@desplega.ai/agent-swarm 1.63.0 → 1.63.1

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.63.0",
+    "version": "1.63.1",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.63.0",
+  "version": "1.63.1",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/cli.tsx

@@ -255,6 +255,21 @@ const COMMAND_HELP: Record<
     options: "  -h, --help             Show this help",
     examples: [`  ${binName} artifact serve`, `  ${binName} artifact help`].join("\n"),
   },
+  "codex-login": {
+    usage: `${binName} codex-login [options]`,
+    description:
+      "Authenticate Codex via ChatGPT OAuth (browser or manual paste).\nPrompts interactively for the target API URL and a best-effort masked API key, then stores credentials in the swarm API config store for deployed workers.",
+    options: [
+      "  --api-url <url>    Swarm API URL (default: MCP_BASE_URL or http://localhost:3013)",
+      "  --api-key <key>    Swarm API key (default: API_KEY or 123123)",
+      "  -h, --help         Show this help",
+    ].join("\n"),
+    examples: [
+      `  ${binName} codex-login`,
+      `  ${binName} codex-login --api-url https://swarm.example.com`,
+      `  ${binName} codex-login --api-url https://swarm.example.com --api-key <api-key>`,
+    ].join("\n"),
+  },
 };
 
 function printHelp(command?: string) {
@@ -283,6 +298,7 @@ function printHelp(command?: string) {
     ["hook", "Handle Claude Code hook events (stdin)"],
     ["artifact", "Manage agent artifacts"],
     ["docs", "Open documentation (--open to launch in browser)"],
+    ["codex-login", "Authenticate Codex via ChatGPT OAuth"],
     ["version", "Show version number"],
     ["help", "Show this help message"],
   ];
@@ -535,6 +551,10 @@ if (args.showHelp || args.command === "help" || args.command === undefined) {
     port: args.port,
     key: args.key,
   });
+} else if (args.command === "codex-login") {
+  const { runCodexLogin } = await import("./commands/codex-login");
+  const codexLoginArgs = process.argv.slice(process.argv.indexOf("codex-login") + 1);
+  await runCodexLogin(codexLoginArgs);
 } else {
   render(<App args={args} />);
 }

package/src/commands/codex-login.ts

@@ -0,0 +1,263 @@
+/**
+ * `agent-swarm codex-login` — authenticate Codex via ChatGPT OAuth.
+ *
+ * Runs the OAuth PKCE flow (browser redirect to localhost:1455, manual paste
+ * fallback), extracts chatgpt_account_id from the JWT, and stores the
+ * credentials in the swarm API config store at global scope.
+ *
+ * This is a non-UI command (plain stdout, no Ink) — it exits immediately
+ * after completing or failing the OAuth flow.
+ */
+
+import { exec } from "node:child_process";
+import { emitKeypressEvents } from "node:readline";
+
+import { loginCodexOAuth } from "../providers/codex-oauth/flow.js";
+import { storeCodexOAuth } from "../providers/codex-oauth/storage.js";
+
+type PromptTextFn = (label: string, defaultValue: string) => Promise<string>;
+type PromptSecretFn = (label: string, defaultValue: string, helpText?: string) => Promise<string>;
+
+type ResolveCodexLoginConfigDeps = {
+  env?: Record<string, string | undefined>;
+  isInteractive?: boolean;
+  promptText?: PromptTextFn;
+  promptSecret?: PromptSecretFn;
+};
+
+type RunCodexLoginDeps = {
+  resolveConfig?: typeof resolveCodexLoginConfig;
+  login?: typeof loginCodexOAuth;
+  store?: typeof storeCodexOAuth;
+  log?: (message: string) => void;
+  error?: (message: string) => void;
+  exit?: (code: number) => void;
+};
+
+type ParsedCodexLoginArgs = {
+  apiUrl?: string;
+  apiKey?: string;
+  showHelp: boolean;
+};
+
+function parseCodexLoginArgs(args: string[]): ParsedCodexLoginArgs {
+  const parsed: ParsedCodexLoginArgs = { showHelp: false };
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg === "--api-url" && args[i + 1]) {
+      parsed.apiUrl = args[++i]!;
+    } else if (arg === "--api-key" && args[i + 1]) {
+      parsed.apiKey = args[++i]!;
+    } else if (arg === "--help" || arg === "-h") {
+      parsed.showHelp = true;
+    }
+  }
+
+  return parsed;
+}
+
+async function promptTextInput(label: string, defaultValue: string): Promise<string> {
+  const { createInterface } = await import("node:readline");
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise<string>((resolve) => {
+    const suffix = defaultValue ? ` [${defaultValue}]` : "";
+    rl.question(`${label}${suffix}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+async function promptHiddenInput(
+  label: string,
+  _defaultValue: string,
+  helpText?: string,
+): Promise<string> {
+  const stdin = process.stdin;
+  const stdout = process.stdout;
+
+  if (!stdin.isTTY || !stdout.isTTY || typeof stdin.setRawMode !== "function") {
+    return promptTextInput(label, "");
+  }
+
+  if (helpText) {
+    stdout.write(`${helpText}\n`);
+  }
+  stdout.write(`${label}: `);
+
+  emitKeypressEvents(stdin);
+  const wasRaw = stdin.isRaw;
+  stdin.setRawMode(true);
+  stdin.resume();
+
+  return new Promise<string>((resolve, reject) => {
+    let value = "";
+
+    const cleanup = () => {
+      stdin.setRawMode(Boolean(wasRaw));
+      stdin.pause();
+      stdin.removeListener("keypress", onKeypress);
+      stdout.write("\n");
+    };
+
+    const onKeypress = (str: string, key: { name?: string; ctrl?: boolean; meta?: boolean }) => {
+      if (key.ctrl && key.name === "c") {
+        cleanup();
+        reject(new Error("Aborted"));
+        return;
+      }
+
+      if (key.name === "return" || key.name === "enter") {
+        cleanup();
+        resolve(value.trim());
+        return;
+      }
+
+      if (key.name === "backspace") {
+        if (value.length > 0) {
+          value = value.slice(0, -1);
+          stdout.write("\b \b");
+        }
+        return;
+      }
+
+      if (!key.ctrl && !key.meta && str) {
+        value += str;
+        stdout.write("*");
+      }
+    };
+
+    stdin.on("keypress", onKeypress);
+  });
+}
+
+export async function resolveCodexLoginConfig(
+  args: string[],
+  deps: ResolveCodexLoginConfigDeps = {},
+): Promise<{ apiUrl: string; apiKey: string }> {
+  const env = deps.env ?? process.env;
+  const parsed = parseCodexLoginArgs(args);
+  const promptText = deps.promptText ?? promptTextInput;
+  const promptSecret = deps.promptSecret ?? promptHiddenInput;
+  const isInteractive = deps.isInteractive ?? Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  const defaultApiUrl = env.MCP_BASE_URL || "http://localhost:3013";
+  const defaultApiKey = env.API_KEY || "123123";
+
+  let apiUrl = parsed.apiUrl ?? defaultApiUrl;
+  let apiKey = parsed.apiKey ?? defaultApiKey;
+
+  if (!parsed.apiUrl && isInteractive) {
+    apiUrl = (await promptText("Swarm API URL", defaultApiUrl)).trim() || defaultApiUrl;
+  }
+
+  if (!parsed.apiKey && isInteractive) {
+    const apiKeyHelp = env.API_KEY
+      ? "Press Enter to use API_KEY from the environment"
+      : "Press Enter to use the default local API key";
+    apiKey =
+      (await promptSecret("Swarm API key", defaultApiKey, apiKeyHelp)).trim() || defaultApiKey;
+  }
+
+  return { apiUrl, apiKey };
+}
+
+function printHelp() {
+  console.log(`
+agent-swarm codex-login — Authenticate Codex via ChatGPT OAuth
+
+Usage:
+  agent-swarm codex-login [options]
+
+Options:
+  --api-url <url>    Swarm API URL (default: MCP_BASE_URL or http://localhost:3013)
+  --api-key <key>    Swarm API key (default: API_KEY or 123123)
+  -h, --help         Show this help
+
+Without flags, the command prompts interactively for the target API URL and
+for the swarm API key using masked input when the terminal supports it.
+
+This command runs the OpenAI Codex OAuth PKCE flow:
+  1. Opens a browser to ChatGPT login
+  2. Receives the authorization code via localhost:1455 callback
+  3. Exchanges the code for access/refresh tokens
+  4. Stores credentials in the swarm API config store
+
+Deployed Codex workers automatically restore these credentials at boot.
+`);
+}
+
+export async function runCodexLogin(args: string[], deps: RunCodexLoginDeps = {}): Promise<void> {
+  const resolveConfig = deps.resolveConfig ?? resolveCodexLoginConfig;
+  const login = deps.login ?? loginCodexOAuth;
+  const store = deps.store ?? storeCodexOAuth;
+  const log = deps.log ?? console.log;
+  const error = deps.error ?? console.error;
+  const exit = deps.exit ?? ((code: number) => process.exit(code));
+
+  if (parseCodexLoginArgs(args).showHelp) {
+    printHelp();
+    return;
+  }
+
+  let browserOpened = false;
+
+  try {
+    const { apiUrl, apiKey } = await resolveConfig(args);
+
+    log("Starting Codex ChatGPT OAuth login...\n");
+    log(`Target swarm API: ${apiUrl}\n`);
+
+    const creds = await login({
+      onAuth: ({ url, instructions }) => {
+        log(`Open this URL in your browser:\n\n  ${url}\n`);
+        if (instructions) {
+          log(instructions);
+        }
+        // Try to open the browser (fire-and-forget, non-fatal)
+        if (!browserOpened) {
+          browserOpened = true;
+          const cmd =
+            process.platform === "darwin"
+              ? "open"
+              : process.platform === "win32"
+                ? "start"
+                : "xdg-open";
+          exec(`${cmd} "${url}"`, (err) => {
+            if (err) {
+              log("(Could not open browser automatically)\n");
+            }
+          });
+        }
+      },
+      onPrompt: async ({ message }) => {
+        return promptTextInput(message, "");
+      },
+      onProgress: (message) => {
+        log(message);
+      },
+      onManualCodeInput: async () => {
+        return promptTextInput("Or paste the authorization code here", "");
+      },
+    });
+
+    log("\nOAuth flow completed successfully!");
+    log(`  Account ID: ${creds.accountId}`);
+    log(`  Expires: ${new Date(creds.expires).toISOString()}`);
+
+    // Store credentials in the swarm API config store
+    log("\nStoring credentials in swarm API config store...");
+    await store(apiUrl, apiKey, creds);
+    log("Credentials stored successfully!");
+
+    log("\nDeployed Codex workers will automatically restore these credentials at boot.");
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    error(`\nError: ${message}`);
+    exit(1);
+  }
+}

package/src/commands/runner.ts

@@ -10,6 +10,7 @@ import {
   generateDefaultToolsMd,
 } from "../prompts/defaults.ts";
 import { configureHttpResolver, resolveTemplateAsync } from "../prompts/resolver.ts";
+import { authJsonToCredentialSelection } from "../providers/codex-oauth/auth-json.js";
 import {
   type CostData,
   createProviderAdapter,
@@ -17,6 +18,7 @@ import {
   type ProviderSession,
   type ProviderSessionConfig,
 } from "../providers/index.ts";
+import { initTelemetry, telemetry } from "../telemetry.ts";
 import type { RepoGuidelines } from "../types.ts";
 import { getContextWindowSize } from "../utils/context-window.ts";
 import { type CredentialSelection, resolveCredentialPools } from "../utils/credentials.ts";
@@ -634,6 +636,33 @@ async function reportKeyUsage(
   }
 }
 
+async function resolveCodexOAuthCredentialInfo(): Promise<CredentialSelection | null> {
+  try {
+    const home = process.env.HOME;
+    if (!home) return null;
+
+    const authFile = Bun.file(`${home}/.codex/auth.json`);
+    if (!(await authFile.exists())) {
+      return null;
+    }
+
+    const auth = JSON.parse(await authFile.text()) as {
+      auth_mode?: string;
+      tokens?: { account_id?: string };
+    };
+
+    if (auth.auth_mode !== "chatgpt" || !auth.tokens?.account_id) {
+      return null;
+    }
+
+    return authJsonToCredentialSelection(
+      auth as Parameters<typeof authJsonToCredentialSelection>[0],
+    );
+  } catch {
+    return null;
+  }
+}
+
 /** Report a rate-limited key to the API (fire-and-forget) */
 async function reportKeyRateLimit(
   apiUrl: string,
@@ -848,6 +877,7 @@ function setupShutdownHandlers(
     }
 
     if (apiConfig) {
+      telemetry.session("ended", { agentId: apiConfig.agentId });
       await closeAgent(apiConfig, role);
     }
     await savePm2State(role);
@@ -1567,6 +1597,20 @@ async function spawnProviderProcess(
 
   const session = await adapter.createSession(config);
 
+  let oauthSelection: CredentialSelection | undefined;
+  if (adapter.name === "codex" && credentialSelections.length === 0) {
+    oauthSelection = (await resolveCodexOAuthCredentialInfo()) ?? undefined;
+    if (oauthSelection && realTaskId) {
+      reportKeyUsage(
+        opts.apiUrl,
+        opts.apiKey,
+        oauthSelection.keyType,
+        oauthSelection,
+        realTaskId,
+      ).catch(() => {});
+    }
+  }
+
   // Set up log streaming
   const logBuffer: LogBuffer = { lines: [], lastFlush: Date.now(), partialLine: "" };
   const shouldStream = opts.apiUrl && opts.runnerSessionId && opts.iteration;
@@ -1874,7 +1918,7 @@ async function spawnProviderProcess(
   });
 
   // Build credential info for rate limit tracking
-  const primarySelection = credentialSelections[0];
+  const primarySelection = credentialSelections[0] ?? oauthSelection;
   const credentialInfo = primarySelection
     ? {
         keyType: primarySelection.keyType,
@@ -2008,7 +2052,7 @@ async function checkCompletedProcesses(
         console.log(`[${role}] Detected error for task ${taskId.slice(0, 8)}: ${failureReason}`);
 
         // If rate-limited and we know which key was used, report it
-        if (credentialInfo && /rate.?limit/i.test(failureReason)) {
+        if (credentialInfo && /rate.?limit|hit your limit/i.test(failureReason)) {
           // Try to extract reset time from the error message (e.g. "resets 3pm (UTC)")
           const parsedResetTime = parseRateLimitResetTime(failureReason);
           const defaultCooldownMs = 5 * 60 * 1000;
@@ -2162,6 +2206,46 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
     configureHttpResolver(apiUrl, process.env.API_KEY);
   }
 
+  // Initialize anonymized telemetry (opt-out via ANONYMIZED_TELEMETRY=false)
+  // Workers use HTTP-based config access (cannot import DB directly)
+  {
+    const telemetryApiKey = process.env.API_KEY;
+    await initTelemetry(
+      "worker",
+      async (key) => {
+        if (!telemetryApiKey) return undefined;
+        try {
+          const resp = await fetch(`${apiUrl}/api/config?scope=global&includeSecrets=true`, {
+            headers: { Authorization: `Bearer ${telemetryApiKey}` },
+            signal: AbortSignal.timeout(5_000),
+          });
+          if (!resp.ok) return undefined;
+          const data = (await resp.json()) as { configs: { key: string; value: string }[] };
+          return data.configs.find((c) => c.key === key)?.value;
+        } catch {
+          return undefined;
+        }
+      },
+      async (key, value) => {
+        if (!telemetryApiKey) return;
+        try {
+          await fetch(`${apiUrl}/api/config`, {
+            method: "PUT",
+            headers: {
+              Authorization: `Bearer ${telemetryApiKey}`,
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ scope: "global", key, value }),
+            signal: AbortSignal.timeout(5_000),
+          });
+        } catch {
+          // Silently ignore — telemetry is best-effort
+        }
+      },
+    );
+  }
+  telemetry.session("started", { agentId });
+
   let capabilities = config.capabilities;
 
   // Agent identity fields — populated after registration by fetching full profile

package/src/http/index.ts

@@ -8,12 +8,13 @@ import { ensure, initialize } from "@desplega.ai/business-use";
 import type { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { getEnabledCapabilities, hasCapability } from "@/server";
 import { initAgentMail } from "../agentmail";
-import { closeDb } from "../be/db";
+import { closeDb, getSwarmConfigs, upsertSwarmConfig } from "../be/db";
 import { initGitHub } from "../github";
 import { initGitLab } from "../gitlab";
 import { stopHeartbeat } from "../heartbeat";
 import { initLinear } from "../linear";
 import { startSlackApp, stopSlackApp } from "../slack";
+import { initTelemetry, telemetry } from "../telemetry";
 import { initWorkflows } from "../workflows";
 import { handleActiveSessions } from "./active-sessions";
 import { handleAgentRegister, handleAgentsRest } from "./agents";
@@ -214,6 +215,16 @@ httpServer
       console.error("Failed to load global swarm configs:", e);
     }
 
+    // Initialize anonymized telemetry (opt-out via ANONYMIZED_TELEMETRY=false)
+    await initTelemetry(
+      "api-server",
+      (key) => getSwarmConfigs({ scope: "global", key })?.[0]?.value,
+      (key, value) => {
+        upsertSwarmConfig({ scope: "global", key, value });
+      },
+    );
+    telemetry.server("started", { port });
+
     // Start Slack bot (if configured)
     await startSlackApp();
 

package/src/http/poll.ts

@@ -18,6 +18,7 @@ import {
   upsertChannelActivityCursor,
 } from "../be/db";
 import { fetchChannelActivity } from "../slack/channel-activity";
+import { telemetry } from "../telemetry";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
 
@@ -145,6 +146,12 @@ export async function handlePoll(
               conditions: [{ timeout_ms: 300_000 }], // 5 min: polling interval + queue wait
             });
 
+            telemetry.taskEvent("started", {
+              taskId: pendingTask.id,
+              source: pendingTask.source,
+              agentId: myAgentId,
+            });
+
             // Resolve requesting user if available
             const requestedByUser = pendingTask.requestedByUserId
               ? getUserById(pendingTask.requestedByUserId)
@@ -199,6 +206,11 @@ export async function handlePoll(
             for (const candidateId of unassignedIds) {
               const claimed = claimTask(candidateId, myAgentId);
               if (claimed) {
+                telemetry.taskEvent("claimed", {
+                  taskId: claimed.id,
+                  source: claimed.source,
+                  agentId: myAgentId,
+                });
                 return {
                   trigger: {
                     type: "task_assigned",

package/src/http/tasks.ts

@@ -19,6 +19,7 @@ import {
   updateTaskProgress,
   updateTaskVcs,
 } from "../be/db";
+import { telemetry } from "../telemetry";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
 
@@ -269,6 +270,14 @@ export async function handleTasks(
         },
       });
 
+      telemetry.taskEvent("created", {
+        taskId: task.id,
+        source: task.source,
+        tags: parsed.body.tags ?? [],
+        hasParent: !!task.parentTaskId,
+        priority: task.priority,
+      });
+
       json(res, task, 201);
     } catch (error) {
       console.error("[HTTP] Failed to create task:", error);
@@ -370,6 +379,14 @@ export async function handleTasks(
       });
     }
 
+    telemetry.taskEvent("cancelled", {
+      taskId: parsed.params.id,
+      source: task.source,
+      agentId: task.agentId ?? undefined,
+      previousStatus: task.status,
+      durationMs: task.createdAt ? Date.now() - new Date(task.createdAt).getTime() : undefined,
+    });
+
     if (task.agentId) {
       updateAgentStatusFromCapacity(task.agentId);
     }
@@ -469,6 +486,16 @@ export async function handleTasks(
 
     if (result.task && !("alreadyFinished" in result && result.alreadyFinished)) {
       const finishEventId = parsed.body.status === "completed" ? "completed" : "failed";
+
+      const durationMs = result.task.createdAt
+        ? Date.now() - new Date(result.task.createdAt).getTime()
+        : undefined;
+
+      telemetry.taskEvent(finishEventId, {
+        taskId: parsed.params.id,
+        agentId: myAgentId,
+        durationMs,
+      });
       ensure({
         id: finishEventId,
         flow: "task",

package/src/providers/codex-adapter.ts

@@ -72,6 +72,8 @@ import {
   getCodexContextWindow,
   resolveCodexModel,
 } from "./codex-models";
+import { credentialsToAuthJson } from "./codex-oauth/auth-json.js";
+import { getValidCodexOAuth } from "./codex-oauth/storage.js";
 import { resolveCodexPrompt } from "./codex-skill-resolver";
 import { createCodexSwarmEventHandler } from "./codex-swarm-events";
 import type {
@@ -792,6 +794,46 @@ export class CodexAdapter implements ProviderAdapter {
         ...(config.env ?? {}),
       };
 
+      // OAuth credential resolution: if no OPENAI_API_KEY is set, try to
+      // restore or refresh ChatGPT OAuth credentials from the config store.
+      // The entrypoint also restores at boot, but this handles cases where
+      // the entrypoint didn't run (local dev) or tokens expired mid-session.
+      if (!process.env.OPENAI_API_KEY && config.apiUrl && config.apiKey) {
+        const authJsonPath = join(os.homedir(), ".codex", "auth.json");
+        let hasAuth = false;
+        try {
+          const fs = await import("node:fs/promises");
+          await fs.access(authJsonPath);
+          hasAuth = true;
+        } catch {
+          // auth.json doesn't exist
+        }
+
+        if (!hasAuth) {
+          const oauthCreds = await getValidCodexOAuth(config.apiUrl, config.apiKey);
+          if (oauthCreds) {
+            try {
+              const fs = await import("node:fs/promises");
+              const authJson = credentialsToAuthJson(oauthCreds);
+              await fs.mkdir(join(os.homedir(), ".codex"), { recursive: true, mode: 0o700 });
+              await fs.writeFile(authJsonPath, JSON.stringify(authJson, null, 2), {
+                mode: 0o600,
+              });
+              bufferedEmit({
+                type: "raw_stderr",
+                content: "[codex] Restored OAuth credentials from config store\n",
+              });
+            } catch (err) {
+              const message = err instanceof Error ? err.message : String(err);
+              bufferedEmit({
+                type: "raw_stderr",
+                content: `[codex] Failed to write auth.json: ${message}\n`,
+              });
+            }
+          }
+        }
+      }
+
       // The SDK's default `findCodexPath()` does `require.resolve("@openai/codex")`
       // from the SDK's own module. When agent-swarm runs as a Bun single-file
       // compiled executable, the bundled SDK can't resolve `@openai/codex` at