agentgui 1.0.752 → 1.0.753

package/lib/oauth-codex.js

@@ -0,0 +1,162 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+import { buildBaseUrl, isRemoteRequest, encodeOAuthState, decodeOAuthState, oauthResultPage, oauthRelayPage } from './oauth-common.js';
+
+const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
+const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
+const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
+const CODEX_OAUTH_PORT = 1455;
+
+let codexOAuthState = { status: 'idle', error: null, email: null };
+let codexOAuthPending = null;
+
+function generatePkce() {
+  const verifierBytes = crypto.randomBytes(64);
+  const codeVerifier = verifierBytes.toString('base64url');
+  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
+  const codeChallenge = challengeBytes.toString('base64url');
+  return { codeVerifier, codeChallenge };
+}
+
+function parseJwtEmail(jwt) {
+  try {
+    const parts = jwt.split('.');
+    if (parts.length < 2) return '';
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    return payload.email || payload['https://api.openai.com/profile']?.email || '';
+  } catch (_) { return ''; }
+}
+
+function saveCodexCredentials(tokens) {
+  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
+  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
+  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
+}
+
+export function getCodexOAuthStatus() {
+  try {
+    if (fs.existsSync(CODEX_AUTH_FILE)) {
+      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
+      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
+        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+export async function startCodexOAuth(req, { PORT, BASE_URL }) {
+  const remote = isRemoteRequest(req);
+  const redirectUri = remote
+    ? `${buildBaseUrl(req, PORT)}${BASE_URL}/codex-oauth2callback`
+    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
+  const pkce = generatePkce();
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = remote ? `${buildBaseUrl(req, PORT)}${BASE_URL}/api/codex-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+  const params = new URLSearchParams({
+    response_type: 'code',
+    client_id: CODEX_CLIENT_ID,
+    redirect_uri: redirectUri,
+    scope: CODEX_SCOPES,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: 'S256',
+    id_token_add_organizations: 'true',
+    codex_cli_simplified_flow: 'true',
+    state,
+  });
+  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
+  const mode = remote ? 'remote' : 'local';
+  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
+  codexOAuthState = { status: 'pending', error: null, email: null };
+  setTimeout(() => {
+    if (codexOAuthState.status === 'pending') {
+      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      codexOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+  return { authUrl, mode };
+}
+
+export async function exchangeCodexOAuthCode(code, stateParam) {
+  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+  if (csrfToken !== expectedCsrf) {
+    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    codexOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+  if (!code) {
+    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    codexOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+  const body = new URLSearchParams({
+    grant_type: 'authorization_code',
+    code,
+    redirect_uri: redirectUri,
+    client_id: CODEX_CLIENT_ID,
+    code_verifier: pkce.codeVerifier,
+  });
+  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
+    codexOAuthPending = null;
+    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+  }
+  const tokens = await resp.json();
+  const email = parseJwtEmail(tokens.id_token || '');
+  saveCodexCredentials(tokens);
+  codexOAuthState = { status: 'success', error: null, email };
+  codexOAuthPending = null;
+  return email;
+}
+
+export async function handleCodexOAuthCallback(req, res, PORT) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+  if (error) {
+    const desc = errorDesc || error;
+    codexOAuthState = { status: 'error', error: desc, email: null };
+    codexOAuthPending = null;
+  }
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+  if (!codexOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeCodexOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
+export function getCodexOAuthState() { return codexOAuthState; }
+export function getCodexOAuthPending() { return codexOAuthPending; }
+export { CODEX_HOME, CODEX_AUTH_FILE };

package/lib/oauth-common.js

@@ -0,0 +1,92 @@
+import crypto from 'crypto';
+
+export function buildBaseUrl(req, PORT) {
+  const override = process.env.AGENTGUI_BASE_URL;
+  if (override) return override.replace(/\/+$/, '');
+  const fwdProto = req.headers['x-forwarded-proto'];
+  const fwdHost = req.headers['x-forwarded-host'] || req.headers['host'];
+  if (fwdHost) {
+    const proto = fwdProto || (req.socket.encrypted ? 'https' : 'http');
+    const cleanHost = fwdHost.replace(/:443$/, '').replace(/:80$/, '');
+    return `${proto}://${cleanHost}`;
+  }
+  return `http://127.0.0.1:${PORT}`;
+}
+
+export function isRemoteRequest(req) {
+  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
+}
+
+export function encodeOAuthState(csrfToken, relayUrl) {
+  const payload = JSON.stringify({ t: csrfToken, r: relayUrl });
+  return Buffer.from(payload).toString('base64url');
+}
+
+export function decodeOAuthState(stateStr) {
+  try {
+    const payload = JSON.parse(Buffer.from(stateStr, 'base64url').toString());
+    return { csrfToken: payload.t, relayUrl: payload.r };
+  } catch (_) {
+    return { csrfToken: stateStr, relayUrl: null };
+  }
+}
+
+export function oauthResultPage(title, message, success) {
+  const color = success ? '#10b981' : '#ef4444';
+  const icon = success ? '✓' : '✗';
+  return `<!DOCTYPE html><html><head><title>${title}</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div style="text-align:center;max-width:400px;padding:2rem;">
+<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
+<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
+<p style="color:#9ca3af;">${message}</p>
+<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
+</div></body></html>`;
+}
+
+export function oauthRelayPage(code, state, error) {
+  const stateData = decodeOAuthState(state || '');
+  const relayUrl = stateData.relayUrl || '';
+  const escapedCode = (code || '').replace(/['"\\]/g, '');
+  const escapedState = (state || '').replace(/['"\\]/g, '');
+  const escapedError = (error || '').replace(/['"\\]/g, '');
+  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
+  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
+<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
+<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
+<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
+<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
+<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
+</div>
+<script>
+(function() {
+  var code = '${escapedCode}';
+  var state = '${escapedState}';
+  var error = '${escapedError}';
+  var relayUrl = '${escapedRelay}';
+  function show(icon, title, msg, color) {
+    document.getElementById('spinner').textContent = icon;
+    document.getElementById('spinner').style.color = color;
+    document.getElementById('title').textContent = title;
+    document.getElementById('msg').textContent = msg;
+  }
+  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
+  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
+  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
+  fetch(relayUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ code: code, state: state })
+  }).then(function(r) { return r.json(); }).then(function(data) {
+    if (data.success) {
+      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
+    } else {
+      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
+    }
+  }).catch(function(e) {
+    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
+  });
+})();
+</script>
+</body></html>`;
+}

package/lib/oauth-gemini.js

@@ -0,0 +1,200 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+import { execSync } from 'child_process';
+import { OAuth2Client } from 'google-auth-library';
+import { findCommand } from './agent-discovery.js';
+import { buildBaseUrl, isRemoteRequest, encodeOAuthState, decodeOAuthState, oauthResultPage, oauthRelayPage } from './oauth-common.js';
+
+const GEMINI_SCOPES = [
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/userinfo.email',
+  'https://www.googleapis.com/auth/userinfo.profile',
+];
+const GEMINI_DIR = path.join(os.homedir(), '.gemini');
+const GEMINI_OAUTH_FILE = path.join(GEMINI_DIR, 'oauth_creds.json');
+const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
+
+let geminiOAuthState = { status: 'idle', error: null, email: null };
+let geminiOAuthPending = null;
+
+function extractOAuthFromFile(oauth2Path) {
+  try {
+    const src = fs.readFileSync(oauth2Path, 'utf8');
+    const idMatch = src.match(/OAUTH_CLIENT_ID\s*=\s*['"]([^'"]+)['"]/);
+    const secretMatch = src.match(/OAUTH_CLIENT_SECRET\s*=\s*['"]([^'"]+)['"]/);
+    if (idMatch && secretMatch) return { clientId: idMatch[1], clientSecret: secretMatch[1] };
+  } catch {}
+  return null;
+}
+
+export function getGeminiOAuthCreds(rootDir) {
+  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
+    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
+  }
+  const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
+  try {
+    const geminiPath = findCommand('gemini', rootDir);
+    if (geminiPath) {
+      const realPath = fs.realpathSync(geminiPath);
+      const pkgRoot = path.resolve(path.dirname(realPath), '..');
+      const result = extractOAuthFromFile(path.join(pkgRoot, oauthRelPath));
+      if (result) return result;
+    }
+  } catch (e) {
+    console.error('[gemini-oauth] gemini lookup failed:', e.message);
+  }
+  try {
+    const npmCacheDirs = new Set();
+    const addDir = (d) => { if (d) npmCacheDirs.add(path.join(d, '_npx')); };
+    addDir(path.join(os.homedir(), '.npm'));
+    addDir(path.join(os.homedir(), '.cache', '.npm'));
+    if (process.env.NPM_CACHE) addDir(process.env.NPM_CACHE);
+    if (process.env.npm_config_cache) addDir(process.env.npm_config_cache);
+    try { addDir(execSync('npm config get cache', { encoding: 'utf8', timeout: 5000 }).trim()); } catch {}
+    for (const cacheDir of npmCacheDirs) {
+      if (!fs.existsSync(cacheDir)) continue;
+      for (const d of fs.readdirSync(cacheDir).filter(d => !d.startsWith('.'))) {
+        const result = extractOAuthFromFile(path.join(cacheDir, d, oauthRelPath));
+        if (result) return result;
+      }
+    }
+  } catch (e) {
+    console.error('[gemini-oauth] npm cache scan failed:', e.message);
+  }
+  console.error('[gemini-oauth] Could not find Gemini CLI OAuth credentials in any known location');
+  return null;
+}
+
+function saveGeminiCredentials(tokens, email) {
+  if (!fs.existsSync(GEMINI_DIR)) fs.mkdirSync(GEMINI_DIR, { recursive: true });
+  fs.writeFileSync(GEMINI_OAUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
+  try { fs.chmodSync(GEMINI_OAUTH_FILE, 0o600); } catch (_) {}
+  let accounts = { active: null, old: [] };
+  try {
+    if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
+      accounts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
+    }
+  } catch (_) {}
+  if (email) {
+    if (accounts.active && accounts.active !== email && !accounts.old.includes(accounts.active)) {
+      accounts.old.push(accounts.active);
+    }
+    accounts.active = email;
+  }
+  fs.writeFileSync(GEMINI_ACCOUNTS_FILE, JSON.stringify(accounts, null, 2), { mode: 0o600 });
+}
+
+export async function startGeminiOAuth(req, { PORT, BASE_URL, rootDir }) {
+  const creds = getGeminiOAuthCreds(rootDir);
+  if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
+  const useCustomClient = !!creds.custom;
+  const remote = isRemoteRequest(req);
+  let redirectUri;
+  if (useCustomClient && req) {
+    redirectUri = `${buildBaseUrl(req, PORT)}${BASE_URL}/oauth2callback`;
+  } else {
+    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
+  }
+  const csrfToken = crypto.randomBytes(32).toString('hex');
+  const relayUrl = req ? `${buildBaseUrl(req, PORT)}${BASE_URL}/api/gemini-oauth/relay` : null;
+  const state = encodeOAuthState(csrfToken, relayUrl);
+  const client = new OAuth2Client({ clientId: creds.clientId, clientSecret: creds.clientSecret });
+  const authUrl = client.generateAuthUrl({ redirect_uri: redirectUri, access_type: 'offline', scope: GEMINI_SCOPES, state });
+  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
+  geminiOAuthPending = { client, redirectUri, state: csrfToken };
+  geminiOAuthState = { status: 'pending', error: null, email: null };
+  setTimeout(() => {
+    if (geminiOAuthState.status === 'pending') {
+      geminiOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
+      geminiOAuthPending = null;
+    }
+  }, 5 * 60 * 1000);
+  return { authUrl, mode };
+}
+
+export async function exchangeGeminiOAuthCode(code, stateParam) {
+  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
+  const { client, redirectUri, state: expectedCsrf } = geminiOAuthPending;
+  const { csrfToken } = decodeOAuthState(stateParam);
+  if (csrfToken !== expectedCsrf) {
+    geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
+    geminiOAuthPending = null;
+    throw new Error('State mismatch - possible CSRF attack.');
+  }
+  if (!code) {
+    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
+    geminiOAuthPending = null;
+    throw new Error('No authorization code received.');
+  }
+  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
+  client.setCredentials(tokens);
+  let email = '';
+  try {
+    const { token } = await client.getAccessToken();
+    if (token) {
+      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', { headers: { Authorization: `Bearer ${token}` } });
+      if (resp.ok) { const info = await resp.json(); email = info.email || ''; }
+    }
+  } catch (_) {}
+  saveGeminiCredentials(tokens, email);
+  geminiOAuthState = { status: 'success', error: null, email };
+  geminiOAuthPending = null;
+  return email;
+}
+
+export async function handleGeminiOAuthCallback(req, res, PORT) {
+  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
+  const code = reqUrl.searchParams.get('code');
+  const state = reqUrl.searchParams.get('state');
+  const error = reqUrl.searchParams.get('error');
+  const errorDesc = reqUrl.searchParams.get('error_description');
+  if (error) {
+    const desc = errorDesc || error;
+    geminiOAuthState = { status: 'error', error: desc, email: null };
+    geminiOAuthPending = null;
+  }
+  const stateData = decodeOAuthState(state || '');
+  if (stateData.relayUrl) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthRelayPage(code, state, errorDesc || error));
+    return;
+  }
+  if (!geminiOAuthPending) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
+    return;
+  }
+  try {
+    if (error) throw new Error(errorDesc || error);
+    const email = await exchangeGeminiOAuthCode(code, state);
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
+  } catch (e) {
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end(oauthResultPage('Authentication Failed', e.message, false));
+  }
+}
+
+export function getGeminiOAuthStatus() {
+  try {
+    if (fs.existsSync(GEMINI_OAUTH_FILE)) {
+      const creds = JSON.parse(fs.readFileSync(GEMINI_OAUTH_FILE, 'utf8'));
+      if (creds.refresh_token || creds.access_token) {
+        let email = '';
+        try {
+          if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
+            const accts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
+            email = accts.active || '';
+          }
+        } catch (_) {}
+        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: GEMINI_OAUTH_FILE, authMethod: 'oauth' };
+      }
+    }
+  } catch (_) {}
+  return null;
+}
+
+export function getGeminiOAuthState() { return geminiOAuthState; }
+export function getGeminiOAuthPending() { return geminiOAuthPending; }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.752",
+  "version": "1.0.753",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",

package/server.js

@@ -10,7 +10,6 @@ import { execSync, spawn } from 'child_process';
 import { LRUCache } from 'lru-cache';
 import { createRequire } from 'module';
 const PKG_VERSION = JSON.parse(fs.readFileSync(new URL('./package.json', import.meta.url), 'utf8')).version;
-import { OAuth2Client } from 'google-auth-library';
 import express from 'express';
 import Busboy from 'busboy';
 import fsbrowse from 'fsbrowse';
@@ -18,6 +17,8 @@ import { queries } from './database.js';
 import { runClaudeWithStreaming } from './lib/claude-runner.js';
 import { initializeDescriptors, getAgentDescriptor } from './lib/agent-descriptors.js';
 import { findCommand, queryACPServerAgents, discoverAgents, discoverExternalACPServers, initializeAgentDiscovery } from './lib/agent-discovery.js';
+import { getGeminiOAuthCreds, startGeminiOAuth, exchangeGeminiOAuthCode, handleGeminiOAuthCallback, getGeminiOAuthStatus, getGeminiOAuthState } from './lib/oauth-gemini.js';
+import { startCodexOAuth, exchangeCodexOAuthCode, handleCodexOAuthCallback, getCodexOAuthStatus, getCodexOAuthState, CODEX_HOME, CODEX_AUTH_FILE } from './lib/oauth-codex.js';
 import { WSOptimizer } from './lib/ws-optimizer.js';
 import { WsRouter } from './lib/ws-protocol.js';
 import { encode as wsEncode } from './lib/codec.js';
@@ -483,551 +484,6 @@ async function getModelsForAgent(agentId) {
   return models;
 }
 
-const GEMINI_SCOPES = [
-  'https://www.googleapis.com/auth/cloud-platform',
-  'https://www.googleapis.com/auth/userinfo.email',
-  'https://www.googleapis.com/auth/userinfo.profile',
-];
-
-function extractOAuthFromFile(oauth2Path) {
-  try {
-    const src = fs.readFileSync(oauth2Path, 'utf8');
-    const idMatch = src.match(/OAUTH_CLIENT_ID\s*=\s*['"]([^'"]+)['"]/);
-    const secretMatch = src.match(/OAUTH_CLIENT_SECRET\s*=\s*['"]([^'"]+)['"]/);
-    if (idMatch && secretMatch) return { clientId: idMatch[1], clientSecret: secretMatch[1] };
-  } catch {}
-  return null;
-}
-
-function getGeminiOAuthCreds() {
-  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
-    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
-  }
-  const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
-  try {
-    const geminiPath = findCommand('gemini', rootDir);
-    if (geminiPath) {
-      const realPath = fs.realpathSync(geminiPath);
-      const pkgRoot = path.resolve(path.dirname(realPath), '..');
-      const result = extractOAuthFromFile(path.join(pkgRoot, oauthRelPath));
-      if (result) return result;
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] gemini lookup failed:', e.message);
-  }
-  try {
-    const npmCacheDirs = new Set();
-    const addDir = (d) => { if (d) npmCacheDirs.add(path.join(d, '_npx')); };
-    addDir(path.join(os.homedir(), '.npm'));
-    addDir(path.join(os.homedir(), '.cache', '.npm'));
-    if (process.env.NPM_CACHE) addDir(process.env.NPM_CACHE);
-    if (process.env.npm_config_cache) addDir(process.env.npm_config_cache);
-    try { addDir(execSync('npm config get cache', { encoding: 'utf8', timeout: 5000 }).trim()); } catch {}
-    for (const cacheDir of npmCacheDirs) {
-      if (!fs.existsSync(cacheDir)) continue;
-      for (const d of fs.readdirSync(cacheDir).filter(d => !d.startsWith('.'))) {
-        const result = extractOAuthFromFile(path.join(cacheDir, d, oauthRelPath));
-        if (result) return result;
-      }
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] npm cache scan failed:', e.message);
-  }
-  console.error('[gemini-oauth] Could not find Gemini CLI OAuth credentials in any known location');
-  return null;
-}
-const GEMINI_DIR = path.join(os.homedir(), '.gemini');
-const GEMINI_OAUTH_FILE = path.join(GEMINI_DIR, 'oauth_creds.json');
-const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
-
-let geminiOAuthState = { status: 'idle', error: null, email: null };
-let geminiOAuthPending = null;
-
-function buildBaseUrl(req) {
-  const override = process.env.AGENTGUI_BASE_URL;
-  if (override) return override.replace(/\/+$/, '');
-  const fwdProto = req.headers['x-forwarded-proto'];
-  const fwdHost = req.headers['x-forwarded-host'] || req.headers['host'];
-  if (fwdHost) {
-    const proto = fwdProto || (req.socket.encrypted ? 'https' : 'http');
-    const cleanHost = fwdHost.replace(/:443$/, '').replace(/:80$/, '');
-    return `${proto}://${cleanHost}`;
-  }
-  return `http://127.0.0.1:${PORT}`;
-}
-
-function saveGeminiCredentials(tokens, email) {
-  if (!fs.existsSync(GEMINI_DIR)) fs.mkdirSync(GEMINI_DIR, { recursive: true });
-  fs.writeFileSync(GEMINI_OAUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(GEMINI_OAUTH_FILE, 0o600); } catch (_) {}
-
-  let accounts = { active: null, old: [] };
-  try {
-    if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-      accounts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-    }
-  } catch (_) {}
-
-  if (email) {
-    if (accounts.active && accounts.active !== email && !accounts.old.includes(accounts.active)) {
-      accounts.old.push(accounts.active);
-    }
-    accounts.active = email;
-  }
-  fs.writeFileSync(GEMINI_ACCOUNTS_FILE, JSON.stringify(accounts, null, 2), { mode: 0o600 });
-}
-
-function geminiOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '✓' : '✗';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-
-function encodeOAuthState(csrfToken, relayUrl) {
-  const payload = JSON.stringify({ t: csrfToken, r: relayUrl });
-  return Buffer.from(payload).toString('base64url');
-}
-
-function decodeOAuthState(stateStr) {
-  try {
-    const payload = JSON.parse(Buffer.from(stateStr, 'base64url').toString());
-    return { csrfToken: payload.t, relayUrl: payload.r };
-  } catch (_) {
-    return { csrfToken: stateStr, relayUrl: null };
-  }
-}
-
-function geminiOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-
-function isRemoteRequest(req) {
-  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
-}
-
-async function startGeminiOAuth(req) {
-  const creds = getGeminiOAuthCreds();
-  if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
-
-  const useCustomClient = !!creds.custom;
-  const remote = isRemoteRequest(req);
-  let redirectUri;
-  if (useCustomClient && req) {
-    redirectUri = `${buildBaseUrl(req)}${BASE_URL}/oauth2callback`;
-  } else {
-    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
-  }
-
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = req ? `${buildBaseUrl(req)}${BASE_URL}/api/gemini-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-
-  const client = new OAuth2Client({
-    clientId: creds.clientId,
-    clientSecret: creds.clientSecret,
-  });
-
-  const authUrl = client.generateAuthUrl({
-    redirect_uri: redirectUri,
-    access_type: 'offline',
-    scope: GEMINI_SCOPES,
-    state,
-  });
-
-  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
-  geminiOAuthPending = { client, redirectUri, state: csrfToken };
-  geminiOAuthState = { status: 'pending', error: null, email: null };
-
-  setTimeout(() => {
-    if (geminiOAuthState.status === 'pending') {
-      geminiOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      geminiOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-
-  return { authUrl, mode };
-}
-
-async function exchangeGeminiOAuthCode(code, stateParam) {
-  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-
-  const { client, redirectUri, state: expectedCsrf } = geminiOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-
-  if (csrfToken !== expectedCsrf) {
-    geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    geminiOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-
-  if (!code) {
-    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    geminiOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-
-  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
-  client.setCredentials(tokens);
-
-  let email = '';
-  try {
-    const { token } = await client.getAccessToken();
-    if (token) {
-      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (resp.ok) {
-        const info = await resp.json();
-        email = info.email || '';
-      }
-    }
-  } catch (_) {}
-
-  saveGeminiCredentials(tokens, email);
-  geminiOAuthState = { status: 'success', error: null, email };
-  geminiOAuthPending = null;
-
-  return email;
-}
-
-async function handleGeminiOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-
-  if (error) {
-    const desc = errorDesc || error;
-    geminiOAuthState = { status: 'error', error: desc, email: null };
-    geminiOAuthPending = null;
-  }
-
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-
-  if (!geminiOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeGeminiOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
-
-function getGeminiOAuthStatus() {
-  try {
-    if (fs.existsSync(GEMINI_OAUTH_FILE)) {
-      const creds = JSON.parse(fs.readFileSync(GEMINI_OAUTH_FILE, 'utf8'));
-      if (creds.refresh_token || creds.access_token) {
-        let email = '';
-        try {
-          if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-            const accts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-            email = accts.active || '';
-          }
-        } catch (_) {}
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: GEMINI_OAUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-
-const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
-const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
-const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
-const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
-const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
-const CODEX_OAUTH_PORT = 1455;
-
-let codexOAuthState = { status: 'idle', error: null, email: null };
-let codexOAuthPending = null;
-
-function generatePkce() {
-  const verifierBytes = crypto.randomBytes(64);
-  const codeVerifier = verifierBytes.toString('base64url');
-  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
-  const codeChallenge = challengeBytes.toString('base64url');
-  return { codeVerifier, codeChallenge };
-}
-
-function parseJwtEmail(jwt) {
-  try {
-    const parts = jwt.split('.');
-    if (parts.length < 2) return '';
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-    return payload.email || payload['https://api.openai.com/profile']?.email || '';
-  } catch (_) { return ''; }
-}
-
-function saveCodexCredentials(tokens) {
-  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
-  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
-  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
-}
-
-function getCodexOAuthStatus() {
-  try {
-    if (fs.existsSync(CODEX_AUTH_FILE)) {
-      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
-      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
-        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-
-async function startCodexOAuth(req) {
-  const remote = isRemoteRequest(req);
-  const redirectUri = remote
-    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
-    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
-
-  const pkce = generatePkce();
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-
-  const params = new URLSearchParams({
-    response_type: 'code',
-    client_id: CODEX_CLIENT_ID,
-    redirect_uri: redirectUri,
-    scope: CODEX_SCOPES,
-    code_challenge: pkce.codeChallenge,
-    code_challenge_method: 'S256',
-    id_token_add_organizations: 'true',
-    codex_cli_simplified_flow: 'true',
-    state,
-  });
-
-  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
-  const mode = remote ? 'remote' : 'local';
-
-  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
-  codexOAuthState = { status: 'pending', error: null, email: null };
-
-  setTimeout(() => {
-    if (codexOAuthState.status === 'pending') {
-      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      codexOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-
-  return { authUrl, mode };
-}
-
-async function exchangeCodexOAuthCode(code, stateParam) {
-  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-
-  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-
-  if (csrfToken !== expectedCsrf) {
-    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    codexOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-
-  if (!code) {
-    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    codexOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-
-  const body = new URLSearchParams({
-    grant_type: 'authorization_code',
-    code,
-    redirect_uri: redirectUri,
-    client_id: CODEX_CLIENT_ID,
-    code_verifier: pkce.codeVerifier,
-  });
-
-  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: body.toString(),
-  });
-
-  if (!resp.ok) {
-    const text = await resp.text();
-    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
-    codexOAuthPending = null;
-    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
-  }
-
-  const tokens = await resp.json();
-  const email = parseJwtEmail(tokens.id_token || '');
-
-  saveCodexCredentials(tokens);
-  codexOAuthState = { status: 'success', error: null, email };
-  codexOAuthPending = null;
-
-  return email;
-}
-
-function codexOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-
-function codexOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-
-async function handleCodexOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-
-  if (error) {
-    const desc = errorDesc || error;
-    codexOAuthState = { status: 'error', error: desc, email: null };
-    codexOAuthPending = null;
-  }
-
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-
-  if (!codexOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeCodexOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
-
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1281,12 +737,12 @@ const server = http.createServer(async (req, res) => {
     const pathOnly = routePath.split('?')[0];
 
     if (pathOnly === '/oauth2callback' && req.method === 'GET') {
-      await handleGeminiOAuthCallback(req, res);
+      await handleGeminiOAuthCallback(req, res, PORT);
       return;
     }
 
     if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
-      await handleCodexOAuthCallback(req, res);
+      await handleCodexOAuthCallback(req, res, PORT);
       return;
     }
 
@@ -2746,7 +2202,7 @@ const server = http.createServer(async (req, res) => {
 
     if (pathOnly === '/api/gemini-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startGeminiOAuth(req);
+        const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[gemini-oauth] /api/gemini-oauth/start failed:', e);
@@ -2756,7 +2212,7 @@ const server = http.createServer(async (req, res) => {
     }
 
     if (pathOnly === '/api/gemini-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, geminiOAuthState);
+      sendJSON(req, res, 200, getGeminiOAuthState());
       return;
     }
 
@@ -2771,8 +2227,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2796,8 +2250,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          geminiOAuthState = { status: 'error', error: desc, email: null };
-          geminiOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -2807,8 +2259,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2816,7 +2266,7 @@ const server = http.createServer(async (req, res) => {
 
     if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startCodexOAuth(req);
+        const result = await startCodexOAuth(req, { PORT, BASE_URL });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
@@ -2826,7 +2276,7 @@ const server = http.createServer(async (req, res) => {
     }
 
     if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, codexOAuthState);
+      sendJSON(req, res, 200, getCodexOAuthState());
       return;
     }
 
@@ -2841,8 +2291,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2864,8 +2312,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          codexOAuthState = { status: 'error', error: desc, email: null };
-          codexOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -2874,8 +2320,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2889,21 +2333,21 @@ const server = http.createServer(async (req, res) => {
 
       if (agentId === 'codex' || agentId === 'cli-codex') {
         try {
-          const result = await startCodexOAuth(req);
+          const result = await startCodexOAuth(req, { PORT, BASE_URL });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
 
           const pollId = setInterval(() => {
-            if (codexOAuthState.status === 'success') {
+            if (getCodexOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = codexOAuthState.email || '';
+              const email = getCodexOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (codexOAuthState.status === 'error') {
+            } else if (getCodexOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getCodexOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getCodexOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
 
@@ -2920,21 +2364,21 @@ const server = http.createServer(async (req, res) => {
 
       if (agentId === 'gemini') {
         try {
-          const result = await startGeminiOAuth(req);
+          const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-gemini', agentId: 'gemini', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
 
           const pollId = setInterval(() => {
-            if (geminiOAuthState.status === 'success') {
+            if (getGeminiOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = geminiOAuthState.email || '';
+              const email = getGeminiOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (geminiOAuthState.status === 'error') {
+            } else if (getGeminiOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${geminiOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: geminiOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getGeminiOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getGeminiOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
 
@@ -4516,7 +3960,7 @@ console.log('[INIT] About to call registerSessionHandlers, discoveredAgents.leng
 registerSessionHandlers(wsRouter, {
   db: queries, discoveredAgents, modelCache,
   getAgentDescriptor, activeScripts, broadcastSync,
-  startGeminiOAuth, geminiOAuthState: () => geminiOAuthState
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }), geminiOAuthState: getGeminiOAuthState
 });
 console.log('[INIT] registerSessionHandlers completed');
 
@@ -4536,10 +3980,12 @@ registerScriptHandlers(wsRouter, {
 });
 
 registerOAuthHandlers(wsRouter, {
-  startGeminiOAuth, exchangeGeminiOAuthCode,
-  geminiOAuthState: () => geminiOAuthState,
-  startCodexOAuth, exchangeCodexOAuthCode,
-  codexOAuthState: () => codexOAuthState,
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }),
+  exchangeGeminiOAuthCode,
+  geminiOAuthState: getGeminiOAuthState,
+  startCodexOAuth: (req) => startCodexOAuth(req, { PORT, BASE_URL }),
+  exchangeCodexOAuthCode,
+  codexOAuthState: getCodexOAuthState,
 });
 
 wsRouter.onLegacy((data, ws) => {