npm - agentgui - Versions diffs - 1.0.701 → 1.0.702 - Mend

agentgui 1.0.701 → 1.0.702

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CLAUDE.md CHANGED Viewed

@@ -82,7 +82,6 @@ XState v5 machines provide formal state tracking alongside (not replacing) the e
 - `BASE_URL` - URL prefix (default: /gm)
 - `STARTUP_CWD` - Working directory passed to agents
 - `HOT_RELOAD` - Set to "false" to disable watch mode
-- `CODEX_HOME` - Override Codex CLI home directory (default: `~/.codex`)
 ## ACP Tool Lifecycle
@@ -124,11 +123,6 @@ All routes are prefixed with `BASE_URL` (default `/gm`).
 - `GET /api/tools/:id/history` - Get tool install/update history (query: limit, offset)
 - `POST /api/tools/update` - Batch update all tools with available updates
 - `POST /api/tools/refresh-all` - Refresh all tool statuses from package manager
-- `POST /api/codex-oauth/start` - Start Codex CLI OAuth flow (returns `{ authUrl, mode }`)
-- `GET /api/codex-oauth/status` - Get current Codex OAuth state `{ status, email, error }`
-- `POST /api/codex-oauth/relay` - Relay OAuth code+state from remote browser (body: `{ code, state }`)
-- `POST /api/codex-oauth/complete` - Complete OAuth by pasting redirect URL (body: `{ url }`)
-- `GET /codex-oauth2callback` - OAuth callback endpoint (redirect_uri for local flows)
 ## Tool Update System
@@ -292,27 +286,6 @@ Speech models (~470MB total) are downloaded automatically on server startup. No
 - **Client init:** `loadAgents()`, `loadConversations()`, `checkSpeechStatus()` run in parallel via `Promise.all()`.
 - **`perMessageDeflate: false`** on WebSocket server — msgpack binary doesn't compress well, and zlib was blocking the event loop on every streaming_progress send.
-## Codex CLI OAuth
-OpenAI Codex CLI uses PKCE authorization code flow against `https://auth.openai.com`.
-**Flow:**
-1. `POST /api/codex-oauth/start` generates PKCE (SHA-256 S256 challenge), CSRF state, returns `authUrl`
-2. User opens `authUrl` in browser and authenticates via OpenAI/ChatGPT
-3. **Local**: Browser redirects to `http://localhost:1455/auth/callback` — but since agentgui's server is on a different port, the redirect goes to `GET /codex-oauth2callback` (agentgui intercepts via matching route). Token exchange happens server-side.
-4. **Remote**: Redirect goes to `/codex-oauth2callback` which serves a relay page. Relay POSTs `{ code, state }` to `/api/codex-oauth/relay`. Token exchange happens on the server.
-5. Tokens saved to `$CODEX_HOME/auth.json` (default: `~/.codex/auth.json`) as `{ auth_mode: "chatgpt", tokens: { id_token, access_token, refresh_token }, last_refresh }`
-**Constants (in server.js):**
-- Issuer: `https://auth.openai.com`
-- Client ID: `app_EMoamEEZ73f0CkXaXp7hrann`
-- Scopes: `openid profile email offline_access api.connectors.read api.connectors.invoke`
-- Redirect URI (local): `http://localhost:1455/auth/callback` (actual callback goes to agentgui's `/codex-oauth2callback`)
-**WebSocket handlers** (in `lib/ws-handlers-util.js`): `codex.start`, `codex.status`, `codex.relay`, `codex.complete`
-**Agent auth**: `POST /api/agents/codex/auth` starts OAuth flow same as Gemini — broadcasts `script_started`/`script_output`/`script_stopped` events as OAuth progresses.
 ## ACP SDK Integration
 - **@agentclientprotocol/sdk** (`^0.4.1`) added to dependencies

package/lib/ws-handlers-util.js CHANGED Viewed

@@ -9,7 +9,7 @@ export function register(router, deps) {
   const { queries, wsOptimizer, modelDownloadState, ensureModelsDownloaded,
     broadcastSync, getSpeech, getProviderConfigs, saveProviderConfig,
     startGeminiOAuth, exchangeGeminiOAuthCode, geminiOAuthState,
-    startCodexOAuth, exchangeCodexOAuthCode, codexOAuthState,
+    startCodexDeviceAuth, codexDeviceAuthState,
     STARTUP_CWD, activeScripts, voiceCacheManager, toolManager, discoveredAgents } = deps;
   router.handle('home', () => ({ home: os.homedir(), cwd: STARTUP_CWD }));
@@ -158,46 +158,31 @@ export function register(router, deps) {
     } catch (e) { err(400, e.message); }
   });
-  router.handle('gemini.complete', async (p) => {
-    const pastedUrl = (p.url || '').trim();
-    if (!pastedUrl) err(400, 'No URL provided');
-    let parsed;
-    try { parsed = new URL(pastedUrl); } catch { err(400, 'Invalid URL. Paste the full URL from the browser address bar.'); }
-    const urlError = parsed.searchParams.get('error');
-    if (urlError) {
-      const desc = parsed.searchParams.get('error_description') || urlError;
-      return { error: desc };
-    }
-    const code = parsed.searchParams.get('code');
-    const state = parsed.searchParams.get('state');
-    try {
-      const email = await exchangeGeminiOAuthCode(code, state);
-      return { success: true, email };
-    } catch (e) { err(400, e.message); }
-  });
   router.handle('codex.start', async () => {
     try {
-      const result = await startCodexOAuth();
-      return { authUrl: result.authUrl, mode: result.mode };
+      const result = startCodexDeviceAuth();
+      const st = typeof codexDeviceAuthState === 'function' ? codexDeviceAuthState() : codexDeviceAuthState;
+      if (result.alreadyAuthenticated) return { status: 'success', authenticated: true };
+      const waitForCode = () => new Promise((resolve) => {
+        let tries = 12;
+        const poll = () => {
+          const state = typeof codexDeviceAuthState === 'function' ? codexDeviceAuthState() : codexDeviceAuthState;
+          if (state.authUrl || tries-- <= 0) resolve(state);
+          else setTimeout(poll, 400);
+        };
+        poll();
+      });
+      const state = await waitForCode();
+      return { status: state.status, authUrl: state.authUrl, userCode: state.userCode };
     } catch (e) { err(500, e.message); }
   });
   router.handle('codex.status', () => {
-    const st = typeof codexOAuthState === 'function' ? codexOAuthState() : codexOAuthState;
+    const st = typeof codexDeviceAuthState === 'function' ? codexDeviceAuthState() : codexDeviceAuthState;
     return st;
   });
-  router.handle('codex.relay', async (p) => {
-    const { code, state } = p;
-    if (!code || !state) err(400, 'Missing code or state');
-    try {
-      const email = await exchangeCodexOAuthCode(code, state);
-      return { success: true, email };
-    } catch (e) { err(400, e.message); }
-  });
-  router.handle('codex.complete', async (p) => {
+  router.handle('gemini.complete', async (p) => {
     const pastedUrl = (p.url || '').trim();
     if (!pastedUrl) err(400, 'No URL provided');
     let parsed;
@@ -210,7 +195,7 @@ export function register(router, deps) {
     const code = parsed.searchParams.get('code');
     const state = parsed.searchParams.get('state');
     try {
-      const email = await exchangeCodexOAuthCode(code, state);
+      const email = await exchangeGeminiOAuthCode(code, state);
       return { success: true, email };
     } catch (e) { err(400, e.message); }
   });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.701",
+  "version": "1.0.702",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "server.js",

package/server.js CHANGED Viewed

@@ -696,6 +696,96 @@ const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
 let geminiOAuthState = { status: 'idle', error: null, email: null };
 let geminiOAuthPending = null;
+const CODEX_AUTH_FILE = path.join(os.homedir(), '.codex', 'auth.json');
+let codexDeviceAuthState = { status: 'idle', error: null, userCode: null, authUrl: null };
+let codexDeviceAuthProcess = null;
+function getCodexAuthStatus() {
+  try {
+    if (fs.existsSync(CODEX_AUTH_FILE)) {
+      const creds = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf-8'));
+      if (creds.auth_mode === 'oauth' || creds.access_token || creds.refresh_token) {
+        return { authenticated: true, detail: creds.email || 'oauth' };
+      }
+      if (creds.auth_mode === 'apikey' && creds.OPENAI_API_KEY) {
+        return { authenticated: true, detail: 'api-key' };
+      }
+    }
+  } catch (_) {}
+  return { authenticated: false, detail: 'no credentials' };
+}
+function startCodexDeviceAuth() {
+  if (codexDeviceAuthProcess) {
+    return { alreadyRunning: true };
+  }
+  const codexStatus = getCodexAuthStatus();
+  if (codexStatus.authenticated) {
+    codexDeviceAuthState = { status: 'success', error: null, userCode: null, authUrl: null };
+    return { alreadyAuthenticated: true };
+  }
+  codexDeviceAuthState = { status: 'pending', error: null, userCode: null, authUrl: null };
+  const child = spawn('npx', ['@openai/codex', 'login', '--device-auth'], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    env: { ...process.env, FORCE_COLOR: '0', NO_COLOR: '1' },
+    shell: os.platform() === 'win32',
+  });
+  codexDeviceAuthProcess = child;
+  const onData = (chunk) => {
+    const text = chunk.toString().replace(/\x1b\[[0-9;]*m/g, '');
+    const urlMatch = text.match(/https:\/\/auth\.openai\.com\/codex\/device[^\s]*/);
+    const codeMatch = text.match(/\b([0-9A-Z]{4}-[0-9A-Z]{5})\b/);
+    if (urlMatch && !codexDeviceAuthState.authUrl) codexDeviceAuthState.authUrl = urlMatch[0];
+    if (codeMatch && !codexDeviceAuthState.userCode) codexDeviceAuthState.userCode = codeMatch[1];
+  };
+  child.stdout.on('data', onData);
+  child.stderr.on('data', onData);
+  const authFileWatcher = fs.watchFile ? null : null;
+  const pollInterval = setInterval(() => {
+    const st = getCodexAuthStatus();
+    if (st.authenticated) {
+      clearInterval(pollInterval);
+      clearTimeout(timeoutId);
+      codexDeviceAuthState = { status: 'success', error: null, userCode: codexDeviceAuthState.userCode, authUrl: codexDeviceAuthState.authUrl };
+      if (codexDeviceAuthProcess) { try { codexDeviceAuthProcess.kill('SIGTERM'); } catch (_) {} codexDeviceAuthProcess = null; }
+    }
+  }, 1500);
+  const timeoutId = setTimeout(() => {
+    clearInterval(pollInterval);
+    if (codexDeviceAuthState.status === 'pending') {
+      codexDeviceAuthState = { status: 'error', error: 'Authentication timed out', userCode: null, authUrl: null };
+    }
+    if (codexDeviceAuthProcess) { try { codexDeviceAuthProcess.kill('SIGTERM'); } catch (_) {} codexDeviceAuthProcess = null; }
+  }, 5 * 60 * 1000);
+  child.on('error', (e) => {
+    clearInterval(pollInterval);
+    clearTimeout(timeoutId);
+    codexDeviceAuthState = { status: 'error', error: e.message, userCode: null, authUrl: null };
+    codexDeviceAuthProcess = null;
+  });
+  child.on('close', (code) => {
+    clearInterval(pollInterval);
+    clearTimeout(timeoutId);
+    codexDeviceAuthProcess = null;
+    if (codexDeviceAuthState.status === 'pending') {
+      if (code === 0) {
+        const st = getCodexAuthStatus();
+        codexDeviceAuthState = st.authenticated
+          ? { status: 'success', error: null, userCode: codexDeviceAuthState.userCode, authUrl: codexDeviceAuthState.authUrl }
+          : { status: 'error', error: 'Process exited without saving credentials', userCode: null, authUrl: null };
+      } else {
+        codexDeviceAuthState = { status: 'error', error: 'Authentication cancelled', userCode: null, authUrl: null };
+      }
+    }
+  });
+  return { started: true };
+}
 function buildBaseUrl(req) {
   const override = process.env.AGENTGUI_BASE_URL;
   if (override) return override.replace(/\/+$/, '');
@@ -949,238 +1039,6 @@ function getGeminiOAuthStatus() {
   return null;
 }
-const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
-const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
-const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
-const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
-const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
-const CODEX_OAUTH_PORT = 1455;
-let codexOAuthState = { status: 'idle', error: null, email: null };
-let codexOAuthPending = null;
-function generatePkce() {
-  const verifierBytes = crypto.randomBytes(64);
-  const codeVerifier = verifierBytes.toString('base64url');
-  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
-  const codeChallenge = challengeBytes.toString('base64url');
-  return { codeVerifier, codeChallenge };
-}
-function parseJwtEmail(jwt) {
-  try {
-    const parts = jwt.split('.');
-    if (parts.length < 2) return '';
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-    return payload.email || payload['https://api.openai.com/profile']?.email || '';
-  } catch (_) { return ''; }
-}
-function saveCodexCredentials(tokens) {
-  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
-  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
-  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
-}
-function getCodexOAuthStatus() {
-  try {
-    if (fs.existsSync(CODEX_AUTH_FILE)) {
-      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
-      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
-        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-async function startCodexOAuth(req) {
-  const remote = isRemoteRequest(req);
-  const redirectUri = remote
-    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
-    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
-  const pkce = generatePkce();
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-  const params = new URLSearchParams({
-    response_type: 'code',
-    client_id: CODEX_CLIENT_ID,
-    redirect_uri: redirectUri,
-    scope: CODEX_SCOPES,
-    code_challenge: pkce.codeChallenge,
-    code_challenge_method: 'S256',
-    id_token_add_organizations: 'true',
-    codex_cli_simplified_flow: 'true',
-    state,
-  });
-  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
-  const mode = remote ? 'remote' : 'local';
-  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
-  codexOAuthState = { status: 'pending', error: null, email: null };
-  setTimeout(() => {
-    if (codexOAuthState.status === 'pending') {
-      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      codexOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-  return { authUrl, mode };
-}
-async function exchangeCodexOAuthCode(code, stateParam) {
-  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-  if (csrfToken !== expectedCsrf) {
-    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    codexOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-  if (!code) {
-    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    codexOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-  const body = new URLSearchParams({
-    grant_type: 'authorization_code',
-    code,
-    redirect_uri: redirectUri,
-    client_id: CODEX_CLIENT_ID,
-    code_verifier: pkce.codeVerifier,
-  });
-  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: body.toString(),
-  });
-  if (!resp.ok) {
-    const text = await resp.text();
-    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
-    codexOAuthPending = null;
-    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
-  }
-  const tokens = await resp.json();
-  const email = parseJwtEmail(tokens.id_token || '');
-  saveCodexCredentials(tokens);
-  codexOAuthState = { status: 'success', error: null, email };
-  codexOAuthPending = null;
-  return email;
-}
-function codexOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-function codexOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-async function handleCodexOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-  if (error) {
-    const desc = errorDesc || error;
-    codexOAuthState = { status: 'error', error: desc, email: null };
-    codexOAuthPending = null;
-  }
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-  if (!codexOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeCodexOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1269,13 +1127,6 @@ function getProviderConfigs() {
         continue;
       }
     }
-    if (providerId === 'codex') {
-      const oauthStatus = getCodexOAuthStatus();
-      if (oauthStatus) {
-        configs[providerId] = { name: config.name, ...oauthStatus };
-        continue;
-      }
-    }
     for (const configPath of config.configPaths) {
       try {
         if (fs.existsSync(configPath)) {
@@ -1406,11 +1257,6 @@ const server = http.createServer(async (req, res) => {
       return;
     }
-    if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
-      await handleCodexOAuthCallback(req, res);
-      return;
-    }
     if (pathOnly === '/api/conversations' && req.method === 'GET') {
       const conversations = queries.getConversationsList();
       // Filter out stale streaming state using a single bulk query instead of N+1 per-conversation queries
@@ -2421,6 +2267,10 @@ const server = http.createServer(async (req, res) => {
             } else {
               status.detail = 'no credentials';
             }
+          } else if (agent.id === 'codex') {
+            const codexSt = getCodexAuthStatus();
+            status.authenticated = codexSt.authenticated;
+            status.detail = codexSt.detail;
           } else {
             status.detail = 'unknown';
           }
@@ -2866,110 +2716,12 @@ const server = http.createServer(async (req, res) => {
       return;
     }
-    if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
-      try {
-        const result = await startCodexOAuth(req);
-        sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
-      } catch (e) {
-        console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
-        sendJSON(req, res, 500, { error: e.message });
-      }
-      return;
-    }
-    if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, codexOAuthState);
-      return;
-    }
-    if (pathOnly === '/api/codex-oauth/relay' && req.method === 'POST') {
-      try {
-        const body = await parseBody(req);
-        const { code, state: stateParam } = body;
-        if (!code || !stateParam) {
-          sendJSON(req, res, 400, { error: 'Missing code or state' });
-          return;
-        }
-        const email = await exchangeCodexOAuthCode(code, stateParam);
-        sendJSON(req, res, 200, { success: true, email });
-      } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
-        sendJSON(req, res, 400, { error: e.message });
-      }
-      return;
-    }
-    if (pathOnly === '/api/codex-oauth/complete' && req.method === 'POST') {
-      try {
-        const body = await parseBody(req);
-        const pastedUrl = (body.url || '').trim();
-        if (!pastedUrl) {
-          sendJSON(req, res, 400, { error: 'No URL provided' });
-          return;
-        }
-        let parsed;
-        try { parsed = new URL(pastedUrl); } catch (_) {
-          sendJSON(req, res, 400, { error: 'Invalid URL. Paste the full URL from the browser address bar.' });
-          return;
-        }
-        const error = parsed.searchParams.get('error');
-        if (error) {
-          const desc = parsed.searchParams.get('error_description') || error;
-          codexOAuthState = { status: 'error', error: desc, email: null };
-          codexOAuthPending = null;
-          sendJSON(req, res, 200, { error: desc });
-          return;
-        }
-        const code = parsed.searchParams.get('code');
-        const state = parsed.searchParams.get('state');
-        const email = await exchangeCodexOAuthCode(code, state);
-        sendJSON(req, res, 200, { success: true, email });
-      } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
-        sendJSON(req, res, 400, { error: e.message });
-      }
-      return;
-    }
     const agentAuthMatch = pathOnly.match(/^\/api\/agents\/([^/]+)\/auth$/);
     if (agentAuthMatch && req.method === 'POST') {
       const agentId = agentAuthMatch[1];
       const agent = discoveredAgents.find(a => a.id === agentId);
       if (!agent) { sendJSON(req, res, 404, { error: 'Agent not found' }); return; }
-      if (agentId === 'codex' || agentId === 'cli-codex') {
-        try {
-          const result = await startCodexOAuth(req);
-          const conversationId = '__agent_auth__';
-          broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
-          broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
-          const pollId = setInterval(() => {
-            if (codexOAuthState.status === 'success') {
-              clearInterval(pollId);
-              const email = codexOAuthState.email || '';
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (codexOAuthState.status === 'error') {
-              clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
-            }
-          }, 1000);
-          setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
-          sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
-          return;
-        } catch (e) {
-          console.error('[codex-oauth] /api/agents/codex/auth failed:', e);
-          sendJSON(req, res, 500, { error: e.message });
-          return;
-        }
-      }
       if (agentId === 'gemini') {
         try {
           const result = await startGeminiOAuth(req);
@@ -3001,6 +2753,55 @@ const server = http.createServer(async (req, res) => {
         }
       }
+      if (agentId === 'codex') {
+        const conversationId = '__agent_auth__';
+        const result = startCodexDeviceAuth();
+        if (result.alreadyRunning) {
+          sendJSON(req, res, 200, { ok: true, agentId, authUrl: codexDeviceAuthState.authUrl, userCode: codexDeviceAuthState.userCode, status: 'pending' });
+          return;
+        }
+        if (result.alreadyAuthenticated) {
+          sendJSON(req, res, 200, { ok: true, agentId, status: 'success' });
+          return;
+        }
+        broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
+        broadcastSync({ type: 'script_output', conversationId, data: '\x1b[36mStarting Codex device authorization...\x1b[0m\r\n', stream: 'stdout', timestamp: Date.now() });
+        const waitForCode = (tries) => {
+          if (tries <= 0) return;
+          if (codexDeviceAuthState.authUrl && codexDeviceAuthState.userCode) {
+            const msg = `\r\nVisit: ${codexDeviceAuthState.authUrl}\r\nEnter code: ${codexDeviceAuthState.userCode}\r\n`;
+            broadcastSync({ type: 'script_output', conversationId, data: msg, stream: 'stdout', timestamp: Date.now() });
+            return;
+          }
+          setTimeout(() => waitForCode(tries - 1), 500);
+        };
+        waitForCode(10);
+        const pollId = setInterval(() => {
+          if (codexDeviceAuthState.status === 'success') {
+            clearInterval(pollId);
+            broadcastSync({ type: 'script_output', conversationId, data: '\r\n\x1b[32mCodex authentication successful\x1b[0m\r\n', stream: 'stdout', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
+          } else if (codexDeviceAuthState.status === 'error') {
+            clearInterval(pollId);
+            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexDeviceAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexDeviceAuthState.error, timestamp: Date.now() });
+          }
+        }, 1500);
+        setTimeout(() => clearInterval(pollId), 5 * 60 * 1000 + 5000);
+        const waitForInfo = (tries) => {
+          if (codexDeviceAuthState.authUrl || tries <= 0) {
+            sendJSON(req, res, 200, { ok: true, agentId, authUrl: codexDeviceAuthState.authUrl, userCode: codexDeviceAuthState.userCode, status: codexDeviceAuthState.status });
+          } else {
+            setTimeout(() => waitForInfo(tries - 1), 400);
+          }
+        };
+        waitForInfo(12);
+        return;
+      }
       const authCommands = {
         'claude-code': { cmd: 'claude', args: ['setup-token'] },
         'opencode': { cmd: 'opencode', args: ['auth', 'login'] },
@@ -4532,8 +4333,7 @@ registerUtilHandlers(wsRouter, {
   broadcastSync, getSpeech, getProviderConfigs, saveProviderConfig,
   startGeminiOAuth, exchangeGeminiOAuthCode,
   geminiOAuthState: () => geminiOAuthState,
-  startCodexOAuth, exchangeCodexOAuthCode,
-  codexOAuthState: () => codexOAuthState,
+  startCodexDeviceAuth, codexDeviceAuthState: () => codexDeviceAuthState,
   STARTUP_CWD, activeScripts, voiceCacheManager, toolManager, discoveredAgents
 });

package/static/js/agent-auth.js CHANGED Viewed

@@ -128,6 +128,7 @@
   function closeDropdown() { dropdown.classList.remove('open'); editingProvider = null; }
   var oauthPollInterval = null, oauthPollTimeout = null, oauthFallbackTimer = null;
+  var codexPollInterval = null, codexPollTimeout = null;
   function cleanupOAuthPolling() {
     if (oauthPollInterval) { clearInterval(oauthPollInterval); oauthPollInterval = null; }
@@ -135,6 +136,96 @@
     if (oauthFallbackTimer) { clearTimeout(oauthFallbackTimer); oauthFallbackTimer = null; }
   }
+  function cleanupCodexPolling() {
+    if (codexPollInterval) { clearInterval(codexPollInterval); codexPollInterval = null; }
+    if (codexPollTimeout) { clearTimeout(codexPollTimeout); codexPollTimeout = null; }
+  }
+  function removeCodexModal() {
+    var el = document.getElementById('codexDeviceModal');
+    if (el) el.remove();
+  }
+  function showCodexDeviceModal(authUrl, userCode) {
+    removeCodexModal();
+    var overlay = document.createElement('div');
+    overlay.id = 'codexDeviceModal';
+    overlay.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.7);display:flex;align-items:center;justify-content:center;z-index:9999;';
+    var displayUrl = authUrl || 'https://auth.openai.com/codex/device';
+    var displayCode = userCode || '';
+    overlay.innerHTML = '<div style="background:var(--color-bg-secondary,#1f2937);border-radius:1rem;padding:2rem;max-width:30rem;width:calc(100% - 2rem);box-shadow:0 25px 50px rgba(0,0,0,0.5);color:var(--color-text-primary,white);font-family:system-ui,sans-serif;" onclick="event.stopPropagation()">' +
+      '<div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:1.25rem;">' +
+      '<h2 style="font-size:1.125rem;font-weight:700;margin:0;">Codex Sign-In</h2>' +
+      '<button id="codexModalClose" style="background:none;border:none;color:var(--color-text-secondary,#9ca3af);font-size:1.5rem;cursor:pointer;padding:0;line-height:1;">\u00d7</button></div>' +
+      '<div id="codexModalContent" style="text-align:center;">' +
+      '<div style="font-size:2rem;margin-bottom:1rem;animation:pulse 2s infinite;">&#9203;</div>' +
+      '<p style="font-size:0.85rem;color:var(--color-text-secondary,#d1d5db);margin:0 0 1rem;">Follow these steps to sign in with your OpenAI account:</p>' +
+      '<div style="margin-bottom:1rem;">' +
+      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0 0 0.5rem;text-align:left;">1. Open this link in your browser:</p>' +
+      '<div style="display:flex;gap:0.5rem;align-items:center;">' +
+      '<a href="' + esc(displayUrl) + '" target="_blank" style="flex:1;padding:0.5rem 0.75rem;background:var(--color-primary,#3b82f6);color:white;text-decoration:none;border-radius:0.375rem;font-size:0.8rem;font-weight:600;text-align:center;">Open Sign-In Page</a>' +
+      '</div></div>' +
+      '<div style="margin-bottom:1.25rem;">' +
+      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0 0 0.5rem;text-align:left;">2. Enter this one-time code:</p>' +
+      '<div style="display:flex;gap:0.5rem;align-items:center;">' +
+      '<div id="codexUserCode" style="flex:1;padding:0.625rem;background:var(--color-bg-primary,#111827);border:2px solid var(--color-primary,#3b82f6);border-radius:0.5rem;font-family:monospace;font-size:1.25rem;font-weight:700;letter-spacing:0.15em;text-align:center;">' + esc(displayCode) + '</div>' +
+      '<button id="codexCopyBtn" style="padding:0.5rem 0.75rem;background:var(--color-bg-primary,#374151);border:1px solid var(--color-border,#4b5563);border-radius:0.375rem;color:var(--color-text-primary,white);font-size:0.75rem;cursor:pointer;flex-shrink:0;">Copy</button>' +
+      '</div></div>' +
+      '<p style="font-size:0.75rem;color:var(--color-text-secondary,#6b7280);margin:0;">This dialog will close automatically when sign-in completes.</p>' +
+      '</div>' +
+      '<div id="codexModalSuccess" style="display:none;text-align:center;padding:1rem 0;">' +
+      '<div style="font-size:3rem;color:#10b981;margin-bottom:0.75rem;">&#10003;</div>' +
+      '<p style="font-weight:600;margin:0 0 0.25rem;">Authentication Successful</p>' +
+      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0;">Codex CLI is now authenticated.</p>' +
+      '</div>' +
+      '<div style="margin-top:1.25rem;">' +
+      '<button id="codexModalCancel" style="width:100%;padding:0.625rem;border-radius:0.5rem;border:1px solid var(--color-border,#4b5563);background:transparent;color:var(--color-text-primary,white);font-size:0.8rem;cursor:pointer;font-weight:600;">Cancel</button></div>' +
+      '<style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:0.5}}</style></div>';
+    document.body.appendChild(overlay);
+    var dismiss = function() { cleanupCodexPolling(); authRunning = false; removeCodexModal(); };
+    document.getElementById('codexModalClose').addEventListener('click', dismiss);
+    document.getElementById('codexModalCancel').addEventListener('click', dismiss);
+    var copyBtn = document.getElementById('codexCopyBtn');
+    if (copyBtn && displayCode) {
+      copyBtn.addEventListener('click', function(e) {
+        e.stopPropagation();
+        navigator.clipboard.writeText(displayCode).then(function() {
+          copyBtn.textContent = 'Copied!';
+          setTimeout(function() { copyBtn.textContent = 'Copy'; }, 2000);
+        }).catch(function() {});
+      });
+    }
+    cleanupCodexPolling();
+    codexPollInterval = setInterval(function() {
+      window.wsClient.rpc('codex.status')
+        .then(function(st) {
+          if (st.status === 'success') {
+            cleanupCodexPolling();
+            authRunning = false;
+            var content = document.getElementById('codexModalContent');
+            var success = document.getElementById('codexModalSuccess');
+            var cancel = document.getElementById('codexModalCancel');
+            if (content) content.style.display = 'none';
+            if (success) success.style.display = 'block';
+            if (cancel) cancel.textContent = 'Close';
+            setTimeout(function() { removeCodexModal(); refresh(); }, 2500);
+          } else if (st.status === 'error') {
+            cleanupCodexPolling();
+            authRunning = false;
+            removeCodexModal();
+            refresh();
+          }
+        }).catch(function() {});
+    }, 1500);
+    codexPollTimeout = setTimeout(function() {
+      cleanupCodexPolling();
+      if (authRunning) { authRunning = false; removeCodexModal(); }
+    }, 5 * 60 * 1000);
+  }
   function showOAuthWaitingModal() {
     removeOAuthModal();
     var overlay = document.createElement('div');
@@ -217,6 +308,19 @@
   function triggerAuth(agentId) {
     if (authRunning) return;
+    if (agentId === 'codex') {
+      authRunning = true;
+      window.wsClient.rpc('codex.start')
+        .then(function(data) {
+          if (data.status === 'success') {
+            authRunning = false;
+            refresh();
+            return;
+          }
+          showCodexDeviceModal(data.authUrl, data.userCode);
+        }).catch(function() { authRunning = false; });
+      return;
+    }
     window.wsClient.rpc('agent.auth', { id: agentId })
       .then(function(data) {
         if (data.ok) {
@@ -271,6 +375,8 @@
       authRunning = false;
       removeOAuthModal();
       cleanupOAuthPolling();
+      cleanupCodexPolling();
+      removeCodexModal();
       var term = getTerminal();
       var msg = data.error ? data.error : ('exited with code ' + (data.code || 0));
       if (term) term.writeln('\r\n\x1b[90m[auth ' + msg + ']\x1b[0m');