@miraigent/codex-usage-dashboard 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Miraigent
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,114 @@
+# Codex Usage Dashboard
+
+Local web dashboard for viewing Codex account usage limits across multiple CODEX_HOME profiles.
+
+This is an unofficial tool. It is not made by, affiliated with, endorsed by, or supported by OpenAI.
+
+## What It Shows
+
+- Codex account connection state
+- 5-hour usage window
+- Weekly usage window
+- Reset time
+- Remaining credit balance when returned by Codex
+- Re-login device code helper for each configured account
+- One account or any number of accounts, driven by the accounts array in config.json
+
+The dashboard does not print or store ChatGPT/Codex tokens. It starts codex app-server --stdio and calls account/read and account/rateLimits/read.
+
+## Requirements
+
+- Node.js 20 or newer
+- Python 3 with the standard library pty module
+- OpenAI Codex CLI installed and available as codex
+- A local machine or server where you can log in with Codex
+
+## Install
+
+    npm install -g @miraigent/codex-usage-dashboard
+
+Or run from a cloned repository:
+
+    npm install
+    npm start
+
+## Configure
+
+Create a config file. Use one account, two accounts, or any number of accounts:
+
+    mkdir -p ~/.codex-accounts/codex-1 ~/.codex-accounts/codex-2
+    cp config.example.json config.json
+
+Edit config.json:
+
+    {
+      "host": "127.0.0.1",
+      "port": 8787,
+      "refreshSeconds": 60,
+      "accounts": [
+        {
+          "id": "codex-1",
+          "label": "Codex Account 1",
+          "codexCommand": "codex",
+          "codexHome": "/absolute/path/to/.codex-accounts/codex-1"
+        },
+        {
+          "id": "codex-2",
+          "label": "Codex Account 2",
+          "codexCommand": "codex",
+          "codexHome": "/absolute/path/to/.codex-accounts/codex-2"
+        }
+      ]
+    }
+
+You can also point to a config file explicitly:
+
+    CODEX_USAGE_DASHBOARD_CONFIG=/path/to/config.json codex-usage-dashboard
+
+## Login
+
+Use the dashboard's re-login panel, or run Codex login manually for each profile:
+
+    CODEX_HOME=/absolute/path/to/.codex-accounts/codex-1 codex login --device-auth
+    CODEX_HOME=/absolute/path/to/.codex-accounts/codex-2 codex login --device-auth
+
+For a single-account setup, keep only one object in accounts.
+
+For three or more accounts, add more objects with unique id and codexHome values.
+
+## Run
+
+    codex-usage-dashboard
+
+Open:
+
+    http://127.0.0.1:8787
+
+## Basic Authentication
+
+Set both variables to protect the dashboard:
+
+    export CODEX_USAGE_DASHBOARD_BASIC_USER='your-user'
+    export CODEX_USAGE_DASHBOARD_BASIC_PASSWORD='your-password'
+    codex-usage-dashboard
+
+Do not expose this dashboard to the public internet without authentication, a VPN, or a trusted reverse proxy.
+
+## Re-login Flow
+
+When auth expires:
+
+1. Open the dashboard.
+2. Click codex-1 or codex-2 under Re-login.
+3. Open the displayed OpenAI device login link.
+4. Enter the displayed one-time code.
+5. Click Refresh after login completes.
+
+The re-login helper logs out only the selected CODEX_HOME profile before generating a new device code.
+
+## Security Notes
+
+- Keep config.json private if it contains local paths you do not want to publish.
+- Never paste ChatGPT/Codex tokens into this app.
+- Do not commit auth.json or any CODEX_HOME directory.
+- Bind to 127.0.0.1 unless you have an authenticated access layer.

package/bin/codex-usage-dashboard

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require("../server");

package/config.example.json

@@ -0,0 +1,19 @@
+{
+  "host": "127.0.0.1",
+  "port": 8787,
+  "refreshSeconds": 60,
+  "accounts": [
+    {
+      "id": "codex-1",
+      "label": "Codex Account 1",
+      "codexCommand": "codex",
+      "codexHome": "/absolute/path/to/.codex-accounts/codex-1"
+    },
+    {
+      "id": "codex-2",
+      "label": "Codex Account 2",
+      "codexCommand": "codex",
+      "codexHome": "/absolute/path/to/.codex-accounts/codex-2"
+    }
+  ]
+}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@miraigent/codex-usage-dashboard",
+  "version": "0.1.0",
+  "private": false,
+  "description": "Local dashboard for Codex account usage limits across multiple CODEX_HOME profiles.",
+  "type": "commonjs",
+  "bin": {
+    "codex-usage-dashboard": "bin/codex-usage-dashboard"
+  },
+  "scripts": {
+    "start": "node server.js",
+    "check": "node --check server.js && node --check public/app.js && python3 -m py_compile scripts/codex-device-code.py",
+    "pack:dry-run": "npm pack --dry-run"
+  },
+  "files": [
+    "bin/",
+    "public/",
+    "scripts/codex-device-code.py",
+    "scripts/check-accounts.sh",
+    "scripts/login-account.sh",
+    "config.example.json",
+    "server.js",
+    "README.md",
+    "LICENSE"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Miraigent/codex-usage-dashboard.git"
+  },
+  "keywords": [
+    "codex",
+    "openai",
+    "usage",
+    "dashboard",
+    "quota"
+  ],
+  "author": "Miraigent",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

package/public/app.js

@@ -0,0 +1,183 @@
+const accountsEl = document.querySelector("#accounts");
+const statusEl = document.querySelector("#status");
+const refreshEl = document.querySelector("#refresh");
+const loginResultEl = document.querySelector("#login-result");
+const loginActionsEl = document.querySelector(".login-actions");
+
+let refreshTimer = null;
+let renderedLoginAccounts = "";
+
+function fmtDate(value) {
+  if (!value) return "未開始または不明";
+  const ms = typeof value === "number" ? value * 1000 : Date.parse(value);
+  if (!Number.isFinite(ms)) return "不明";
+  return new Intl.DateTimeFormat("ja-JP", {
+    month: "2-digit",
+    day: "2-digit",
+    hour: "2-digit",
+    minute: "2-digit",
+  }).format(new Date(ms));
+}
+
+function fmtUntil(value) {
+  if (!value) return "不明";
+  const ms = typeof value === "number" ? value * 1000 : Date.parse(value);
+  if (!Number.isFinite(ms)) return "不明";
+  const remainingMs = ms - Date.now();
+  if (remainingMs <= 0) return "まもなく更新";
+  const totalMinutes = Math.ceil(remainingMs / 60000);
+  const days = Math.floor(totalMinutes / 1440);
+  const hours = Math.floor((totalMinutes % 1440) / 60);
+  const minutes = totalMinutes % 60;
+  if (days > 0) return "あと" + days + "日" + hours + "時間";
+  if (hours > 0) return "あと" + hours + "時間" + minutes + "分";
+  return "あと" + minutes + "分";
+}
+
+function pct(value) {
+  return typeof value === "number" ? Math.round(value * 10) / 10 : null;
+}
+
+function windowName(window, fallback) {
+  if (!window?.windowDurationMins) return fallback;
+  if (window.windowDurationMins === 300) return "5時間の使用制限";
+  if (window.windowDurationMins === 10080) return "週間利用上限";
+  return window.windowDurationMins + "分の使用制限";
+}
+
+function limitView(title, window) {
+  if (!window) return "";
+  const used = pct(window.usedPercent) ?? 0;
+  const remaining = pct(window.remainingPercent) ?? Math.max(0, 100 - used);
+  const cls = remaining <= 5 ? "bad" : remaining <= 15 ? "warn" : "";
+  return [
+    '<div class="limit">',
+    '<div class="limit-title"><span>' + escapeHtml(title) + '</span><span>' + remaining + '% 残り</span></div>',
+    '<div class="bar"><span class="' + cls + '" style="width:' + Math.max(0, Math.min(100, remaining)) + '%"></span></div>',
+    '<div class="details">',
+    '<span>使用済み</span><span>' + used + '%</span>',
+    '<span>リセット</span><span>' + escapeHtml(fmtDate(window.resetsAt)) + '</span>',
+    '<span>解除まで</span><span>' + escapeHtml(fmtUntil(window.resetsAt)) + '</span>',
+    '</div>',
+    '</div>',
+  ].join("");
+}
+
+function accountView(account) {
+  if (!account.ok) {
+    return [
+      '<article class="card error-card">',
+      '<h2>' + escapeHtml(account.label || account.id) + '</h2>',
+      '<p class="meta">取得失敗 / 再ログインが必要です</p>',
+      '<p class="error">' + escapeHtml(account.error || "Unknown error") + '</p>',
+      '</article>',
+    ].join("");
+  }
+
+  const limit = account.rateLimits || {};
+  const plan = account.account?.planType || limit.planType || "plan unknown";
+  const credits = limit.credits
+    ? '<p class="credits">クレジット: ' + escapeHtml(String(limit.credits.balance ?? "0")) + (limit.credits.unlimited ? " / unlimited" : "") + "</p>"
+    : "";
+
+  return [
+    '<article class="card">',
+    '<h2>' + escapeHtml(account.label || account.id) + '</h2>',
+    '<p class="meta">' + escapeHtml(plan) + ' / ' + (account.account?.hasEmail ? "account connected" : "email hidden") + '</p>',
+    limitView(windowName(limit.primary, "5時間の使用制限"), limit.primary),
+    limitView(windowName(limit.secondary, "週間利用上限"), limit.secondary),
+    credits,
+    '</article>',
+  ].join("");
+}
+
+function renderLoginActions(accounts) {
+  const key = accounts.map((account) => account.id + ":" + (account.label || "")).join("|");
+  if (key === renderedLoginAccounts) return;
+  renderedLoginAccounts = key;
+  if (!accounts.length) {
+    loginActionsEl.innerHTML = '<span class="meta">アカウントが未設定です。</span>';
+    return;
+  }
+  loginActionsEl.innerHTML = accounts
+    .map((account) => {
+      const id = escapeHtml(account.id);
+      const label = escapeHtml(account.label || account.id);
+      return '<button class="login-code" type="button" data-account="' + id + '">' + label + "</button>";
+    })
+    .join("");
+  for (const button of loginActionsEl.querySelectorAll(".login-code")) {
+    button.addEventListener("click", () => createLoginCode(button.dataset.account, button));
+  }
+}
+
+function escapeHtml(value) {
+  return String(value)
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#039;");
+}
+
+async function load() {
+  refreshEl.disabled = true;
+  statusEl.textContent = "Refreshing...";
+  try {
+    const response = await fetch("api/usage", { cache: "no-store" });
+    const data = await response.json();
+    if (!data.ok && data.error) {
+      statusEl.textContent = data.error;
+    } else {
+      statusEl.textContent = "最終更新: " + fmtDate(data.fetchedAt);
+    }
+    const accounts = data.accounts || [];
+    renderLoginActions(accounts);
+    accountsEl.innerHTML = accounts.map(accountView).join("") || '<p class="status">アカウントが未設定です。</p>';
+    if (refreshTimer) clearTimeout(refreshTimer);
+    const seconds = Math.max(30, data.refreshSeconds || 60);
+    refreshTimer = setTimeout(load, seconds * 1000);
+  } catch (error) {
+    statusEl.textContent = "取得失敗: " + error.message;
+  } finally {
+    refreshEl.disabled = false;
+  }
+}
+
+refreshEl.addEventListener("click", load);
+loadConfiguredAccounts();
+load();
+
+async function loadConfiguredAccounts() {
+  try {
+    const response = await fetch("api/accounts", { cache: "no-store" });
+    const data = await response.json();
+    if (data.ok) renderLoginActions(data.accounts || []);
+  } catch {
+    loginActionsEl.innerHTML = '<span class="meta">アカウント一覧を取得できませんでした。</span>';
+  }
+}
+
+async function createLoginCode(account, button) {
+  button.disabled = true;
+  loginResultEl.hidden = false;
+  loginResultEl.innerHTML = '<p class="meta">ログインコードを発行中です...</p>';
+  try {
+    const response = await fetch("api/login-code?account=" + encodeURIComponent(account), { cache: "no-store" });
+    const data = await response.json();
+    if (!data.ok) {
+      loginResultEl.innerHTML = '<p class="error">' + escapeHtml(data.error || "ログインコードを発行できませんでした") + "</p>";
+      return;
+    }
+    loginResultEl.innerHTML = [
+      '<p class="meta">' + escapeHtml(data.label) + ' / ' + escapeHtml(data.generatedAt) + '</p>',
+      '<p><a href="' + escapeHtml(data.url) + '" target="_blank" rel="noreferrer">OpenAI Codex device loginを開く</a></p>',
+      '<p class="login-code-value">' + escapeHtml(data.code) + '</p>',
+      '<p class="meta">このコードを開いたページに入力してください。完了後、Refreshで残量を確認できます。</p>',
+    ].join("");
+  } catch (error) {
+    loginResultEl.innerHTML = '<p class="error">取得失敗: ' + escapeHtml(error.message) + "</p>";
+  } finally {
+    button.disabled = false;
+  }
+}

package/public/index.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<html lang="ja">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Codex Usage Dashboard</title>
+    <link rel="stylesheet" href="style.css">
+  </head>
+  <body>
+    <main>
+      <header>
+        <div>
+          <p class="eyebrow">Codex Usage</p>
+          <h1>Account Limits</h1>
+        </div>
+        <button id="refresh" type="button">Refresh</button>
+      </header>
+      <p id="status" class="status">Loading...</p>
+      <section class="login-panel">
+        <div>
+          <p class="eyebrow">Codex Login</p>
+          <h2>再ログインコード発行</h2>
+          <p class="meta">認証が切れた時だけ使います。対象アカウントを一度ログアウトして、新しい15分コードを発行します。</p>
+        </div>
+        <div class="login-actions">
+          <span id="login-actions-status" class="meta">Loading accounts...</span>
+        </div>
+        <div id="login-result" class="login-result" hidden></div>
+      </section>
+      <section id="accounts" class="accounts"></section>
+    </main>
+    <script src="app.js"></script>
+  </body>
+</html>

package/public/style.css

@@ -0,0 +1,201 @@
+:root {
+  color-scheme: light dark;
+  --bg: #f6f7f9;
+  --panel: #ffffff;
+  --text: #172033;
+  --muted: #667085;
+  --line: #d7dce5;
+  --good: #0f8a5f;
+  --warn: #b76e00;
+  --bad: #b42318;
+  --accent: #176b87;
+}
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --bg: #101418;
+    --panel: #181e25;
+    --text: #edf2f7;
+    --muted: #a6b0bd;
+    --line: #2d3642;
+    --accent: #6fc2d0;
+  }
+}
+
+* {
+  box-sizing: border-box;
+}
+
+body {
+  margin: 0;
+  background: var(--bg);
+  color: var(--text);
+  font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+}
+
+main {
+  width: min(1120px, calc(100vw - 32px));
+  margin: 32px auto;
+}
+
+header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 16px;
+  margin-bottom: 18px;
+}
+
+.eyebrow {
+  color: var(--muted);
+  font-size: 13px;
+  margin: 0 0 4px;
+}
+
+h1 {
+  font-size: 32px;
+  line-height: 1.1;
+  margin: 0;
+}
+
+button {
+  border: 1px solid var(--line);
+  background: var(--panel);
+  color: var(--text);
+  border-radius: 6px;
+  padding: 9px 14px;
+  font: inherit;
+  cursor: pointer;
+}
+
+.status {
+  color: var(--muted);
+  min-height: 24px;
+}
+
+.accounts {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(320px, 1fr));
+  gap: 16px;
+}
+
+.login-panel {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: 8px;
+  padding: 18px;
+  margin: 0 0 16px;
+}
+
+.login-panel h2 {
+  margin: 0 0 6px;
+  font-size: 20px;
+}
+
+.login-actions {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 10px;
+  margin-top: 12px;
+}
+
+.login-result {
+  border-top: 1px solid var(--line);
+  margin-top: 14px;
+  padding-top: 14px;
+}
+
+.login-result a {
+  color: var(--accent);
+}
+
+.login-code-value {
+  display: inline-block;
+  letter-spacing: 0.08em;
+  font-size: 24px;
+  font-weight: 750;
+  border: 1px solid var(--line);
+  border-radius: 6px;
+  padding: 8px 12px;
+  margin: 4px 0;
+}
+
+.card {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: 8px;
+  padding: 18px;
+}
+
+.card h2 {
+  margin: 0 0 6px;
+  font-size: 20px;
+}
+
+.meta {
+  color: var(--muted);
+  font-size: 13px;
+  margin: 0 0 14px;
+}
+
+.error {
+  color: var(--bad);
+  white-space: pre-wrap;
+}
+
+.error-card {
+  border-color: color-mix(in srgb, var(--bad) 55%, var(--line));
+}
+
+.limit {
+  border-top: 1px solid var(--line);
+  padding-top: 14px;
+  margin-top: 14px;
+}
+
+.limit-title {
+  display: flex;
+  justify-content: space-between;
+  gap: 10px;
+  font-weight: 650;
+  margin-bottom: 8px;
+}
+
+.bar {
+  width: 100%;
+  height: 10px;
+  overflow: hidden;
+  background: var(--bg);
+  border: 1px solid var(--line);
+  border-radius: 999px;
+}
+
+.bar span {
+  display: block;
+  height: 100%;
+  width: 0;
+  background: var(--good);
+}
+
+.bar span.warn {
+  background: var(--warn);
+}
+
+.bar span.bad {
+  background: var(--bad);
+}
+
+.details {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: 8px 12px;
+  color: var(--muted);
+  font-size: 13px;
+  margin-top: 10px;
+}
+
+.credits {
+  margin-top: 14px;
+  color: var(--muted);
+  font-size: 14px;
+}

package/scripts/check-accounts.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -gt 0 ]; then
+  accounts=("$@")
+elif [ -n "${CODEX_USAGE_ACCOUNTS:-}" ]; then
+  read -r -a accounts <<< "$CODEX_USAGE_ACCOUNTS"
+else
+  accounts=(codex-1 codex-2)
+fi
+
+for account in "${accounts[@]}"; do
+  accounts_dir="${CODEX_ACCOUNTS_DIR:-$HOME/.codex-accounts}"
+  export CODEX_HOME="$accounts_dir/$account"
+  echo "== $account =="
+  if [ ! -d "$CODEX_HOME" ]; then
+    echo "missing CODEX_HOME: $CODEX_HOME"
+    continue
+  fi
+  codex login status 2>&1 | sed -E 's/[A-Za-z0-9_=-]{24,}/<redacted>/g' || true
+done

package/scripts/codex-device-code.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+import json
+import os
+import pty
+import re
+import select
+import subprocess
+import sys
+import time
+
+
+def main() -> int:
+    if len(sys.argv) != 4:
+        print(json.dumps({"ok": False, "error": "usage: codex-device-code.py <account-id> <codex-command> <codex-home>"}))
+        return 2
+
+    account_id, codex_command, codex_home = sys.argv[1:4]
+    env = os.environ.copy()
+    env["CODEX_HOME"] = codex_home
+    os.makedirs(codex_home, mode=0o700, exist_ok=True)
+
+    subprocess.run([codex_command, "logout"], env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=10)
+
+    pid, master_fd = pty.fork()
+    if pid == 0:
+        os.environ.update(env)
+        os.execv(codex_command, [codex_command, "login", "--device-auth"])
+
+    output = ""
+    deadline = time.time() + 15
+    code_re = re.compile(r"(?<![A-Z0-9])[A-Z0-9]{4,5}-[A-Z0-9]{4,5}(?![A-Z0-9])")
+    url = "https://auth.openai.com/codex/device"
+
+    try:
+        while time.time() < deadline:
+            ready, _, _ = select.select([master_fd], [], [], 0.2)
+            if not ready:
+                try:
+                    finished_pid, _ = os.waitpid(pid, os.WNOHANG)
+                except ChildProcessError:
+                    finished_pid = pid
+                if finished_pid:
+                    break
+                continue
+            try:
+                chunk = os.read(master_fd, 4096).decode("utf-8", "replace")
+            except OSError:
+                break
+            output += chunk
+            match = code_re.search(output)
+            if match:
+                try:
+                    os.kill(pid, 15)
+                except ProcessLookupError:
+                    pass
+                print(json.dumps({
+                    "ok": True,
+                    "account": account_id,
+                    "url": url,
+                    "code": match.group(0),
+                    "expiresInMinutes": 15,
+                }))
+                return 0
+    finally:
+        try:
+            os.close(master_fd)
+        except OSError:
+            pass
+        try:
+            os.kill(pid, 15)
+        except ProcessLookupError:
+            pass
+
+    print(json.dumps({"ok": False, "account": account_id, "error": "login code generation timed out"}))
+    return 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/scripts/login-account.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 1 ]; then
+  echo "Usage: $0 <account-id>" >&2
+  exit 2
+fi
+
+account="$1"
+
+accounts_dir="${CODEX_ACCOUNTS_DIR:-$HOME/.codex-accounts}"
+export CODEX_HOME="$accounts_dir/$account"
+mkdir -p "$CODEX_HOME"
+chmod 700 "$CODEX_HOME"
+
+echo "Logging in $account with CODEX_HOME=$CODEX_HOME"
+echo "Do not paste tokens into chat. Complete the browser/device flow shown by Codex."
+exec codex login --device-auth

package/server.js

@@ -0,0 +1,433 @@
+const http = require("node:http");
+const crypto = require("node:crypto");
+const fs = require("node:fs");
+const path = require("node:path");
+const { spawn } = require("node:child_process");
+
+const ROOT = __dirname;
+const CWD_CONFIG_PATH = path.join(process.cwd(), "config.json");
+const CONFIG_PATH =
+  process.env.CODEX_USAGE_DASHBOARD_CONFIG ||
+  (fs.existsSync(CWD_CONFIG_PATH) ? CWD_CONFIG_PATH : path.join(ROOT, "config.json"));
+const DEFAULT_CONFIG = {
+  host: "127.0.0.1",
+  port: 8787,
+  refreshSeconds: 60,
+  accounts: [],
+};
+
+function loadConfig() {
+  if (!fs.existsSync(CONFIG_PATH)) {
+    return {
+      ...DEFAULT_CONFIG,
+      configMissing: true,
+      configPath: CONFIG_PATH,
+    };
+  }
+
+  const parsed = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8"));
+  return {
+    ...DEFAULT_CONFIG,
+    ...parsed,
+    accounts: Array.isArray(parsed.accounts) ? parsed.accounts : [],
+    configPath: CONFIG_PATH,
+  };
+}
+
+function json(res, status, body) {
+  const data = Buffer.from(JSON.stringify(body, null, 2));
+  res.writeHead(status, {
+    "content-type": "application/json; charset=utf-8",
+    "cache-control": "no-store",
+    "content-length": data.length,
+  });
+  res.end(data);
+}
+
+function staticFile(res, filePath, contentType) {
+  fs.readFile(filePath, (err, data) => {
+    if (err) {
+      res.writeHead(404, { "content-type": "text/plain; charset=utf-8" });
+      res.end("Not found");
+      return;
+    }
+    res.writeHead(200, {
+      "content-type": contentType,
+      "cache-control": "no-store",
+      "content-length": data.length,
+    });
+    res.end(data);
+  });
+}
+
+function redactError(message) {
+  return String(message || "")
+    .replace(/[A-Za-z0-9_-]{32,}/g, "<redacted>")
+    .slice(0, 1200);
+}
+
+function basicAuthConfig() {
+  const username = process.env.CODEX_USAGE_DASHBOARD_BASIC_USER || "";
+  const password = process.env.CODEX_USAGE_DASHBOARD_BASIC_PASSWORD || "";
+  if (!username || !password) return null;
+  return { username, password };
+}
+
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(String(left));
+  const rightBuffer = Buffer.from(String(right));
+  if (leftBuffer.length !== rightBuffer.length) return false;
+  return crypto.timingSafeEqual(leftBuffer, rightBuffer);
+}
+
+function unauthorized(res) {
+  res.writeHead(401, {
+    "www-authenticate": 'Basic realm="Codex Usage Dashboard", charset="UTF-8"',
+    "content-type": "text/plain; charset=utf-8",
+    "cache-control": "no-store",
+  });
+  res.end("Authentication required");
+}
+
+function isAuthorized(req) {
+  const auth = basicAuthConfig();
+  if (!auth) return true;
+  const header = req.headers.authorization || "";
+  const match = header.match(/^Basic\s+(.+)$/i);
+  if (!match) return false;
+  let decoded = "";
+  try {
+    decoded = Buffer.from(match[1], "base64").toString("utf8");
+  } catch {
+    return false;
+  }
+  const separator = decoded.indexOf(":");
+  if (separator < 0) return false;
+  const username = decoded.slice(0, separator);
+  const password = decoded.slice(separator + 1);
+  return safeEqual(username, auth.username) && safeEqual(password, auth.password);
+}
+
+function normalizeWindow(window) {
+  if (!window) return null;
+  const usedPercent = typeof window.usedPercent === "number" ? window.usedPercent : null;
+  return {
+    usedPercent,
+    remainingPercent: typeof usedPercent === "number" ? Math.max(0, Math.round((100 - usedPercent) * 100) / 100) : null,
+    resetsAt: window.resetsAt || null,
+    windowDurationMins: window.windowDurationMins || null,
+  };
+}
+
+function normalizeLimit(limit) {
+  if (!limit) return null;
+  return {
+    limitId: limit.limitId || null,
+    limitName: limit.limitName || null,
+    planType: limit.planType || null,
+    primary: normalizeWindow(limit.primary),
+    secondary: normalizeWindow(limit.secondary),
+    credits: limit.credits
+      ? {
+          hasCredits: Boolean(limit.credits.hasCredits),
+          unlimited: Boolean(limit.credits.unlimited),
+          balance: limit.credits.balance ?? null,
+        }
+      : null,
+    individualLimit: limit.individualLimit || null,
+    rateLimitReachedType: limit.rateLimitReachedType || null,
+  };
+}
+
+function normalizeAccount(accountResponse) {
+  const account = accountResponse?.account || null;
+  return {
+    type: account?.type || null,
+    planType: account?.planType || null,
+    hasEmail: Boolean(account?.email),
+    requiresOpenaiAuth: Boolean(accountResponse?.requiresOpenaiAuth),
+  };
+}
+
+function findAccount(id) {
+  const config = loadConfig();
+  if (config.configMissing) {
+    return null;
+  }
+  return config.accounts.find((account, index) => (account.id || "account-" + (index + 1)) === id) || null;
+}
+
+function configuredAccounts() {
+  const config = loadConfig();
+  if (config.configMissing) return [];
+  return config.accounts.map((account, index) => ({
+    id: account.id || "account-" + (index + 1),
+    label: account.label || account.id || "Account " + (index + 1),
+  }));
+}
+
+function createCodexEnv(account) {
+  const env = { ...process.env };
+  if (account.codexHome) {
+    env.CODEX_HOME = account.codexHome;
+  }
+  return env;
+}
+
+function requestCodex(account) {
+  const codexCommand = account.codexCommand || "codex";
+  const env = createCodexEnv(account);
+
+  const child = spawn(codexCommand, ["app-server", "--stdio"], {
+    env,
+    stdio: ["pipe", "pipe", "pipe"],
+    windowsHide: true,
+  });
+
+  let buffer = "";
+  let stderr = "";
+  let nextId = 1;
+  const pending = new Map();
+
+  const cleanup = () => {
+    for (const entry of pending.values()) {
+      clearTimeout(entry.timer);
+    }
+    pending.clear();
+    if (!child.killed) child.kill();
+  };
+
+  function send(method, params = {}, timeoutMs = 15000) {
+    const id = nextId++;
+    child.stdin.write(JSON.stringify({ id, method, params }) + "\n");
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        pending.delete(id);
+        reject(new Error(method + " timed out"));
+      }, timeoutMs);
+      pending.set(id, { resolve, reject, timer });
+    });
+  }
+
+  child.stdout.on("data", (chunk) => {
+    buffer += chunk.toString("utf8");
+    let newline;
+    while ((newline = buffer.indexOf("\n")) >= 0) {
+      const line = buffer.slice(0, newline).trim();
+      buffer = buffer.slice(newline + 1);
+      if (!line) continue;
+      let message;
+      try {
+        message = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      if (typeof message.id !== "number") continue;
+      const item = pending.get(message.id);
+      if (!item) continue;
+      pending.delete(message.id);
+      clearTimeout(item.timer);
+      if (message.error) {
+        item.reject(new Error(message.error.message || JSON.stringify(message.error)));
+      } else {
+        item.resolve(message.result);
+      }
+    }
+  });
+
+  child.stderr.on("data", (chunk) => {
+    stderr += chunk.toString("utf8");
+  });
+
+  return new Promise((resolve) => {
+    child.once("error", (error) => {
+      cleanup();
+      resolve({ ok: false, error: redactError(error.message) });
+    });
+
+    (async () => {
+      try {
+        await send("initialize", {
+          clientInfo: {
+            name: "violet-codex-usage-dashboard",
+            title: "Violet Codex Usage Dashboard",
+            version: "0.1.0",
+          },
+          capabilities: {
+            experimentalApi: true,
+          },
+        });
+        const [accountInfo, limits] = await Promise.all([
+          send("account/read", { refreshToken: false }),
+          send("account/rateLimits/read", {}),
+        ]);
+        cleanup();
+        resolve({
+          ok: true,
+          id: account.id,
+          label: account.label || account.id,
+          account: normalizeAccount(accountInfo),
+          rateLimits: normalizeLimit(limits?.rateLimits),
+          rateLimitsByLimitId: Object.fromEntries(
+            Object.entries(limits?.rateLimitsByLimitId || {}).map(([key, value]) => [key, normalizeLimit(value)]),
+          ),
+          fetchedAt: new Date().toISOString(),
+        });
+      } catch (error) {
+        cleanup();
+        resolve({
+          ok: false,
+          id: account.id,
+          label: account.label || account.id,
+          error: redactError(error.message),
+          stderr: redactError(stderr),
+          fetchedAt: new Date().toISOString(),
+        });
+      }
+    })();
+  });
+}
+
+function createLoginCode(account) {
+  const codexCommand = account.codexCommand || "codex";
+  const codexHome = account.codexHome || path.join(process.env.HOME || process.cwd(), ".codex");
+  const child = spawn("python3", [path.join(ROOT, "scripts", "codex-device-code.py"), account.id, codexCommand, codexHome], {
+    env: process.env,
+    stdio: ["ignore", "pipe", "pipe"],
+    windowsHide: true,
+  });
+
+  let output = "";
+  let settled = false;
+
+  function parseLoginOutput(text) {
+    try {
+      const parsed = JSON.parse(text.trim().split("\n").at(-1));
+      return {
+        ...parsed,
+        label: account.label || account.id,
+        generatedAt: new Date().toISOString(),
+      };
+    } catch {
+      return null;
+    }
+  }
+
+  return new Promise((resolve) => {
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      if (!child.killed) child.kill();
+      resolve({ ok: false, account: account.id, error: "login code generation timed out" });
+    }, 10000);
+
+    function onData(chunk) {
+      output += chunk.toString("utf8");
+      const parsed = parseLoginOutput(output);
+      if (!parsed || settled) return;
+      settled = true;
+      clearTimeout(timer);
+      if (!child.killed) child.kill();
+      resolve(parsed);
+    }
+
+    child.stdout.on("data", onData);
+    child.stderr.on("data", onData);
+    child.once("error", (error) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve({ ok: false, account: account.id, error: redactError(error.message) });
+    });
+    child.once("exit", () => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve({ ok: false, account: account.id, error: "codex login exited before producing a code" });
+    });
+  });
+}
+
+async function usage() {
+  const config = loadConfig();
+  if (config.configMissing) {
+    return {
+      ok: false,
+      error: "config.json is missing. Copy config.example.json to config.json and configure accounts.",
+      configPath: config.configPath,
+      accounts: [],
+    };
+  }
+
+  const accounts = await Promise.all(
+    config.accounts.map((account, index) =>
+      requestCodex({
+        ...account,
+        id: account.id || "account-" + (index + 1),
+      }),
+    ),
+  );
+
+  return {
+    ok: accounts.every((account) => account.ok),
+    refreshSeconds: config.refreshSeconds,
+    fetchedAt: new Date().toISOString(),
+    accounts,
+  };
+}
+
+const server = http.createServer(async (req, res) => {
+  if (!isAuthorized(req)) {
+    unauthorized(res);
+    return;
+  }
+
+  const url = new URL(req.url, "http://localhost");
+  if (url.pathname === "/" || url.pathname === "/index.html") {
+    staticFile(res, path.join(ROOT, "public", "index.html"), "text/html; charset=utf-8");
+    return;
+  }
+  if (url.pathname === "/app.js") {
+    staticFile(res, path.join(ROOT, "public", "app.js"), "application/javascript; charset=utf-8");
+    return;
+  }
+  if (url.pathname === "/style.css") {
+    staticFile(res, path.join(ROOT, "public", "style.css"), "text/css; charset=utf-8");
+    return;
+  }
+  if (url.pathname === "/api/usage") {
+    try {
+      json(res, 200, await usage());
+    } catch (error) {
+      json(res, 500, { ok: false, error: redactError(error.message) });
+    }
+    return;
+  }
+  if (url.pathname === "/api/accounts") {
+    json(res, 200, { ok: true, accounts: configuredAccounts() });
+    return;
+  }
+  if (url.pathname === "/api/login-code") {
+    const accountId = url.searchParams.get("account") || "";
+    const account = findAccount(accountId);
+    if (!account) {
+      json(res, 404, { ok: false, error: "Unknown account" });
+      return;
+    }
+    try {
+      json(res, 200, await createLoginCode({ ...account, id: accountId }));
+    } catch (error) {
+      json(res, 500, { ok: false, error: redactError(error.message) });
+    }
+    return;
+  }
+  json(res, 404, { ok: false, error: "Not found" });
+});
+
+const config = loadConfig();
+server.listen(config.port, config.host, () => {
+  console.log("Codex usage dashboard listening on http://" + config.host + ":" + config.port);
+  if (config.configMissing) {
+    console.log("Missing config: copy " + path.join(ROOT, "config.example.json") + " to " + CONFIG_PATH);
+  }
+});