codex-account-orchestrator 1.0.0

package/dist/gateway/openai_gateway.js

@@ -0,0 +1,478 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenAiGateway = void 0;
+const fs_1 = __importDefault(require("fs"));
+const url_1 = require("url");
+const token_utils_1 = require("./token_utils");
+const TOKEN_REFRESH_BUFFER_SECONDS = 90;
+class OpenAiGateway {
+    pool;
+    config;
+    inFlightRefresh = new Map();
+    constructor(pool, config) {
+        this.pool = pool;
+        this.config = config;
+    }
+    async handleRequest(req, res) {
+        if (!req.url) {
+            res.writeHead(400).end("Missing URL");
+            return;
+        }
+        const url = new url_1.URL(req.url, `http://${req.headers.host ?? "localhost"}`);
+        if (req.method === "GET" && url.pathname === "/health") {
+            res.writeHead(200, { "content-type": "application/json" });
+            res.end(JSON.stringify({ status: "ok" }));
+            return;
+        }
+        const body = await readBody(req);
+        logRequestDebug(req, body);
+        const sessionKey = resolveSessionKey(req);
+        const excluded = new Set();
+        let attempts = 0;
+        while (attempts < this.config.maxRetryPasses + this.pool.getAccounts().length) {
+            attempts += 1;
+            const selected = this.selectAccount(sessionKey, excluded);
+            if (!selected) {
+                res.writeHead(429, { "content-type": "application/json" });
+                res.end(JSON.stringify({ error: "all_accounts_exhausted" }));
+                return;
+            }
+            process.stdout.write(`Gateway: ${req.method ?? "REQ"} ${url.pathname} -> ${selected.name}\n`);
+            const response = await this.forwardRequest(selected, req, body);
+            if (response.ok) {
+                this.pool.markSuccess(selected);
+                await streamResponse(res, response.response);
+                return;
+            }
+            if (response.quota) {
+                excluded.add(selected.name);
+                this.pool.markQuota(selected, this.config.cooldownSeconds, response.resetAtMs);
+                this.pool.clearAssignment(sessionKey);
+                process.stdout.write(`Gateway: quota hit, switching from ${selected.name}\n`);
+                continue;
+            }
+            if (response.authFailure) {
+                excluded.add(selected.name);
+                this.pool.markAuthFailure(selected, "auth_failed");
+                this.pool.clearAssignment(sessionKey);
+                const detail = response.bodyText ? truncate(response.bodyText, 200) : "unknown";
+                process.stdout.write(`Gateway: auth failure on ${selected.name} (${detail})\n`);
+                continue;
+            }
+            process.stdout.write(`Gateway: upstream error ${response.status} on ${selected.name}\n`);
+            await writeErrorResponse(res, response.status, response.bodyText);
+            return;
+        }
+        res.writeHead(500).end("gateway_exhausted");
+    }
+    selectAccount(sessionKey, excluded) {
+        const sticky = this.pool.getStickyAccount(sessionKey);
+        if (sticky && !excluded.has(sticky.name) && sticky.cooldownUntilMs <= Date.now()) {
+            return sticky;
+        }
+        const picked = this.pool.pickNextAvailable(excluded);
+        if (picked) {
+            this.pool.assignAccount(sessionKey, picked.name);
+        }
+        return picked;
+    }
+    async forwardRequest(account, req, body) {
+        const targetUrl = buildTargetUrl(this.config.baseUrl, req.url ?? "");
+        if (shouldForceQuota(account.name)) {
+            return {
+                ok: false,
+                status: 429,
+                authFailure: false,
+                quota: true,
+                bodyText: "forced_quota"
+            };
+        }
+        const accessToken = this.config.overrideAuth ? await this.ensureAccessToken(account) : undefined;
+        if (this.config.overrideAuth && !accessToken) {
+            return {
+                ok: false,
+                status: 401,
+                authFailure: true,
+                quota: false,
+                bodyText: "missing_access_token"
+            };
+        }
+        const attempt = async (token) => {
+            const headers = buildForwardHeaders(req, account, token, this.config);
+            return this.fetchOnce(targetUrl, req.method, headers, body);
+        };
+        let response = await attempt(accessToken);
+        if (response.authFailure && this.config.overrideAuth && account.tokens.idToken) {
+            process.stdout.write(`Gateway: access token rejected for ${account.name}, trying id_token\n`);
+            response = await attempt(account.tokens.idToken);
+        }
+        return response;
+    }
+    async fetchOnce(targetUrl, method, headers, body) {
+        logUpstreamDebug(method ?? "REQ", targetUrl, headers);
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), this.config.requestTimeoutMs);
+        try {
+            const response = await fetch(targetUrl, {
+                method,
+                headers,
+                body: body.length > 0 ? body : undefined,
+                signal: controller.signal
+            });
+            clearTimeout(timeout);
+            if (response.status === 401 || response.status === 403) {
+                return {
+                    ok: false,
+                    status: response.status,
+                    authFailure: true,
+                    quota: false,
+                    bodyText: await safeReadText(response)
+                };
+            }
+            const errorBody = await tryReadErrorBody(response);
+            if (errorBody?.quota) {
+                return {
+                    ok: false,
+                    status: response.status,
+                    authFailure: false,
+                    quota: true,
+                    resetAtMs: errorBody.resetAtMs,
+                    bodyText: errorBody.rawText
+                };
+            }
+            if (!response.ok) {
+                return {
+                    ok: false,
+                    status: response.status,
+                    authFailure: false,
+                    quota: false,
+                    bodyText: errorBody?.rawText ?? (await safeReadText(response))
+                };
+            }
+            return {
+                ok: true,
+                status: response.status,
+                response,
+                quota: false,
+                authFailure: false
+            };
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            return {
+                ok: false,
+                status: 502,
+                authFailure: false,
+                quota: false,
+                bodyText: error instanceof Error ? error.message : "gateway_fetch_error"
+            };
+        }
+    }
+    async ensureAccessToken(account) {
+        if (this.pool.isTokenFresh(account, TOKEN_REFRESH_BUFFER_SECONDS)) {
+            return account.tokens.accessToken;
+        }
+        const existing = this.inFlightRefresh.get(account.name);
+        if (existing) {
+            const updated = await existing;
+            return updated.accessToken;
+        }
+        const refreshPromise = this.refreshToken(account);
+        this.inFlightRefresh.set(account.name, refreshPromise);
+        try {
+            const refreshed = await refreshPromise;
+            return refreshed.accessToken;
+        }
+        finally {
+            this.inFlightRefresh.delete(account.name);
+        }
+    }
+    async refreshToken(account) {
+        const response = await fetch("https://auth.openai.com/oauth/token", {
+            method: "POST",
+            headers: {
+                "content-type": "application/x-www-form-urlencoded"
+            },
+            body: new URLSearchParams({
+                grant_type: "refresh_token",
+                refresh_token: account.tokens.refreshToken,
+                client_id: this.config.oauthClientId
+            })
+        });
+        if (!response.ok) {
+            const errorText = await safeReadText(response);
+            throw new Error(`token_refresh_failed: ${errorText}`);
+        }
+        const payload = (await response.json());
+        const details = (0, token_utils_1.deriveTokenDetails)(payload.access_token, payload.id_token);
+        const updated = {
+            accessToken: payload.access_token,
+            refreshToken: payload.refresh_token,
+            idToken: payload.id_token,
+            accountId: payload.account_id ?? details.chatgptAccountId,
+            ...details
+        };
+        this.pool.updateTokens(account, updated);
+        return updated;
+    }
+}
+exports.OpenAiGateway = OpenAiGateway;
+function resolveSessionKey(req) {
+    const headerKeys = ["x-session-id", "openai-session", "x-openai-session", "x-request-id"];
+    for (const key of headerKeys) {
+        const value = req.headers[key];
+        if (value) {
+            return `${key}:${value}`;
+        }
+    }
+    return req.socket.remoteAddress ? `ip:${req.socket.remoteAddress}` : "default";
+}
+function buildForwardHeaders(req, account, accessToken, config) {
+    const headers = new Headers();
+    for (const [key, value] of Object.entries(req.headers)) {
+        if (!value) {
+            continue;
+        }
+        const lowerKey = key.toLowerCase();
+        if (lowerKey === "host") {
+            continue;
+        }
+        if (lowerKey === "content-length") {
+            continue;
+        }
+        if (config.overrideAuth && lowerKey === "authorization") {
+            continue;
+        }
+        if (config.overrideAuth && lowerKey === "cookie") {
+            continue;
+        }
+        if (Array.isArray(value)) {
+            headers.set(key, value.join(","));
+        }
+        else {
+            headers.set(key, value);
+        }
+    }
+    if (config.overrideAuth && accessToken) {
+        headers.set("authorization", `Bearer ${accessToken}`);
+    }
+    if (config.overrideAuth) {
+        applyAccountHeaders(headers, account);
+    }
+    return headers;
+}
+function applyAccountHeaders(headers, account) {
+    const sessionId = account.tokens.sessionId;
+    if (sessionId) {
+        headers.set("openai-session", sessionId);
+        headers.set("x-openai-session", sessionId);
+    }
+    const accountId = account.tokens.chatgptAccountId ?? account.tokens.accountId;
+    if (accountId) {
+        headers.set("openai-account-id", accountId);
+        headers.set("x-openai-account-id", accountId);
+    }
+    const userId = account.tokens.userId ?? account.tokens.chatgptUserId;
+    if (userId) {
+        headers.set("openai-user-id", userId);
+        headers.set("x-openai-user-id", userId);
+    }
+    const organizationId = account.tokens.organizationId;
+    if (organizationId) {
+        headers.set("openai-organization", organizationId);
+        headers.set("openai-organization-id", organizationId);
+    }
+}
+function logRequestDebug(req, body) {
+    if (process.env.CAO_DEBUG_HEADERS !== "1") {
+        return;
+    }
+    const headerLines = [];
+    for (const [key, value] of Object.entries(req.headers)) {
+        if (!value) {
+            continue;
+        }
+        if (!shouldLogHeader(key)) {
+            continue;
+        }
+        const rawValue = Array.isArray(value) ? value.join(",") : value;
+        headerLines.push(`${key}: ${redactHeaderValue(key, rawValue)}`);
+    }
+    if (headerLines.length > 0) {
+        process.stdout.write(`Gateway debug headers:\n${headerLines.join("\n")}\n`);
+    }
+    const authHeader = req.headers.authorization;
+    if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) {
+        const token = authHeader.slice("Bearer ".length);
+        const sessionId = (0, token_utils_1.parseJwtSessionId)(token);
+        if (sessionId) {
+            process.stdout.write(`Gateway debug incoming session_id: ${sessionId}\n`);
+        }
+    }
+    if (process.env.CAO_DEBUG_BODY === "1") {
+        const snippet = formatBodySnippet(body);
+        process.stdout.write(`Gateway debug body (${body.length} bytes): ${snippet}\n`);
+    }
+    else {
+        process.stdout.write(`Gateway debug body length: ${body.length} bytes\n`);
+    }
+    if (process.env.CAO_CAPTURE_BODY === "1") {
+        const capturePath = process.env.CAO_CAPTURE_BODY_PATH ?? "/tmp/cao-last-body.json";
+        try {
+            fs_1.default.writeFileSync(capturePath, body);
+            process.stdout.write(`Gateway debug body saved: ${capturePath}\n`);
+        }
+        catch (error) {
+            process.stdout.write(`Gateway debug body save failed: ${error instanceof Error ? error.message : "unknown"}\n`);
+        }
+    }
+}
+function logUpstreamDebug(method, url, headers) {
+    if (process.env.CAO_DEBUG_HEADERS !== "1") {
+        return;
+    }
+    const headerLines = [];
+    headers.forEach((value, key) => {
+        if (!shouldLogHeader(key)) {
+            return;
+        }
+        headerLines.push(`${key}: ${redactHeaderValue(key, value)}`);
+    });
+    process.stdout.write(`Gateway debug upstream ${method} ${url.toString()}\n`);
+    if (headerLines.length > 0) {
+        process.stdout.write(`${headerLines.join("\n")}\n`);
+    }
+}
+function shouldLogHeader(key) {
+    const lower = key.toLowerCase();
+    return (lower.includes("openai") ||
+        lower.includes("authorization") ||
+        lower.includes("session") ||
+        lower === "user-agent" ||
+        lower === "content-type");
+}
+function redactHeaderValue(key, value) {
+    const lower = key.toLowerCase();
+    if (lower.includes("authorization") || lower.includes("token")) {
+        return redactValue(value);
+    }
+    if (lower.includes("cookie")) {
+        return "<redacted>";
+    }
+    if (lower.includes("session")) {
+        return redactValue(value);
+    }
+    return value;
+}
+function redactValue(value) {
+    if (value.length <= 12) {
+        return "<redacted>";
+    }
+    return `${value.slice(0, 6)}…${value.slice(-4)}`;
+}
+function formatBodySnippet(body) {
+    const text = body.toString("utf8");
+    const sanitized = text.replace(/[^\x09\x0A\x0D\x20-\x7E]/g, "?");
+    return truncate(sanitized, 400);
+}
+function shouldForceQuota(accountName) {
+    const forced = process.env.CAO_FORCE_QUOTA_ACCOUNTS;
+    if (!forced) {
+        return false;
+    }
+    return forced
+        .split(",")
+        .map((name) => name.trim())
+        .filter(Boolean)
+        .includes(accountName);
+}
+async function readBody(req) {
+    const chunks = [];
+    for await (const chunk of req) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    return Buffer.concat(chunks);
+}
+async function streamResponse(res, upstream) {
+    const headers = {};
+    upstream.headers.forEach((value, key) => {
+        headers[key] = value;
+    });
+    res.writeHead(upstream.status, headers);
+    if (!upstream.body) {
+        res.end();
+        return;
+    }
+    const reader = upstream.body.getReader();
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done) {
+            break;
+        }
+        if (value) {
+            res.write(Buffer.from(value));
+        }
+    }
+    res.end();
+}
+async function safeReadText(response) {
+    try {
+        return await response.text();
+    }
+    catch {
+        return "";
+    }
+}
+async function writeErrorResponse(res, status, bodyText) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(bodyText ?? "{}");
+}
+function truncate(value, maxLength) {
+    if (value.length <= maxLength) {
+        return value;
+    }
+    return `${value.slice(0, maxLength)}...`;
+}
+function buildTargetUrl(baseUrl, requestPath) {
+    const base = new url_1.URL(baseUrl);
+    const requestUrl = new url_1.URL(requestPath, "http://localhost");
+    const basePath = base.pathname.endsWith("/") ? base.pathname.slice(0, -1) : base.pathname;
+    const requestPathname = requestUrl.pathname.startsWith("/")
+        ? requestUrl.pathname
+        : `/${requestUrl.pathname}`;
+    base.pathname = `${basePath}${requestPathname}`;
+    base.search = requestUrl.search;
+    if (baseUrl.includes("chatgpt.com/backend-api/codex")) {
+        if (base.pathname.startsWith("/backend-api/codex/v1/responses")) {
+            base.pathname = "/backend-api/codex/responses/compact";
+            base.search = "";
+        }
+    }
+    return base;
+}
+async function tryReadErrorBody(response) {
+    if (response.ok) {
+        return undefined;
+    }
+    const rawText = await safeReadText(response);
+    try {
+        const parsed = JSON.parse(rawText);
+        if (parsed.error?.type === "usage_limit_reached") {
+            const resetAtMs = parsed.error.resets_at ? parsed.error.resets_at * 1000 : undefined;
+            return { quota: true, resetAtMs, rawText };
+        }
+        if (response.status === 429) {
+            const resetAtMs = parsed.error?.resets_at ? parsed.error.resets_at * 1000 : undefined;
+            return { quota: true, resetAtMs, rawText };
+        }
+    }
+    catch {
+        if (response.status === 429) {
+            return { quota: true, rawText };
+        }
+    }
+    return { quota: false, rawText };
+}

package/dist/gateway/server.d.ts

@@ -0,0 +1,4 @@
+import http from "http";
+import { AccountPool } from "./account_pool";
+import { GatewayConfig } from "./gateway_config";
+export declare function startGatewayServer(pool: AccountPool, config: GatewayConfig): http.Server;

package/dist/gateway/server.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startGatewayServer = startGatewayServer;
+const http_1 = __importDefault(require("http"));
+const openai_gateway_1 = require("./openai_gateway");
+function startGatewayServer(pool, config) {
+    const gateway = new openai_gateway_1.OpenAiGateway(pool, config);
+    const server = http_1.default.createServer(async (req, res) => {
+        try {
+            await gateway.handleRequest(req, res);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "gateway_error";
+            res.writeHead(500, { "content-type": "text/plain" });
+            res.end(message);
+        }
+    });
+    server.listen(config.port, config.bindAddress);
+    return server;
+}

package/dist/gateway/token_utils.d.ts

@@ -0,0 +1,18 @@
+export interface TokenDetails {
+    expiresAtMs?: number;
+    sessionId?: string;
+    chatgptAccountId?: string;
+    chatgptUserId?: string;
+    userId?: string;
+    organizationId?: string;
+}
+export interface TokenPair extends TokenDetails {
+    accessToken: string;
+    refreshToken: string;
+    idToken?: string;
+    accountId?: string;
+}
+export declare function parseJwtExpiry(token: string): number | undefined;
+export declare function parseJwtSessionId(token: string): string | undefined;
+export declare function deriveTokenDetails(accessToken: string, idToken?: string): TokenDetails;
+export declare function isTokenFresh(expiresAtMs: number | undefined, bufferSeconds: number): boolean;

package/dist/gateway/token_utils.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseJwtExpiry = parseJwtExpiry;
+exports.parseJwtSessionId = parseJwtSessionId;
+exports.deriveTokenDetails = deriveTokenDetails;
+exports.isTokenFresh = isTokenFresh;
+function parseJwtExpiry(token) {
+    const payload = parseJwtPayload(token);
+    if (!payload || typeof payload.exp !== "number") {
+        return undefined;
+    }
+    return payload.exp * 1000;
+}
+function parseJwtSessionId(token) {
+    const payload = parseJwtPayload(token);
+    if (!payload) {
+        return undefined;
+    }
+    if (typeof payload.session_id === "string") {
+        return payload.session_id;
+    }
+    if (typeof payload.sid === "string") {
+        return payload.sid;
+    }
+    return undefined;
+}
+function deriveTokenDetails(accessToken, idToken) {
+    const payload = parseJwtPayload(accessToken);
+    const details = {
+        expiresAtMs: parseJwtExpiry(accessToken),
+        sessionId: parseJwtSessionId(accessToken)
+    };
+    const authPayload = payload?.["https://api.openai.com/auth"];
+    if (authPayload) {
+        details.chatgptAccountId = authPayload.chatgpt_account_id;
+        details.chatgptUserId = authPayload.chatgpt_user_id;
+        details.userId = authPayload.user_id;
+    }
+    const organizationId = parseOrganizationId(idToken ?? accessToken);
+    if (organizationId) {
+        details.organizationId = organizationId;
+    }
+    return details;
+}
+function parseJwtPayload(token) {
+    const parts = token.split(".");
+    if (parts.length < 2) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+    }
+    catch {
+        return undefined;
+    }
+}
+function parseOrganizationId(token) {
+    const payload = parseJwtPayload(token);
+    const authPayload = payload?.["https://api.openai.com/auth"];
+    const organizations = authPayload?.organizations;
+    if (!Array.isArray(organizations) || organizations.length === 0) {
+        return undefined;
+    }
+    const defaultOrg = organizations.find((org) => org.is_default);
+    return defaultOrg?.id ?? organizations[0]?.id;
+}
+function isTokenFresh(expiresAtMs, bufferSeconds) {
+    if (!expiresAtMs) {
+        return true;
+    }
+    const now = Date.now();
+    return expiresAtMs - now > bufferSeconds * 1000;
+}

package/dist/output_capture.d.ts

@@ -0,0 +1,6 @@
+export declare class OutputCapture {
+    private readonly lines;
+    private partial;
+    addChunk(chunk: Buffer | string): void;
+    getText(): string;
+}

package/dist/output_capture.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OutputCapture = void 0;
+const constants_1 = require("./constants");
+class OutputCapture {
+    lines = [];
+    partial = "";
+    addChunk(chunk) {
+        const text = chunk instanceof Buffer ? chunk.toString("utf8") : chunk;
+        const combined = this.partial + text;
+        const parts = combined.split(/\r?\n/);
+        this.partial = parts.pop() ?? "";
+        for (const line of parts) {
+            this.lines.push(line);
+        }
+        if (this.lines.length > constants_1.MAX_CAPTURED_LINES) {
+            this.lines.splice(0, this.lines.length - constants_1.MAX_CAPTURED_LINES);
+        }
+    }
+    getText() {
+        const allLines = this.partial.length > 0 ? [...this.lines, this.partial] : this.lines;
+        return allLines.join("\n");
+    }
+}
+exports.OutputCapture = OutputCapture;

package/dist/paths.d.ts

@@ -0,0 +1,3 @@
+export declare function getBaseDir(dataDir?: string): string;
+export declare function getAccountDir(baseDir: string, accountName: string): string;
+export declare function getRegistryPath(baseDir: string): string;

package/dist/paths.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBaseDir = getBaseDir;
+exports.getAccountDir = getAccountDir;
+exports.getRegistryPath = getRegistryPath;
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const constants_1 = require("./constants");
+function getBaseDir(dataDir) {
+    if (dataDir && dataDir.trim().length > 0) {
+        return dataDir;
+    }
+    return path_1.default.join(os_1.default.homedir(), ".codex-account-orchestrator");
+}
+function getAccountDir(baseDir, accountName) {
+    return path_1.default.join(baseDir, accountName);
+}
+function getRegistryPath(baseDir) {
+    return path_1.default.join(baseDir, constants_1.REGISTRY_FILE_NAME);
+}

package/dist/process_runner.d.ts

@@ -0,0 +1,5 @@
+export interface RunResult {
+    exitCode: number;
+    quotaError: boolean;
+}
+export declare function runCodexOnce(codexBin: string, codexArgs: string[], accountDir: string, captureOutput: boolean): Promise<RunResult>;