@ouro.bot/cli 0.1.0-alpha.66 → 0.1.0-alpha.661

package/dist/heart/providers/openai-codex-token.js

@@ -0,0 +1,349 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readOpenAICodexJwtExpiresAt = readOpenAICodexJwtExpiresAt;
+exports.refreshOpenAICodexProviderCredentials = refreshOpenAICodexProviderCredentials;
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../../nerves/runtime");
+const provider_credentials_1 = require("../provider-credentials");
+const OPENAI_CODEX_TOKEN_ENDPOINT = "https://auth.openai.com/oauth/token";
+const OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const OPENAI_CODEX_REFRESH_MARGIN_MS = 5 * 60_000;
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1])
+        return null;
+    try {
+        const base64 = parts[1]
+            .replace(/-/g, "+")
+            .replace(/_/g, "/")
+            .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
+        const parsed = JSON.parse(Buffer.from(base64, "base64").toString("utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function readOpenAICodexJwtExpiresAt(token) {
+    const payload = decodeJwtPayload(token);
+    const exp = payload?.exp;
+    if (typeof exp !== "number" || !Number.isFinite(exp) || exp <= 0)
+        return undefined;
+    return Math.floor(exp * 1000);
+}
+function recordCredentialString(record, field) {
+    const value = record.credentials[field];
+    return typeof value === "string" ? value.trim() : "";
+}
+function recordCredentialNumber(record, field) {
+    const value = record.credentials[field];
+    if (typeof value === "number" && Number.isFinite(value) && value > 0)
+        return value;
+    if (typeof value === "string") {
+        const parsed = Number(value);
+        if (Number.isFinite(parsed) && parsed > 0)
+            return parsed;
+    }
+    return undefined;
+}
+function resolveExpiresAt(record) {
+    return recordCredentialNumber(record, "expiresAt")
+        ?? readOpenAICodexJwtExpiresAt(recordCredentialString(record, "oauthAccessToken"));
+}
+function isRecordFresh(record, now) {
+    const expiresAt = resolveExpiresAt(record);
+    if (!expiresAt)
+        return true;
+    return expiresAt > now.getTime() + OPENAI_CODEX_REFRESH_MARGIN_MS;
+}
+function authCommand(agentName) {
+    return `ouro auth --agent ${agentName} --provider openai-codex`;
+}
+function readProviderRecordFailure(result, agentName) {
+    return {
+        ok: false,
+        actor: "human-required",
+        message: `openai-codex credentials could not be loaded for ${agentName}: ${result.error}. Run '${authCommand(agentName)}'.`,
+    };
+}
+function parseRefreshFailure(body) {
+    try {
+        const parsed = JSON.parse(body);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return body.trim();
+        const record = parsed;
+        const error = record.error;
+        if (error && typeof error === "object" && !Array.isArray(error)) {
+            const code = error.code;
+            const message = error.message;
+            if (typeof message === "string" && message.trim())
+                return message.trim();
+            if (typeof code === "string" && code.trim())
+                return code.trim();
+        }
+        if (typeof error === "string" && error.trim())
+            return error.trim();
+        const code = record.code;
+        if (typeof code === "string" && code.trim())
+            return code.trim();
+    }
+    catch {
+        // Plain-text bodies are useful as-is.
+    }
+    return body.trim() || "refresh endpoint returned an empty error body";
+}
+function readLocalCodexAuthTokens(homeDir) {
+    const authPath = path.join(homeDir, ".codex", "auth.json");
+    let raw;
+    try {
+        raw = fs.readFileSync(authPath, "utf8");
+    }
+    catch {
+        return { status: "missing" };
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed.tokens || typeof parsed.tokens !== "object")
+            return { status: "invalid" };
+        const accessToken = typeof parsed.tokens.access_token === "string" ? parsed.tokens.access_token.trim() : "";
+        const refreshToken = typeof parsed.tokens.refresh_token === "string" ? parsed.tokens.refresh_token.trim() : "";
+        if (!accessToken || !refreshToken)
+            return { status: "invalid" };
+        return { status: "ready", tokens: { accessToken, refreshToken } };
+    }
+    catch {
+        return { status: "invalid" };
+    }
+}
+async function updateLocalCodexAuthIfUnchanged(input) {
+    const authPath = path.join(input.homeDir, ".codex", "auth.json");
+    let raw;
+    try {
+        raw = fs.readFileSync(authPath, "utf8");
+    }
+    catch {
+        return "missing";
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed.tokens || typeof parsed.tokens !== "object")
+            return "skipped";
+        const currentAccess = typeof parsed.tokens.access_token === "string" ? parsed.tokens.access_token : "";
+        const currentRefresh = typeof parsed.tokens.refresh_token === "string" ? parsed.tokens.refresh_token : "";
+        if (currentAccess !== input.oldAccessToken && currentRefresh !== input.oldRefreshToken) {
+            return "skipped";
+        }
+        parsed.tokens.access_token = input.newAccessToken;
+        parsed.tokens.refresh_token = input.newRefreshToken;
+        parsed.last_refresh = input.now.toISOString();
+        fs.writeFileSync(authPath, `${JSON.stringify(parsed, null, 2)}\n`, "utf8");
+        return "updated";
+    }
+    catch {
+        return "error";
+    }
+}
+async function requestOpenAICodexTokenRefresh(input) {
+    let response;
+    try {
+        response = await input.fetchImpl(OPENAI_CODEX_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                client_id: OPENAI_CODEX_CLIENT_ID,
+                grant_type: "refresh_token",
+                refresh_token: input.refreshToken,
+            }),
+        });
+    }
+    catch (error) {
+        return { ok: false, detail: error instanceof Error ? error.message : String(error) };
+    }
+    if (!response.ok) {
+        const body = await response.text().catch(() => "");
+        return { ok: false, status: response.status, detail: parseRefreshFailure(body) };
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (error) {
+        return { ok: false, detail: `refresh endpoint returned invalid JSON: ${error instanceof Error ? error.message : String(error)}` };
+    }
+    const accessToken = typeof body.access_token === "string" ? body.access_token.trim() : "";
+    const refreshToken = typeof body.refresh_token === "string" ? body.refresh_token.trim() : input.refreshToken;
+    if (!accessToken)
+        return { ok: false, detail: "refresh endpoint returned no access_token" };
+    return { ok: true, accessToken, refreshToken };
+}
+function refreshFailureRequiresHuman(refresh) {
+    const detail = refresh.detail.toLowerCase();
+    return refresh.status === 401
+        || detail.includes("signing in again")
+        || detail.includes("already been used")
+        || detail.includes("invalid_grant")
+        || detail.includes("refresh token expired");
+}
+async function refreshOpenAICodexProviderCredentials(agentName, options = {}) {
+    const now = options.now ?? new Date();
+    const readRecord = options.readRecord ?? provider_credentials_1.readProviderCredentialRecord;
+    const upsertCredential = options.upsertCredential ?? provider_credentials_1.upsertProviderCredential;
+    let record = options.record;
+    if (!record) {
+        const result = await readRecord(agentName, "openai-codex", { refreshIfMissing: true });
+        if (!result.ok)
+            return readProviderRecordFailure(result, agentName);
+        record = result.record;
+    }
+    if (!options.force && isRecordFresh(record, now)) {
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_skipped",
+            message: "openai-codex token refresh skipped because the credential is still fresh",
+            meta: { agentName, reason: options.reason ?? "fresh" },
+        });
+        return { ok: true, refreshed: false, record };
+    }
+    const oldAccessToken = recordCredentialString(record, "oauthAccessToken");
+    const oldRefreshToken = recordCredentialString(record, "refreshToken");
+    const homeDir = options.homeDir ?? os.homedir();
+    const fallbackLocalAuth = oldRefreshToken ? undefined : readLocalCodexAuthTokens(homeDir);
+    let refreshSource = oldRefreshToken
+        ? { source: "vault", accessToken: oldAccessToken, refreshToken: oldRefreshToken }
+        : fallbackLocalAuth?.status === "ready"
+            ? { source: "local-codex-auth", accessToken: fallbackLocalAuth.tokens.accessToken, refreshToken: fallbackLocalAuth.tokens.refreshToken }
+            : undefined;
+    if (!refreshSource) {
+        return {
+            ok: false,
+            actor: "human-required",
+            message: `openai-codex has no saved refresh token for ${agentName} and no usable local Codex login to import. Run '${authCommand(agentName)}'.`,
+        };
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_start",
+        message: "refreshing openai-codex OAuth token",
+        meta: { agentName, reason: options.reason ?? "unspecified", source: refreshSource.source },
+    });
+    let refresh = await requestOpenAICodexTokenRefresh({
+        refreshToken: refreshSource.refreshToken,
+        fetchImpl: options.fetchImpl ?? fetch,
+    });
+    if (!refresh.ok && oldRefreshToken) {
+        const retryLocalAuth = readLocalCodexAuthTokens(homeDir);
+        if (retryLocalAuth.status === "ready" && retryLocalAuth.tokens.refreshToken !== oldRefreshToken) {
+            (0, runtime_1.emitNervesEvent)({
+                component: "engine",
+                event: "engine.openai_codex_token_refresh_local_rescue",
+                message: "retrying openai-codex OAuth refresh with local Codex auth tokens",
+                meta: { agentName, reason: options.reason ?? "unspecified", status: refresh.status ?? "none", detail: refresh.detail },
+            });
+            refreshSource = {
+                source: "local-codex-auth",
+                accessToken: retryLocalAuth.tokens.accessToken,
+                refreshToken: retryLocalAuth.tokens.refreshToken,
+            };
+            refresh = await requestOpenAICodexTokenRefresh({
+                refreshToken: refreshSource.refreshToken,
+                fetchImpl: options.fetchImpl ?? fetch,
+            });
+        }
+    }
+    if (!refresh.ok) {
+        const actor = refreshFailureRequiresHuman(refresh) ? "human-required" : "agent-runnable";
+        (0, runtime_1.emitNervesEvent)({
+            level: actor === "human-required" ? "warn" : "error",
+            component: "engine",
+            event: "engine.openai_codex_token_refresh_error",
+            message: "openai-codex OAuth token refresh failed",
+            meta: {
+                agentName,
+                reason: options.reason ?? "unspecified",
+                actor,
+                source: refreshSource.source,
+                ...(refresh.status ? { status: refresh.status } : {}),
+                detail: refresh.detail,
+            },
+        });
+        return {
+            ok: false,
+            actor,
+            message: actor === "human-required"
+                ? `openai-codex refresh token is no longer usable (${refresh.detail}). Run '${authCommand(agentName)}'.`
+                : `openai-codex token refresh failed (${refresh.detail}); retry refresh before asking for browser login.`,
+        };
+    }
+    const expiresAt = readOpenAICodexJwtExpiresAt(refresh.accessToken);
+    const credentials = {
+        oauthAccessToken: refresh.accessToken,
+        refreshToken: refresh.refreshToken,
+        ...(expiresAt ? { expiresAt } : {}),
+    };
+    const updated = await upsertCredential({
+        agentName,
+        provider: "openai-codex",
+        credentials,
+        config: { ...record.config },
+        provenance: { source: record.provenance.source },
+        now,
+    });
+    const localAuthSync = await updateLocalCodexAuthIfUnchanged({
+        homeDir,
+        oldAccessToken: refreshSource.accessToken,
+        oldRefreshToken: refreshSource.refreshToken,
+        newAccessToken: refresh.accessToken,
+        newRefreshToken: refresh.refreshToken,
+        now,
+    });
+    (0, runtime_1.emitNervesEvent)({
+        component: "engine",
+        event: "engine.openai_codex_token_refresh_end",
+        message: "refreshed openai-codex OAuth token",
+        meta: {
+            agentName,
+            reason: options.reason ?? "unspecified",
+            credentialRevision: updated.revision,
+            source: refreshSource.source,
+            localCodexAuth: localAuthSync,
+        },
+    });
+    return { ok: true, refreshed: true, record: updated };
+}

package/dist/heart/providers/openai-codex.js

@@ -3,6 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyOpenAICodexError = classifyOpenAICodexError;
 exports.createOpenAICodexProviderRuntime = createOpenAICodexProviderRuntime;
 const openai_1 = __importDefault(require("openai"));
 const config_1 = require("../config");
@@ -10,6 +11,7 @@ const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
 const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
 const OPENAI_CODEX_AUTH_FAILURE_MARKERS = [
     "authentication failed",
     "unauthorized",
@@ -18,9 +20,16 @@ const OPENAI_CODEX_AUTH_FAILURE_MARKERS = [
     "invalid bearer token",
 ];
 const OPENAI_CODEX_BACKEND_BASE_URL = "https://chatgpt.com/backend-api/codex";
-function getOpenAICodexSecretsPathForGuidance() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
+const OPENAI_CODEX_PING_INPUT = [{ role: "user", content: "ping" }];
+const OPENAI_CODEX_PING_CALLBACKS = {
+    onModelStart() { },
+    onModelStreamStart() { },
+    onTextChunk() { },
+    onReasoningChunk() { },
+    onToolStart() { },
+    onToolEnd() { },
+    onError() { },
+};
 function getOpenAICodexAgentNameForGuidance() {
     return (0, identity_1.getAgentName)();
 }
@@ -28,11 +37,9 @@ function getOpenAICodexOAuthInstructions() {
     const agentName = getOpenAICodexAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`ouro auth --agent ${agentName}\``,
-        `  2. Open ${getOpenAICodexSecretsPathForGuidance()}`,
-        "  3. Confirm providers.openai-codex.oauthAccessToken is set",
-        "  4. This provider uses chatgpt.com/backend-api/codex/responses (not api.openai.com/responses).",
-        "  5. After reauth, retry the failed ouro command or reconnect this session.",
+        `  1. Run \`ouro auth --agent ${agentName} --provider openai-codex\``,
+        "  2. This provider uses chatgpt.com/backend-api/codex/responses (not api.openai.com/responses).",
+        "  3. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getOpenAICodexReauthGuidance(reason) {
@@ -42,22 +49,19 @@ function getOpenAICodexReauthGuidance(reason) {
         getOpenAICodexOAuthInstructions(),
     ].join("\n");
 }
+function classifyOpenAICodexError(error) {
+    return (0, error_classification_1.classifyHttpError)(error, {
+        isAuthFailure: isOpenAICodexAuthFailure,
+        isUsageLimit: (e) => {
+            const lower = e.message.toLowerCase();
+            return lower.includes("usage") || lower.includes("quota") || lower.includes("exceeded your");
+        },
+    });
+}
 function isOpenAICodexAuthFailure(error) {
-    if (!(error instanceof Error))
-        return false;
-    const status = error.status;
-    if (status === 401 || status === 403)
-        return true;
     const lower = error.message.toLowerCase();
     return OPENAI_CODEX_AUTH_FAILURE_MARKERS.some((marker) => lower.includes(marker));
 }
-function withOpenAICodexAuthGuidance(error) {
-    const base = error instanceof Error ? error.message : String(error);
-    if (isOpenAICodexAuthFailure(error)) {
-        return new Error(getOpenAICodexReauthGuidance(`OpenAI Codex authentication failed (${base}).`));
-    }
-    return error instanceof Error ? error : new Error(String(error));
-}
 function decodeJwtPayload(token) {
     const parts = token.split(".");
     if (parts.length < 2)
@@ -88,16 +92,27 @@ function getChatGPTAccountIdFromToken(token) {
         return "";
     return accountId.trim();
 }
-function createOpenAICodexProviderRuntime() {
+function createOpenAICodexResponsesParams(input, instructions, model, reasoningEffort) {
+    return {
+        model,
+        input,
+        instructions,
+        tools: [],
+        reasoning: { effort: reasoningEffort, summary: "detailed" },
+        stream: true,
+        store: false,
+        include: ["reasoning.encrypted_content"],
+    };
+}
+function createOpenAICodexProviderRuntime(model, codexConfig = (0, config_1.getOpenAICodexConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "openai-codex provider init",
         meta: { provider: "openai-codex" },
     });
-    const codexConfig = (0, config_1.getOpenAICodexConfig)();
-    if (!(codexConfig.model && codexConfig.oauthAccessToken)) {
-        throw new Error(getOpenAICodexReauthGuidance("provider 'openai-codex' is selected in agent.json but providers.openai-codex.model/oauthAccessToken is incomplete in secrets.json."));
+    if (!codexConfig.oauthAccessToken) {
+        throw new Error(getOpenAICodexReauthGuidance("provider 'openai-codex' is selected but openai-codex.oauthAccessToken is missing in the agent vault."));
     }
     const token = codexConfig.oauthAccessToken.trim();
     if (!token) {
@@ -107,7 +122,7 @@ function createOpenAICodexProviderRuntime() {
     if (!chatgptAccountId) {
         throw new Error(getOpenAICodexReauthGuidance("OpenAI Codex OAuth access token is missing a chatgpt_account_id claim required for chatgpt.com/backend-api/codex."));
     }
-    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(codexConfig.model);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
@@ -121,14 +136,13 @@ function createOpenAICodexProviderRuntime() {
             "OpenAI-Beta": "responses=experimental",
             originator: "ouroboros",
         },
-        timeout: 30000,
         maxRetries: 0,
     });
     let nativeInput = null;
     let nativeInstructions = "";
     return {
         id: "openai-codex",
-        model: codexConfig.model,
+        model,
         client,
         capabilities,
         supportedReasoningEfforts: modelCaps.reasoningEffort,
@@ -140,32 +154,33 @@ function createOpenAICodexProviderRuntime() {
         appendToolOutput(callId, output) {
             if (!nativeInput)
                 return;
-            nativeInput.push({ type: "function_call_output", call_id: callId, output });
+            nativeInput.push({ type: "function_call_output", call_id: callId, output: (0, streaming_1.truncateResponsesFunctionCallOutput)(output) });
         },
         async streamTurn(request) {
             if (!nativeInput)
                 this.resetTurnState(request.messages);
-            const params = {
-                model: this.model,
-                input: nativeInput,
-                instructions: nativeInstructions,
-                tools: (0, streaming_1.toResponsesTools)(request.activeTools),
-                reasoning: { effort: request.reasoningEffort ?? "medium", summary: "detailed" },
-                stream: true,
-                store: false,
-                include: ["reasoning.encrypted_content"],
-            };
+            const params = createOpenAICodexResponsesParams(nativeInput, nativeInstructions, this.model, request.reasoningEffort ?? "medium");
+            params.tools = (0, streaming_1.toResponsesTools)(request.activeTools);
             if (request.toolChoiceRequired)
                 params.tool_choice = "required";
             try {
-                const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal);
+                const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal, request.eagerSettleStreaming);
                 for (const item of result.outputItems)
                     nativeInput.push(item);
                 return result;
             }
             catch (error) {
-                throw withOpenAICodexAuthGuidance(error);
+                throw error instanceof Error ? error : new Error(String(error));
             }
         },
+        /* v8 ignore start -- ping: tested via provider-ping.test.ts @preserve */
+        async ping(signal) {
+            await (0, streaming_1.streamResponsesApi)(this.client, createOpenAICodexResponsesParams(OPENAI_CODEX_PING_INPUT, "", this.model, "medium"), OPENAI_CODEX_PING_CALLBACKS, signal);
+        },
+        /* v8 ignore stop */
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyOpenAICodexError @preserve */
+        classifyError(error) {
+            return classifyOpenAICodexError(error);
+        },
     };
 }