@poncho-ai/harness 0.30.0 → 0.31.0

package/dist/index.js

@@ -134,7 +134,7 @@ var parseAgentMarkdown = (content) => {
   if (typeof parsed.name !== "string" || parsed.name.trim() === "") {
     throw new Error("Invalid AGENT.md: frontmatter requires a non-empty `name`.");
   }
-  const KNOWN_PROVIDERS = /* @__PURE__ */ new Set(["anthropic", "openai"]);
+  const KNOWN_PROVIDERS = /* @__PURE__ */ new Set(["anthropic", "openai", "openai-codex"]);
   const splitProviderPrefix = (raw) => {
     const slashIdx = raw.indexOf("/");
     if (slashIdx > 0) {
@@ -1440,6 +1440,11 @@ All credentials in \`poncho.config.js\` use **env var name** fields (\`*Env\` su
 |---|---|---|
 | \`providers.anthropic.apiKeyEnv\` | \`ANTHROPIC_API_KEY\` | Anthropic model API key |
 | \`providers.openai.apiKeyEnv\` | \`OPENAI_API_KEY\` | OpenAI model API key |
+| \`providers.openaiCodex.refreshTokenEnv\` | \`OPENAI_CODEX_REFRESH_TOKEN\` | OpenAI Codex OAuth refresh token |
+| \`providers.openaiCodex.accountIdEnv\` | \`OPENAI_CODEX_ACCOUNT_ID\` | OpenAI Codex account/org routing header (optional) |
+| \`providers.openaiCodex.accessTokenEnv\` | \`OPENAI_CODEX_ACCESS_TOKEN\` | OpenAI Codex OAuth access token seed (optional) |
+| \`providers.openaiCodex.accessTokenExpiresAtEnv\` | \`OPENAI_CODEX_ACCESS_TOKEN_EXPIRES_AT\` | Access token epoch expiry in ms (optional) |
+| \`providers.openaiCodex.authFilePathEnv\` | \`OPENAI_CODEX_AUTH_FILE\` | Overrides local auth file path used by \`poncho auth\` |
 | \`auth.tokenEnv\` | \`PONCHO_AUTH_TOKEN\` | Auth passphrase / bearer token |
 | \`storage.urlEnv\` | \`UPSTASH_REDIS_REST_URL\` / \`REDIS_URL\` | Storage connection URL |
 | \`storage.tokenEnv\` | \`UPSTASH_REDIS_REST_TOKEN\` | Upstash REST token |
@@ -1511,6 +1516,10 @@ export default {
   providers: {
     // anthropic: { apiKeyEnv: 'ANTHROPIC_API_KEY' },  // default
     // openai: { apiKeyEnv: 'OPENAI_API_KEY' },        // default
+    // openaiCodex: {
+    //   refreshTokenEnv: 'OPENAI_CODEX_REFRESH_TOKEN',
+    //   accountIdEnv: 'OPENAI_CODEX_ACCOUNT_ID', // optional
+    // },
   },
 
   // Unified storage (preferred). Replaces separate \`state\` and \`memory\` blocks.
@@ -1609,6 +1618,11 @@ Remote storage keys are namespaced and versioned, for example \`poncho:v1:<agent
 |----------|----------|-------------|
 | \`ANTHROPIC_API_KEY\` | Yes* | Claude API key |
 | \`OPENAI_API_KEY\` | No | OpenAI API key (if using OpenAI) |
+| \`OPENAI_CODEX_REFRESH_TOKEN\` | No | OpenAI Codex OAuth refresh token (if using \`model.provider: openai-codex\`) |
+| \`OPENAI_CODEX_ACCOUNT_ID\` | No | OpenAI Codex account/org id for request routing (optional) |
+| \`OPENAI_CODEX_ACCESS_TOKEN\` | No | Optional pre-seeded short-lived access token |
+| \`OPENAI_CODEX_ACCESS_TOKEN_EXPIRES_AT\` | No | Epoch millis expiry for \`OPENAI_CODEX_ACCESS_TOKEN\` |
+| \`OPENAI_CODEX_AUTH_FILE\` | No | Local auth store override for \`poncho auth\` commands |
 | \`PONCHO_AUTH_TOKEN\` | No | Unified auth token (Web UI passphrase + API Bearer token) |
 | \`PONCHO_INTERNAL_SECRET\` | No | Shared secret used by internal serverless callbacks (recommended for Vercel/Lambda) |
 | \`PONCHO_SELF_BASE_URL\` | No | Explicit base URL for internal self-callbacks when auto-detection is unavailable |
@@ -1833,6 +1847,36 @@ Make sure you have a \`.env\` file with your API key:
 echo "ANTHROPIC_API_KEY=sk-ant-..." > .env
 \`\`\`
 
+### "OpenAI Codex credentials not found"
+
+Bootstrap credentials with device auth, then export env values:
+
+\`\`\`bash
+poncho auth login --provider openai-codex --device
+poncho auth export --provider openai-codex --format env
+\`\`\`
+
+For production, copy exported values into your deployment secret manager (not committed files).
+
+### "OpenAI Codex token refresh failed" / \`invalid_grant\`
+
+Your refresh token is expired or rotated. Re-run one-time auth and rotate deployment secrets:
+
+\`\`\`bash
+poncho auth login --provider openai-codex --device
+poncho auth export --provider openai-codex --format env
+\`\`\`
+
+Then restart your deployment so new secrets are loaded.
+
+### "Missing scopes: model.request / api.model.read / api.responses.write"
+
+Re-authenticate and ensure the OAuth flow requested required scopes. Then verify:
+
+\`\`\`bash
+poncho auth status --provider openai-codex
+\`\`\`
+
 ### "MCP server failed to connect"
 
 Check that:
@@ -2064,8 +2108,8 @@ var ponchoDocsTool = defineTool({
 
 // src/harness.ts
 import { randomUUID as randomUUID3 } from "crypto";
-import { readFile as readFile8 } from "fs/promises";
-import { resolve as resolve10 } from "path";
+import { readFile as readFile9 } from "fs/promises";
+import { resolve as resolve11 } from "path";
 import { getTextContent as getTextContent2 } from "@poncho-ai/sdk";
 
 // src/upload-store.ts
@@ -3572,6 +3616,252 @@ var LocalMcpBridge = class {
 // src/model-factory.ts
 import { createOpenAI } from "@ai-sdk/openai";
 import { createAnthropic } from "@ai-sdk/anthropic";
+
+// src/openai-codex-auth.ts
+import { homedir as homedir3 } from "os";
+import { dirname as dirname4, resolve as resolve8 } from "path";
+import { mkdir as mkdir5, readFile as readFile7, chmod, writeFile as writeFile6, rm as rm3 } from "fs/promises";
+var OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+var OPENAI_AUTH_ISSUER = "https://auth.openai.com";
+var REFRESH_TOKEN_GRACE_MS = 5 * 60 * 1e3;
+var DEVICE_POLLING_SAFETY_MARGIN_MS = 3e3;
+var DEVICE_FLOW_TIMEOUT_MS = 10 * 60 * 1e3;
+var REQUIRED_SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "offline_access",
+  "api.responses.write",
+  "model.request",
+  "api.model.read"
+];
+var defaultedConfig = (config) => ({
+  refreshTokenEnv: config?.refreshTokenEnv ?? "OPENAI_CODEX_REFRESH_TOKEN",
+  accessTokenEnv: config?.accessTokenEnv ?? "OPENAI_CODEX_ACCESS_TOKEN",
+  accessTokenExpiresAtEnv: config?.accessTokenExpiresAtEnv ?? "OPENAI_CODEX_ACCESS_TOKEN_EXPIRES_AT",
+  accountIdEnv: config?.accountIdEnv ?? "OPENAI_CODEX_ACCOUNT_ID",
+  authFilePathEnv: config?.authFilePathEnv ?? "OPENAI_CODEX_AUTH_FILE"
+});
+var parseEpochMillis = (value) => {
+  if (!value) return void 0;
+  const parsed = Number.parseInt(value, 10);
+  if (Number.isNaN(parsed) || parsed <= 0) return void 0;
+  return parsed;
+};
+var getOpenAICodexAuthFilePath = (config) => {
+  const env = defaultedConfig(config);
+  const fromEnv = process.env[env.authFilePathEnv];
+  if (typeof fromEnv === "string" && fromEnv.trim().length > 0) {
+    return resolve8(fromEnv);
+  }
+  return resolve8(homedir3(), ".poncho", "auth", "openai-codex.json");
+};
+var readOpenAICodexSession = async (config) => {
+  const filePath = getOpenAICodexAuthFilePath(config);
+  try {
+    const content = await readFile7(filePath, "utf8");
+    const parsed = JSON.parse(content);
+    if (typeof parsed.refreshToken !== "string" || parsed.refreshToken.length === 0) {
+      return void 0;
+    }
+    return {
+      refreshToken: parsed.refreshToken,
+      accessToken: typeof parsed.accessToken === "string" && parsed.accessToken.length > 0 ? parsed.accessToken : void 0,
+      accessTokenExpiresAt: typeof parsed.accessTokenExpiresAt === "number" && parsed.accessTokenExpiresAt > 0 ? parsed.accessTokenExpiresAt : void 0,
+      accountId: typeof parsed.accountId === "string" && parsed.accountId.length > 0 ? parsed.accountId : void 0
+    };
+  } catch {
+    return void 0;
+  }
+};
+var writeOpenAICodexSession = async (session, config) => {
+  const filePath = getOpenAICodexAuthFilePath(config);
+  await mkdir5(dirname4(filePath), { recursive: true });
+  const payload = {
+    ...session,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await writeFile6(filePath, `${JSON.stringify(payload, null, 2)}
+`, "utf8");
+  await chmod(filePath, 384);
+};
+var deleteOpenAICodexSession = async (config) => {
+  const filePath = getOpenAICodexAuthFilePath(config);
+  await rm3(filePath, { force: true });
+};
+var parseAccountIdFromJwt = (token) => {
+  if (!token) return void 0;
+  const parts = token.split(".");
+  if (parts.length !== 3) return void 0;
+  try {
+    const claims = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf8"));
+    return claims.chatgpt_account_id ?? claims["https://api.openai.com/auth"]?.chatgpt_account_id ?? claims.organizations?.[0]?.id;
+  } catch {
+    return void 0;
+  }
+};
+var exchangeRefreshToken = async (refreshToken) => {
+  const response = await fetch(`${OPENAI_AUTH_ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: OPENAI_CODEX_CLIENT_ID
+    }).toString()
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `OpenAI Codex token refresh failed (${response.status}). Re-run \`poncho auth login --provider openai-codex --device\`, export the new token, and update deployment secrets. Details: ${body.slice(0, 240)}`
+    );
+  }
+  return await response.json();
+};
+var exchangeAuthorizationCode = async (code, codeVerifier) => {
+  const response = await fetch(`${OPENAI_AUTH_ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: `${OPENAI_AUTH_ISSUER}/deviceauth/callback`,
+      client_id: OPENAI_CODEX_CLIENT_ID,
+      code_verifier: codeVerifier
+    }).toString()
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `OpenAI Codex device token exchange failed (${response.status}): ${body.slice(0, 240)}`
+    );
+  }
+  return await response.json();
+};
+var readSessionFromEnv = (config) => {
+  const env = defaultedConfig(config);
+  const refreshToken = process.env[env.refreshTokenEnv];
+  if (!refreshToken || refreshToken.trim().length === 0) return void 0;
+  return {
+    refreshToken: refreshToken.trim(),
+    accessToken: process.env[env.accessTokenEnv]?.trim() || void 0,
+    accessTokenExpiresAt: parseEpochMillis(process.env[env.accessTokenExpiresAtEnv]),
+    accountId: process.env[env.accountIdEnv]?.trim() || void 0
+  };
+};
+var shouldRefresh = (expiresAt) => !expiresAt || Date.now() + REFRESH_TOKEN_GRACE_MS >= expiresAt;
+var runtimeCachedSession;
+var readSession = async (config) => {
+  const envSession = readSessionFromEnv(config);
+  if (envSession) return { session: envSession, source: "env" };
+  if (runtimeCachedSession) {
+    return { session: runtimeCachedSession, source: "file" };
+  }
+  const fileSession = await readOpenAICodexSession(config);
+  if (!fileSession) {
+    throw new Error(
+      "OpenAI Codex credentials not found. Run `poncho auth login --provider openai-codex --device` locally, or set OPENAI_CODEX_REFRESH_TOKEN in your environment."
+    );
+  }
+  runtimeCachedSession = fileSession;
+  return { session: fileSession, source: "file" };
+};
+var getOpenAICodexAccessToken = async (config) => {
+  const { session, source } = await readSession(config);
+  if (session.accessToken && !shouldRefresh(session.accessTokenExpiresAt)) {
+    return { accessToken: session.accessToken, accountId: session.accountId };
+  }
+  const refreshed = await exchangeRefreshToken(session.refreshToken);
+  const nextSession = {
+    refreshToken: refreshed.refresh_token ?? session.refreshToken,
+    accessToken: refreshed.access_token,
+    accessTokenExpiresAt: Date.now() + (refreshed.expires_in ?? 3600) * 1e3,
+    accountId: session.accountId ?? parseAccountIdFromJwt(refreshed.id_token) ?? parseAccountIdFromJwt(refreshed.access_token)
+  };
+  runtimeCachedSession = nextSession;
+  if (source === "file") {
+    await writeOpenAICodexSession(nextSession, config);
+  }
+  return {
+    accessToken: nextSession.accessToken,
+    accountId: nextSession.accountId
+  };
+};
+var getOpenAICodexRequiredScopes = () => [...REQUIRED_SCOPES];
+var startOpenAICodexDeviceAuth = async () => {
+  const response = await fetch(`${OPENAI_AUTH_ISSUER}/api/accounts/deviceauth/usercode`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "poncho/1.0"
+    },
+    body: JSON.stringify({
+      client_id: OPENAI_CODEX_CLIENT_ID,
+      scope: REQUIRED_SCOPES.join(" ")
+    })
+  });
+  if (!response.ok) {
+    const body = await response.text();
+    throw new Error(
+      `OpenAI Codex device authorization start failed (${response.status}): ${body.slice(0, 240)}`
+    );
+  }
+  const data = await response.json();
+  const intervalRaw = typeof data.interval === "number" ? data.interval : Number.parseInt(String(data.interval ?? "5"), 10);
+  const intervalMs = Math.max(Number.isNaN(intervalRaw) ? 5 : intervalRaw, 1) * 1e3;
+  return {
+    deviceAuthId: data.device_auth_id,
+    userCode: data.user_code,
+    verificationUrl: `${OPENAI_AUTH_ISSUER}/codex/device`,
+    intervalMs
+  };
+};
+var completeOpenAICodexDeviceAuth = async (request) => {
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < DEVICE_FLOW_TIMEOUT_MS) {
+    const response = await fetch(`${OPENAI_AUTH_ISSUER}/api/accounts/deviceauth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": "poncho/1.0"
+      },
+      body: JSON.stringify({
+        device_auth_id: request.deviceAuthId,
+        user_code: request.userCode
+      })
+    });
+    if (response.ok) {
+      const data = await response.json();
+      const tokens = await exchangeAuthorizationCode(
+        data.authorization_code,
+        data.code_verifier
+      );
+      if (!tokens.refresh_token || tokens.refresh_token.length === 0) {
+        throw new Error("OpenAI Codex device auth succeeded but no refresh token was returned.");
+      }
+      return {
+        refreshToken: tokens.refresh_token,
+        accessToken: tokens.access_token,
+        accessTokenExpiresAt: Date.now() + (tokens.expires_in ?? 3600) * 1e3,
+        accountId: parseAccountIdFromJwt(tokens.id_token) ?? parseAccountIdFromJwt(tokens.access_token)
+      };
+    }
+    if (response.status !== 403 && response.status !== 404) {
+      const body = await response.text();
+      throw new Error(
+        `OpenAI Codex device authorization polling failed (${response.status}): ${body.slice(0, 240)}`
+      );
+    }
+    await new Promise((resolveWait) => {
+      setTimeout(resolveWait, request.intervalMs + DEVICE_POLLING_SAFETY_MARGIN_MS);
+    });
+  }
+  throw new Error(
+    "OpenAI Codex device authorization timed out. Re-run `poncho auth login --provider openai-codex --device`."
+  );
+};
+
+// src/model-factory.ts
 var MODEL_CONTEXT_WINDOWS = {
   "claude-opus-4-6": 2e5,
   "claude-sonnet-4-6": 2e5,
@@ -3596,6 +3886,29 @@ var MODEL_CONTEXT_WINDOWS = {
   "o3": 2e5
 };
 var DEFAULT_CONTEXT_WINDOW = 2e5;
+var OPENAI_CODEX_DEFAULT_INSTRUCTIONS = "You are Codex, based on GPT-5. You are running as a coding agent in Poncho.";
+var extractSystemInstructionFromInput = (input) => {
+  if (!Array.isArray(input)) return void 0;
+  for (const message of input) {
+    if (!message || typeof message !== "object") continue;
+    const candidate = message;
+    if (candidate.role !== "system") continue;
+    if (typeof candidate.content === "string" && candidate.content.trim().length > 0) {
+      return candidate.content;
+    }
+    if (Array.isArray(candidate.content)) {
+      const textParts = candidate.content.map((part) => {
+        if (!part || typeof part !== "object") return "";
+        const p = part;
+        return typeof p.text === "string" ? p.text : "";
+      }).filter((text) => text.trim().length > 0);
+      if (textParts.length > 0) {
+        return textParts.join("\n");
+      }
+    }
+  }
+  return void 0;
+};
 var getModelContextWindow = (modelName) => {
   if (MODEL_CONTEXT_WINDOWS[modelName] !== void 0) {
     return MODEL_CONTEXT_WINDOWS[modelName];
@@ -3610,6 +3923,39 @@ var getModelContextWindow = (modelName) => {
 };
 var createModelProvider = (provider, config) => {
   const normalized = (provider ?? "anthropic").toLowerCase();
+  if (normalized === "openai-codex") {
+    const openai = createOpenAI({
+      apiKey: "oauth-placeholder",
+      fetch: async (input, init) => {
+        const { accessToken, accountId } = await getOpenAICodexAccessToken(config?.openaiCodex);
+        const headers = new Headers(init?.headers);
+        headers.set("Authorization", `Bearer ${accessToken}`);
+        headers.set("originator", "poncho");
+        headers.set("User-Agent", "poncho/1.0");
+        if (accountId) {
+          headers.set("ChatGPT-Account-Id", accountId);
+        }
+        const originalUrl = input instanceof URL ? input.toString() : typeof input === "string" ? input : input.url;
+        const parsed = new URL(originalUrl);
+        const shouldRewrite = parsed.pathname.includes("/v1/responses") || parsed.pathname.includes("/chat/completions");
+        const targetUrl = shouldRewrite ? "https://chatgpt.com/backend-api/codex/responses" : originalUrl;
+        let body = init?.body;
+        if (shouldRewrite && typeof body === "string" && headers.get("Content-Type")?.includes("application/json")) {
+          try {
+            const payload = JSON.parse(body);
+            if (typeof payload.instructions !== "string" || payload.instructions.trim() === "") {
+              payload.instructions = extractSystemInstructionFromInput(payload.input) ?? OPENAI_CODEX_DEFAULT_INSTRUCTIONS;
+            }
+            payload.store = false;
+            body = JSON.stringify(payload);
+          } catch {
+          }
+        }
+        return fetch(targetUrl, { ...init, headers, body });
+      }
+    });
+    return (modelName) => openai(modelName);
+  }
   if (normalized === "openai") {
     const apiKeyEnv2 = config?.openai?.apiKeyEnv ?? "OPENAI_API_KEY";
     const openai = createOpenAI({
@@ -3626,8 +3972,8 @@ var createModelProvider = (provider, config) => {
 };
 
 // src/skill-context.ts
-import { readFile as readFile7, readdir as readdir2, stat } from "fs/promises";
-import { dirname as dirname4, resolve as resolve8, normalize } from "path";
+import { readFile as readFile8, readdir as readdir2, stat } from "fs/promises";
+import { dirname as dirname5, resolve as resolve9, normalize } from "path";
 import YAML3 from "yaml";
 var DEFAULT_SKILL_DIRS = ["skills"];
 var resolveSkillDirs = (workingDir, extraPaths) => {
@@ -3639,7 +3985,7 @@ var resolveSkillDirs = (workingDir, extraPaths) => {
       }
     }
   }
-  return dirs.map((d) => resolve8(workingDir, d));
+  return dirs.map((d) => resolve9(workingDir, d));
 };
 var FRONTMATTER_PATTERN3 = /^---\s*\n([\s\S]*?)\n---\s*\n?([\s\S]*)$/;
 var asRecord2 = (value) => typeof value === "object" && value !== null ? value : {};
@@ -3708,7 +4054,7 @@ var collectSkillManifests = async (directory) => {
   const entries = await readdir2(directory, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
-    const fullPath = resolve8(directory, entry.name);
+    const fullPath = resolve9(directory, entry.name);
     let isDir = entry.isDirectory();
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
@@ -3743,13 +4089,13 @@ var loadSkillMetadata = async (workingDir, extraSkillPaths) => {
   const seen = /* @__PURE__ */ new Set();
   for (const manifest of allManifests) {
     try {
-      const content = await readFile7(manifest, "utf8");
+      const content = await readFile8(manifest, "utf8");
       const parsed = parseSkillFrontmatter(content);
       if (parsed && !seen.has(parsed.name)) {
         seen.add(parsed.name);
         skills.push({
           ...parsed,
-          skillDir: dirname4(manifest),
+          skillDir: dirname5(manifest),
           skillPath: manifest
         });
       }
@@ -3788,7 +4134,7 @@ ${xmlSkills}
 };
 var escapeXml = (value) => value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 var loadSkillInstructions = async (skill) => {
-  const content = await readFile7(skill.skillPath, "utf8");
+  const content = await readFile8(skill.skillPath, "utf8");
   const match = content.match(FRONTMATTER_PATTERN3);
   return match ? match[2].trim() : content.trim();
 };
@@ -3797,11 +4143,11 @@ var readSkillResource = async (skill, relativePath) => {
   if (normalized.startsWith("..") || normalized.startsWith("/")) {
     throw new Error("Path must be relative and within the skill directory");
   }
-  const fullPath = resolve8(skill.skillDir, normalized);
+  const fullPath = resolve9(skill.skillDir, normalized);
   if (!fullPath.startsWith(skill.skillDir)) {
     throw new Error("Path escapes the skill directory");
   }
-  return await readFile7(fullPath, "utf8");
+  return await readFile8(fullPath, "utf8");
 };
 var MAX_INSTRUCTIONS_PER_SKILL = 1200;
 var loadSkillContext = async (workingDir) => {
@@ -3920,7 +4266,7 @@ function convertSchema(schema) {
 // src/skill-tools.ts
 import { defineTool as defineTool4 } from "@poncho-ai/sdk";
 import { access as access2, readdir as readdir3, stat as stat2 } from "fs/promises";
-import { extname, normalize as normalize2, resolve as resolve9, sep as sep2 } from "path";
+import { extname, normalize as normalize2, resolve as resolve10, sep as sep2 } from "path";
 import { pathToFileURL } from "url";
 import { createJiti as createJiti2 } from "jiti";
 var createSkillTools = (skills, options) => {
@@ -4178,7 +4524,7 @@ var collectScriptFiles = async (directory) => {
     if (entry.name === "node_modules") {
       continue;
     }
-    const fullPath = resolve9(directory, entry.name);
+    const fullPath = resolve10(directory, entry.name);
     let isDir = entry.isDirectory();
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
@@ -4217,8 +4563,8 @@ var normalizeScriptPolicyPath = (relativePath) => {
 };
 var resolveScriptPath = (baseDir, relativePath, containmentDir) => {
   const normalized = normalizeScriptPolicyPath(relativePath);
-  const fullPath = resolve9(baseDir, normalized);
-  const boundary = resolve9(containmentDir ?? baseDir);
+  const fullPath = resolve10(baseDir, normalized);
+  const boundary = resolve10(containmentDir ?? baseDir);
   if (!fullPath.startsWith(`${boundary}${sep2}`) && fullPath !== boundary) {
     throw new Error("Script path must stay inside the allowed directory");
   }
@@ -4324,8 +4670,8 @@ function applyRateLimitCooldown(retryAfterHeader) {
 async function runWithSearchThrottle(fn) {
   const previous = searchQueue;
   let release;
-  searchQueue = new Promise((resolve12) => {
-    release = resolve12;
+  searchQueue = new Promise((resolve13) => {
+    release = resolve13;
   });
   await previous.catch(() => {
   });
@@ -5122,6 +5468,8 @@ export default {
   providers: {
     anthropic: { apiKeyEnv: "ANTHROPIC_API_KEY" },
     openai: { apiKeyEnv: "OPENAI_API_KEY" },
+    // openai-codex provider reads OAuth tokens from env vars by default:
+    // openaiCodex: { refreshTokenEnv: "OPENAI_CODEX_REFRESH_TOKEN", accountIdEnv: "OPENAI_CODEX_ACCOUNT_ID" },
   },
   auth: {
     required: true,
@@ -5524,8 +5872,8 @@ var AgentHarness = class _AgentHarness {
       return false;
     }
     try {
-      const agentFilePath = resolve10(this.workingDir, "AGENT.md");
-      const rawContent = await readFile8(agentFilePath, "utf8");
+      const agentFilePath = resolve11(this.workingDir, "AGENT.md");
+      const rawContent = await readFile9(agentFilePath, "utf8");
       if (rawContent === this.agentFileFingerprint) {
         return false;
       }
@@ -5594,8 +5942,8 @@ var AgentHarness = class _AgentHarness {
     }
   }
   async initialize() {
-    const agentFilePath = resolve10(this.workingDir, "AGENT.md");
-    const agentRawContent = await readFile8(agentFilePath, "utf8");
+    const agentFilePath = resolve11(this.workingDir, "AGENT.md");
+    const agentRawContent = await readFile9(agentFilePath, "utf8");
     this.parsedAgent = parseAgentMarkdown(agentRawContent);
     this.agentFileFingerprint = agentRawContent;
     const identity = await ensureAgentIdentity(this.workingDir);
@@ -5702,14 +6050,14 @@ var AgentHarness = class _AgentHarness {
       const filePath = pathResolve(stateDir, `${sessionId}.json`);
       return {
         async save(json) {
-          const { mkdir: mkdir6, writeFile: writeFile7 } = await import("fs/promises");
-          await mkdir6(stateDir, { recursive: true });
-          await writeFile7(filePath, json, "utf8");
+          const { mkdir: mkdir7, writeFile: writeFile8 } = await import("fs/promises");
+          await mkdir7(stateDir, { recursive: true });
+          await writeFile8(filePath, json, "utf8");
         },
         async load() {
-          const { readFile: readFile10 } = await import("fs/promises");
+          const { readFile: readFile11 } = await import("fs/promises");
           try {
-            return await readFile10(filePath, "utf8");
+            return await readFile11(filePath, "utf8");
           } catch {
             return void 0;
           }
@@ -5775,7 +6123,7 @@ var AgentHarness = class _AgentHarness {
     let browserMod;
     try {
       const { existsSync } = await import("fs");
-      const { join, dirname: dirname6 } = await import("path");
+      const { join, dirname: dirname7 } = await import("path");
       const { pathToFileURL: pathToFileURL2 } = await import("url");
       let searchDir = this.workingDir;
       let entryPath;
@@ -5785,7 +6133,7 @@ var AgentHarness = class _AgentHarness {
           entryPath = candidate;
           break;
         }
-        const parent = dirname6(searchDir);
+        const parent = dirname7(searchDir);
         if (parent === searchDir) break;
         searchDir = parent;
       }
@@ -5890,9 +6238,9 @@ var AgentHarness = class _AgentHarness {
           for await (const event of this.run(input)) {
             eventQueue.push(event);
             if (queueResolve) {
-              const resolve12 = queueResolve;
+              const resolve13 = queueResolve;
               queueResolve = null;
-              resolve12();
+              resolve13();
             }
           }
         } catch (error) {
@@ -5911,8 +6259,8 @@ var AgentHarness = class _AgentHarness {
           if (eventQueue.length > 0) {
             yield eventQueue.shift();
           } else if (!generatorDone) {
-            await new Promise((resolve12) => {
-              queueResolve = resolve12;
+            await new Promise((resolve13) => {
+              queueResolve = resolve13;
             });
           }
         }
@@ -6504,8 +6852,8 @@ ${textContent}` };
               let timer;
               nextPart = await Promise.race([
                 fullStreamIterator.next(),
-                new Promise((resolve12) => {
-                  timer = setTimeout(() => resolve12(null), effectiveTimeout);
+                new Promise((resolve13) => {
+                  timer = setTimeout(() => resolve13(null), effectiveTimeout);
                 })
               ]);
               clearTimeout(timer);
@@ -6822,7 +7170,7 @@ ${textContent}` };
           const raced = await Promise.race([
             this.dispatcher.executeBatch(approvedCalls, toolContext),
             new Promise(
-              (resolve12) => setTimeout(() => resolve12(TOOL_DEADLINE_SENTINEL), toolDeadlineRemainingMs)
+              (resolve13) => setTimeout(() => resolve13(TOOL_DEADLINE_SENTINEL), toolDeadlineRemainingMs)
             )
           ]);
           if (raced === TOOL_DEADLINE_SENTINEL) {
@@ -7163,8 +7511,8 @@ var LatitudeCapture = class {
 
 // src/state.ts
 import { randomUUID as randomUUID4 } from "crypto";
-import { mkdir as mkdir5, readFile as readFile9, readdir as readdir4, rename as rename3, rm as rm3, writeFile as writeFile6 } from "fs/promises";
-import { dirname as dirname5, resolve as resolve11 } from "path";
+import { mkdir as mkdir6, readFile as readFile10, readdir as readdir4, rename as rename3, rm as rm4, writeFile as writeFile7 } from "fs/promises";
+import { dirname as dirname6, resolve as resolve12 } from "path";
 var DEFAULT_OWNER = "local-owner";
 var LOCAL_STATE_FILE = "state.json";
 var CONVERSATIONS_DIRECTORY = "conversations";
@@ -7180,9 +7528,9 @@ var toStoreIdentity = async ({
   return { name: ensured.name, id: agentId };
 };
 var writeJsonAtomic3 = async (filePath, payload) => {
-  await mkdir5(dirname5(filePath), { recursive: true });
+  await mkdir6(dirname6(filePath), { recursive: true });
   const tmpPath = `${filePath}.tmp`;
-  await writeFile6(tmpPath, JSON.stringify(payload, null, 2), "utf8");
+  await writeFile7(tmpPath, JSON.stringify(payload, null, 2), "utf8");
   await rename3(tmpPath, filePath);
 };
 var formatUtcTimestamp = (value) => new Date(value).toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
@@ -7371,8 +7719,8 @@ var FileConversationStore = class {
       agentId: this.agentId
     });
     const agentDir = getAgentStoreDirectory(identity);
-    const conversationsDir = resolve11(agentDir, CONVERSATIONS_DIRECTORY);
-    const indexPath = resolve11(conversationsDir, LOCAL_CONVERSATION_INDEX_FILE);
+    const conversationsDir = resolve12(agentDir, CONVERSATIONS_DIRECTORY);
+    const indexPath = resolve12(conversationsDir, LOCAL_CONVERSATION_INDEX_FILE);
     this.paths = { conversationsDir, indexPath };
     return this.paths;
   }
@@ -7386,9 +7734,9 @@ var FileConversationStore = class {
   }
   async readConversationFile(fileName) {
     const { conversationsDir } = await this.resolvePaths();
-    const filePath = resolve11(conversationsDir, fileName);
+    const filePath = resolve12(conversationsDir, fileName);
     try {
-      const raw = await readFile9(filePath, "utf8");
+      const raw = await readFile10(filePath, "utf8");
       return JSON.parse(raw);
     } catch {
       return void 0;
@@ -7434,7 +7782,7 @@ var FileConversationStore = class {
     this.loaded = true;
     const { indexPath } = await this.resolvePaths();
     try {
-      const raw = await readFile9(indexPath, "utf8");
+      const raw = await readFile10(indexPath, "utf8");
       const parsed = JSON.parse(raw);
       for (const conversation of parsed.conversations ?? []) {
         this.conversations.set(conversation.conversationId, conversation);
@@ -7457,7 +7805,7 @@ var FileConversationStore = class {
     const { conversationsDir } = await this.resolvePaths();
     const existing = this.conversations.get(conversation.conversationId);
     const fileName = existing?.fileName ?? this.resolveConversationFileName(conversation);
-    const filePath = resolve11(conversationsDir, fileName);
+    const filePath = resolve12(conversationsDir, fileName);
     this.writing = this.writing.then(async () => {
       await writeJsonAtomic3(filePath, conversation);
       this.conversations.set(conversation.conversationId, {
@@ -7555,7 +7903,7 @@ var FileConversationStore = class {
     if (removed) {
       this.writing = this.writing.then(async () => {
         if (existing) {
-          await rm3(resolve11(conversationsDir, existing.fileName), { force: true });
+          await rm4(resolve12(conversationsDir, existing.fileName), { force: true });
         }
         await this.writeIndex();
       });
@@ -7577,7 +7925,7 @@ var FileConversationStore = class {
     const summary = this.conversations.get(conversationId);
     if (!summary) return void 0;
     const { conversationsDir } = await this.resolvePaths();
-    const filePath = resolve11(conversationsDir, summary.fileName);
+    const filePath = resolve12(conversationsDir, summary.fileName);
     let result;
     this.writing = this.writing.then(async () => {
       const conv = await this.readConversationFile(summary.fileName);
@@ -7616,7 +7964,7 @@ var FileStateStore = class {
       workingDir: this.workingDir,
       agentId: this.agentId
     });
-    this.filePath = resolve11(getAgentStoreDirectory(identity), LOCAL_STATE_FILE);
+    this.filePath = resolve12(getAgentStoreDirectory(identity), LOCAL_STATE_FILE);
   }
   isExpired(state) {
     return typeof this.ttlMs === "number" && Date.now() - state.updatedAt > this.ttlMs;
@@ -7628,7 +7976,7 @@ var FileStateStore = class {
     }
     this.loaded = true;
     try {
-      const raw = await readFile9(this.filePath, "utf8");
+      const raw = await readFile10(this.filePath, "utf8");
       const parsed = JSON.parse(raw);
       for (const state of parsed.states ?? []) {
         this.states.set(state.runId, state);
@@ -8337,6 +8685,7 @@ export {
   LatitudeCapture,
   LocalMcpBridge,
   LocalUploadStore,
+  OPENAI_CODEX_CLIENT_ID,
   PONCHO_UPLOAD_SCHEME,
   S3UploadStore,
   STORAGE_SCHEMA_VERSION,
@@ -8346,6 +8695,7 @@ export {
   buildAgentDirectoryName,
   buildSkillContextWindow,
   compactMessages,
+  completeOpenAICodexDeviceAuth,
   createConversationStore,
   createDefaultTools,
   createDeleteDirectoryTool,
@@ -8361,6 +8711,7 @@ export {
   createUploadStore,
   createWriteTool,
   defineTool7 as defineTool,
+  deleteOpenAICodexSession,
   deriveUploadKey,
   ensureAgentIdentity,
   estimateTokens,
@@ -8369,6 +8720,9 @@ export {
   generateAgentId,
   getAgentStoreDirectory,
   getModelContextWindow,
+  getOpenAICodexAccessToken,
+  getOpenAICodexAuthFilePath,
+  getOpenAICodexRequiredScopes,
   getPonchoStoreRoot,
   jsonSchemaToZod,
   loadPonchoConfig,
@@ -8380,6 +8734,7 @@ export {
   parseAgentFile,
   parseAgentMarkdown,
   ponchoDocsTool,
+  readOpenAICodexSession,
   readSkillResource,
   renderAgentPrompt,
   resolveAgentIdentity,
@@ -8387,5 +8742,7 @@ export {
   resolveMemoryConfig,
   resolveSkillDirs,
   resolveStateConfig,
-  slugifyStorageComponent
+  slugifyStorageComponent,
+  startOpenAICodexDeviceAuth,
+  writeOpenAICodexSession
 };