codex-claude-proxy 1.0.0 → 1.0.2

package/README.md

@@ -6,7 +6,17 @@ A local proxy server that exposes an **Anthropic-compatible API** (Claude Messag
 
 It is designed primarily for **Claude Code CLI** (Anthropic-format client) while actually executing requests against Codex.
 
-> This project is inspired by the structure of the Antigravity Claude Proxy README in `antigravity-claude-proxy-main/README.md`, but this proxy targets **ChatGPT Codex** and does **not** implement all Antigravity features.
+## Table of Contents
+- [How it works](#how-it-works)
+- [Model Mapping](#model-mapping-claude-name--codex)
+- [Features](#features)
+- [Installation](#installation)
+- [Quick Start](#quick-start)
+- [Authentication](#authenticate-codex--chatgpt)
+- [Claude Code Integration](#configure-claude-code-to-use-the-proxy)
+- [Documentation](#documentation)
+- [Legal](#legal)
+
 
 ---
 
@@ -17,13 +27,6 @@ It is designed primarily for **Claude Code CLI** (Anthropic-format client) while
 - “Claude” and “Anthropic” are trademarks of Anthropic PBC.
 - Software is provided **“as is”**, without warranty. You are responsible for complying with all applicable Terms of Service and Acceptable Use Policies.
 
-### Legal
-
-- **Not affiliated with OpenAI or Anthropic.** This is an independent open-source project and is not endorsed by, sponsored by, or affiliated with OpenAI or Anthropic.
-- “ChatGPT”, “OpenAI”, and “Codex” are trademarks of their respective owners.
-- “Claude” and “Anthropic” are trademarks of Anthropic PBC.
-- Software is provided "as is", without warranty. You are responsible for complying with all applicable Terms of Service and Acceptable Use Policies.
-
 ---
 
 ## How it works
@@ -41,6 +44,10 @@ At a high level:
 2. The proxy maps the incoming “Claude model name” into a Codex model.
 3. The proxy converts formats as needed and returns responses back in Anthropic-compatible shapes, including streaming and tool calls.
 
+Notes:
+- Requests are proxied to the ChatGPT Codex backend.
+- The `claude-haiku-4` (“Haiku”) lane can optionally route via **OpenRouter** to **MiniMax M2.5** / **GLM-5** (depending on server configuration).
+
 ---
 
 ## Model mapping (Claude name → Codex)
@@ -51,7 +58,7 @@ This proxy accepts Claude-style model IDs (what Claude Code expects) and maps th
 |---|---|---:|---|
 | `claude-sonnet-4-5` | **GPT-5.2 Codex** | Yes | Default “Sonnet” lane |
 | `claude-opus-4-5` | **GPT-5.3 Codex** | Yes | Default “Opus” lane |
-| `claude-haiku-4` | **GPT-5.2** (fast lane) | Yes | Lightweight / fast |
+| `claude-haiku-4` | **GLM-5 / MiniMax M2.5** | No | Unlimited / No Auth required |
 
 ---
 
@@ -78,12 +85,26 @@ This proxy accepts Claude-style model IDs (what Claude Code expects) and maps th
 
 ---
 
-## Quick start
+## Installation
 
 ```bash
+# Run once (no install)
+npx codex-claude-proxy@latest start
+
+# Or install globally
+npm i -g codex-claude-proxy
+codex-claude-proxy start
+
+# Or from source
+git clone <repo-url>
+cd codex-claude-proxy
 npm install
 npm start
+```
+
+## Quick start
 
+```bash
 # WebUI
 open http://localhost:8081
 
@@ -110,29 +131,47 @@ Codex-backed routes require at least one authenticated ChatGPT account.
 2. Open `http://localhost:8081`
 3. Go to Accounts and add an account via OAuth (or use the Manual mode for headless environments)
 
-### Option B: CLI helpers
+### Option B: CLI
 
-Desktop (opens browser):
+Add an account:
+
+```bash
+# Opens browser
+codex-claude-proxy accounts add
+
+# Headless / VM (prints URL; you paste callback URL/code)
+codex-claude-proxy accounts add --no-browser
+```
+
+List accounts:
+
+```bash
+codex-claude-proxy accounts list
+```
+
+(If you’re running from source, use `npm start` in one terminal and run the CLI commands in another.)
+
+Desktop (equivalent npm script):
 
 ```bash
 npm run accounts:add
 ```
 
-Headless / VM:
+Headless / VM (equivalent npm script):
 
 ```bash
 npm run accounts:add:headless
-# Prints URL, you paste callback URL/code
 ```
 
 ### Option C: Import from Codex app
 
+You can import an existing Codex app session via the server (see [Accounts](./docs/ACCOUNTS.md) for details).
+
 ```bash
 curl -X POST http://localhost:8081/accounts/import
-# Imports from ~/.codex/auth.json
 ```
 
-Details: `docs/OAUTH.md` and `docs/ACCOUNTS.md`.
+Details: [OAuth](./docs/OAUTH.md) and [Accounts](./docs/ACCOUNTS.md).
 
 ---
 
@@ -144,7 +183,7 @@ Details: `docs/OAUTH.md` and `docs/ACCOUNTS.md`.
 curl -X POST http://localhost:8081/claude/config/proxy
 ```
 
-This updates `~/.claude/settings.json` to point Claude Code at `http://localhost:8081`.
+This updates your local Claude Code settings to point at `http://localhost:8081`.
 
 ### Manual (env vars)
 
@@ -154,53 +193,42 @@ export ANTHROPIC_API_KEY=any-key
 claude
 ```
 
-More details: `docs/CLAUDE_INTEGRATION.md`.
+More details: [Claude Code Integration](./docs/CLAUDE_INTEGRATION.md).
 
 ---
 
-## API surface (high level)
+## Security
 
-- Anthropic-compatible:
-  - `POST /v1/messages`
-  - `GET  /v1/models`
-  - `POST /v1/messages/count_tokens`
+- **Localhost Only**: CORS is strictly restricted to `localhost` and `127.0.0.1` to prevent unauthorized cross-origin requests from external websites.
+- **Credential Safety**: Credentials are not allowed in cross-origin requests.
 
-- OpenAI-compatible:
-  - `POST /v1/chat/completions`
+---
 
-- Accounts:
-  - `GET  /accounts`
-  - `POST /accounts/add`
-  - `POST /accounts/add/manual`
-  - `POST /accounts/switch`
-  - `POST /accounts/refresh`, `POST /accounts/refresh/all`
 
-- Logs:
-  - `GET /api/logs`
-  - `GET /api/logs/stream?history=true`
+## Documentation
 
-Full reference: `docs/API.md`.
+- [**Architecture**](./docs/ARCHITECTURE.md) - Design and flow
+- [**API Reference**](./docs/API.md) - Endpoints and model list
+- [**Accounts**](./docs/ACCOUNTS.md) - Multi-account management
+- [**OAuth**](./docs/OAUTH.md) - Authentication details
+- [**OpenClaw**](./docs/OPENCLAW.md) - Using with messaging gateways
+- [**Claude Code**](./docs/CLAUDE_INTEGRATION.md) - Detailed CLI setup guide
 
----
+## Legal
 
-## Documentation
-
-- `docs/ARCHITECTURE.md` — system overview and data flow
-- `docs/API.md` — endpoints, formats, streaming
-- `docs/OAUTH.md` — OAuth PKCE implementation + headless flow
-- `docs/ACCOUNTS.md` — multi-account storage, switching, refresh, quota caching
-- `docs/CLAUDE_INTEGRATION.md` — how to use with Claude Code
-- `docs/OPENCLAW.md` — using the proxy behind OpenClaw
+See [Legal Notices](./docs/legal.md).
 
 ---
 
-## Notes / limitations
+## Credits
+
+This project is based on insights and code from:
 
-- This project is intended for **local** or **trusted** environments.
-- Some behavior differs from Antigravity proxy; this repo focuses on ChatGPT Codex routing.
+- [badrisnarayanan/antigravity-claude-proxy](https://github.com/badrisnarayanan/antigravity-claude-proxy)
+- [1rgs/claude-code-proxy](https://github.com/1rgs/claude-code-proxy)
 
 ---
 
 ## License
 
-MIT
+MIT

package/docs/API.md

@@ -4,6 +4,8 @@
 
 ### Haiku Routing Settings
 
+The `claude-haiku-4` (“Haiku”) lane can be configured to route via an alternate provider (e.g. **OpenRouter**) for supported models (e.g. **MiniMax M2.5** / **GLM-5**).
+
 ```bash
 GET /settings/haiku-model
 
@@ -29,8 +31,6 @@ Content-Type: application/json
 }
 ```
 
-`claude-haiku-4` requests are routed according to this server-wide setting.
-
 ### Chat Completions (OpenAI-compatible)
 
 ```bash
@@ -81,22 +81,21 @@ Content-Type: application/json
 
 ## Account Management
 
+Common endpoints:
+
 | Endpoint | Method | Description |
 |----------|--------|-------------|
 | `/accounts` | GET | List all accounts |
 | `/accounts/status` | GET | Get account status summary |
 | `/accounts/add` | POST | Start OAuth flow (returns URL) |
 | `/accounts/switch` | POST | Switch active account |
-| `/accounts/:email` | DELETE | Remove account |
-| `/accounts/refresh` | POST | Refresh active account token |
-| `/accounts/refresh/all` | POST | Refresh all tokens |
-| `/accounts/:email/refresh` | POST | Refresh specific account |
-| `/accounts/import` | POST | Import from `~/.codex/auth.json` |
 | `/accounts/models` | GET | Get models for account |
 | `/accounts/quota` | GET | Get quota info |
 | `/accounts/quota/all` | GET | Refresh all quotas |
 | `/accounts/usage` | GET | Get usage stats |
 
+(Additional maintenance endpoints exist for token refresh/import/removal; see the source if you need them.)
+
 ### Add Account
 
 ```bash
@@ -163,7 +162,7 @@ GET /health
 {
   "status": "ok",
   "total": 2,
-  "active": "user@gmail.com",
+  "active": "active@example.com",
   "accounts": [...]
 }
 ```

package/docs/ARCHITECTURE.md

@@ -4,22 +4,22 @@
 
 ```
 ┌──────────────────┐     ┌─────────────────────┐     ┌────────────────────────────┐
-│   Claude Code    │────▶│  This Proxy Server  │────▶│  ChatGPT Backend API        │
-│   (Anthropic     │     │  (Anthropic format)  │     │  (chatgpt.com/backend-api/  │
-│    API format)   │     │                      │     │   codex/responses)          │
+│   Claude Code    │────▶│  This Proxy Server  │────▶│  ChatGPT Codex backend      │
+│   (Anthropic     │     │  (Anthropic format) │     │  (internal API)             │
+│    API format)   │     │                     │     │                             │
 └──────────────────┘     └─────────────────────┘     └────────────────────────────┘
                                    │
                                    ▼
                          ┌─────────────────────┐
                          │  Account Manager    │
-                         │  (~/.codex-claude-  │
-                         │   proxy/accounts.json)
+                         │  (local storage)    │
+                         │                     │
                          └─────────────────────┘
 ```
 
 ## Key Discovery
 
-The endpoint `https://chatgpt.com/backend-api/codex/responses` bypasses Cloudflare protection when called with proper authentication headers.
+This proxy forwards requests from Anthropic-compatible clients (like Claude Code) to the ChatGPT Codex backend, handling authentication, format conversion, and streaming.
 
 ## Project Structure
 
@@ -36,28 +36,22 @@ codex-claude-proxy/
 ├── public/
 │   ├── index.html
 │   ├── css/style.css
-│   └── js/app.js              # Alpine UI logic
+│   └── js/app.js              # Web UI logic
 └── src/
-    ├── index.js              # Express server + routes
-    ├── oauth.js              # OAuth 2.0 with PKCE
-    ├── account-manager.js    # Multi-account storage
-    ├── format-converter.js   # Anthropic ↔ OpenAI format
-    ├── response-streamer.js  # SSE streaming
-    ├── direct-api.js         # ChatGPT API client
-    ├── kilo-api.js           # Alternate upstream client
-    ├── kilo-format-converter.js # Anthropic ↔ OpenAI Chat conversion
-    ├── kilo-streamer.js      # Streaming adapter
-    ├── model-api.js          # Models & quota
-    ├── server-settings.js    # Server-wide settings persistence
-    └── claude-config.js      # Claude CLI config
+    ├── index.js               # App entrypoint
+    ├── server.js              # Express server setup
+    ├── routes/api-routes.js   # API route registrations
+    └── ...                    # OAuth, accounts, converters, upstream clients
 ```
 
+(See the `src/` directory for the full implementation; this doc focuses on the high-level shape.)
+
 ## Module Responsibilities
 
 | File | Purpose |
 |------|---------|
 | `index.js` | Entry point (starts server) |
-| `server.js` | Express server, routes, request handling |
+| `server.js` | Express server, routes, request handling (CORS restricted) |
 | `routes/api-routes.js` | API route registrations (mounted by server) |
 | `oauth.js` | OAuth 2.0 PKCE flow, token exchange |
 | `account-manager.js` | Account persistence, switching, token refresh |
@@ -69,7 +63,7 @@ codex-claude-proxy/
 | `kilo-streamer.js` | Streaming adapter |
 | `server-settings.js` | Server-wide settings persistence |
 | `model-api.js` | Fetch models, usage, quota |
-| `claude-config.js` | Read/write `~/.claude/settings.json` |
+| `claude-config.js` | Read/write Claude Code settings |
 
 ## Data Flow
 
@@ -125,9 +119,4 @@ Haiku routing is controlled by a server-wide setting (`/settings/haiku-model`).
 
 ## Data Storage
 
-| Location | Contents |
-|----------|----------|
-| `~/.codex-claude-proxy/accounts.json` | Account registry, active account |
-| `~/.codex-claude-proxy/accounts/<email>/auth.json` | Per-account tokens |
-| `~/.claude/settings.json` | Claude CLI config (we update this) |
-| `~/.codex/auth.json` | Codex app auth (read for import) |
+Account and configuration files are stored under your home directory (platform-specific). See `docs/ACCOUNTS.md` and `docs/CLAUDE_INTEGRATION.md` for details.

package/docs/OAUTH.md

@@ -1,201 +1,21 @@
 # OAuth Implementation
 
-## Configuration
+This proxy uses **OAuth 2.0 with PKCE** for secure authentication with ChatGPT.
 
-```javascript
-OAUTH_CONFIG = {
-  clientId: 'app_EMoamEEZ73f0CkXaXp7hrann',
-  authUrl: 'https://auth.openai.com/oauth/authorize',
-  tokenUrl: 'https://auth.openai.com/oauth/token',
-  scopes: ['openid', 'profile', 'email', 'offline_access'],
-  callbackPort: 1455,
-  callbackPath: '/auth/callback'
-}
-```
+## Quick Start
+- **WebUI (Recommended)**: Open `http://localhost:8081` → **Add Account** → **Connect**.
+- **Headless**: Use `codex-claude-proxy accounts add --no-browser`.
 
-## Authorization Methods
+## OAuth Config
+- **Client ID**: `app_EMoamEEZ73f0CkXaXp7hrann`
+- **Auth URL**: `https://auth.openai.com/oauth/authorize`
+- **Redirect**: `http://localhost:1455/auth/callback`
 
-### Method A: WebUI (Recommended)
-
-1. Open `http://localhost:8081` in your browser
-2. Click **Add Account** → **Connect via OAuth**
-3. Complete authorization in the popup
-
-### Method B: WebUI Manual Mode (Headless)
-
-For servers without a browser:
-
-1. Click **Add Account** → **Manual Authorization**
-2. Copy the OAuth URL
-3. Open URL on another device (your local machine)
-4. Complete authorization
-5. Copy the callback URL or authorization code
-6. Paste back in the WebUI
-
-### Method C: CLI (Desktop)
-
-```bash
-npm run accounts:add
-# Opens browser for OAuth
-```
-
-### Method D: CLI Headless Mode
-
-```bash
-npm run accounts:add:headless
-# Prints URL, you paste the callback URL/code
-```
-
-### Method E: API (Headless)
-
-```bash
-# 1. Get OAuth URL and verifier
-curl -X POST http://localhost:8081/accounts/add
-
-# Response includes oauth_url, verifier, state
-
-# 2. Open URL on another device, complete auth
-
-# 3. Submit authorization code
-curl -X POST http://localhost:8081/accounts/add/manual \
-  -H "Content-Type: application/json" \
-  -d '{"code":"<code_or_callback_url>","verifier":"<verifier_from_step_1>"}'
-```
-
-## PKCE Flow
-
-### 1. Generate PKCE Challenge
-
-```javascript
-// Verifier: 32 random bytes, base64url encoded
-verifier = crypto.randomBytes(32).toString('base64url')
-
-// Challenge: SHA256 hash of verifier
-challenge = sha256(verifier).base64url
-```
-
-### 2. Authorization URL
-
-```
-https://auth.openai.com/oauth/authorize?
-  response_type=code
-  &client_id=app_EMoamEEZ73f0CkXaXp7hrann
-  &redirect_uri=http://localhost:1455/auth/callback
-  &scope=openid profile email offline_access
-  &code_challenge=<challenge>
-  &code_challenge_method=S256
-  &state=<random_state>
-  &prompt=login
-  &max_age=0
-```
-
-**Key parameters for multi-account:**
-- `prompt=login` - Forces login screen (ignores session cookies)
-- `max_age=0` - Forces re-authentication
-
-### 3. Token Exchange
-
-```javascript
-POST https://auth.openai.com/oauth/token
-Content-Type: application/x-www-form-urlencoded
-
-grant_type=authorization_code
-&code=<authorization_code>
-&redirect_uri=http://localhost:1455/auth/callback
-&client_id=app_EMoamEEZ73f0CkXaXp7hrann
-&code_verifier=<verifier>
-```
-
-### 4. Token Response
-
-```json
-{
-  "access_token": "eyJhbGciOiJSUzI1NiIs...",
-  "refresh_token": "rt_WpTMn1...",
-  "id_token": "eyJhbGciOiJSUzI1NiIs...",
-  "expires_in": 3600,
-  "token_type": "Bearer"
-}
-```
-
-## JWT Claims
-
-Decoded `access_token` payload:
-
-```json
-{
-  "https://api.openai.com/auth": {
-    "chatgpt_account_id": "d41e9636-...",
-    "chatgpt_plan_type": "plus",
-    "chatgpt_user_id": "user-..."
-  },
-  "https://api.openai.com/profile": {
-    "email": "user@gmail.com",
-    "email_verified": true
-  },
-  "exp": 1770886178
-}
-```
-
-## Token Refresh
-
-```javascript
-POST https://auth.openai.com/oauth/token
-Content-Type: application/x-www-form-urlencoded
-
-grant_type=refresh_token
-&refresh_token=<refresh_token>
-&client_id=app_EMoamEEZ73f0CkXaXp7hrann
-```
-
-## Auto-Refresh
-
-- Tokens auto-refresh every **55 minutes**
-- Proactive refresh before API calls if expiring within 5 minutes
-- Startup refresh 2 seconds after server start
-
-## Web Flow vs CLI Flow
-
-### Web Flow (WebUI)
-
-1. `POST /accounts/add` → returns OAuth URL
-2. Frontend opens popup with URL
-3. User authenticates in popup
-4. Browser redirects to callback
-5. Server handles callback, stores tokens
-6. Popup notifies parent via `postMessage`
-
-### CLI Flow
-
-1. `POST /accounts/add` → starts callback server on port 1455
-2. Server opens browser with OAuth URL
-3. User authenticates
-4. Browser redirects to callback
-5. Server exchanges code for tokens
-
-## Multi-Account Support
-
-The key to multi-account support is forcing a fresh login each time:
-
-1. `prompt=login` - Shows login screen even if already logged in
-2. `max_age=0` - Requires re-authentication
-3. Each account stored with unique email as identifier
+## Features
+- **Auto-Refresh**: Tokens refresh every 55 minutes.
+- **Multi-Account**: Uses `prompt=login` to force account switching.
+- **Headless Support**: Manual code entry for servers without browsers.
 
 ## Troubleshooting
-
-### OAuth returns existing account
-
-- Browser may have aggressive cookie caching
-- Try manual logout: https://auth.openai.com/logout
-- Clear browser cookies for auth.openai.com
-
-### Callback timeout
-
-- Default timeout: 2 minutes
-- Ensure port 1455 is available
-- Check firewall isn't blocking localhost
-
-### Token refresh fails
-
-- Refresh token may have expired
-- Re-add the account via WebUI
+- **Existing Account**: If it keeps picking the same account, logout at `auth.openai.com` or clear cookies.
+- **Port 1455**: Must be available for the CLI callback.

package/docs/OPENCLAW.md

@@ -1,338 +1,33 @@
 # Using with OpenClaw
 
-[OpenClaw](https://docs.openclaw.ai/) (formerly ClawdBot/Moltbot) is an AI agent gateway that connects to messaging apps like Telegram, WhatsApp, Discord, Slack, and iMessage. You can configure it to use this proxy for GPT-5 Codex models.
+[OpenClaw](https://docs.openclaw.ai/) is an AI agent gateway. This proxy provides the Anthropic-compatible API it needs.
 
-## What is OpenClaw?
+## Quick Integration
 
-OpenClaw acts as a bridge between messaging platforms and AI models:
-
-```
-┌──────────────┐     ┌─────────────┐     ┌─────────────────────┐     ┌──────────────┐
-│  Telegram    │────▶│             │     │  Codex-Claude-Proxy │     │  ChatGPT     │
-│  WhatsApp    │     │  OpenClaw   │────▶│  (Anthropic API)    │────▶│  Codex API   │
-│  Discord     │     │  Gateway    │     │                     │     │              │
-│  Slack       │     │             │     │                     │     │              │
-│  iMessage    │     │             │     │                     │     │              │
-└──────────────┘     └─────────────┘     └─────────────────────┘     └──────────────┘
-```
-
-OpenClaw expects providers to expose an Anthropic-compatible or OpenAI-compatible API, which this proxy provides.
-
-## Prerequisites
-
-- OpenClaw installed:
-  ```bash
-  npm install -g openclaw@latest
-  ```
-- Codex-Claude-Proxy running on port 8081 (or your configured port)
-- At least one ChatGPT account linked to the proxy
-
-## Configure OpenClaw
-
-Edit your OpenClaw config file:
-- **macOS/Linux**: `~/.openclaw/openclaw.json`
-- **Windows**: `%USERPROFILE%\.openclaw\openclaw.json`
-
-### Basic Configuration
-
-```json
-{
-  "models": {
-    "mode": "merge",
-    "providers": {
+1.  **Add Provider** to `~/.openclaw/openclaw.json`:
+    ```json
+    {
       "codex-proxy": {
         "baseUrl": "http://127.0.0.1:8081",
         "apiKey": "test",
         "api": "anthropic-messages",
         "models": [
-          {
-            "id": "gpt-5.3-codex",
-            "name": "GPT-5.3 Codex",
-            "reasoning": true,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 200000,
-            "maxTokens": 128000
-          },
-          {
-            "id": "gpt-5.2-codex",
-            "name": "GPT-5.2 Codex",
-            "reasoning": true,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 200000,
-            "maxTokens": 128000
-          },
-          {
-            "id": "gpt-5.2",
-            "name": "GPT-5.2",
-            "reasoning": false,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 128000,
-            "maxTokens": 16384
-          }
+          { "id": "claude-sonnet-4-5", "name": "GPT-5.2 Codex" },
+          { "id": "claude-opus-4-5", "name": "GPT-5.3 Codex" }
         ]
       }
     }
-  },
-  "agents": {
-    "defaults": {
-      "model": {
-        "primary": "codex-proxy/gpt-5.2-codex",
-        "fallbacks": ["codex-proxy/gpt-5.2"]
-      },
-      "models": {
-        "codex-proxy/gpt-5.2-codex": {}
-      }
-    }
-  }
-}
-```
-
-### Using Claude Model Names (Auto-Mapped)
-
-The proxy automatically maps Claude model names to Codex equivalents. You can use familiar names:
-
-```json
-{
-  "models": {
-    "mode": "merge",
-    "providers": {
-      "codex-proxy": {
-        "baseUrl": "http://127.0.0.1:8081",
-        "apiKey": "test",
-        "api": "anthropic-messages",
-        "models": [
-          {
-            "id": "claude-opus-4-5",
-            "name": "Claude Opus 4.5 (GPT-5.3 Codex)",
-            "reasoning": true,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 200000,
-            "maxTokens": 128000
-          },
-          {
-            "id": "claude-sonnet-4-5",
-            "name": "Claude Sonnet 4.5 (GPT-5.2 Codex)",
-            "reasoning": true,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 200000,
-            "maxTokens": 128000
-          },
-          {
-            "id": "claude-haiku-4",
-            "name": "Claude Haiku 4 (GPT-5.2)",
-            "reasoning": false,
-            "input": ["text", "image"],
-            "cost": { "input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0 },
-            "contextWindow": 128000,
-            "maxTokens": 16384
-          }
-        ]
-      }
-    }
-  },
-  "agents": {
-    "defaults": {
-      "model": {
-        "primary": "codex-proxy/claude-sonnet-4-5",
-        "fallbacks": ["codex-proxy/claude-haiku-4"]
-      }
-    }
-  }
-}
-```
-
-> **Note**: The `reasoning` field indicates whether the model supports extended thinking/reasoning. Set to `true` for Codex models which excel at complex reasoning tasks.
-
-## Model Reference
-
-| Proxy Model | Mapped From | Best For |
-|-------------|-------------|----------|
-| `gpt-5.3-codex` | `claude-opus-4-5` | Most capable, complex coding tasks |
-| `gpt-5.2-codex` | `claude-sonnet-4-5` | Balanced performance, recommended default |
-| `gpt-5.2` | `claude-haiku-4` | Fast responses, simpler tasks |
-
-## Start Both Services
-
-```bash
-# Terminal 1: Start the proxy
-cd codex-claude-proxy
-npm start
-
-# Terminal 2: Start OpenClaw gateway
-openclaw gateway
-```
-
-## Verify Configuration
-
-```bash
-# Check available models
-openclaw models list
-
-# Check gateway status
-openclaw status
-```
-
-You should see models prefixed with `codex-proxy/` in the list.
-
-## Switch Models
-
-To change the default model:
-
-```bash
-openclaw models set codex-proxy/gpt-5.3-codex
-```
-
-Or edit the `model.primary` field in your config file.
-
-## API Compatibility
-
-The proxy exposes an **Anthropic Messages API** compatible interface:
-
-| Endpoint | Description |
-|----------|-------------|
-| `POST /v1/messages` | Main chat endpoint |
-| `GET /v1/models` | List available models |
-| `POST /v1/messages/count_tokens` | Token counting |
-
-OpenClaw's `api: "anthropic-messages"` setting tells it to use the Anthropic format, which this proxy fully supports including:
-- Streaming responses (SSE)
-- Tool/function calling
-- Multi-turn conversations
-- Image inputs
-- System prompts
-
-## Multi-Account Support
-
-The proxy supports multiple ChatGPT accounts with automatic switching:
-
-```bash
-# Add accounts via Web UI at http://localhost:8081
-# Or via CLI:
-npm run accounts:add
-
-# List accounts
-curl http://localhost:8081/accounts
-```
-
-When one account hits rate limits, the proxy can automatically switch to another. This provides seamless continuity for OpenClaw users.
-
-## Advanced Configuration
-
-### Custom Port
-
-If running the proxy on a different port:
-
-```json
-{
-  "models": {
-    "providers": {
-      "codex-proxy": {
-        "baseUrl": "http://127.0.0.1:3000",
-        ...
-      }
-    }
-  }
-}
-```
-
-### VPS/Remote Server
-
-When running on a VPS, bind the proxy to localhost only:
-
-```bash
-HOST=127.0.0.1 PORT=8081 npm start
-```
-
-Then use SSH port forwarding on your local machine:
-
-```bash
-ssh -L 8081:127.0.0.1:8081 user@your-vps
-```
-
-Configure OpenClaw to use the local tunnel:
+    ```
+2.  **Set Primary Model**:
+    ```bash
+    openclaw models set codex-proxy/claude-sonnet-4-5
+    ```
 
-```json
-{
-  "baseUrl": "http://127.0.0.1:8081"
-}
-```
-
-### Authentication
-
-To protect the proxy with an API key:
-
-```bash
-API_KEY=your-secret-key npm start
-```
-
-Update OpenClaw config:
-
-```json
-{
-  "providers": {
-    "codex-proxy": {
-      "baseUrl": "http://127.0.0.1:8081",
-      "apiKey": "your-secret-key",
-      ...
-    }
-  }
-}
-```
+## Key Benefits
+- **Multi-Account**: Proxy handles rate limits by switching ChatGPT accounts.
+- **SSE Streaming**: Full real-time response support.
+- **Tool Calling**: Native support for agentic workflows.
 
 ## Troubleshooting
-
-### Connection Refused
-
-Ensure the proxy is running:
-```bash
-curl http://127.0.0.1:8081/health
-```
-
-### Models Not Showing
-
-1. Verify config file is valid JSON
-2. Check `mode` is set to `"merge"`
-3. Restart OpenClaw after config changes:
-   ```bash
-   openclaw gateway restart
-   ```
-
-### Rate Limiting
-
-If you see rate limit errors:
-1. Add more ChatGPT accounts to the proxy
-2. The proxy will auto-switch between accounts
-3. Check `/accounts` endpoint for account status
-
-### Use 127.0.0.1 Not localhost
-
-Always use `127.0.0.1` instead of `localhost` in `baseUrl`:
-- Avoids DNS resolution issues
-- Explicitly stays on loopback interface
-- Prevents accidental exposure on VPS
-
-## Comparison: Codex Proxy vs Antigravity Proxy
-
-| Feature | Codex-Claude-Proxy | Antigravity Proxy |
-|---------|-------------------|-------------------|
-| Backend API | ChatGPT Codex API | Google Cloud Code API |
-| Models | GPT-5.2/5.3 Codex | Gemini 3, Claude (via Google) |
-| Auth | ChatGPT OAuth | Google OAuth |
-| Account Source | ChatGPT accounts | Google accounts |
-| Rate Limits | ChatGPT limits | Google Cloud quotas |
-| Best For | Codex-native access | Google Cloud users |
-
-Both proxies expose the same Anthropic-compatible API, so OpenClaw configuration is nearly identical.
-
-## Further Reading
-
-- [OpenClaw Documentation](https://docs.openclaw.ai/)
-- [OpenClaw Configuration Reference](https://docs.openclaw.ai/gateway/configuration)
-- [Proxy API Reference](./API.md)
-- [Account Management](./ACCOUNTS.md)
-- [OAuth Setup](./OAUTH.md)
+- Use `127.0.0.1` instead of `localhost`.
+- Verify proxy health: `curl http://127.0.0.1:8081/health`.

package/docs/legal.md

@@ -0,0 +1,11 @@
+# Legal
+
+- **Not affiliated with OpenAI or Anthropic.** This is an independent open-source project and is not endorsed by, sponsored by, or affiliated with OpenAI or Anthropic.
+
+- "ChatGPT", "OpenAI", and "Codex" are trademarks of OpenAI.
+
+- "Claude" and "Anthropic" are trademarks of Anthropic PBC.
+
+- "Kilo" and "Kilo Search" are trademarks of their respective owners.
+
+- Software is provided "as is", without warranty. You are responsible for complying with all applicable Terms of Service and Acceptable Use Policies.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-claude-proxy",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Multi-account proxy server for OpenAI Codex CLI with Claude API compatibility",
   "type": "module",
   "main": "src/index.js",

package/public/js/app.js

@@ -1,6 +1,6 @@
 document.addEventListener('alpine:init', () => {
     Alpine.data('app', () => ({
-        version: '2.0.0',
+        version: '1.0.2',
         connectionStatus: 'connecting',
         activeTab: 'dashboard',
         sidebarOpen: window.innerWidth >= 1024,

package/src/account-manager.js

@@ -26,10 +26,10 @@ const tokenCache = new Map();
 
 function ensureConfigDir() {
     if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true });
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
     if (!existsSync(ACCOUNTS_DIR)) {
-        mkdirSync(ACCOUNTS_DIR, { recursive: true });
+        mkdirSync(ACCOUNTS_DIR, { recursive: true, mode: 0o700 });
     }
 }
 
@@ -64,7 +64,7 @@ function loadAccounts() {
 
 function saveAccounts(data) {
     ensureConfigDir();
-    writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2));
+    writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
 }
 
 function getActiveAccount() {
@@ -80,7 +80,7 @@ function updateAccountAuth(account) {
     const authFile = getAccountAuthFile(account.email);
     
     if (!existsSync(accountDir)) {
-        mkdirSync(accountDir, { recursive: true });
+        mkdirSync(accountDir, { recursive: true, mode: 0o700 });
     }
     
     const authData = {
@@ -96,7 +96,7 @@ function updateAccountAuth(account) {
     };
     
     try {
-        writeFileSync(authFile, JSON.stringify(authData, null, 2));
+        writeFileSync(authFile, JSON.stringify(authData, null, 2), { mode: 0o600 });
         console.log(`[AccountManager] Updated auth for: ${account.email}`);
     } catch (e) {
         console.error('[AccountManager] Failed to update auth:', e.message);

package/src/claude-config.js

@@ -60,13 +60,13 @@ export async function updateClaudeConfig(updates) {
     
     const configDir = path.dirname(configPath);
     try {
-        await fs.mkdir(configDir, { recursive: true });
+        await fs.mkdir(configDir, { recursive: true, mode: 0o700 });
     } catch (error) {
         // Ignore if exists
     }
     
     try {
-        await fs.writeFile(configPath, JSON.stringify(newConfig, null, 2), 'utf8');
+        await fs.writeFile(configPath, JSON.stringify(newConfig, null, 2), { encoding: 'utf8', mode: 0o600 });
         console.log(`[ClaudeConfig] Updated config at ${configPath}`);
         return newConfig;
     } catch (error) {

package/src/cli/accounts.js

@@ -39,9 +39,9 @@ function saveAccounts(data) {
     try {
         const dir = dirname(ACCOUNTS_FILE);
         if (!existsSync(dir)) {
-            mkdirSync(dir, { recursive: true });
+            mkdirSync(dir, { recursive: true, mode: 0o700 });
         }
-        writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2));
+        writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
         console.log(`\n✓ Saved ${data.accounts.length} account(s) to ${ACCOUNTS_FILE}`);
     } catch (error) {
         console.error('Error saving accounts:', error.message);

package/src/index.js

@@ -13,7 +13,7 @@ startServer({ port: PORT });
 
 console.log(`
 ╔══════════════════════════════════════════════════════════════╗
-║                 Codex Claude Proxy v2.0.0                    ║
+║                 Codex Claude Proxy v1.0.2                    ║
 ║                   (Direct API Mode)                          ║
 ╠══════════════════════════════════════════════════════════════╣
 ║  Server:   http://localhost:${PORT}                          ║

package/src/server-settings.js

@@ -10,7 +10,7 @@ const DEFAULT_SETTINGS = {
 
 function ensureConfigDir() {
     if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true });
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
 }
 
@@ -35,7 +35,7 @@ export function setServerSettings(patch = {}) {
     const next = { ...current, ...patch };
 
     ensureConfigDir();
-    writeFileSync(SETTINGS_FILE, JSON.stringify(next, null, 2));
+    writeFileSync(SETTINGS_FILE, JSON.stringify(next, null, 2), { mode: 0o600 });
     return next;
 }
 

package/src/server.js

@@ -14,7 +14,34 @@ export function createServer({ port }) {
   startAutoRefresh();
 
   const app = express();
-  app.use(cors());
+  app.disable('x-powered-by');
+  
+  // High-level request logging
+  app.use((req, res, next) => {
+    const start = Date.now();
+    res.on('finish', () => {
+      const duration = Date.now() - start;
+      const msg = `[${req.method}] ${req.originalUrl} ${res.statusCode} (${duration}ms)`;
+      if (res.statusCode >= 400) {
+        console.log(`\x1b[31m${msg}\x1b[0m`); // Red for error
+      } else if (req.originalUrl !== '/health') { // Skip health check logs to reduce noise
+        console.log(`\x1b[36m${msg}\x1b[0m`); // Cyan for success
+      }
+    });
+    next();
+  });
+
+  app.use(cors({
+    origin: [
+      `http://localhost:${port}`,
+      `http://127.0.0.1:${port}`,
+      'http://localhost',
+      'http://127.0.0.1'
+    ],
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization'],
+    credentials: false
+  }));
   app.use(express.json({ limit: '10mb' }));
 
   registerApiRoutes(app, { port });