@quanta-intellect/vessel-browser 0.1.86 → 0.1.90

package/out/main/index.js

@@ -6,11 +6,12 @@ const fs = require("fs");
 const crypto$1 = require("crypto");
 const Anthropic = require("@anthropic-ai/sdk");
 const OpenAI = require("openai");
+const http = require("http");
 const path$1 = require("node:path");
 const node_module = require("node:module");
 const zod = require("zod");
 const crypto$2 = require("node:crypto");
-const http = require("node:http");
+const http$1 = require("node:http");
 const os = require("node:os");
 const mcp_js = require("@modelcontextprotocol/sdk/server/mcp.js");
 const streamableHttp_js = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
@@ -77,7 +78,8 @@ const defaults = {
 };
 const SAVE_DEBOUNCE_MS$6 = 150;
 const CHAT_PROVIDER_SECRET_FILENAME = "vessel-chat-provider-secret";
-const logger$k = createLogger("Settings");
+const CODEX_TOKENS_FILENAME = "vessel-codex-tokens";
+const logger$n = createLogger("Settings");
 const SETTABLE_KEYS = new Set(Object.keys(defaults));
 let settings = null;
 let settingsIssues = [];
@@ -131,6 +133,38 @@ function clearStoredProviderSecret() {
   } catch {
   }
 }
+function getCodexTokensPath() {
+  return path.join(getUserDataPath(), CODEX_TOKENS_FILENAME);
+}
+function readStoredCodexTokens() {
+  try {
+    const raw = fs.readFileSync(getCodexTokensPath());
+    const decoded = canUseSafeStorage$1() && electron.safeStorage.decryptString ? electron.safeStorage.decryptString(raw) : raw.toString("utf-8");
+    const parsed = JSON.parse(decoded);
+    if (parsed && typeof parsed === "object" && typeof parsed.accessToken === "string" && typeof parsed.refreshToken === "string") {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function writeStoredCodexTokens(tokens) {
+  const filePath = getCodexTokensPath();
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  const payload = JSON.stringify(tokens);
+  if (canUseSafeStorage$1()) {
+    const encrypted = electron.safeStorage.encryptString(payload);
+    fs.writeFileSync(filePath, encrypted, { mode: 384 });
+    return;
+  }
+  fs.writeFileSync(filePath, payload, { mode: 384 });
+}
+function clearStoredCodexTokens() {
+  try {
+    fs.unlinkSync(getCodexTokensPath());
+  } catch {
+  }
+}
 function mergeChatProviderSecret(provider) {
   if (!provider) return null;
   const stored = readStoredProviderSecret();
@@ -157,12 +191,14 @@ function buildPersistedSettings(source) {
 }
 function getRendererSettings() {
   const current = loadSettings();
+  const provider = current.chatProvider;
+  const hasCodexTokens = provider?.id === "openai_codex" && readStoredCodexTokens() !== null;
   return {
     ...current,
-    chatProvider: current.chatProvider ? {
-      ...current.chatProvider,
+    chatProvider: provider ? {
+      ...provider,
       apiKey: "",
-      hasApiKey: Boolean(current.chatProvider.apiKey)
+      hasApiKey: Boolean(provider.apiKey) || hasCodexTokens
     } : null
   };
 }
@@ -234,7 +270,7 @@ function persistNow() {
       getSettingsPath(),
       JSON.stringify(buildPersistedSettings(settings), null, 2)
     )
-  ).catch((err) => logger$k.error("Failed to save settings:", err));
+  ).catch((err) => logger$n.error("Failed to save settings:", err));
 }
 function saveSettings() {
   saveDirty = true;
@@ -341,7 +377,7 @@ function assertPermittedNavigationURL(url) {
 }
 const MAX_CUSTOM_HISTORY = 50;
 const READER_MODE_DATA_URL_PREFIX = "data:text/html;charset=utf-8,";
-const logger$j = createLogger("Tab");
+const logger$m = createLogger("Tab");
 const sessionCertExceptions = /* @__PURE__ */ new WeakMap();
 const sessionsWithVerifyProc = /* @__PURE__ */ new WeakSet();
 const CERT_VERIFY_TRUST = 0;
@@ -407,7 +443,7 @@ class Tab {
   guardedLoadURL(url, options) {
     const blockReason = this.getNavigationBlockReason(url);
     if (blockReason) {
-      logger$j.warn(blockReason);
+      logger$m.warn(blockReason);
       return blockReason;
     }
     void this.view.webContents.loadURL(url, options);
@@ -491,7 +527,7 @@ class Tab {
     wc.setWindowOpenHandler(({ url, disposition }) => {
       const error = this.getNavigationBlockReason(url);
       if (error) {
-        logger$j.warn(error);
+        logger$m.warn(error);
         return { action: "deny" };
       }
       this.onOpenUrl?.({
@@ -505,7 +541,7 @@ class Tab {
       const error = this.getNavigationBlockReason(url);
       if (!error) return;
       event.preventDefault();
-      logger$j.warn(`${context}: ${error}`);
+      logger$m.warn(`${context}: ${error}`);
     };
     wc.on("will-navigate", (event, url) => {
       blockNavigation(event, url, "Blocked top-level navigation");
@@ -589,7 +625,7 @@ class Tab {
         ::-webkit-scrollbar-thumb { background: rgba(255,255,255,0.12); border-radius: 999px; }
         ::-webkit-scrollbar-thumb:hover { background: rgba(255,255,255,0.22); }
         ::-webkit-scrollbar-corner { background: transparent; }
-      `).catch((err) => logger$j.warn("Failed to inject scrollbar CSS:", err));
+      `).catch((err) => logger$m.warn("Failed to inject scrollbar CSS:", err));
     });
     wc.on("page-favicon-updated", (_, favicons) => {
       this._state.favicon = favicons[0] || "";
@@ -625,7 +661,7 @@ class Tab {
       ).then((highlightedText) => {
         this.buildContextMenu(wc, params, highlightedText.trim());
       }).catch((err) => {
-        logger$j.warn("Failed to inspect highlighted text for context menu:", err);
+        logger$m.warn("Failed to inspect highlighted text for context menu:", err);
         this.buildContextMenu(wc, params, "");
       });
     });
@@ -826,7 +862,7 @@ class Tab {
         "document.documentElement.outerHTML"
       );
     } catch (err) {
-      logger$j.warn("Failed to retrieve page source:", err);
+      logger$m.warn("Failed to retrieve page source:", err);
       return;
     }
     const escaped = html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
@@ -954,7 +990,7 @@ class Tab {
             document.addEventListener('mouseup', window.__vesselHighlightHandler);
           }
         })()
-      `).catch((err) => logger$j.warn("Failed to inject highlight listener:", err));
+      `).catch((err) => logger$m.warn("Failed to inject highlight listener:", err));
     } else {
       void wc.executeJavaScript(`
         (function() {
@@ -965,7 +1001,7 @@ class Tab {
             delete window.__vesselHighlightHandler;
           }
         })()
-      `).catch((err) => logger$j.warn("Failed to remove highlight listener:", err));
+      `).catch((err) => logger$m.warn("Failed to remove highlight listener:", err));
     }
   }
   get webContentsId() {
@@ -1002,7 +1038,7 @@ const SEARCH_ENGINE_PRESETS = {
   ecosia: { label: "Ecosia", url: "https://www.ecosia.org/search?q=" },
   kagi: { label: "Kagi", url: "https://kagi.com/search?q=" }
 };
-const logger$i = createLogger("JsonPersistence");
+const logger$l = createLogger("JsonPersistence");
 function canUseSafeStorage() {
   try {
     return electron.safeStorage.isEncryptionAvailable();
@@ -1067,7 +1103,7 @@ function createDebouncedJsonPersistence({
         data,
         typeof data === "string" ? { encoding: "utf-8", mode: 384 } : { mode: 384 }
       )
-    ).catch((err) => logger$i.error(`Failed to save ${logLabel}:`, err));
+    ).catch((err) => logger$l.error(`Failed to save ${logLabel}:`, err));
   };
   const schedule = () => {
     saveDirty2 = true;
@@ -1429,8 +1465,7 @@ const VESSEL_HIGHLIGHT_CSS = `
   opacity: 1;
 }
 `;
-async function highlightOnPage(wc, resolvedSelector, text, label, durationMs, color) {
-  const c = resolveColor(color);
+async function ensureHighlightStyles(wc) {
   await wc.executeJavaScript(`
     (function() {
       if (!document.getElementById('__vessel-highlight-styles')) {
@@ -1439,6 +1474,14 @@ async function highlightOnPage(wc, resolvedSelector, text, label, durationMs, co
         s.textContent = ${JSON.stringify(VESSEL_HIGHLIGHT_CSS)};
         document.head.appendChild(s);
       }
+    })()
+  `);
+}
+async function highlightOnPage(wc, resolvedSelector, text, label, durationMs, color) {
+  const c = resolveColor(color);
+  await ensureHighlightStyles(wc);
+  await wc.executeJavaScript(`
+    (function() {
       if (!window.__vesselHighlightLabelManager) {
         var overlap = function(a, b) {
           return a.left < b.right && a.right > b.left && a.top < b.bottom && a.bottom > b.top;
@@ -1643,14 +1686,9 @@ async function highlightBatchOnPage(wc, entries) {
     color: resolveColor(e.color)
   }));
   if (serialized.length === 0) return;
+  await ensureHighlightStyles(wc);
   await wc.executeJavaScript(`
     (function() {
-      if (!document.getElementById('__vessel-highlight-styles')) {
-        var s = document.createElement('style');
-        s.id = '__vessel-highlight-styles';
-        s.textContent = ${JSON.stringify(VESSEL_HIGHLIGHT_CSS)};
-        document.head.appendChild(s);
-      }
       var entries = ${JSON.stringify(serialized)};
       ${SKIP_TAGS_JS}
       ${CONTENT_ROOTS_JS}
@@ -1754,6 +1792,8 @@ async function clearAllHighlightElements(wc) {
         el.style.removeProperty('outline');
         el.style.removeProperty('outline-offset');
       });
+      var style = document.getElementById('__vessel-highlight-styles');
+      if (style) style.remove();
       return true;
     })()
   `);
@@ -2742,7 +2782,7 @@ function destroySession(tabId) {
     sessions.delete(tabId);
   }
 }
-const logger$h = createLogger("TabManager");
+const logger$k = createLogger("TabManager");
 function sanitizePdfFilename(title) {
   const clean = title.replace(/[<>:"/\\|?*\x00-\x1f]/g, " ").replace(/\s+/g, " ").trim();
   const base = (clean || "Vessel Page").replace(/\.pdf$/i, "");
@@ -3141,7 +3181,7 @@ class TabManager {
     }));
     if (entries.length > 0) {
       void highlightBatchOnPage(wc, entries).catch(
-        (err) => logger$h.warn("Failed to batch highlight:", err)
+        (err) => logger$k.warn("Failed to batch highlight:", err)
       );
     }
   }
@@ -3163,12 +3203,12 @@ class TabManager {
         const result = await captureSelectionHighlight(wc);
         if (result.success && result.text) {
           await highlightOnPage(wc, null, result.text, void 0, void 0, "yellow").catch(
-            (err) => logger$h.warn("Failed to capture highlight:", err)
+            (err) => logger$k.warn("Failed to capture highlight:", err)
           );
         }
         this.highlightCaptureCallback?.(result);
       } catch (err) {
-        logger$h.warn("Failed to capture highlight from page:", err);
+        logger$k.warn("Failed to capture highlight from page:", err);
         this.highlightCaptureCallback?.({
           success: false,
           message: "Could not capture selection"
@@ -3193,7 +3233,7 @@ class TabManager {
           void this.removeHighlightMarksForText(wc, text);
         }
       } catch (err) {
-        logger$h.warn("Failed to remove highlight from matching tab:", err);
+        logger$k.warn("Failed to remove highlight from matching tab:", err);
       }
     }
     this.highlightCaptureCallback?.({
@@ -3224,12 +3264,12 @@ class TabManager {
               void 0,
               color
             ).catch(
-              (err) => logger$h.warn("Failed to update highlight color:", err)
+              (err) => logger$k.warn("Failed to update highlight color:", err)
             );
           });
         }
       } catch (err) {
-        logger$h.warn("Failed to iterate highlights for color change:", err);
+        logger$k.warn("Failed to iterate highlights for color change:", err);
       }
     }
     this.highlightCaptureCallback?.({
@@ -3270,7 +3310,7 @@ class TabManager {
         });
       })()`
     ).catch(
-      (err) => logger$h.warn("Failed to remove highlight marks:", err)
+      (err) => logger$k.warn("Failed to remove highlight marks:", err)
     );
   }
   broadcastState() {
@@ -3473,7 +3513,12 @@ const Channels = {
   CLEAR_BROWSING_DATA: "browsing-data:clear",
   CLEAR_BROWSING_DATA_OPEN: "browsing-data:open",
   // Picture-in-Picture
-  TAB_TOGGLE_PIP: "tab:toggle-pip"
+  TAB_TOGGLE_PIP: "tab:toggle-pip",
+  // Codex OAuth
+  CODEX_START_AUTH: "codex:start-auth",
+  CODEX_CANCEL_AUTH: "codex:cancel-auth",
+  CODEX_AUTH_STATUS: "codex:auth-status",
+  CODEX_DISCONNECT: "codex:disconnect"
 };
 const MAX_DETAIL_ITEMS = 3;
 const MIN_BLOCK_SIMILARITY = 0.82;
@@ -4431,7 +4476,7 @@ function errorResult(error, value) {
 function getErrorMessage(error, fallback = "Unknown error") {
   return error instanceof Error && error.message ? error.message : fallback;
 }
-const logger$g = createLogger("Premium");
+const logger$j = createLogger("Premium");
 const VERIFICATION_API = process.env.VESSEL_PREMIUM_API || "https://vesselpremium.quantaintellect.com";
 const FREE_TOOL_ITERATION_LIMIT = 50;
 const REVALIDATION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
@@ -4547,7 +4592,7 @@ async function verifySubscription$1(identifier) {
     });
     if (!res.ok) {
       const detail = await readApiErrorDetail(res);
-      logger$g.warn(
+      logger$j.warn(
         "Verification API returned a non-OK status:",
         res.status,
         detail
@@ -4566,7 +4611,7 @@ async function verifySubscription$1(identifier) {
     setSetting("premium", updated);
     return updated;
   } catch (err) {
-    logger$g.warn("Verification failed:", err);
+    logger$j.warn("Verification failed:", err);
     return current;
   }
 }
@@ -5139,7 +5184,7 @@ const EXTRACT_TIMEOUT_MAX_MS = 2e4;
 const MUTATION_CAPTURE_INTERVAL_MS = 5e3;
 const MUTATION_SETTLE_AFTER_MS = 1500;
 const AGENT_STREAM_IDLE_TIMEOUT_MS = 3e4;
-const logger$f = createLogger("Extractor");
+const logger$i = createLogger("Extractor");
 const EMPTY_PAGE_CONTENT = {
   title: "",
   content: "",
@@ -5889,7 +5934,7 @@ async function executeScript(webContents, script) {
       })
     ]);
   } catch (err) {
-    logger$f.warn("Failed to execute page script:", err);
+    logger$i.warn("Failed to execute page script:", err);
     return null;
   } finally {
     if (timer) {
@@ -5996,7 +6041,7 @@ async function estimateExtractionTimeout(webContents) {
       return EXTRACT_TIMEOUT_BASE_MS + extra;
     }
   } catch (err) {
-    logger$f.warn("Failed to estimate extraction timeout, using base timeout:", err);
+    logger$i.warn("Failed to estimate extraction timeout, using base timeout:", err);
   }
   return EXTRACT_TIMEOUT_BASE_MS;
 }
@@ -6605,8 +6650,8 @@ function resizeSidebarViews(state2) {
   }
 }
 function generateReaderHTML(page) {
-  const escapedTitle = escapeHtml(page.title);
-  const escapedByline = escapeHtml(page.byline);
+  const escapedTitle = escapeHtml$1(page.title);
+  const escapedByline = escapeHtml$1(page.byline);
   const renderedContent = renderReaderContent(page);
   return `<!DOCTYPE html>
 <html lang="en">
@@ -6694,9 +6739,9 @@ function renderReaderContent(page) {
   if (!source) {
     return "<p>No readable content was available for this page.</p>";
   }
-  return source.split(/\n{2,}/).map((block) => block.trim()).filter(Boolean).map((block) => `<p>${escapeHtml(block).replace(/\n/g, "<br>")}</p>`).join("\n");
+  return source.split(/\n{2,}/).map((block) => block.trim()).filter(Boolean).map((block) => `<p>${escapeHtml$1(block).replace(/\n/g, "<br>")}</p>`).join("\n");
 }
-function escapeHtml(str) {
+function escapeHtml$1(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
 const mcpStatusChangeListeners = /* @__PURE__ */ new Set();
@@ -7173,6 +7218,17 @@ const PROVIDERS = {
     apiKeyPlaceholder: "sk-...",
     apiKeyHint: "Get your key from platform.openai.com"
   },
+  openai_codex: {
+    id: "openai_codex",
+    name: "OpenAI Codex",
+    type: "codex_oauth",
+    defaultModel: "gpt-5",
+    models: ["gpt-5", "gpt-5-mini", "gpt-5-nano", "o4", "o4-mini"],
+    requiresApiKey: false,
+    defaultBaseUrl: "https://api.openai.com/v1",
+    apiKeyPlaceholder: "",
+    apiKeyHint: "Sign in with your ChatGPT Plus or Pro subscription"
+  },
   openrouter: {
     id: "openrouter",
     name: "OpenRouter",
@@ -7344,7 +7400,7 @@ const MAX_MCP_NAV_CONTENT_LENGTH = 3e4;
 const MAX_AGENT_DEBUG_CONTENT_LENGTH = 2e4;
 const LLAMA_CPP_MIN_CTX_TOKENS = 16384;
 const LLAMA_CPP_RECOMMENDED_CTX_TOKENS = 32768;
-const logger$e = createLogger("OpenAIProvider");
+const logger$h = createLogger("OpenAIProvider");
 function shouldDebugAgentLoop() {
   const value = process.env.VESSEL_DEBUG_AGENT_LOOP;
   return value === "1" || value === "true";
@@ -7869,9 +7925,9 @@ function resolveToolCallName(rawName, args, availableToolNames) {
 function logAgentLoopDebug(payload) {
   if (!shouldDebugAgentLoop()) return;
   try {
-    logger$e.info(`[agent-debug] ${JSON.stringify(payload)}`);
+    logger$h.info(`[agent-debug] ${JSON.stringify(payload)}`);
   } catch (err) {
-    logger$e.warn("Failed to serialize debug payload:", err);
+    logger$h.warn("Failed to serialize debug payload:", err);
   }
 }
 function recoverTextEncodedToolCalls(text, availableToolNames) {
@@ -8405,6 +8461,525 @@ class OpenAICompatProvider {
     this.abortController?.abort();
   }
 }
+const logger$g = createLogger("CodexOAuth");
+const ISSUER = "https://auth.openai.com";
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
+const AUTH_TIMEOUT_MS = 5 * 60 * 1e3;
+const PREFERRED_PORT = 1455;
+const FALLBACK_PORT = 1457;
+let activeFlow = null;
+function base64url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce() {
+  const codeVerifier = base64url(crypto$1.randomBytes(64));
+  const hash = crypto$1.createHash("sha256").update(codeVerifier).digest();
+  const codeChallenge = base64url(hash);
+  return { codeVerifier, codeChallenge };
+}
+function generateState() {
+  return base64url(crypto$1.randomBytes(32));
+}
+function buildAuthorizeUrl(port, pkce, state2) {
+  const redirectUri = `http://localhost:${port}/auth/callback`;
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: SCOPE,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: "S256",
+    state: state2,
+    id_token_add_organizations: "true",
+    codex_cli_simplified_flow: "true",
+    originator: "codex_cli_rs"
+  });
+  return `${ISSUER}/oauth/authorize?${params.toString()}`;
+}
+function parseJwtClaims(idToken) {
+  try {
+    const parts = idToken.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    const authClaims = payload["https://api.openai.com/auth"] || {};
+    const accountId = authClaims.chatgpt_account_id || payload.chatgpt_account_id || payload.sub || "";
+    const email = authClaims.email || payload.email || void 0;
+    return { accountId, email };
+  } catch {
+    return null;
+  }
+}
+function parseTokenExpiry(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return Date.now() + 36e5;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    if (payload.exp && typeof payload.exp === "number") {
+      return payload.exp * 1e3;
+    }
+  } catch {
+  }
+  return Date.now() + 36e5;
+}
+async function exchangeIdTokenForApiKey(idToken) {
+  const body = new URLSearchParams({
+    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
+    client_id: CLIENT_ID,
+    requested_token: "openai-api-key",
+    subject_token: idToken,
+    subject_token_type: "urn:ietf:params:oauth:token-type:id_token"
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `OpenAI API token exchange failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") {
+        errorMsg = err.error_description;
+      } else if (typeof err.error === "string") {
+        errorMsg = err.error;
+      }
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  if (!data.access_token) {
+    throw new Error("OpenAI API token exchange did not return an access token");
+  }
+  return data.access_token;
+}
+async function ensureCodexApiKey(tokens) {
+  if (tokens.apiKey) return tokens;
+  if (!tokens.idToken) return tokens;
+  try {
+    return {
+      ...tokens,
+      apiKey: await exchangeIdTokenForApiKey(tokens.idToken)
+    };
+  } catch (err) {
+    logger$g.warn(
+      "Codex API-key token exchange failed; continuing with ChatGPT OAuth tokens:",
+      err
+    );
+    return tokens;
+  }
+}
+async function exchangeCodeForTokens(code, redirectUri, codeVerifier) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    client_id: CLIENT_ID,
+    code_verifier: codeVerifier
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `Token exchange failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") {
+        errorMsg = err.error_description;
+      } else if (typeof err.error === "string") {
+        errorMsg = err.error;
+      }
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  const claims = parseJwtClaims(data.id_token);
+  const expiresAt = parseTokenExpiry(data.access_token);
+  const tokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    idToken: data.id_token,
+    expiresAt,
+    accountId: claims?.accountId || "",
+    accountEmail: claims?.email
+  };
+  return ensureCodexApiKey(tokens);
+}
+async function refreshAccessToken(tokens) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: tokens.refreshToken,
+    client_id: CLIENT_ID
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `Token refresh failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") errorMsg = err.error_description;
+      else if (typeof err.error === "string") errorMsg = err.error;
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  const idToken = data.id_token || tokens.idToken || "";
+  const claims = idToken ? parseJwtClaims(idToken) : null;
+  const expiresAt = parseTokenExpiry(data.access_token);
+  const refreshedTokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token || tokens.refreshToken,
+    idToken,
+    apiKey: tokens.apiKey,
+    expiresAt,
+    accountId: claims?.accountId || tokens.accountId || "",
+    accountEmail: claims?.email || tokens.accountEmail
+  };
+  return ensureCodexApiKey(refreshedTokens);
+}
+function startServer(port, pkce, expectedState, resolve, reject) {
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    if (url.pathname === "/auth/callback") {
+      const state2 = url.searchParams.get("state");
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        const msg = errorDescription || error;
+        res.end(`Authorization failed: ${msg}`);
+        reject(new Error(msg));
+        return;
+      }
+      if (state2 !== expectedState) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end("State mismatch. Please try again.");
+        reject(new Error("State mismatch"));
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end("Missing authorization code.");
+        reject(new Error("Missing authorization code"));
+        return;
+      }
+      try {
+        activeFlow?.onStatus("exchanging");
+        const redirectUri = `http://localhost:${activeFlow?.port ?? port}/auth/callback`;
+        const tokens = await exchangeCodeForTokens(code, redirectUri, pkce.codeVerifier);
+        res.writeHead(302, {
+          Location: `/success?email=${encodeURIComponent(tokens.accountEmail || tokens.accountId)}`,
+          Connection: "close"
+        });
+        res.end();
+        resolve(tokens);
+      } catch (err) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end(`Token exchange failed: ${err instanceof Error ? err.message : "Unknown error"}`);
+        reject(err instanceof Error ? err : new Error("Token exchange failed"));
+      }
+      return;
+    }
+    if (url.pathname === "/success") {
+      const email = url.searchParams.get("email") || "";
+      res.writeHead(200, { "Content-Type": "text/html", "Connection": "close" });
+      res.end(`<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Vessel — Signed In</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#111;color:#eee}</style></head>
+<body><div style="text-align:center"><h1>✓ Signed In</h1>
+<p>Connected as ${escapeHtml(email)}</p><p>You can close this tab.</p></div></body></html>`);
+      return;
+    }
+    if (url.pathname === "/cancel") {
+      res.writeHead(200, { "Content-Type": "text/plain", "Connection": "close" });
+      res.end("Login cancelled");
+      reject(new Error("Login cancelled by user"));
+      return;
+    }
+    res.writeHead(404, { "Connection": "close" });
+    res.end("Not found");
+  });
+  return server;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+async function bindServer(server) {
+  const allowedPorts = [PREFERRED_PORT, FALLBACK_PORT];
+  for (const port of allowedPorts) {
+    try {
+      await new Promise((resolve, reject) => {
+        const onError = (err) => {
+          server.off("listening", onListening);
+          reject(err);
+        };
+        const onListening = () => {
+          server.off("error", onError);
+          resolve();
+        };
+        server.once("error", onError);
+        server.once("listening", onListening);
+        server.listen(port, "127.0.0.1");
+      });
+      return port;
+    } catch (err) {
+      if (err.code === "EADDRINUSE") {
+        continue;
+      }
+      throw err;
+    }
+  }
+  throw new Error(
+    `Could not bind Codex OAuth callback server to registered ports ${allowedPorts.join(", ")}`
+  );
+}
+async function startCodexOAuth(onStatus) {
+  if (activeFlow) {
+    throw new Error("Auth flow already in progress");
+  }
+  const pkce = generatePkce();
+  const state2 = generateState();
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const safeOnStatus = (status, error) => {
+      try {
+        onStatus(status, error);
+      } catch {
+        logger$g.warn("Codex OAuth status callback failed — window may be closed");
+      }
+    };
+    const wrappedResolve = (tokens) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      safeOnStatus("connected");
+      resolve(tokens);
+    };
+    const wrappedReject = (err) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      safeOnStatus("error", err.message);
+      reject(err);
+    };
+    const server = startServer(0, pkce, state2, wrappedResolve, wrappedReject);
+    const timeout = setTimeout(() => {
+      wrappedReject(new Error("Auth flow timed out after 5 minutes"));
+    }, AUTH_TIMEOUT_MS);
+    activeFlow = {
+      state: state2,
+      codeVerifier: pkce.codeVerifier,
+      port: 0,
+      server,
+      timeout,
+      onStatus
+    };
+    const cleanup = () => {
+      if (activeFlow?.timeout) clearTimeout(activeFlow.timeout);
+      activeFlow?.server.close();
+      activeFlow = null;
+    };
+    bindServer(server).then((port) => {
+      if (settled) return;
+      activeFlow.port = port;
+      const authUrl = buildAuthorizeUrl(port, pkce, state2);
+      safeOnStatus("waiting");
+      electron.shell.openExternal(authUrl).catch((err) => {
+        logger$g.warn("Failed to open browser, user will need the URL:", err);
+      });
+    }).catch(wrappedReject);
+  });
+}
+function cancelCodexOAuth() {
+  if (!activeFlow) return;
+  activeFlow.server.close();
+  if (activeFlow.timeout) clearTimeout(activeFlow.timeout);
+  try {
+    activeFlow.onStatus("idle");
+  } catch {
+    logger$g.warn("Codex OAuth cancel status callback failed — window may be closed");
+  }
+  activeFlow = null;
+}
+const logger$f = createLogger("CodexProvider");
+const REFRESH_WINDOW_MS = 5 * 60 * 1e3;
+const CODEX_BACKEND_BASE_URL = "https://chatgpt.com/backend-api/codex";
+const CODEX_CLIENT_VERSION = "0.129.0";
+class CodexProvider {
+  agentToolProfile;
+  tokens;
+  model;
+  abortController = null;
+  constructor(tokens, model, _baseUrl) {
+    this.tokens = tokens;
+    this.model = model;
+    this.agentToolProfile = "default";
+  }
+  async ensureFreshTokens() {
+    if (Date.now() < this.tokens.expiresAt - REFRESH_WINDOW_MS) return;
+    try {
+      logger$f.info("Refreshing Codex access token");
+      const fresh = await refreshAccessToken(this.tokens);
+      this.tokens = fresh;
+      writeStoredCodexTokens(fresh);
+    } catch (err) {
+      clearStoredCodexTokens();
+      throw new Error(
+        `Codex token refresh failed — please re-authenticate. ${err instanceof Error ? err.message : ""}`
+      );
+    }
+  }
+  backendHeaders() {
+    const headers = {
+      Authorization: `Bearer ${this.tokens.accessToken}`,
+      "Content-Type": "application/json",
+      Accept: "text/event-stream",
+      originator: "codex_cli_rs",
+      "User-Agent": `codex_cli_rs/${CODEX_CLIENT_VERSION} Vessel`
+    };
+    if (this.tokens.accountId) {
+      headers["ChatGPT-Account-ID"] = this.tokens.accountId;
+    }
+    return headers;
+  }
+  buildInput(userMessage, history) {
+    const input = [];
+    for (const msg of history ?? []) {
+      input.push({
+        type: "message",
+        role: msg.role,
+        content: [{ type: "input_text", text: msg.content }]
+      });
+    }
+    input.push({
+      type: "message",
+      role: "user",
+      content: [{ type: "input_text", text: userMessage }]
+    });
+    return input;
+  }
+  handleStreamEvent(raw, onChunk, emittedTextFromDelta) {
+    if (!raw.trim() || raw.trim() === "[DONE]") return;
+    let event;
+    try {
+      event = JSON.parse(raw);
+    } catch {
+      return;
+    }
+    if (event.type === "response.output_text.delta" && event.delta) {
+      emittedTextFromDelta.value = true;
+      onChunk(event.delta);
+      return;
+    }
+    if (event.type === "response.output_item.done" && !emittedTextFromDelta.value) {
+      const text = event.item?.content?.filter((item) => item.type === "output_text" && item.text).map((item) => item.text).join("");
+      if (text) onChunk(text);
+      return;
+    }
+    if (event.type === "response.failed") {
+      const error = event.response?.error;
+      const message = error?.message || error?.code || "Codex response failed";
+      throw new Error(message);
+    }
+  }
+  async streamCodexResponse(systemPrompt, userMessage, onChunk, history) {
+    const response = await fetch(`${CODEX_BACKEND_BASE_URL}/responses`, {
+      method: "POST",
+      headers: this.backendHeaders(),
+      signal: this.abortController?.signal,
+      body: JSON.stringify({
+        model: this.model,
+        instructions: systemPrompt,
+        input: this.buildInput(userMessage, history),
+        stream: true,
+        store: false
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      throw new Error(
+        `Codex backend request failed: ${response.status}${text ? ` ${text}` : ""}`
+      );
+    }
+    if (!response.body) {
+      throw new Error("Codex backend returned an empty response stream");
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    const emittedTextFromDelta = { value: false };
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      let separatorIndex;
+      while ((separatorIndex = buffer.indexOf("\n\n")) !== -1) {
+        const block = buffer.slice(0, separatorIndex);
+        buffer = buffer.slice(separatorIndex + 2);
+        const data = block.split("\n").filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+        this.handleStreamEvent(data, onChunk, emittedTextFromDelta);
+      }
+    }
+    const trailing = buffer.trim();
+    if (trailing) {
+      const data = trailing.split("\n").filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+      this.handleStreamEvent(data, onChunk, emittedTextFromDelta);
+    }
+  }
+  async streamQuery(systemPrompt, userMessage, onChunk, onEnd, history) {
+    await this.ensureFreshTokens();
+    this.abortController = new AbortController();
+    try {
+      await this.streamCodexResponse(systemPrompt, userMessage, onChunk, history);
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger$f.error("Codex streamQuery error:", err);
+        onChunk(`
+
+[Error: ${msg}]`);
+      }
+    } finally {
+      this.abortController = null;
+      onEnd();
+    }
+  }
+  async streamAgentQuery(systemPrompt, userMessage, _tools, onChunk, _onToolCall, onEnd, history) {
+    await this.ensureFreshTokens();
+    this.abortController = new AbortController();
+    try {
+      await this.streamCodexResponse(systemPrompt, userMessage, onChunk, history);
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger$f.error("Codex streamAgentQuery error:", err);
+        onChunk(`
+
+[Error: ${msg}]`);
+      }
+    } finally {
+      this.abortController = null;
+      onEnd();
+    }
+  }
+  cancel() {
+    this.abortController?.abort();
+    this.abortController = null;
+  }
+}
 function sanitizeProviderConfig(config) {
   return {
     ...config,
@@ -8426,7 +9001,7 @@ function validateProviderConnection(config, options = { requireModel: true }) {
   if (!meta) {
     return "Selected AI provider is not supported.";
   }
-  if (meta.requiresApiKey && !normalized.apiKey) {
+  if (meta.type !== "codex_oauth" && meta.requiresApiKey && !normalized.apiKey) {
     return `${meta.name} requires an API key. Open settings (Ctrl+,) to add one.`;
   }
   if (options.requireModel && !normalized.model) {
@@ -8468,6 +9043,34 @@ function buildLlamaCppCtxWarning(ctxSize) {
   }
   return void 0;
 }
+async function fetchCodexBackendModels(tokens) {
+  const url = new URL("https://chatgpt.com/backend-api/codex/models");
+  url.searchParams.set("client_version", "0.129.0");
+  const headers = {
+    Authorization: `Bearer ${tokens.accessToken}`,
+    originator: "codex_cli_rs",
+    "User-Agent": "codex_cli_rs/0.129.0 Vessel"
+  };
+  if (tokens.accountId) {
+    headers["ChatGPT-Account-ID"] = tokens.accountId;
+  }
+  const response = await fetch(url.toString(), { headers });
+  if (!response.ok) {
+    throw new Error(`Codex backend model discovery failed: ${response.status}`);
+  }
+  const payload = await response.json();
+  if (!Array.isArray(payload.models)) {
+    throw new Error("Codex backend model discovery returned an invalid response");
+  }
+  return payload.models.map((model) => {
+    if (!model || typeof model !== "object") return null;
+    const record = model;
+    const id = record.slug || record.id || record.model;
+    const visibility = record.visibility;
+    if (visibility === "hidden") return null;
+    return typeof id === "string" && id.trim() ? id.trim() : null;
+  }).filter((id) => id !== null);
+}
 async function probeLlamaCppCtxWarning(baseURL) {
   try {
     const root = new URL(baseURL);
@@ -8495,6 +9098,24 @@ async function fetchProviderModels(config) {
     const page2 = await client2.models.list();
     return okResult({ models: page2.data.map((model) => model.id) });
   }
+  if (normalized.id === "openai_codex") {
+    const tokens = readStoredCodexTokens();
+    if (!tokens) {
+      throw new Error("Codex provider requires authentication. Connect your ChatGPT account in settings.");
+    }
+    try {
+      const models2 = await fetchCodexBackendModels(tokens);
+      if (models2.length > 0) {
+        return okResult({ models: models2 });
+      }
+      throw new Error("Codex backend model discovery returned no models");
+    } catch (err) {
+      return okResult({
+        models: PROVIDERS.openai_codex.models,
+        warning: `Using built-in Codex model list because live discovery failed: ${err instanceof Error ? err.message : "Unknown error"}`
+      });
+    }
+  }
   const meta = PROVIDERS[normalized.id];
   const baseURL = normalized.baseUrl || meta?.defaultBaseUrl || "https://api.openai.com/v1";
   const client = new OpenAI({
@@ -8524,10 +9145,19 @@ function createProvider(config) {
       normalized.reasoningEffort
     );
   }
+  if (normalized.id === "openai_codex") {
+    const tokens = readStoredCodexTokens();
+    if (!tokens) {
+      throw new Error(
+        "OpenAI Codex requires authentication. Open settings to connect your ChatGPT account."
+      );
+    }
+    return new CodexProvider(tokens, normalized.model, normalized.baseUrl);
+  }
   return new OpenAICompatProvider(normalized);
 }
 const require$1 = node_module.createRequire(require("url").pathToFileURL(__filename).href);
-const logger$d = createLogger("DevTrace");
+const logger$e = createLogger("DevTrace");
 let cachedFactory;
 function createNoopTraceSession() {
   return {
@@ -8560,7 +9190,7 @@ function loadLocalFactory() {
         return cachedFactory;
       }
     } catch (err) {
-      logger$d.warn("Failed to load local trace logger:", err);
+      logger$e.warn("Failed to load local trace logger:", err);
     }
   }
   return cachedFactory;
@@ -12679,7 +13309,7 @@ function formatDeadLinkMessage(label, result) {
   const status = result.statusCode ? `HTTP ${result.statusCode}` : "dead link";
   return `Skipped stale link "${label}" because ${destination} returned ${status}. Try a different link or URL instead.`;
 }
-const logger$c = createLogger("Screenshot");
+const logger$d = createLogger("Screenshot");
 const SCREENSHOT_RETRY_COUNT = 3;
 const SCREENSHOT_RETRY_BASE_DELAY_MS = 120;
 async function captureScreenshot(wc) {
@@ -12701,7 +13331,7 @@ async function captureScreenshot(wc) {
         }
       }
     } catch (err) {
-      logger$c.debug(
+      logger$d.debug(
         `capturePage attempt ${attempt + 1} failed; retrying if attempts remain.`,
         getErrorMessage(err)
       );
@@ -13575,7 +14205,7 @@ function buildHuggingFaceSearchShortcut(currentUrl, rawQuery) {
     appliedFilters
   };
 }
-const logger$b = createLogger("PageActions");
+const logger$c = createLogger("PageActions");
 function getBookmarkMetadataFromArgs(args) {
   return normalizeBookmarkMetadata({
     intent: args.intent ?? args.intent,
@@ -13761,7 +14391,7 @@ async function executePageScript(wc, script, options) {
     return result;
   } catch (err) {
     const label = options?.label ? ` (${options.label})` : "";
-    logger$b.warn(`Failed to execute page script${label}:`, err);
+    logger$c.warn(`Failed to execute page script${label}:`, err);
     return null;
   } finally {
     if (timer) {
@@ -13862,7 +14492,7 @@ Search results snapshot:
 ${truncated}`;
     }
   } catch (err) {
-    logger$b.warn("Failed to build post-search summary, falling back to nav summary:", err);
+    logger$c.warn("Failed to build post-search summary, falling back to nav summary:", err);
   }
   const fallback = await getPostNavSummary(wc);
   return fallback ? `${fallback}
@@ -13885,7 +14515,7 @@ Page snapshot after navigation:
 ${truncated}`;
     }
   } catch (err) {
-    logger$b.warn("Failed to build post-click navigation summary:", err);
+    logger$c.warn("Failed to build post-click navigation summary:", err);
   }
   return "";
 }
@@ -14379,7 +15009,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       }
     }
   } catch (err) {
-    logger$b.warn("Failed to restore locale via history navigation, trying URL reload fallback:", err);
+    logger$c.warn("Failed to restore locale via history navigation, trying URL reload fallback:", err);
   }
   if (snapshot.url && snapshot.url !== wc.getURL()) {
     try {
@@ -14388,7 +15018,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       await waitForLoad(wc, 3e3);
       return;
     } catch (err) {
-      logger$b.warn("Failed to restore locale via safe URL load, trying page reload fallback:", err);
+      logger$c.warn("Failed to restore locale via safe URL load, trying page reload fallback:", err);
     }
   }
   if (snapshot.url) {
@@ -14396,7 +15026,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       await wc.reload();
       await waitForLoad(wc, 3e3);
     } catch (err) {
-      logger$b.warn("Failed to restore locale via page reload:", err);
+      logger$c.warn("Failed to restore locale via page reload:", err);
     }
   }
 }
@@ -14748,7 +15378,7 @@ ${postActivationOverlayHint}`;
           return `${clickText} -> ${hrefFallbackUrl} (recovered via href fallback)`;
         }
       } catch (err) {
-        logger$b.warn("Failed href fallback after click, returning generic click result:", err);
+        logger$c.warn("Failed href fallback after click, returning generic click result:", err);
       }
     }
   }
@@ -14793,7 +15423,7 @@ async function tryAutoDismissCartDialog(wc) {
       return result;
     }
   } catch (err) {
-    logger$b.warn("Failed to auto-dismiss cart dialog, falling back to dialog actions:", err);
+    logger$c.warn("Failed to auto-dismiss cart dialog, falling back to dialog actions:", err);
   }
   return null;
 }
@@ -17063,7 +17693,7 @@ async function executeAction(name, args, ctx) {
               )
             ]);
           } catch (err) {
-            logger$b.warn("Failed to extract content for read_page, falling back to lighter recovery:", err);
+            logger$c.warn("Failed to extract content for read_page, falling back to lighter recovery:", err);
             content = null;
           }
           if (!content || content.content.length === 0) {
@@ -17080,12 +17710,12 @@ async function executeAction(name, args, ctx) {
                     new Promise((resolve) => setTimeout(() => resolve(null), 3e3))
                   ]);
                 } catch (err) {
-                  logger$b.warn("Failed to re-extract content after iframe consent dismissal:", err);
+                  logger$c.warn("Failed to re-extract content after iframe consent dismissal:", err);
                   content = null;
                 }
               }
             } catch (err) {
-              logger$b.warn("Failed iframe consent dismissal during read_page recovery:", err);
+              logger$c.warn("Failed iframe consent dismissal during read_page recovery:", err);
             }
           }
           if (content && content.content.length > 0) {
@@ -17498,7 +18128,7 @@ ${flow.steps.map((s, i) => `  ${i === 0 ? "→" : " "} ${s.label}`).join("\n")}`
           try {
             page = await extractContent(wc);
           } catch (err) {
-            logger$b.warn("Failed to extract content for suggest:", err);
+            logger$c.warn("Failed to extract content for suggest:", err);
             return "Could not read page. Try navigate to a working URL.";
           }
           const suggestions = [];
@@ -18823,7 +19453,7 @@ Exception: ${result.exceptionDetails}`);
     }
   );
 }
-const logger$a = createLogger("VaultShared");
+const logger$b = createLogger("VaultShared");
 const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 12;
 const AUTH_TAG_LENGTH = 16;
@@ -18900,7 +19530,7 @@ function createVaultIO(vaultFilename, encrypt2, decrypt2) {
       cachedEntries = JSON.parse(json);
       return cachedEntries;
     } catch (err) {
-      logger$a.error("Failed to load vault:", err);
+      logger$b.error("Failed to load vault:", err);
       throw new Error("Could not unlock the vault. Check OS secret storage availability.");
     }
   }
@@ -18969,7 +19599,7 @@ function createAuditLog(filename, maxEntries) {
       } catch {
       }
     } catch (err) {
-      logger$a.error("Failed to write audit log:", err);
+      logger$b.error("Failed to write audit log:", err);
     }
   }
   function readAuditLog2(limit = 100) {
@@ -18979,7 +19609,7 @@ function createAuditLog(filename, maxEntries) {
       const lines = fs$1.readFileSync(auditPath, "utf-8").split("\n").filter((l) => l.trim());
       return lines.slice(-Math.min(limit, maxEntries)).map((line) => JSON.parse(line)).reverse();
     } catch (err) {
-      logger$a.error("Failed to read audit log:", err);
+      logger$b.error("Failed to read audit log:", err);
       return [];
     }
   }
@@ -19087,7 +19717,7 @@ async function requestConsent(request) {
 }
 const AUDIT_FILENAME = "vessel-vault-audit.jsonl";
 const MAX_ENTRIES = 1e3;
-const logger$9 = createLogger("VaultAudit");
+const logger$a = createLogger("VaultAudit");
 function getAuditPath() {
   return path$1.join(electron.app.getPath("userData"), AUDIT_FILENAME);
 }
@@ -19097,7 +19727,7 @@ function appendAuditEntry(entry) {
     fs$1.mkdirSync(path$1.dirname(auditPath), { recursive: true });
     fs$1.appendFileSync(auditPath, JSON.stringify(entry) + "\n");
   } catch (err) {
-    logger$9.error("Failed to write audit log:", err);
+    logger$a.error("Failed to write audit log:", err);
   }
 }
 function readAuditLog$1(limit = 100) {
@@ -19107,7 +19737,7 @@ function readAuditLog$1(limit = 100) {
     const lines = fs$1.readFileSync(auditPath, "utf-8").split("\n").filter((l) => l.trim());
     return lines.slice(-Math.min(limit, MAX_ENTRIES)).map((line) => JSON.parse(line)).reverse();
   } catch (err) {
-    logger$9.error("Failed to read audit log:", err);
+    logger$a.error("Failed to read audit log:", err);
     return [];
   }
 }
@@ -19280,7 +19910,7 @@ async function requestHumanVaultConsent(request) {
 }
 let httpServer = null;
 let mcpAuthToken = null;
-const logger$8 = createLogger("MCP");
+const logger$9 = createLogger("MCP");
 const MCP_AUTH_FILENAME = "mcp-auth.json";
 function getMcpAuthFilePath() {
   const configDir = process.env.VESSEL_CONFIG_DIR || path$1.join(
@@ -19316,7 +19946,7 @@ function writeMcpAuthFile(endpoint, token) {
       { mode: 384 }
     );
   } catch (err) {
-    logger$8.warn("Failed to write auth file:", err);
+    logger$9.warn("Failed to write auth file:", err);
   }
 }
 function clearMcpAuthFile() {
@@ -19341,7 +19971,7 @@ function clearMcpAuthFile() {
       { mode: 384 }
     );
   } catch (err) {
-    logger$8.warn("Failed to clear auth file:", err);
+    logger$9.warn("Failed to clear auth file:", err);
   }
 }
 function asTextResponse(text) {
@@ -19431,7 +20061,7 @@ async function getPostActionState(tabManager, name) {
         }
       }
     } catch (err) {
-      logger$8.warn("Failed to compute post-action state warning:", err);
+      logger$9.warn("Failed to compute post-action state warning:", err);
     }
     return `${warning}
 [state: url=${wc.getURL()}, canGoBack=${tab.canGoBack()}, canGoForward=${tab.canGoForward()}, loading=${wc.isLoading()}]`;
@@ -19533,7 +20163,7 @@ async function waitForConditionMcp(wc, text, selector, timeoutMs) {
         }
       })()
     `).catch((err) => {
-      logger$8.warn("Failed to gather wait_for timeout diagnostic:", err);
+      logger$9.warn("Failed to gather wait_for timeout diagnostic:", err);
       return null;
     });
     if (typeof diagnostic === "string" && diagnostic.trim()) {
@@ -19620,7 +20250,7 @@ function registerTools(server, tabManager, runtime2) {
           const page = await extractContent(wc);
           pageType = detectPageType(page);
         } catch (err) {
-          logger$8.warn("Failed to detect page type for tool scoring, falling back to GENERAL:", err);
+          logger$9.warn("Failed to detect page type for tool scoring, falling back to GENERAL:", err);
         }
       }
       const scored = TOOL_DEFINITIONS.map((def) => {
@@ -21018,7 +21648,7 @@ ${JSON.stringify(otherHighlights, null, 2)}`
             void 0,
             h.color
           ).catch(
-            (err) => logger$8.warn("Failed to restore highlight after removal:", err)
+            (err) => logger$9.warn("Failed to restore highlight after removal:", err)
           );
         }
       }
@@ -21866,7 +22496,7 @@ ${flow.steps.map((s, i) => `  ${i === 0 ? "→" : " "} ${s.label}`).join("\n")}`
       try {
         page = await extractContent(wc);
       } catch (err) {
-        logger$8.warn("Failed to extract page while generating suggestions:", err);
+        logger$9.warn("Failed to extract page while generating suggestions:", err);
         return asTextResponse(
           "Could not read page. Try navigate to a working URL."
         );
@@ -22475,7 +23105,7 @@ ${JSON.stringify(tableJson, null, 2)}`;
         try {
           targetDomain = new URL(tab.state.url).hostname;
         } catch (err) {
-          logger$8.warn("Failed to parse active tab URL for vault_status:", err);
+          logger$9.warn("Failed to parse active tab URL for vault_status:", err);
           return asErrorTextResponse("Could not parse active tab URL");
         }
       }
@@ -22541,7 +23171,7 @@ Use vault_login to fill the login form. Credentials are filled directly — you
       try {
         hostname = new URL(tab.state.url).hostname;
       } catch (err) {
-        logger$8.warn("Failed to parse active tab URL for vault_login:", err);
+        logger$9.warn("Failed to parse active tab URL for vault_login:", err);
         return asErrorTextResponse("Could not parse active tab URL");
       }
       const matches = findEntriesForDomain(`https://${hostname}`);
@@ -22635,7 +23265,7 @@ Use vault_login to fill the login form. Credentials are filled directly — you
       try {
         hostname = new URL(tab.state.url).hostname;
       } catch (err) {
-        logger$8.warn("Failed to parse active tab URL for vault_totp:", err);
+        logger$9.warn("Failed to parse active tab URL for vault_totp:", err);
         return asErrorTextResponse("Could not parse active tab URL");
       }
       const matches = findEntriesForDomain(`https://${hostname}`);
@@ -22933,7 +23563,7 @@ function startMcpServer(tabManager, runtime2, port) {
   });
   mcpAuthToken = getPersistentMcpAuthToken();
   return new Promise((resolve) => {
-    const server = http.createServer(async (req, res) => {
+    const server = http$1.createServer(async (req, res) => {
       const url = new URL(req.url || "/", `http://localhost:${port}`);
       if (url.pathname !== "/mcp") {
         res.writeHead(404);
@@ -22975,7 +23605,7 @@ function startMcpServer(tabManager, runtime2, port) {
         await mcpServer.connect(transport);
         await transport.handleRequest(req, res);
       } catch (error) {
-        logger$8.error("Error handling request:", error);
+        logger$9.error("Error handling request:", error);
         if (!res.headersSent) {
           res.writeHead(500, { "Content-Type": "application/json" });
           res.end(
@@ -22994,7 +23624,7 @@ function startMcpServer(tabManager, runtime2, port) {
     };
     server.once("error", (error) => {
       const message = error.code === "EADDRINUSE" ? `Port ${port} is already in use. MCP server not started.` : error.message;
-      logger$8.error("Server error:", error);
+      logger$9.error("Server error:", error);
       clearMcpAuthFile();
       setMcpHealth({
         configuredPort: port,
@@ -23026,7 +23656,7 @@ function startMcpServer(tabManager, runtime2, port) {
         message: `MCP server listening on ${endpoint}.`
       });
       if (process.env.VESSEL_DEBUG_MCP === "1" || process.env.VESSEL_DEBUG_MCP === "true") {
-        logger$8.info(`Server listening on ${endpoint} (auth enabled)`);
+        logger$9.info(`Server listening on ${endpoint} (auth enabled)`);
       }
       if (mcpAuthToken) {
         writeMcpAuthFile(endpoint, mcpAuthToken);
@@ -23065,7 +23695,7 @@ function stopMcpServer() {
         message: "MCP server is stopped."
       });
       if (process.env.VESSEL_DEBUG_MCP === "1" || process.env.VESSEL_DEBUG_MCP === "true") {
-        logger$8.info("Server stopped");
+        logger$9.info("Server stopped");
       }
       resolve();
     });
@@ -23086,7 +23716,7 @@ const KIT_ID_UNSAFE_CHAR_PATTERN = /[\/\\\0]/;
 function isSafeAutomationKitId(id) {
   return id.length > 0 && !KIT_ID_UNSAFE_CHAR_PATTERN.test(id);
 }
-const logger$7 = createLogger("KitRegistry");
+const logger$8 = createLogger("KitRegistry");
 function getUserKitsDir() {
   return path$1.join(electron.app.getPath("userData"), "kits");
 }
@@ -23124,10 +23754,10 @@ function getInstalledKits() {
       if (isValidKit(parsed)) {
         kits.push(parsed);
       } else {
-        logger$7.warn(`Skipping invalid kit file: ${file}`);
+        logger$8.warn(`Skipping invalid kit file: ${file}`);
       }
     } catch (err) {
-      logger$7.warn(`Failed to read kit file: ${file}`, err);
+      logger$8.warn(`Failed to read kit file: ${file}`, err);
     }
   }
   return kits;
@@ -23199,7 +23829,7 @@ function uninstallKit(id, scheduledKitIds) {
     return errorResult("Failed to remove the kit file.");
   }
 }
-const logger$6 = createLogger("Scheduler");
+const logger$7 = createLogger("Scheduler");
 let jobs = [];
 let removeIdleListener = null;
 let broadcastFn = null;
@@ -23224,7 +23854,7 @@ function saveJobs() {
   try {
     fs$1.writeFileSync(getJobsPath(), JSON.stringify(jobs, null, 2), "utf-8");
   } catch (err) {
-    logger$6.warn("Failed to save jobs:", err);
+    logger$7.warn("Failed to save jobs:", err);
   }
 }
 function normalizeJob(job, now = /* @__PURE__ */ new Date()) {
@@ -23346,7 +23976,7 @@ async function fireJob(job, windowState, runtime2) {
   };
   startActivity();
   if (!settings2.chatProvider) {
-    logger$6.warn(`Job "${job.kitName}" skipped — no chat provider configured`);
+    logger$7.warn(`Job "${job.kitName}" skipped — no chat provider configured`);
     appendActivity(
       "Chat provider not configured. Open Settings (Ctrl+,) to choose a provider."
     );
@@ -23354,7 +23984,7 @@ async function fireJob(job, windowState, runtime2) {
     return;
   }
   if (process.env.VESSEL_DEBUG_SCHEDULER === "1" || process.env.VESSEL_DEBUG_SCHEDULER === "true") {
-    logger$6.info(`Firing scheduled job: ${job.kitName} (${job.id})`);
+    logger$7.info(`Firing scheduled job: ${job.kitName} (${job.id})`);
   }
   try {
     const provider = createProvider(settings2.chatProvider);
@@ -23407,7 +24037,7 @@ function tick(windowState, runtime2) {
     saveJobs();
     broadcastFn?.(Channels.SCHEDULE_JOBS_UPDATE, jobs);
     void fireJob(job, windowState, runtime2).catch((err) => {
-      logger$6.warn("Unexpected error firing job:", err);
+      logger$7.warn("Unexpected error firing job:", err);
     }).finally(fireNext);
   };
   fireNext();
@@ -24517,7 +25147,7 @@ function createFindInPageBridge(tabManager, chromeView) {
     }
   };
 }
-const logger$5 = createLogger("PrivateWindow");
+const logger$6 = createLogger("PrivateWindow");
 const privateWindows = /* @__PURE__ */ new Set();
 function layoutPrivateViews(state2) {
   const { window: win, chromeView, tabManager } = state2;
@@ -24740,7 +25370,7 @@ function createPrivateWindow() {
       privateSession.clearStorageData(),
       privateSession.clearCache()
     ]).catch((error) => {
-      logger$5.warn("Failed to clear private browsing session:", error);
+      logger$6.warn("Failed to clear private browsing session:", error);
     });
   });
   privateWindows.add(state2);
@@ -24750,7 +25380,7 @@ function createPrivateWindow() {
   });
   loadPrivateRenderer(chromeView);
   win.show();
-  logger$5.info("Private browsing window opened");
+  logger$6.info("Private browsing window opened");
   return state2;
 }
 const secondaryWindows = /* @__PURE__ */ new Set();
@@ -25364,6 +25994,48 @@ function registerSecurityHandlers(tabManager) {
     tabManager.goBackToSafety(tabId);
   });
 }
+const logger$5 = createLogger("CodexIPC");
+function registerCodexHandlers() {
+  electron.ipcMain.handle(Channels.CODEX_START_AUTH, async (event) => {
+    const wc = event.sender;
+    if (!wc || wc.isDestroyed()) {
+      return {
+        ok: false,
+        error: "No active window found for sender"
+      };
+    }
+    const sendStatus = (status, error) => {
+      try {
+        wc.send(Channels.CODEX_AUTH_STATUS, { status, error: error || null });
+      } catch {
+        logger$5.warn("Codex auth status send failed — window may be closed");
+      }
+    };
+    try {
+      const tokens = await startCodexOAuth(sendStatus);
+      writeStoredCodexTokens(tokens);
+      return {
+        ok: true,
+        accountEmail: tokens.accountEmail || tokens.accountId,
+        accountId: tokens.accountId
+      };
+    } catch (err) {
+      logger$5.error("Codex auth failed:", err);
+      return {
+        ok: false,
+        error: err instanceof Error ? err.message : "Unknown error"
+      };
+    }
+  });
+  electron.ipcMain.handle(Channels.CODEX_CANCEL_AUTH, () => {
+    cancelCodexOAuth();
+    return { ok: true };
+  });
+  electron.ipcMain.handle(Channels.CODEX_DISCONNECT, () => {
+    clearStoredCodexTokens();
+    return { ok: true };
+  });
+}
 let activeChatProvider = null;
 const logger$4 = createLogger("IPC");
 const VALID_APPROVAL_MODES = ["auto", "confirm-dangerous", "manual"];
@@ -25937,6 +26609,7 @@ function registerIpcHandlers(windowState, runtime2) {
   registerVaultHandlers();
   registerHumanVaultHandlers();
   registerWindowControlHandlers(mainWindow);
+  registerCodexHandlers();
   electron.ipcMain.handle(Channels.AUTOMATION_GET_INSTALLED, () => {
     return getInstalledKits();
   });