npm - agentgui - Versions diffs - 1.0.752 → 1.0.754 - Mend

agentgui 1.0.752 → 1.0.754

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/server.js CHANGED Viewed

@@ -10,7 +10,6 @@ import { execSync, spawn } from 'child_process';
 import { LRUCache } from 'lru-cache';
 import { createRequire } from 'module';
 const PKG_VERSION = JSON.parse(fs.readFileSync(new URL('./package.json', import.meta.url), 'utf8')).version;
-import { OAuth2Client } from 'google-auth-library';
 import express from 'express';
 import Busboy from 'busboy';
 import fsbrowse from 'fsbrowse';
@@ -18,6 +17,9 @@ import { queries } from './database.js';
 import { runClaudeWithStreaming } from './lib/claude-runner.js';
 import { initializeDescriptors, getAgentDescriptor } from './lib/agent-descriptors.js';
 import { findCommand, queryACPServerAgents, discoverAgents, discoverExternalACPServers, initializeAgentDiscovery } from './lib/agent-discovery.js';
+import { getGeminiOAuthCreds, startGeminiOAuth, exchangeGeminiOAuthCode, handleGeminiOAuthCallback, getGeminiOAuthStatus, getGeminiOAuthState } from './lib/oauth-gemini.js';
+import { initSpeechManager, getSpeech, ensurePocketTtsSetup, voiceCacheManager, modelDownloadState, broadcastModelProgress, ensureModelsDownloaded, eagerTTS } from './lib/speech-manager.js';
+import { startCodexOAuth, exchangeCodexOAuthCode, handleCodexOAuthCallback, getCodexOAuthStatus, getCodexOAuthState, CODEX_HOME, CODEX_AUTH_FILE } from './lib/oauth-codex.js';
 import { WSOptimizer } from './lib/ws-optimizer.js';
 import { WsRouter } from './lib/ws-protocol.js';
 import { encode as wsEncode } from './lib/codec.js';
@@ -68,232 +70,6 @@ process.on('SIGHUP', () => { console.log('[SIGNAL] SIGHUP received (ignored - un
 process.on('beforeExit', (code) => { console.log('[PROCESS] beforeExit with code:', code); });
 process.on('exit', (code) => { console.log('[PROCESS] exit with code:', code); });
-const ttsTextAccumulators = new Map();
-const voiceCacheManager = {
-  generating: new Map(),
-  maxCacheSize: 10 * 1024 * 1024,
-  async getOrGenerateCache(conversationId, text) {
-    const cacheKey = `${conversationId}:${text}`;
-    if (this.generating.has(cacheKey)) {
-      return new Promise((resolve) => {
-        const checkInterval = setInterval(() => {
-          const cached = queries.getVoiceCache(conversationId, text);
-          if (cached) {
-            clearInterval(checkInterval);
-            resolve(cached);
-          }
-        }, 50);
-      });
-    }
-    const cached = queries.getVoiceCache(conversationId, text);
-    if (cached) return cached;
-    this.generating.set(cacheKey, true);
-    try {
-      const speech = await getSpeech();
-      const audioBlob = await speech.synthesize(text, 'default');
-      const saved = queries.saveVoiceCache(conversationId, text, audioBlob);
-      const totalSize = queries.getVoiceCacheSize(conversationId);
-      if (totalSize > this.maxCacheSize) {
-        const needed = totalSize - this.maxCacheSize;
-        queries.deleteOldestVoiceCache(conversationId, needed);
-      }
-      return saved;
-    } finally {
-      this.generating.delete(cacheKey);
-    }
-  }
-};
-let speechModule = null;
-async function getSpeech() {
-  if (!speechModule) speechModule = await import('./lib/speech.js');
-  return speechModule;
-}
-async function ensurePocketTtsSetup(onProgress) {
-  const { createRequire: cr } = await import('module');
-  const r = cr(import.meta.url);
-  const serverTTS = r('webtalk/server-tts');
-  return serverTTS.ensureInstalled(onProgress);
-}
-// Model download manager
-const modelDownloadState = {
-  downloading: false,
-  progress: null,
-  error: null,
-  complete: false,
-  startTime: null,
-  downloadMetrics: new Map()
-};
-function broadcastModelProgress(progress) {
-  modelDownloadState.progress = progress;
-  const broadcastData = {
-    type: 'model_download_progress',
-    modelId: progress.type || 'unknown',
-    bytesDownloaded: progress.bytesDownloaded || 0,
-    bytesRemaining: progress.bytesRemaining || 0,
-    totalBytes: progress.totalBytes || 0,
-    downloadSpeed: progress.downloadSpeed || 0,
-    eta: progress.eta || 0,
-    retryCount: progress.retryCount || 0,
-    currentGateway: progress.currentGateway || '',
-    status: progress.status || (progress.done ? 'completed' : progress.downloading ? 'downloading' : 'paused'),
-    percentComplete: progress.percentComplete || 0,
-    completedFiles: progress.completedFiles || 0,
-    totalFiles: progress.totalFiles || 0,
-    timestamp: Date.now(),
-    ...progress
-  };
-  broadcastSync(broadcastData);
-}
-async function validateAndCleanupModels(modelsDir) {
-  try {
-    const manifestPath = path.join(modelsDir, '.manifests.json');
-    if (fs.existsSync(manifestPath)) {
-      try {
-        const content = fs.readFileSync(manifestPath, 'utf8');
-        JSON.parse(content);
-      } catch (e) {
-        console.error('[MODELS] Manifest corrupted, removing:', e.message);
-        fs.unlinkSync(manifestPath);
-      }
-    }
-    const files = fs.readdirSync(modelsDir);
-    for (const file of files) {
-      if (file.endsWith('.tmp')) {
-        try {
-          fs.unlinkSync(path.join(modelsDir, file));
-          console.log('[MODELS] Cleaned up temp file:', file);
-        } catch (e) {
-          console.warn('[MODELS] Failed to clean:', file);
-        }
-      }
-    }
-  } catch (e) {
-    console.warn('[MODELS] Cleanup check failed:', e.message);
-  }
-}
-async function ensureModelsDownloaded() {
-  if (modelDownloadState.downloading) {
-    while (modelDownloadState.downloading) {
-      await new Promise(r => setTimeout(r, 100));
-    }
-    return modelDownloadState.complete;
-  }
-  modelDownloadState.downloading = true;
-  modelDownloadState.error = null;
-  try {
-    const r = createRequire(import.meta.url);
-    const { createConfig } = r('webtalk/config');
-    const { ensureModel } = r('webtalk/whisper-models');
-    const { ensureTTSModels } = r('webtalk/tts-models');
-    const gmguiModels = path.join(os.homedir(), '.gmgui', 'models');
-    const modelsBase = process.env.PORTABLE_EXE_DIR
-      ? (fs.existsSync(path.join(process.env.PORTABLE_EXE_DIR, 'models', 'onnx-community')) ? path.join(process.env.PORTABLE_EXE_DIR, 'models') : gmguiModels)
-      : gmguiModels;
-    await validateAndCleanupModels(modelsBase);
-    const config = createConfig({
-      modelsDir: modelsBase,
-      ttsModelsDir: path.join(modelsBase, 'tts'),
-    });
-    // Progress callback for broadcasting download progress
-    const onProgress = (progress) => {
-      broadcastModelProgress({
-        ...progress,
-        started: true,
-        done: false,
-        downloading: true
-      });
-    };
-    broadcastModelProgress({ started: true, done: false, downloading: true, type: 'whisper', status: 'starting' });
-    await ensureModel('onnx-community/whisper-base', config, onProgress);
-    broadcastModelProgress({ started: true, done: false, downloading: true, type: 'tts', status: 'starting' });
-    await ensureTTSModels(config, onProgress);
-    modelDownloadState.complete = true;
-    broadcastModelProgress({ started: true, done: true, complete: true, downloading: false });
-    return true;
-  } catch (err) {
-    console.error('[MODELS] Download error:', err.message);
-    modelDownloadState.error = err.message;
-    broadcastModelProgress({ done: true, error: err.message });
-    return false;
-  } finally {
-    modelDownloadState.downloading = false;
-  }
-}
-function eagerTTS(text, conversationId, sessionId) {
-  const key = `${conversationId}:${sessionId}`;
-  let acc = ttsTextAccumulators.get(key);
-  if (!acc) {
-    acc = { text: '', timer: null };
-    ttsTextAccumulators.set(key, acc);
-  }
-  acc.text += text;
-  if (acc.timer) clearTimeout(acc.timer);
-  acc.timer = setTimeout(() => flushTTSaccumulator(key, conversationId, sessionId), 600);
-}
-function flushTTSaccumulator(key, conversationId, sessionId) {
-  const acc = ttsTextAccumulators.get(key);
-  if (!acc || !acc.text) return;
-  const text = acc.text.trim();
-  acc.text = '';
-  ttsTextAccumulators.delete(key);
-  getSpeech().then(speech => {
-    const status = speech.getStatus();
-    if (!status.ttsReady || status.ttsError) return;
-    const voices = new Set();
-    for (const ws of syncClients) {
-      const vid = ws.ttsVoiceId || 'default';
-      const convKey = `conv-${conversationId}`;
-      if (ws.subscriptions && (ws.subscriptions.has(sessionId) || ws.subscriptions.has(convKey))) {
-        voices.add(vid);
-      }
-    }
-    if (voices.size === 0) return;
-    for (const vid of voices) {
-      const cacheKey = speech.ttsCacheKey(text, vid);
-      const cached = speech.ttsCacheGet(cacheKey);
-      if (cached) {
-        pushTTSAudio(cacheKey, cached, conversationId, sessionId, vid);
-        continue;
-      }
-      speech.synthesize(text, vid).then(wav => {
-        if (speech.ttsCacheSet) speech.ttsCacheSet(cacheKey, wav);
-        pushTTSAudio(cacheKey, wav, conversationId, sessionId, vid);
-      }).catch(() => {});
-    }
-  }).catch(() => {});
-}
-function pushTTSAudio(cacheKey, wav, conversationId, sessionId, voiceId) {
-  const b64 = wav.toString('base64');
-  broadcastSync({
-    type: 'tts_audio',
-    cacheKey,
-    audio: b64,
-    voiceId,
-    conversationId,
-    sessionId,
-    timestamp: Date.now()
-  });
-}
 function buildSystemPrompt(agentId, model, subAgent) {
   const parts = [];
@@ -483,551 +259,6 @@ async function getModelsForAgent(agentId) {
   return models;
 }
-const GEMINI_SCOPES = [
-  'https://www.googleapis.com/auth/cloud-platform',
-  'https://www.googleapis.com/auth/userinfo.email',
-  'https://www.googleapis.com/auth/userinfo.profile',
-];
-function extractOAuthFromFile(oauth2Path) {
-  try {
-    const src = fs.readFileSync(oauth2Path, 'utf8');
-    const idMatch = src.match(/OAUTH_CLIENT_ID\s*=\s*['"]([^'"]+)['"]/);
-    const secretMatch = src.match(/OAUTH_CLIENT_SECRET\s*=\s*['"]([^'"]+)['"]/);
-    if (idMatch && secretMatch) return { clientId: idMatch[1], clientSecret: secretMatch[1] };
-  } catch {}
-  return null;
-}
-function getGeminiOAuthCreds() {
-  if (process.env.GOOGLE_OAUTH_CLIENT_ID && process.env.GOOGLE_OAUTH_CLIENT_SECRET) {
-    return { clientId: process.env.GOOGLE_OAUTH_CLIENT_ID, clientSecret: process.env.GOOGLE_OAUTH_CLIENT_SECRET, custom: true };
-  }
-  const oauthRelPath = path.join('node_modules', '@google', 'gemini-cli-core', 'dist', 'src', 'code_assist', 'oauth2.js');
-  try {
-    const geminiPath = findCommand('gemini', rootDir);
-    if (geminiPath) {
-      const realPath = fs.realpathSync(geminiPath);
-      const pkgRoot = path.resolve(path.dirname(realPath), '..');
-      const result = extractOAuthFromFile(path.join(pkgRoot, oauthRelPath));
-      if (result) return result;
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] gemini lookup failed:', e.message);
-  }
-  try {
-    const npmCacheDirs = new Set();
-    const addDir = (d) => { if (d) npmCacheDirs.add(path.join(d, '_npx')); };
-    addDir(path.join(os.homedir(), '.npm'));
-    addDir(path.join(os.homedir(), '.cache', '.npm'));
-    if (process.env.NPM_CACHE) addDir(process.env.NPM_CACHE);
-    if (process.env.npm_config_cache) addDir(process.env.npm_config_cache);
-    try { addDir(execSync('npm config get cache', { encoding: 'utf8', timeout: 5000 }).trim()); } catch {}
-    for (const cacheDir of npmCacheDirs) {
-      if (!fs.existsSync(cacheDir)) continue;
-      for (const d of fs.readdirSync(cacheDir).filter(d => !d.startsWith('.'))) {
-        const result = extractOAuthFromFile(path.join(cacheDir, d, oauthRelPath));
-        if (result) return result;
-      }
-    }
-  } catch (e) {
-    console.error('[gemini-oauth] npm cache scan failed:', e.message);
-  }
-  console.error('[gemini-oauth] Could not find Gemini CLI OAuth credentials in any known location');
-  return null;
-}
-const GEMINI_DIR = path.join(os.homedir(), '.gemini');
-const GEMINI_OAUTH_FILE = path.join(GEMINI_DIR, 'oauth_creds.json');
-const GEMINI_ACCOUNTS_FILE = path.join(GEMINI_DIR, 'google_accounts.json');
-let geminiOAuthState = { status: 'idle', error: null, email: null };
-let geminiOAuthPending = null;
-function buildBaseUrl(req) {
-  const override = process.env.AGENTGUI_BASE_URL;
-  if (override) return override.replace(/\/+$/, '');
-  const fwdProto = req.headers['x-forwarded-proto'];
-  const fwdHost = req.headers['x-forwarded-host'] || req.headers['host'];
-  if (fwdHost) {
-    const proto = fwdProto || (req.socket.encrypted ? 'https' : 'http');
-    const cleanHost = fwdHost.replace(/:443$/, '').replace(/:80$/, '');
-    return `${proto}://${cleanHost}`;
-  }
-  return `http://127.0.0.1:${PORT}`;
-}
-function saveGeminiCredentials(tokens, email) {
-  if (!fs.existsSync(GEMINI_DIR)) fs.mkdirSync(GEMINI_DIR, { recursive: true });
-  fs.writeFileSync(GEMINI_OAUTH_FILE, JSON.stringify(tokens, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(GEMINI_OAUTH_FILE, 0o600); } catch (_) {}
-  let accounts = { active: null, old: [] };
-  try {
-    if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-      accounts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-    }
-  } catch (_) {}
-  if (email) {
-    if (accounts.active && accounts.active !== email && !accounts.old.includes(accounts.active)) {
-      accounts.old.push(accounts.active);
-    }
-    accounts.active = email;
-  }
-  fs.writeFileSync(GEMINI_ACCOUNTS_FILE, JSON.stringify(accounts, null, 2), { mode: 0o600 });
-}
-function geminiOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-function encodeOAuthState(csrfToken, relayUrl) {
-  const payload = JSON.stringify({ t: csrfToken, r: relayUrl });
-  return Buffer.from(payload).toString('base64url');
-}
-function decodeOAuthState(stateStr) {
-  try {
-    const payload = JSON.parse(Buffer.from(stateStr, 'base64url').toString());
-    return { csrfToken: payload.t, relayUrl: payload.r };
-  } catch (_) {
-    return { csrfToken: stateStr, relayUrl: null };
-  }
-}
-function geminiOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-function isRemoteRequest(req) {
-  return !!(req && (req.headers['x-forwarded-for'] || req.headers['x-forwarded-host'] || req.headers['x-forwarded-proto']));
-}
-async function startGeminiOAuth(req) {
-  const creds = getGeminiOAuthCreds();
-  if (!creds) throw new Error('Could not find Gemini CLI OAuth credentials. Install gemini CLI first.');
-  const useCustomClient = !!creds.custom;
-  const remote = isRemoteRequest(req);
-  let redirectUri;
-  if (useCustomClient && req) {
-    redirectUri = `${buildBaseUrl(req)}${BASE_URL}/oauth2callback`;
-  } else {
-    redirectUri = `http://localhost:${PORT}${BASE_URL}/oauth2callback`;
-  }
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = req ? `${buildBaseUrl(req)}${BASE_URL}/api/gemini-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-  const client = new OAuth2Client({
-    clientId: creds.clientId,
-    clientSecret: creds.clientSecret,
-  });
-  const authUrl = client.generateAuthUrl({
-    redirect_uri: redirectUri,
-    access_type: 'offline',
-    scope: GEMINI_SCOPES,
-    state,
-  });
-  const mode = useCustomClient ? 'custom' : (remote ? 'cli-remote' : 'cli-local');
-  geminiOAuthPending = { client, redirectUri, state: csrfToken };
-  geminiOAuthState = { status: 'pending', error: null, email: null };
-  setTimeout(() => {
-    if (geminiOAuthState.status === 'pending') {
-      geminiOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      geminiOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-  return { authUrl, mode };
-}
-async function exchangeGeminiOAuthCode(code, stateParam) {
-  if (!geminiOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-  const { client, redirectUri, state: expectedCsrf } = geminiOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-  if (csrfToken !== expectedCsrf) {
-    geminiOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    geminiOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-  if (!code) {
-    geminiOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    geminiOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-  const { tokens } = await client.getToken({ code, redirect_uri: redirectUri });
-  client.setCredentials(tokens);
-  let email = '';
-  try {
-    const { token } = await client.getAccessToken();
-    if (token) {
-      const resp = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
-        headers: { Authorization: `Bearer ${token}` }
-      });
-      if (resp.ok) {
-        const info = await resp.json();
-        email = info.email || '';
-      }
-    }
-  } catch (_) {}
-  saveGeminiCredentials(tokens, email);
-  geminiOAuthState = { status: 'success', error: null, email };
-  geminiOAuthPending = null;
-  return email;
-}
-async function handleGeminiOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-  if (error) {
-    const desc = errorDesc || error;
-    geminiOAuthState = { status: 'error', error: desc, email: null };
-    geminiOAuthPending = null;
-  }
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-  if (!geminiOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeGeminiOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Gemini CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(geminiOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
-function getGeminiOAuthStatus() {
-  try {
-    if (fs.existsSync(GEMINI_OAUTH_FILE)) {
-      const creds = JSON.parse(fs.readFileSync(GEMINI_OAUTH_FILE, 'utf8'));
-      if (creds.refresh_token || creds.access_token) {
-        let email = '';
-        try {
-          if (fs.existsSync(GEMINI_ACCOUNTS_FILE)) {
-            const accts = JSON.parse(fs.readFileSync(GEMINI_ACCOUNTS_FILE, 'utf8'));
-            email = accts.active || '';
-          }
-        } catch (_) {}
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: GEMINI_OAUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-const CODEX_HOME = process.env.CODEX_HOME || path.join(os.homedir(), '.codex');
-const CODEX_AUTH_FILE = path.join(CODEX_HOME, 'auth.json');
-const CODEX_OAUTH_ISSUER = 'https://auth.openai.com';
-const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
-const CODEX_SCOPES = 'openid profile email offline_access api.connectors.read api.connectors.invoke';
-const CODEX_OAUTH_PORT = 1455;
-let codexOAuthState = { status: 'idle', error: null, email: null };
-let codexOAuthPending = null;
-function generatePkce() {
-  const verifierBytes = crypto.randomBytes(64);
-  const codeVerifier = verifierBytes.toString('base64url');
-  const challengeBytes = crypto.createHash('sha256').update(codeVerifier).digest();
-  const codeChallenge = challengeBytes.toString('base64url');
-  return { codeVerifier, codeChallenge };
-}
-function parseJwtEmail(jwt) {
-  try {
-    const parts = jwt.split('.');
-    if (parts.length < 2) return '';
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-    return payload.email || payload['https://api.openai.com/profile']?.email || '';
-  } catch (_) { return ''; }
-}
-function saveCodexCredentials(tokens) {
-  if (!fs.existsSync(CODEX_HOME)) fs.mkdirSync(CODEX_HOME, { recursive: true });
-  const auth = { auth_mode: 'chatgpt', tokens, last_refresh: new Date().toISOString() };
-  fs.writeFileSync(CODEX_AUTH_FILE, JSON.stringify(auth, null, 2), { mode: 0o600 });
-  try { fs.chmodSync(CODEX_AUTH_FILE, 0o600); } catch (_) {}
-}
-function getCodexOAuthStatus() {
-  try {
-    if (fs.existsSync(CODEX_AUTH_FILE)) {
-      const auth = JSON.parse(fs.readFileSync(CODEX_AUTH_FILE, 'utf8'));
-      if (auth.tokens?.access_token || auth.tokens?.refresh_token) {
-        const email = parseJwtEmail(auth.tokens?.id_token || '') || '';
-        return { hasKey: true, apiKey: email || '****oauth', defaultModel: '', path: CODEX_AUTH_FILE, authMethod: 'oauth' };
-      }
-    }
-  } catch (_) {}
-  return null;
-}
-async function startCodexOAuth(req) {
-  const remote = isRemoteRequest(req);
-  const redirectUri = remote
-    ? `${buildBaseUrl(req)}${BASE_URL}/codex-oauth2callback`
-    : `http://localhost:${CODEX_OAUTH_PORT}/auth/callback`;
-  const pkce = generatePkce();
-  const csrfToken = crypto.randomBytes(32).toString('hex');
-  const relayUrl = remote ? `${buildBaseUrl(req)}${BASE_URL}/api/codex-oauth/relay` : null;
-  const state = encodeOAuthState(csrfToken, relayUrl);
-  const params = new URLSearchParams({
-    response_type: 'code',
-    client_id: CODEX_CLIENT_ID,
-    redirect_uri: redirectUri,
-    scope: CODEX_SCOPES,
-    code_challenge: pkce.codeChallenge,
-    code_challenge_method: 'S256',
-    id_token_add_organizations: 'true',
-    codex_cli_simplified_flow: 'true',
-    state,
-  });
-  const authUrl = `${CODEX_OAUTH_ISSUER}/oauth/authorize?${params.toString()}`;
-  const mode = remote ? 'remote' : 'local';
-  codexOAuthPending = { pkce, redirectUri, state: csrfToken };
-  codexOAuthState = { status: 'pending', error: null, email: null };
-  setTimeout(() => {
-    if (codexOAuthState.status === 'pending') {
-      codexOAuthState = { status: 'error', error: 'Authentication timed out', email: null };
-      codexOAuthPending = null;
-    }
-  }, 5 * 60 * 1000);
-  return { authUrl, mode };
-}
-async function exchangeCodexOAuthCode(code, stateParam) {
-  if (!codexOAuthPending) throw new Error('No pending OAuth flow. Please start authentication again.');
-  const { pkce, redirectUri, state: expectedCsrf } = codexOAuthPending;
-  const { csrfToken } = decodeOAuthState(stateParam);
-  if (csrfToken !== expectedCsrf) {
-    codexOAuthState = { status: 'error', error: 'State mismatch', email: null };
-    codexOAuthPending = null;
-    throw new Error('State mismatch - possible CSRF attack.');
-  }
-  if (!code) {
-    codexOAuthState = { status: 'error', error: 'No authorization code received', email: null };
-    codexOAuthPending = null;
-    throw new Error('No authorization code received.');
-  }
-  const body = new URLSearchParams({
-    grant_type: 'authorization_code',
-    code,
-    redirect_uri: redirectUri,
-    client_id: CODEX_CLIENT_ID,
-    code_verifier: pkce.codeVerifier,
-  });
-  const resp = await fetch(`${CODEX_OAUTH_ISSUER}/oauth/token`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: body.toString(),
-  });
-  if (!resp.ok) {
-    const text = await resp.text();
-    codexOAuthState = { status: 'error', error: `Token exchange failed: ${resp.status}`, email: null };
-    codexOAuthPending = null;
-    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
-  }
-  const tokens = await resp.json();
-  const email = parseJwtEmail(tokens.id_token || '');
-  saveCodexCredentials(tokens);
-  codexOAuthState = { status: 'success', error: null, email };
-  codexOAuthPending = null;
-  return email;
-}
-function codexOAuthResultPage(title, message, success) {
-  const color = success ? '#10b981' : '#ef4444';
-  const icon = success ? '&#10003;' : '&#10007;';
-  return `<!DOCTYPE html><html><head><title>${title}</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div style="text-align:center;max-width:400px;padding:2rem;">
-<div style="font-size:4rem;color:${color};margin-bottom:1rem;">${icon}</div>
-<h1 style="font-size:1.5rem;margin-bottom:0.5rem;">${title}</h1>
-<p style="color:#9ca3af;">${message}</p>
-<p style="color:#6b7280;margin-top:1rem;font-size:0.875rem;">You can close this tab.</p>
-</div></body></html>`;
-}
-function codexOAuthRelayPage(code, state, error) {
-  const stateData = decodeOAuthState(state || '');
-  const relayUrl = stateData.relayUrl || '';
-  const escapedCode = (code || '').replace(/['"\\]/g, '');
-  const escapedState = (state || '').replace(/['"\\]/g, '');
-  const escapedError = (error || '').replace(/['"\\]/g, '');
-  const escapedRelay = relayUrl.replace(/['"\\]/g, '');
-  return `<!DOCTYPE html><html><head><title>Completing sign-in...</title></head>
-<body style="margin:0;display:flex;align-items:center;justify-content:center;min-height:100vh;background:#111827;font-family:system-ui,sans-serif;color:white;">
-<div id="status" style="text-align:center;max-width:400px;padding:2rem;">
-<div id="spinner" style="font-size:2rem;margin-bottom:1rem;">&#8987;</div>
-<h1 id="title" style="font-size:1.5rem;margin-bottom:0.5rem;">Completing sign-in...</h1>
-<p id="msg" style="color:#9ca3af;">Relaying authentication to server...</p>
-</div>
-<script>
-(function() {
-  var code = '${escapedCode}';
-  var state = '${escapedState}';
-  var error = '${escapedError}';
-  var relayUrl = '${escapedRelay}';
-  function show(icon, title, msg, color) {
-    document.getElementById('spinner').textContent = icon;
-    document.getElementById('spinner').style.color = color;
-    document.getElementById('title').textContent = title;
-    document.getElementById('msg').textContent = msg;
-  }
-  if (error) { show('\\u2717', 'Authentication Failed', error, '#ef4444'); return; }
-  if (!code) { show('\\u2717', 'Authentication Failed', 'No authorization code received.', '#ef4444'); return; }
-  if (!relayUrl) { show('\\u2713', 'Authentication Successful', 'Credentials saved. You can close this tab.', '#10b981'); return; }
-  fetch(relayUrl, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ code: code, state: state })
-  }).then(function(r) { return r.json(); }).then(function(data) {
-    if (data.success) {
-      show('\\u2713', 'Authentication Successful', data.email ? 'Signed in as ' + data.email + '. You can close this tab.' : 'Credentials saved. You can close this tab.', '#10b981');
-    } else {
-      show('\\u2717', 'Authentication Failed', data.error || 'Unknown error', '#ef4444');
-    }
-  }).catch(function(e) {
-    show('\\u2717', 'Relay Failed', 'Could not reach server: ' + e.message + '. You may need to paste the URL manually.', '#ef4444');
-  });
-})();
-</script>
-</body></html>`;
-}
-async function handleCodexOAuthCallback(req, res) {
-  const reqUrl = new URL(req.url, `http://localhost:${PORT}`);
-  const code = reqUrl.searchParams.get('code');
-  const state = reqUrl.searchParams.get('state');
-  const error = reqUrl.searchParams.get('error');
-  const errorDesc = reqUrl.searchParams.get('error_description');
-  if (error) {
-    const desc = errorDesc || error;
-    codexOAuthState = { status: 'error', error: desc, email: null };
-    codexOAuthPending = null;
-  }
-  const stateData = decodeOAuthState(state || '');
-  if (stateData.relayUrl) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthRelayPage(code, state, errorDesc || error));
-    return;
-  }
-  if (!codexOAuthPending) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', 'No pending OAuth flow.', false));
-    return;
-  }
-  try {
-    if (error) throw new Error(errorDesc || error);
-    const email = await exchangeCodexOAuthCode(code, state);
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Successful', email ? `Signed in as ${email}` : 'Codex CLI credentials saved.', true));
-  } catch (e) {
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end(codexOAuthResultPage('Authentication Failed', e.message, false));
-  }
-}
 const PROVIDER_CONFIGS = {
   'anthropic': {
     name: 'Anthropic', configPaths: [
@@ -1281,12 +512,12 @@ const server = http.createServer(async (req, res) => {
     const pathOnly = routePath.split('?')[0];
     if (pathOnly === '/oauth2callback' && req.method === 'GET') {
-      await handleGeminiOAuthCallback(req, res);
+      await handleGeminiOAuthCallback(req, res, PORT);
       return;
     }
     if (pathOnly === '/codex-oauth2callback' && req.method === 'GET') {
-      await handleCodexOAuthCallback(req, res);
+      await handleCodexOAuthCallback(req, res, PORT);
       return;
     }
@@ -2746,7 +1977,7 @@ const server = http.createServer(async (req, res) => {
     if (pathOnly === '/api/gemini-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startGeminiOAuth(req);
+        const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[gemini-oauth] /api/gemini-oauth/start failed:', e);
@@ -2756,7 +1987,7 @@ const server = http.createServer(async (req, res) => {
     }
     if (pathOnly === '/api/gemini-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, geminiOAuthState);
+      sendJSON(req, res, 200, getGeminiOAuthState());
       return;
     }
@@ -2771,8 +2002,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2796,8 +2025,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          geminiOAuthState = { status: 'error', error: desc, email: null };
-          geminiOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -2807,8 +2034,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeGeminiOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        geminiOAuthState = { status: 'error', error: e.message, email: null };
-        geminiOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2816,7 +2041,7 @@ const server = http.createServer(async (req, res) => {
     if (pathOnly === '/api/codex-oauth/start' && req.method === 'POST') {
       try {
-        const result = await startCodexOAuth(req);
+        const result = await startCodexOAuth(req, { PORT, BASE_URL });
         sendJSON(req, res, 200, { authUrl: result.authUrl, mode: result.mode });
       } catch (e) {
         console.error('[codex-oauth] /api/codex-oauth/start failed:', e);
@@ -2826,7 +2051,7 @@ const server = http.createServer(async (req, res) => {
     }
     if (pathOnly === '/api/codex-oauth/status' && req.method === 'GET') {
-      sendJSON(req, res, 200, codexOAuthState);
+      sendJSON(req, res, 200, getCodexOAuthState());
       return;
     }
@@ -2841,8 +2066,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, stateParam);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2864,8 +2087,6 @@ const server = http.createServer(async (req, res) => {
         const error = parsed.searchParams.get('error');
         if (error) {
           const desc = parsed.searchParams.get('error_description') || error;
-          codexOAuthState = { status: 'error', error: desc, email: null };
-          codexOAuthPending = null;
           sendJSON(req, res, 200, { error: desc });
           return;
         }
@@ -2874,8 +2095,6 @@ const server = http.createServer(async (req, res) => {
         const email = await exchangeCodexOAuthCode(code, state);
         sendJSON(req, res, 200, { success: true, email });
       } catch (e) {
-        codexOAuthState = { status: 'error', error: e.message, email: null };
-        codexOAuthPending = null;
         sendJSON(req, res, 400, { error: e.message });
       }
       return;
@@ -2889,21 +2108,21 @@ const server = http.createServer(async (req, res) => {
       if (agentId === 'codex' || agentId === 'cli-codex') {
         try {
-          const result = await startCodexOAuth(req);
+          const result = await startCodexOAuth(req, { PORT, BASE_URL });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
           const pollId = setInterval(() => {
-            if (codexOAuthState.status === 'success') {
+            if (getCodexOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = codexOAuthState.email || '';
+              const email = getCodexOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (codexOAuthState.status === 'error') {
+            } else if (getCodexOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${codexOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: codexOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getCodexOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getCodexOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
@@ -2920,21 +2139,21 @@ const server = http.createServer(async (req, res) => {
       if (agentId === 'gemini') {
         try {
-          const result = await startGeminiOAuth(req);
+          const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
           const conversationId = '__agent_auth__';
           broadcastSync({ type: 'script_started', conversationId, script: 'auth-gemini', agentId: 'gemini', timestamp: Date.now() });
           broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
           const pollId = setInterval(() => {
-            if (geminiOAuthState.status === 'success') {
+            if (getGeminiOAuthState().status === 'success') {
               clearInterval(pollId);
-              const email = geminiOAuthState.email || '';
+              const email = getGeminiOAuthState().email || '';
               broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
               broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
-            } else if (geminiOAuthState.status === 'error') {
+            } else if (getGeminiOAuthState().status === 'error') {
               clearInterval(pollId);
-              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${geminiOAuthState.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
-              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: geminiOAuthState.error, timestamp: Date.now() });
+              broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${getGeminiOAuthState().error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+              broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: getGeminiOAuthState().error, timestamp: Date.now() });
             }
           }, 1000);
@@ -4499,6 +3718,8 @@ function broadcastSync(event) {
 // WebSocket protocol router
 const wsRouter = new WsRouter();
+initSpeechManager({ broadcastSync, syncClients, queries });
 registerConvHandlers(wsRouter, {
   queries, activeExecutions, rateLimitState,
   broadcastSync, processMessageWithStreaming, cleanupExecution,
@@ -4516,7 +3737,7 @@ console.log('[INIT] About to call registerSessionHandlers, discoveredAgents.leng
 registerSessionHandlers(wsRouter, {
   db: queries, discoveredAgents, modelCache,
   getAgentDescriptor, activeScripts, broadcastSync,
-  startGeminiOAuth, geminiOAuthState: () => geminiOAuthState
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }), geminiOAuthState: getGeminiOAuthState
 });
 console.log('[INIT] registerSessionHandlers completed');
@@ -4536,10 +3757,12 @@ registerScriptHandlers(wsRouter, {
 });
 registerOAuthHandlers(wsRouter, {
-  startGeminiOAuth, exchangeGeminiOAuthCode,
-  geminiOAuthState: () => geminiOAuthState,
-  startCodexOAuth, exchangeCodexOAuthCode,
-  codexOAuthState: () => codexOAuthState,
+  startGeminiOAuth: (req) => startGeminiOAuth(req, { PORT, BASE_URL, rootDir }),
+  exchangeGeminiOAuthCode,
+  geminiOAuthState: getGeminiOAuthState,
+  startCodexOAuth: (req) => startCodexOAuth(req, { PORT, BASE_URL }),
+  exchangeCodexOAuthCode,
+  codexOAuthState: getCodexOAuthState,
 });
 wsRouter.onLegacy((data, ws) => {