agentgui 1.0.700 → 1.0.701

package/CLAUDE.md

@@ -82,6 +82,7 @@ XState v5 machines provide formal state tracking alongside (not replacing) the e
 - `BASE_URL` - URL prefix (default: /gm)
 - `STARTUP_CWD` - Working directory passed to agents
 - `HOT_RELOAD` - Set to "false" to disable watch mode
+- `CODEX_HOME` - Override Codex CLI home directory (default: `~/.codex`)
 
 ## ACP Tool Lifecycle
 
@@ -123,6 +124,11 @@ All routes are prefixed with `BASE_URL` (default `/gm`).
 - `GET /api/tools/:id/history` - Get tool install/update history (query: limit, offset)
 - `POST /api/tools/update` - Batch update all tools with available updates
 - `POST /api/tools/refresh-all` - Refresh all tool statuses from package manager
+- `POST /api/codex-oauth/start` - Start Codex CLI OAuth flow (returns `{ authUrl, mode }`)
+- `GET /api/codex-oauth/status` - Get current Codex OAuth state `{ status, email, error }`
+- `POST /api/codex-oauth/relay` - Relay OAuth code+state from remote browser (body: `{ code, state }`)
+- `POST /api/codex-oauth/complete` - Complete OAuth by pasting redirect URL (body: `{ url }`)
+- `GET /codex-oauth2callback` - OAuth callback endpoint (redirect_uri for local flows)
 
 ## Tool Update System
 
@@ -286,6 +292,27 @@ Speech models (~470MB total) are downloaded automatically on server startup. No
 - **Client init:** `loadAgents()`, `loadConversations()`, `checkSpeechStatus()` run in parallel via `Promise.all()`.
 - **`perMessageDeflate: false`** on WebSocket server — msgpack binary doesn't compress well, and zlib was blocking the event loop on every streaming_progress send.
 
+## Codex CLI OAuth
+
+OpenAI Codex CLI uses PKCE authorization code flow against `https://auth.openai.com`.
+
+**Flow:**
+1. `POST /api/codex-oauth/start` generates PKCE (SHA-256 S256 challenge), CSRF state, returns `authUrl`
+2. User opens `authUrl` in browser and authenticates via OpenAI/ChatGPT
+3. **Local**: Browser redirects to `http://localhost:1455/auth/callback` — but since agentgui's server is on a different port, the redirect goes to `GET /codex-oauth2callback` (agentgui intercepts via matching route). Token exchange happens server-side.
+4. **Remote**: Redirect goes to `/codex-oauth2callback` which serves a relay page. Relay POSTs `{ code, state }` to `/api/codex-oauth/relay`. Token exchange happens on the server.
+5. Tokens saved to `$CODEX_HOME/auth.json` (default: `~/.codex/auth.json`) as `{ auth_mode: "chatgpt", tokens: { id_token, access_token, refresh_token }, last_refresh }`
+
+**Constants (in server.js):**
+- Issuer: `https://auth.openai.com`
+- Client ID: `app_EMoamEEZ73f0CkXaXp7hrann`
+- Scopes: `openid profile email offline_access api.connectors.read api.connectors.invoke`
+- Redirect URI (local): `http://localhost:1455/auth/callback` (actual callback goes to agentgui's `/codex-oauth2callback`)
+
+**WebSocket handlers** (in `lib/ws-handlers-util.js`): `codex.start`, `codex.status`, `codex.relay`, `codex.complete`
+
+**Agent auth**: `POST /api/agents/codex/auth` starts OAuth flow same as Gemini — broadcasts `script_started`/`script_output`/`script_stopped` events as OAuth progresses.
+
 ## ACP SDK Integration
 
 - **@agentclientprotocol/sdk** (`^0.4.1`) added to dependencies

package/lib/ws-handlers-util.js

@@ -9,6 +9,7 @@ export function register(router, deps) {
   const { queries, wsOptimizer, modelDownloadState, ensureModelsDownloaded,
     broadcastSync, getSpeech, getProviderConfigs, saveProviderConfig,
     startGeminiOAuth, exchangeGeminiOAuthCode, geminiOAuthState,
+    startCodexOAuth, exchangeCodexOAuthCode, codexOAuthState,
     STARTUP_CWD, activeScripts, voiceCacheManager, toolManager, discoveredAgents } = deps;
 
   router.handle('home', () => ({ home: os.homedir(), cwd: STARTUP_CWD }));
@@ -175,6 +176,45 @@ export function register(router, deps) {
     } catch (e) { err(400, e.message); }
   });
 
+  router.handle('codex.start', async () => {
+    try {
+      const result = await startCodexOAuth();
+      return { authUrl: result.authUrl, mode: result.mode };
+    } catch (e) { err(500, e.message); }
+  });
+
+  router.handle('codex.status', () => {
+    const st = typeof codexOAuthState === 'function' ? codexOAuthState() : codexOAuthState;
+    return st;
+  });
+
+  router.handle('codex.relay', async (p) => {
+    const { code, state } = p;
+    if (!code || !state) err(400, 'Missing code or state');
+    try {
+      const email = await exchangeCodexOAuthCode(code, state);
+      return { success: true, email };
+    } catch (e) { err(400, e.message); }
+  });
+
+  router.handle('codex.complete', async (p) => {
+    const pastedUrl = (p.url || '').trim();
+    if (!pastedUrl) err(400, 'No URL provided');
+    let parsed;
+    try { parsed = new URL(pastedUrl); } catch { err(400, 'Invalid URL. Paste the full URL from the browser address bar.'); }
+    const urlError = parsed.searchParams.get('error');
+    if (urlError) {
+      const desc = parsed.searchParams.get('error_description') || urlError;
+      return { error: desc };
+    }
+    const code = parsed.searchParams.get('code');
+    const state = parsed.searchParams.get('state');
+    try {
+      const email = await exchangeCodexOAuthCode(code, state);
+      return { success: true, email };
+    } catch (e) { err(400, e.message); }
+  });
+
   router.handle('ws.stats', () => wsOptimizer.getStats());
 
   router.handle('conv.scripts', (p) => {
@@ -268,47 +308,47 @@ export function register(router, deps) {
     }
   });
 
-  router.handle('agent.subagents', async (p) => {
-    const { id } = p;
-    if (!id) err(400, 'Missing agent id');
-
-    // Claude Code: run 'claude agents list' and parse output
-    if (id === 'claude-code' || id === 'cli-claude') {
-      const spawnEnv = { ...process.env };
-      delete spawnEnv.CLAUDECODE;
-      const result = spawnSync('claude', ['agents', 'list'], {
-        encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
-        env: spawnEnv
-      });
-      if (result.status !== 0 || !result.stdout) return { subAgents: [] };
-      const output = result.stdout.trim();
-      // Output format: '  agentId · model' lines under section headers
-      const agents = [];
-      for (const line of output.split('\n').filter(l => l.trim())) {
-        const match = line.match(/^  (\S+)\s+·/);
-        if (match) {
-          const id = match[1];
-          agents.push({ id, name: id });
-        }
-      }
-      console.log('[agent.subagents] claude agents list found:', agents.map(a => a.id).join(', '));
-      return { subAgents: agents };
-    }
-
-    // ACP agents: hardcoded map filtered by installed tools
-    const subAgentMap = {
-      'opencode':     [{ id: 'gm-oc',   name: 'GM OpenCode' }],
-      'cli-opencode': [{ id: 'gm-oc',   name: 'GM OpenCode' }],
-      'gemini':       [{ id: 'gm-gc',   name: 'GM Gemini'   }],
-      'cli-gemini':   [{ id: 'gm-gc',   name: 'GM Gemini'   }],
-      'kilo':         [{ id: 'gm-kilo', name: 'GM Kilo'     }],
-      'cli-kilo':     [{ id: 'gm-kilo', name: 'GM Kilo'     }],
-      'codex':        [],
-      'cli-codex':    []
-    };
-    const subAgents = subAgentMap[id] || [];
-    const tools = await toolManager.getAllToolsAsync();
-    const installed = new Set(tools.filter(t => t.category === 'plugin' && t.installed).map(t => t.id));
-    return { subAgents: subAgents.filter(sa => installed.has(sa.id)) };
+  router.handle('agent.subagents', async (p) => {
+    const { id } = p;
+    if (!id) err(400, 'Missing agent id');
+
+    // Claude Code: run 'claude agents list' and parse output
+    if (id === 'claude-code' || id === 'cli-claude') {
+      const spawnEnv = { ...process.env };
+      delete spawnEnv.CLAUDECODE;
+      const result = spawnSync('claude', ['agents', 'list'], {
+        encoding: 'utf-8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
+        env: spawnEnv
+      });
+      if (result.status !== 0 || !result.stdout) return { subAgents: [] };
+      const output = result.stdout.trim();
+      // Output format: '  agentId · model' lines under section headers
+      const agents = [];
+      for (const line of output.split('\n').filter(l => l.trim())) {
+        const match = line.match(/^  (\S+)\s+·/);
+        if (match) {
+          const id = match[1];
+          agents.push({ id, name: id });
+        }
+      }
+      console.log('[agent.subagents] claude agents list found:', agents.map(a => a.id).join(', '));
+      return { subAgents: agents };
+    }
+
+    // ACP agents: hardcoded map filtered by installed tools
+    const subAgentMap = {
+      'opencode':     [{ id: 'gm-oc',   name: 'GM OpenCode' }],
+      'cli-opencode': [{ id: 'gm-oc',   name: 'GM OpenCode' }],
+      'gemini':       [{ id: 'gm-gc',   name: 'GM Gemini'   }],
+      'cli-gemini':   [{ id: 'gm-gc',   name: 'GM Gemini'   }],
+      'kilo':         [{ id: 'gm-kilo', name: 'GM Kilo'     }],
+      'cli-kilo':     [{ id: 'gm-kilo', name: 'GM Kilo'     }],
+      'codex':        [],
+      'cli-codex':    []
+    };
+    const subAgents = subAgentMap[id] || [];
+    const tools = await toolManager.getAllToolsAsync();
+    const installed = new Set(tools.filter(t => t.category === 'plugin' && t.installed).map(t => t.id));
+    return { subAgents: subAgents.filter(sa => installed.has(sa.id)) };
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.700",
+  "version": "1.0.701",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "server.js",

package/server.js

@@ -949,6 +949,238 @@ function getGeminiOAuthStatus() {
   return null;
 }
 
+const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
+const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
+const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
+const CODEX_OAUTH_PORT = 1455;
+
+let codexOAuthState = { status: 'idle', error: null, email: null };
+let codexOAuthPending = null;
+
+function generatePkce() {
+  const verifierBytes = crypto.randomBytes(64);
+  const codeVerifier = verifierBytes.toString('base64url');
+  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = challengeBytes.toString('base64url');
+  return { codeVerifier, codeChallenge };
+}
+
+function parseJwtEmail(jwt) {
+  try {
+    const parts = jwt.split('.');
+    if (parts.length < 2) return '';
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    return payload.email || payload['https://api.openai.com/profile']?.email || '';
+  } catch (_) { return ''; }
+}
+
+function saveCodexCredentials(tokens) {
+  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
+  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
+  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
+}
+
+function getCodexOAuthStatus() {
+  try {
+    if (fs.existsSync(CODEX_AUTH_FILE)) {
+      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
+      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
+        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+async function startCodexOAuth(req) {
+  const remote = isRemoteRequest(req);
+  const redirectUri = remote
+    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
+    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
+
+  const pkce = generatePkce();
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: CODEX_CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: CODEX_SCOPES,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: 'S256',
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    state,
+  });
+
+  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
+  const mode = remote ? 'remote' : 'local';
+
+  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
+  codexOAuthState = { status: 'pending', error: null, email: null };
+
+  setTimeout(() => {
+    if (codexOAuthState.status === 'pending') {
+      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      codexOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+
+  return { authUrl, mode };
+}
+
+async function exchangeCodexOAuthCode(code, stateParam) {
+  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+
+  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+
+  if (csrfToken !== expectedCsrf) {
+    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    codexOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+
+  if (!code) {
+    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    codexOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: redirectUri,
+    client_id: CODEX_CLIENT_ID,
+    code_verifier: pkce.codeVerifier,
+  });
+
+  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
+    codexOAuthPending = null;
+    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+  }
+
+  const tokens = await resp.json();
+  const email = parseJwtEmail(tokens.id_token || '');
+
+  saveCodexCredentials(tokens);
+  codexOAuthState = { status: 'success', error: null, email };
+  codexOAuthPending = null;
+
+  return email;
+}
+
+function codexOAuthResultPage(title, message, success) {
+  const color = success ? '#10b981' : '#ef4444';
+  const icon = success ? '&#10003;' : '&#10007;';
+  return `<!DOCTYPE html><html><head><title>${title}</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div style="text-align:center;max-width:400px;padding:2rem;">
+<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
+<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
+<p style="color:#9ca3af;">${message}</p>
+<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
+</div></body></html>`;
+}
+
+function codexOAuthRelayPage(code, state, error) {
+  const stateData = decodeOAuthState(state || '');
+  const relayUrl = stateData.relayUrl || '';
+  const escapedCode = (code || '').replace(/['"\\]/g, '');
+  const escapedState = (state || '').replace(/['"\\]/g, '');
+  const escapedError = (error || '').replace(/['"\\]/g, '');
+  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
+  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
+<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
+<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
+<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
+</div>
+<script>
+(function() {
+  var code = '${escapedCode}';
+  var state = '${escapedState}';
+  var error = '${escapedError}';
+  var relayUrl = '${escapedRelay}';
+  function show(icon, title, msg, color) {
+    document.getElementById('spinner').textContent = icon;
+    document.getElementById('spinner').style.color = color;
+    document.getElementById('title').textContent = title;
+    document.getElementById('msg').textContent = msg;
+  }
+  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
+  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
+  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
+  fetch(relayUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ code: code, state: state })
+  }).then(function(r) { return r.json(); }).then(function(data) {
+    if (data.success) {
+      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
+    } else {
+      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
+    }
+  }).catch(function(e) {
+    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
+  });
+})();
+</script>
+</body></html>`;
+}
+
+async function handleCodexOAuthCallback(req, res) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+
+  if (error) {
+    const desc = errorDesc || error;
+    codexOAuthState = { status: 'error', error: desc, email: null };
+    codexOAuthPending = null;
+  }
+
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+
+  if (!codexOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeCodexOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1037,6 +1269,13 @@ function getProviderConfigs() {
         continue;
       }
     }
+    if (providerId === 'codex') {
+      const oauthStatus = getCodexOAuthStatus();
+      if (oauthStatus) {
+        configs[providerId] = { name: config.name, ...oauthStatus };
+        continue;
+      }
+    }
     for (const configPath of config.configPaths) {
       try {
         if (fs.existsSync(configPath)) {
@@ -1167,6 +1406,11 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
+      await handleCodexOAuthCallback(req, res);
+      return;
+    }
+
     if (pathOnly === '/api/conversations' && req.method === 'GET') {
       const conversations = queries.getConversationsList();
       // Filter out stale streaming state using a single bulk query instead of N+1 per-conversation queries
@@ -2622,12 +2866,110 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
+      try {
+        const result = await startCodexOAuth(req);
+        sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
+      } catch (e) {
+        console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
+        sendJSON(req, res, 500, { error: e.message });
+      }
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
+      sendJSON(req, res, 200, codexOAuthState);
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/relay' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const { code, state: stateParam } = body;
+        if (!code || !stateParam) {
+          sendJSON(req, res, 400, { error: 'Missing code or state' });
+          return;
+        }
+        const email = await exchangeCodexOAuthCode(code, stateParam);
+        sendJSON(req, res, 200, { success: true, email });
+      } catch (e) {
+        codexOAuthState = { status: 'error', error: e.message, email: null };
+        codexOAuthPending = null;
+        sendJSON(req, res, 400, { error: e.message });
+      }
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/complete' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const pastedUrl = (body.url || '').trim();
+        if (!pastedUrl) {
+          sendJSON(req, res, 400, { error: 'No URL provided' });
+          return;
+        }
+        let parsed;
+        try { parsed = new URL(pastedUrl); } catch (_) {
+          sendJSON(req, res, 400, { error: 'Invalid URL. Paste the full URL from the browser address bar.' });
+          return;
+        }
+        const error = parsed.searchParams.get('error');
+        if (error) {
+          const desc = parsed.searchParams.get('error_description') || error;
+          codexOAuthState = { status: 'error', error: desc, email: null };
+          codexOAuthPending = null;
+          sendJSON(req, res, 200, { error: desc });
+          return;
+        }
+        const code = parsed.searchParams.get('code');
+        const state = parsed.searchParams.get('state');
+        const email = await exchangeCodexOAuthCode(code, state);
+        sendJSON(req, res, 200, { success: true, email });
+      } catch (e) {
+        codexOAuthState = { status: 'error', error: e.message, email: null };
+        codexOAuthPending = null;
+        sendJSON(req, res, 400, { error: e.message });
+      }
+      return;
+    }
+
     const agentAuthMatch = pathOnly.match(/^\/api\/agents\/([^/]+)\/auth$/);
     if (agentAuthMatch && req.method === 'POST') {
       const agentId = agentAuthMatch[1];
       const agent = discoveredAgents.find(a => a.id === agentId);
       if (!agent) { sendJSON(req, res, 404, { error: 'Agent not found' }); return; }
 
+      if (agentId === 'codex' || agentId === 'cli-codex') {
+        try {
+          const result = await startCodexOAuth(req);
+          const conversationId = '__agent_auth__';
+          broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
+          broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
+
+          const pollId = setInterval(() => {
+            if (codexOAuthState.status === 'success') {
+              clearInterval(pollId);
+              const email = codexOAuthState.email || '';
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
+            } else if (codexOAuthState.status === 'error') {
+              clearInterval(pollId);
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
+            }
+          }, 1000);
+
+          setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
+
+          sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
+          return;
+        } catch (e) {
+          console.error('[codex-oauth] /api/agents/codex/auth failed:', e);
+          sendJSON(req, res, 500, { error: e.message });
+          return;
+        }
+      }
+
       if (agentId === 'gemini') {
         try {
           const result = await startGeminiOAuth(req);
@@ -4190,6 +4532,8 @@ registerUtilHandlers(wsRouter, {
   broadcastSync, getSpeech, getProviderConfigs, saveProviderConfig,
   startGeminiOAuth, exchangeGeminiOAuthCode,
   geminiOAuthState: () => geminiOAuthState,
+  startCodexOAuth, exchangeCodexOAuthCode,
+  codexOAuthState: () => codexOAuthState,
   STARTUP_CWD, activeScripts, voiceCacheManager, toolManager, discoveredAgents
 });