agentgui 1.0.702 → 1.0.703

package/server.js

@@ -696,96 +696,6 @@ const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
 let geminiOAuthState = { status: 'idle', error: null, email: null };
 let geminiOAuthPending = null;
 
-const CODEX_AUTH_FILE = path.join(os.homedir(), '.codex', 'auth.json');
-let codexDeviceAuthState = { status: 'idle', error: null, userCode: null, authUrl: null };
-let codexDeviceAuthProcess = null;
-
-function getCodexAuthStatus() {
-  try {
-    if (fs.existsSync(CODEX_AUTH_FILE)) {
-      const creds = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf-8'));
-      if (creds.auth_mode === 'oauth' || creds.access_token || creds.refresh_token) {
-        return { authenticated: true, detail: creds.email || 'oauth' };
-      }
-      if (creds.auth_mode === 'apikey' && creds.OPENAI_API_KEY) {
-        return { authenticated: true, detail: 'api-key' };
-      }
-    }
-  } catch (_) {}
-  return { authenticated: false, detail: 'no credentials' };
-}
-
-function startCodexDeviceAuth() {
-  if (codexDeviceAuthProcess) {
-    return { alreadyRunning: true };
-  }
-  const codexStatus = getCodexAuthStatus();
-  if (codexStatus.authenticated) {
-    codexDeviceAuthState = { status: 'success', error: null, userCode: null, authUrl: null };
-    return { alreadyAuthenticated: true };
-  }
-  codexDeviceAuthState = { status: 'pending', error: null, userCode: null, authUrl: null };
-  const child = spawn('npx', ['@openai/codex', 'login', '--device-auth'], {
-    stdio: ['ignore', 'pipe', 'pipe'],
-    env: { ...process.env, FORCE_COLOR: '0', NO_COLOR: '1' },
-    shell: os.platform() === 'win32',
-  });
-  codexDeviceAuthProcess = child;
-
-  const onData = (chunk) => {
-    const text = chunk.toString().replace(/\x1b\[[0-9;]*m/g, '');
-    const urlMatch = text.match(/https:\/\/auth\.openai\.com\/codex\/device[^\s]*/);
-    const codeMatch = text.match(/\b([0-9A-Z]{4}-[0-9A-Z]{5})\b/);
-    if (urlMatch && !codexDeviceAuthState.authUrl) codexDeviceAuthState.authUrl = urlMatch[0];
-    if (codeMatch && !codexDeviceAuthState.userCode) codexDeviceAuthState.userCode = codeMatch[1];
-  };
-  child.stdout.on('data', onData);
-  child.stderr.on('data', onData);
-
-  const authFileWatcher = fs.watchFile ? null : null;
-  const pollInterval = setInterval(() => {
-    const st = getCodexAuthStatus();
-    if (st.authenticated) {
-      clearInterval(pollInterval);
-      clearTimeout(timeoutId);
-      codexDeviceAuthState = { status: 'success', error: null, userCode: codexDeviceAuthState.userCode, authUrl: codexDeviceAuthState.authUrl };
-      if (codexDeviceAuthProcess) { try { codexDeviceAuthProcess.kill('SIGTERM'); } catch (_) {} codexDeviceAuthProcess = null; }
-    }
-  }, 1500);
-
-  const timeoutId = setTimeout(() => {
-    clearInterval(pollInterval);
-    if (codexDeviceAuthState.status === 'pending') {
-      codexDeviceAuthState = { status: 'error', error: 'Authentication timed out', userCode: null, authUrl: null };
-    }
-    if (codexDeviceAuthProcess) { try { codexDeviceAuthProcess.kill('SIGTERM'); } catch (_) {} codexDeviceAuthProcess = null; }
-  }, 5 * 60 * 1000);
-
-  child.on('error', (e) => {
-    clearInterval(pollInterval);
-    clearTimeout(timeoutId);
-    codexDeviceAuthState = { status: 'error', error: e.message, userCode: null, authUrl: null };
-    codexDeviceAuthProcess = null;
-  });
-  child.on('close', (code) => {
-    clearInterval(pollInterval);
-    clearTimeout(timeoutId);
-    codexDeviceAuthProcess = null;
-    if (codexDeviceAuthState.status === 'pending') {
-      if (code === 0) {
-        const st = getCodexAuthStatus();
-        codexDeviceAuthState = st.authenticated
-          ? { status: 'success', error: null, userCode: codexDeviceAuthState.userCode, authUrl: codexDeviceAuthState.authUrl }
-          : { status: 'error', error: 'Process exited without saving credentials', userCode: null, authUrl: null };
-      } else {
-        codexDeviceAuthState = { status: 'error', error: 'Authentication cancelled', userCode: null, authUrl: null };
-      }
-    }
-  });
-
-  return { started: true };
-}
-
 function buildBaseUrl(req) {
   const override = process.env.AGENTGUI_BASE_URL;
   if (override) return override.replace(/\/+$/, '');
@@ -1039,6 +949,238 @@ function getGeminiOAuthStatus() {
   return null;
 }
 
+const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
+const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
+const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
+const CODEX_OAUTH_PORT = 1455;
+
+let codexOAuthState = { status: 'idle', error: null, email: null };
+let codexOAuthPending = null;
+
+function generatePkce() {
+  const verifierBytes = crypto.randomBytes(64);
+  const codeVerifier = verifierBytes.toString('base64url');
+  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = challengeBytes.toString('base64url');
+  return { codeVerifier, codeChallenge };
+}
+
+function parseJwtEmail(jwt) {
+  try {
+    const parts = jwt.split('.');
+    if (parts.length < 2) return '';
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    return payload.email || payload['https://api.openai.com/profile']?.email || '';
+  } catch (_) { return ''; }
+}
+
+function saveCodexCredentials(tokens) {
+  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
+  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
+  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
+}
+
+function getCodexOAuthStatus() {
+  try {
+    if (fs.existsSync(CODEX_AUTH_FILE)) {
+      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
+      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
+        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+async function startCodexOAuth(req) {
+  const remote = isRemoteRequest(req);
+  const redirectUri = remote
+    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
+    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
+
+  const pkce = generatePkce();
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: CODEX_CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: CODEX_SCOPES,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: 'S256',
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    state,
+  });
+
+  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
+  const mode = remote ? 'remote' : 'local';
+
+  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
+  codexOAuthState = { status: 'pending', error: null, email: null };
+
+  setTimeout(() => {
+    if (codexOAuthState.status === 'pending') {
+      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      codexOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+
+  return { authUrl, mode };
+}
+
+async function exchangeCodexOAuthCode(code, stateParam) {
+  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+
+  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+
+  if (csrfToken !== expectedCsrf) {
+    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    codexOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+
+  if (!code) {
+    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    codexOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: redirectUri,
+    client_id: CODEX_CLIENT_ID,
+    code_verifier: pkce.codeVerifier,
+  });
+
+  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text();
+    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
+    codexOAuthPending = null;
+    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+  }
+
+  const tokens = await resp.json();
+  const email = parseJwtEmail(tokens.id_token || '');
+
+  saveCodexCredentials(tokens);
+  codexOAuthState = { status: 'success', error: null, email };
+  codexOAuthPending = null;
+
+  return email;
+}
+
+function codexOAuthResultPage(title, message, success) {
+  const color = success ? '#10b981' : '#ef4444';
+  const icon = success ? '&#10003;' : '&#10007;';
+  return `<!DOCTYPE html><html><head><title>${title}</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div style="text-align:center;max-width:400px;padding:2rem;">
+<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
+<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
+<p style="color:#9ca3af;">${message}</p>
+<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
+</div></body></html>`;
+}
+
+function codexOAuthRelayPage(code, state, error) {
+  const stateData = decodeOAuthState(state || '');
+  const relayUrl = stateData.relayUrl || '';
+  const escapedCode = (code || '').replace(/['"\\]/g, '');
+  const escapedState = (state || '').replace(/['"\\]/g, '');
+  const escapedError = (error || '').replace(/['"\\]/g, '');
+  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
+  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
+<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
+<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
+<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
+</div>
+<script>
+(function() {
+  var code = '${escapedCode}';
+  var state = '${escapedState}';
+  var error = '${escapedError}';
+  var relayUrl = '${escapedRelay}';
+  function show(icon, title, msg, color) {
+    document.getElementById('spinner').textContent = icon;
+    document.getElementById('spinner').style.color = color;
+    document.getElementById('title').textContent = title;
+    document.getElementById('msg').textContent = msg;
+  }
+  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
+  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
+  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
+  fetch(relayUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ code: code, state: state })
+  }).then(function(r) { return r.json(); }).then(function(data) {
+    if (data.success) {
+      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
+    } else {
+      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
+    }
+  }).catch(function(e) {
+    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
+  });
+})();
+</script>
+</body></html>`;
+}
+
+async function handleCodexOAuthCallback(req, res) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+
+  if (error) {
+    const desc = errorDesc || error;
+    codexOAuthState = { status: 'error', error: desc, email: null };
+    codexOAuthPending = null;
+  }
+
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+
+  if (!codexOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeCodexOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1127,6 +1269,13 @@ function getProviderConfigs() {
         continue;
       }
     }
+    if (providerId === 'codex') {
+      const oauthStatus = getCodexOAuthStatus();
+      if (oauthStatus) {
+        configs[providerId] = { name: config.name, ...oauthStatus };
+        continue;
+      }
+    }
     for (const configPath of config.configPaths) {
       try {
         if (fs.existsSync(configPath)) {
@@ -1257,6 +1406,11 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
+      await handleCodexOAuthCallback(req, res);
+      return;
+    }
+
     if (pathOnly === '/api/conversations' && req.method === 'GET') {
       const conversations = queries.getConversationsList();
       // Filter out stale streaming state using a single bulk query instead of N+1 per-conversation queries
@@ -2267,10 +2421,6 @@ const server = http.createServer(async (req, res) => {
             } else {
               status.detail = 'no credentials';
             }
-          } else if (agent.id === 'codex') {
-            const codexSt = getCodexAuthStatus();
-            status.authenticated = codexSt.authenticated;
-            status.detail = codexSt.detail;
           } else {
             status.detail = 'unknown';
           }
@@ -2716,12 +2866,110 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
+      try {
+        const result = await startCodexOAuth(req);
+        sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
+      } catch (e) {
+        console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
+        sendJSON(req, res, 500, { error: e.message });
+      }
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
+      sendJSON(req, res, 200, codexOAuthState);
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/relay' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const { code, state: stateParam } = body;
+        if (!code || !stateParam) {
+          sendJSON(req, res, 400, { error: 'Missing code or state' });
+          return;
+        }
+        const email = await exchangeCodexOAuthCode(code, stateParam);
+        sendJSON(req, res, 200, { success: true, email });
+      } catch (e) {
+        codexOAuthState = { status: 'error', error: e.message, email: null };
+        codexOAuthPending = null;
+        sendJSON(req, res, 400, { error: e.message });
+      }
+      return;
+    }
+
+    if (pathOnly === '/api/codex-oauth/complete' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const pastedUrl = (body.url || '').trim();
+        if (!pastedUrl) {
+          sendJSON(req, res, 400, { error: 'No URL provided' });
+          return;
+        }
+        let parsed;
+        try { parsed = new URL(pastedUrl); } catch (_) {
+          sendJSON(req, res, 400, { error: 'Invalid URL. Paste the full URL from the browser address bar.' });
+          return;
+        }
+        const error = parsed.searchParams.get('error');
+        if (error) {
+          const desc = parsed.searchParams.get('error_description') || error;
+          codexOAuthState = { status: 'error', error: desc, email: null };
+          codexOAuthPending = null;
+          sendJSON(req, res, 200, { error: desc });
+          return;
+        }
+        const code = parsed.searchParams.get('code');
+        const state = parsed.searchParams.get('state');
+        const email = await exchangeCodexOAuthCode(code, state);
+        sendJSON(req, res, 200, { success: true, email });
+      } catch (e) {
+        codexOAuthState = { status: 'error', error: e.message, email: null };
+        codexOAuthPending = null;
+        sendJSON(req, res, 400, { error: e.message });
+      }
+      return;
+    }
+
     const agentAuthMatch = pathOnly.match(/^\/api\/agents\/([^/]+)\/auth$/);
     if (agentAuthMatch && req.method === 'POST') {
       const agentId = agentAuthMatch[1];
       const agent = discoveredAgents.find(a => a.id === agentId);
       if (!agent) { sendJSON(req, res, 404, { error: 'Agent not found' }); return; }
 
+      if (agentId === 'codex' || agentId === 'cli-codex') {
+        try {
+          const result = await startCodexOAuth(req);
+          const conversationId = '__agent_auth__';
+          broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
+          broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
+
+          const pollId = setInterval(() => {
+            if (codexOAuthState.status === 'success') {
+              clearInterval(pollId);
+              const email = codexOAuthState.email || '';
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
+            } else if (codexOAuthState.status === 'error') {
+              clearInterval(pollId);
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
+            }
+          }, 1000);
+
+          setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
+
+          sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
+          return;
+        } catch (e) {
+          console.error('[codex-oauth] /api/agents/codex/auth failed:', e);
+          sendJSON(req, res, 500, { error: e.message });
+          return;
+        }
+      }
+
       if (agentId === 'gemini') {
         try {
           const result = await startGeminiOAuth(req);
@@ -2753,55 +3001,6 @@ const server = http.createServer(async (req, res) => {
         }
       }
 
-      if (agentId === 'codex') {
-        const conversationId = '__agent_auth__';
-        const result = startCodexDeviceAuth();
-        if (result.alreadyRunning) {
-          sendJSON(req, res, 200, { ok: true, agentId, authUrl: codexDeviceAuthState.authUrl, userCode: codexDeviceAuthState.userCode, status: 'pending' });
-          return;
-        }
-        if (result.alreadyAuthenticated) {
-          sendJSON(req, res, 200, { ok: true, agentId, status: 'success' });
-          return;
-        }
-        broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
-        broadcastSync({ type: 'script_output', conversationId, data: '\x1b[36mStarting Codex device authorization...\x1b[0m\r\n', stream: 'stdout', timestamp: Date.now() });
-
-        const waitForCode = (tries) => {
-          if (tries <= 0) return;
-          if (codexDeviceAuthState.authUrl && codexDeviceAuthState.userCode) {
-            const msg = `\r\nVisit: ${codexDeviceAuthState.authUrl}\r\nEnter code: ${codexDeviceAuthState.userCode}\r\n`;
-            broadcastSync({ type: 'script_output', conversationId, data: msg, stream: 'stdout', timestamp: Date.now() });
-            return;
-          }
-          setTimeout(() => waitForCode(tries - 1), 500);
-        };
-        waitForCode(10);
-
-        const pollId = setInterval(() => {
-          if (codexDeviceAuthState.status === 'success') {
-            clearInterval(pollId);
-            broadcastSync({ type: 'script_output', conversationId, data: '\r\n\x1b[32mCodex authentication successful\x1b[0m\r\n', stream: 'stdout', timestamp: Date.now() });
-            broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-          } else if (codexDeviceAuthState.status === 'error') {
-            clearInterval(pollId);
-            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexDeviceAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-            broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexDeviceAuthState.error, timestamp: Date.now() });
-          }
-        }, 1500);
-        setTimeout(() => clearInterval(pollId), 5 * 60 * 1000 + 5000);
-
-        const waitForInfo = (tries) => {
-          if (codexDeviceAuthState.authUrl || tries <= 0) {
-            sendJSON(req, res, 200, { ok: true, agentId, authUrl: codexDeviceAuthState.authUrl, userCode: codexDeviceAuthState.userCode, status: codexDeviceAuthState.status });
-          } else {
-            setTimeout(() => waitForInfo(tries - 1), 400);
-          }
-        };
-        waitForInfo(12);
-        return;
-      }
-
       const authCommands = {
         'claude-code': { cmd: 'claude', args: ['setup-token'] },
         'opencode': { cmd: 'opencode', args: ['auth', 'login'] },
@@ -4333,7 +4532,8 @@ registerUtilHandlers(wsRouter, {
   broadcastSync, getSpeech, getProviderConfigs, saveProviderConfig,
   startGeminiOAuth, exchangeGeminiOAuthCode,
   geminiOAuthState: () => geminiOAuthState,
-  startCodexDeviceAuth, codexDeviceAuthState: () => codexDeviceAuthState,
+  startCodexOAuth, exchangeCodexOAuthCode,
+  codexOAuthState: () => codexOAuthState,
   STARTUP_CWD, activeScripts, voiceCacheManager, toolManager, discoveredAgents
 });
 

package/static/js/agent-auth.js

@@ -128,7 +128,6 @@
   function closeDropdown() { dropdown.classList.remove('open'); editingProvider = null; }
 
   var oauthPollInterval = null, oauthPollTimeout = null, oauthFallbackTimer = null;
-  var codexPollInterval = null, codexPollTimeout = null;
 
   function cleanupOAuthPolling() {
     if (oauthPollInterval) { clearInterval(oauthPollInterval); oauthPollInterval = null; }
@@ -136,96 +135,6 @@
     if (oauthFallbackTimer) { clearTimeout(oauthFallbackTimer); oauthFallbackTimer = null; }
   }
 
-  function cleanupCodexPolling() {
-    if (codexPollInterval) { clearInterval(codexPollInterval); codexPollInterval = null; }
-    if (codexPollTimeout) { clearTimeout(codexPollTimeout); codexPollTimeout = null; }
-  }
-
-  function removeCodexModal() {
-    var el = document.getElementById('codexDeviceModal');
-    if (el) el.remove();
-  }
-
-  function showCodexDeviceModal(authUrl, userCode) {
-    removeCodexModal();
-    var overlay = document.createElement('div');
-    overlay.id = 'codexDeviceModal';
-    overlay.style.cssText = 'position:fixed;inset:0;background:rgba(0,0,0,0.7);display:flex;align-items:center;justify-content:center;z-index:9999;';
-    var displayUrl = authUrl || 'https://auth.openai.com/codex/device';
-    var displayCode = userCode || '';
-    overlay.innerHTML = '<div style="background:var(--color-bg-secondary,#1f2937);border-radius:1rem;padding:2rem;max-width:30rem;width:calc(100% - 2rem);box-shadow:0 25px 50px rgba(0,0,0,0.5);color:var(--color-text-primary,white);font-family:system-ui,sans-serif;" onclick="event.stopPropagation()">' +
-      '<div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:1.25rem;">' +
-      '<h2 style="font-size:1.125rem;font-weight:700;margin:0;">Codex Sign-In</h2>' +
-      '<button id="codexModalClose" style="background:none;border:none;color:var(--color-text-secondary,#9ca3af);font-size:1.5rem;cursor:pointer;padding:0;line-height:1;">\u00d7</button></div>' +
-      '<div id="codexModalContent" style="text-align:center;">' +
-      '<div style="font-size:2rem;margin-bottom:1rem;animation:pulse 2s infinite;">&#9203;</div>' +
-      '<p style="font-size:0.85rem;color:var(--color-text-secondary,#d1d5db);margin:0 0 1rem;">Follow these steps to sign in with your OpenAI account:</p>' +
-      '<div style="margin-bottom:1rem;">' +
-      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0 0 0.5rem;text-align:left;">1. Open this link in your browser:</p>' +
-      '<div style="display:flex;gap:0.5rem;align-items:center;">' +
-      '<a href="' + esc(displayUrl) + '" target="_blank" style="flex:1;padding:0.5rem 0.75rem;background:var(--color-primary,#3b82f6);color:white;text-decoration:none;border-radius:0.375rem;font-size:0.8rem;font-weight:600;text-align:center;">Open Sign-In Page</a>' +
-      '</div></div>' +
-      '<div style="margin-bottom:1.25rem;">' +
-      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0 0 0.5rem;text-align:left;">2. Enter this one-time code:</p>' +
-      '<div style="display:flex;gap:0.5rem;align-items:center;">' +
-      '<div id="codexUserCode" style="flex:1;padding:0.625rem;background:var(--color-bg-primary,#111827);border:2px solid var(--color-primary,#3b82f6);border-radius:0.5rem;font-family:monospace;font-size:1.25rem;font-weight:700;letter-spacing:0.15em;text-align:center;">' + esc(displayCode) + '</div>' +
-      '<button id="codexCopyBtn" style="padding:0.5rem 0.75rem;background:var(--color-bg-primary,#374151);border:1px solid var(--color-border,#4b5563);border-radius:0.375rem;color:var(--color-text-primary,white);font-size:0.75rem;cursor:pointer;flex-shrink:0;">Copy</button>' +
-      '</div></div>' +
-      '<p style="font-size:0.75rem;color:var(--color-text-secondary,#6b7280);margin:0;">This dialog will close automatically when sign-in completes.</p>' +
-      '</div>' +
-      '<div id="codexModalSuccess" style="display:none;text-align:center;padding:1rem 0;">' +
-      '<div style="font-size:3rem;color:#10b981;margin-bottom:0.75rem;">&#10003;</div>' +
-      '<p style="font-weight:600;margin:0 0 0.25rem;">Authentication Successful</p>' +
-      '<p style="font-size:0.8rem;color:var(--color-text-secondary,#9ca3af);margin:0;">Codex CLI is now authenticated.</p>' +
-      '</div>' +
-      '<div style="margin-top:1.25rem;">' +
-      '<button id="codexModalCancel" style="width:100%;padding:0.625rem;border-radius:0.5rem;border:1px solid var(--color-border,#4b5563);background:transparent;color:var(--color-text-primary,white);font-size:0.8rem;cursor:pointer;font-weight:600;">Cancel</button></div>' +
-      '<style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:0.5}}</style></div>';
-    document.body.appendChild(overlay);
-
-    var dismiss = function() { cleanupCodexPolling(); authRunning = false; removeCodexModal(); };
-    document.getElementById('codexModalClose').addEventListener('click', dismiss);
-    document.getElementById('codexModalCancel').addEventListener('click', dismiss);
-
-    var copyBtn = document.getElementById('codexCopyBtn');
-    if (copyBtn && displayCode) {
-      copyBtn.addEventListener('click', function(e) {
-        e.stopPropagation();
-        navigator.clipboard.writeText(displayCode).then(function() {
-          copyBtn.textContent = 'Copied!';
-          setTimeout(function() { copyBtn.textContent = 'Copy'; }, 2000);
-        }).catch(function() {});
-      });
-    }
-
-    cleanupCodexPolling();
-    codexPollInterval = setInterval(function() {
-      window.wsClient.rpc('codex.status')
-        .then(function(st) {
-          if (st.status === 'success') {
-            cleanupCodexPolling();
-            authRunning = false;
-            var content = document.getElementById('codexModalContent');
-            var success = document.getElementById('codexModalSuccess');
-            var cancel = document.getElementById('codexModalCancel');
-            if (content) content.style.display = 'none';
-            if (success) success.style.display = 'block';
-            if (cancel) cancel.textContent = 'Close';
-            setTimeout(function() { removeCodexModal(); refresh(); }, 2500);
-          } else if (st.status === 'error') {
-            cleanupCodexPolling();
-            authRunning = false;
-            removeCodexModal();
-            refresh();
-          }
-        }).catch(function() {});
-    }, 1500);
-    codexPollTimeout = setTimeout(function() {
-      cleanupCodexPolling();
-      if (authRunning) { authRunning = false; removeCodexModal(); }
-    }, 5 * 60 * 1000);
-  }
-
   function showOAuthWaitingModal() {
     removeOAuthModal();
     var overlay = document.createElement('div');
@@ -308,19 +217,6 @@
 
   function triggerAuth(agentId) {
     if (authRunning) return;
-    if (agentId === 'codex') {
-      authRunning = true;
-      window.wsClient.rpc('codex.start')
-        .then(function(data) {
-          if (data.status === 'success') {
-            authRunning = false;
-            refresh();
-            return;
-          }
-          showCodexDeviceModal(data.authUrl, data.userCode);
-        }).catch(function() { authRunning = false; });
-      return;
-    }
     window.wsClient.rpc('agent.auth', { id: agentId })
       .then(function(data) {
         if (data.ok) {
@@ -375,8 +271,6 @@
       authRunning = false;
       removeOAuthModal();
       cleanupOAuthPolling();
-      cleanupCodexPolling();
-      removeCodexModal();
       var term = getTerminal();
       var msg = data.error ? data.error : ('exited with code ' + (data.code || 0));
       if (term) term.writeln('\r\n\x1b[90m[auth ' + msg + ']\x1b[0m');