npm - @quanta-intellect/vessel-browser - Versions diffs - 0.1.88 → 0.1.90 - Mend

@quanta-intellect/vessel-browser 0.1.88 → 0.1.90

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/out/main/index.js +760 -91
package/out/preload/index.js +16 -1
package/out/renderer/assets/{index-DRzS5XLW.js → index-Bu2bPSV-.js} +266 -130
package/out/renderer/index.html +1 -1
package/package.json +1 -1

package/out/main/index.js CHANGED Viewed

@@ -6,11 +6,12 @@ const fs = require("fs");
 const crypto$1 = require("crypto");
 const Anthropic = require("@anthropic-ai/sdk");
 const OpenAI = require("openai");
+const http = require("http");
 const path$1 = require("node:path");
 const node_module = require("node:module");
 const zod = require("zod");
 const crypto$2 = require("node:crypto");
-const http = require("node:http");
+const http$1 = require("node:http");
 const os = require("node:os");
 const mcp_js = require("@modelcontextprotocol/sdk/server/mcp.js");
 const streamableHttp_js = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
@@ -77,7 +78,8 @@ const defaults = {
 };
 const SAVE_DEBOUNCE_MS$6 = 150;
 const CHAT_PROVIDER_SECRET_FILENAME = "vessel-chat-provider-secret";
-const logger$k = createLogger("Settings");
+const CODEX_TOKENS_FILENAME = "vessel-codex-tokens";
+const logger$n = createLogger("Settings");
 const SETTABLE_KEYS = new Set(Object.keys(defaults));
 let settings = null;
 let settingsIssues = [];
@@ -131,6 +133,38 @@ function clearStoredProviderSecret() {
   } catch {
   }
 }
+function getCodexTokensPath() {
+  return path.join(getUserDataPath(), CODEX_TOKENS_FILENAME);
+}
+function readStoredCodexTokens() {
+  try {
+    const raw = fs.readFileSync(getCodexTokensPath());
+    const decoded = canUseSafeStorage$1() && electron.safeStorage.decryptString ? electron.safeStorage.decryptString(raw) : raw.toString("utf-8");
+    const parsed = JSON.parse(decoded);
+    if (parsed && typeof parsed === "object" && typeof parsed.accessToken === "string" && typeof parsed.refreshToken === "string") {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function writeStoredCodexTokens(tokens) {
+  const filePath = getCodexTokensPath();
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  const payload = JSON.stringify(tokens);
+  if (canUseSafeStorage$1()) {
+    const encrypted = electron.safeStorage.encryptString(payload);
+    fs.writeFileSync(filePath, encrypted, { mode: 384 });
+    return;
+  }
+  fs.writeFileSync(filePath, payload, { mode: 384 });
+}
+function clearStoredCodexTokens() {
+  try {
+    fs.unlinkSync(getCodexTokensPath());
+  } catch {
+  }
+}
 function mergeChatProviderSecret(provider) {
   if (!provider) return null;
   const stored = readStoredProviderSecret();
@@ -157,12 +191,14 @@ function buildPersistedSettings(source) {
 }
 function getRendererSettings() {
   const current = loadSettings();
+  const provider = current.chatProvider;
+  const hasCodexTokens = provider?.id === "openai_codex" && readStoredCodexTokens() !== null;
   return {
     ...current,
-    chatProvider: current.chatProvider ? {
-      ...current.chatProvider,
+    chatProvider: provider ? {
+      ...provider,
       apiKey: "",
-      hasApiKey: Boolean(current.chatProvider.apiKey)
+      hasApiKey: Boolean(provider.apiKey) || hasCodexTokens
     } : null
   };
 }
@@ -234,7 +270,7 @@ function persistNow() {
       getSettingsPath(),
       JSON.stringify(buildPersistedSettings(settings), null, 2)
     )
-  ).catch((err) => logger$k.error("Failed to save settings:", err));
+  ).catch((err) => logger$n.error("Failed to save settings:", err));
 }
 function saveSettings() {
   saveDirty = true;
@@ -341,7 +377,7 @@ function assertPermittedNavigationURL(url) {
 }
 const MAX_CUSTOM_HISTORY = 50;
 const READER_MODE_DATA_URL_PREFIX = "data:text/html;charset=utf-8,";
-const logger$j = createLogger("Tab");
+const logger$m = createLogger("Tab");
 const sessionCertExceptions = /* @__PURE__ */ new WeakMap();
 const sessionsWithVerifyProc = /* @__PURE__ */ new WeakSet();
 const CERT_VERIFY_TRUST = 0;
@@ -407,7 +443,7 @@ class Tab {
   guardedLoadURL(url, options) {
     const blockReason = this.getNavigationBlockReason(url);
     if (blockReason) {
-      logger$j.warn(blockReason);
+      logger$m.warn(blockReason);
       return blockReason;
     }
     void this.view.webContents.loadURL(url, options);
@@ -491,7 +527,7 @@ class Tab {
     wc.setWindowOpenHandler(({ url, disposition }) => {
       const error = this.getNavigationBlockReason(url);
       if (error) {
-        logger$j.warn(error);
+        logger$m.warn(error);
         return { action: "deny" };
       }
       this.onOpenUrl?.({
@@ -505,7 +541,7 @@ class Tab {
       const error = this.getNavigationBlockReason(url);
       if (!error) return;
       event.preventDefault();
-      logger$j.warn(`${context}: ${error}`);
+      logger$m.warn(`${context}: ${error}`);
     };
     wc.on("will-navigate", (event, url) => {
       blockNavigation(event, url, "Blocked top-level navigation");
@@ -589,7 +625,7 @@ class Tab {
         ::-webkit-scrollbar-thumb { background: rgba(255,255,255,0.12); border-radius: 999px; }
         ::-webkit-scrollbar-thumb:hover { background: rgba(255,255,255,0.22); }
         ::-webkit-scrollbar-corner { background: transparent; }
-      `).catch((err) => logger$j.warn("Failed to inject scrollbar CSS:", err));
+      `).catch((err) => logger$m.warn("Failed to inject scrollbar CSS:", err));
     });
     wc.on("page-favicon-updated", (_, favicons) => {
       this._state.favicon = favicons[0] || "";
@@ -625,7 +661,7 @@ class Tab {
       ).then((highlightedText) => {
         this.buildContextMenu(wc, params, highlightedText.trim());
       }).catch((err) => {
-        logger$j.warn("Failed to inspect highlighted text for context menu:", err);
+        logger$m.warn("Failed to inspect highlighted text for context menu:", err);
         this.buildContextMenu(wc, params, "");
       });
     });
@@ -826,7 +862,7 @@ class Tab {
         "document.documentElement.outerHTML"
       );
     } catch (err) {
-      logger$j.warn("Failed to retrieve page source:", err);
+      logger$m.warn("Failed to retrieve page source:", err);
       return;
     }
     const escaped = html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
@@ -954,7 +990,7 @@ class Tab {
             document.addEventListener('mouseup', window.__vesselHighlightHandler);
           }
         })()
-      `).catch((err) => logger$j.warn("Failed to inject highlight listener:", err));
+      `).catch((err) => logger$m.warn("Failed to inject highlight listener:", err));
     } else {
       void wc.executeJavaScript(`
         (function() {
@@ -965,7 +1001,7 @@ class Tab {
             delete window.__vesselHighlightHandler;
           }
         })()
-      `).catch((err) => logger$j.warn("Failed to remove highlight listener:", err));
+      `).catch((err) => logger$m.warn("Failed to remove highlight listener:", err));
     }
   }
   get webContentsId() {
@@ -1002,7 +1038,7 @@ const SEARCH_ENGINE_PRESETS = {
   ecosia: { label: "Ecosia", url: "https://www.ecosia.org/search?q=" },
   kagi: { label: "Kagi", url: "https://kagi.com/search?q=" }
 };
-const logger$i = createLogger("JsonPersistence");
+const logger$l = createLogger("JsonPersistence");
 function canUseSafeStorage() {
   try {
     return electron.safeStorage.isEncryptionAvailable();
@@ -1067,7 +1103,7 @@ function createDebouncedJsonPersistence({
         data,
         typeof data === "string" ? { encoding: "utf-8", mode: 384 } : { mode: 384 }
       )
-    ).catch((err) => logger$i.error(`Failed to save ${logLabel}:`, err));
+    ).catch((err) => logger$l.error(`Failed to save ${logLabel}:`, err));
   };
   const schedule = () => {
     saveDirty2 = true;
@@ -2746,7 +2782,7 @@ function destroySession(tabId) {
     sessions.delete(tabId);
   }
 }
-const logger$h = createLogger("TabManager");
+const logger$k = createLogger("TabManager");
 function sanitizePdfFilename(title) {
   const clean = title.replace(/[<>:"/\\|?*\x00-\x1f]/g, " ").replace(/\s+/g, " ").trim();
   const base = (clean || "Vessel Page").replace(/\.pdf$/i, "");
@@ -3145,7 +3181,7 @@ class TabManager {
     }));
     if (entries.length > 0) {
       void highlightBatchOnPage(wc, entries).catch(
-        (err) => logger$h.warn("Failed to batch highlight:", err)
+        (err) => logger$k.warn("Failed to batch highlight:", err)
       );
     }
   }
@@ -3167,12 +3203,12 @@ class TabManager {
         const result = await captureSelectionHighlight(wc);
         if (result.success && result.text) {
           await highlightOnPage(wc, null, result.text, void 0, void 0, "yellow").catch(
-            (err) => logger$h.warn("Failed to capture highlight:", err)
+            (err) => logger$k.warn("Failed to capture highlight:", err)
           );
         }
         this.highlightCaptureCallback?.(result);
       } catch (err) {
-        logger$h.warn("Failed to capture highlight from page:", err);
+        logger$k.warn("Failed to capture highlight from page:", err);
         this.highlightCaptureCallback?.({
           success: false,
           message: "Could not capture selection"
@@ -3197,7 +3233,7 @@ class TabManager {
           void this.removeHighlightMarksForText(wc, text);
         }
       } catch (err) {
-        logger$h.warn("Failed to remove highlight from matching tab:", err);
+        logger$k.warn("Failed to remove highlight from matching tab:", err);
       }
     }
     this.highlightCaptureCallback?.({
@@ -3228,12 +3264,12 @@ class TabManager {
               void 0,
               color
             ).catch(
-              (err) => logger$h.warn("Failed to update highlight color:", err)
+              (err) => logger$k.warn("Failed to update highlight color:", err)
             );
           });
         }
       } catch (err) {
-        logger$h.warn("Failed to iterate highlights for color change:", err);
+        logger$k.warn("Failed to iterate highlights for color change:", err);
       }
     }
     this.highlightCaptureCallback?.({
@@ -3274,7 +3310,7 @@ class TabManager {
         });
       })()`
     ).catch(
-      (err) => logger$h.warn("Failed to remove highlight marks:", err)
+      (err) => logger$k.warn("Failed to remove highlight marks:", err)
     );
   }
   broadcastState() {
@@ -3477,7 +3513,12 @@ const Channels = {
   CLEAR_BROWSING_DATA: "browsing-data:clear",
   CLEAR_BROWSING_DATA_OPEN: "browsing-data:open",
   // Picture-in-Picture
-  TAB_TOGGLE_PIP: "tab:toggle-pip"
+  TAB_TOGGLE_PIP: "tab:toggle-pip",
+  // Codex OAuth
+  CODEX_START_AUTH: "codex:start-auth",
+  CODEX_CANCEL_AUTH: "codex:cancel-auth",
+  CODEX_AUTH_STATUS: "codex:auth-status",
+  CODEX_DISCONNECT: "codex:disconnect"
 };
 const MAX_DETAIL_ITEMS = 3;
 const MIN_BLOCK_SIMILARITY = 0.82;
@@ -4435,7 +4476,7 @@ function errorResult(error, value) {
 function getErrorMessage(error, fallback = "Unknown error") {
   return error instanceof Error && error.message ? error.message : fallback;
 }
-const logger$g = createLogger("Premium");
+const logger$j = createLogger("Premium");
 const VERIFICATION_API = process.env.VESSEL_PREMIUM_API || "https://vesselpremium.quantaintellect.com";
 const FREE_TOOL_ITERATION_LIMIT = 50;
 const REVALIDATION_INTERVAL_MS = 24 * 60 * 60 * 1e3;
@@ -4551,7 +4592,7 @@ async function verifySubscription$1(identifier) {
     });
     if (!res.ok) {
       const detail = await readApiErrorDetail(res);
-      logger$g.warn(
+      logger$j.warn(
         "Verification API returned a non-OK status:",
         res.status,
         detail
@@ -4570,7 +4611,7 @@ async function verifySubscription$1(identifier) {
     setSetting("premium", updated);
     return updated;
   } catch (err) {
-    logger$g.warn("Verification failed:", err);
+    logger$j.warn("Verification failed:", err);
     return current;
   }
 }
@@ -5143,7 +5184,7 @@ const EXTRACT_TIMEOUT_MAX_MS = 2e4;
 const MUTATION_CAPTURE_INTERVAL_MS = 5e3;
 const MUTATION_SETTLE_AFTER_MS = 1500;
 const AGENT_STREAM_IDLE_TIMEOUT_MS = 3e4;
-const logger$f = createLogger("Extractor");
+const logger$i = createLogger("Extractor");
 const EMPTY_PAGE_CONTENT = {
   title: "",
   content: "",
@@ -5893,7 +5934,7 @@ async function executeScript(webContents, script) {
       })
     ]);
   } catch (err) {
-    logger$f.warn("Failed to execute page script:", err);
+    logger$i.warn("Failed to execute page script:", err);
     return null;
   } finally {
     if (timer) {
@@ -6000,7 +6041,7 @@ async function estimateExtractionTimeout(webContents) {
       return EXTRACT_TIMEOUT_BASE_MS + extra;
     }
   } catch (err) {
-    logger$f.warn("Failed to estimate extraction timeout, using base timeout:", err);
+    logger$i.warn("Failed to estimate extraction timeout, using base timeout:", err);
   }
   return EXTRACT_TIMEOUT_BASE_MS;
 }
@@ -6609,8 +6650,8 @@ function resizeSidebarViews(state2) {
   }
 }
 function generateReaderHTML(page) {
-  const escapedTitle = escapeHtml(page.title);
-  const escapedByline = escapeHtml(page.byline);
+  const escapedTitle = escapeHtml$1(page.title);
+  const escapedByline = escapeHtml$1(page.byline);
   const renderedContent = renderReaderContent(page);
   return `<!DOCTYPE html>
 <html lang="en">
@@ -6698,9 +6739,9 @@ function renderReaderContent(page) {
   if (!source) {
     return "<p>No readable content was available for this page.</p>";
   }
-  return source.split(/\n{2,}/).map((block) => block.trim()).filter(Boolean).map((block) => `<p>${escapeHtml(block).replace(/\n/g, "<br>")}</p>`).join("\n");
+  return source.split(/\n{2,}/).map((block) => block.trim()).filter(Boolean).map((block) => `<p>${escapeHtml$1(block).replace(/\n/g, "<br>")}</p>`).join("\n");
 }
-function escapeHtml(str) {
+function escapeHtml$1(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
 const mcpStatusChangeListeners = /* @__PURE__ */ new Set();
@@ -7177,6 +7218,17 @@ const PROVIDERS = {
     apiKeyPlaceholder: "sk-...",
     apiKeyHint: "Get your key from platform.openai.com"
   },
+  openai_codex: {
+    id: "openai_codex",
+    name: "OpenAI Codex",
+    type: "codex_oauth",
+    defaultModel: "gpt-5",
+    models: ["gpt-5", "gpt-5-mini", "gpt-5-nano", "o4", "o4-mini"],
+    requiresApiKey: false,
+    defaultBaseUrl: "https://api.openai.com/v1",
+    apiKeyPlaceholder: "",
+    apiKeyHint: "Sign in with your ChatGPT Plus or Pro subscription"
+  },
   openrouter: {
     id: "openrouter",
     name: "OpenRouter",
@@ -7348,7 +7400,7 @@ const MAX_MCP_NAV_CONTENT_LENGTH = 3e4;
 const MAX_AGENT_DEBUG_CONTENT_LENGTH = 2e4;
 const LLAMA_CPP_MIN_CTX_TOKENS = 16384;
 const LLAMA_CPP_RECOMMENDED_CTX_TOKENS = 32768;
-const logger$e = createLogger("OpenAIProvider");
+const logger$h = createLogger("OpenAIProvider");
 function shouldDebugAgentLoop() {
   const value = process.env.VESSEL_DEBUG_AGENT_LOOP;
   return value === "1" || value === "true";
@@ -7873,9 +7925,9 @@ function resolveToolCallName(rawName, args, availableToolNames) {
 function logAgentLoopDebug(payload) {
   if (!shouldDebugAgentLoop()) return;
   try {
-    logger$e.info(`[agent-debug] ${JSON.stringify(payload)}`);
+    logger$h.info(`[agent-debug] ${JSON.stringify(payload)}`);
   } catch (err) {
-    logger$e.warn("Failed to serialize debug payload:", err);
+    logger$h.warn("Failed to serialize debug payload:", err);
   }
 }
 function recoverTextEncodedToolCalls(text, availableToolNames) {
@@ -8409,6 +8461,525 @@ class OpenAICompatProvider {
     this.abortController?.abort();
   }
 }
+const logger$g = createLogger("CodexOAuth");
+const ISSUER = "https://auth.openai.com";
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const SCOPE = "openid profile email offline_access api.connectors.read api.connectors.invoke";
+const AUTH_TIMEOUT_MS = 5 * 60 * 1e3;
+const PREFERRED_PORT = 1455;
+const FALLBACK_PORT = 1457;
+let activeFlow = null;
+function base64url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce() {
+  const codeVerifier = base64url(crypto$1.randomBytes(64));
+  const hash = crypto$1.createHash("sha256").update(codeVerifier).digest();
+  const codeChallenge = base64url(hash);
+  return { codeVerifier, codeChallenge };
+}
+function generateState() {
+  return base64url(crypto$1.randomBytes(32));
+}
+function buildAuthorizeUrl(port, pkce, state2) {
+  const redirectUri = `http://localhost:${port}/auth/callback`;
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: SCOPE,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: "S256",
+    state: state2,
+    id_token_add_organizations: "true",
+    codex_cli_simplified_flow: "true",
+    originator: "codex_cli_rs"
+  });
+  return `${ISSUER}/oauth/authorize?${params.toString()}`;
+}
+function parseJwtClaims(idToken) {
+  try {
+    const parts = idToken.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    const authClaims = payload["https://api.openai.com/auth"] || {};
+    const accountId = authClaims.chatgpt_account_id || payload.chatgpt_account_id || payload.sub || "";
+    const email = authClaims.email || payload.email || void 0;
+    return { accountId, email };
+  } catch {
+    return null;
+  }
+}
+function parseTokenExpiry(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return Date.now() + 36e5;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    if (payload.exp && typeof payload.exp === "number") {
+      return payload.exp * 1e3;
+    }
+  } catch {
+  }
+  return Date.now() + 36e5;
+}
+async function exchangeIdTokenForApiKey(idToken) {
+  const body = new URLSearchParams({
+    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
+    client_id: CLIENT_ID,
+    requested_token: "openai-api-key",
+    subject_token: idToken,
+    subject_token_type: "urn:ietf:params:oauth:token-type:id_token"
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `OpenAI API token exchange failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") {
+        errorMsg = err.error_description;
+      } else if (typeof err.error === "string") {
+        errorMsg = err.error;
+      }
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  if (!data.access_token) {
+    throw new Error("OpenAI API token exchange did not return an access token");
+  }
+  return data.access_token;
+}
+async function ensureCodexApiKey(tokens) {
+  if (tokens.apiKey) return tokens;
+  if (!tokens.idToken) return tokens;
+  try {
+    return {
+      ...tokens,
+      apiKey: await exchangeIdTokenForApiKey(tokens.idToken)
+    };
+  } catch (err) {
+    logger$g.warn(
+      "Codex API-key token exchange failed; continuing with ChatGPT OAuth tokens:",
+      err
+    );
+    return tokens;
+  }
+}
+async function exchangeCodeForTokens(code, redirectUri, codeVerifier) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    client_id: CLIENT_ID,
+    code_verifier: codeVerifier
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `Token exchange failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") {
+        errorMsg = err.error_description;
+      } else if (typeof err.error === "string") {
+        errorMsg = err.error;
+      }
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  const claims = parseJwtClaims(data.id_token);
+  const expiresAt = parseTokenExpiry(data.access_token);
+  const tokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    idToken: data.id_token,
+    expiresAt,
+    accountId: claims?.accountId || "",
+    accountEmail: claims?.email
+  };
+  return ensureCodexApiKey(tokens);
+}
+async function refreshAccessToken(tokens) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: tokens.refreshToken,
+    client_id: CLIENT_ID
+  });
+  const response = await fetch(`${ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMsg = `Token refresh failed: ${response.status}`;
+    try {
+      const err = await response.json();
+      if (typeof err.error_description === "string") errorMsg = err.error_description;
+      else if (typeof err.error === "string") errorMsg = err.error;
+    } catch {
+    }
+    throw new Error(errorMsg);
+  }
+  const data = await response.json();
+  const idToken = data.id_token || tokens.idToken || "";
+  const claims = idToken ? parseJwtClaims(idToken) : null;
+  const expiresAt = parseTokenExpiry(data.access_token);
+  const refreshedTokens = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token || tokens.refreshToken,
+    idToken,
+    apiKey: tokens.apiKey,
+    expiresAt,
+    accountId: claims?.accountId || tokens.accountId || "",
+    accountEmail: claims?.email || tokens.accountEmail
+  };
+  return ensureCodexApiKey(refreshedTokens);
+}
+function startServer(port, pkce, expectedState, resolve, reject) {
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url || "/", `http://localhost:${port}`);
+    if (url.pathname === "/auth/callback") {
+      const state2 = url.searchParams.get("state");
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        const msg = errorDescription || error;
+        res.end(`Authorization failed: ${msg}`);
+        reject(new Error(msg));
+        return;
+      }
+      if (state2 !== expectedState) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end("State mismatch. Please try again.");
+        reject(new Error("State mismatch"));
+        return;
+      }
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end("Missing authorization code.");
+        reject(new Error("Missing authorization code"));
+        return;
+      }
+      try {
+        activeFlow?.onStatus("exchanging");
+        const redirectUri = `http://localhost:${activeFlow?.port ?? port}/auth/callback`;
+        const tokens = await exchangeCodeForTokens(code, redirectUri, pkce.codeVerifier);
+        res.writeHead(302, {
+          Location: `/success?email=${encodeURIComponent(tokens.accountEmail || tokens.accountId)}`,
+          Connection: "close"
+        });
+        res.end();
+        resolve(tokens);
+      } catch (err) {
+        res.writeHead(400, { "Content-Type": "text/plain", "Connection": "close" });
+        res.end(`Token exchange failed: ${err instanceof Error ? err.message : "Unknown error"}`);
+        reject(err instanceof Error ? err : new Error("Token exchange failed"));
+      }
+      return;
+    }
+    if (url.pathname === "/success") {
+      const email = url.searchParams.get("email") || "";
+      res.writeHead(200, { "Content-Type": "text/html", "Connection": "close" });
+      res.end(`<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>Vessel — Signed In</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#111;color:#eee}</style></head>
+<body><div style="text-align:center"><h1>✓ Signed In</h1>
+<p>Connected as ${escapeHtml(email)}</p><p>You can close this tab.</p></div></body></html>`);
+      return;
+    }
+    if (url.pathname === "/cancel") {
+      res.writeHead(200, { "Content-Type": "text/plain", "Connection": "close" });
+      res.end("Login cancelled");
+      reject(new Error("Login cancelled by user"));
+      return;
+    }
+    res.writeHead(404, { "Connection": "close" });
+    res.end("Not found");
+  });
+  return server;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+async function bindServer(server) {
+  const allowedPorts = [PREFERRED_PORT, FALLBACK_PORT];
+  for (const port of allowedPorts) {
+    try {
+      await new Promise((resolve, reject) => {
+        const onError = (err) => {
+          server.off("listening", onListening);
+          reject(err);
+        };
+        const onListening = () => {
+          server.off("error", onError);
+          resolve();
+        };
+        server.once("error", onError);
+        server.once("listening", onListening);
+        server.listen(port, "127.0.0.1");
+      });
+      return port;
+    } catch (err) {
+      if (err.code === "EADDRINUSE") {
+        continue;
+      }
+      throw err;
+    }
+  }
+  throw new Error(
+    `Could not bind Codex OAuth callback server to registered ports ${allowedPorts.join(", ")}`
+  );
+}
+async function startCodexOAuth(onStatus) {
+  if (activeFlow) {
+    throw new Error("Auth flow already in progress");
+  }
+  const pkce = generatePkce();
+  const state2 = generateState();
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const safeOnStatus = (status, error) => {
+      try {
+        onStatus(status, error);
+      } catch {
+        logger$g.warn("Codex OAuth status callback failed — window may be closed");
+      }
+    };
+    const wrappedResolve = (tokens) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      safeOnStatus("connected");
+      resolve(tokens);
+    };
+    const wrappedReject = (err) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      safeOnStatus("error", err.message);
+      reject(err);
+    };
+    const server = startServer(0, pkce, state2, wrappedResolve, wrappedReject);
+    const timeout = setTimeout(() => {
+      wrappedReject(new Error("Auth flow timed out after 5 minutes"));
+    }, AUTH_TIMEOUT_MS);
+    activeFlow = {
+      state: state2,
+      codeVerifier: pkce.codeVerifier,
+      port: 0,
+      server,
+      timeout,
+      onStatus
+    };
+    const cleanup = () => {
+      if (activeFlow?.timeout) clearTimeout(activeFlow.timeout);
+      activeFlow?.server.close();
+      activeFlow = null;
+    };
+    bindServer(server).then((port) => {
+      if (settled) return;
+      activeFlow.port = port;
+      const authUrl = buildAuthorizeUrl(port, pkce, state2);
+      safeOnStatus("waiting");
+      electron.shell.openExternal(authUrl).catch((err) => {
+        logger$g.warn("Failed to open browser, user will need the URL:", err);
+      });
+    }).catch(wrappedReject);
+  });
+}
+function cancelCodexOAuth() {
+  if (!activeFlow) return;
+  activeFlow.server.close();
+  if (activeFlow.timeout) clearTimeout(activeFlow.timeout);
+  try {
+    activeFlow.onStatus("idle");
+  } catch {
+    logger$g.warn("Codex OAuth cancel status callback failed — window may be closed");
+  }
+  activeFlow = null;
+}
+const logger$f = createLogger("CodexProvider");
+const REFRESH_WINDOW_MS = 5 * 60 * 1e3;
+const CODEX_BACKEND_BASE_URL = "https://chatgpt.com/backend-api/codex";
+const CODEX_CLIENT_VERSION = "0.129.0";
+class CodexProvider {
+  agentToolProfile;
+  tokens;
+  model;
+  abortController = null;
+  constructor(tokens, model, _baseUrl) {
+    this.tokens = tokens;
+    this.model = model;
+    this.agentToolProfile = "default";
+  }
+  async ensureFreshTokens() {
+    if (Date.now() < this.tokens.expiresAt - REFRESH_WINDOW_MS) return;
+    try {
+      logger$f.info("Refreshing Codex access token");
+      const fresh = await refreshAccessToken(this.tokens);
+      this.tokens = fresh;
+      writeStoredCodexTokens(fresh);
+    } catch (err) {
+      clearStoredCodexTokens();
+      throw new Error(
+        `Codex token refresh failed — please re-authenticate. ${err instanceof Error ? err.message : ""}`
+      );
+    }
+  }
+  backendHeaders() {
+    const headers = {
+      Authorization: `Bearer ${this.tokens.accessToken}`,
+      "Content-Type": "application/json",
+      Accept: "text/event-stream",
+      originator: "codex_cli_rs",
+      "User-Agent": `codex_cli_rs/${CODEX_CLIENT_VERSION} Vessel`
+    };
+    if (this.tokens.accountId) {
+      headers["ChatGPT-Account-ID"] = this.tokens.accountId;
+    }
+    return headers;
+  }
+  buildInput(userMessage, history) {
+    const input = [];
+    for (const msg of history ?? []) {
+      input.push({
+        type: "message",
+        role: msg.role,
+        content: [{ type: "input_text", text: msg.content }]
+      });
+    }
+    input.push({
+      type: "message",
+      role: "user",
+      content: [{ type: "input_text", text: userMessage }]
+    });
+    return input;
+  }
+  handleStreamEvent(raw, onChunk, emittedTextFromDelta) {
+    if (!raw.trim() || raw.trim() === "[DONE]") return;
+    let event;
+    try {
+      event = JSON.parse(raw);
+    } catch {
+      return;
+    }
+    if (event.type === "response.output_text.delta" && event.delta) {
+      emittedTextFromDelta.value = true;
+      onChunk(event.delta);
+      return;
+    }
+    if (event.type === "response.output_item.done" && !emittedTextFromDelta.value) {
+      const text = event.item?.content?.filter((item) => item.type === "output_text" && item.text).map((item) => item.text).join("");
+      if (text) onChunk(text);
+      return;
+    }
+    if (event.type === "response.failed") {
+      const error = event.response?.error;
+      const message = error?.message || error?.code || "Codex response failed";
+      throw new Error(message);
+    }
+  }
+  async streamCodexResponse(systemPrompt, userMessage, onChunk, history) {
+    const response = await fetch(`${CODEX_BACKEND_BASE_URL}/responses`, {
+      method: "POST",
+      headers: this.backendHeaders(),
+      signal: this.abortController?.signal,
+      body: JSON.stringify({
+        model: this.model,
+        instructions: systemPrompt,
+        input: this.buildInput(userMessage, history),
+        stream: true,
+        store: false
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      throw new Error(
+        `Codex backend request failed: ${response.status}${text ? ` ${text}` : ""}`
+      );
+    }
+    if (!response.body) {
+      throw new Error("Codex backend returned an empty response stream");
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    const emittedTextFromDelta = { value: false };
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      let separatorIndex;
+      while ((separatorIndex = buffer.indexOf("\n\n")) !== -1) {
+        const block = buffer.slice(0, separatorIndex);
+        buffer = buffer.slice(separatorIndex + 2);
+        const data = block.split("\n").filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+        this.handleStreamEvent(data, onChunk, emittedTextFromDelta);
+      }
+    }
+    const trailing = buffer.trim();
+    if (trailing) {
+      const data = trailing.split("\n").filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+      this.handleStreamEvent(data, onChunk, emittedTextFromDelta);
+    }
+  }
+  async streamQuery(systemPrompt, userMessage, onChunk, onEnd, history) {
+    await this.ensureFreshTokens();
+    this.abortController = new AbortController();
+    try {
+      await this.streamCodexResponse(systemPrompt, userMessage, onChunk, history);
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger$f.error("Codex streamQuery error:", err);
+        onChunk(`
+[Error: ${msg}]`);
+      }
+    } finally {
+      this.abortController = null;
+      onEnd();
+    }
+  }
+  async streamAgentQuery(systemPrompt, userMessage, _tools, onChunk, _onToolCall, onEnd, history) {
+    await this.ensureFreshTokens();
+    this.abortController = new AbortController();
+    try {
+      await this.streamCodexResponse(systemPrompt, userMessage, onChunk, history);
+    } catch (err) {
+      if (err.name !== "AbortError") {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger$f.error("Codex streamAgentQuery error:", err);
+        onChunk(`
+[Error: ${msg}]`);
+      }
+    } finally {
+      this.abortController = null;
+      onEnd();
+    }
+  }
+  cancel() {
+    this.abortController?.abort();
+    this.abortController = null;
+  }
+}
 function sanitizeProviderConfig(config) {
   return {
     ...config,
@@ -8430,7 +9001,7 @@ function validateProviderConnection(config, options = { requireModel: true }) {
   if (!meta) {
     return "Selected AI provider is not supported.";
   }
-  if (meta.requiresApiKey && !normalized.apiKey) {
+  if (meta.type !== "codex_oauth" && meta.requiresApiKey && !normalized.apiKey) {
     return `${meta.name} requires an API key. Open settings (Ctrl+,) to add one.`;
   }
   if (options.requireModel && !normalized.model) {
@@ -8472,6 +9043,34 @@ function buildLlamaCppCtxWarning(ctxSize) {
   }
   return void 0;
 }
+async function fetchCodexBackendModels(tokens) {
+  const url = new URL("https://chatgpt.com/backend-api/codex/models");
+  url.searchParams.set("client_version", "0.129.0");
+  const headers = {
+    Authorization: `Bearer ${tokens.accessToken}`,
+    originator: "codex_cli_rs",
+    "User-Agent": "codex_cli_rs/0.129.0 Vessel"
+  };
+  if (tokens.accountId) {
+    headers["ChatGPT-Account-ID"] = tokens.accountId;
+  }
+  const response = await fetch(url.toString(), { headers });
+  if (!response.ok) {
+    throw new Error(`Codex backend model discovery failed: ${response.status}`);
+  }
+  const payload = await response.json();
+  if (!Array.isArray(payload.models)) {
+    throw new Error("Codex backend model discovery returned an invalid response");
+  }
+  return payload.models.map((model) => {
+    if (!model || typeof model !== "object") return null;
+    const record = model;
+    const id = record.slug || record.id || record.model;
+    const visibility = record.visibility;
+    if (visibility === "hidden") return null;
+    return typeof id === "string" && id.trim() ? id.trim() : null;
+  }).filter((id) => id !== null);
+}
 async function probeLlamaCppCtxWarning(baseURL) {
   try {
     const root = new URL(baseURL);
@@ -8499,6 +9098,24 @@ async function fetchProviderModels(config) {
     const page2 = await client2.models.list();
     return okResult({ models: page2.data.map((model) => model.id) });
   }
+  if (normalized.id === "openai_codex") {
+    const tokens = readStoredCodexTokens();
+    if (!tokens) {
+      throw new Error("Codex provider requires authentication. Connect your ChatGPT account in settings.");
+    }
+    try {
+      const models2 = await fetchCodexBackendModels(tokens);
+      if (models2.length > 0) {
+        return okResult({ models: models2 });
+      }
+      throw new Error("Codex backend model discovery returned no models");
+    } catch (err) {
+      return okResult({
+        models: PROVIDERS.openai_codex.models,
+        warning: `Using built-in Codex model list because live discovery failed: ${err instanceof Error ? err.message : "Unknown error"}`
+      });
+    }
+  }
   const meta = PROVIDERS[normalized.id];
   const baseURL = normalized.baseUrl || meta?.defaultBaseUrl || "https://api.openai.com/v1";
   const client = new OpenAI({
@@ -8528,10 +9145,19 @@ function createProvider(config) {
       normalized.reasoningEffort
     );
   }
+  if (normalized.id === "openai_codex") {
+    const tokens = readStoredCodexTokens();
+    if (!tokens) {
+      throw new Error(
+        "OpenAI Codex requires authentication. Open settings to connect your ChatGPT account."
+      );
+    }
+    return new CodexProvider(tokens, normalized.model, normalized.baseUrl);
+  }
   return new OpenAICompatProvider(normalized);
 }
 const require$1 = node_module.createRequire(require("url").pathToFileURL(__filename).href);
-const logger$d = createLogger("DevTrace");
+const logger$e = createLogger("DevTrace");
 let cachedFactory;
 function createNoopTraceSession() {
   return {
@@ -8564,7 +9190,7 @@ function loadLocalFactory() {
         return cachedFactory;
       }
     } catch (err) {
-      logger$d.warn("Failed to load local trace logger:", err);
+      logger$e.warn("Failed to load local trace logger:", err);
     }
   }
   return cachedFactory;
@@ -12683,7 +13309,7 @@ function formatDeadLinkMessage(label, result) {
   const status = result.statusCode ? `HTTP ${result.statusCode}` : "dead link";
   return `Skipped stale link "${label}" because ${destination} returned ${status}. Try a different link or URL instead.`;
 }
-const logger$c = createLogger("Screenshot");
+const logger$d = createLogger("Screenshot");
 const SCREENSHOT_RETRY_COUNT = 3;
 const SCREENSHOT_RETRY_BASE_DELAY_MS = 120;
 async function captureScreenshot(wc) {
@@ -12705,7 +13331,7 @@ async function captureScreenshot(wc) {
         }
       }
     } catch (err) {
-      logger$c.debug(
+      logger$d.debug(
         `capturePage attempt ${attempt + 1} failed; retrying if attempts remain.`,
         getErrorMessage(err)
       );
@@ -13579,7 +14205,7 @@ function buildHuggingFaceSearchShortcut(currentUrl, rawQuery) {
     appliedFilters
   };
 }
-const logger$b = createLogger("PageActions");
+const logger$c = createLogger("PageActions");
 function getBookmarkMetadataFromArgs(args) {
   return normalizeBookmarkMetadata({
     intent: args.intent ?? args.intent,
@@ -13765,7 +14391,7 @@ async function executePageScript(wc, script, options) {
     return result;
   } catch (err) {
     const label = options?.label ? ` (${options.label})` : "";
-    logger$b.warn(`Failed to execute page script${label}:`, err);
+    logger$c.warn(`Failed to execute page script${label}:`, err);
     return null;
   } finally {
     if (timer) {
@@ -13866,7 +14492,7 @@ Search results snapshot:
 ${truncated}`;
     }
   } catch (err) {
-    logger$b.warn("Failed to build post-search summary, falling back to nav summary:", err);
+    logger$c.warn("Failed to build post-search summary, falling back to nav summary:", err);
   }
   const fallback = await getPostNavSummary(wc);
   return fallback ? `${fallback}
@@ -13889,7 +14515,7 @@ Page snapshot after navigation:
 ${truncated}`;
     }
   } catch (err) {
-    logger$b.warn("Failed to build post-click navigation summary:", err);
+    logger$c.warn("Failed to build post-click navigation summary:", err);
   }
   return "";
 }
@@ -14383,7 +15009,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       }
     }
   } catch (err) {
-    logger$b.warn("Failed to restore locale via history navigation, trying URL reload fallback:", err);
+    logger$c.warn("Failed to restore locale via history navigation, trying URL reload fallback:", err);
   }
   if (snapshot.url && snapshot.url !== wc.getURL()) {
     try {
@@ -14392,7 +15018,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       await waitForLoad(wc, 3e3);
       return;
     } catch (err) {
-      logger$b.warn("Failed to restore locale via safe URL load, trying page reload fallback:", err);
+      logger$c.warn("Failed to restore locale via safe URL load, trying page reload fallback:", err);
     }
   }
   if (snapshot.url) {
@@ -14400,7 +15026,7 @@ async function restoreLocaleSnapshot(wc, snapshot) {
       await wc.reload();
       await waitForLoad(wc, 3e3);
     } catch (err) {
-      logger$b.warn("Failed to restore locale via page reload:", err);
+      logger$c.warn("Failed to restore locale via page reload:", err);
     }
   }
 }
@@ -14752,7 +15378,7 @@ ${postActivationOverlayHint}`;
           return `${clickText} -> ${hrefFallbackUrl} (recovered via href fallback)`;
         }
       } catch (err) {
-        logger$b.warn("Failed href fallback after click, returning generic click result:", err);
+        logger$c.warn("Failed href fallback after click, returning generic click result:", err);
       }
     }
   }
@@ -14797,7 +15423,7 @@ async function tryAutoDismissCartDialog(wc) {
       return result;
     }
   } catch (err) {
-    logger$b.warn("Failed to auto-dismiss cart dialog, falling back to dialog actions:", err);
+    logger$c.warn("Failed to auto-dismiss cart dialog, falling back to dialog actions:", err);
   }
   return null;
 }
@@ -17067,7 +17693,7 @@ async function executeAction(name, args, ctx) {
               )
             ]);
           } catch (err) {
-            logger$b.warn("Failed to extract content for read_page, falling back to lighter recovery:", err);
+            logger$c.warn("Failed to extract content for read_page, falling back to lighter recovery:", err);
             content = null;
           }
           if (!content || content.content.length === 0) {
@@ -17084,12 +17710,12 @@ async function executeAction(name, args, ctx) {
                     new Promise((resolve) => setTimeout(() => resolve(null), 3e3))
                   ]);
                 } catch (err) {
-                  logger$b.warn("Failed to re-extract content after iframe consent dismissal:", err);
+                  logger$c.warn("Failed to re-extract content after iframe consent dismissal:", err);
                   content = null;
                 }
               }
             } catch (err) {
-              logger$b.warn("Failed iframe consent dismissal during read_page recovery:", err);
+              logger$c.warn("Failed iframe consent dismissal during read_page recovery:", err);
             }
           }
           if (content && content.content.length > 0) {
@@ -17502,7 +18128,7 @@ ${flow.steps.map((s, i) => `  ${i === 0 ? "→" : " "} ${s.label}`).join("\n")}`
           try {
             page = await extractContent(wc);
           } catch (err) {
-            logger$b.warn("Failed to extract content for suggest:", err);
+            logger$c.warn("Failed to extract content for suggest:", err);
             return "Could not read page. Try navigate to a working URL.";
           }
           const suggestions = [];
@@ -18827,7 +19453,7 @@ Exception: ${result.exceptionDetails}`);
     }
   );
 }
-const logger$a = createLogger("VaultShared");
+const logger$b = createLogger("VaultShared");
 const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 12;
 const AUTH_TAG_LENGTH = 16;
@@ -18904,7 +19530,7 @@ function createVaultIO(vaultFilename, encrypt2, decrypt2) {
       cachedEntries = JSON.parse(json);
       return cachedEntries;
     } catch (err) {
-      logger$a.error("Failed to load vault:", err);
+      logger$b.error("Failed to load vault:", err);
       throw new Error("Could not unlock the vault. Check OS secret storage availability.");
     }
   }
@@ -18973,7 +19599,7 @@ function createAuditLog(filename, maxEntries) {
       } catch {
       }
     } catch (err) {
-      logger$a.error("Failed to write audit log:", err);
+      logger$b.error("Failed to write audit log:", err);
     }
   }
   function readAuditLog2(limit = 100) {
@@ -18983,7 +19609,7 @@ function createAuditLog(filename, maxEntries) {
       const lines = fs$1.readFileSync(auditPath, "utf-8").split("\n").filter((l) => l.trim());
       return lines.slice(-Math.min(limit, maxEntries)).map((line) => JSON.parse(line)).reverse();
     } catch (err) {
-      logger$a.error("Failed to read audit log:", err);
+      logger$b.error("Failed to read audit log:", err);
       return [];
     }
   }
@@ -19091,7 +19717,7 @@ async function requestConsent(request) {
 }
 const AUDIT_FILENAME = "vessel-vault-audit.jsonl";
 const MAX_ENTRIES = 1e3;
-const logger$9 = createLogger("VaultAudit");
+const logger$a = createLogger("VaultAudit");
 function getAuditPath() {
   return path$1.join(electron.app.getPath("userData"), AUDIT_FILENAME);
 }
@@ -19101,7 +19727,7 @@ function appendAuditEntry(entry) {
     fs$1.mkdirSync(path$1.dirname(auditPath), { recursive: true });
     fs$1.appendFileSync(auditPath, JSON.stringify(entry) + "\n");
   } catch (err) {
-    logger$9.error("Failed to write audit log:", err);
+    logger$a.error("Failed to write audit log:", err);
   }
 }
 function readAuditLog$1(limit = 100) {
@@ -19111,7 +19737,7 @@ function readAuditLog$1(limit = 100) {
     const lines = fs$1.readFileSync(auditPath, "utf-8").split("\n").filter((l) => l.trim());
     return lines.slice(-Math.min(limit, MAX_ENTRIES)).map((line) => JSON.parse(line)).reverse();
   } catch (err) {
-    logger$9.error("Failed to read audit log:", err);
+    logger$a.error("Failed to read audit log:", err);
     return [];
   }
 }
@@ -19284,7 +19910,7 @@ async function requestHumanVaultConsent(request) {
 }
 let httpServer = null;
 let mcpAuthToken = null;
-const logger$8 = createLogger("MCP");
+const logger$9 = createLogger("MCP");
 const MCP_AUTH_FILENAME = "mcp-auth.json";
 function getMcpAuthFilePath() {
   const configDir = process.env.VESSEL_CONFIG_DIR || path$1.join(
@@ -19320,7 +19946,7 @@ function writeMcpAuthFile(endpoint, token) {
       { mode: 384 }
     );
   } catch (err) {
-    logger$8.warn("Failed to write auth file:", err);
+    logger$9.warn("Failed to write auth file:", err);
   }
 }
 function clearMcpAuthFile() {
@@ -19345,7 +19971,7 @@ function clearMcpAuthFile() {
       { mode: 384 }
     );
   } catch (err) {
-    logger$8.warn("Failed to clear auth file:", err);
+    logger$9.warn("Failed to clear auth file:", err);
   }
 }
 function asTextResponse(text) {
@@ -19435,7 +20061,7 @@ async function getPostActionState(tabManager, name) {
         }
       }
     } catch (err) {
-      logger$8.warn("Failed to compute post-action state warning:", err);
+      logger$9.warn("Failed to compute post-action state warning:", err);
     }
     return `${warning}
 [state: url=${wc.getURL()}, canGoBack=${tab.canGoBack()}, canGoForward=${tab.canGoForward()}, loading=${wc.isLoading()}]`;
@@ -19537,7 +20163,7 @@ async function waitForConditionMcp(wc, text, selector, timeoutMs) {
         }
       })()
     `).catch((err) => {
-      logger$8.warn("Failed to gather wait_for timeout diagnostic:", err);
+      logger$9.warn("Failed to gather wait_for timeout diagnostic:", err);
       return null;
     });
     if (typeof diagnostic === "string" && diagnostic.trim()) {
@@ -19624,7 +20250,7 @@ function registerTools(server, tabManager, runtime2) {
           const page = await extractContent(wc);
           pageType = detectPageType(page);
         } catch (err) {
-          logger$8.warn("Failed to detect page type for tool scoring, falling back to GENERAL:", err);
+          logger$9.warn("Failed to detect page type for tool scoring, falling back to GENERAL:", err);
         }
       }
       const scored = TOOL_DEFINITIONS.map((def) => {
@@ -21022,7 +21648,7 @@ ${JSON.stringify(otherHighlights, null, 2)}`
             void 0,
             h.color
           ).catch(
-            (err) => logger$8.warn("Failed to restore highlight after removal:", err)
+            (err) => logger$9.warn("Failed to restore highlight after removal:", err)
           );
         }
       }
@@ -21870,7 +22496,7 @@ ${flow.steps.map((s, i) => `  ${i === 0 ? "→" : " "} ${s.label}`).join("\n")}`
       try {
         page = await extractContent(wc);
       } catch (err) {
-        logger$8.warn("Failed to extract page while generating suggestions:", err);
+        logger$9.warn("Failed to extract page while generating suggestions:", err);
         return asTextResponse(
           "Could not read page. Try navigate to a working URL."
         );
@@ -22479,7 +23105,7 @@ ${JSON.stringify(tableJson, null, 2)}`;
         try {
           targetDomain = new URL(tab.state.url).hostname;
         } catch (err) {
-          logger$8.warn("Failed to parse active tab URL for vault_status:", err);
+          logger$9.warn("Failed to parse active tab URL for vault_status:", err);
           return asErrorTextResponse("Could not parse active tab URL");
         }
       }
@@ -22545,7 +23171,7 @@ Use vault_login to fill the login form. Credentials are filled directly — you
       try {
         hostname = new URL(tab.state.url).hostname;
       } catch (err) {
-        logger$8.warn("Failed to parse active tab URL for vault_login:", err);
+        logger$9.warn("Failed to parse active tab URL for vault_login:", err);
         return asErrorTextResponse("Could not parse active tab URL");
       }
       const matches = findEntriesForDomain(`https://${hostname}`);
@@ -22639,7 +23265,7 @@ Use vault_login to fill the login form. Credentials are filled directly — you
       try {
         hostname = new URL(tab.state.url).hostname;
       } catch (err) {
-        logger$8.warn("Failed to parse active tab URL for vault_totp:", err);
+        logger$9.warn("Failed to parse active tab URL for vault_totp:", err);
         return asErrorTextResponse("Could not parse active tab URL");
       }
       const matches = findEntriesForDomain(`https://${hostname}`);
@@ -22937,7 +23563,7 @@ function startMcpServer(tabManager, runtime2, port) {
   });
   mcpAuthToken = getPersistentMcpAuthToken();
   return new Promise((resolve) => {
-    const server = http.createServer(async (req, res) => {
+    const server = http$1.createServer(async (req, res) => {
       const url = new URL(req.url || "/", `http://localhost:${port}`);
       if (url.pathname !== "/mcp") {
         res.writeHead(404);
@@ -22979,7 +23605,7 @@ function startMcpServer(tabManager, runtime2, port) {
         await mcpServer.connect(transport);
         await transport.handleRequest(req, res);
       } catch (error) {
-        logger$8.error("Error handling request:", error);
+        logger$9.error("Error handling request:", error);
         if (!res.headersSent) {
           res.writeHead(500, { "Content-Type": "application/json" });
           res.end(
@@ -22998,7 +23624,7 @@ function startMcpServer(tabManager, runtime2, port) {
     };
     server.once("error", (error) => {
       const message = error.code === "EADDRINUSE" ? `Port ${port} is already in use. MCP server not started.` : error.message;
-      logger$8.error("Server error:", error);
+      logger$9.error("Server error:", error);
       clearMcpAuthFile();
       setMcpHealth({
         configuredPort: port,
@@ -23030,7 +23656,7 @@ function startMcpServer(tabManager, runtime2, port) {
         message: `MCP server listening on ${endpoint}.`
       });
       if (process.env.VESSEL_DEBUG_MCP === "1" || process.env.VESSEL_DEBUG_MCP === "true") {
-        logger$8.info(`Server listening on ${endpoint} (auth enabled)`);
+        logger$9.info(`Server listening on ${endpoint} (auth enabled)`);
       }
       if (mcpAuthToken) {
         writeMcpAuthFile(endpoint, mcpAuthToken);
@@ -23069,7 +23695,7 @@ function stopMcpServer() {
         message: "MCP server is stopped."
       });
       if (process.env.VESSEL_DEBUG_MCP === "1" || process.env.VESSEL_DEBUG_MCP === "true") {
-        logger$8.info("Server stopped");
+        logger$9.info("Server stopped");
       }
       resolve();
     });
@@ -23090,7 +23716,7 @@ const KIT_ID_UNSAFE_CHAR_PATTERN = /[\/\\\0]/;
 function isSafeAutomationKitId(id) {
   return id.length > 0 && !KIT_ID_UNSAFE_CHAR_PATTERN.test(id);
 }
-const logger$7 = createLogger("KitRegistry");
+const logger$8 = createLogger("KitRegistry");
 function getUserKitsDir() {
   return path$1.join(electron.app.getPath("userData"), "kits");
 }
@@ -23128,10 +23754,10 @@ function getInstalledKits() {
       if (isValidKit(parsed)) {
         kits.push(parsed);
       } else {
-        logger$7.warn(`Skipping invalid kit file: ${file}`);
+        logger$8.warn(`Skipping invalid kit file: ${file}`);
       }
     } catch (err) {
-      logger$7.warn(`Failed to read kit file: ${file}`, err);
+      logger$8.warn(`Failed to read kit file: ${file}`, err);
     }
   }
   return kits;
@@ -23203,7 +23829,7 @@ function uninstallKit(id, scheduledKitIds) {
     return errorResult("Failed to remove the kit file.");
   }
 }
-const logger$6 = createLogger("Scheduler");
+const logger$7 = createLogger("Scheduler");
 let jobs = [];
 let removeIdleListener = null;
 let broadcastFn = null;
@@ -23228,7 +23854,7 @@ function saveJobs() {
   try {
     fs$1.writeFileSync(getJobsPath(), JSON.stringify(jobs, null, 2), "utf-8");
   } catch (err) {
-    logger$6.warn("Failed to save jobs:", err);
+    logger$7.warn("Failed to save jobs:", err);
   }
 }
 function normalizeJob(job, now = /* @__PURE__ */ new Date()) {
@@ -23350,7 +23976,7 @@ async function fireJob(job, windowState, runtime2) {
   };
   startActivity();
   if (!settings2.chatProvider) {
-    logger$6.warn(`Job "${job.kitName}" skipped — no chat provider configured`);
+    logger$7.warn(`Job "${job.kitName}" skipped — no chat provider configured`);
     appendActivity(
       "Chat provider not configured. Open Settings (Ctrl+,) to choose a provider."
     );
@@ -23358,7 +23984,7 @@ async function fireJob(job, windowState, runtime2) {
     return;
   }
   if (process.env.VESSEL_DEBUG_SCHEDULER === "1" || process.env.VESSEL_DEBUG_SCHEDULER === "true") {
-    logger$6.info(`Firing scheduled job: ${job.kitName} (${job.id})`);
+    logger$7.info(`Firing scheduled job: ${job.kitName} (${job.id})`);
   }
   try {
     const provider = createProvider(settings2.chatProvider);
@@ -23411,7 +24037,7 @@ function tick(windowState, runtime2) {
     saveJobs();
     broadcastFn?.(Channels.SCHEDULE_JOBS_UPDATE, jobs);
     void fireJob(job, windowState, runtime2).catch((err) => {
-      logger$6.warn("Unexpected error firing job:", err);
+      logger$7.warn("Unexpected error firing job:", err);
     }).finally(fireNext);
   };
   fireNext();
@@ -24521,7 +25147,7 @@ function createFindInPageBridge(tabManager, chromeView) {
     }
   };
 }
-const logger$5 = createLogger("PrivateWindow");
+const logger$6 = createLogger("PrivateWindow");
 const privateWindows = /* @__PURE__ */ new Set();
 function layoutPrivateViews(state2) {
   const { window: win, chromeView, tabManager } = state2;
@@ -24744,7 +25370,7 @@ function createPrivateWindow() {
       privateSession.clearStorageData(),
       privateSession.clearCache()
     ]).catch((error) => {
-      logger$5.warn("Failed to clear private browsing session:", error);
+      logger$6.warn("Failed to clear private browsing session:", error);
     });
   });
   privateWindows.add(state2);
@@ -24754,7 +25380,7 @@ function createPrivateWindow() {
   });
   loadPrivateRenderer(chromeView);
   win.show();
-  logger$5.info("Private browsing window opened");
+  logger$6.info("Private browsing window opened");
   return state2;
 }
 const secondaryWindows = /* @__PURE__ */ new Set();
@@ -25368,6 +25994,48 @@ function registerSecurityHandlers(tabManager) {
     tabManager.goBackToSafety(tabId);
   });
 }
+const logger$5 = createLogger("CodexIPC");
+function registerCodexHandlers() {
+  electron.ipcMain.handle(Channels.CODEX_START_AUTH, async (event) => {
+    const wc = event.sender;
+    if (!wc || wc.isDestroyed()) {
+      return {
+        ok: false,
+        error: "No active window found for sender"
+      };
+    }
+    const sendStatus = (status, error) => {
+      try {
+        wc.send(Channels.CODEX_AUTH_STATUS, { status, error: error || null });
+      } catch {
+        logger$5.warn("Codex auth status send failed — window may be closed");
+      }
+    };
+    try {
+      const tokens = await startCodexOAuth(sendStatus);
+      writeStoredCodexTokens(tokens);
+      return {
+        ok: true,
+        accountEmail: tokens.accountEmail || tokens.accountId,
+        accountId: tokens.accountId
+      };
+    } catch (err) {
+      logger$5.error("Codex auth failed:", err);
+      return {
+        ok: false,
+        error: err instanceof Error ? err.message : "Unknown error"
+      };
+    }
+  });
+  electron.ipcMain.handle(Channels.CODEX_CANCEL_AUTH, () => {
+    cancelCodexOAuth();
+    return { ok: true };
+  });
+  electron.ipcMain.handle(Channels.CODEX_DISCONNECT, () => {
+    clearStoredCodexTokens();
+    return { ok: true };
+  });
+}
 let activeChatProvider = null;
 const logger$4 = createLogger("IPC");
 const VALID_APPROVAL_MODES = ["auto", "confirm-dangerous", "manual"];
@@ -25941,6 +26609,7 @@ function registerIpcHandlers(windowState, runtime2) {
   registerVaultHandlers();
   registerHumanVaultHandlers();
   registerWindowControlHandlers(mainWindow);
+  registerCodexHandlers();
   electron.ipcMain.handle(Channels.AUTOMATION_GET_INSTALLED, () => {
     return getInstalledKits();
   });