@nordbyte/nordrelay 0.2.1

package/dist/codex-auth.js

@@ -0,0 +1,150 @@
+import { execFile } from "node:child_process";
+const CODEX_CLI = "codex";
+const COMMAND_TIMEOUT_MS = 10_000;
+const AUTH_CACHE_TTL_MS = 30_000;
+let cachedAuthStatus;
+/**
+ * Check whether Codex is currently authenticated.
+ *
+ * Priority:
+ * 1. If CODEX_API_KEY is set in the environment, report authenticated via API key.
+ * 2. Otherwise, shell out to `codex login status` to check CLI auth.
+ * 3. If the CLI command fails or is unavailable, report unauthenticated.
+ *
+ * Results are cached for 30 seconds to avoid per-message CLI invocations.
+ */
+export async function checkAuthStatus(apiKey) {
+    if (apiKey) {
+        return {
+            authenticated: true,
+            method: "api-key",
+            detail: "Authenticated via CODEX_API_KEY",
+        };
+    }
+    if (cachedAuthStatus && Date.now() < cachedAuthStatus.expiresAt) {
+        return cachedAuthStatus.status;
+    }
+    try {
+        const { stdout } = await runCodexCommand(["login", "status"]);
+        const output = stdout.trim();
+        const status = {
+            authenticated: true,
+            method: "cli",
+            detail: output || "Authenticated via Codex CLI",
+        };
+        cachedAuthStatus = { status, expiresAt: Date.now() + AUTH_CACHE_TTL_MS };
+        return status;
+    }
+    catch (error) {
+        const status = parseCommandError(error);
+        cachedAuthStatus = { status, expiresAt: Date.now() + AUTH_CACHE_TTL_MS };
+        return status;
+    }
+}
+/**
+ * Clear the cached auth status so the next check hits the CLI.
+ */
+export function clearAuthCache() {
+    cachedAuthStatus = undefined;
+}
+/**
+ * Attempt to start a login flow via the Codex CLI.
+ * Uses --device-auth to get a device code flow suitable for headless/remote hosts.
+ */
+export async function startLogin() {
+    clearAuthCache();
+    try {
+        const { stdout } = await runCodexCommand(["login", "--device-auth"]);
+        const output = stdout.trim();
+        return {
+            success: true,
+            message: output || "Login initiated. Check your terminal or browser for the next step.",
+        };
+    }
+    catch (error) {
+        const detail = extractErrorMessage(error);
+        return {
+            success: false,
+            message: detail || "Login command failed. Try running 'codex auth login' on the host.",
+        };
+    }
+}
+/**
+ * Attempt to logout via the Codex CLI.
+ */
+export async function startLogout() {
+    clearAuthCache();
+    try {
+        const { stdout } = await runCodexCommand(["logout"]);
+        const output = stdout.trim();
+        return {
+            success: true,
+            message: output || "Logged out successfully.",
+        };
+    }
+    catch (error) {
+        const detail = extractErrorMessage(error);
+        return {
+            success: false,
+            message: detail || "Logout command failed. Try running 'codex auth logout' on the host.",
+        };
+    }
+}
+function runCodexCommand(args) {
+    return new Promise((resolve, reject) => {
+        execFile(CODEX_CLI, args, {
+            timeout: COMMAND_TIMEOUT_MS,
+            env: { ...process.env },
+            maxBuffer: 1024 * 1024,
+        }, (error, stdout, stderr) => {
+            if (error) {
+                // Attach stdout/stderr to the error for richer diagnostics
+                const enriched = error;
+                enriched.stdout = typeof stdout === "string" ? stdout : "";
+                enriched.stderr = typeof stderr === "string" ? stderr : "";
+                reject(enriched);
+                return;
+            }
+            resolve({
+                stdout: typeof stdout === "string" ? stdout : "",
+                stderr: typeof stderr === "string" ? stderr : "",
+            });
+        });
+    });
+}
+function parseCommandError(error) {
+    const errno = error?.code;
+    if (errno === "ENOENT") {
+        return {
+            authenticated: false,
+            method: "none",
+            detail: "Codex CLI not found. Install it or set CODEX_API_KEY.",
+        };
+    }
+    const detail = extractErrorMessage(error) || "Not authenticated";
+    return {
+        authenticated: false,
+        method: "none",
+        detail,
+    };
+}
+function extractErrorMessage(error) {
+    if (typeof error === "object" && error !== null) {
+        const enriched = error;
+        const stderr = enriched.stderr?.trim();
+        if (stderr) {
+            return stderr;
+        }
+        const stdout = enriched.stdout?.trim();
+        if (stdout) {
+            return stdout;
+        }
+        if (enriched.signal) {
+            return `Command terminated with signal ${enriched.signal}.`;
+        }
+        if (enriched.message) {
+            return enriched.message;
+        }
+    }
+    return error instanceof Error ? error.message : String(error);
+}

package/dist/codex-cli.js

@@ -0,0 +1,79 @@
+import { accessSync, constants, realpathSync } from "node:fs";
+import path from "node:path";
+/**
+ * Prefer the host Codex CLI so normal `codex` updates are picked up by the
+ * connector. Falls back to the SDK-bundled CLI when no external binary exists.
+ */
+export function resolveCodexCli(env = process.env) {
+    const explicitPath = optionalString(env.CODEX_CLI_PATH);
+    if (explicitPath) {
+        return { path: explicitPath, source: "env" };
+    }
+    if (isEnabled(env.CODEX_USE_BUNDLED_CLI)) {
+        return { source: "bundled" };
+    }
+    const pathMatch = findExecutableOnPath("codex", env.PATH);
+    return pathMatch ? { path: pathMatch, source: "path" } : { source: "bundled" };
+}
+export function describeCodexCli(resolution) {
+    if (resolution.path) {
+        return `${resolution.source} (${resolution.path})`;
+    }
+    return "bundled @openai/codex";
+}
+export function findExecutableOnPath(command, pathValue) {
+    if (!pathValue) {
+        return undefined;
+    }
+    const extensions = process.platform === "win32"
+        ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";")
+        : [""];
+    for (const rawDirectory of pathValue.split(path.delimiter)) {
+        const directory = rawDirectory.trim();
+        if (!directory) {
+            continue;
+        }
+        for (const extension of extensions) {
+            const candidate = path.join(directory, `${command}${extension}`);
+            if (!isExecutable(candidate) || isProjectLocalBin(candidate)) {
+                continue;
+            }
+            return candidate;
+        }
+    }
+    return undefined;
+}
+function isExecutable(filePath) {
+    try {
+        accessSync(filePath, constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function isProjectLocalBin(filePath) {
+    const absolute = path.resolve(filePath);
+    const resolved = resolveRealPath(filePath);
+    const localBin = path.resolve(process.cwd(), "node_modules", ".bin");
+    return (absolute === localBin ||
+        absolute.startsWith(`${localBin}${path.sep}`) ||
+        resolved === localBin ||
+        resolved.startsWith(`${localBin}${path.sep}`));
+}
+function resolveRealPath(filePath) {
+    try {
+        return realpathSync(filePath);
+    }
+    catch {
+        return path.resolve(filePath);
+    }
+}
+function optionalString(value) {
+    const trimmed = value?.trim();
+    return trimmed ? trimmed : undefined;
+}
+function isEnabled(value) {
+    const normalized = value?.trim().toLowerCase();
+    return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+}

package/dist/codex-config.js

@@ -0,0 +1,50 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+const FAST_OPT_OUT_RE = /^(\s*fast_default_opt_out\s*=\s*)(true|false)(\s*(?:#.*)?)$/m;
+const NOTICE_HEADER_RE = /^(\[notice\]\s*)$/m;
+export function readCodexFastMode() {
+    const configPath = getCodexConfigPath();
+    if (!configPath || !existsSync(configPath)) {
+        return null;
+    }
+    try {
+        const contents = readFileSync(configPath, "utf8");
+        const match = contents.match(FAST_OPT_OUT_RE);
+        if (!match) {
+            return null;
+        }
+        return match[2] === "false";
+    }
+    catch {
+        return null;
+    }
+}
+export function writeCodexFastMode(enabled) {
+    const configPath = getCodexConfigPath();
+    if (!configPath) {
+        return;
+    }
+    const codexDir = path.dirname(configPath);
+    mkdirSync(codexDir, { recursive: true });
+    const optOutValue = enabled ? "false" : "true";
+    const line = `fast_default_opt_out = ${optOutValue}`;
+    const currentContents = existsSync(configPath) ? readFileSync(configPath, "utf8") : "";
+    if (FAST_OPT_OUT_RE.test(currentContents)) {
+        writeFileSync(configPath, currentContents.replace(FAST_OPT_OUT_RE, `$1${optOutValue}$3`), "utf8");
+        return;
+    }
+    if (NOTICE_HEADER_RE.test(currentContents)) {
+        writeFileSync(configPath, currentContents.replace(NOTICE_HEADER_RE, `$1\n${line}`), "utf8");
+        return;
+    }
+    const prefix = currentContents.length === 0
+        ? ""
+        : currentContents.endsWith("\n")
+            ? `${currentContents}\n`
+            : `${currentContents}\n\n`;
+    writeFileSync(configPath, `${prefix}[notice]\n${line}\n`, "utf8");
+}
+function getCodexConfigPath() {
+    const home = process.env.HOME;
+    return home ? path.join(home, ".codex", "config.toml") : null;
+}

package/dist/codex-launch.js

@@ -0,0 +1,109 @@
+export const DEFAULT_LAUNCH_PROFILE_ID = "default";
+export function isCodexSandboxMode(value) {
+    return value === "read-only" || value === "workspace-write" || value === "danger-full-access";
+}
+export function isCodexApprovalPolicy(value) {
+    return value === "never" || value === "on-request" || value === "on-failure" || value === "untrusted";
+}
+export function createLaunchProfile(input) {
+    return {
+        ...input,
+        unsafe: isUnsafeLaunchProfile(input.sandboxMode),
+    };
+}
+export function createDefaultLaunchProfile(sandboxMode, approvalPolicy) {
+    return createLaunchProfile({
+        id: DEFAULT_LAUNCH_PROFILE_ID,
+        label: "Default",
+        sandboxMode,
+        approvalPolicy,
+    });
+}
+export function createBuiltinLaunchProfiles(defaultProfile, options) {
+    const profiles = [
+        defaultProfile,
+        createLaunchProfile({
+            id: "readonly",
+            label: "Read Only",
+            sandboxMode: "read-only",
+            approvalPolicy: "never",
+        }),
+        createLaunchProfile({
+            id: "review",
+            label: "Review",
+            sandboxMode: "workspace-write",
+            approvalPolicy: "on-request",
+        }),
+    ];
+    if (options?.includeFullAccess) {
+        profiles.push(createLaunchProfile({
+            id: "full-access",
+            label: "Full Access",
+            sandboxMode: "danger-full-access",
+            approvalPolicy: "never",
+        }));
+    }
+    return profiles;
+}
+export function parseLaunchProfilesJson(raw) {
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    if (!Array.isArray(parsed)) {
+        throw new Error("Invalid CODEX_LAUNCH_PROFILES_JSON: expected a JSON array");
+    }
+    return parsed.map((entry, index) => parseLaunchProfileEntry(entry, index));
+}
+export function findLaunchProfile(profiles, profileId) {
+    if (!profileId) {
+        return undefined;
+    }
+    return profiles.find((profile) => profile.id === profileId);
+}
+export function formatLaunchProfileBehavior(profile) {
+    return `${profile.sandboxMode} / ${profile.approvalPolicy}`;
+}
+export function formatLaunchProfileLabel(profile, isCurrent = false) {
+    const prefix = profile.unsafe ? "⚠️" : "🛡️";
+    const selected = isCurrent ? " ✓" : "";
+    return `${prefix} ${profile.label} · ${formatLaunchProfileBehavior(profile)}${selected}`;
+}
+export function isUnsafeLaunchProfile(profileOrSandboxMode) {
+    const sandboxMode = typeof profileOrSandboxMode === "string" ? profileOrSandboxMode : profileOrSandboxMode.sandboxMode;
+    return sandboxMode === "danger-full-access";
+}
+function parseLaunchProfileEntry(entry, index) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON entry at index ${index}: expected an object`);
+    }
+    const rawId = readStringField(entry, "id", index);
+    if (!/^[a-z0-9][a-z0-9_-]*$/.test(rawId)) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON entry at index ${index}: id must match /^[a-z0-9][a-z0-9_-]*$/`);
+    }
+    const rawLabel = readStringField(entry, "label", index);
+    const rawSandboxMode = readStringField(entry, "sandboxMode", index);
+    if (!isCodexSandboxMode(rawSandboxMode)) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON entry at index ${index}: unsupported sandboxMode "${rawSandboxMode}"`);
+    }
+    const rawApprovalPolicy = readStringField(entry, "approvalPolicy", index);
+    if (!isCodexApprovalPolicy(rawApprovalPolicy)) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON entry at index ${index}: unsupported approvalPolicy "${rawApprovalPolicy}"`);
+    }
+    return createLaunchProfile({
+        id: rawId,
+        label: rawLabel,
+        sandboxMode: rawSandboxMode,
+        approvalPolicy: rawApprovalPolicy,
+    });
+}
+function readStringField(entry, field, index) {
+    const value = Reflect.get(entry, field);
+    if (typeof value !== "string" || value.trim().length === 0) {
+        throw new Error(`Invalid CODEX_LAUNCH_PROFILES_JSON entry at index ${index}: missing ${field}`);
+    }
+    return value.trim();
+}