bosun 0.36.6 → 0.36.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosun",
-  "version": "0.36.6",
+  "version": "0.36.7",
   "description": "AI-powered orchestrator supervisor — manages AI agent executors with failover, auto-restarts on failure, analyzes crashes with Codex SDK, creates PRs via Vibe-Kanban API, and sends Telegram notifications. Supports N executors with weighted distribution, multi-repo projects, and auto-setup.",
   "type": "module",
   "license": "Apache 2.0",

package/setup-web-server.mjs

@@ -1604,6 +1604,21 @@ function handleApply(body) {
     if (env.copilotEnableAskUser)       envMap.COPILOT_ENABLE_ASK_USER          = "true";
     if (env.copilotMcpConfig)           envMap.COPILOT_MCP_CONFIG               = env.copilotMcpConfig;
 
+    // ── Sentinel / watchdog ────────────────────────────────────────────────
+    if (env.sentinelAutoStart != null)          envMap.BOSUN_SENTINEL_AUTO_START        = env.sentinelAutoStart ? "true" : "false";
+    if (env.sentinelStrict != null)             envMap.BOSUN_SENTINEL_STRICT            = env.sentinelStrict ? "true" : "false";
+    if (env.sentinelAutoRestartMonitor != null) envMap.SENTINEL_AUTO_RESTART_MONITOR    = env.sentinelAutoRestartMonitor ? "true" : "false";
+    if (env.sentinelCrashLoopThreshold)         envMap.SENTINEL_CRASH_LOOP_THRESHOLD    = String(env.sentinelCrashLoopThreshold);
+    if (env.sentinelCrashLoopWindowMin)         envMap.SENTINEL_CRASH_LOOP_WINDOW_MIN   = String(env.sentinelCrashLoopWindowMin);
+    if (env.sentinelRepairAgentEnabled != null) envMap.SENTINEL_REPAIR_AGENT_ENABLED    = env.sentinelRepairAgentEnabled ? "true" : "false";
+    if (env.sentinelRepairTimeoutMin)           envMap.SENTINEL_REPAIR_TIMEOUT_MIN      = String(env.sentinelRepairTimeoutMin);
+
+    // ── Daemon restart policy ──────────────────────────────────────────────
+    if (env.daemonRestartDelayMs != null)       envMap.RESTART_DELAY_MS                      = String(env.daemonRestartDelayMs);
+    if (env.daemonMaxRestarts != null)          envMap.MAX_RESTARTS                           = String(env.daemonMaxRestarts);
+    if (env.daemonMaxInstantRestarts)           envMap.BOSUN_DAEMON_MAX_INSTANT_RESTARTS      = String(env.daemonMaxInstantRestarts);
+    if (env.daemonInstantCrashWindowMs)         envMap.BOSUN_DAEMON_INSTANT_CRASH_WINDOW_MS   = String(env.daemonInstantCrashWindowMs);
+
     // Ensure every setup field has safe defaults and invalid values are normalized.
     applyNonBlockingSetupEnvDefaults(envMap, env, process.env);
 

package/ui/setup.html

@@ -723,6 +723,19 @@ function App() {
   const [whatsappEnabled, setWhatsappEnabled] = useState(false);
   const [telegramIntervalMin, setTelegramIntervalMin] = useState(10);
   const [orchestratorScript, setOrchestratorScript] = useState("");
+  // Sentinel / watchdog
+  const [sentinelAutoStart, setSentinelAutoStart] = useState(false);
+  const [sentinelStrict, setSentinelStrict] = useState(false);
+  const [sentinelAutoRestartMonitor, setSentinelAutoRestartMonitor] = useState(true);
+  const [sentinelCrashLoopThreshold, setSentinelCrashLoopThreshold] = useState(3);
+  const [sentinelCrashLoopWindowMin, setSentinelCrashLoopWindowMin] = useState(5);
+  const [sentinelRepairAgentEnabled, setSentinelRepairAgentEnabled] = useState(false);
+  const [sentinelRepairTimeoutMin, setSentinelRepairTimeoutMin] = useState(15);
+  // Daemon restart policy
+  const [daemonRestartDelayMs, setDaemonRestartDelayMs] = useState(10000);
+  const [daemonMaxRestarts, setDaemonMaxRestarts] = useState(0);
+  const [daemonMaxInstantRestarts, setDaemonMaxInstantRestarts] = useState(3);
+  const [daemonInstantCrashWindowMs, setDaemonInstantCrashWindowMs] = useState(15000);
   // Launch / startup
   const [autoStartEnabled, setAutoStartEnabled] = useState(false);
   const [desktopShortcutEnabled, setDesktopShortcutEnabled] = useState(false);
@@ -1231,6 +1244,19 @@ function App() {
       if (env.WHATSAPP_ENABLED) { setWhatsappEnabled(env.WHATSAPP_ENABLED === "true"); envLoaded = true; }
       if (env.TELEGRAM_INTERVAL_MIN) { setTelegramIntervalMin(Number(env.TELEGRAM_INTERVAL_MIN) || 10); envLoaded = true; }
       if (env.ORCHESTRATOR_SCRIPT) { setOrchestratorScript(env.ORCHESTRATOR_SCRIPT); envLoaded = true; }
+      // Sentinel / watchdog
+      if (env.BOSUN_SENTINEL_AUTO_START) { setSentinelAutoStart(env.BOSUN_SENTINEL_AUTO_START === "true"); envLoaded = true; }
+      if (env.BOSUN_SENTINEL_STRICT) { setSentinelStrict(env.BOSUN_SENTINEL_STRICT === "true"); envLoaded = true; }
+      if (env.SENTINEL_AUTO_RESTART_MONITOR !== undefined) { setSentinelAutoRestartMonitor(env.SENTINEL_AUTO_RESTART_MONITOR !== "false"); envLoaded = true; }
+      if (env.SENTINEL_CRASH_LOOP_THRESHOLD) { setSentinelCrashLoopThreshold(Number(env.SENTINEL_CRASH_LOOP_THRESHOLD) || 3); envLoaded = true; }
+      if (env.SENTINEL_CRASH_LOOP_WINDOW_MIN) { setSentinelCrashLoopWindowMin(Number(env.SENTINEL_CRASH_LOOP_WINDOW_MIN) || 5); envLoaded = true; }
+      if (env.SENTINEL_REPAIR_AGENT_ENABLED) { setSentinelRepairAgentEnabled(env.SENTINEL_REPAIR_AGENT_ENABLED === "true"); envLoaded = true; }
+      if (env.SENTINEL_REPAIR_TIMEOUT_MIN) { setSentinelRepairTimeoutMin(Number(env.SENTINEL_REPAIR_TIMEOUT_MIN) || 15); envLoaded = true; }
+      // Daemon restart policy
+      if (env.RESTART_DELAY_MS) { setDaemonRestartDelayMs(Number(env.RESTART_DELAY_MS) || 10000); envLoaded = true; }
+      if (env.MAX_RESTARTS) { setDaemonMaxRestarts(Number(env.MAX_RESTARTS) || 0); envLoaded = true; }
+      if (env.BOSUN_DAEMON_MAX_INSTANT_RESTARTS) { setDaemonMaxInstantRestarts(Number(env.BOSUN_DAEMON_MAX_INSTANT_RESTARTS) || 3); envLoaded = true; }
+      if (env.BOSUN_DAEMON_INSTANT_CRASH_WINDOW_MS) { setDaemonInstantCrashWindowMs(Number(env.BOSUN_DAEMON_INSTANT_CRASH_WINDOW_MS) || 15000); envLoaded = true; }
       // Voice settings
       if (env.VOICE_ENABLED !== undefined) { setVoiceEnabled(env.VOICE_ENABLED !== "false"); envLoaded = true; }
       if (env.VOICE_PROVIDER) { setVoiceProvider(env.VOICE_PROVIDER); envLoaded = true; }
@@ -1587,6 +1613,19 @@ function App() {
           whatsappEnabled,
           telegramIntervalMin,
           orchestratorScript,
+          // Sentinel / watchdog
+          sentinelAutoStart,
+          sentinelStrict,
+          sentinelAutoRestartMonitor,
+          sentinelCrashLoopThreshold,
+          sentinelCrashLoopWindowMin,
+          sentinelRepairAgentEnabled,
+          sentinelRepairTimeoutMin,
+          // Daemon restart policy
+          daemonRestartDelayMs,
+          daemonMaxRestarts,
+          daemonMaxInstantRestarts,
+          daemonInstantCrashWindowMs,
         },
         configJson: {
           projectName,
@@ -3145,6 +3184,8 @@ function App() {
                     <select value=${ep.provider} onchange=${(e) => updateVoiceEndpoint(i, "provider", e.target.value)}>
                       <option value="azure">Azure OpenAI</option>
                       <option value="openai">OpenAI</option>
+                      <option value="claude">Claude (Anthropic)</option>
+                      <option value="gemini">Gemini (Google)</option>
                     </select>
                   </div>
                   <div class="form-group">
@@ -3185,6 +3226,23 @@ function App() {
                       <input type="text" value=${ep.model} oninput=${(e) => updateVoiceEndpoint(i, "model", e.target.value)} placeholder="gpt-audio-1.5" />
                     </div>
                   `}
+                  ${ep.provider === "claude" && html`
+                    <div class="form-group">
+                      <label>Model</label>
+                      <input type="text" value=${ep.model} oninput=${(e) => updateVoiceEndpoint(i, "model", e.target.value)} placeholder="claude-opus-4-5" />
+                    </div>
+                  `}
+                  ${ep.provider === "gemini" && html`
+                    <div class="form-group">
+                      <label>Model</label>
+                      <input type="text" value=${ep.model} oninput=${(e) => updateVoiceEndpoint(i, "model", e.target.value)} placeholder="gemini-2.0-flash" />
+                    </div>
+                  `}
+                  <div class="form-group">
+                    <label>Vision Model</label>
+                    <input type="text" value=${ep.visionModel || ""} oninput=${(e) => updateVoiceEndpoint(i, "visionModel", e.target.value)} placeholder="e.g. gpt-4.1-nano" />
+                    <div class="hint">Optional model for vision/image tasks on this endpoint.</div>
+                  </div>
                 </div>
               </div>
             `)}
@@ -3250,7 +3308,102 @@ function App() {
         </div>
       <//>
 
-      <${Section} title="🚀 Launch & Startup">
+      <${Section} title="�️ Sentinel / Watchdog">
+        <p class="hint" style="margin-top:0;margin-bottom:16px">
+          The Sentinel continuously monitors bosun and auto-restarts it if it crashes or enters a crash loop.
+        </p>
+        <div class="form-group" style="margin-bottom:12px">
+          <label style="display:flex;align-items:center;gap:8px;cursor:pointer;user-select:none">
+            <input type="checkbox" checked=${sentinelAutoStart}
+              onchange=${(e) => setSentinelAutoStart(e.target.checked)}
+              style="width:auto;padding:0;margin:0;accent-color:var(--accent);cursor:pointer" />
+            Enable Sentinel / Watchdog
+          </label>
+          <div class="hint">Bosun will be watched by an external monitor process that restarts it on failure.</div>
+        </div>
+        <div class="form-group" style="margin-bottom:12px">
+          <label style="display:flex;align-items:center;gap:8px;cursor:pointer;user-select:none">
+            <input type="checkbox" checked=${sentinelStrict}
+              onchange=${(e) => setSentinelStrict(e.target.checked)}
+              style="width:auto;padding:0;margin:0;accent-color:var(--accent);cursor:pointer" />
+            Strict Mode
+          </label>
+          <div class="hint">In strict mode the sentinel will refuse to start bosun if it detects unsafe conditions.</div>
+        </div>
+        <div class="form-group" style="margin-bottom:12px">
+          <label style="display:flex;align-items:center;gap:8px;cursor:pointer;user-select:none">
+            <input type="checkbox" checked=${sentinelAutoRestartMonitor}
+              onchange=${(e) => setSentinelAutoRestartMonitor(e.target.checked)}
+              style="width:auto;padding:0;margin:0;accent-color:var(--accent);cursor:pointer" />
+            Auto-restart monitor on crash
+          </label>
+          <div class="hint">The monitor process itself will be restarted if it exits unexpectedly.</div>
+        </div>
+        <div class="executor-grid">
+          <div class="form-group">
+            <label>Crash Loop Threshold</label>
+            <input type="number" value=${sentinelCrashLoopThreshold} min="1" max="20"
+              oninput=${(e) => setSentinelCrashLoopThreshold(Number(e.target.value) || 3)} />
+            <div class="hint">Number of restarts within the window before a crash loop is declared.</div>
+          </div>
+          <div class="form-group">
+            <label>Crash Loop Window (minutes)</label>
+            <input type="number" value=${sentinelCrashLoopWindowMin} min="1" max="60"
+              oninput=${(e) => setSentinelCrashLoopWindowMin(Number(e.target.value) || 5)} />
+            <div class="hint">Time window in which the threshold is measured.</div>
+          </div>
+        </div>
+        <div class="form-group" style="margin-bottom:12px">
+          <label style="display:flex;align-items:center;gap:8px;cursor:pointer;user-select:none">
+            <input type="checkbox" checked=${sentinelRepairAgentEnabled}
+              onchange=${(e) => setSentinelRepairAgentEnabled(e.target.checked)}
+              style="width:auto;padding:0;margin:0;accent-color:var(--accent);cursor:pointer" />
+            Enable Repair Agent
+          </label>
+          <div class="hint">On crash loop, run an AI repair agent to attempt automatic diagnosis and fix.</div>
+        </div>
+        ${sentinelRepairAgentEnabled && html`
+          <div class="form-group">
+            <label>Repair Agent Timeout (minutes)</label>
+            <input type="number" value=${sentinelRepairTimeoutMin} min="1" max="120"
+              oninput=${(e) => setSentinelRepairTimeoutMin(Number(e.target.value) || 15)} />
+          </div>
+        `}
+      <//>
+
+      <${Section} title="🔁 Daemon Restart Policy">
+        <p class="hint" style="margin-top:0;margin-bottom:16px">
+          Controls how the bosun daemon process handles crashes and restarts.
+        </p>
+        <div class="executor-grid">
+          <div class="form-group">
+            <label>Restart Delay (ms)</label>
+            <input type="number" value=${daemonRestartDelayMs} min="0"
+              oninput=${(e) => setDaemonRestartDelayMs(Number(e.target.value) || 10000)} />
+            <div class="hint">Delay before restarting after a crash. Default: 10 000 ms.</div>
+          </div>
+          <div class="form-group">
+            <label>Max Restarts (0 = unlimited)</label>
+            <input type="number" value=${daemonMaxRestarts} min="0"
+              oninput=${(e) => setDaemonMaxRestarts(Number(e.target.value))} />
+            <div class="hint">Maximum total restarts before giving up. 0 means no limit.</div>
+          </div>
+          <div class="form-group">
+            <label>Max Instant-Crash Restarts</label>
+            <input type="number" value=${daemonMaxInstantRestarts} min="1" max="20"
+              oninput=${(e) => setDaemonMaxInstantRestarts(Number(e.target.value) || 3)} />
+            <div class="hint">Max restarts allowed within the instant-crash window before stopping.</div>
+          </div>
+          <div class="form-group">
+            <label>Instant-Crash Window (ms)</label>
+            <input type="number" value=${daemonInstantCrashWindowMs} min="1000"
+              oninput=${(e) => setDaemonInstantCrashWindowMs(Number(e.target.value) || 15000)} />
+            <div class="hint">If bosun crashes faster than this window repeatedly, it's considered an instant-crash loop. Default: 15 000 ms.</div>
+          </div>
+        </div>
+      <//>
+
+      <${Section} title="�🚀 Launch & Startup">
         <p class="hint" style="margin-top:0;margin-bottom:16px">
           Configure whether bosun starts automatically and whether a desktop shortcut is created.
           ${status?.startupStatus?.methodName ? html` Platform method: <strong>${status.startupStatus.methodName}</strong>.` : ""}
@@ -3386,11 +3539,17 @@ function App() {
             <tr><th>Workflow Parallel Branches</th><td>${workflowMaxConcurrentBranches}</td></tr>
             <tr><th>Auto-Start on Login</th><td>${autoStartEnabled ? "Enabled" : "Disabled"}</td></tr>
             <tr><th>Desktop Shortcut</th><td>${desktopShortcutEnabled ? "Installed" : "Not installed"}</td></tr>
+            <tr><th>Sentinel / Watchdog</th><td>${sentinelAutoStart ? `Enabled${sentinelStrict ? " (strict)" : ""}` : "Disabled"}</td></tr>
+            <tr><th>Crash Loop Threshold</th><td>${sentinelCrashLoopThreshold} restarts in ${sentinelCrashLoopWindowMin} min</td></tr>
+            <tr><th>Repair Agent</th><td>${sentinelRepairAgentEnabled ? `Enabled (timeout ${sentinelRepairTimeoutMin} min)` : "Disabled"}</td></tr>
+            <tr><th>Daemon Restart Delay</th><td>${daemonRestartDelayMs} ms</td></tr>
+            <tr><th>Max Restarts</th><td>${daemonMaxRestarts === 0 ? "Unlimited" : daemonMaxRestarts}</td></tr>
           ` : html`
             <tr><th>Max Parallel</th><td>${maxParallel}</td></tr>
             <tr><th>Failover Strategy</th><td>${failoverStrategy}</td></tr>
             <tr><th>Auto-Start on Login</th><td>${autoStartEnabled ? "Enabled" : "Disabled"}</td></tr>
             <tr><th>Desktop Shortcut</th><td>${desktopShortcutEnabled ? "Installed" : "Not installed"}</td></tr>
+            <tr><th>Sentinel / Watchdog</th><td>${sentinelAutoStart ? "Enabled" : "Disabled"}</td></tr>
           `}
         </tbody>
       </table>

package/ui/tabs/settings.js

@@ -1350,6 +1350,15 @@ function ServerConfigMode() {
         <!-- Voice Endpoints card-based editor (synced with /setup) -->
         ${activeCategory === "voice" && html`<${VoiceEndpointsEditor} />`}
 
+        <!-- OpenAI Codex OAuth login card (voice category) -->
+        ${activeCategory === "voice" && html`<${OpenAICodexLoginCard} />`}
+
+        <!-- Claude OAuth login card (voice category) -->
+        ${activeCategory === "voice" && html`<${ClaudeLoginCard} />`}
+
+        <!-- Google Gemini OAuth login card (voice category) -->
+        ${activeCategory === "voice" && html`<${GeminiLoginCard} />`}
+
         <!-- Settings list for active category -->
         ${catDefs.length === 0
           ? html`
@@ -2008,10 +2017,11 @@ function VoiceEndpointsEditor() {
   const normalizeEp = useCallback((ep = {}, idx = 0) => ({
     _id: ep._id ?? `ep-${idx}-${Date.now()}`,
     name: String(ep.name || `endpoint-${idx + 1}`),
-    provider: ["azure", "openai"].includes(ep.provider) ? ep.provider : "azure",
+    provider: ["azure", "openai", "claude", "gemini"].includes(ep.provider) ? ep.provider : "azure",
     endpoint: String(ep.endpoint || ""),
     deployment: String(ep.deployment || ""),
     model: String(ep.model || ""),
+    visionModel: String(ep.visionModel || ""),
     apiKey: String(ep.apiKey || ""),
     voiceId: String(ep.voiceId || ""),
     role: ["primary", "backup"].includes(ep.role) ? ep.role : "primary",
@@ -2130,6 +2140,8 @@ function VoiceEndpointsEditor() {
               <select value=${ep.provider} onChange=${(e) => updateEndpoint(ep._id, "provider", e.target.value)}>
                 <option value="azure">Azure OpenAI</option>
                 <option value="openai">OpenAI</option>
+                <option value="claude">Claude (Anthropic)</option>
+                <option value="gemini">Google Gemini</option>
               </select>
             </div>
             <div>
@@ -2159,7 +2171,7 @@ function VoiceEndpointsEditor() {
                   onInput=${(e) => updateEndpoint(ep._id, "endpoint", e.target.value)} />
               </div>
               <div style="grid-column:1/-1">
-                <div class="setting-row-label">Deployment Name</div>
+                <div class="setting-row-label">Audio Model (Realtime)</div>
                 <input type="text" value=${ep.deployment} placeholder="gpt-realtime-1.5"
                   onInput=${(e) => updateEndpoint(ep._id, "deployment", e.target.value)} />
                 <div class="meta-text" style="margin-top:3px">
@@ -2170,11 +2182,18 @@ function VoiceEndpointsEditor() {
             `}
             ${ep.provider === "openai" && html`
               <div style="grid-column:1/-1">
-                <div class="setting-row-label">Model</div>
+                <div class="setting-row-label">Audio Model (Realtime)</div>
                 <input type="text" value=${ep.model} placeholder="gpt-4o-realtime-preview"
                   onInput=${(e) => updateEndpoint(ep._id, "model", e.target.value)} />
               </div>
             `}
+            <div style="grid-column:1/-1">
+              <div class="setting-row-label">Vision Model</div>
+              <input type="text" value=${ep.visionModel}
+                placeholder=${ep.provider === "azure" ? "gpt-4o" : ep.provider === "claude" ? "claude-opus-4-5" : ep.provider === "gemini" ? "gemini-2.5-flash" : "gpt-4o"}
+                onInput=${(e) => updateEndpoint(ep._id, "visionModel", e.target.value)} />
+              <div class="meta-text" style="margin-top:3px">Model used for screenshot / image analysis tasks.</div>
+            </div>
           </div>
         </div>
       `)}
@@ -2188,6 +2207,191 @@ function VoiceEndpointsEditor() {
   `;
 }
 
+/* ═══════════════════════════════════════════════════════════════
+ *  _OAuthLoginCard — shared PKCE OAuth login card factory.
+ *  Instantiated as OpenAICodexLoginCard, ClaudeLoginCard, GeminiLoginCard.
+ * ═══════════════════════════════════════════════════════════════ */
+function _OAuthLoginCard({ displayName, emoji, statusRoute, loginRoute, cancelRoute, logoutRoute, description, successMsg, signOutMsg }) {
+  const [phase, setPhase] = useState("idle");
+  const [authUrl, setAuthUrl] = useState("");
+  const [error, setError] = useState("");
+  const pollRef = useRef(null);
+
+  useEffect(() => {
+    (async () => {
+      try {
+        const res = await apiFetch(statusRoute);
+        if (res.ok) setPhase(res.status === "connected" ? "connected" : "idle");
+      } catch { /* non-fatal */ }
+    })();
+    return () => { if (pollRef.current) clearTimeout(pollRef.current); };
+  }, [statusRoute]);
+
+  async function startLogin() {
+    setPhase("pending"); setError("");
+    try {
+      const res = await apiFetch(loginRoute, { method: "POST" });
+      if (!res.ok) throw new Error(res.error || "Failed to start login");
+      setAuthUrl(res.authUrl || "");
+      beginPolling();
+    } catch (err) { setError(err.message); setPhase("error"); }
+  }
+
+  function beginPolling() {
+    if (pollRef.current) clearTimeout(pollRef.current);
+    async function tick() {
+      try {
+        const res = await apiFetch(statusRoute);
+        if (!res.ok) { pollRef.current = setTimeout(tick, 2000); return; }
+        if (res.status === "complete" || res.status === "connected") {
+          pollRef.current = null; setPhase("complete");
+          haptic("success"); showToast(successMsg, "success"); return;
+        }
+        if (res.status === "error") {
+          pollRef.current = null;
+          setError(res.result?.error || "Login failed"); setPhase("error"); return;
+        }
+        pollRef.current = setTimeout(tick, 2000);
+      } catch { pollRef.current = setTimeout(tick, 3000); }
+    }
+    pollRef.current = setTimeout(tick, 2000);
+  }
+
+  async function handleLogout() {
+    try {
+      await apiFetch(logoutRoute, { method: "POST" });
+      setPhase("idle"); setAuthUrl("");
+      haptic("medium"); showToast(signOutMsg, "info");
+    } catch (err) { showToast(`Logout failed: ${err.message}`, "error"); }
+  }
+
+  async function handleCancel() {
+    if (pollRef.current) { clearTimeout(pollRef.current); pollRef.current = null; }
+    try { await apiFetch(cancelRoute, { method: "POST" }); } catch { /* ignore */ }
+    setPhase("idle"); setAuthUrl("");
+  }
+
+  if (phase === "connected" || phase === "complete") {
+    return html`
+      <${Card}>
+        <div style="display:flex;align-items:center;gap:10px;padding:4px 0">
+          <span style="font-size:22px">${emoji}</span>
+          <div style="flex:1;min-width:0">
+            <div style="font-size:13px;font-weight:600;color:var(--text-primary)">${displayName} Connected</div>
+            <div style="font-size:12px;color:var(--text-secondary);margin-top:2px">Signed in via OAuth. Token used for API access.</div>
+          </div>
+          <button class="btn btn-sm btn-secondary" onClick=${handleLogout}>Sign out</button>
+        </div>
+      <//>
+    `;
+  }
+
+  if (phase === "pending") {
+    return html`
+      <${Card}>
+        <div style="text-align:center;padding:12px 0">
+          <div style="font-size:12px;color:var(--text-secondary);margin-bottom:12px">
+            A browser window should have opened. If not, open the link below:
+          </div>
+          ${authUrl && html`
+            <button onClick=${() => { try { window.open(authUrl, "_blank"); } catch {} }}
+              style="font-size:12px;word-break:break-all;cursor:pointer;
+                background:var(--surface-1);border:1px solid var(--border-color,rgba(255,255,255,0.1));
+                border-radius:6px;padding:8px 12px;color:var(--accent);text-decoration:underline;
+                max-width:100%;text-align:left"
+            >${authUrl}</button>
+          `}
+          <div style="font-size:12px;color:var(--text-hint);margin-top:12px;display:flex;align-items:center;justify-content:center;gap:6px">
+            <span class="spinner" style="width:14px;height:14px;border:2px solid var(--border);border-top-color:var(--accent);border-radius:50%"></span>
+            Waiting for you to sign in…
+          </div>
+          <button class="btn btn-sm" style="margin-top:12px;opacity:0.7" onClick=${handleCancel}>Cancel</button>
+        </div>
+      <//>
+    `;
+  }
+
+  if (phase === "error") {
+    return html`
+      <${Card}>
+        <div style="text-align:center;padding:10px 0">
+          <div style="font-size:13px;color:var(--color-error,#f87171);margin-bottom:10px">${error}</div>
+          <button class="btn btn-sm btn-primary" onClick=${startLogin}>Try again</button>
+        </div>
+      <//>
+    `;
+  }
+
+  // idle
+  return html`
+    <${Card}>
+      <div style="text-align:center;padding:16px 0">
+        <div style="font-size:32px;margin-bottom:8px">${emoji}</div>
+        <div style="font-size:15px;font-weight:600;margin-bottom:4px;color:var(--text-primary)">Sign in with ${displayName}</div>
+        <div style="font-size:12px;color:var(--text-secondary);margin-bottom:16px;max-width:300px;margin-inline:auto;line-height:1.6">${description}</div>
+        <button class="btn btn-primary" onClick=${startLogin} style="min-width:220px">Sign in with ${displayName}</button>
+      </div>
+    <//>
+  `;
+}
+
+/* ═══════════════════════════════════════════════════════════════
+ *  OpenAICodexLoginCard — "Sign in with OpenAI" (ChatGPT/Codex accounts)
+ *  Uses OAuth 2.0 PKCE flow via auth.openai.com — same flow as the
+ *  official Codex CLI and the ChatGPT desktop app.
+ *
+ *  Allows ChatGPT Plus/Pro/Team subscribers to authenticate without
+ *  needing to create an API key.
+ * ═══════════════════════════════════════════════════════════════ */
+function OpenAICodexLoginCard() {
+  return html`<${_OAuthLoginCard}
+    displayName="OpenAI"
+    emoji="🤖"
+    statusRoute="/api/voice/auth/openai/status"
+    loginRoute="/api/voice/auth/openai/login"
+    cancelRoute="/api/voice/auth/openai/cancel"
+    logoutRoute="/api/voice/auth/openai/logout"
+    description="Use your ChatGPT Plus, Pro, or Team subscription to access OpenAI Realtime Audio without managing API keys. Uses the same OAuth flow as the Codex CLI."
+    successMsg="Signed in with OpenAI!"
+    signOutMsg="Signed out from OpenAI"
+  />`;
+}
+
+/* ═══════════════════════════════════════════════════════════════
+ *  ClaudeLoginCard — OAuth PKCE for Anthropic Claude
+ * ═══════════════════════════════════════════════════════════════ */
+function ClaudeLoginCard() {
+  return html`<${_OAuthLoginCard}
+    displayName="Claude"
+    emoji="🧠"
+    statusRoute="/api/voice/auth/claude/status"
+    loginRoute="/api/voice/auth/claude/login"
+    cancelRoute="/api/voice/auth/claude/cancel"
+    logoutRoute="/api/voice/auth/claude/logout"
+    description="Sign in with your Claude.ai account to use Claude models for vision and analysis tasks. Uses the same OAuth PKCE flow as the official Claude desktop app."
+    successMsg="Signed in with Claude!"
+    signOutMsg="Signed out from Claude"
+  />`;
+}
+
+/* ═══════════════════════════════════════════════════════════════
+ *  GeminiLoginCard — OAuth PKCE for Google Gemini
+ * ═══════════════════════════════════════════════════════════════ */
+function GeminiLoginCard() {
+  return html`<${_OAuthLoginCard}
+    displayName="Google Gemini"
+    emoji="✨"
+    statusRoute="/api/voice/auth/gemini/status"
+    loginRoute="/api/voice/auth/gemini/login"
+    cancelRoute="/api/voice/auth/gemini/cancel"
+    logoutRoute="/api/voice/auth/gemini/logout"
+    description="Sign in with your Google account to access Gemini models for vision and multimodal tasks. Uses Google OAuth with offline access for persistent refresh tokens."
+    successMsg="Signed in with Google Gemini!"
+    signOutMsg="Signed out from Google Gemini"
+  />`;
+}
+
+
 /* ═══════════════════════════════════════════════════════════════
  *  GitHubDeviceFlowCard — "Sign in with GitHub" (like VS Code / Roo Code)
  *  Uses OAuth Device Flow: no public URL, no callback needed.

package/ui-server.mjs

@@ -9254,6 +9254,7 @@ async function handleApi(req, res, url) {
         if (ep.endpoint) out.endpoint = String(ep.endpoint);
         if (ep.deployment) out.deployment = String(ep.deployment);
         if (ep.model) out.model = String(ep.model);
+        if (ep.visionModel) out.visionModel = String(ep.visionModel);
         if (ep.apiKey) out.apiKey = String(ep.apiKey);
         if (ep.voiceId) out.voiceId = String(ep.voiceId);
         if (ep.role) out.role = String(ep.role);
@@ -9274,6 +9275,164 @@ async function handleApi(req, res, url) {
     return;
   }
 
+  // ── OpenAI Codex OAuth routes ─────────────────────────────────────────────
+
+  // GET /api/voice/auth/openai/status — token presence + pending login state
+  if (path === "/api/voice/auth/openai/status" && req.method === "GET") {
+    try {
+      const { getOpenAILoginStatus } = await import("./voice-auth-manager.mjs");
+      jsonResponse(res, 200, { ok: true, ...getOpenAILoginStatus() });
+    } catch (err) {
+      jsonResponse(res, 500, { ok: false, error: err.message });
+    }
+    return;
+  }
+
+  // POST /api/voice/auth/openai/login — start PKCE login, open browser
+  if (path === "/api/voice/auth/openai/login" && req.method === "POST") {
+    try {
+      const { startOpenAICodexLogin } = await import("./voice-auth-manager.mjs");
+      const { authUrl } = startOpenAICodexLogin();
+      jsonResponse(res, 200, { ok: true, authUrl });
+    } catch (err) {
+      jsonResponse(res, 500, { ok: false, error: err.message });
+    }
+    return;
+  }
+
+  // POST /api/voice/auth/openai/cancel — cancel pending login
+  if (path === "/api/voice/auth/openai/cancel" && req.method === "POST") {
+    try {
+      const { cancelOpenAILogin } = await import("./voice-auth-manager.mjs");
+      cancelOpenAILogin();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) {
+      jsonResponse(res, 500, { ok: false, error: err.message });
+    }
+    return;
+  }
+
+  // POST /api/voice/auth/openai/logout — remove stored token
+  if (path === "/api/voice/auth/openai/logout" && req.method === "POST") {
+    try {
+      const { logoutOpenAI } = await import("./voice-auth-manager.mjs");
+      const result = logoutOpenAI();
+      broadcastUiEvent(["settings", "voice"], "invalidate", {
+        reason: "openai-oauth-logout",
+      });
+      jsonResponse(res, 200, { ok: true, ...result });
+    } catch (err) {
+      jsonResponse(res, 500, { ok: false, error: err.message });
+    }
+    return;
+  }
+
+  // POST /api/voice/auth/openai/refresh — exchange refresh_token for new access_token
+  if (path === "/api/voice/auth/openai/refresh" && req.method === "POST") {
+    try {
+      const { refreshOpenAICodexToken } = await import("./voice-auth-manager.mjs");
+      await refreshOpenAICodexToken();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) {
+      jsonResponse(res, 500, { ok: false, error: err.message });
+    }
+    return;
+  }
+
+  // ── Claude OAuth routes ────────────────────────────────────────────────────
+
+  if (path === "/api/voice/auth/claude/status" && req.method === "GET") {
+    try {
+      const { getClaudeLoginStatus } = await import("./voice-auth-manager.mjs");
+      jsonResponse(res, 200, { ok: true, ...getClaudeLoginStatus() });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/claude/login" && req.method === "POST") {
+    try {
+      const { startClaudeLogin } = await import("./voice-auth-manager.mjs");
+      const { authUrl } = startClaudeLogin();
+      jsonResponse(res, 200, { ok: true, authUrl });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/claude/cancel" && req.method === "POST") {
+    try {
+      const { cancelClaudeLogin } = await import("./voice-auth-manager.mjs");
+      cancelClaudeLogin();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/claude/logout" && req.method === "POST") {
+    try {
+      const { logoutClaude } = await import("./voice-auth-manager.mjs");
+      const result = logoutClaude();
+      broadcastUiEvent(["settings", "voice"], "invalidate", { reason: "claude-oauth-logout" });
+      jsonResponse(res, 200, { ok: true, ...result });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/claude/refresh" && req.method === "POST") {
+    try {
+      const { refreshClaudeToken } = await import("./voice-auth-manager.mjs");
+      await refreshClaudeToken();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  // ── Google Gemini OAuth routes ─────────────────────────────────────────────
+
+  if (path === "/api/voice/auth/gemini/status" && req.method === "GET") {
+    try {
+      const { getGeminiLoginStatus } = await import("./voice-auth-manager.mjs");
+      jsonResponse(res, 200, { ok: true, ...getGeminiLoginStatus() });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/gemini/login" && req.method === "POST") {
+    try {
+      const { startGeminiLogin } = await import("./voice-auth-manager.mjs");
+      const { authUrl } = startGeminiLogin();
+      jsonResponse(res, 200, { ok: true, authUrl });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/gemini/cancel" && req.method === "POST") {
+    try {
+      const { cancelGeminiLogin } = await import("./voice-auth-manager.mjs");
+      cancelGeminiLogin();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/gemini/logout" && req.method === "POST") {
+    try {
+      const { logoutGemini } = await import("./voice-auth-manager.mjs");
+      const result = logoutGemini();
+      broadcastUiEvent(["settings", "voice"], "invalidate", { reason: "gemini-oauth-logout" });
+      jsonResponse(res, 200, { ok: true, ...result });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
+  if (path === "/api/voice/auth/gemini/refresh" && req.method === "POST") {
+    try {
+      const { refreshGeminiToken } = await import("./voice-auth-manager.mjs");
+      await refreshGeminiToken();
+      jsonResponse(res, 200, { ok: true });
+    } catch (err) { jsonResponse(res, 500, { ok: false, error: err.message }); }
+    return;
+  }
+
   // GET /api/voice/sdk-config — SDK-first configuration for client
   if (path === "/api/voice/sdk-config" && req.method === "GET") {
     try {

package/voice-auth-manager.mjs

@@ -1,4 +1,7 @@
+import { createHash, randomBytes } from "node:crypto";
+import { exec as childExec } from "node:child_process";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { createServer } from "node:http";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
 
@@ -162,3 +165,350 @@ export function saveVoiceOAuthToken(provider, payload = {}) {
 export function getVoiceAuthStatePath() {
   return VOICE_AUTH_STATE_PATH;
 }
+
+// ── Generic OAuth PKCE provider registry ─────────────────────────────────────
+//
+// Provider configs reverse-engineered from official CLI tools:
+// • openai  — https://github.com/openai/codex + opencode/issues/3281
+// • claude  — github.com/XiaoConstantine/dspy-go/pkg/llms (Claude Code client)
+// • gemini  — google-gemini/gemini-cli (Google Gemini CLI public client)
+//
+// All use OAuth 2.0 Authorization Code + PKCE (RFC 7636) with no client secret
+// (public clients per RFC 8252 §8.4).
+const OAUTH_PROVIDERS = {
+  openai: {
+    clientId: "app_EMoamEEZ73f0CkXaXp7hrann",
+    authorizeUrl: "https://auth.openai.com/oauth/authorize",
+    tokenUrl: "https://auth.openai.com/oauth/token",
+    redirectUri: "http://localhost:1455/auth/callback",
+    port: 1455,
+    scopes: "openid profile email offline_access",
+    extraParams: {
+      id_token_add_organizations: "true",
+      codex_cli_simplified_flow: "true",
+    },
+    accentColor: "#10a37f",
+  },
+  claude: {
+    // Claude Code public client — same one used by `claude auth login`
+    clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+    authorizeUrl: "https://claude.ai/oauth/authorize",
+    tokenUrl: "https://console.anthropic.com/v1/oauth/token",
+    redirectUri: "http://localhost:10001/auth/callback",
+    port: 10001,
+    scopes: "openid profile email offline_access",
+    extraParams: {},
+    accentColor: "#d97706",
+  },
+  gemini: {
+    // Gemini CLI public client (google-gemini/gemini-cli open-source)
+    clientId: "681255809395-ets0jcnv5ak5mca0r35k1ofb3aqrdh28.apps.googleusercontent.com",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    redirectUri: "http://localhost:10002/auth/callback",
+    port: 10002,
+    scopes: [
+      "https://www.googleapis.com/auth/generative-language",
+      "https://www.googleapis.com/auth/cloud-platform",
+      "openid",
+      "email",
+      "profile",
+    ].join(" "),
+    extraParams: {
+      // Offline access (refresh token) + force consent screen to re-issue refresh_token
+      access_type: "offline",
+      prompt: "consent",
+    },
+    accentColor: "#1a73e8",
+  },
+};
+
+// Module-scope per-provider pending login state (never inside a function — hard rule).
+const _providerPendingLogin = new Map();
+
+// ── PKCE helpers ──────────────────────────────────────────────────────────────
+
+function _generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+
+function _computeCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+
+function _generateState() {
+  return randomBytes(16).toString("hex");
+}
+
+// ── Generic token exchange ────────────────────────────────────────────────────
+
+async function _exchangeCode(code, codeVerifier, cfg) {
+  const params = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    client_id: cfg.clientId,
+    redirect_uri: cfg.redirectUri,
+    code_verifier: codeVerifier,
+  });
+  const res = await fetch(cfg.tokenUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: params.toString(),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.status.toString());
+    throw new Error(`Token exchange failed (${res.status}): ${text}`);
+  }
+  return res.json();
+}
+
+// ── Generic one-shot callback server ─────────────────────────────────────────
+
+function _createCallbackServer(provider, cfg, expectedState, codeVerifier) {
+  const port = cfg.port;
+  const server = createServer((req, res) => {
+    let url;
+    try {
+      url = new URL(req.url, `http://localhost:${port}`);
+    } catch {
+      res.writeHead(400).end("Bad request");
+      return;
+    }
+
+    if (url.pathname !== "/auth/callback") {
+      res.writeHead(404).end("Not found");
+      return;
+    }
+
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+    const errorDescription = url.searchParams.get("error_description") || error || "Unknown error";
+    const pending = _providerPendingLogin.get(provider);
+
+    if (error) {
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;padding:40px">
+        <h2>Sign-in failed</h2><p>${errorDescription}</p><p>You can close this window.</p>
+      </body></html>`);
+      if (pending) { pending.status = "error"; pending.result = { error: errorDescription }; }
+      setTimeout(() => server.close(), 500);
+      return;
+    }
+
+    if (!code || state !== expectedState) {
+      res.writeHead(400).end("Invalid callback");
+      if (pending) { pending.status = "error"; pending.result = { error: "state_mismatch" }; }
+      setTimeout(() => server.close(), 500);
+      return;
+    }
+
+    _exchangeCode(code, codeVerifier, cfg)
+      .then((tokenData) => {
+        const expiresAt = tokenData.expires_in
+          ? new Date(Date.now() + Number(tokenData.expires_in) * 1000).toISOString()
+          : null;
+        saveVoiceOAuthToken(provider, {
+          accessToken: tokenData.access_token,
+          refreshToken: tokenData.refresh_token || null,
+          expiresAt,
+          tokenType: tokenData.token_type || "Bearer",
+        });
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;padding:40px;text-align:center">
+          <h2 style="color:${cfg.accentColor}">✓ Signed in successfully</h2>
+          <p>You can close this window and return to Bosun.</p>
+        </body></html>`);
+        const p = _providerPendingLogin.get(provider);
+        if (p) { p.status = "complete"; p.result = { ok: true }; }
+      })
+      .catch((err) => {
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;padding:40px">
+          <h2>Token exchange failed</h2><p>${err.message}</p><p>You can close this window.</p>
+        </body></html>`);
+        const p = _providerPendingLogin.get(provider);
+        if (p) { p.status = "error"; p.result = { error: err.message }; }
+      })
+      .finally(() => { setTimeout(() => server.close(), 1000); });
+  });
+
+  server.on("error", (err) => {
+    const p = _providerPendingLogin.get(provider);
+    if (p?.status === "pending") { p.status = "error"; p.result = { error: err.message }; }
+  });
+
+  server.listen(port, "localhost");
+  return server;
+}
+
+// ── Open browser cross-platform ───────────────────────────────────────────────
+
+function _openBrowser(url) {
+  const cmd =
+    process.platform === "win32"
+      ? `start "" "${url}"`
+      : process.platform === "darwin"
+        ? `open "${url}"`
+        : `xdg-open "${url}"`;
+  childExec(cmd, () => { /* non-fatal: URL already returned to caller */ });
+}
+
+// ── Generic provider login functions ────────────────────────────────────────
+
+function _startProviderLogin(provider) {
+  const cfg = OAUTH_PROVIDERS[provider];
+  if (!cfg) throw new Error(`Unknown OAuth provider: ${provider}`);
+
+  // Cancel any existing login for this provider
+  _cancelProviderLogin(provider);
+
+  const codeVerifier = _generateCodeVerifier();
+  const codeChallenge = _computeCodeChallenge(codeVerifier);
+  const state = _generateState();
+
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: cfg.clientId,
+    redirect_uri: cfg.redirectUri,
+    scope: cfg.scopes,
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    ...cfg.extraParams,
+  });
+
+  const authUrl = `${cfg.authorizeUrl}?${params.toString()}`;
+  const server = _createCallbackServer(provider, cfg, state, codeVerifier);
+
+  _providerPendingLogin.set(provider, {
+    state,
+    codeVerifier,
+    server,
+    status: "pending",
+    result: null,
+    startedAt: Date.now(),
+  });
+
+  try { _openBrowser(authUrl); } catch { /* ignore */ }
+
+  return { authUrl };
+}
+
+function _getProviderLoginStatus(provider) {
+  const hasToken = Boolean(resolveVoiceOAuthToken(provider, false));
+  const pending = _providerPendingLogin.get(provider);
+  if (!pending) {
+    return { status: hasToken ? "connected" : "idle", hasToken };
+  }
+  const elapsed = Date.now() - pending.startedAt;
+  if (elapsed > 5 * 60 * 1000 && pending.status === "pending") {
+    _cancelProviderLogin(provider);
+    return { status: "idle", hasToken };
+  }
+  return { status: pending.status, result: pending.result || null, hasToken };
+}
+
+function _cancelProviderLogin(provider) {
+  const pending = _providerPendingLogin.get(provider);
+  if (pending?.server) {
+    try { pending.server.close(); } catch { /* ignore */ }
+  }
+  _providerPendingLogin.delete(provider);
+}
+
+function _logoutProvider(provider) {
+  const curr = getCachedState(true);
+  if (!curr?.providers?.[provider]) return { ok: true, wasLoggedIn: false };
+  const next = {
+    ...curr,
+    providers: { ...(curr.providers || {}) },
+  };
+  delete next.providers[provider];
+  mkdirSync(dirname(VOICE_AUTH_STATE_PATH), { recursive: true });
+  writeFileSync(VOICE_AUTH_STATE_PATH, JSON.stringify(next, null, 2));
+  _cachedState = next;
+  _cachedStateAt = Date.now();
+  return { ok: true, wasLoggedIn: true };
+}
+
+async function _refreshProviderToken(provider) {
+  const cfg = OAUTH_PROVIDERS[provider];
+  if (!cfg) throw new Error(`Unknown OAuth provider: ${provider}`);
+
+  const state = getCachedState(true);
+  const providerData = state?.providers?.[provider] || {};
+  const refreshToken = providerData.refreshToken || providerData.refresh_token;
+  if (!refreshToken) throw new Error(`No refresh token stored for ${provider}`);
+
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_id: cfg.clientId,
+    ...(cfg.extraParams?.access_type ? { access_type: cfg.extraParams.access_type } : {}),
+  });
+
+  const res = await fetch(cfg.tokenUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: params.toString(),
+  });
+
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.status.toString());
+    throw new Error(`Token refresh failed (${res.status}): ${text}`);
+  }
+
+  const tokenData = await res.json();
+  const expiresAt = tokenData.expires_in
+    ? new Date(Date.now() + Number(tokenData.expires_in) * 1000).toISOString()
+    : null;
+
+  saveVoiceOAuthToken(provider, {
+    accessToken: tokenData.access_token,
+    refreshToken: tokenData.refresh_token || refreshToken,
+    expiresAt,
+    tokenType: tokenData.token_type || "Bearer",
+  });
+
+  return tokenData;
+}
+
+// ── Public API — OpenAI ──────────────────────────────────────────────────────
+
+/** Start the OpenAI Codex OAuth PKCE flow (same as Codex CLI / ChatGPT app). */
+export function startOpenAICodexLogin()    { return _startProviderLogin("openai"); }
+/** Poll the status of an in-progress OpenAI login. */
+export function getOpenAILoginStatus()     { return _getProviderLoginStatus("openai"); }
+/** Cancel an in-progress OpenAI login. */
+export function cancelOpenAILogin()        { return _cancelProviderLogin("openai"); }
+/** Remove the stored OpenAI OAuth token. */
+export function logoutOpenAI()             { return _logoutProvider("openai"); }
+/** Refresh an expired OpenAI access token using the stored refresh_token. */
+export async function refreshOpenAICodexToken() { return _refreshProviderToken("openai"); }
+
+// ── Public API — Claude ──────────────────────────────────────────────────────
+
+/** Start the Anthropic Claude OAuth PKCE flow (same as `claude auth login`). */
+export function startClaudeLogin()         { return _startProviderLogin("claude"); }
+/** Poll the status of an in-progress Claude login. */
+export function getClaudeLoginStatus()     { return _getProviderLoginStatus("claude"); }
+/** Cancel an in-progress Claude login. */
+export function cancelClaudeLogin()        { return _cancelProviderLogin("claude"); }
+/** Remove the stored Claude OAuth token. */
+export function logoutClaude()             { return _logoutProvider("claude"); }
+/** Refresh an expired Claude access token. */
+export async function refreshClaudeToken() { return _refreshProviderToken("claude"); }
+
+// ── Public API — Google Gemini ───────────────────────────────────────────────
+
+/** Start the Google Gemini OAuth PKCE flow (same as gemini-cli `gemini auth login`). */
+export function startGeminiLogin()         { return _startProviderLogin("gemini"); }
+/** Poll the status of an in-progress Gemini login. */
+export function getGeminiLoginStatus()     { return _getProviderLoginStatus("gemini"); }
+/** Cancel an in-progress Gemini login. */
+export function cancelGeminiLogin()        { return _cancelProviderLogin("gemini"); }
+/** Remove the stored Gemini OAuth token. */
+export function logoutGemini()             { return _logoutProvider("gemini"); }
+/** Refresh an expired Gemini access token. */
+export async function refreshGeminiToken() { return _refreshProviderToken("gemini"); }

package/voice-relay.mjs

@@ -949,6 +949,9 @@ async function createAzureEphemeralToken(cfg, toolDefinitions = [], callContext
   }
 
   const sessionConfig = {
+    // GA protocol (gpt-realtime-1.5 etc.) requires type: "realtime" in the POST body.
+    // Preview protocol does not support this field — omit it to avoid 400s.
+    ...(isAzureGaProtocol(deployment) ? { type: "realtime" } : {}),
     model: deployment,
     voice: voiceId,
     instructions,