npm - agentgui - Versions diffs - 1.0.751 → 1.0.753 - Mend

agentgui 1.0.751 → 1.0.753

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/server.js CHANGED Viewed

@@ -10,13 +10,15 @@ import { execSync, spawn } from 'child_process';
 import { LRUCache } from 'lru-cache';
 import { createRequire } from 'module';
 const PKG_VERSION = JSON.parse(fs.readFileSync(new URL('./package.json', import.meta.url), 'utf8')).version;
-import { OAuth2Client } from 'google-auth-library';
 import express from 'express';
 import Busboy from 'busboy';
 import fsbrowse from 'fsbrowse';
 import { queries } from './database.js';
 import { runClaudeWithStreaming } from './lib/claude-runner.js';
 import { initializeDescriptors, getAgentDescriptor } from './lib/agent-descriptors.js';
+import { findCommand, queryACPServerAgents, discoverAgents, discoverExternalACPServers, initializeAgentDiscovery } from './lib/agent-discovery.js';
+import { getGeminiOAuthCreds, startGeminiOAuth, exchangeGeminiOAuthCode, handleGeminiOAuthCallback, getGeminiOAuthStatus, getGeminiOAuthState } from './lib/oauth-gemini.js';
+import { startCodexOAuth, exchangeCodexOAuthCode, handleCodexOAuthCallback, getCodexOAuthStatus, getCodexOAuthState, CODEX_HOME, CODEX_AUTH_FILE } from './lib/oauth-codex.js';
 import { WSOptimizer } from './lib/ws-optimizer.js';
 import { WsRouter } from './lib/ws-protocol.js';
 import { encode as wsEncode } from './lib/codec.js';
@@ -49,14 +51,20 @@ process.on('unhandledRejection', (reason, promise) => {
   if (reason instanceof Error) console.error(reason.stack);
 });
-process.on('SIGINT', () => {
-  console.log('[SIGNAL] SIGINT received - graceful shutdown');
+function gracefulShutdown(signal) {
+  console.log(`[SIGNAL] ${signal} received - graceful shutdown`);
   try { pm2Manager.disconnect(); } catch (_) {}
   if (jsonlWatcher) try { jsonlWatcher.stop(); } catch (_) {}
+  for (const [convId, entry] of activeExecutions) {
+    try { if (entry.pid) process.kill(entry.pid, 'SIGTERM'); } catch (_) {}
+  }
   stopACPTools().catch(() => {}).finally(() => {
     try { wss.close(() => server.close(() => process.exit(0))); } catch (_) { process.exit(0); }
+    setTimeout(() => process.exit(1), 5000);
   });
-});
+}
+process.on('SIGINT', () => gracefulShutdown('SIGINT'));
+process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
 process.on('SIGHUP', () => { console.log('[SIGNAL] SIGHUP received (ignored - uncrashable)'); });
 process.on('beforeExit', (code) => { console.log('[PROCESS] beforeExit with code:', code); });
 process.on('exit', (code) => { console.log('[PROCESS] exit with code:', code); });
@@ -444,180 +452,12 @@ expressApp.use(BASE_URL + '/files/:conversationId', (req, res, next) => {
   router(req, res, next);
 });
-function findCommand(cmd) {
-  const isWindows = os.platform() === 'win32';
-  const localBin = path.join(path.dirname(fileURLToPath(import.meta.url)), 'node_modules', '.bin', isWindows ? cmd + '.cmd' : cmd);
-  if (fs.existsSync(localBin)) {
-    console.log(`[agent-discovery] Found ${cmd} in local node_modules`);
-    return localBin;
-  }
-  try {
-    // Increase timeout to 10 seconds to handle slower systems and running agents
-    const timeoutMs = 10000;
-    if (isWindows) {
-      const result = execSync(`where ${cmd}`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'], timeout: timeoutMs }).trim();
-      if (result) {
-        console.log(`[agent-discovery] Found ${cmd} in PATH`);
-        return result.split('\n')[0].trim();
-      }
-    } else {
-      const result = execSync(`which ${cmd}`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'ignore'], timeout: timeoutMs }).trim();
-      if (result) {
-        console.log(`[agent-discovery] Found ${cmd} in PATH`);
-        return result;
-      }
-    }
-  } catch (err) {
-    console.log(`[agent-discovery] ${cmd} not found or timed out`);
-    return null;
-  }
-  return null;
-}
-async function queryACPServerAgents(baseUrl) {
-  const endpoint = baseUrl.endsWith('/') ? baseUrl + 'agents/search' : baseUrl + '/agents/search';
-  try {
-    const response = await fetch(endpoint, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
-      body: JSON.stringify({}),
-      signal: AbortSignal.timeout(5000)
-    });
-    if (!response.ok) {
-      console.error(`Failed to query ACP agents from ${baseUrl}: ${response.status}`);
-      return [];
-    }
-    const data = await response.json();
-    if (!data?.agents || !Array.isArray(data.agents)) {
-      console.error(`Invalid agents response from ${baseUrl}`);
-      return [];
-    }
-    return data.agents.map(agent => ({
-      id: agent.agent_id || agent.id,
-      name: agent.metadata?.ref?.name || agent.name || 'Unknown Agent',
-      metadata: {
-        ref: {
-          name: agent.metadata?.ref?.name,
-          version: agent.metadata?.ref?.version,
-          url: agent.metadata?.ref?.url,
-          tags: agent.metadata?.ref?.tags
-        },
-        description: agent.metadata?.description,
-        author: agent.metadata?.author,
-        license: agent.metadata?.license
-      },
-      specs: agent.specs ? {
-        capabilities: agent.specs.capabilities,
-        input_schema: agent.specs.input_schema || agent.specs.input,
-        output_schema: agent.specs.output_schema || agent.specs.output,
-        thread_state_schema: agent.specs.thread_state_schema || agent.specs.thread_state,
-        config_schema: agent.specs.config_schema || agent.specs.config,
-        custom_streaming_update_schema: agent.specs.custom_streaming_update_schema || agent.specs.custom_streaming_update
-      } : null,
-      custom_data: agent.custom_data,
-      icon: agent.metadata?.ref?.name?.charAt(0) || 'A',
-      protocol: 'acp',
-      path: baseUrl
-    }));
-  } catch (error) {
-    console.error(`ACP agents query failed for ${baseUrl}: ${error.message}`);
-    return [];
-  }
-}
-function discoverAgents() {
-  const agents = [];
-  const binaries = [
-    { cmd: 'claude', id: 'claude-code', name: 'Claude Code', icon: 'C', protocol: 'cli' },
-    { cmd: 'opencode', id: 'opencode', name: 'OpenCode', icon: 'O', protocol: 'acp', npxPackage: 'opencode-ai' },
-    { cmd: 'gemini', id: 'gemini', name: 'Gemini CLI', icon: 'G', protocol: 'acp', npxPackage: '@google/gemini-cli' },
-    { cmd: 'kilo', id: 'kilo', name: 'Kilo Code', icon: 'K', protocol: 'acp', npxPackage: '@kilocode/cli' },
-    { cmd: 'goose', id: 'goose', name: 'Goose', icon: 'g', protocol: 'acp' },
-    { cmd: 'openhands', id: 'openhands', name: 'OpenHands', icon: 'H', protocol: 'acp' },
-    { cmd: 'augment', id: 'augment', name: 'Augment Code', icon: 'A', protocol: 'acp' },
-    { cmd: 'cline', id: 'cline', name: 'Cline', icon: 'c', protocol: 'acp' },
-    { cmd: 'kimi', id: 'kimi', name: 'Kimi CLI', icon: 'K', protocol: 'acp' },
-    { cmd: 'qwen-code', id: 'qwen', name: 'Qwen Code', icon: 'Q', protocol: 'acp' },
-    { cmd: 'codex', id: 'codex', name: 'Codex CLI', icon: 'X', protocol: 'acp', npxPackage: '@openai/codex' },
-    { cmd: 'mistral-vibe', id: 'mistral', name: 'Mistral Vibe', icon: 'M', protocol: 'acp' },
-    { cmd: 'kiro', id: 'kiro', name: 'Kiro CLI', icon: 'k', protocol: 'acp' },
-    { cmd: 'fast-agent', id: 'fast-agent', name: 'fast-agent', icon: 'F', protocol: 'acp' },
-  ];
-  for (const bin of binaries) {
-    const result = findCommand(bin.cmd);
-    if (result) {
-      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: result, protocol: bin.protocol });
-    } else if (bin.npxPackage) {
-      // For npx-launchable packages (including claude-code as fallback)
-      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: null, protocol: bin.protocol, npxPackage: bin.npxPackage, npxLaunchable: true });
-    } else if (bin.id === 'claude-code') {
-      // Ensure Claude Code is always available as an npx-launchable agent
-      agents.push({ id: bin.id, name: bin.name, icon: bin.icon, path: null, protocol: bin.protocol, npxPackage: '@anthropic-ai/claude-code', npxLaunchable: true });
-    }
-  }
-  // Add CLI tool wrappers for ACP agents (these map CLI commands to plugin sub-agents)
-  // These allow users to select "OpenCode", "Gemini", etc. and then pick a model/variant
-  const cliWrappers = [
-    { id: 'cli-opencode', name: 'OpenCode', icon: 'O', protocol: 'cli-wrapper', acpId: 'opencode' },
-    { id: 'cli-gemini', name: 'Gemini', icon: 'G', protocol: 'cli-wrapper', acpId: 'gemini' },
-    { id: 'cli-kilo', name: 'Kilo', icon: 'K', protocol: 'cli-wrapper', acpId: 'kilo' },
-    { id: 'cli-codex', name: 'Codex', icon: 'X', protocol: 'cli-wrapper', acpId: 'codex' },
-  ];
-  // Only add CLI wrappers for agents that are already discovered
-  console.log('[discoverAgents] Found agents:', agents.map(a => a.id).join(', '));
-  for (const wrapper of cliWrappers) {
-    if (agents.some(a => a.id === wrapper.acpId)) {
-      console.log(`[discoverAgents] Adding CLI wrapper for ${wrapper.id}`);
-      agents.push(wrapper);
-      console.log(`[discoverAgents] After push, agents.length = ${agents.length}, includes ${wrapper.id}? ${agents.some(a => a.id === wrapper.id)}`);
-    } else {
-      console.log(`[discoverAgents] Skipping CLI wrapper ${wrapper.id} (ACP agent ${wrapper.acpId} not found)`);
-    }
-  }
-  // Remove raw ACP agents that have a cli-wrapper (avoid duplicates in UI)
-  const wrappedAcpIds = new Set(cliWrappers.filter(w => agents.some(a => a.id === w.acpId)).map(w => w.acpId));
-  const filtered = agents.filter(a => !wrappedAcpIds.has(a.id));
-  console.log('[discoverAgents] Final agent count:', filtered.length, 'Agent IDs:', filtered.map(a => a.id).join(', '));
-  return filtered;
-}
-// Function to discover agents from external ACP servers
-async function discoverExternalACPServers() {
-  const externalAgents = [];
-  for (const agent of discoveredAgents.filter(a => a.protocol === 'acp' && a.acpPort)) {
-    try {
-      const agents = await queryACPServerAgents(`http://localhost:${agent.acpPort}`);
-      externalAgents.push(...agents);
-    } catch (_) {}
-  }
-  return externalAgents;
-}
 let discoveredAgents = [];
 initializeDescriptors(discoveredAgents);
-// Agent discovery happens asynchronously in background to not block startup
-async function initializeAgentDiscovery() {
-  try {
-    const agents = discoverAgents();
-    // Mutate the existing array instead of reassigning to preserve closure references in handlers
-    discoveredAgents.length = 0;
-    discoveredAgents.push(...agents);
-    initializeDescriptors(discoveredAgents);
-    console.log('[AGENTS] Discovered:', discoveredAgents.map(a => ({ id: a.id, found: !!a.path, protocol: a.protocol })));
-    console.log('[AGENTS] Total count:', discoveredAgents.length);
-  } catch (err) {
-    console.error('[AGENTS] Discovery error:', err.message);
-    logError('initializeAgentDiscovery', err);
-  }
-}
-// Start immediately but don't wait for it
 const startTime = Date.now();
-initializeAgentDiscovery().then(() => {
+initializeAgentDiscovery(discoveredAgents, rootDir, logError).then(() => {
+  initializeDescriptors(discoveredAgents);
   console.log('[INIT] initializeAgentDiscovery completed in', Date.now() - startTime, 'ms');
 }).catch(() => {});
@@ -644,551 +484,6 @@ async function getModelsForAgent(agentId) {
   return models;
 }
-const GEMINI_SCOPES = [
-  'https://www.googleapis.com/auth/cloud-platform',
-  'https://www.googleapis.com/auth/userinfo.email',
-  'https://www.googleapis.com/auth/userinfo.profile',
-];
-function extractOAuthFromFile(oauth2Path) {
-  try {
-    const src = fs.readFileSync(oauth2Path, 'utf8');
-    const idMatch = src.match(/OAUTH_CLIENT_ID\s*=\s*['"]([^'"]+)['"]/);
-    const secretMatch = src.match(/OAUTH_CLIENT_SECRET\s*=\s*['"]([^'"]+)['"]/);
-    if (idMatch && secretMatch) return { clientId: idMatch[1], clientSecret: secretMatch[1] };
-  } catch {}
-  return null;
-}
-function getGeminiOAuthCreds() {
-  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
-    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
-  }
-  const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
-  try {
-    const geminiPath = findCommand('gemini');
-    if (geminiPath) {
-      const realPath = fs.realpathSync(geminiPath);
-      const pkgRoot = path.resolve(path.dirname(realPath), '..');
-      const result = extractOAuthFromFile(path.join(pkgRoot, oauthRelPath));
-      if (result) return result;
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] gemini lookup failed:', e.message);
-  }
-  try {
-    const npmCacheDirs = new Set();
-    const addDir = (d) => { if (d) npmCacheDirs.add(path.join(d, '_npx')); };
-    addDir(path.join(os.homedir(), '.npm'));
-    addDir(path.join(os.homedir(), '.cache', '.npm'));
-    if (process.env.NPM_CACHE) addDir(process.env.NPM_CACHE);
-    if (process.env.npm_config_cache) addDir(process.env.npm_config_cache);
-    try { addDir(execSync('npm config get cache', { encoding: 'utf8', timeout: 5000 }).trim()); } catch {}
-    for (const cacheDir of npmCacheDirs) {
-      if (!fs.existsSync(cacheDir)) continue;
-      for (const d of fs.readdirSync(cacheDir).filter(d => !d.startsWith('.'))) {
-        const result = extractOAuthFromFile(path.join(cacheDir, d, oauthRelPath));
-        if (result) return result;
-      }
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] npm cache scan failed:', e.message);
-  }
-  console.error('[gemini-oauth] Could not find Gemini CLI OAuth credentials in any known location');
-  return null;
-}
-const GEMINI_DIR = path.join(os.homedir(), '.gemini');
-const GEMINI_OAUTH_FILE = path.join(GEMINI_DIR, 'oauth_creds.json');
-const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
-let geminiOAuthState = { status: 'idle', error: null, email: null };
-let geminiOAuthPending = null;
-function buildBaseUrl(req) {
-  const override = process.env.AGENTGUI_BASE_URL;
-  if (override) return override.replace(/\/+$/, '');
-  const fwdProto = req.headers['x-forwarded-proto'];
-  const fwdHost = req.headers['x-forwarded-host'] || req.headers['host'];
-  if (fwdHost) {
-    const proto = fwdProto || (req.socket.encrypted ? 'https' : 'http');
-    const cleanHost = fwdHost.replace(/:443$/, '').replace(/:80$/, '');
-    return `${proto}://${cleanHost}`;
-  }
-  return `http://127.0.0.1:${PORT}`;
-}
-function saveGeminiCredentials(tokens, email) {
-  if (!fs.existsSync(GEMINI_DIR)) fs.mkdirSync(GEMINI_DIR, { recursive: true });
-  fs.writeFileSync(GEMINI_OAUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(GEMINI_OAUTH_FILE, 0o600); } catch (_) {}
-  let accounts = { active: null, old: [] };
-  try {
-    if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-      accounts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-    }
-  } catch (_) {}
-  if (email) {
-    if (accounts.active && accounts.active !== email && !accounts.old.includes(accounts.active)) {
-      accounts.old.push(accounts.active);
-    }
-    accounts.active = email;
-  }
-  fs.writeFileSync(GEMINI_ACCOUNTS_FILE, JSON.stringify(accounts, null, 2), { mode: 0o600 });
-}
-function geminiOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-function encodeOAuthState(csrfToken, relayUrl) {
-  const payload = JSON.stringify({ t: csrfToken, r: relayUrl });
-  return Buffer.from(payload).toString('base64url');
-}
-function decodeOAuthState(stateStr) {
-  try {
-    const payload = JSON.parse(Buffer.from(stateStr, 'base64url').toString());
-    return { csrfToken: payload.t, relayUrl: payload.r };
-  } catch (_) {
-    return { csrfToken: stateStr, relayUrl: null };
-  }
-}
-function geminiOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-function isRemoteRequest(req) {
-  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
-}
-async function startGeminiOAuth(req) {
-  const creds = getGeminiOAuthCreds();
-  if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
-  const useCustomClient = !!creds.custom;
-  const remote = isRemoteRequest(req);
-  let redirectUri;
-  if (useCustomClient && req) {
-    redirectUri = `${buildBaseUrl(req)}${BASE_URL}/oauth2callback`;
-  } else {
-    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
-  }
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = req ? `${buildBaseUrl(req)}${BASE_URL}/api/gemini-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-  const client = new OAuth2Client({
-    clientId: creds.clientId,
-    clientSecret: creds.clientSecret,
-  });
-  const authUrl = client.generateAuthUrl({
-    redirect_uri: redirectUri,
-    access_type: 'offline',
-    scope: GEMINI_SCOPES,
-    state,
-  });
-  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
-  geminiOAuthPending = { client, redirectUri, state: csrfToken };
-  geminiOAuthState = { status: 'pending', error: null, email: null };
-  setTimeout(() => {
-    if (geminiOAuthState.status === 'pending') {
-      geminiOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      geminiOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-  return { authUrl, mode };
-}
-async function exchangeGeminiOAuthCode(code, stateParam) {
-  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-  const { client, redirectUri, state: expectedCsrf } = geminiOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-  if (csrfToken !== expectedCsrf) {
-    geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    geminiOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-  if (!code) {
-    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    geminiOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
-  client.setCredentials(tokens);
-  let email = '';
-  try {
-    const { token } = await client.getAccessToken();
-    if (token) {
-      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (resp.ok) {
-        const info = await resp.json();
-        email = info.email || '';
-      }
-    }
-  } catch (_) {}
-  saveGeminiCredentials(tokens, email);
-  geminiOAuthState = { status: 'success', error: null, email };
-  geminiOAuthPending = null;
-  return email;
-}
-async function handleGeminiOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-  if (error) {
-    const desc = errorDesc || error;
-    geminiOAuthState = { status: 'error', error: desc, email: null };
-    geminiOAuthPending = null;
-  }
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-  if (!geminiOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeGeminiOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
-function getGeminiOAuthStatus() {
-  try {
-    if (fs.existsSync(GEMINI_OAUTH_FILE)) {
-      const creds = JSON.parse(fs.readFileSync(GEMINI_OAUTH_FILE, 'utf8'));
-      if (creds.refresh_token || creds.access_token) {
-        let email = '';
-        try {
-          if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-            const accts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-            email = accts.active || '';
-          }
-        } catch (_) {}
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: GEMINI_OAUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
-const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
-const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
-const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
-const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
-const CODEX_OAUTH_PORT = 1455;
-let codexOAuthState = { status: 'idle', error: null, email: null };
-let codexOAuthPending = null;
-function generatePkce() {
-  const verifierBytes = crypto.randomBytes(64);
-  const codeVerifier = verifierBytes.toString('base64url');
-  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
-  const codeChallenge = challengeBytes.toString('base64url');
-  return { codeVerifier, codeChallenge };
-}
-function parseJwtEmail(jwt) {
-  try {
-    const parts = jwt.split('.');
-    if (parts.length < 2) return '';
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-    return payload.email || payload['https://api.openai.com/profile']?.email || '';
-  } catch (_) { return ''; }
-}
-function saveCodexCredentials(tokens) {
-  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
-  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
-  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
-}
-function getCodexOAuthStatus() {
-  try {
-    if (fs.existsSync(CODEX_AUTH_FILE)) {
-      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
-      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
-        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-async function startCodexOAuth(req) {
-  const remote = isRemoteRequest(req);
-  const redirectUri = remote
-    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
-    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
-  const pkce = generatePkce();
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-  const params = new URLSearchParams({
-    response_type: 'code',
-    client_id: CODEX_CLIENT_ID,
-    redirect_uri: redirectUri,
-    scope: CODEX_SCOPES,
-    code_challenge: pkce.codeChallenge,
-    code_challenge_method: 'S256',
-    id_token_add_organizations: 'true',
-    codex_cli_simplified_flow: 'true',
-    state,
-  });
-  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
-  const mode = remote ? 'remote' : 'local';
-  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
-  codexOAuthState = { status: 'pending', error: null, email: null };
-  setTimeout(() => {
-    if (codexOAuthState.status === 'pending') {
-      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      codexOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-  return { authUrl, mode };
-}
-async function exchangeCodexOAuthCode(code, stateParam) {
-  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-  if (csrfToken !== expectedCsrf) {
-    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    codexOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-  if (!code) {
-    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    codexOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-  const body = new URLSearchParams({
-    grant_type: 'authorization_code',
-    code,
-    redirect_uri: redirectUri,
-    client_id: CODEX_CLIENT_ID,
-    code_verifier: pkce.codeVerifier,
-  });
-  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: body.toString(),
-  });
-  if (!resp.ok) {
-    const text = await resp.text();
-    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
-    codexOAuthPending = null;
-    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
-  }
-  const tokens = await resp.json();
-  const email = parseJwtEmail(tokens.id_token || '');
-  saveCodexCredentials(tokens);
-  codexOAuthState = { status: 'success', error: null, email };
-  codexOAuthPending = null;
-  return email;
-}
-function codexOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-function codexOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-async function handleCodexOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-  if (error) {
-    const desc = errorDesc || error;
-    codexOAuthState = { status: 'error', error: desc, email: null };
-    codexOAuthPending = null;
-  }
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-  if (!codexOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeCodexOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1364,6 +659,9 @@ function sendJSON(req, res, statusCode, data) {
   compressAndSend(req, res, statusCode, 'application/json', JSON.stringify(data));
 }
+const _rateLimitMap = new LRUCache({ max: 1000, ttl: 60000 });
+const RATE_LIMIT_MAX = parseInt(process.env.RATE_LIMIT_MAX || '300', 10);
 const server = http.createServer(async (req, res) => {
   res.setHeader('Access-Control-Allow-Origin', '*');
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
@@ -1371,6 +669,17 @@ const server = http.createServer(async (req, res) => {
   if (req.method === 'OPTIONS') { res.writeHead(200); res.end(); return; }
   if (req.headers.upgrade && req.headers.upgrade.toLowerCase() === 'websocket') return;
+  const clientIp = req.headers['x-forwarded-for']?.split(',')[0]?.trim() || req.socket.remoteAddress;
+  const hits = (_rateLimitMap.get(clientIp) || 0) + 1;
+  _rateLimitMap.set(clientIp, hits);
+  res.setHeader('X-RateLimit-Limit', RATE_LIMIT_MAX);
+  res.setHeader('X-RateLimit-Remaining', Math.max(0, RATE_LIMIT_MAX - hits));
+  if (hits > RATE_LIMIT_MAX) {
+    res.writeHead(429, { 'Retry-After': '60' });
+    res.end('Too Many Requests');
+    return;
+  }
   const _pwd = process.env.PASSWORD;
   if (_pwd) {
     const _auth = req.headers['authorization'] || '';
@@ -1428,12 +737,26 @@ const server = http.createServer(async (req, res) => {
     const pathOnly = routePath.split('?')[0];
     if (pathOnly === '/oauth2callback' && req.method === 'GET') {
-      await handleGeminiOAuthCallback(req, res);
+      await handleGeminiOAuthCallback(req, res, PORT);
       return;
     }
     if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
-      await handleCodexOAuthCallback(req, res);
+      await handleCodexOAuthCallback(req, res, PORT);
+      return;
+    }
+    if (pathOnly === '/api/health' && req.method === 'GET') {
+      sendJSON(req, res, 200, {
+        status: 'ok',
+        version: PKG_VERSION,
+        uptime: process.uptime(),
+        agents: discoveredAgents.length,
+        activeExecutions: activeExecutions.size,
+        wsClients: wss.clients.size,
+        memory: process.memoryUsage(),
+        acp: getACPStatus()
+      });
       return;
     }
@@ -2426,7 +1749,7 @@ const server = http.createServer(async (req, res) => {
         const localResult = queries.searchAgents(discoveredAgents, body);
         // Get external agents from ACP servers
-        const externalAgents = await discoverExternalACPServers();
+        const externalAgents = await discoverExternalACPServers(discoveredAgents);
         const externalResult = queries.searchAgents(externalAgents, body);
         // Combine results
@@ -2879,7 +2202,7 @@ const server = http.createServer(async (req, res) => {
     if (pathOnly === '/api/gemini-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startGeminiOAuth(req);
+        const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[gemini-oauth] /api/gemini-oauth/start failed:', e);
@@ -2889,7 +2212,7 @@ const server = http.createServer(async (req, res) => {
     }
     if (pathOnly === '/api/gemini-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, geminiOAuthState);
+      sendJSON(req, res, 200, getGeminiOAuthState());
       return;
     }
@@ -2904,8 +2227,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2929,8 +2250,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          geminiOAuthState = { status: 'error', error: desc, email: null };
-          geminiOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -2940,8 +2259,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2949,7 +2266,7 @@ const server = http.createServer(async (req, res) => {
     if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startCodexOAuth(req);
+        const result = await startCodexOAuth(req, { PORT, BASE_URL });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
@@ -2959,7 +2276,7 @@ const server = http.createServer(async (req, res) => {
     }
     if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, codexOAuthState);
+      sendJSON(req, res, 200, getCodexOAuthState());
       return;
     }
@@ -2974,8 +2291,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2997,8 +2312,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          codexOAuthState = { status: 'error', error: desc, email: null };
-          codexOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -3007,8 +2320,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -3022,21 +2333,21 @@ const server = http.createServer(async (req, res) => {
       if (agentId === 'codex' || agentId === 'cli-codex') {
         try {
-          const result = await startCodexOAuth(req);
+          const result = await startCodexOAuth(req, { PORT, BASE_URL });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
           const pollId = setInterval(() => {
-            if (codexOAuthState.status === 'success') {
+            if (getCodexOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = codexOAuthState.email || '';
+              const email = getCodexOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (codexOAuthState.status === 'error') {
+            } else if (getCodexOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getCodexOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getCodexOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
@@ -3053,21 +2364,21 @@ const server = http.createServer(async (req, res) => {
       if (agentId === 'gemini') {
         try {
-          const result = await startGeminiOAuth(req);
+          const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-gemini', agentId: 'gemini', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
           const pollId = setInterval(() => {
-            if (geminiOAuthState.status === 'success') {
+            if (getGeminiOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = geminiOAuthState.email || '';
+              const email = getGeminiOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (geminiOAuthState.status === 'error') {
+            } else if (getGeminiOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${geminiOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: geminiOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getGeminiOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getGeminiOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
@@ -4649,7 +3960,7 @@ console.log('[INIT] About to call registerSessionHandlers, discoveredAgents.leng
 registerSessionHandlers(wsRouter, {
   db: queries, discoveredAgents, modelCache,
   getAgentDescriptor, activeScripts, broadcastSync,
-  startGeminiOAuth, geminiOAuthState: () => geminiOAuthState
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }), geminiOAuthState: getGeminiOAuthState
 });
 console.log('[INIT] registerSessionHandlers completed');
@@ -4669,10 +3980,12 @@ registerScriptHandlers(wsRouter, {
 });
 registerOAuthHandlers(wsRouter, {
-  startGeminiOAuth, exchangeGeminiOAuthCode,
-  geminiOAuthState: () => geminiOAuthState,
-  startCodexOAuth, exchangeCodexOAuthCode,
-  codexOAuthState: () => codexOAuthState,
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }),
+  exchangeGeminiOAuthCode,
+  geminiOAuthState: getGeminiOAuthState,
+  startCodexOAuth: (req) => startCodexOAuth(req, { PORT, BASE_URL }),
+  exchangeCodexOAuthCode,
+  codexOAuthState: getCodexOAuthState,
 });
 wsRouter.onLegacy((data, ws) => {