npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.643 → 0.1.0-alpha.645 - Mend

@ouro.bot/cli 0.1.0-alpha.643 → 0.1.0-alpha.645

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/changelog.json +12 -0
package/dist/heart/config.js +5 -1
package/dist/heart/core.js +19 -2
package/dist/heart/provider-failover.js +11 -1
package/dist/heart/providers/openai-codex-token.js +349 -0
package/dist/senses/pipeline.js +45 -0
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,18 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.645",
+      "changes": [
+        "Rescue openai-codex refresh when the vault refresh token has rotated by retrying with the local Codex login, and classify sign-in-required refresh failures as human-required."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.644",
+      "changes": [
+        "Refresh expired openai-codex OAuth credentials automatically and expose chat-driven recovery, with full coverage for stale-token repair, malformed local Codex auth files, transient refresh failures, and human-required reauth boundaries."
+      ]
+    },
     {
       "version": "0.1.0-alpha.643",
       "changes": [

package/dist/heart/config.js CHANGED Viewed

@@ -231,7 +231,11 @@ function getAnthropicConfig() {
 }
 function getOpenAICodexConfig() {
     const raw = readProviderConfig("openai-codex");
-    return { oauthAccessToken: typeof raw.oauthAccessToken === "string" ? raw.oauthAccessToken : "" };
+    return {
+        oauthAccessToken: typeof raw.oauthAccessToken === "string" ? raw.oauthAccessToken : "",
+        ...(typeof raw.refreshToken === "string" ? { refreshToken: raw.refreshToken } : {}),
+        ...(typeof raw.expiresAt === "number" ? { expiresAt: raw.expiresAt } : {}),
+    };
 }
 function getGithubCopilotConfig() {
     const raw = readProviderConfig("github-copilot");

package/dist/heart/core.js CHANGED Viewed

@@ -37,6 +37,7 @@ const tool_friction_1 = require("./tool-friction");
 const provider_models_1 = require("./provider-models");
 const provider_credentials_1 = require("./provider-credentials");
 const provider_attempt_1 = require("./provider-attempt");
+const openai_codex_token_1 = require("./providers/openai-codex-token");
 const _providerRuntimes = {
     human: null,
     agent: null,
@@ -61,15 +62,25 @@ async function getProviderRuntimeFingerprint(facing) {
             `Run \`ouro auth --agent ${agentName} --provider ${binding.provider}\`.`,
         ].join("\n"));
     }
+    let record = credential.record;
+    if (binding.provider === "openai-codex") {
+        const refresh = await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)(agentName, {
+            record,
+            reason: "runtime-init",
+        });
+        if (refresh.ok) {
+            record = refresh.record;
+        }
+    }
     return {
         binding,
         fingerprint: JSON.stringify({
             lane: binding.lane,
             provider: binding.provider,
             model: binding.model,
-            credentialRevision: credential.record.revision,
+            credentialRevision: record.revision,
         }),
-        credential: credential.record,
+        credential: record,
     };
 }
 function createProviderRegistry() {
@@ -844,6 +855,12 @@ async function runAgent(messages, callbacks, channel, signal, options) {
                     const seconds = delayMs / 1000;
                     const cause = RETRY_LABELS[record.classification];
                     try {
+                        if (record.provider === "openai-codex" && record.classification === "auth-failure") {
+                            await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)((0, identity_2.getAgentName)(), {
+                                force: true,
+                                reason: "turn-auth-failure",
+                            });
+                        }
                         await (0, provider_credentials_1.refreshProviderCredentialPool)((0, identity_2.getAgentName)(), {
                             preserveCachedOnFailure: true,
                             providers: [record.provider],

package/dist/heart/provider-failover.js CHANGED Viewed

@@ -126,6 +126,9 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
     if (classification === "auth-failure") {
         lines.push("");
         lines.push("To keep using the current provider:");
+        if (currentProvider === "openai-codex") {
+            lines.push(`  - Reply "refresh openai-codex" to try the saved refresh token from this chat.`);
+        }
         lines.push(`  1. Run \`ouro auth --agent ${agentName} --provider ${currentProvider}\``);
     }
     if (modelMismatch) {
@@ -182,11 +185,18 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
 }
 function handleFailoverReply(reply, context) {
     const lower = reply.toLowerCase().trim();
+    const currentProvider = context.currentProvider;
+    const currentLane = context.currentLane ?? "outward";
+    if (context.classification === "auth-failure"
+        && (lower.includes(`refresh ${currentProvider}`)
+            || lower.includes(`reauth ${currentProvider}`)
+            || (currentProvider === "openai-codex" && (lower.includes("refresh codex") || lower.includes("reauth codex"))))) {
+        return { action: "refresh", provider: currentProvider, lane: currentLane };
+    }
     const readyProviders = context.readyProviders ?? context.workingProviders.map((provider) => ({
         provider,
         model: (0, provider_models_1.resolveModelForProviderDisplay)(provider),
     }));
-    const currentLane = context.currentLane ?? "outward";
     for (const candidate of readyProviders) {
         if (lower.includes(`switch to ${candidate.provider}`) || lower === candidate.provider) {
             return {

package/dist/heart/providers/openai-codex-token.js ADDED Viewed

@@ -0,0 +1,349 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readOpenAICodexJwtExpiresAt = readOpenAICodexJwtExpiresAt;
+exports.refreshOpenAICodexProviderCredentials = refreshOpenAICodexProviderCredentials;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../../nerves/runtime");
+const provider_credentials_1 = require("../provider-credentials");
+const OPENAI_CODEX_TOKEN_ENDPOINT = "https://auth.openai.com/oauth/token";
+const OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const OPENAI_CODEX_REFRESH_MARGIN_MS = 5 * 60_000;
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readOpenAICodexJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function recordCredentialString(record, field) {
+    const value = record.credentials[field];
+    return typeof value === "string" ? value.trim() : "";
+}
+function recordCredentialNumber(record, field) {
+    const value = record.credentials[field];
+    if (typeof value === "number" && Number.isFinite(value) && value > 0)
+        return value;
+    if (typeof value === "string") {
+        const parsed = Number(value);
+        if (Number.isFinite(parsed) && parsed > 0)
+            return parsed;
+    }
+    return undefined;
+}
+function resolveExpiresAt(record) {
+    return recordCredentialNumber(record, "expiresAt")
+        ?? readOpenAICodexJwtExpiresAt(recordCredentialString(record, "oauthAccessToken"));
+}
+function isRecordFresh(record, now) {
+    const expiresAt = resolveExpiresAt(record);
+    if (!expiresAt)
+        return true;
+    return expiresAt > now.getTime() + OPENAI_CODEX_REFRESH_MARGIN_MS;
+}
+function authCommand(agentName) {
+    return `ouro auth --agent ${agentName} --provider openai-codex`;
+}
+function readProviderRecordFailure(result, agentName) {
+    return {
+        ok: false,
+        actor: "human-required",
+        message: `openai-codex credentials could not be loaded for ${agentName}: ${result.error}. Run '${authCommand(agentName)}'.`,
+    };
+}
+function parseRefreshFailure(body) {
+    try {
+        const parsed = JSON.parse(body);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return body.trim();
+        const record = parsed;
+        const error = record.error;
+        if (error && typeof error === "object" && !Array.isArray(error)) {
+            const code = error.code;
+            const message = error.message;
+            if (typeof message === "string" && message.trim())
+                return message.trim();
+            if (typeof code === "string" && code.trim())
+                return code.trim();
+        }
+        if (typeof error === "string" && error.trim())
+            return error.trim();
+        const code = record.code;
+        if (typeof code === "string" && code.trim())
+            return code.trim();
+    }
+    catch {
+        // Plain-text bodies are useful as-is.
+    }
+    return body.trim() || "refresh endpoint returned an empty error body";
+}
+function readLocalCodexAuthTokens(homeDir) {
+    const authPath = path.join(homeDir, ".codex", "auth.json");
+    let raw;
+    try {
+        raw = fs.readFileSync(authPath, "utf8");
+    }
+    catch {
+        return { status: "missing" };
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed.tokens || typeof parsed.tokens !== "object")
+            return { status: "invalid" };
+        const accessToken = typeof parsed.tokens.access_token === "string" ? parsed.tokens.access_token.trim() : "";
+        const refreshToken = typeof parsed.tokens.refresh_token === "string" ? parsed.tokens.refresh_token.trim() : "";
+        if (!accessToken || !refreshToken)
+            return { status: "invalid" };
+        return { status: "ready", tokens: { accessToken, refreshToken } };
+    }
+    catch {
+        return { status: "invalid" };
+    }
+}
+async function updateLocalCodexAuthIfUnchanged(input) {
+    const authPath = path.join(input.homeDir, ".codex", "auth.json");
+    let raw;
+    try {
+        raw = fs.readFileSync(authPath, "utf8");
+    }
+    catch {
+        return "missing";
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed.tokens || typeof parsed.tokens !== "object")
+            return "skipped";
+        const currentAccess = typeof parsed.tokens.access_token === "string" ? parsed.tokens.access_token : "";
+        const currentRefresh = typeof parsed.tokens.refresh_token === "string" ? parsed.tokens.refresh_token : "";
+        if (currentAccess !== input.oldAccessToken && currentRefresh !== input.oldRefreshToken) {
+            return "skipped";
+        }
+        parsed.tokens.access_token = input.newAccessToken;
+        parsed.tokens.refresh_token = input.newRefreshToken;
+        parsed.last_refresh = input.now.toISOString();
+        fs.writeFileSync(authPath, `${JSON.stringify(parsed, null, 2)}\n`, "utf8");
+        return "updated";
+    }
+    catch {
+        return "error";
+    }
+}
+async function requestOpenAICodexTokenRefresh(input) {
+    let response;
+    try {
+        response = await input.fetchImpl(OPENAI_CODEX_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                client_id: OPENAI_CODEX_CLIENT_ID,
+                grant_type: "refresh_token",
+                refresh_token: input.refreshToken,
+            }),
+        });
+    }
+    catch (error) {
+        return { ok: false, detail: error instanceof Error ? error.message : String(error) };
+    }
+    if (!response.ok) {
+        const body = await response.text().catch(() => "");
+        return { ok: false, status: response.status, detail: parseRefreshFailure(body) };
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (error) {
+        return { ok: false, detail: `refresh endpoint returned invalid JSON: ${error instanceof Error ? error.message : String(error)}` };
+    }
+    const accessToken = typeof body.access_token === "string" ? body.access_token.trim() : "";
+    const refreshToken = typeof body.refresh_token === "string" ? body.refresh_token.trim() : input.refreshToken;
+    if (!accessToken)
+        return { ok: false, detail: "refresh endpoint returned no access_token" };
+    return { ok: true, accessToken, refreshToken };
+}
+function refreshFailureRequiresHuman(refresh) {
+    const detail = refresh.detail.toLowerCase();
+    return refresh.status === 401
+        || detail.includes("signing in again")
+        || detail.includes("already been used")
+        || detail.includes("invalid_grant")
+        || detail.includes("refresh token expired");
+}
+async function refreshOpenAICodexProviderCredentials(agentName, options = {}) {
+    const now = options.now ?? new Date();
+    const readRecord = options.readRecord ?? provider_credentials_1.readProviderCredentialRecord;
+    const upsertCredential = options.upsertCredential ?? provider_credentials_1.upsertProviderCredential;
+    let record = options.record;
+    if (!record) {
+        const result = await readRecord(agentName, "openai-codex", { refreshIfMissing: true });
+        if (!result.ok)
+            return readProviderRecordFailure(result, agentName);
+        record = result.record;
+    }
+    if (!options.force && isRecordFresh(record, now)) {
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_skipped",
+            message: "openai-codex token refresh skipped because the credential is still fresh",
+            meta: { agentName, reason: options.reason ?? "fresh" },
+        });
+        return { ok: true, refreshed: false, record };
+    }
+    const oldAccessToken = recordCredentialString(record, "oauthAccessToken");
+    const oldRefreshToken = recordCredentialString(record, "refreshToken");
+    const homeDir = options.homeDir ?? os.homedir();
+    const fallbackLocalAuth = oldRefreshToken ? undefined : readLocalCodexAuthTokens(homeDir);
+    let refreshSource = oldRefreshToken
+        ? { source: "vault", accessToken: oldAccessToken, refreshToken: oldRefreshToken }
+        : fallbackLocalAuth?.status === "ready"
+            ? { source: "local-codex-auth", accessToken: fallbackLocalAuth.tokens.accessToken, refreshToken: fallbackLocalAuth.tokens.refreshToken }
+            : undefined;
+    if (!refreshSource) {
+        return {
+            ok: false,
+            actor: "human-required",
+            message: `openai-codex has no saved refresh token for ${agentName} and no usable local Codex login to import. Run '${authCommand(agentName)}'.`,
+        };
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_start",
+        message: "refreshing openai-codex OAuth token",
+        meta: { agentName, reason: options.reason ?? "unspecified", source: refreshSource.source },
+    });
+    let refresh = await requestOpenAICodexTokenRefresh({
+        refreshToken: refreshSource.refreshToken,
+        fetchImpl: options.fetchImpl ?? fetch,
+    });
+    if (!refresh.ok && oldRefreshToken) {
+        const retryLocalAuth = readLocalCodexAuthTokens(homeDir);
+        if (retryLocalAuth.status === "ready" && retryLocalAuth.tokens.refreshToken !== oldRefreshToken) {
+            (0, runtime_1.emitNervesEvent)({
+                component: "engine",
+                event: "engine.openai_codex_token_refresh_local_rescue",
+                message: "retrying openai-codex OAuth refresh with local Codex auth tokens",
+                meta: { agentName, reason: options.reason ?? "unspecified", status: refresh.status ?? "none", detail: refresh.detail },
+            });
+            refreshSource = {
+                source: "local-codex-auth",
+                accessToken: retryLocalAuth.tokens.accessToken,
+                refreshToken: retryLocalAuth.tokens.refreshToken,
+            };
+            refresh = await requestOpenAICodexTokenRefresh({
+                refreshToken: refreshSource.refreshToken,
+                fetchImpl: options.fetchImpl ?? fetch,
+            });
+        }
+    }
+    if (!refresh.ok) {
+        const actor = refreshFailureRequiresHuman(refresh) ? "human-required" : "agent-runnable";
+        (0, runtime_1.emitNervesEvent)({
+            level: actor === "human-required" ? "warn" : "error",
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_error",
+            message: "openai-codex OAuth token refresh failed",
+            meta: {
+                agentName,
+                reason: options.reason ?? "unspecified",
+                actor,
+                source: refreshSource.source,
+                ...(refresh.status ? { status: refresh.status } : {}),
+                detail: refresh.detail,
+            },
+        });
+        return {
+            ok: false,
+            actor,
+            message: actor === "human-required"
+                ? `openai-codex refresh token is no longer usable (${refresh.detail}). Run '${authCommand(agentName)}'.`
+                : `openai-codex token refresh failed (${refresh.detail}); retry refresh before asking for browser login.`,
+        };
+    }
+    const expiresAt = readOpenAICodexJwtExpiresAt(refresh.accessToken);
+    const credentials = {
+        oauthAccessToken: refresh.accessToken,
+        refreshToken: refresh.refreshToken,
+        ...(expiresAt ? { expiresAt } : {}),
+    };
+    const updated = await upsertCredential({
+        agentName,
+        provider: "openai-codex",
+        credentials,
+        config: { ...record.config },
+        provenance: { source: record.provenance.source },
+        now,
+    });
+    const localAuthSync = await updateLocalCodexAuthIfUnchanged({
+        homeDir,
+        oldAccessToken: refreshSource.accessToken,
+        oldRefreshToken: refreshSource.refreshToken,
+        newAccessToken: refresh.accessToken,
+        newRefreshToken: refresh.refreshToken,
+        now,
+    });
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_end",
+        message: "refreshed openai-codex OAuth token",
+        meta: {
+            agentName,
+            reason: options.reason ?? "unspecified",
+            credentialRevision: updated.revision,
+            source: refreshSource.source,
+            localCodexAuth: localAuthSync,
+        },
+    });
+    return { ok: true, refreshed: true, record: updated };
+}

package/dist/senses/pipeline.js CHANGED Viewed

@@ -53,6 +53,7 @@ const active_work_1 = require("../heart/active-work");
 const delegation_1 = require("../heart/delegation");
 const obligations_1 = require("../arc/obligations");
 const provider_failover_1 = require("../heart/provider-failover");
+const openai_codex_token_1 = require("../heart/providers/openai-codex-token");
 const tempo_1 = require("../heart/tempo");
 const temporal_view_1 = require("../heart/temporal-view");
 const start_of_turn_packet_1 = require("../heart/start-of-turn-packet");
@@ -362,6 +363,50 @@ async function handleInboundTurn(input) {
             }
             // Switch failed OR succeeded — either way, fall through to normal processing.
         }
+        else if (failoverAction.action === "refresh") {
+            const refresh = failoverAction.provider === "openai-codex"
+                ? await (0, openai_codex_token_1.refreshOpenAICodexProviderCredentials)(failoverAgentName, {
+                    force: true,
+                    reason: "failover-reply",
+                })
+                : { ok: false, actor: "human-required", message: `provider ${failoverAction.provider} does not support chat-driven refresh` };
+            if (refresh.ok) {
+                (0, runtime_1.emitNervesEvent)({
+                    component: "senses",
+                    event: "senses.failover_refresh",
+                    message: `refreshed ${failoverAction.provider} provider credentials via failover`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        refreshed: refresh.refreshed,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: `[provider refresh: ${pendingContext.errorSummary}. refreshed ${failoverAction.provider} credentials for the ${failoverAction.lane} lane. your conversation history is intact — respond to the user's last message.]`,
+                    }];
+            }
+            else {
+                (0, runtime_1.emitNervesEvent)({
+                    level: refresh.actor === "human-required" ? "warn" : "error",
+                    component: "senses",
+                    event: "senses.failover_refresh_error",
+                    message: `failed to refresh ${failoverAction.provider} provider credentials via failover`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        actor: refresh.actor,
+                        error: refresh.message,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: `[provider refresh failed: tried to refresh ${failoverAction.provider} for the ${failoverAction.lane} lane. actor: ${refresh.actor}. reason: ${refresh.message}. current lane unchanged: ${pendingContext.currentProvider} / ${pendingContext.currentModel}. If ready alternatives are listed in the prior failover message, switch to one; otherwise tell the user the concrete human-required auth step.]`,
+                    }];
+            }
+        }
     }
     // Step 0b: Slash command interception (before friend resolution / agent turn)
     {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.643",
+  "version": "0.1.0-alpha.645",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",