@ouro.bot/cli 0.1.0-alpha.642 → 0.1.0-alpha.644

package/changelog.json

@@ -1,6 +1,18 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.644",
+      "changes": [
+        "Refresh expired openai-codex OAuth credentials automatically and expose chat-driven recovery, with full coverage for stale-token repair, malformed local Codex auth files, transient refresh failures, and human-required reauth boundaries."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.643",
+      "changes": [
+        "Dependency audit hardening: refresh the Teams SDK family and vulnerable transitive packages, force Teams' stale msal-node edge onto the safe 5.2.x line, update Teams invoke handlers for the newer SDK route-handler return contract, and add a root npm audit gate to release preflight."
+      ]
+    },
     {
       "version": "0.1.0-alpha.642",
       "changes": [

package/dist/heart/config.js

@@ -231,7 +231,11 @@ function getAnthropicConfig() {
 }
 function getOpenAICodexConfig() {
     const raw = readProviderConfig("openai-codex");
-    return { oauthAccessToken: typeof raw.oauthAccessToken === "string" ? raw.oauthAccessToken : "" };
+    return {
+        oauthAccessToken: typeof raw.oauthAccessToken === "string" ? raw.oauthAccessToken : "",
+        ...(typeof raw.refreshToken === "string" ? { refreshToken: raw.refreshToken } : {}),
+        ...(typeof raw.expiresAt === "number" ? { expiresAt: raw.expiresAt } : {}),
+    };
 }
 function getGithubCopilotConfig() {
     const raw = readProviderConfig("github-copilot");

package/dist/heart/core.js

@@ -37,6 +37,7 @@ const tool_friction_1 = require("./tool-friction");
 const provider_models_1 = require("./provider-models");
 const provider_credentials_1 = require("./provider-credentials");
 const provider_attempt_1 = require("./provider-attempt");
+const openai_codex_token_1 = require("./providers/openai-codex-token");
 const _providerRuntimes = {
     human: null,
     agent: null,
@@ -61,15 +62,25 @@ async function getProviderRuntimeFingerprint(facing) {
             `Run \`ouro auth --agent ${agentName} --provider ${binding.provider}\`.`,
         ].join("\n"));
     }
+    let record = credential.record;
+    if (binding.provider === "openai-codex") {
+        const refresh = await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)(agentName, {
+            record,
+            reason: "runtime-init",
+        });
+        if (refresh.ok) {
+            record = refresh.record;
+        }
+    }
     return {
         binding,
         fingerprint: JSON.stringify({
             lane: binding.lane,
             provider: binding.provider,
             model: binding.model,
-            credentialRevision: credential.record.revision,
+            credentialRevision: record.revision,
         }),
-        credential: credential.record,
+        credential: record,
     };
 }
 function createProviderRegistry() {
@@ -844,6 +855,12 @@ async function runAgent(messages, callbacks, channel, signal, options) {
                     const seconds = delayMs / 1000;
                     const cause = RETRY_LABELS[record.classification];
                     try {
+                        if (record.provider === "openai-codex" && record.classification === "auth-failure") {
+                            await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)((0, identity_2.getAgentName)(), {
+                                force: true,
+                                reason: "turn-auth-failure",
+                            });
+                        }
                         await (0, provider_credentials_1.refreshProviderCredentialPool)((0, identity_2.getAgentName)(), {
                             preserveCachedOnFailure: true,
                             providers: [record.provider],

package/dist/heart/provider-failover.js

@@ -126,6 +126,9 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
     if (classification === "auth-failure") {
         lines.push("");
         lines.push("To keep using the current provider:");
+        if (currentProvider === "openai-codex") {
+            lines.push(`  - Reply "refresh openai-codex" to try the saved refresh token from this chat.`);
+        }
         lines.push(`  1. Run \`ouro auth --agent ${agentName} --provider ${currentProvider}\``);
     }
     if (modelMismatch) {
@@ -182,11 +185,18 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
 }
 function handleFailoverReply(reply, context) {
     const lower = reply.toLowerCase().trim();
+    const currentProvider = context.currentProvider;
+    const currentLane = context.currentLane ?? "outward";
+    if (context.classification === "auth-failure"
+        && (lower.includes(`refresh ${currentProvider}`)
+            || lower.includes(`reauth ${currentProvider}`)
+            || (currentProvider === "openai-codex" && (lower.includes("refresh codex") || lower.includes("reauth codex"))))) {
+        return { action: "refresh", provider: currentProvider, lane: currentLane };
+    }
     const readyProviders = context.readyProviders ?? context.workingProviders.map((provider) => ({
         provider,
         model: (0, provider_models_1.resolveModelForProviderDisplay)(provider),
     }));
-    const currentLane = context.currentLane ?? "outward";
     for (const candidate of readyProviders) {
         if (lower.includes(`switch to ${candidate.provider}`) || lower === candidate.provider) {
             return {

package/dist/heart/providers/openai-codex-token.js

@@ -0,0 +1,289 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readOpenAICodexJwtExpiresAt = readOpenAICodexJwtExpiresAt;
+exports.refreshOpenAICodexProviderCredentials = refreshOpenAICodexProviderCredentials;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../../nerves/runtime");
+const provider_credentials_1 = require("../provider-credentials");
+const OPENAI_CODEX_TOKEN_ENDPOINT = "https://auth.openai.com/oauth/token";
+const OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const OPENAI_CODEX_REFRESH_MARGIN_MS = 5 * 60_000;
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readOpenAICodexJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function recordCredentialString(record, field) {
+    const value = record.credentials[field];
+    return typeof value === "string" ? value.trim() : "";
+}
+function recordCredentialNumber(record, field) {
+    const value = record.credentials[field];
+    if (typeof value === "number" && Number.isFinite(value) && value > 0)
+        return value;
+    if (typeof value === "string") {
+        const parsed = Number(value);
+        if (Number.isFinite(parsed) && parsed > 0)
+            return parsed;
+    }
+    return undefined;
+}
+function resolveExpiresAt(record) {
+    return recordCredentialNumber(record, "expiresAt")
+        ?? readOpenAICodexJwtExpiresAt(recordCredentialString(record, "oauthAccessToken"));
+}
+function isRecordFresh(record, now) {
+    const expiresAt = resolveExpiresAt(record);
+    if (!expiresAt)
+        return true;
+    return expiresAt > now.getTime() + OPENAI_CODEX_REFRESH_MARGIN_MS;
+}
+function authCommand(agentName) {
+    return `ouro auth --agent ${agentName} --provider openai-codex`;
+}
+function readProviderRecordFailure(result, agentName) {
+    return {
+        ok: false,
+        actor: "human-required",
+        message: `openai-codex credentials could not be loaded for ${agentName}: ${result.error}. Run '${authCommand(agentName)}'.`,
+    };
+}
+function parseRefreshFailure(body) {
+    try {
+        const parsed = JSON.parse(body);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return body.trim();
+        const record = parsed;
+        const error = record.error;
+        if (error && typeof error === "object" && !Array.isArray(error)) {
+            const code = error.code;
+            const message = error.message;
+            if (typeof message === "string" && message.trim())
+                return message.trim();
+            if (typeof code === "string" && code.trim())
+                return code.trim();
+        }
+        if (typeof error === "string" && error.trim())
+            return error.trim();
+        const code = record.code;
+        if (typeof code === "string" && code.trim())
+            return code.trim();
+    }
+    catch {
+        // Plain-text bodies are useful as-is.
+    }
+    return body.trim() || "refresh endpoint returned an empty error body";
+}
+async function updateLocalCodexAuthIfUnchanged(input) {
+    const authPath = path.join(input.homeDir, ".codex", "auth.json");
+    let raw;
+    try {
+        raw = fs.readFileSync(authPath, "utf8");
+    }
+    catch {
+        return "missing";
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed.tokens || typeof parsed.tokens !== "object")
+            return "skipped";
+        const currentAccess = typeof parsed.tokens.access_token === "string" ? parsed.tokens.access_token : "";
+        const currentRefresh = typeof parsed.tokens.refresh_token === "string" ? parsed.tokens.refresh_token : "";
+        if (currentAccess !== input.oldAccessToken && currentRefresh !== input.oldRefreshToken) {
+            return "skipped";
+        }
+        parsed.tokens.access_token = input.newAccessToken;
+        parsed.tokens.refresh_token = input.newRefreshToken;
+        parsed.last_refresh = input.now.toISOString();
+        fs.writeFileSync(authPath, `${JSON.stringify(parsed, null, 2)}\n`, "utf8");
+        return "updated";
+    }
+    catch {
+        return "error";
+    }
+}
+async function requestOpenAICodexTokenRefresh(input) {
+    let response;
+    try {
+        response = await input.fetchImpl(OPENAI_CODEX_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                client_id: OPENAI_CODEX_CLIENT_ID,
+                grant_type: "refresh_token",
+                refresh_token: input.refreshToken,
+            }),
+        });
+    }
+    catch (error) {
+        return { ok: false, detail: error instanceof Error ? error.message : String(error) };
+    }
+    if (!response.ok) {
+        const body = await response.text().catch(() => "");
+        return { ok: false, status: response.status, detail: parseRefreshFailure(body) };
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (error) {
+        return { ok: false, detail: `refresh endpoint returned invalid JSON: ${error instanceof Error ? error.message : String(error)}` };
+    }
+    const accessToken = typeof body.access_token === "string" ? body.access_token.trim() : "";
+    const refreshToken = typeof body.refresh_token === "string" ? body.refresh_token.trim() : input.refreshToken;
+    if (!accessToken)
+        return { ok: false, detail: "refresh endpoint returned no access_token" };
+    return { ok: true, accessToken, refreshToken };
+}
+async function refreshOpenAICodexProviderCredentials(agentName, options = {}) {
+    const now = options.now ?? new Date();
+    const readRecord = options.readRecord ?? provider_credentials_1.readProviderCredentialRecord;
+    const upsertCredential = options.upsertCredential ?? provider_credentials_1.upsertProviderCredential;
+    let record = options.record;
+    if (!record) {
+        const result = await readRecord(agentName, "openai-codex", { refreshIfMissing: true });
+        if (!result.ok)
+            return readProviderRecordFailure(result, agentName);
+        record = result.record;
+    }
+    if (!options.force && isRecordFresh(record, now)) {
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_skipped",
+            message: "openai-codex token refresh skipped because the credential is still fresh",
+            meta: { agentName, reason: options.reason ?? "fresh" },
+        });
+        return { ok: true, refreshed: false, record };
+    }
+    const oldAccessToken = recordCredentialString(record, "oauthAccessToken");
+    const oldRefreshToken = recordCredentialString(record, "refreshToken");
+    if (!oldRefreshToken) {
+        return {
+            ok: false,
+            actor: "human-required",
+            message: `openai-codex has no saved refresh token for ${agentName}. Run '${authCommand(agentName)}'.`,
+        };
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_start",
+        message: "refreshing openai-codex OAuth token",
+        meta: { agentName, reason: options.reason ?? "unspecified" },
+    });
+    const refresh = await requestOpenAICodexTokenRefresh({
+        refreshToken: oldRefreshToken,
+        fetchImpl: options.fetchImpl ?? fetch,
+    });
+    if (!refresh.ok) {
+        const actor = refresh.status === 401 ? "human-required" : "agent-runnable";
+        (0, runtime_1.emitNervesEvent)({
+            level: actor === "human-required" ? "warn" : "error",
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_error",
+            message: "openai-codex OAuth token refresh failed",
+            meta: {
+                agentName,
+                reason: options.reason ?? "unspecified",
+                actor,
+                ...(refresh.status ? { status: refresh.status } : {}),
+                detail: refresh.detail,
+            },
+        });
+        return {
+            ok: false,
+            actor,
+            message: actor === "human-required"
+                ? `openai-codex refresh token is no longer usable (${refresh.detail}). Run '${authCommand(agentName)}'.`
+                : `openai-codex token refresh failed (${refresh.detail}); retry refresh before asking for browser login.`,
+        };
+    }
+    const expiresAt = readOpenAICodexJwtExpiresAt(refresh.accessToken);
+    const credentials = {
+        oauthAccessToken: refresh.accessToken,
+        refreshToken: refresh.refreshToken,
+        ...(expiresAt ? { expiresAt } : {}),
+    };
+    const updated = await upsertCredential({
+        agentName,
+        provider: "openai-codex",
+        credentials,
+        config: { ...record.config },
+        provenance: { source: record.provenance.source },
+        now,
+    });
+    const localAuth = await updateLocalCodexAuthIfUnchanged({
+        homeDir: options.homeDir ?? os.homedir(),
+        oldAccessToken,
+        oldRefreshToken,
+        newAccessToken: refresh.accessToken,
+        newRefreshToken: refresh.refreshToken,
+        now,
+    });
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_end",
+        message: "refreshed openai-codex OAuth token",
+        meta: {
+            agentName,
+            reason: options.reason ?? "unspecified",
+            credentialRevision: updated.revision,
+            localCodexAuth: localAuth,
+        },
+    });
+    return { ok: true, refreshed: true, record: updated };
+}

package/dist/senses/pipeline.js

@@ -53,6 +53,7 @@ const active_work_1 = require("../heart/active-work");
 const delegation_1 = require("../heart/delegation");
 const obligations_1 = require("../arc/obligations");
 const provider_failover_1 = require("../heart/provider-failover");
+const openai_codex_token_1 = require("../heart/providers/openai-codex-token");
 const tempo_1 = require("../heart/tempo");
 const temporal_view_1 = require("../heart/temporal-view");
 const start_of_turn_packet_1 = require("../heart/start-of-turn-packet");
@@ -362,6 +363,50 @@ async function handleInboundTurn(input) {
             }
             // Switch failed OR succeeded — either way, fall through to normal processing.
         }
+        else if (failoverAction.action === "refresh") {
+            const refresh = failoverAction.provider === "openai-codex"
+                ? await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)(failoverAgentName, {
+                    force: true,
+                    reason: "failover-reply",
+                })
+                : { ok: false, actor: "human-required", message: `provider ${failoverAction.provider} does not support chat-driven refresh` };
+            if (refresh.ok) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "senses",
+                    event: "senses.failover_refresh",
+                    message: `refreshed ${failoverAction.provider} provider credentials via failover`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        refreshed: refresh.refreshed,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: `[provider refresh: ${pendingContext.errorSummary}. refreshed ${failoverAction.provider} credentials for the ${failoverAction.lane} lane. your conversation history is intact — respond to the user's last message.]`,
+                    }];
+            }
+            else {
+                (0, runtime_1.emitNervesEvent)({
+                    level: refresh.actor === "human-required" ? "warn" : "error",
+                    component: "senses",
+                    event: "senses.failover_refresh_error",
+                    message: `failed to refresh ${failoverAction.provider} provider credentials via failover`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        actor: refresh.actor,
+                        error: refresh.message,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: `[provider refresh failed: tried to refresh ${failoverAction.provider} for the ${failoverAction.lane} lane. actor: ${refresh.actor}. reason: ${refresh.message}. current lane unchanged: ${pendingContext.currentProvider} / ${pendingContext.currentModel}. If ready alternatives are listed in the prior failover message, switch to one; otherwise tell the user the concrete human-required auth step.]`,
+                    }];
+            }
+        }
     }
     // Step 0b: Slash command interception (before friend resolution / agent turn)
     {

package/dist/senses/teams.js

@@ -946,7 +946,7 @@ function registerBotHandlers(app, label) {
         const turnKey = teamsTurnKey(convId);
         // Validate payload — graceful no-op for malformed invocations
         if (activity.value?.actionName !== "feedback" || !reaction) {
-            return;
+            return undefined;
         }
         const syntheticText = buildFeedbackSyntheticText(reaction, comment);
         // Turn coordination: if a turn is active, enqueue as steering follow-up
@@ -957,7 +957,7 @@ function registerBotHandlers(app, label) {
                 receivedAt: Date.now(),
                 effect: (0, continuity_1.classifySteeringFollowUpEffect)(syntheticText),
             });
-            return;
+            return undefined;
         }
         try {
             const teamsContext = {
@@ -978,6 +978,7 @@ function registerBotHandlers(app, label) {
         finally {
             _turnCoordinator.endTurn(turnKey);
         }
+        return undefined;
     });
     /* v8 ignore stop */
     // Handle bot install — send welcome Adaptive Card with prompt starters.
@@ -999,6 +1000,7 @@ function registerBotHandlers(app, label) {
             const msg = err instanceof Error ? err.message : String(err);
             (0, runtime_1.emitNervesEvent)({ level: "error", event: "channel.welcome_handler_error", component: "channels", message: msg.slice(0, 200), meta: {} });
         }
+        return undefined;
     });
     /* v8 ignore stop */
     app.on("message", async (ctx) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.642",
+  "version": "0.1.0-alpha.644",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",
@@ -52,12 +52,12 @@
     "@anthropic-ai/sdk": "^0.78.0",
     "@azure/identity": "^4.13.0",
     "@azure/storage-blob": "^12.31.0",
-    "@microsoft/teams.api": "2.0.5",
-    "@microsoft/teams.apps": "^2.0.5",
-    "@microsoft/teams.cards": "2.0.5",
-    "@microsoft/teams.common": "2.0.5",
-    "@microsoft/teams.dev": "^2.0.5",
-    "@microsoft/teams.graph": "2.0.5",
+    "@microsoft/teams.api": "2.0.11",
+    "@microsoft/teams.apps": "2.0.11",
+    "@microsoft/teams.cards": "2.0.11",
+    "@microsoft/teams.common": "2.0.11",
+    "@microsoft/teams.dev": "2.0.11",
+    "@microsoft/teams.graph": "2.0.11",
     "@types/react": "^17.0.91",
     "@types/ws": "^8.18.1",
     "fast-glob": "^3.3.3",
@@ -87,6 +87,9 @@
     "vitest": "^4.0.18"
   },
   "overrides": {
+    "@microsoft/teams.apps": {
+      "@azure/msal-node": "^5.2.2"
+    },
     "@testing-library/react": {
       "react": "$react",
       "@types/react": "$@types/react"