@gakr-gakr/codex 0.1.0

package/src/app-server/plugin-activation.ts

@@ -0,0 +1,283 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import {
+  type CodexAppInventoryCache,
+  type CodexAppInventoryRequest,
+} from "./app-inventory-cache.js";
+import { CODEX_PLUGINS_MARKETPLACE_NAME, type ResolvedCodexPluginPolicy } from "./config.js";
+import {
+  findOpenAiCuratedPluginSummary,
+  pluginReadParams,
+  type CodexPluginMarketplaceRef,
+  type CodexPluginRuntimeRequest,
+} from "./plugin-inventory.js";
+import type { v2 } from "./protocol.js";
+
+export type CodexPluginActivationReason =
+  | "already_active"
+  | "installed"
+  | "disabled"
+  | "marketplace_missing"
+  | "plugin_missing"
+  | "auth_required"
+  | "refresh_failed";
+
+export type CodexPluginActivationDiagnostic = {
+  message: string;
+};
+
+export type CodexPluginActivationResult = {
+  identity: ResolvedCodexPluginPolicy;
+  ok: boolean;
+  reason: CodexPluginActivationReason;
+  installAttempted: boolean;
+  marketplace?: CodexPluginMarketplaceRef;
+  installResponse?: v2.PluginInstallResponse;
+  diagnostics: CodexPluginActivationDiagnostic[];
+};
+
+export type EnsureCodexPluginActivationParams = {
+  identity: ResolvedCodexPluginPolicy;
+  request: CodexPluginRuntimeRequest;
+  appCache?: CodexAppInventoryCache;
+  appCacheKey?: string;
+  installEvenIfActive?: boolean;
+};
+
+export type CodexPluginRuntimeRefreshResult = {
+  diagnostics: CodexPluginActivationDiagnostic[];
+};
+
+export async function ensureCodexPluginActivation(
+  params: EnsureCodexPluginActivationParams,
+): Promise<CodexPluginActivationResult> {
+  if (params.identity.marketplaceName !== CODEX_PLUGINS_MARKETPLACE_NAME) {
+    return activationFailure(params.identity, "marketplace_missing", {
+      message: "Only " + CODEX_PLUGINS_MARKETPLACE_NAME + " plugins can be activated.",
+    });
+  }
+
+  const listed = (await params.request("plugin/list", {
+    cwds: [],
+  } satisfies v2.PluginListParams)) as v2.PluginListResponse;
+  const resolved = findOpenAiCuratedPluginSummary(listed, params.identity.pluginName);
+  if (!resolved) {
+    const hasCuratedMarketplace = listed.marketplaces.some(
+      (marketplace) => marketplace.name === CODEX_PLUGINS_MARKETPLACE_NAME,
+    );
+    if (!hasCuratedMarketplace) {
+      return activationFailure(params.identity, "marketplace_missing", {
+        message: `Codex marketplace ${CODEX_PLUGINS_MARKETPLACE_NAME} was not found.`,
+      });
+    }
+    return activationFailure(params.identity, "plugin_missing", {
+      message: `${params.identity.pluginName} was not found in ${CODEX_PLUGINS_MARKETPLACE_NAME}.`,
+    });
+  }
+
+  if (resolved.summary.installed && resolved.summary.enabled && !params.installEvenIfActive) {
+    return {
+      identity: params.identity,
+      ok: true,
+      reason: "already_active",
+      installAttempted: false,
+      marketplace: resolved.marketplace,
+      diagnostics: [],
+    };
+  }
+
+  const installResponse = (await params.request(
+    "plugin/install",
+    pluginReadParams(
+      resolved.marketplace,
+      params.identity.pluginName,
+    ) satisfies v2.PluginInstallParams,
+  )) as v2.PluginInstallResponse;
+  const refreshDiagnostics: CodexPluginActivationDiagnostic[] = [];
+  let refreshFailed = false;
+  try {
+    const refreshResult = await refreshCodexPluginRuntimeState({
+      request: params.request,
+      appCache: params.appCache,
+      appCacheKey: params.appCacheKey,
+    });
+    refreshDiagnostics.push(...refreshResult.diagnostics);
+  } catch (error) {
+    refreshFailed = true;
+    refreshDiagnostics.push({
+      message: `Codex plugin runtime refresh failed after install: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    });
+  }
+  const authRequired = installResponse.appsNeedingAuth.length > 0;
+  return {
+    identity: params.identity,
+    ok: !authRequired && !refreshFailed,
+    reason: refreshFailed
+      ? "refresh_failed"
+      : authRequired
+        ? "auth_required"
+        : resolved.summary.installed && resolved.summary.enabled
+          ? "already_active"
+          : "installed",
+    installAttempted: true,
+    marketplace: resolved.marketplace,
+    installResponse,
+    diagnostics: [
+      ...refreshDiagnostics,
+      ...installResponse.appsNeedingAuth.map((app) => ({
+        message: `${app.name} requires app authentication before plugin tools are exposed.`,
+      })),
+    ],
+  };
+}
+
+export async function refreshCodexPluginRuntimeState(params: {
+  request: CodexPluginRuntimeRequest;
+  appCache?: CodexAppInventoryCache;
+  appCacheKey?: string;
+}): Promise<CodexPluginRuntimeRefreshResult> {
+  const diagnostics: CodexPluginActivationDiagnostic[] = [];
+  await params.request("plugin/list", {
+    cwds: [],
+  } satisfies v2.PluginListParams);
+  await params.request("skills/list", {
+    cwds: [],
+    forceReload: true,
+  } satisfies v2.SkillsListParams);
+  try {
+    await params.request("hooks/list", {
+      cwds: [],
+    } satisfies v2.HooksListParams);
+  } catch (error) {
+    diagnostics.push({
+      message: `Codex hooks refresh skipped: ${error instanceof Error ? error.message : String(error)}`,
+    });
+  }
+  await params.request("config/mcpServer/reload", undefined);
+
+  if (params.appCache && params.appCacheKey) {
+    params.appCache.invalidate(params.appCacheKey, "Codex plugin activation changed app inventory");
+    const request: CodexAppInventoryRequest = async (method, requestParams) =>
+      (await params.request(method, requestParams)) as v2.AppsListResponse;
+    try {
+      await params.appCache.refreshNow({
+        key: params.appCacheKey,
+        request,
+        forceRefetch: true,
+      });
+    } catch (error) {
+      diagnostics.push({
+        message: `Codex app inventory refresh skipped: ${
+          error instanceof Error ? error.message : String(error)
+        }`,
+      });
+    }
+  }
+
+  return { diagnostics };
+}
+
+export async function ensureCodexAppsSubstrateConfig(params: {
+  codexHome: string;
+  readFile?: (filePath: string, encoding: "utf8") => Promise<string>;
+  writeFile?: (filePath: string, content: string, encoding: "utf8") => Promise<void>;
+  mkdir?: (dirPath: string, options: { recursive: true }) => Promise<unknown>;
+}): Promise<{ changed: boolean; configPath: string }> {
+  const readFile = params.readFile ?? ((filePath, encoding) => fs.readFile(filePath, encoding));
+  const writeFile =
+    params.writeFile ??
+    ((filePath, content, encoding) => fs.writeFile(filePath, content, encoding));
+  const mkdir = params.mkdir ?? ((dirPath, options) => fs.mkdir(dirPath, options));
+  const configPath = path.join(params.codexHome, "config.toml");
+  let current = "";
+  try {
+    current = await readFile(configPath, "utf8");
+  } catch (error) {
+    if (!isEnoent(error)) {
+      throw error;
+    }
+  }
+
+  const next = upsertTomlBoolean(
+    upsertTomlBoolean(current, "features", "apps", true),
+    "apps._default",
+    "enabled",
+    true,
+  );
+  if (next === current) {
+    return { changed: false, configPath };
+  }
+  await mkdir(path.dirname(configPath), { recursive: true });
+  await writeFile(configPath, next, "utf8");
+  return { changed: true, configPath };
+}
+
+export function upsertTomlBoolean(
+  source: string,
+  section: string,
+  key: string,
+  value: boolean,
+): string {
+  const lines = source.replace(/\r\n/g, "\n").split("\n");
+  if (lines.length > 0 && lines.at(-1) === "") {
+    lines.pop();
+  }
+  const sectionHeaderPattern = new RegExp(`^\\s*\\[${escapeRegExp(section)}\\]\\s*(?:#.*)?$`);
+  const anySectionPattern = /^\s*\[[^\]]+\]\s*(?:#.*)?$/;
+  const keyPattern = new RegExp(`^\\s*${escapeRegExp(key)}\\s*=`);
+  const desiredLine = `${key} = ${value ? "true" : "false"}`;
+  const sectionStart = lines.findIndex((line) => sectionHeaderPattern.test(line));
+  if (sectionStart === -1) {
+    const nextLines = [...lines];
+    if (nextLines.length > 0 && nextLines.at(-1)?.trim()) {
+      nextLines.push("");
+    }
+    nextLines.push(`[${section}]`, desiredLine);
+    return `${nextLines.join("\n")}\n`;
+  }
+
+  let sectionEnd = lines.length;
+  for (let index = sectionStart + 1; index < lines.length; index += 1) {
+    if (anySectionPattern.test(lines[index] ?? "")) {
+      sectionEnd = index;
+      break;
+    }
+  }
+  for (let index = sectionStart + 1; index < sectionEnd; index += 1) {
+    if (keyPattern.test(lines[index] ?? "")) {
+      if (lines[index] === desiredLine) {
+        return `${lines.join("\n")}\n`;
+      }
+      const nextLines = [...lines];
+      nextLines[index] = desiredLine;
+      return `${nextLines.join("\n")}\n`;
+    }
+  }
+  const nextLines = [...lines];
+  nextLines.splice(sectionEnd, 0, desiredLine);
+  return `${nextLines.join("\n")}\n`;
+}
+
+function activationFailure(
+  identity: ResolvedCodexPluginPolicy,
+  reason: CodexPluginActivationReason,
+  diagnostic: CodexPluginActivationDiagnostic,
+): CodexPluginActivationResult {
+  return {
+    identity,
+    ok: false,
+    reason,
+    installAttempted: false,
+    diagnostics: [diagnostic],
+  };
+}
+
+function isEnoent(error: unknown): boolean {
+  return Boolean(error && typeof error === "object" && "code" in error && error.code === "ENOENT");
+}
+
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/src/app-server/plugin-app-cache-key.ts

@@ -0,0 +1,74 @@
+import { createHash } from "node:crypto";
+import {
+  buildCodexAppInventoryCacheKey,
+  type CodexAppInventoryCacheKeyInput,
+} from "./app-inventory-cache.js";
+import { resolveCodexAppServerHomeDir } from "./auth-bridge.js";
+import type { CodexAppServerRuntimeOptions, CodexAppServerStartOptions } from "./config.js";
+
+export type CodexPluginAppCacheKeyParams = Omit<
+  CodexAppInventoryCacheKeyInput,
+  "codexHome" | "endpoint"
+> & {
+  appServer: Pick<CodexAppServerRuntimeOptions, "start">;
+  agentDir?: string;
+};
+
+export function buildCodexPluginAppCacheKey(params: CodexPluginAppCacheKeyParams): string {
+  return buildCodexAppInventoryCacheKey({
+    codexHome: resolveCodexPluginAppCacheCodexHome(params.appServer, params.agentDir),
+    endpoint: resolveCodexPluginAppCacheEndpoint(params.appServer),
+    authProfileId: params.authProfileId,
+    accountId: params.accountId,
+    envApiKeyFingerprint: params.envApiKeyFingerprint,
+    appServerVersion: params.appServerVersion,
+  });
+}
+
+export function resolveCodexPluginAppCacheEndpoint(
+  appServer: Pick<CodexAppServerRuntimeOptions, "start">,
+): string {
+  return JSON.stringify({
+    transport: appServer.start.transport,
+    command: appServer.start.command,
+    args: appServer.start.args,
+    url: appServer.start.url ?? null,
+    credentialFingerprint: fingerprintCodexPluginAppCacheCredentials(appServer.start),
+  });
+}
+
+export function resolveCodexPluginAppCacheCodexHome(
+  appServer: Pick<CodexAppServerRuntimeOptions, "start">,
+  agentDir?: string,
+): string | undefined {
+  const configuredCodexHome = appServer.start.env?.CODEX_HOME?.trim();
+  if (configuredCodexHome) {
+    return configuredCodexHome;
+  }
+  return appServer.start.transport === "stdio" && agentDir
+    ? resolveCodexAppServerHomeDir(agentDir)
+    : undefined;
+}
+
+function fingerprintCodexPluginAppCacheCredentials(
+  startOptions: CodexAppServerStartOptions,
+): string | null {
+  const authToken = startOptions.authToken ?? "";
+  const headers = Object.entries(startOptions.headers)
+    .map(([key, value]) => [key.toLowerCase(), value] as const)
+    .toSorted(([left], [right]) => left.localeCompare(right));
+  if (!authToken && headers.length === 0) {
+    return null;
+  }
+  const hash = createHash("sha256");
+  hash.update("autobot:codex:plugin-app-cache-credentials:v1");
+  hash.update("\0");
+  hash.update(authToken);
+  for (const [key, value] of headers) {
+    hash.update("\0");
+    hash.update(key);
+    hash.update("\0");
+    hash.update(value);
+  }
+  return `sha256:${hash.digest("hex")}`;
+}

package/src/app-server/plugin-approval-roundtrip.ts

@@ -0,0 +1,122 @@
+import {
+  callGatewayTool,
+  type EmbeddedRunAttemptParams,
+} from "autobot/plugin-sdk/agent-harness-runtime";
+
+const DEFAULT_CODEX_APPROVAL_TIMEOUT_MS = 120_000;
+const MAX_PLUGIN_APPROVAL_TITLE_LENGTH = 80;
+const MAX_PLUGIN_APPROVAL_DESCRIPTION_LENGTH = 256;
+
+type ExecApprovalDecision = "allow-once" | "allow-always" | "deny";
+
+export type AppServerApprovalOutcome =
+  | "approved-once"
+  | "approved-session"
+  | "denied"
+  | "unavailable"
+  | "cancelled";
+
+type ApprovalRequestResult = {
+  id?: string;
+  decision?: ExecApprovalDecision | null;
+};
+
+type ApprovalWaitResult = {
+  id?: string;
+  decision?: ExecApprovalDecision | null;
+};
+
+export async function requestPluginApproval(params: {
+  paramsForRun: EmbeddedRunAttemptParams;
+  title: string;
+  description: string;
+  severity: "info" | "warning";
+  toolName: string;
+  toolCallId?: string;
+}): Promise<ApprovalRequestResult | undefined> {
+  const timeoutMs = DEFAULT_CODEX_APPROVAL_TIMEOUT_MS;
+  return callGatewayTool(
+    "plugin.approval.request",
+    { timeoutMs: timeoutMs + 10_000 },
+    {
+      pluginId: "autobot-codex-app-server",
+      title: truncateForGateway(params.title, MAX_PLUGIN_APPROVAL_TITLE_LENGTH),
+      description: truncateForGateway(params.description, MAX_PLUGIN_APPROVAL_DESCRIPTION_LENGTH),
+      severity: params.severity,
+      toolName: params.toolName,
+      toolCallId: params.toolCallId,
+      agentId: params.paramsForRun.agentId,
+      sessionKey: params.paramsForRun.sessionKey,
+      turnSourceChannel: params.paramsForRun.messageChannel ?? params.paramsForRun.messageProvider,
+      turnSourceTo: params.paramsForRun.currentChannelId,
+      turnSourceAccountId: params.paramsForRun.agentAccountId,
+      turnSourceThreadId: params.paramsForRun.currentThreadTs,
+      timeoutMs,
+      twoPhase: true,
+    },
+    { expectFinal: false },
+  ) as Promise<ApprovalRequestResult | undefined>;
+}
+
+export function approvalRequestExplicitlyUnavailable(result: unknown): boolean {
+  if (result === null || result === undefined || typeof result !== "object") {
+    return false;
+  }
+  let descriptor: PropertyDescriptor | undefined;
+  try {
+    descriptor = Object.getOwnPropertyDescriptor(result, "decision");
+  } catch {
+    return false;
+  }
+  return descriptor !== undefined && "value" in descriptor && descriptor.value === null;
+}
+
+export async function waitForPluginApprovalDecision(params: {
+  approvalId: string;
+  signal?: AbortSignal;
+}): Promise<ExecApprovalDecision | null | undefined> {
+  const timeoutMs = DEFAULT_CODEX_APPROVAL_TIMEOUT_MS;
+  const waitPromise: Promise<ApprovalWaitResult | undefined> = callGatewayTool(
+    "plugin.approval.waitDecision",
+    { timeoutMs: timeoutMs + 10_000 },
+    { id: params.approvalId },
+  );
+  if (!params.signal) {
+    return (await waitPromise)?.decision;
+  }
+  let onAbort: (() => void) | undefined;
+  const abortPromise = new Promise<never>((_, reject) => {
+    if (params.signal!.aborted) {
+      reject(params.signal!.reason);
+      return;
+    }
+    onAbort = () => reject(params.signal!.reason);
+    params.signal!.addEventListener("abort", onAbort, { once: true });
+  });
+  try {
+    return (await Promise.race([waitPromise, abortPromise]))?.decision;
+  } finally {
+    if (onAbort) {
+      params.signal.removeEventListener("abort", onAbort);
+    }
+  }
+}
+
+export function mapExecDecisionToOutcome(
+  decision: ExecApprovalDecision | null | undefined,
+): AppServerApprovalOutcome {
+  if (decision === "allow-once") {
+    return "approved-once";
+  }
+  if (decision === "allow-always") {
+    return "approved-session";
+  }
+  if (decision === null || decision === undefined) {
+    return "unavailable";
+  }
+  return "denied";
+}
+
+function truncateForGateway(value: string, maxLength: number): string {
+  return value.length <= maxLength ? value : `${value.slice(0, Math.max(0, maxLength - 3))}...`;
+}