || `HTTP ${resp.status}`;
+    } catch { return `HTTP ${resp.status}`; }
+  });
+}
+
+export async function loginChatGPT(ctrl: OAuthController, opts?: { forceLogin?: boolean }): Promise<OAuthCredentials> {
+  const flow = new ChatGPTOAuthFlow(ctrl);
+  if (opts?.forceLogin) flow.forceLogin = true;
+  return flow.login();
+}
+
+// Note: uses form-urlencoded per OAuth 2.0 spec (RFC 6749 §6).
+// Codex-rs uses JSON for refresh — intentional divergence; both accepted by auth.openai.com.
+export async function refreshChatGPTToken(refreshToken: string): Promise<OAuthCredentials> {
+  const resp = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: CLIENT_ID,
+      refresh_token: refreshToken,
+    }).toString(),
+  });
+  if (!resp.ok) {
+    const errDesc = await safeErrorDescription(resp);
+    throw new Error(`ChatGPT refresh failed: ${resp.status} ${errDesc}`);
+  }
+  return credsFromToken((await resp.json()) as Record<string, unknown>);
+}

package/src/oauth/index.ts

@@ -1,16 +1,20 @@
 import type { OAuthController, OAuthCredentials } from "./types";
 import type { OcxConfig, OcxProviderConfig } from "../types";
 import { loadConfig, resolveEnvValue, saveConfig } from "../config";
+import { maskEmail } from "../privacy";
 import { getCredential, saveCredential } from "./store";
 import { loginXai, refreshXaiToken } from "./xai";
 import { ANTHROPIC_OAUTH_BETA, loginAnthropic, refreshAnthropicToken } from "./anthropic";
 import { loginKimi, refreshKimiToken } from "./kimi";
+import { loginChatGPT, refreshChatGPTToken } from "./chatgpt";
 import { deriveOAuthDefaultModel, deriveOAuthProviderConfig } from "../providers/derive";
 
 const REFRESH_SKEW_MS = 60_000;
 
+export interface LoginOpts { forceLogin?: boolean }
+
 interface OAuthProviderDef {
-  login(ctrl: OAuthController): Promise<OAuthCredentials>;
+  login(ctrl: OAuthController, opts?: LoginOpts): Promise<OAuthCredentials>;
   refresh(refreshToken: string, signal?: AbortSignal): Promise<OAuthCredentials>;
   /** provider entry written into config.json on first login. */
   providerConfig: OcxProviderConfig;
@@ -48,6 +52,12 @@ export const OAUTH_PROVIDERS: Record<string, OAuthProviderDef> = {
     providerConfig: oauthConfig("kimi"),
     defaultModel: oauthDefaultModel("kimi"),
   },
+  chatgpt: {
+    login: loginChatGPT,
+    refresh: (rt) => refreshChatGPTToken(rt),
+    providerConfig: { adapter: "openai-responses", baseUrl: "https://chatgpt.com/backend-api/codex", authMode: "forward" as const },
+    defaultModel: "gpt-5.4",
+  },
 };
 
 export function isOAuthProvider(name: string): boolean {
@@ -178,10 +188,10 @@ export function upsertOAuthProvider(config: OcxConfig, provider: string): void {
 }
 
 /** Run the login flow, persist the credential + upsert the provider entry to disk, return cred. */
-export async function runLogin(provider: string, ctrl: OAuthController): Promise<OAuthCredentials> {
+export async function runLogin(provider: string, ctrl: OAuthController, opts?: LoginOpts): Promise<OAuthCredentials> {
   const def = OAUTH_PROVIDERS[provider];
   if (!def) throw new Error(`Unknown OAuth provider: ${provider}`);
-  const cred = await def.login(ctrl);
+  const cred = await def.login(ctrl, opts);
   saveCredential(provider, cred);
   const config = loadConfig();
   upsertOAuthProvider(config, provider);
@@ -195,18 +205,31 @@ export async function runLogin(provider: string, ctrl: OAuthController): Promise
  * error surfaced via getLoginStatus().
  */
 const loginState = new Map<string, { error?: string; done: boolean }>();
+const loginAbort = new Map<string, AbortController>();
 
-export function getLoginStatus(provider: string): { loggedIn: boolean; email?: string; error?: string } {
+export function getLoginStatus(provider: string): { loggedIn: boolean; email?: string; error?: string; done: boolean } {
   const cred = getCredential(provider);
   const st = loginState.get(provider);
-  return { loggedIn: !!cred, email: cred?.email, error: st?.error };
+  return { loggedIn: !!cred, email: maskEmail(cred?.email) ?? undefined, error: st?.error, done: st?.done ?? false };
 }
 
 export function clearLoginState(provider: string): void {
+  loginAbort.get(provider)?.abort("cleared");
+  loginAbort.delete(provider);
   loginState.delete(provider);
 }
 
-export async function startLoginFlow(provider: string): Promise<{ url: string; instructions?: string }> {
+export function cancelLoginFlow(provider: string): boolean {
+  const ctrl = loginAbort.get(provider);
+  const existing = loginState.get(provider);
+  if (!ctrl && (!existing || existing.done)) return false;
+  ctrl?.abort("cancelled");
+  loginAbort.delete(provider);
+  loginState.set(provider, { done: true, error: "Login cancelled" });
+  return true;
+}
+
+export async function startLoginFlow(provider: string, opts?: LoginOpts): Promise<{ url: string; instructions?: string }> {
   const def = OAUTH_PROVIDERS[provider];
   if (!def) throw new Error(`Unknown OAuth provider: ${provider}`);
   const existing = loginState.get(provider);
@@ -214,6 +237,8 @@ export async function startLoginFlow(provider: string): Promise<{ url: string; i
     throw new Error(`A login for ${provider} is already in progress`);
   }
   loginState.set(provider, { done: false });
+  const abort = new AbortController();
+  loginAbort.set(provider, abort);
   return new Promise((resolve, reject) => {
     let urlResolved = false;
     const ctrl: OAuthController = {
@@ -222,16 +247,19 @@ export async function startLoginFlow(provider: string): Promise<{ url: string; i
         resolve({ url, instructions });
       },
       onProgress: () => {},
+      signal: abort.signal,
     };
     // Background: runLogin persists the credential + upserts the provider entry to disk config.
-    runLogin(provider, ctrl)
+    runLogin(provider, ctrl, opts)
       .then(() => {
+        loginAbort.delete(provider);
         loginState.set(provider, { done: true });
         // Local-token import (grok-cli / Claude Code keychain) completes WITHOUT firing onAuth —
         // resolve so the GUI call returns instead of hanging.
         if (!urlResolved) resolve({ url: "", instructions: "Logged in via an existing local CLI/keychain token — no browser needed." });
       })
       .catch((e: unknown) => {
+        loginAbort.delete(provider);
         const msg = e instanceof Error ? e.message : String(e);
         loginState.set(provider, { done: true, error: msg });
         if (!urlResolved) reject(e);

package/src/oauth/store.ts

@@ -4,15 +4,19 @@ import { join } from "node:path";
 import { getConfigDir, atomicWriteFile, hardenConfigDir, hardenExistingSecret } from "../config";
 import type { OAuthCredentials } from "./types";
 
-const AUTH_PATH = join(getConfigDir(), "auth.json");
 type AuthStore = Record<string, OAuthCredentials>;
 
+function authPath(): string {
+  return join(getConfigDir(), "auth.json");
+}
+
 export function loadAuthStore(): AuthStore {
+  const path = authPath();
   hardenConfigDir();
-  hardenExistingSecret(AUTH_PATH);
-  if (!existsSync(AUTH_PATH)) return {};
+  hardenExistingSecret(path);
+  if (!existsSync(path)) return {};
   try {
-    return JSON.parse(readFileSync(AUTH_PATH, "utf-8")) as AuthStore;
+    return JSON.parse(readFileSync(path, "utf-8")) as AuthStore;
   } catch {
     return {};
   }
@@ -25,7 +29,7 @@ function persist(store: AuthStore): void {
   } else {
     try { chmodSync(dir, 0o700); } catch { /* best-effort on existing dir */ }
   }
-  atomicWriteFile(AUTH_PATH, JSON.stringify(store, null, 2) + "\n");
+  atomicWriteFile(authPath(), JSON.stringify(store, null, 2) + "\n");
 }
 
 export function getCredential(provider: string): OAuthCredentials | null {

package/src/privacy.ts

@@ -0,0 +1,11 @@
+export function maskEmail(value: string | null | undefined): string | null {
+  if (!value) return null;
+  const at = value.indexOf("@");
+  if (at <= 0) return value;
+  const local = value.slice(0, at);
+  const domain = value.slice(at + 1);
+  if (!domain) return value;
+  if (local.length === 1) return `*@${domain}`;
+  if (local.length === 2) return `${local[0]}*@${domain}`;
+  return `${local[0]}***${local[local.length - 1]}@${domain}`;
+}

package/src/router.ts

@@ -11,7 +11,7 @@ const MODEL_PROVIDER_PATTERNS: Record<string, string[]> = {
   anthropic: [
     "claude-", "claude-sonnet-", "claude-opus-", "claude-haiku-",
   ],
-  openai: [
+  chatgpt: [
     "gpt-", "o1-", "o3-", "o4-",
   ],
   groq: [