codemaxxing 1.0.17 → 1.1.0

package/dist/utils/anthropic-oauth.js

@@ -0,0 +1,171 @@
+/**
+ * Anthropic OAuth PKCE flow
+ *
+ * Lets users log in with their Claude Pro/Max subscription (no API key needed).
+ * Uses the same OAuth flow as Claude Code CLI.
+ */
+import { createServer } from "http";
+import { randomBytes, createHash } from "crypto";
+import { exec } from "child_process";
+import { saveCredential } from "./auth.js";
+// ── Constants ──
+const CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+const TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+const CALLBACK_HOST = "127.0.0.1";
+const CALLBACK_PORT = 53692;
+const CALLBACK_PATH = "/callback";
+const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
+const SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+// ── PKCE helpers ──
+function base64url(buf) {
+    return buf
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+function generatePKCE() {
+    const verifier = base64url(randomBytes(32));
+    const challenge = base64url(createHash("sha256").update(verifier).digest());
+    return { verifier, challenge };
+}
+// ── Browser opener ──
+function openBrowser(url) {
+    const cmd = process.platform === "darwin"
+        ? `open "${url}"`
+        : process.platform === "win32"
+            ? `start "" "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd);
+}
+// ── Token refresh ──
+export async function refreshAnthropicOAuthToken(refreshToken) {
+    const res = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            grant_type: "refresh_token",
+            client_id: CLIENT_ID,
+            refresh_token: refreshToken,
+            scope: SCOPES,
+        }),
+    });
+    if (!res.ok) {
+        const errText = await res.text();
+        throw new Error(`Token refresh failed (${res.status}): ${errText}`);
+    }
+    const data = (await res.json());
+    return {
+        access: data.access_token,
+        refresh: data.refresh_token ?? refreshToken,
+        expires: Date.now() + data.expires_in * 1000,
+    };
+}
+// ── Main OAuth login flow ──
+export async function loginAnthropicOAuth(onStatus) {
+    const { verifier, challenge } = generatePKCE();
+    return new Promise((resolve, reject) => {
+        const server = createServer(async (req, res) => {
+            const url = new URL(req.url ?? "/", "http://localhost");
+            if (url.pathname !== CALLBACK_PATH) {
+                res.writeHead(404);
+                res.end("Not found");
+                return;
+            }
+            const code = url.searchParams.get("code");
+            const returnedState = url.searchParams.get("state");
+            if (!code) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<h1>Error: No authorization code received</h1><p>Please try again.</p>");
+                server.close();
+                reject(new Error("No authorization code received"));
+                return;
+            }
+            // state should match verifier
+            if (returnedState !== verifier) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<h1>Error: State mismatch</h1><p>Please try again.</p>");
+                server.close();
+                reject(new Error("OAuth state mismatch"));
+                return;
+            }
+            onStatus?.("Exchanging code for tokens...");
+            try {
+                const tokenRes = await fetch(TOKEN_URL, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify({
+                        grant_type: "authorization_code",
+                        client_id: CLIENT_ID,
+                        code,
+                        state: verifier,
+                        redirect_uri: REDIRECT_URI,
+                        code_verifier: verifier,
+                    }),
+                });
+                if (!tokenRes.ok) {
+                    const errText = await tokenRes.text();
+                    throw new Error(`Token exchange failed (${tokenRes.status}): ${errText}`);
+                }
+                const tokenData = (await tokenRes.json());
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end("<html><body style=\"font-family:monospace;background:#1a1a2e;color:#0ff;display:flex;justify-content:center;align-items:center;height:100vh;margin:0\"><div style=\"text-align:center\"><h1>Authenticated!</h1><p>You can close this tab and return to Codemaxxing.</p></div></body></html>");
+                server.close();
+                const expiresAt = Date.now() + tokenData.expires_in * 1000;
+                const cred = {
+                    provider: "anthropic",
+                    method: "oauth",
+                    apiKey: tokenData.access_token,
+                    baseUrl: "https://api.anthropic.com",
+                    label: "Anthropic (Claude Pro/Max)",
+                    refreshToken: tokenData.refresh_token,
+                    oauthExpires: expiresAt,
+                    createdAt: new Date().toISOString(),
+                };
+                saveCredential(cred);
+                resolve(cred);
+            }
+            catch (err) {
+                res.writeHead(500, { "Content-Type": "text/html" });
+                res.end(`<h1>Error</h1><p>${err.message}</p>`);
+                server.close();
+                reject(err);
+            }
+        });
+        server.listen(CALLBACK_PORT, CALLBACK_HOST, () => {
+            const params = new URLSearchParams({
+                code: "true",
+                client_id: CLIENT_ID,
+                response_type: "code",
+                redirect_uri: REDIRECT_URI,
+                scope: SCOPES,
+                code_challenge: challenge,
+                code_challenge_method: "S256",
+                state: verifier,
+            });
+            const authUrl = `${AUTHORIZE_URL}?${params.toString()}`;
+            onStatus?.("Opening browser for Claude login...");
+            try {
+                openBrowser(authUrl);
+            }
+            catch {
+                onStatus?.(`Could not open browser. Please visit:\n${authUrl}`);
+            }
+            onStatus?.("Waiting for authorization...");
+            // Timeout after 120 seconds
+            setTimeout(() => {
+                server.close();
+                reject(new Error("OAuth timed out after 120 seconds"));
+            }, 120 * 1000);
+        });
+        server.on("error", (err) => {
+            if (err.code === "EADDRINUSE") {
+                reject(new Error(`Port ${CALLBACK_PORT} is already in use. Close other auth flows and try again.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+    });
+}

package/dist/utils/auth.d.ts

@@ -18,6 +18,8 @@ export interface AuthCredential {
     baseUrl: string;
     label?: string;
     expiresAt?: string;
+    refreshToken?: string;
+    oauthExpires?: number;
     createdAt: string;
 }
 export interface ProviderDef {

package/dist/utils/auth.js

@@ -17,6 +17,7 @@ import { join } from "path";
 import { createServer } from "http";
 import { randomBytes, createHash } from "crypto";
 import { execSync, exec } from "child_process";
+import { detectOpenAICodexOAuth } from "./openai-oauth.js";
 // ── Paths ──
 const CONFIG_DIR = join(homedir(), ".codemaxxing");
 const AUTH_FILE = join(CONFIG_DIR, "auth.json");
@@ -32,15 +33,15 @@ export const PROVIDERS = [
     {
         id: "anthropic",
         name: "Anthropic (Claude)",
-        methods: ["setup-token", "api-key"],
-        baseUrl: "https://api.anthropic.com/v1",
+        methods: ["oauth", "api-key"],
+        baseUrl: "https://api.anthropic.com",
         consoleUrl: "https://console.anthropic.com/settings/keys",
         description: "Claude Opus, Sonnet, Haiku — use your subscription or API key",
     },
     {
         id: "openai",
         name: "OpenAI (ChatGPT)",
-        methods: ["cached-token", "api-key"],
+        methods: ["oauth", "api-key"],
         baseUrl: "https://api.openai.com/v1",
         consoleUrl: "https://platform.openai.com/api-keys",
         description: "GPT-4o, GPT-5, o1 — use your ChatGPT subscription or API key",
@@ -291,6 +292,16 @@ export async function anthropicSetupToken(onStatus) {
 }
 // ── OpenAI / Codex CLI Cached Token ──
 export function detectCodexToken() {
+    // Check OpenClaw auth-profiles first (for Codex OAuth tokens)
+    try {
+        const oauthCreds = detectOpenAICodexOAuth();
+        if (oauthCreds?.access) {
+            return oauthCreds.access;
+        }
+    }
+    catch {
+        // detection failed, fall through
+    }
     // Codex CLI stores OAuth tokens — check common locations
     const locations = [
         join(homedir(), ".codex", "auth.json"),
@@ -314,6 +325,28 @@ export function detectCodexToken() {
             }
         }
     }
+    // Codex CLI v0.18+ stores tokens in macOS Keychain
+    if (process.platform === "darwin") {
+        const keychainQueries = [
+            ["security", "find-generic-password", "-s", "codex", "-w"],
+            ["security", "find-generic-password", "-a", "openai", "-s", "codex", "-w"],
+            ["security", "find-generic-password", "-s", "openai-codex", "-w"],
+            ["security", "find-generic-password", "-l", "codex", "-w"],
+        ];
+        for (const args of keychainQueries) {
+            try {
+                const token = execSync(args.join(" "), { stdio: "pipe", timeout: 3000 }).toString().trim();
+                if (token)
+                    return token;
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    // Final fallback: environment variable
+    if (process.env.OPENAI_API_KEY)
+        return process.env.OPENAI_API_KEY;
     return null;
 }
 export function importCodexToken(onStatus) {
@@ -467,6 +500,12 @@ export function detectAvailableAuth() {
             description: "Claude Code CLI detected — can link your Anthropic subscription",
         });
     }
+    // OpenAI: always offer OAuth login, and note if cached tokens exist
+    available.push({
+        provider: "openai",
+        method: "oauth",
+        description: "Log in with your ChatGPT subscription (browser OAuth)",
+    });
     if (detectCodexToken()) {
         available.push({
             provider: "openai",

package/dist/utils/ollama.js

@@ -25,6 +25,11 @@ export function isOllamaInstalled() {
         if (getWindowsOllamaPaths().some(p => existsSync(p)))
             return true;
     }
+    // Check known install paths on macOS
+    if (process.platform === "darwin") {
+        if (existsSync("/usr/local/bin/ollama") || existsSync("/opt/homebrew/bin/ollama"))
+            return true;
+    }
     // Check if the server is responding (if server is running, Ollama is definitely installed)
     try {
         execSync("curl -s http://localhost:11434/api/tags", {
@@ -64,7 +69,7 @@ export async function isOllamaRunning() {
 /** Get the install command for the user's OS */
 export function getOllamaInstallCommand(os) {
     switch (os) {
-        case "macos": return "brew install ollama";
+        case "macos": return "curl -fsSL https://ollama.com/install.sh | sh";
         case "linux": return "curl -fsSL https://ollama.com/install.sh | sh";
         case "windows": return "winget install Ollama.Ollama";
     }

package/dist/utils/openai-oauth.d.ts

@@ -0,0 +1,19 @@
+/**
+ * OpenAI Codex OAuth PKCE flow
+ *
+ * Lets users log in with their ChatGPT Plus/Pro subscription (no API key needed).
+ * Uses the same OAuth flow as OpenAI's Codex CLI.
+ */
+import { type AuthCredential } from "./auth.js";
+export declare function detectOpenAICodexOAuth(): {
+    access: string;
+    refresh: string;
+    expires: number;
+    accountId: string;
+} | null;
+export declare function refreshOpenAICodexToken(refreshToken: string): Promise<{
+    access: string;
+    refresh: string;
+    expires: number;
+}>;
+export declare function loginOpenAICodexOAuth(onStatus?: (msg: string) => void): Promise<AuthCredential>;

package/dist/utils/openai-oauth.js

@@ -0,0 +1,233 @@
+/**
+ * OpenAI Codex OAuth PKCE flow
+ *
+ * Lets users log in with their ChatGPT Plus/Pro subscription (no API key needed).
+ * Uses the same OAuth flow as OpenAI's Codex CLI.
+ */
+import { createServer } from "http";
+import { randomBytes, createHash } from "crypto";
+import { exec } from "child_process";
+import { readFileSync, readdirSync, existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { saveCredential } from "./auth.js";
+// ── Constants ──
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const REDIRECT_URI = "http://localhost:1455/auth/callback";
+const SCOPE = "openid profile email offline_access";
+// ── PKCE helpers ──
+function base64url(buf) {
+    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function generatePKCE() {
+    const verifier = base64url(randomBytes(32));
+    const challenge = base64url(createHash("sha256").update(verifier).digest());
+    return { verifier, challenge };
+}
+// ── JWT decode (no verification — just extract payload) ──
+function decodeJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2)
+        return {};
+    const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    return JSON.parse(Buffer.from(payload, "base64").toString("utf-8"));
+}
+// ── Browser opener ──
+function openBrowser(url) {
+    const cmd = process.platform === "darwin"
+        ? `open "${url}"`
+        : process.platform === "win32"
+            ? `start "" "${url}"`
+            : `xdg-open "${url}"`;
+    exec(cmd);
+}
+// ── Detect existing OpenClaw auth-profiles ──
+export function detectOpenAICodexOAuth() {
+    const openclawBase = join(homedir(), ".openclaw", "agents");
+    if (!existsSync(openclawBase))
+        return null;
+    try {
+        const agents = readdirSync(openclawBase);
+        for (const agent of agents) {
+            const profilePath = join(openclawBase, agent, "agent", "auth-profiles.json");
+            if (!existsSync(profilePath))
+                continue;
+            try {
+                const data = JSON.parse(readFileSync(profilePath, "utf-8"));
+                // auth-profiles.json has { profiles: { "openai-codex:default": { ... }, ... } }
+                const profileEntries = data?.profiles ? Object.values(data.profiles) : (Array.isArray(data) ? data : Object.values(data));
+                for (const profile of profileEntries) {
+                    if (profile?.provider === "openai-codex" && profile.access) {
+                        const p = profile;
+                        return {
+                            access: p.access,
+                            refresh: p.refresh ?? "",
+                            expires: p.expires ?? 0,
+                            accountId: p.accountId ?? "",
+                        };
+                    }
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    catch {
+        // ignore
+    }
+    return null;
+}
+// ── Token refresh ──
+export async function refreshOpenAICodexToken(refreshToken) {
+    const res = await fetch(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "refresh_token",
+            client_id: CLIENT_ID,
+            refresh_token: refreshToken,
+        }).toString(),
+    });
+    if (!res.ok) {
+        const errText = await res.text();
+        throw new Error(`Token refresh failed (${res.status}): ${errText}`);
+    }
+    const data = (await res.json());
+    return {
+        access: data.access_token,
+        refresh: data.refresh_token ?? refreshToken,
+        expires: Date.now() + data.expires_in * 1000,
+    };
+}
+// ── Main OAuth login flow ──
+export async function loginOpenAICodexOAuth(onStatus) {
+    const { verifier, challenge } = generatePKCE();
+    const state = randomBytes(16).toString("hex");
+    return new Promise((resolve, reject) => {
+        const server = createServer(async (req, res) => {
+            const url = new URL(req.url ?? "/", "http://localhost");
+            if (url.pathname !== "/auth/callback") {
+                res.writeHead(404);
+                res.end("Not found");
+                return;
+            }
+            const code = url.searchParams.get("code");
+            const returnedState = url.searchParams.get("state");
+            if (!code) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<h1>Error: No authorization code received</h1><p>Please try again.</p>");
+                server.close();
+                reject(new Error("No authorization code received"));
+                return;
+            }
+            if (returnedState !== state) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<h1>Error: State mismatch</h1><p>Please try again.</p>");
+                server.close();
+                reject(new Error("OAuth state mismatch"));
+                return;
+            }
+            onStatus?.("Exchanging code for tokens...");
+            try {
+                const tokenRes = await fetch(TOKEN_URL, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({
+                        grant_type: "authorization_code",
+                        client_id: CLIENT_ID,
+                        code,
+                        code_verifier: verifier,
+                        redirect_uri: REDIRECT_URI,
+                    }).toString(),
+                });
+                if (!tokenRes.ok) {
+                    const errText = await tokenRes.text();
+                    throw new Error(`Token exchange failed (${tokenRes.status}): ${errText}`);
+                }
+                const tokenData = (await tokenRes.json());
+                // Extract accountId from JWT
+                let accountId = "";
+                try {
+                    const payload = decodeJwtPayload(tokenData.access_token);
+                    const authClaim = payload["https://api.openai.com/auth"];
+                    if (authClaim?.chatgpt_account_id) {
+                        accountId = authClaim.chatgpt_account_id;
+                    }
+                }
+                catch {
+                    // non-fatal — accountId is optional
+                }
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end(`
+          <html>
+            <body style="font-family: monospace; background: #1a1a2e; color: #0ff; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0;">
+              <div style="text-align: center;">
+                <h1>Authenticated!</h1>
+                <p>You can close this tab and return to Codemaxxing.</p>
+              </div>
+            </body>
+          </html>
+        `);
+                server.close();
+                const expiresAt = Date.now() + tokenData.expires_in * 1000;
+                const cred = {
+                    provider: "openai",
+                    method: "oauth",
+                    apiKey: tokenData.access_token,
+                    baseUrl: "https://chatgpt.com/backend-api",
+                    label: "OpenAI (ChatGPT subscription)",
+                    refreshToken: tokenData.refresh_token,
+                    oauthExpires: expiresAt,
+                    createdAt: new Date().toISOString(),
+                };
+                saveCredential(cred);
+                resolve(cred);
+            }
+            catch (err) {
+                res.writeHead(500, { "Content-Type": "text/html" });
+                res.end(`<h1>Error</h1><p>${err.message}</p>`);
+                server.close();
+                reject(err);
+            }
+        });
+        server.listen(1455, "127.0.0.1", () => {
+            const params = new URLSearchParams({
+                response_type: "code",
+                client_id: CLIENT_ID,
+                redirect_uri: REDIRECT_URI,
+                scope: SCOPE,
+                code_challenge: challenge,
+                code_challenge_method: "S256",
+                state,
+                id_token_add_organizations: "true",
+                codex_cli_simplified_flow: "true",
+                originator: "codemaxxing",
+            });
+            const authUrl = `${AUTHORIZE_URL}?${params.toString()}`;
+            onStatus?.("Opening browser for ChatGPT login...");
+            try {
+                openBrowser(authUrl);
+            }
+            catch {
+                onStatus?.(`Could not open browser. Please visit:\n${authUrl}`);
+            }
+            onStatus?.("Waiting for authorization...");
+            // Timeout after 60 seconds
+            setTimeout(() => {
+                server.close();
+                reject(new Error("OAuth timed out after 60 seconds"));
+            }, 60 * 1000);
+        });
+        server.on("error", (err) => {
+            if (err.code === "EADDRINUSE") {
+                reject(new Error("Port 1455 is already in use. Close other auth flows and try again."));
+            }
+            else {
+                reject(err);
+            }
+        });
+    });
+}

package/dist/utils/responses-api.d.ts

@@ -0,0 +1,40 @@
+/**
+ * OpenAI Codex Responses API handler
+ *
+ * Uses the ChatGPT backend endpoint (https://chatgpt.com/backend-api/codex/responses)
+ * which is what Codex CLI, OpenClaw, and other tools use with ChatGPT Plus OAuth tokens.
+ *
+ * This endpoint supports the Responses API format but is separate from api.openai.com.
+ * Standard API keys use api.openai.com/v1/responses; Codex OAuth tokens use this.
+ */
+export interface ResponsesAPIOptions {
+    baseUrl: string;
+    apiKey: string;
+    model: string;
+    maxTokens: number;
+    systemPrompt: string;
+    messages: any[];
+    tools: any[];
+    onToken?: (token: string) => void;
+    onToolCall?: (name: string, args: Record<string, unknown>) => void;
+}
+interface ToolCall {
+    id: string;
+    name: string;
+    input: Record<string, unknown>;
+}
+/**
+ * Execute a chat request using the Codex Responses API endpoint
+ * Streams text + handles tool calls
+ */
+export declare function chatWithResponsesAPI(options: ResponsesAPIOptions): Promise<{
+    contentText: string;
+    toolCalls: ToolCall[];
+    promptTokens: number;
+    completionTokens: number;
+}>;
+/**
+ * Determine if a model should use the Responses API
+ */
+export declare function shouldUseResponsesAPI(model: string): boolean;
+export {};