@kodelyth/codex 2026.5.40 → 2026.5.42

package/src/app-server/app-inventory-cache.test.ts

@@ -0,0 +1,176 @@
+import { describe, expect, it, vi } from "vitest";
+import {
+  CodexAppInventoryCache,
+  buildCodexAppInventoryCacheKey,
+  serializeCodexAppInventoryError,
+} from "./app-inventory-cache.js";
+import type { v2 } from "./protocol.js";
+
+describe("Codex app inventory cache", () => {
+  it("returns missing while scheduling one coalesced app/list refresh", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 100 });
+    const request = vi.fn(async (_method: "app/list", params: v2.AppsListParams) => {
+      return {
+        data: [app(params.cursor ? "app-2" : "app-1")],
+        nextCursor: params.cursor ? null : "next",
+      } satisfies v2.AppsListResponse;
+    });
+
+    const key = buildCodexAppInventoryCacheKey({ codexHome: "/codex", authProfileId: "work" });
+    const read = cache.read({ key, request, nowMs: 0 });
+    expect(read.state).toBe("missing");
+    expect(read.refreshScheduled).toBe(true);
+
+    const snapshot = await cache.refreshNow({ key, request, nowMs: 0 });
+    expect(snapshot.apps.map((item) => item.id)).toEqual(["app-1", "app-2"]);
+    expect(request).toHaveBeenCalledTimes(2);
+
+    const fresh = cache.read({ key, request, nowMs: 50 });
+    expect(fresh.state).toBe("fresh");
+    expect(fresh.refreshScheduled).toBe(false);
+    expect(fresh.snapshot?.apps.map((item) => item.id)).toEqual(["app-1", "app-2"]);
+  });
+
+  it("can read missing inventory without scheduling app/list", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 100 });
+    const request = vi.fn(async () => {
+      return {
+        data: [app("app-1")],
+        nextCursor: null,
+      } satisfies v2.AppsListResponse;
+    });
+
+    const read = cache.read({
+      key: "runtime",
+      request,
+      suppressRefresh: true,
+    });
+
+    expect(read.state).toBe("missing");
+    expect(read.refreshScheduled).toBe(false);
+    expect(request).not.toHaveBeenCalled();
+  });
+
+  it("uses stale inventory for the current read while still refreshing asynchronously", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 10 });
+    const request = vi.fn(async () => {
+      return {
+        data: [app(`app-${request.mock.calls.length}`)],
+        nextCursor: null,
+      } satisfies v2.AppsListResponse;
+    });
+    const key = "runtime";
+    await cache.refreshNow({ key, request, nowMs: 0 });
+
+    const stale = cache.read({ key, request, nowMs: 11, suppressRefresh: true });
+    expect(stale.state).toBe("stale");
+    expect(stale.snapshot?.apps.map((item) => item.id)).toEqual(["app-1"]);
+    expect(stale.refreshScheduled).toBe(true);
+
+    const refreshed = await cache.refreshNow({ key, request, nowMs: 11 });
+    expect(refreshed.apps.map((item) => item.id)).toEqual(["app-2"]);
+  });
+
+  it("records refresh errors without discarding the last successful snapshot", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 1 });
+    const key = "runtime";
+    await cache.refreshNow({
+      key,
+      nowMs: 0,
+      request: async () => ({ data: [app("app-1")], nextCursor: null }),
+    });
+
+    await expect(
+      cache.refreshNow({
+        key,
+        nowMs: 2,
+        request: async () => {
+          throw new Error("app list failed");
+        },
+      }),
+    ).rejects.toThrow("app list failed");
+
+    const read = cache.read({
+      key,
+      nowMs: 2,
+      request: async () => ({ data: [app("app-2")], nextCursor: null }),
+    });
+    expect(read.snapshot?.apps.map((item) => item.id)).toEqual(["app-1"]);
+    expect(read.diagnostic?.message).toBe("app list failed");
+  });
+
+  it("omits challenge HTML when serializing app/list errors", () => {
+    const error = new Error(
+      'failed to list apps: Request failed with status 403 Forbidden: <html><script src="/backend-api/connectors/directory/list?__cf_chl_tk=secret-token"></script></html>',
+    );
+    const serialized = serializeCodexAppInventoryError(error);
+
+    expect(serialized.message).toBe(
+      "failed to list apps: Request failed with status 403 Forbidden: [HTML response body omitted]",
+    );
+  });
+
+  it("forces a post-install refresh past an older in-flight app/list", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 1_000 });
+    const key = "runtime";
+    let resolveStale: ((response: v2.AppsListResponse) => void) | undefined;
+    let resolveFresh: ((response: v2.AppsListResponse) => void) | undefined;
+    const request = vi.fn(
+      async (_method: "app/list", params: v2.AppsListParams): Promise<v2.AppsListResponse> => {
+        expect(params.forceRefetch).toBe(request.mock.calls.length === 2);
+        return await new Promise((resolve) => {
+          if (request.mock.calls.length === 1) {
+            resolveStale = resolve;
+          } else {
+            resolveFresh = resolve;
+          }
+        });
+      },
+    );
+
+    const staleRead = cache.read({ key, request, nowMs: 0 });
+    expect(staleRead.state).toBe("missing");
+    expect(staleRead.refreshScheduled).toBe(true);
+
+    cache.invalidate(key, "plugin installed", 1);
+    const forcedRead = cache.read({ key, request, nowMs: 1, forceRefetch: true });
+    expect(forcedRead.state).toBe("missing");
+    expect(forcedRead.refreshScheduled).toBe(true);
+    expect(request).toHaveBeenCalledTimes(2);
+
+    const forced = cache.refreshNow({ key, request, nowMs: 1 });
+    resolveFresh?.({ data: [app("fresh-app")], nextCursor: null });
+    await expect(forced).resolves.toStrictEqual({
+      key,
+      apps: [app("fresh-app")],
+      fetchedAtMs: 1,
+      expiresAtMs: 1_001,
+      revision: 2,
+    });
+
+    resolveStale?.({ data: [app("stale-app")], nextCursor: null });
+    await Promise.resolve();
+
+    const freshRead = cache.read({ key, request, nowMs: 2 });
+    expect(freshRead.state).toBe("fresh");
+    expect(freshRead.snapshot?.apps.map((item) => item.id)).toEqual(["fresh-app"]);
+  });
+});
+
+function app(id: string): v2.AppInfo {
+  return {
+    id,
+    name: id,
+    description: null,
+    logoUrl: null,
+    logoUrlDark: null,
+    distributionChannel: null,
+    branding: null,
+    appMetadata: null,
+    labels: null,
+    installUrl: null,
+    isAccessible: true,
+    isEnabled: true,
+    pluginDisplayNames: [],
+  };
+}

package/src/app-server/app-inventory-cache.ts

@@ -0,0 +1,324 @@
+import { embeddedAgentLog } from "klaw/plugin-sdk/agent-harness-runtime";
+import type { JsonValue, v2 } from "./protocol.js";
+
+export const CODEX_APP_INVENTORY_CACHE_TTL_MS = 60 * 60 * 1_000;
+const MAX_SERIALIZED_ERROR_MESSAGE_LENGTH = 500;
+
+export type CodexAppInventoryRequest = (
+  method: "app/list",
+  params: v2.AppsListParams,
+) => Promise<v2.AppsListResponse>;
+
+export type CodexAppInventoryCacheKeyInput = {
+  codexHome?: string;
+  endpoint?: string;
+  authProfileId?: string;
+  accountId?: string;
+  envApiKeyFingerprint?: string;
+  appServerVersion?: string;
+};
+
+export type CodexAppInventoryCacheDiagnostic = {
+  message: string;
+  atMs: number;
+};
+
+export type CodexAppInventorySnapshot = {
+  key: string;
+  apps: v2.AppInfo[];
+  fetchedAtMs: number;
+  expiresAtMs: number;
+  revision: number;
+  lastError?: CodexAppInventoryCacheDiagnostic;
+};
+
+export type CodexAppInventoryReadState = "fresh" | "stale" | "missing";
+
+export type CodexAppInventoryCacheRead = {
+  state: CodexAppInventoryReadState;
+  key: string;
+  revision: number;
+  snapshot?: CodexAppInventorySnapshot;
+  refreshScheduled: boolean;
+  diagnostic?: CodexAppInventoryCacheDiagnostic;
+};
+
+type CacheEntry = CodexAppInventorySnapshot & {
+  invalidated: boolean;
+};
+
+type RefreshParams = {
+  key: string;
+  request: CodexAppInventoryRequest;
+  nowMs?: number;
+  forceRefetch?: boolean;
+  suppressRefresh?: boolean;
+};
+
+export class CodexAppInventoryCache {
+  private readonly ttlMs: number;
+  private readonly entries = new Map<string, CacheEntry>();
+  private readonly inFlight = new Map<string, Promise<CodexAppInventorySnapshot>>();
+  // Per-key refresh generation. Each refresh attempt claims the next token so
+  // an older request that finishes late cannot overwrite a newer snapshot.
+  private readonly refreshTokens = new Map<string, number>();
+  private readonly diagnostics = new Map<string, CodexAppInventoryCacheDiagnostic>();
+  private revision = 0;
+
+  constructor(options: { ttlMs?: number } = {}) {
+    this.ttlMs = options.ttlMs ?? CODEX_APP_INVENTORY_CACHE_TTL_MS;
+  }
+
+  read(params: RefreshParams): CodexAppInventoryCacheRead {
+    const nowMs = params.nowMs ?? Date.now();
+    const entry = this.entries.get(params.key);
+    if (!entry) {
+      const refreshScheduled = params.suppressRefresh ? false : this.scheduleRefresh(params);
+      return {
+        state: "missing",
+        key: params.key,
+        revision: this.revision,
+        refreshScheduled,
+        ...(this.diagnostics.get(params.key)
+          ? { diagnostic: this.diagnostics.get(params.key) }
+          : {}),
+      };
+    }
+
+    const state: CodexAppInventoryReadState =
+      entry.invalidated || entry.expiresAtMs <= nowMs ? "stale" : "fresh";
+    const refreshScheduled =
+      state === "fresh" && !params.forceRefetch ? false : this.scheduleRefresh(params);
+    return {
+      state,
+      key: params.key,
+      revision: entry.revision,
+      snapshot: stripEntryState(entry),
+      refreshScheduled,
+      ...(entry.lastError ? { diagnostic: entry.lastError } : {}),
+    };
+  }
+
+  refreshNow(params: RefreshParams): Promise<CodexAppInventorySnapshot> {
+    return this.refresh(params);
+  }
+
+  invalidate(key: string, reason: string, nowMs = Date.now()): number {
+    this.revision += 1;
+    const diagnostic = { message: reason, atMs: nowMs };
+    const entry = this.entries.get(key);
+    if (entry) {
+      entry.invalidated = true;
+      entry.lastError = diagnostic;
+      entry.revision = this.revision;
+    } else {
+      this.diagnostics.set(key, diagnostic);
+    }
+    return this.revision;
+  }
+
+  clear(): void {
+    this.entries.clear();
+    this.inFlight.clear();
+    this.refreshTokens.clear();
+    this.diagnostics.clear();
+    this.revision = 0;
+  }
+
+  getRevision(): number {
+    return this.revision;
+  }
+
+  private scheduleRefresh(params: RefreshParams): boolean {
+    if (this.inFlight.has(params.key) && !params.forceRefetch) {
+      return true;
+    }
+    const promise = this.refresh(params);
+    this.inFlight.set(params.key, promise);
+    promise.catch(() => undefined);
+    return true;
+  }
+
+  private async refresh(params: RefreshParams): Promise<CodexAppInventorySnapshot> {
+    const existing = this.inFlight.get(params.key);
+    if (existing && !params.forceRefetch) {
+      return existing;
+    }
+
+    const refreshToken = (this.refreshTokens.get(params.key) ?? 0) + 1;
+    this.refreshTokens.set(params.key, refreshToken);
+    const promise = this.refreshUncoalesced(params, refreshToken);
+    this.inFlight.set(params.key, promise);
+    try {
+      return await promise;
+    } finally {
+      if (this.inFlight.get(params.key) === promise) {
+        this.inFlight.delete(params.key);
+      }
+    }
+  }
+
+  private async refreshUncoalesced(
+    params: RefreshParams,
+    refreshToken: number,
+  ): Promise<CodexAppInventorySnapshot> {
+    const nowMs = params.nowMs ?? Date.now();
+    try {
+      const apps = await listAllApps(params.request, params.forceRefetch ?? false);
+      this.revision += 1;
+      const snapshot: CodexAppInventorySnapshot = {
+        key: params.key,
+        apps,
+        fetchedAtMs: nowMs,
+        expiresAtMs: nowMs + this.ttlMs,
+        revision: this.revision,
+      };
+      // Only publish this snapshot if no newer refresh started for the same key
+      // while this request was in flight.
+      if (this.refreshTokens.get(params.key) === refreshToken) {
+        this.entries.set(params.key, { ...snapshot, invalidated: false });
+        this.diagnostics.delete(params.key);
+      }
+      return snapshot;
+    } catch (error) {
+      const diagnostic = {
+        message: sanitizeErrorMessage(error instanceof Error ? error.message : String(error)),
+        atMs: nowMs,
+      };
+      this.diagnostics.set(params.key, diagnostic);
+      const entry = this.entries.get(params.key);
+      if (entry) {
+        entry.lastError = diagnostic;
+      }
+      embeddedAgentLog.warn("codex app inventory refresh failed", {
+        forceRefetch: params.forceRefetch === true,
+        keyFingerprint: fingerprintInventoryCacheKey(params.key),
+        error: serializeCodexAppInventoryError(error),
+      });
+      throw error;
+    }
+  }
+}
+
+export function serializeCodexAppInventoryError(error: unknown): Record<string, unknown> {
+  const record = isRecord(error) ? error : undefined;
+  const data = record && "data" in record ? redactErrorData(record.data) : undefined;
+  return {
+    name:
+      error instanceof Error
+        ? error.name
+        : typeof record?.name === "string"
+          ? record.name
+          : undefined,
+    message: sanitizeErrorMessage(error instanceof Error ? error.message : String(error)),
+    ...(typeof record?.code === "number" ? { code: record.code } : {}),
+    ...(data !== undefined ? { data } : {}),
+  };
+}
+
+export const defaultCodexAppInventoryCache = new CodexAppInventoryCache();
+
+export function buildCodexAppInventoryCacheKey(input: CodexAppInventoryCacheKeyInput): string {
+  return JSON.stringify({
+    codexHome: input.codexHome ?? null,
+    endpoint: input.endpoint ?? null,
+    authProfileId: input.authProfileId ?? null,
+    accountId: input.accountId ?? null,
+    envApiKeyFingerprint: input.envApiKeyFingerprint ?? null,
+    appServerVersion: input.appServerVersion ?? null,
+  });
+}
+
+async function listAllApps(
+  request: CodexAppInventoryRequest,
+  forceRefetch: boolean,
+): Promise<v2.AppInfo[]> {
+  const apps: v2.AppInfo[] = [];
+  let cursor: string | null | undefined;
+  do {
+    const response = await request("app/list", {
+      cursor,
+      limit: 100,
+      forceRefetch,
+    });
+    apps.push(...response.data);
+    cursor = response.nextCursor;
+  } while (cursor);
+  return apps;
+}
+
+function stripEntryState(entry: CacheEntry): CodexAppInventorySnapshot {
+  const { invalidated: _invalidated, ...snapshot } = entry;
+  return snapshot;
+}
+
+function fingerprintInventoryCacheKey(key: string): string {
+  let hash = 0;
+  for (let index = 0; index < key.length; index += 1) {
+    hash = (hash * 31 + key.charCodeAt(index)) >>> 0;
+  }
+  return hash.toString(16).padStart(8, "0");
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+
+function redactErrorData(value: unknown, depth = 0): JsonValue | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+  if (value === null || typeof value === "boolean" || typeof value === "number") {
+    return value;
+  }
+  if (depth > 6) {
+    return "[truncated]";
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactErrorData(entry, depth + 1) ?? null);
+  }
+  if (isRecord(value)) {
+    const redacted: Record<string, JsonValue> = {};
+    for (const [key, entry] of Object.entries(value)) {
+      redacted[key] = isSensitiveErrorDataKey(key)
+        ? "<redacted>"
+        : (redactErrorData(entry, depth + 1) ?? null);
+    }
+    return redacted;
+  }
+  if (typeof value === "string" && value.length > 500) {
+    return `${value.slice(0, 500)}...`;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "bigint") {
+    return value.toString();
+  }
+  if (typeof value === "symbol") {
+    return value.description ? `Symbol(${value.description})` : "Symbol()";
+  }
+  if (typeof value === "function") {
+    return value.name ? `[function ${value.name}]` : "[function]";
+  }
+  return "[unserializable]";
+}
+
+function sanitizeErrorMessage(message: string): string {
+  const htmlStart = message.search(/<html[\s>]/i);
+  const withoutHtml =
+    htmlStart >= 0
+      ? `${message.slice(0, htmlStart).trimEnd()} [HTML response body omitted]`
+      : message;
+  const redacted = withoutHtml.replace(
+    /([?&][^=\s"'<>]*(?:api[_-]?key|authorization|cookie|credential|password|secret|token|tk)[^=\s"'<>]*=)[^&\s"'<>]+/gi,
+    "$1<redacted>",
+  );
+  return redacted.length > MAX_SERIALIZED_ERROR_MESSAGE_LENGTH
+    ? `${redacted.slice(0, MAX_SERIALIZED_ERROR_MESSAGE_LENGTH)}...`
+    : redacted;
+}
+
+function isSensitiveErrorDataKey(key: string): boolean {
+  return /api[_-]?key|authorization|cookie|credential|password|secret|token/i.test(key);
+}