@oh-my-pi/pi-ai 15.2.2 → 15.2.4

package/CHANGELOG.md

@@ -2,6 +2,17 @@
 
 ## [Unreleased]
 
+## [15.2.4] - 2026-05-22
+
+### Fixed
+
+- Fixed ChatGPT Plus/Pro (Codex) OAuth login returning `Token exchange failed: 403` on Windows. When port 1455 was in use, the callback server silently fell back to a random port; OpenAI's authorization endpoint accepts any localhost redirect URI (loose validation), so the browser callback succeeds and shows "Authentication Successful", but the token endpoint rejects the non-registered port with 403. The `OpenAICodexOAuthFlow` now enforces a fixed `redirectUri` option so a busy port immediately surfaces as "port unavailable" instead of producing a confusing 403 ([#1277](https://github.com/can1357/oh-my-pi/issues/1277)).
+- Improved `exchangeCodeForToken` error diagnostics: the 403 response body (`error` / `error_description` fields) is now included in the thrown message, matching the existing `refreshOpenAICodexToken` behaviour.
+
+### Added
+
+- Added `ChatGPT Plus/Pro (Codex, headless/device)` (`openai-codex-device`) as an alternative login method for the Codex provider. Uses OpenAI's device-code flow (`/api/accounts/deviceauth/usercode` → poll `/api/accounts/deviceauth/token`), which avoids a local callback server and port 1455 entirely. Credentials are stored under the existing `openai-codex` provider key so all models and tooling continue to work without reconfiguration ([#1277](https://github.com/can1357/oh-my-pi/issues/1277)).
+
 ## [15.2.2] - 2026-05-22
 
 ### Fixed

package/dist/types/providers/openai-completions.d.ts

@@ -18,7 +18,7 @@ export declare function isOpenAICompletionsProgressChunk(chunk: unknown): boolea
 export interface OpenAICompletionsOptions extends StreamOptions {
     toolChoice?: ToolChoice;
     reasoning?: "minimal" | "low" | "medium" | "high" | "xhigh";
-    /** Force-disable reasoning for OpenRouter-format requests (sends `reasoning: { enabled: false }`). */
+    /** Force-disable reasoning where supported, or request the lowest effort on generic effort endpoints. */
     disableReasoning?: boolean;
     serviceTier?: ServiceTier;
 }

package/dist/types/types.d.ts

@@ -242,9 +242,9 @@ export interface SimpleStreamOptions extends StreamOptions {
      * Force-disable reasoning for the request even when the model supports it.
      * Takes precedence over `reasoning`. Useful for fast utility calls
      * (e.g. title generation) where the model would otherwise burn the entire
-     * output budget on internal thinking. Currently honored by OpenRouter
-     * (sends `reasoning: { enabled: false }`); other providers already behave
-     * this way when `reasoning` is undefined.
+     * output budget on internal thinking. Provider support is format-specific:
+     * some transports can disable reasoning directly, while generic
+     * effort-based OpenAI-compatible endpoints use the lowest supported effort.
      */
     disableReasoning?: boolean;
     /**

package/dist/types/utils/oauth/openai-codex.d.ts

@@ -8,6 +8,13 @@ export type OpenAICodexLoginOptions = OAuthController & {
     originator?: string;
 };
 export declare function loginOpenAICodex(options: OpenAICodexLoginOptions): Promise<OAuthCredentials>;
+/**
+ * Login with OpenAI Codex using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export declare function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials>;
 /**
  * Refresh OpenAI Codex OAuth token
  */

package/dist/types/utils/oauth/types.d.ts

@@ -7,7 +7,7 @@ export type OAuthCredentials = {
     email?: string;
     accountId?: string;
 };
-export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
+export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
 export type OAuthProviderId = OAuthProvider | (string & {});
 export type OAuthPrompt = {
     message: string;

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-ai",
-	"version": "15.2.2",
+	"version": "15.2.4",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -43,7 +43,7 @@
 	"dependencies": {
 		"@anthropic-ai/sdk": "^0.94.0",
 		"@bufbuild/protobuf": "^2.12.0",
-		"@oh-my-pi/pi-utils": "15.2.2",
+		"@oh-my-pi/pi-utils": "15.2.4",
 		"openai": "^6.36.0",
 		"partial-json": "^0.1.7",
 		"zod": "4.4.3"

package/src/auth-storage.ts

@@ -29,6 +29,7 @@ import { kimiUsageProvider } from "./usage/kimi";
 import { codexRankingStrategy, openaiCodexUsageProvider } from "./usage/openai-codex";
 import { zaiUsageProvider } from "./usage/zai";
 import { getOAuthApiKey, getOAuthProvider, refreshOAuthToken } from "./utils/oauth";
+import { loginOpenAICodexDevice } from "./utils/oauth/openai-codex";
 import type { OAuthController, OAuthCredentials, OAuthProvider, OAuthProviderId } from "./utils/oauth/types";
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -1298,6 +1299,14 @@ export class AuthStorage {
 				});
 				break;
 			}
+			case "openai-codex-device": {
+				// Device/headless flow — stores credentials under "openai-codex" so the
+				// provider can pick them up without a separate provider configuration.
+				const deviceCredentials = await loginOpenAICodexDevice(ctrl);
+				const newCredential: OAuthCredential = { type: "oauth", ...deviceCredentials };
+				await this.#upsertOAuthCredential("openai-codex", newCredential);
+				return;
+			}
 			case "gitlab-duo": {
 				const { loginGitLabDuo } = await import("./utils/oauth/gitlab-duo");
 				credentials = await loginGitLabDuo({

package/src/providers/openai-completions-compat.ts

@@ -171,7 +171,13 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 						high: "high",
 						xhigh: "max",
 					} satisfies Partial<Record<OpenAIReasoningEffort, string>>)
-				: {};
+				: isFireworks
+					? ({
+							// Fireworks' OpenAI-compatible endpoint rejects OpenAI's
+							// `minimal` literal but accepts `none` for the lowest setting.
+							minimal: "none",
+						} satisfies Partial<Record<OpenAIReasoningEffort, string>>)
+					: {};
 
 	return {
 		supportsStore: !isNonStandard,

package/src/providers/openai-completions.ts

@@ -10,7 +10,7 @@ import type {
 	ChatCompletionToolMessageParam,
 } from "openai/resources/chat/completions";
 import packageJson from "../../package.json" with { type: "json" };
-import type { Effort } from "../model-thinking";
+import { type Effort, getSupportedEfforts } from "../model-thinking";
 import { calculateCost } from "../models";
 import { getEnvApiKey } from "../stream";
 import {
@@ -219,7 +219,7 @@ export function isOpenAICompletionsProgressChunk(chunk: unknown): boolean {
 export interface OpenAICompletionsOptions extends StreamOptions {
 	toolChoice?: ToolChoice;
 	reasoning?: "minimal" | "low" | "medium" | "high" | "xhigh";
-	/** Force-disable reasoning for OpenRouter-format requests (sends `reasoning: { enabled: false }`). */
+	/** Force-disable reasoning where supported, or request the lowest effort on generic effort endpoints. */
 	disableReasoning?: boolean;
 	serviceTier?: ServiceTier;
 }
@@ -1177,6 +1177,21 @@ function buildParams(
 	) {
 		// OpenAI-style reasoning_effort
 		params.reasoning_effort = mapReasoningEffort(options.reasoning, compat.reasoningEffortMap) as Effort;
+	} else if (
+		supportsReasoningParams &&
+		options?.disableReasoning &&
+		!options?.reasoning &&
+		model.reasoning &&
+		compat.supportsReasoningEffort
+	) {
+		// Generic OpenAI-compatible effort endpoints do not expose a true off
+		// switch. Use the model's lowest supported effort as the closest
+		// transport-level approximation when callers request disabled reasoning.
+		const minEffort = getSupportedEfforts(model)[0];
+		if (minEffort === undefined) {
+			throw new Error(`Model ${model.provider}/${model.id} has no supported reasoning efforts`);
+		}
+		params.reasoning_effort = mapReasoningEffort(minEffort, compat.reasoningEffortMap) as Effort;
 	}
 
 	if (compat.disableReasoningOnToolChoice && params.tool_choice !== undefined) {

package/src/types.ts

@@ -375,9 +375,9 @@ export interface SimpleStreamOptions extends StreamOptions {
 	 * Force-disable reasoning for the request even when the model supports it.
 	 * Takes precedence over `reasoning`. Useful for fast utility calls
 	 * (e.g. title generation) where the model would otherwise burn the entire
-	 * output budget on internal thinking. Currently honored by OpenRouter
-	 * (sends `reasoning: { enabled: false }`); other providers already behave
-	 * this way when `reasoning` is undefined.
+	 * output budget on internal thinking. Provider support is format-specific:
+	 * some transports can disable reasoning directly, while generic
+	 * effort-based OpenAI-compatible endpoints use the lowest supported effort.
 	 */
 	disableReasoning?: boolean;
 	/**

package/src/utils/oauth/index.ts

@@ -25,6 +25,11 @@ const builtInOAuthProviders: OAuthProviderInfo[] = [
 		name: "ChatGPT Plus/Pro (Codex Subscription)",
 		available: true,
 	},
+	{
+		id: "openai-codex-device",
+		name: "ChatGPT Plus/Pro (Codex, headless/device)",
+		available: true,
+	},
 	{
 		id: "gitlab-duo",
 		name: "GitLab Duo",
@@ -279,7 +284,8 @@ export async function refreshOAuthToken(
 			newCredentials = await refreshAntigravityToken(credentials.refresh, credentials.projectId);
 			break;
 		}
-		case "openai-codex": {
+		case "openai-codex":
+		case "openai-codex-device": {
 			const { refreshOpenAICodexToken } = await import("./openai-codex");
 			newCredentials = await refreshOpenAICodexToken(credentials.refresh);
 			break;

package/src/utils/oauth/openai-codex.ts

@@ -1,7 +1,7 @@
 /**
- * OpenAI Codex (ChatGPT OAuth) flow
+ * OpenAI Codex (ChatGPT OAuth) flow — browser and device-code flows.
  */
-import { OAuthCallbackFlow } from "./callback-server";
+import { OAuthCallbackFlow, type OAuthCallbackFlowOptions } from "./callback-server";
 import { generatePKCE } from "./pkce";
 import type { OAuthController, OAuthCredentials } from "./types";
 
@@ -14,6 +14,14 @@ const SCOPE = "openid profile email offline_access";
 const JWT_CLAIM_PATH = "https://api.openai.com/auth";
 const JWT_PROFILE_CLAIM = "https://api.openai.com/profile";
 const TOKEN_REQUEST_TIMEOUT_MS = 15_000;
+const DEVICE_USERCODE_URL = "https://auth.openai.com/api/accounts/deviceauth/usercode";
+const DEVICE_TOKEN_URL = "https://auth.openai.com/api/accounts/deviceauth/token";
+const DEVICE_REDIRECT_URI = "https://auth.openai.com/deviceauth/callback";
+const DEVICE_AUTH_URL = "https://auth.openai.com/codex/device";
+const DEVICE_POLL_INTERVAL_MS = 5_000;
+const DEVICE_POLL_SAFETY_MARGIN_MS = 3_000;
+/** Upper bound on device-code polling to avoid infinite loops on server errors. */
+const DEVICE_MAX_POLLS = 120;
 
 type JwtPayload = {
 	[JWT_CLAIM_PATH]?: {
@@ -59,7 +67,15 @@ class OpenAICodexOAuthFlow extends OAuthCallbackFlow {
 		private readonly pkce: PKCE,
 		private readonly originator: string,
 	) {
-		super(ctrl, CALLBACK_PORT, CALLBACK_PATH);
+		super(ctrl, {
+			preferredPort: CALLBACK_PORT,
+			callbackPath: CALLBACK_PATH,
+			// Enforce the fixed port: OpenAI only allows http://localhost:1455/auth/callback.
+			// Without this, a busy port 1455 falls back to a random port, and the token
+			// exchange would fail with 403 because the redirect_uri no longer matches the
+			// registered allowlist entry.
+			redirectUri: `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`,
+		} satisfies OAuthCallbackFlowOptions);
 	}
 
 	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
@@ -100,7 +116,13 @@ async function exchangeCodeForToken(code: string, verifier: string, redirectUri:
 	});
 
 	if (!tokenResponse.ok) {
-		throw new Error(`Token exchange failed: ${tokenResponse.status}`);
+		let detail = `${tokenResponse.status}`;
+		try {
+			const body = (await tokenResponse.json()) as { error?: string; error_description?: string };
+			if (body.error)
+				detail = `${tokenResponse.status} ${body.error}${body.error_description ? `: ${body.error_description}` : ""}`;
+		} catch {}
+		throw new Error(`Token exchange failed: ${detail}`);
 	}
 
 	const tokenData = (await tokenResponse.json()) as {
@@ -143,6 +165,93 @@ export async function loginOpenAICodex(options: OpenAICodexLoginOptions): Promis
 	return flow.login();
 }
 
+/**
+ * Login with OpenAI Codex using the device-code (headless) flow.
+ *
+ * Avoids a local callback server entirely — useful when port 1455 is unavailable
+ * or when the browser callback flow fails with 403 (e.g. network/proxy issues).
+ */
+export async function loginOpenAICodexDevice(ctrl: OAuthController): Promise<OAuthCredentials> {
+	ctrl.onProgress?.("Initiating device authorization…");
+
+	const initResponse = await fetch(DEVICE_USERCODE_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ client_id: CLIENT_ID }),
+		signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+	});
+
+	if (!initResponse.ok) {
+		throw new Error(`Device authorization initiation failed: ${initResponse.status}`);
+	}
+
+	const initData = (await initResponse.json()) as {
+		device_auth_id?: string;
+		user_code?: string;
+		interval?: string | number;
+	};
+
+	if (!initData.device_auth_id || !initData.user_code) {
+		throw new Error("Device authorization response missing required fields");
+	}
+
+	const userCode = initData.user_code;
+	const pollIntervalMs =
+		(typeof initData.interval === "number"
+			? initData.interval
+			: parseInt(String(initData.interval ?? "5"), 10) || 5) *
+			1000 +
+		DEVICE_POLL_SAFETY_MARGIN_MS;
+
+	ctrl.onAuth?.({
+		url: DEVICE_AUTH_URL,
+		instructions: `Enter code: ${userCode}`,
+	});
+
+	ctrl.onProgress?.(`Waiting for browser authorization (code: ${userCode})…`);
+
+	for (let poll = 0; poll < DEVICE_MAX_POLLS; poll++) {
+		await Bun.sleep(poll === 0 ? Math.min(pollIntervalMs, DEVICE_POLL_INTERVAL_MS) : pollIntervalMs);
+
+		if (ctrl.signal?.aborted) {
+			throw new Error("Device authorization cancelled");
+		}
+
+		const pollResponse = await fetch(DEVICE_TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				device_auth_id: initData.device_auth_id,
+				user_code: userCode,
+			}),
+			signal: AbortSignal.timeout(TOKEN_REQUEST_TIMEOUT_MS),
+		});
+
+		// 403/404 = authorization pending, keep polling
+		if (pollResponse.status === 403 || pollResponse.status === 404) {
+			continue;
+		}
+
+		if (!pollResponse.ok) {
+			throw new Error(`Device token polling failed: ${pollResponse.status}`);
+		}
+
+		const pollData = (await pollResponse.json()) as {
+			authorization_code?: string;
+			code_verifier?: string;
+		};
+
+		if (!pollData.authorization_code || !pollData.code_verifier) {
+			throw new Error("Device token response missing authorization_code or code_verifier");
+		}
+
+		ctrl.onProgress?.("Exchanging authorization code for tokens…");
+		return exchangeCodeForToken(pollData.authorization_code, pollData.code_verifier, DEVICE_REDIRECT_URI);
+	}
+
+	throw new Error("Device authorization timed out — user did not complete login in time");
+}
+
 /**
  * Refresh OpenAI Codex OAuth token
  */

package/src/utils/oauth/types.ts

@@ -34,6 +34,7 @@ export type OAuthProvider =
 	| "ollama"
 	| "ollama-cloud"
 	| "openai-codex"
+	| "openai-codex-device"
 	| "opencode-go"
 	| "opencode-zen"
 	| "parallel"