@companyhelm/runner 0.0.13 → 0.0.15

package/README.md

@@ -36,6 +36,14 @@ Check whether the daemon is running:
 companyhelm-runner status
 ```
 
+Open the interactive state DB shell:
+
+```bash
+companyhelm-runner shell
+```
+
+From the shell you can inspect threads and daemon state, and open a Docker bash session inside a selected thread runtime container.
+
 The `status` command prints:
 
 - whether the daemon is running

package/dist/commands/root.js

@@ -58,7 +58,6 @@ const node_crypto_1 = require("node:crypto");
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const config_js_1 = require("../config.js");
-const startup_js_1 = require("./startup.js");
 const companyhelm_api_client_js_1 = require("../service/companyhelm_api_client.js");
 const buffered_client_message_sender_js_1 = require("../service/buffered_client_message_sender.js");
 const host_js_1 = require("../service/host.js");
@@ -77,6 +76,7 @@ const logger_js_1 = require("../utils/logger.js");
 const path_js_1 = require("../utils/path.js");
 const terminal_js_1 = require("../utils/terminal.js");
 const workspace_agents_js_1 = require("../service/workspace_agents.js");
+const auth_js_1 = require("./sdk/codex/auth.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
 const COMMAND_CHANNEL_OPEN_TIMEOUT_MS = 5000;
 const TURN_COMPLETION_TIMEOUT_MS = 2 * 60 * 60000;
@@ -1515,6 +1515,28 @@ async function sendHeartbeatResponse(commandChannel, requestId) {
     });
     await commandChannel.send(message);
 }
+async function sendCodexDeviceCode(commandChannel, deviceCode, requestId) {
+    const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
+        requestId,
+        payload: {
+            case: "codexDeviceCode",
+            value: {
+                deviceCode,
+            },
+        },
+    });
+    await commandChannel.send(message);
+}
+async function sendAgentSdkUpdate(commandChannel, sdk, requestId) {
+    const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
+        requestId,
+        payload: {
+            case: "agentSdkUpdate",
+            value: sdk,
+        },
+    });
+    await commandChannel.send(message);
+}
 async function sendThreadUpdate(commandChannel, threadId, status, requestId) {
     const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
         requestId,
@@ -1575,12 +1597,12 @@ async function sendItemExecutionUpdate(commandChannel, threadId, sdkTurnId, sdkI
     });
     await commandChannel.send(message);
 }
-async function buildRegisterRunnerRequest(cfg) {
+async function loadRunnerRegistrationSdks(cfg, logger) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
         const configuredSdks = await db.select().from(schema_js_1.agentSdks).orderBy(schema_js_1.agentSdks.name).all();
         if (configuredSdks.length === 0) {
-            throw new Error("No SDKs configured. Run startup before connecting to CompanyHelm API.");
+            return [];
         }
         const models = await db.select().from(schema_js_1.llmModels).orderBy(schema_js_1.llmModels.sdkName, schema_js_1.llmModels.name).all();
         const modelsBySdk = new Map();
@@ -1592,52 +1614,107 @@ async function buildRegisterRunnerRequest(cfg) {
             });
             modelsBySdk.set(model.sdkName, sdkModels);
         }
-        return (0, protobuf_1.create)(protos_1.RegisterRunnerRequestSchema, {
-            agentSdks: configuredSdks.map((sdk) => ({
-                name: sdk.name,
-                models: modelsBySdk.get(sdk.name) ?? [],
-            })),
+        return configuredSdks.map((sdk) => {
+            if (sdk.name !== "codex") {
+                return {
+                    name: sdk.name,
+                    models: sdk.status === "configured" ? (modelsBySdk.get(sdk.name) ?? []) : [],
+                    status: sdk.status === "configured" ? protos_1.AgentSdkStatus.READY : protos_1.AgentSdkStatus.UNCONFIGURED,
+                };
+            }
+            if (sdk.status !== "configured" || sdk.authentication === "unauthenticated") {
+                return {
+                    name: sdk.name,
+                    models: [],
+                    status: protos_1.AgentSdkStatus.UNCONFIGURED,
+                };
+            }
+            try {
+                logger.debug("Refreshing Codex models for runner registration.");
+                return {
+                    name: sdk.name,
+                    models: modelsBySdk.get(sdk.name) ?? [],
+                    status: protos_1.AgentSdkStatus.READY,
+                };
+            }
+            catch (error) {
+                return {
+                    name: sdk.name,
+                    models: modelsBySdk.get(sdk.name) ?? [],
+                    status: protos_1.AgentSdkStatus.ERROR,
+                    errorMessage: (0, refresh_models_js_1.formatSdkModelRefreshFailure)("codex", error),
+                };
+            }
         });
     }
     finally {
         client.close();
     }
 }
-async function hasConfiguredSdks(cfg) {
+async function countSdkModels(cfg, sdkName) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
-        const configuredSdks = await db.select().from(schema_js_1.agentSdks).all();
-        return configuredSdks.length > 0;
+        const models = await db.select({ name: schema_js_1.llmModels.name }).from(schema_js_1.llmModels).where((0, drizzle_orm_1.eq)(schema_js_1.llmModels.sdkName, sdkName)).all();
+        return models.length;
     }
     finally {
         client.close();
     }
 }
-async function countSdkModels(cfg, sdkName) {
+async function refreshCodexModelsForRegistration(cfg, logger) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
+    let codexSdk;
     try {
-        const models = await db.select({ name: schema_js_1.llmModels.name }).from(schema_js_1.llmModels).where((0, drizzle_orm_1.eq)(schema_js_1.llmModels.sdkName, sdkName)).all();
-        return models.length;
+        codexSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get() ?? undefined;
     }
     finally {
         client.close();
     }
-}
-async function refreshCodexModelsForRegistration(cfg, logger) {
+    if (!codexSdk || codexSdk.status !== "configured" || codexSdk.authentication === "unauthenticated") {
+        logger.info("Codex is not configured; registering runner with unconfigured Codex SDK state.");
+        return null;
+    }
     try {
         const results = await (0, refresh_models_js_1.refreshSdkModels)({ sdk: "codex", logger });
         const modelCount = results[0]?.modelCount ?? 0;
         logger.info(`Refreshed Codex models from container app-server (${modelCount} models).`);
+        return null;
     }
     catch (error) {
         const cachedModelCount = await countSdkModels(cfg, "codex");
         const failureMessage = (0, refresh_models_js_1.formatSdkModelRefreshFailure)("codex", error);
-        if (cachedModelCount === 0) {
-            throw new Error(`${failureMessage} Runner startup aborted because no cached Codex models are available; refusing to register zero models.`);
+        if (cachedModelCount > 0) {
+            logger.warn(`${failureMessage} Using ${cachedModelCount} cached Codex model(s) while registering Codex in error state.`);
+        }
+        else {
+            logger.warn(`${failureMessage} Registering Codex in error state with zero models.`);
         }
-        logger.warn(`${failureMessage} Using ${cachedModelCount} cached Codex model(s) from local state instead of registering zero models.`);
+        return failureMessage;
     }
 }
+async function buildRegisterRunnerRequest(cfg, logger, codexRefreshErrorMessage) {
+    const sdks = await loadRunnerRegistrationSdks(cfg, logger);
+    return (0, protobuf_1.create)(protos_1.RegisterRunnerRequestSchema, {
+        agentSdks: sdks.map((sdk) => ({
+            name: sdk.name,
+            models: sdk.models,
+            status: sdk.name === "codex" && codexRefreshErrorMessage
+                ? protos_1.AgentSdkStatus.ERROR
+                : sdk.status,
+            errorMessage: sdk.name === "codex" ? (codexRefreshErrorMessage ?? sdk.errorMessage) : sdk.errorMessage,
+        })),
+    });
+}
+async function buildCodexAgentSdkUpdate(cfg, logger, statusOverride, errorMessage) {
+    const sdks = await loadRunnerRegistrationSdks(cfg, logger);
+    const codex = sdks.find((sdk) => sdk.name === "codex");
+    return {
+        name: "codex",
+        models: codex?.models ?? [],
+        status: statusOverride ?? codex?.status ?? protos_1.AgentSdkStatus.UNCONFIGURED,
+        errorMessage: errorMessage ?? codex?.errorMessage,
+    };
+}
 async function resolveThreadAuthMode(cfg) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
@@ -2292,6 +2369,42 @@ async function handleCreateUserMessageRequest(cfg, commandChannel, request, requ
     const trackTurnCompletion = startedFromIdle;
     void executeCreateUserMessageRequest(cfg, commandChannel, request, requestId, threadState, startedFromIdle, trackTurnCompletion, logger);
 }
+async function handleCodexConfigurationRequest(cfg, commandChannel, request, requestId, logger) {
+    try {
+        if (request.authType === protos_1.CodexAuthType.API_KEY) {
+            const apiKey = String(request.codexApiKey ?? "").trim();
+            if (!apiKey) {
+                await sendRequestError(commandChannel, "Codex API key is required.", requestId);
+                return;
+            }
+            await (0, auth_js_1.runCodexApiKeyAuth)(cfg, apiKey, {
+                logInfo: (message) => logger.info(message),
+                logSuccess: (message) => logger.info(message),
+            });
+        }
+        else if (request.authType === protos_1.CodexAuthType.DEVICE_CODE) {
+            await (0, auth_js_1.runCodexDeviceCodeAuth)(cfg, async (deviceCode) => {
+                await sendCodexDeviceCode(commandChannel, deviceCode, requestId);
+            }, {
+                logInfo: (message) => logger.info(message),
+                logSuccess: (message) => logger.info(message),
+            });
+        }
+        else {
+            await sendRequestError(commandChannel, "Unsupported Codex auth type.", requestId);
+            return;
+        }
+        const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger);
+        const sdkUpdate = await buildCodexAgentSdkUpdate(cfg, logger, codexRefreshErrorMessage ? protos_1.AgentSdkStatus.ERROR : protos_1.AgentSdkStatus.READY, codexRefreshErrorMessage ?? undefined);
+        await sendAgentSdkUpdate(commandChannel, sdkUpdate, requestId);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const sdkUpdate = await buildCodexAgentSdkUpdate(cfg, logger, protos_1.AgentSdkStatus.ERROR, message);
+        await sendAgentSdkUpdate(commandChannel, sdkUpdate, requestId);
+        await sendRequestError(commandChannel, message, requestId);
+    }
+}
 async function runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient, apiCallOptions, logger) {
     for await (const serverMessage of commandChannel) {
         const requestId = extractServerMessageRequestId(serverMessage);
@@ -2313,6 +2426,9 @@ async function runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient
             case "heartbeatRequest":
                 await sendHeartbeatResponse(commandMessageSink, requestId);
                 break;
+            case "codexConfigurationRequest":
+                await handleCodexConfigurationRequest(cfg, commandMessageSink, serverMessage.request.value, requestId, logger);
+                break;
             default:
                 break;
         }
@@ -2503,16 +2619,12 @@ function sendDaemonParentMessage(message) {
 async function runRootCommand(options, runtimeOptions) {
     const logger = (0, logger_js_1.createLogger)(options.logLevel ?? "INFO", { daemonMode: options.daemon ?? false });
     const cfg = buildRootConfig(options);
-    const configuredSdks = await hasConfiguredSdks(cfg);
-    if (!configuredSdks && options.daemon) {
-        throw new Error("No SDKs configured. Daemon mode requires at least one configured SDK.");
-    }
-    if (!configuredSdks) {
-        await (0, startup_js_1.startup)(cfg);
-        (0, terminal_js_1.restoreInteractiveTerminalState)();
-    }
-    await refreshCodexModelsForRegistration(cfg, logger);
-    const registerRequest = await buildRegisterRunnerRequest(cfg);
+    await (0, auth_js_1.ensureCodexRunnerStartState)(cfg, {
+        useDedicatedAuth: options.useDedicatedAuth,
+        logInfo: (message) => logger.info(message),
+    });
+    const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger);
+    const registerRequest = await buildRegisterRunnerRequest(cfg, logger, codexRefreshErrorMessage);
     const apiCallOptions = buildGrpcAuthCallOptions(options.secret);
     if (options.daemon) {
         await (0, daemon_state_js_1.claimCurrentDaemonState)(cfg.state_db_path, process.pid, resolveEffectiveDaemonLogPath(cfg));

package/dist/commands/runner/common.js

@@ -11,6 +11,7 @@ function addRunnerStartOptions(command) {
         .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .option("--log-path <path>", "Daemon log file override.")
         .option("--use-host-docker-runtime", "Mount host Docker socket into runtime containers instead of creating DinD sidecars.")
+        .option("--use-dedicated-auth", "Preserve existing dedicated Codex auth if already configured; otherwise keep Codex unconfigured on startup.")
         .option("--host-docker-path <path>", "Host Docker endpoint when --use-host-docker-runtime is enabled (unix:///<socket-path> or tcp://localhost:<port>).")
         .option("--thread-git-skills-directory <path>", "Container path where thread git skill repositories are cloned before linking into ~/.codex/skills.")
         .option("-d, --daemon", "Run in daemon mode and fail fast when no SDK is configured.")

package/dist/commands/sdk/codex/auth.js

@@ -1,14 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.defaultUseDedicatedCodexAuthDependencies = exports.defaultSetCodexHostAuthDependencies = void 0;
+exports.defaultUseDedicatedCodexAuthDependencies = exports.defaultEnsureCodexRunnerStartStateDependencies = exports.defaultSetCodexHostAuthDependencies = void 0;
 exports.isErrnoException = isErrnoException;
 exports.buildDockerMissingError = buildDockerMissingError;
 exports.ensureDockerAvailable = ensureDockerAvailable;
+exports.extractCodexDeviceCodeFromOutput = extractCodexDeviceCodeFromOutput;
 exports.listCodexStartupAuthOptions = listCodexStartupAuthOptions;
 exports.setCodexHostAuthInDb = setCodexHostAuthInDb;
 exports.setCodexDedicatedAuthInDb = setCodexDedicatedAuthInDb;
+exports.setCodexApiKeyAuthInDb = setCodexApiKeyAuthInDb;
+exports.setCodexUnconfiguredInDb = setCodexUnconfiguredInDb;
+exports.ensureCodexRunnerStartState = ensureCodexRunnerStartState;
 exports.runSetCodexHostAuth = runSetCodexHostAuth;
 exports.runDedicatedCodexAuth = runDedicatedCodexAuth;
+exports.runCodexApiKeyAuth = runCodexApiKeyAuth;
+exports.runCodexDeviceCodeAuth = runCodexDeviceCodeAuth;
 exports.runUseDedicatedCodexAuth = runUseDedicatedCodexAuth;
 const node_child_process_1 = require("node:child_process");
 const node_fs_1 = require("node:fs");
@@ -22,6 +28,11 @@ exports.defaultSetCodexHostAuthDependencies = {
     getHostInfoFn: host_js_1.getHostInfo,
     initDbFn: db_js_1.initDb,
 };
+exports.defaultEnsureCodexRunnerStartStateDependencies = {
+    ...exports.defaultSetCodexHostAuthDependencies,
+    logInfo: () => undefined,
+    useDedicatedAuth: false,
+};
 exports.defaultUseDedicatedCodexAuthDependencies = {
     initDbFn: db_js_1.initDb,
     logInfo: console.log,
@@ -41,6 +52,100 @@ function ensureDockerAvailable(spawnSyncCommand) {
         throw buildDockerMissingError();
     }
 }
+function extractCodexDeviceCodeFromOutput(output) {
+    const normalizedOutput = output.replace(/\u001b\[[0-9;]*m/g, "");
+    const match = normalizedOutput.match(/Enter this one-time code[\s\S]*?\n\s*([A-Z0-9]{4,}(?:-[A-Z0-9]{4,})+)\s*(?:\n|$)/i);
+    return match?.[1]?.trim() ?? null;
+}
+async function runContainerizedCodexLogin(cfg, deps, options) {
+    ensureDockerAvailable(deps.spawnSyncCommand);
+    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
+    if (!(0, node_fs_1.existsSync)(configDir)) {
+        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
+    }
+    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
+    const containerAuthPath = cfg.codex.codex_auth_path;
+    let authCopied = false;
+    let combinedOutput = "";
+    await new Promise((resolve, reject) => {
+        let settled = false;
+        let poll;
+        const cleanup = () => {
+            if (poll) {
+                clearInterval(poll);
+            }
+            deps.spawnSyncCommand("docker", ["rm", "-f", options.containerName], { stdio: "ignore" });
+        };
+        const tryCopyAuthFile = () => {
+            const check = deps.spawnSyncCommand("docker", ["exec", options.containerName, "sh", "-c", `test -f ${containerAuthPath}`], {
+                stdio: "ignore",
+            });
+            if (check.status !== 0) {
+                return false;
+            }
+            const cpResult = deps.spawnSyncCommand("docker", ["cp", `${options.containerName}:${containerAuthPath}`, destPath], {
+                stdio: "ignore",
+            });
+            if (cpResult.status !== 0) {
+                return false;
+            }
+            authCopied = true;
+            cleanup();
+            return true;
+        };
+        const rejectOnce = (error) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            cleanup();
+            reject(error);
+        };
+        const resolveOnce = () => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            cleanup();
+            resolve();
+        };
+        const child = deps.spawnCommand("docker", options.dockerArgs, { stdio: ["ignore", "pipe", "pipe"] });
+        const handleOutput = (chunk) => {
+            const text = chunk.toString("utf8");
+            combinedOutput += text;
+            options.onOutput?.(combinedOutput);
+        };
+        child.stdout.on("data", handleOutput);
+        child.stderr.on("data", handleOutput);
+        child.on("error", (error) => {
+            if (isErrnoException(error) && error.code === "ENOENT") {
+                rejectOnce(buildDockerMissingError());
+                return;
+            }
+            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
+        });
+        poll = setInterval(() => {
+            if (settled) {
+                return;
+            }
+            if (tryCopyAuthFile()) {
+                resolveOnce();
+            }
+        }, 1000);
+        child.on("exit", () => {
+            if (authCopied) {
+                resolveOnce();
+                return;
+            }
+            if (tryCopyAuthFile()) {
+                resolveOnce();
+                return;
+            }
+            rejectOnce(new Error(`Codex login failed or was cancelled.${combinedOutput.trim().length > 0 ? ` Output: ${combinedOutput.trim()}` : ""}`));
+        });
+    });
+    return destPath;
+}
 function listCodexStartupAuthOptions(cfg, getHostInfoFn = host_js_1.getHostInfo) {
     const options = [
         {
@@ -59,27 +164,55 @@ function listCodexStartupAuthOptions(cfg, getHostInfoFn = host_js_1.getHostInfo)
     }
     return options;
 }
-async function setCodexHostAuthInDb(db) {
+async function upsertCodexSdkState(db, authentication, status) {
     const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
     if (existingSdk) {
         await db
             .update(schema_js_1.agentSdks)
-            .set({ authentication: "host" })
+            .set({ authentication, status })
             .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
         return;
     }
-    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "host" });
+    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication, status });
+}
+async function setCodexHostAuthInDb(db) {
+    await upsertCodexSdkState(db, "host", "configured");
 }
 async function setCodexDedicatedAuthInDb(db) {
-    const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
-    if (existingSdk) {
-        await db
-            .update(schema_js_1.agentSdks)
-            .set({ authentication: "dedicated" })
-            .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
-        return;
+    await upsertCodexSdkState(db, "dedicated", "configured");
+}
+async function setCodexApiKeyAuthInDb(db) {
+    await upsertCodexSdkState(db, "api-key", "configured");
+}
+async function setCodexUnconfiguredInDb(db) {
+    await upsertCodexSdkState(db, "unauthenticated", "unconfigured");
+}
+async function ensureCodexRunnerStartState(cfg, overrides = {}) {
+    const deps = {
+        ...exports.defaultEnsureCodexRunnerStartStateDependencies,
+        ...overrides,
+    };
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
+        if (deps.useDedicatedAuth) {
+            if (existingSdk?.authentication === "dedicated" && existingSdk.status === "configured") {
+                return;
+            }
+            await setCodexUnconfiguredInDb(db);
+            return;
+        }
+        const hostInfo = deps.getHostInfoFn(cfg.codex.codex_auth_path);
+        if (hostInfo.codexAuthExists) {
+            deps.logInfo(`Detected Codex host auth at ${(0, path_js_1.expandHome)(cfg.codex.codex_auth_path)}; using host auth automatically.`);
+            await setCodexHostAuthInDb(db);
+            return;
+        }
+        await setCodexUnconfiguredInDb(db);
+    }
+    finally {
+        client.close();
     }
-    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "dedicated" });
 }
 async function runSetCodexHostAuth(cfg, overrides = {}) {
     const deps = { ...exports.defaultSetCodexHostAuthDependencies, ...overrides };
@@ -98,96 +231,93 @@ async function runSetCodexHostAuth(cfg, overrides = {}) {
     return authPath;
 }
 async function runDedicatedCodexAuth(cfg, db, deps) {
-    ensureDockerAvailable(deps.spawnSyncCommand);
-    const port = cfg.codex.codex_auth_port;
-    const socatPort = port + 1;
     const containerName = `companyhelm-codex-auth-${Date.now()}`;
     deps.logInfo("Starting Codex login inside a container...");
-    deps.logInfo("A browser URL will appear -- open it to complete authentication.");
-    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
-    if (!(0, node_fs_1.existsSync)(configDir)) {
-        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
-    }
-    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
-    let authCopied = false;
-    await new Promise((resolve, reject) => {
-        let settled = false;
-        let poll;
-        const rejectOnce = (error) => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-            reject(error);
-        };
-        const resolveOnce = () => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            resolve();
-        };
-        const child = deps.spawnCommand("docker", [
+    deps.logInfo("A browser URL and device code will appear -- open it to complete authentication.");
+    const destPath = await runContainerizedCodexLogin(cfg, deps, {
+        containerName,
+        dockerArgs: [
             "run",
-            "-it",
             "--name",
             containerName,
-            "-p",
-            `${port}:${socatPort}`,
             "--entrypoint",
             "bash",
             cfg.runtime_image,
-            "-c",
-            `source "$NVM_DIR/nvm.sh"; socat TCP-LISTEN:${socatPort},fork,bind=0.0.0.0,reuseaddr TCP:127.0.0.1:${port} 2>/dev/null & codex`,
-        ], { stdio: "inherit" });
-        child.on("error", (error) => {
-            if (isErrnoException(error) && error.code === "ENOENT") {
-                rejectOnce(buildDockerMissingError());
-                return;
-            }
-            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
-        });
-        poll = setInterval(() => {
-            if (settled) {
-                return;
-            }
-            const check = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `test -f ${cfg.codex.codex_auth_path}`], {
-                stdio: "ignore",
-            });
-            if (check.status === 0) {
-                const resolveResult = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `echo ${cfg.codex.codex_auth_path}`], {
-                    encoding: "utf-8",
-                });
-                const containerAuthAbsPath = resolveResult.stdout.trim();
-                const cpResult = deps.spawnSyncCommand("docker", ["cp", `${containerName}:${containerAuthAbsPath}`, destPath], {
-                    stdio: "ignore",
-                });
-                if (cpResult.status !== 0) {
-                    rejectOnce(new Error("Failed to extract auth file from container."));
-                    return;
-                }
-                authCopied = true;
-                deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-                resolveOnce();
-            }
-        }, 1000);
-        child.on("exit", () => {
-            if (!authCopied) {
-                rejectOnce(new Error("Codex login failed or was cancelled."));
-            }
-        });
+            "-lc",
+            'source "$NVM_DIR/nvm.sh"; codex login --device-auth',
+        ],
     });
     await setCodexDedicatedAuthInDb(db);
     deps.logSuccess(`Codex auth saved to ${destPath}`);
     return destPath;
 }
+async function runCodexApiKeyAuth(cfg, apiKey, overrides = {}) {
+    const deps = { ...exports.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        deps.logInfo("Starting Codex API key login inside a container...");
+        const containerName = `companyhelm-codex-auth-${Date.now()}`;
+        const destPath = await runContainerizedCodexLogin(cfg, deps, {
+            containerName,
+            dockerArgs: [
+                "run",
+                "--name",
+                containerName,
+                "-e",
+                `CODEX_API_KEY=${apiKey}`,
+                "--entrypoint",
+                "bash",
+                cfg.runtime_image,
+                "-lc",
+                'source "$NVM_DIR/nvm.sh"; printf \'%s\\n\' "$CODEX_API_KEY" | codex login --with-api-key',
+            ],
+        });
+        await setCodexApiKeyAuthInDb(db);
+        deps.logSuccess(`Codex auth saved to ${destPath}`);
+        return destPath;
+    }
+    finally {
+        client.close();
+    }
+}
+async function runCodexDeviceCodeAuth(cfg, onDeviceCode, overrides = {}) {
+    const deps = { ...exports.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        let emittedDeviceCode = null;
+        let onDeviceCodePromise = Promise.resolve();
+        deps.logInfo("Starting Codex device login inside a container...");
+        const containerName = `companyhelm-codex-auth-${Date.now()}`;
+        const destPath = await runContainerizedCodexLogin(cfg, deps, {
+            containerName,
+            dockerArgs: [
+                "run",
+                "--name",
+                containerName,
+                "--entrypoint",
+                "bash",
+                cfg.runtime_image,
+                "-lc",
+                'source "$NVM_DIR/nvm.sh"; codex login --device-auth',
+            ],
+            onOutput: (output) => {
+                const deviceCode = extractCodexDeviceCodeFromOutput(output);
+                if (!deviceCode || emittedDeviceCode === deviceCode) {
+                    return;
+                }
+                emittedDeviceCode = deviceCode;
+                onDeviceCodePromise = Promise.resolve(onDeviceCode(deviceCode));
+            },
+        });
+        await onDeviceCodePromise;
+        await setCodexDedicatedAuthInDb(db);
+        deps.logSuccess(`Codex auth saved to ${destPath}`);
+        return destPath;
+    }
+    finally {
+        client.close();
+    }
+}
 async function runUseDedicatedCodexAuth(cfg, overrides = {}) {
     const deps = { ...exports.defaultUseDedicatedCodexAuthDependencies, ...overrides };
     const { db, client } = await deps.initDbFn(cfg.state_db_path);