claude-gpt-launcher 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/.codex/skills/claude-gpt-launcher/SKILL.md +46 -0
  2. package/.codex/skills/claude-gpt-launcher/agents/openai.yaml +4 -0
  3. package/CONTRIBUTING.md +23 -0
  4. package/Claude-GPT-Launcher-threat-model.md +191 -0
  5. package/LICENSE +21 -0
  6. package/Package.swift +25 -0
  7. package/README.md +239 -0
  8. package/RELEASING.md +43 -0
  9. package/Resources/AppIcon.icns +0 -0
  10. package/Resources/AppIcon.png +0 -0
  11. package/Resources/Info.plist +28 -0
  12. package/SECURITY.md +17 -0
  13. package/Sources/ClaudeGPTLauncher/App/ClaudeGPTLauncherApp.swift +61 -0
  14. package/Sources/ClaudeGPTLauncher/Models/ModelOption.swift +27 -0
  15. package/Sources/ClaudeGPTLauncher/Models/ProjectInfo.swift +10 -0
  16. package/Sources/ClaudeGPTLauncher/Services/ProjectInspector.swift +53 -0
  17. package/Sources/ClaudeGPTLauncher/Services/Shell.swift +47 -0
  18. package/Sources/ClaudeGPTLauncher/Services/TerminalLauncher.swift +85 -0
  19. package/Sources/ClaudeGPTLauncher/Stores/LauncherStore.swift +56 -0
  20. package/Sources/ClaudeGPTLauncher/Views/ContentView.swift +181 -0
  21. package/Sources/ClaudeGPTLauncher/Views/SettingsView.swift +22 -0
  22. package/Sources/ClaudeGPTMCP/ClaudeGPTMCPServer.swift +149 -0
  23. package/Sources/ClaudeGPTMCP/ClaudeHarnessRunner.swift +125 -0
  24. package/Sources/ClaudeGPTMCP/CommandRunner.swift +111 -0
  25. package/Sources/ClaudeGPTMCP/MCPProjectGuard.swift +74 -0
  26. package/npm/cli.mjs +233 -0
  27. package/package.json +76 -0
  28. package/script/build_and_run.sh +82 -0
  29. package/script/claude-gpt +92 -0
  30. package/script/install_backend.sh +21 -0
  31. package/script/release_macos.sh +61 -0
@@ -0,0 +1,46 @@
1
+ ---
2
+ name: claude-gpt-launcher
3
+ description: Install, diagnose, open, unregister, or remove Claude GPT Launcher and its Codex MCP bridge. Use when a user asks to set up the launcher, verify prerequisites, manage the claude-gpt-harness MCP, or troubleshoot installation state on an Apple silicon Mac.
4
+ ---
5
+
6
+ # Claude GPT Launcher
7
+
8
+ Start with a read-only diagnostic:
9
+
10
+ ```zsh
11
+ claude-gpt-launcher doctor --json
12
+ ```
13
+
14
+ If the command is missing, install it from npm:
15
+
16
+ ```zsh
17
+ npm install --global claude-gpt-launcher
18
+ ```
19
+
20
+ Install the backend helper and native app explicitly:
21
+
22
+ ```zsh
23
+ claude-gpt-launcher install
24
+ ```
25
+
26
+ Register the optional Codex bridge only when requested:
27
+
28
+ ```zsh
29
+ claude-gpt-launcher mcp install --enable-edits
30
+ claude-gpt-launcher mcp status --json
31
+ ```
32
+
33
+ For sensitive repositories, pass comma-separated remote substrings:
34
+
35
+ ```zsh
36
+ claude-gpt-launcher mcp install --enable-edits --protected-remotes "company/production,example/private-app"
37
+ ```
38
+
39
+ Use `claude-gpt-launcher open` to open the installed app. Use
40
+ `claude-gpt-launcher mcp remove` to remove only the MCP registration. Run
41
+ `claude-gpt-launcher uninstall` only when the user explicitly asks to remove
42
+ the app, backend helper, and MCP registration.
43
+
44
+ Never request, print, extract, or pass OAuth tokens through CLI flags. Report
45
+ missing provider authentication and direct the user to the provider-supported
46
+ login flow.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "Claude GPT Launcher"
3
+ short_description: "Install and operate the local harness bridge"
4
+ default_prompt: "Use $claude-gpt-launcher to verify and manage the local Claude GPT launcher."
@@ -0,0 +1,23 @@
1
+ # Contributing
2
+
3
+ Thanks for helping improve Claude GPT Launcher.
4
+
5
+ ## Before opening a pull request
6
+
7
+ 1. Keep the change focused and avoid unrelated refactors.
8
+ 2. Never commit OAuth material, API keys, private repository content, personal
9
+ paths, or real account identifiers.
10
+ 3. Preserve localhost-only networking and explicit edit authorization.
11
+ 4. Run the complete validation suite:
12
+
13
+ ```zsh
14
+ npm test
15
+ npm run pack:check
16
+ ```
17
+
18
+ 5. Explain the user-facing effect and any security-boundary change.
19
+
20
+ ## Reporting security problems
21
+
22
+ Follow [SECURITY.md](SECURITY.md). Do not open a public issue containing exploit
23
+ details or credentials.
@@ -0,0 +1,191 @@
1
+ # Claude GPT Launcher threat model
2
+
3
+ ## Executive summary
4
+
5
+ The highest residual risks are npm supply-chain compromise and prompt-driven
6
+ access to sensitive local files when processing an untrusted repository. The
7
+ launcher now avoids install-time scripts, publishes through an OIDC-ready
8
+ workflow, notarizes hardened-runtime app archives, pins resolved executable
9
+ paths, selects an unused localhost port, validates real repository paths,
10
+ limits MCP work, and refuses to overwrite unrelated local artifacts. It is still a
11
+ same-user developer tool rather than an OS sandbox, so untrusted repositories
12
+ should run in a disposable account or container.
13
+
14
+ ## Scope and assumptions
15
+
16
+ - In scope: `npm/`, `script/`, `Sources/ClaudeGPTMCP/`,
17
+ `Sources/ClaudeGPTLauncher/`, `Resources/`, and npm packaging metadata.
18
+ - Runtime assumption: individual Apple-silicon Mac developer account with
19
+ Claude Code, Codex, and the proxy installed intentionally.
20
+ - Distribution assumption: public npm package; no lifecycle `postinstall`.
21
+ - Data assumption: repository content and prompts may be confidential; OAuth
22
+ credentials stay in provider-supported storage.
23
+ - Out of scope: security of Claude Code, Codex, the proxy implementation, model
24
+ providers, npm itself, and a fully compromised local user account.
25
+
26
+ Open questions that could change ranking:
27
+
28
+ - Enterprise or shared-Mac deployment would increase local isolation risk.
29
+ - Automated CI use would require non-interactive credential and artifact rules.
30
+ - Supporting untrusted third-party repositories would make OS sandboxing a
31
+ release requirement rather than a recommendation.
32
+
33
+ ## System model
34
+
35
+ ### Primary components
36
+
37
+ - npm CLI: explicit installation, diagnostics, MCP registration, and removal
38
+ (`npm/cli.mjs`).
39
+ - Native SwiftUI launcher: selects a Git repository and opens Terminal
40
+ (`Sources/ClaudeGPTLauncher/`).
41
+ - Backend wrapper: starts a loopback proxy and Claude Code process
42
+ (`script/claude-gpt`).
43
+ - MCP server: validates requests and delegates bounded plan/edit tasks
44
+ (`Sources/ClaudeGPTMCP/`).
45
+ - Build/package tooling: ad-hoc signs local builds and separately creates a
46
+ Developer ID signed, notarized, stapled, checksummed release archive
47
+ (`script/build_and_run.sh`, `script/release_macos.sh`, `package.json`).
48
+
49
+ ### Data flows and trust boundaries
50
+
51
+ - npm registry → npm CLI: package source and executable scripts; npm integrity
52
+ metadata applies, but publisher-account compromise remains possible.
53
+ - User → npm CLI: explicit commands and repository-protection patterns; parsed
54
+ as argument arrays without a shell.
55
+ - Codex → MCP server: newline-delimited JSON-RPC containing repository paths,
56
+ prompts, models, and edit intent; schema and size controls are applied.
57
+ - MCP server → backend wrapper: validated repository root and fixed CLI flags;
58
+ environment is reduced to a narrow allowlist.
59
+ - Backend wrapper → loopback proxy: prompts and model traffic over a randomly
60
+ selected `127.0.0.1` port; an occupied port fails closed.
61
+ - Claude Code → repository: read or edit tools under the user's OS account;
62
+ tool restrictions and deny patterns apply, but no OS sandbox exists.
63
+
64
+ #### Diagram
65
+
66
+ ```mermaid
67
+ flowchart LR
68
+ NPM["npm registry"] --> CLI["npm CLI"]
69
+ USER["Local user"] --> CLI
70
+ CLI --> APP["macOS app"]
71
+ CODEX["Codex"] --> MCP["MCP server"]
72
+ APP --> WRAP["Backend wrapper"]
73
+ MCP --> WRAP
74
+ WRAP --> PROXY["Loopback proxy"]
75
+ WRAP --> CLAUDE["Claude Code"]
76
+ CLAUDE --> REPO["Git repository"]
77
+ PROXY --> PROVIDER["Model provider"]
78
+ ```
79
+
80
+ ## Assets and security objectives
81
+
82
+ | Asset | Why it matters | Security objective (C/I/A) |
83
+ |---|---|---|
84
+ | Repository content | May contain proprietary source and configuration | C/I |
85
+ | OAuth credentials | Account compromise could consume subscription access | C/I |
86
+ | Local filesystem | Same-user processes can access personal developer files | C/I/A |
87
+ | MCP edit authorization | Controls whether delegated changes are permitted | I |
88
+ | npm package and app bundle | Compromise executes code under the installer user | I |
89
+ | Proxy availability | Required for model-backed sessions | A |
90
+ | Logs and MCP output | May contain code, paths, or errors | C |
91
+
92
+ ## Attacker model
93
+
94
+ ### Capabilities
95
+
96
+ - Publish or substitute a malicious npm package after publisher compromise.
97
+ - Commit prompt-injection content to a repository the user opens.
98
+ - Invoke the local MCP if the attacker already controls a permitted Codex/MCP
99
+ client under the same user account.
100
+ - Race or occupy local ports and place executables earlier in a hostile `PATH`.
101
+ - Supply malformed paths, symlinks, prompts, and oversized MCP work requests.
102
+
103
+ ### Non-capabilities
104
+
105
+ - No unauthenticated internet listener is exposed by this repository.
106
+ - A remote attacker cannot directly call the stdio MCP without local process
107
+ access.
108
+ - The tool does not intentionally read or store OAuth tokens.
109
+ - The model cannot execute Bash through the MCP's declared tool set.
110
+
111
+ ## Entry points and attack surfaces
112
+
113
+ | Surface | How reached | Trust boundary | Notes | Evidence |
114
+ |---|---|---|---|---|
115
+ | npm CLI arguments | Local shell or `npx` | User → CLI | Explicit write commands; JSON mode | `npm/cli.mjs` command switch |
116
+ | npm package install | npm registry | Registry → local user | No `postinstall`; package still contains executable code | `package.json` scripts and bin |
117
+ | Project picker | Native app | User → app | Resolves selected Git root | `ProjectInspector.swift` |
118
+ | MCP JSON-RPC | Codex stdio | Codex → MCP | Plan and gated edit tools | `ClaudeGPTMCPServer.swift` |
119
+ | Project path | MCP tool argument | Client → filesystem | Symlinks resolved; real root rechecked | `MCPProjectGuard.validate` |
120
+ | Prompt | MCP tool argument | Client/repository → model | Length and turn limits; prompt injection remains | `ClaudeHarnessRunner.run` |
121
+ | Proxy port | Local TCP | Wrapper → proxy | Random loopback port; occupied port rejected | `script/claude-gpt` |
122
+ | Install destinations | Local filesystem | npm CLI → user home | Ownership checks prevent name collisions | installer and uninstall functions |
123
+
124
+ ## Top abuse paths
125
+
126
+ 1. Attacker compromises npm publisher → publishes a trojan release → user runs
127
+ `npx ... install` → attacker gains same-user code execution.
128
+ 2. Malicious repository embeds prompt instructions → Claude reads them during
129
+ analysis → attempts to read sensitive files outside the repo → content is
130
+ returned through MCP. Common secret directories are denied, but the OS does
131
+ not enforce full confinement.
132
+ 3. Overbroad user request plus enabled MCP edits → model changes more files than
133
+ intended → repository integrity is damaged before Codex review.
134
+ 4. Local process occupies a chosen proxy port → launcher detects the listener
135
+ and fails rather than sending prompts to it.
136
+ 5. Hostile working environment alters `PATH` → wrapper resolves each dependency
137
+ before entering the repository and invokes the absolute path.
138
+ 6. Unrelated app/helper/MCP uses the same name → install or uninstall checks
139
+ ownership → operation refuses or skips the unrelated artifact.
140
+ 7. Client submits excessive prompt/output work → prompt, output, turn, and time
141
+ limits terminate the request before unbounded local resource consumption.
142
+
143
+ ## Threat model table
144
+
145
+ | Threat ID | Threat source | Prerequisites | Threat action | Impact | Impacted assets | Existing controls (evidence) | Gaps | Recommended mitigations | Detection ideas | Likelihood | Impact severity | Priority |
146
+ |---|---|---|---|---|---|---|---|---|---|---|---|---|
147
+ | TM-001 | npm account/package compromise | User installs a malicious release | Execute arbitrary package code | Same-user compromise | Filesystem, credentials, source | No dependencies or postinstall; OIDC-ready publish workflow with provenance; Developer ID signing, notarization, stapling, and checksums for app archives | npm and Apple publisher identities remain external trust anchors | Configure npm trusted publishing, require npm 2FA, protect releases, and sign Git tags | Monitor npm owner/version changes and verify Gatekeeper/checksum results | Low | High | High |
148
+ | TM-002 | Malicious repository content | User delegates analysis of untrusted code | Prompt injection induces out-of-repo reads | Secret or source disclosure | Filesystem, credentials | Tool allowlist and credential-directory deny rules in `ClaudeHarnessRunner.swift` | Claude Code can normally read outside cwd | Recommend container/disposable account; evaluate a real sandbox before claiming untrusted-repo safety | Audit returned paths and provider telemetry | Medium | High | High |
149
+ | TM-003 | Overbroad model action | MCP edits explicitly enabled | Modify unintended in-repo files | Repository integrity loss | Source, Git state | Install-time edit gate, call confirmation, no Bash, Codex diff validation | Confirmation is delegated to client policy | Keep edits off by default; add per-call UI approval if Codex exposes one | Log mode, root, and changed-file summary without content | Medium | Medium | Medium |
150
+ | TM-004 | Same-user local process | Can bind local TCP first | Capture proxy-bound traffic | Prompt/source disclosure | Repository content | Random loopback port and occupied-port fail-closed logic in `script/claude-gpt` | Port allocation still has a small race | Prefer authenticated Unix socket if proxy supports it | Record bind failures without prompt data | Low | High | Medium |
151
+ | TM-005 | Hostile PATH/repository | User launches from manipulated environment | Substitute git, curl, proxy, or Claude binary | Same-user execution | Filesystem, credentials | Absolute executable resolution before `cd` in `script/claude-gpt` | A hostile PATH before launch can still select a malicious binary | Document trusted installation sources; optionally pin known install locations | `doctor` reports resolved paths | Low | High | Medium |
152
+ | TM-006 | Name collision or malicious local artifact | Existing same-name app/helper/MCP | Trick install/uninstall into replacing unrelated data | Local data loss or tool hijack | Filesystem, app integrity | Bundle ID, ownership marker, and MCP-command checks | Marker is not cryptographic | Add manifest hashes for future upgrades | Report every skipped collision | Low | Medium | Low |
153
+ | TM-007 | MCP client/model output | Authorized local call | Return sensitive code or fill disk | Disclosure or local DoS | Logs, source, availability | Private temporary logs, 0600 files, default cleanup, 10 MB output, and 10-minute timeout in `CommandRunner.swift` and `script/claude-gpt` | MCP response intentionally enters Codex chat | Add optional redaction and lower configurable limits | Count failures by reason, never log prompt content | Medium | Medium | Medium |
154
+ | TM-008 | Symlink/path manipulation | Client supplies crafted path | Escape home/repository boundary | Unauthorized local reads/edits | Filesystem | Resolve symlinks and revalidate Git root in `MCPProjectGuard.swift` | Files inside an allowed repo may themselves be symlinks | Treat untrusted repositories as requiring OS isolation | Log rejected canonical root only | Low | High | Medium |
155
+
156
+ ## Criticality calibration
157
+
158
+ - Critical: remote or package-level compromise that silently extracts provider
159
+ credentials at scale; arbitrary code execution from a normal read-only call.
160
+ - High: likely disclosure of local secrets from an untrusted repository;
161
+ malicious npm release executing as the developer.
162
+ - Medium: same-user port race, overbroad in-repo edits, bounded resource abuse,
163
+ or path attacks requiring a crafted local repository.
164
+ - Low: safe refusal, diagnostic path disclosure to the local user, or collision
165
+ behavior that skips rather than deletes an artifact.
166
+
167
+ ## Focus paths for security review
168
+
169
+ | Path | Why it matters | Related Threat IDs |
170
+ |---|---|---|
171
+ | `npm/cli.mjs` | Owns installation, registration, and destructive removal | TM-001, TM-006 |
172
+ | `package.json` | Defines public package execution and release scripts | TM-001 |
173
+ | `script/claude-gpt` | Controls executable resolution, proxy lifecycle, and environment | TM-004, TM-005 |
174
+ | `script/install_backend.sh` | Writes an executable into the user's home | TM-006 |
175
+ | `script/build_and_run.sh` | Replaces and signs the installed app bundle | TM-001, TM-006 |
176
+ | `script/release_macos.sh` | Signs, notarizes, staples, verifies, and checksums public app archives | TM-001 |
177
+ | `.github/workflows/publish-npm.yml` | Defines the tokenless npm publication trust boundary | TM-001 |
178
+ | `Sources/ClaudeGPTMCP/MCPProjectGuard.swift` | Enforces canonical repository boundaries | TM-008 |
179
+ | `Sources/ClaudeGPTMCP/ClaudeHarnessRunner.swift` | Defines tool, prompt, edit, and model policy | TM-002, TM-003 |
180
+ | `Sources/ClaudeGPTMCP/CommandRunner.swift` | Handles environment, temp output, timeout, and subprocesses | TM-005, TM-007 |
181
+ | `Sources/ClaudeGPTMCP/ClaudeGPTMCPServer.swift` | Parses client input and exposes edit capabilities | TM-003, TM-007 |
182
+ | `SECURITY.md` | Sets disclosure expectations and states the non-sandbox boundary | TM-001, TM-002 |
183
+
184
+ ## Quality check
185
+
186
+ - [x] Covered npm, CLI, app, MCP, subprocess, filesystem, and loopback entry points.
187
+ - [x] Represented every discovered trust boundary in at least one threat.
188
+ - [x] Separated runtime behavior from build, test, and publication behavior.
189
+ - [x] Recorded the assumed individual-developer deployment model and open
190
+ enterprise/untrusted-repo questions.
191
+ - [x] Distinguished implemented controls from residual risks and recommendations.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Claude GPT Launcher contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/Package.swift ADDED
@@ -0,0 +1,25 @@
1
+ // swift-tools-version: 5.9
2
+ import PackageDescription
3
+
4
+ let package = Package(
5
+ name: "ClaudeGPTLauncher",
6
+ platforms: [.macOS(.v14)],
7
+ products: [
8
+ .executable(name: "ClaudeGPTLauncher", targets: ["ClaudeGPTLauncher"]),
9
+ .executable(name: "ClaudeGPTMCP", targets: ["ClaudeGPTMCP"])
10
+ ],
11
+ targets: [
12
+ .executableTarget(
13
+ name: "ClaudeGPTLauncher",
14
+ path: "Sources/ClaudeGPTLauncher"
15
+ ),
16
+ .executableTarget(
17
+ name: "ClaudeGPTMCP",
18
+ path: "Sources/ClaudeGPTMCP"
19
+ ),
20
+ .testTarget(
21
+ name: "ClaudeGPTLauncherTests",
22
+ dependencies: ["ClaudeGPTLauncher", "ClaudeGPTMCP"]
23
+ )
24
+ ]
25
+ )
package/README.md ADDED
@@ -0,0 +1,239 @@
1
+ <p align="center">
2
+ <img src="Resources/AppIcon.png" width="180" alt="Claude GPT Launcher icon">
3
+ </p>
4
+
5
+ <h1 align="center">Claude GPT Launcher</h1>
6
+
7
+ <p align="center">
8
+ <strong>The Claude Code workflow. GPT models. One click.</strong>
9
+ </p>
10
+
11
+ <p align="center">
12
+ <img alt="macOS 14+" src="https://img.shields.io/badge/macOS-14%2B-111827?logo=apple">
13
+ <img alt="Apple silicon" src="https://img.shields.io/badge/Apple%20silicon-native-2563EB">
14
+ <img alt="Swift" src="https://img.shields.io/badge/Swift-5.9%2B-F05138?logo=swift&logoColor=white">
15
+ <img alt="MCP" src="https://img.shields.io/badge/MCP-ready-7C3AED">
16
+ <a href="https://www.npmjs.com/package/claude-gpt-launcher"><img alt="npm" src="https://img.shields.io/npm/v/claude-gpt-launcher?logo=npm"></a>
17
+ <img alt="MIT license" src="https://img.shields.io/badge/license-MIT-16A34A">
18
+ </p>
19
+
20
+ Claude GPT Launcher is a tiny native macOS app for developers who enjoy the
21
+ Claude Code terminal experience and want to route it through GPT models exposed
22
+ by a local Codex-compatible proxy.
23
+
24
+ Pick a repository. Pick a model. Get a real Claude Code session—without copying
25
+ tokens, pasting environment variables, or leaving a proxy running forever.
26
+
27
+ > [!IMPORTANT]
28
+ > This is an independent community project. It is not affiliated with,
29
+ > endorsed by, or supported by Anthropic or OpenAI. It relies on the third-party
30
+ > [`raine/claude-code-proxy`](https://github.com/raine/claude-code-proxy)
31
+ > project and may be affected by provider policy or protocol changes.
32
+
33
+ ## Why does this exist?
34
+
35
+ Claude Code has a distinctive interactive harness: project awareness, planning,
36
+ edits, tool calls, and a terminal-first workflow. Codex-backed GPT models offer
37
+ a different model family and subscription path. This project joins those two
38
+ pieces behind a friendly Mac launcher and an optional MCP bridge.
39
+
40
+ ```text
41
+ Native Mac app or Codex chat
42
+
43
+ Claude Code harness
44
+
45
+ localhost compatibility proxy
46
+
47
+ Codex / GPT models
48
+ ```
49
+
50
+ ## What you get
51
+
52
+ | Surface | What it does |
53
+ |---|---|
54
+ | 🖥️ Native app | Pick any Git project and open a configured Claude Code session |
55
+ | ⌨️ `claude-gpt` | Start the same workflow from any terminal |
56
+ | 🔌 Codex MCP | Let a Codex chat consult or edit through the Claude Code harness |
57
+ | 🧭 Model picker | Switch between configured Sol, Terra, and Luna model aliases |
58
+ | 🧹 Owned cleanup | The session stops its own proxy and removes temporary state |
59
+
60
+ ## Quick start
61
+
62
+ ### 1. Install the prerequisites
63
+
64
+ Install Claude Code using Anthropic's package:
65
+
66
+ ```zsh
67
+ npm install --global @anthropic-ai/claude-code
68
+ ```
69
+
70
+ Install the proxy:
71
+
72
+ ```zsh
73
+ brew install raine/claude-code-proxy/claude-code-proxy
74
+ ```
75
+
76
+ Start the proxy's supported browser OAuth flow:
77
+
78
+ ```zsh
79
+ claude-code-proxy codex auth login
80
+ claude-code-proxy codex auth status
81
+ ```
82
+
83
+ The login result is stored by the proxy in macOS Keychain. Never paste or
84
+ commit the resulting credential.
85
+
86
+ ### 2. Install Claude GPT Launcher
87
+
88
+ Install and build from npm:
89
+
90
+ ```zsh
91
+ npx claude-gpt-launcher install
92
+ ```
93
+
94
+ Or download the Apple-notarized ZIP from the
95
+ [latest GitHub release](https://github.com/Bennyyy28/claude-gpt-launcher/releases/latest),
96
+ verify its checksum, and move **Claude GPT.app** to Applications:
97
+
98
+ ```zsh
99
+ shasum -a 256 -c Claude-GPT-Launcher-*.zip.sha256
100
+ ```
101
+
102
+ ### 3. Open a project
103
+
104
+ Open **Claude GPT** from `~/Applications`, drag in a Git repository, choose a
105
+ model, and select **Open Claude GPT**.
106
+
107
+ Or skip the window:
108
+
109
+ ```zsh
110
+ claude-gpt "$HOME/code/my-project"
111
+ ```
112
+
113
+ ## Bring the harness into Codex
114
+
115
+ The installed app bundles a local stdio MCP server:
116
+
117
+ - `claude_code_plan` performs a read-only harness consultation.
118
+ - `claude_code_edit` performs repository edits without Bash or network tools.
119
+
120
+ Register it with Codex:
121
+
122
+ ```zsh
123
+ claude-gpt-launcher mcp install --enable-edits
124
+ claude-gpt-launcher mcp status --json
125
+ ```
126
+
127
+ Then open a new Codex chat. The MCP result returns directly to that chat—no
128
+ second terminal and no prompt copy/paste.
129
+
130
+ To protect sensitive repositories by remote substring:
131
+
132
+ ```zsh
133
+ claude-gpt-launcher mcp install \
134
+ --enable-edits \
135
+ --protected-remotes "company/production,example/private-app"
136
+ ```
137
+
138
+ Matching repositories remain denied until a caller explicitly opts in.
139
+
140
+ ## Useful commands
141
+
142
+ ```zsh
143
+ # Check platform, dependencies, app, backend, and MCP state
144
+ claude-gpt-launcher doctor --json
145
+
146
+ # Open the app
147
+ claude-gpt-launcher open
148
+
149
+ # Remove only the MCP registration
150
+ claude-gpt-launcher mcp remove
151
+
152
+ # Remove owned app, helper, and MCP artifacts
153
+ claude-gpt-launcher uninstall
154
+ ```
155
+
156
+ ## Safety model
157
+
158
+ The defaults are intentionally narrow:
159
+
160
+ - The proxy binds to a randomly selected `127.0.0.1` port.
161
+ - A port collision fails closed instead of reusing an unknown listener.
162
+ - OAuth material is never printed, extracted, or committed by this project.
163
+ - MCP edits require both installation-time enablement and call-time confirmation.
164
+ - The MCP excludes Bash and network tools.
165
+ - Repository roots and symlinks are canonicalized before delegation.
166
+ - Prompts, turns, output, and runtime are bounded.
167
+ - Installation and removal refuse to overwrite unrelated same-name artifacts.
168
+
169
+ > [!WARNING]
170
+ > Claude Code is not an OS sandbox and can normally read outside its working
171
+ > directory. The MCP adds deny rules for common credential locations, but you
172
+ > should still use a disposable account, container, or VM for untrusted code.
173
+
174
+ Read the full [security policy](SECURITY.md) and
175
+ [adversarial threat model](Claude-GPT-Launcher-threat-model.md) before enabling
176
+ MCP edits broadly.
177
+
178
+ ## FAQ
179
+
180
+ <details>
181
+ <summary><strong>Does this extract my subscription token?</strong></summary>
182
+
183
+ No. Authentication is initiated through the proxy's supported OAuth screen.
184
+ This project never prints or asks you to paste the resulting token.
185
+
186
+ </details>
187
+
188
+ <details>
189
+ <summary><strong>Is this an official Anthropic or OpenAI integration?</strong></summary>
190
+
191
+ No. It is an open-source compatibility project built on another open-source
192
+ proxy. Provider policies and protocols can change, so use it with that risk in
193
+ mind.
194
+
195
+ </details>
196
+
197
+ <details>
198
+ <summary><strong>Why not just use Codex directly?</strong></summary>
199
+
200
+ You absolutely can. This project is specifically for people who prefer the
201
+ Claude Code harness or want Codex to call that harness through MCP.
202
+
203
+ </details>
204
+
205
+ <details>
206
+ <summary><strong>Does closing the session stop the proxy?</strong></summary>
207
+
208
+ Yes. Each launcher session owns a temporary proxy process and cleans it up when
209
+ Claude Code exits.
210
+
211
+ </details>
212
+
213
+ ## Build from source
214
+
215
+ ```zsh
216
+ ./script/install_backend.sh
217
+ ./script/build_and_run.sh --install
218
+ npm test
219
+ ```
220
+
221
+ Requirements: Apple-silicon Mac, macOS 14+, Swift 5.9+, Node.js 20+, Claude
222
+ Code, and `claude-code-proxy`.
223
+
224
+ ## Contributing
225
+
226
+ Issues, focused pull requests, documentation improvements, and security-minded
227
+ reviews are welcome. Start with [CONTRIBUTING.md](CONTRIBUTING.md). Please use
228
+ private vulnerability reporting for security issues.
229
+
230
+ ## Acknowledgements
231
+
232
+ - [`raine/claude-code-proxy`](https://github.com/raine/claude-code-proxy) for
233
+ the Anthropic-compatible local proxy.
234
+ - Claude Code and Codex for inspiring a delightfully strange bridge between two
235
+ excellent developer workflows.
236
+
237
+ ## License
238
+
239
+ MIT — see [LICENSE](LICENSE).
package/RELEASING.md ADDED
@@ -0,0 +1,43 @@
1
+ # Releasing
2
+
3
+ Releases have two independent artifacts: the npm source package and a notarized
4
+ Apple-silicon app archive. Never put npm, Apple ID, or App Store Connect secrets
5
+ in this repository or in command-line arguments.
6
+
7
+ ## npm
8
+
9
+ Run the full validation, then publish from a clean release commit:
10
+
11
+ ```zsh
12
+ npm test
13
+ npm run pack:check
14
+ npm publish --access public --provenance
15
+ ```
16
+
17
+ For later releases, configure npm trusted publishing for
18
+ `Bennyyy28/claude-gpt-launcher` and workflow `publish-npm.yml`. The release
19
+ workflow then publishes without a long-lived npm token. Trusted publishing
20
+ requires npm 11.5.1 or newer; the workflow pins a compatible npm release.
21
+
22
+ ## Notarized macOS archive
23
+
24
+ Create a Keychain-backed `notarytool` profile once. Enter the app-specific
25
+ password only at the interactive prompt:
26
+
27
+ ```zsh
28
+ xcrun notarytool store-credentials claude-gpt-launcher-notary \
29
+ --apple-id "YOUR_APPLE_ID" \
30
+ --team-id "YOUR_TEAM_ID"
31
+ ```
32
+
33
+ Build, sign, submit, staple, assess, and checksum the archive:
34
+
35
+ ```zsh
36
+ DEVELOPER_ID_APPLICATION="Developer ID Application: YOUR NAME (YOUR_TEAM_ID)" \
37
+ NOTARYTOOL_PROFILE="claude-gpt-launcher-notary" \
38
+ npm run release:macos
39
+ ```
40
+
41
+ The distributable ZIP and its SHA-256 file are written to `dist/release/`.
42
+ Upload both to the matching GitHub release. The script fails closed unless
43
+ Apple accepts the submission and Gatekeeper accepts the stapled app.
Binary file
Binary file
@@ -0,0 +1,28 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3
+ <plist version="1.0">
4
+ <dict>
5
+ <key>CFBundleExecutable</key>
6
+ <string>ClaudeGPTLauncher</string>
7
+ <key>CFBundleIdentifier</key>
8
+ <string>app.claudegpt.launcher</string>
9
+ <key>CFBundleName</key>
10
+ <string>Claude GPT</string>
11
+ <key>CFBundleDisplayName</key>
12
+ <string>Claude GPT</string>
13
+ <key>CFBundleIconFile</key>
14
+ <string>AppIcon</string>
15
+ <key>CFBundlePackageType</key>
16
+ <string>APPL</string>
17
+ <key>CFBundleShortVersionString</key>
18
+ <string>1.0.0</string>
19
+ <key>CFBundleVersion</key>
20
+ <string>1</string>
21
+ <key>LSMinimumSystemVersion</key>
22
+ <string>14.0</string>
23
+ <key>NSHighResolutionCapable</key>
24
+ <true/>
25
+ <key>NSPrincipalClass</key>
26
+ <string>NSApplication</string>
27
+ </dict>
28
+ </plist>
package/SECURITY.md ADDED
@@ -0,0 +1,17 @@
1
+ # Security Policy
2
+
3
+ ## Reporting a vulnerability
4
+
5
+ Use the repository host's private vulnerability-reporting feature. Do not open
6
+ a public issue containing exploit details, credentials, repository contents, or
7
+ OAuth material.
8
+
9
+ Include the affected version, platform, reproduction steps, impact, and any
10
+ suggested mitigation. Never include live tokens; use clearly fake placeholders.
11
+
12
+ ## Security boundary
13
+
14
+ Claude GPT Launcher is a local developer tool, not an OS sandbox. It runs under
15
+ the current user's permissions and sends selected repository context through
16
+ the configured model provider. Use disposable environments for untrusted
17
+ repositories and review changes before committing them.