codex-rotating-proxy 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,182 @@
+# codex-rotating-proxy
+
+OpenAI API proxy that rotates between multiple ChatGPT/OpenAI accounts when rate limits hit.
+
+```
+┌──────────┐     ┌───────────────┐     ┌─────────────┐
+│  your    │────▶│  codex-proxy  │────▶│ OpenAI API  │
+│  tool    │◀────│    :4000      │◀────│             │
+└──────────┘     └──────┬────────┘     └─────────────┘
+                        │
+                   ┌────┴────┐
+                   │  Pool   │
+                   ├─────────┤
+                   │ acc-1 ● │ ← active
+                   │ acc-2 ○ │ ← standby
+                   │ acc-3 ◑ │ ← cooldown
+                   └─────────┘
+```
+
+## Why
+
+If you have multiple ChatGPT Plus/Pro subscriptions and keep hitting rate limits in your coding tool, this proxy sits between the tool and the API. It sticks with one account until it hits a limit, then automatically rotates to the next.
+
+Works with [opencode](https://opencode.ai), [aider](https://aider.chat), [continue](https://continue.dev), or any tool that talks to an OpenAI-compatible API.
+
+## Quick start
+
+```bash
+npm install -g codex-rotating-proxy
+
+# Log in with your OpenAI accounts (opens browser)
+codex-proxy login personal
+codex-proxy login work
+
+# Start the proxy
+codex-proxy start
+```
+
+Then point your tool to `http://localhost:4000/v1`.
+
+## Requirements
+
+Node.js 22.6+
+
+## How login works
+
+`codex-proxy login` uses the same OAuth flow as the official [Codex CLI](https://github.com/openai/codex) — it opens your browser to OpenAI's login page, you sign in with your ChatGPT account, and the token is captured automatically. No manual key copying needed.
+
+```
+$ codex-proxy login personal
+  Opening browser to sign in with OpenAI...
+✓ Connected "personal" (you@email.com)
+```
+
+Tokens are automatically refreshed when they expire. If a token gets a 401 mid-session, the proxy refreshes it transparently and retries.
+
+## Commands
+
+### `codex-proxy login [name]`
+
+Opens your browser to sign in with OpenAI. Saves the account for rotation.
+
+```bash
+codex-proxy login             # name is derived from your email
+codex-proxy login work        # explicitly name the account
+```
+
+### `codex-proxy logout <name>`
+
+Remove an account from the pool.
+
+### `codex-proxy accounts`
+
+List all connected accounts with masked tokens.
+
+```
+  personal         sk-1••••Qx2Q  2h ago
+  work             sk-9••••kPz   5m ago
+```
+
+### `codex-proxy start`
+
+Start the proxy server. Foreground by default.
+
+```bash
+codex-proxy start                  # foreground (Ctrl+C to stop)
+codex-proxy start -d               # background (daemon)
+codex-proxy start -p 5000          # custom port
+```
+
+### `codex-proxy stop`
+
+Stop a running daemon.
+
+### `codex-proxy status`
+
+Show whether the proxy is running and live account health:
+
+```
+  Proxy  running (PID 12345)
+
+  ● personal         active           42 req   0 err
+  ◑ work             cooldown 38m     18 req   2 err
+```
+
+### `codex-proxy config`
+
+View or update settings:
+
+```bash
+codex-proxy config                     # show current
+codex-proxy config --port 5000         # change port
+codex-proxy config --cooldown 30       # cooldown minutes
+```
+
+## Using with opencode
+
+Add the proxy as your OpenAI provider base URL in `~/.config/opencode/opencode.json`:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "provider": {
+    "openai": {
+      "options": {
+        "baseURL": "http://localhost:4000/v1"
+      }
+    }
+  }
+}
+```
+
+Then set your model as usual — the proxy forwards whatever model the client requests:
+
+```json
+{
+  "model": "openai/gpt-4o"
+}
+```
+
+Start both:
+
+```bash
+codex-proxy start -d    # start proxy in background
+opencode                # start coding
+```
+
+### Using with aider
+
+```bash
+export OPENAI_API_BASE=http://localhost:4000/v1
+export OPENAI_API_KEY=unused    # proxy handles auth
+aider
+```
+
+### Using with any OpenAI-compatible tool
+
+Set the base URL to `http://localhost:4000/v1`. Set the API key to any non-empty value — the proxy replaces it with the real token from your account pool.
+
+## How it works
+
+- **Sticky routing** — stays on one account until it hits a rate limit, then rotates to the next
+- **Auto-rotation** — detects HTTP 429, 402, and quota-related 403 responses
+- **Token refresh** — OAuth tokens are automatically refreshed on 401; no manual re-login needed
+- **Streaming** — full SSE streaming support for chat completions
+- **Hot reload** — logging in while the proxy is running adds the new account immediately
+- **Zero dependencies** — just Node.js
+
+## Data
+
+All data is stored in `~/.codex-proxy/`:
+
+| File | Contents |
+|------|----------|
+| `accounts.json` | Account tokens and refresh tokens |
+| `settings.json` | Port, upstream URL, cooldown |
+| `proxy.pid` | PID of running daemon |
+| `proxy.log` | Daemon log output |
+
+## License
+
+MIT

package/bin/codex-proxy

@@ -0,0 +1,10 @@
+#!/bin/sh
+# Resolve symlinks (npm link creates one)
+SELF="$0"
+while [ -L "$SELF" ]; do
+  DIR="$(cd "$(dirname "$SELF")" && pwd)"
+  SELF="$(readlink "$SELF")"
+  case "$SELF" in /*) ;; *) SELF="$DIR/$SELF" ;; esac
+done
+SCRIPT_DIR="$(cd "$(dirname "$SELF")" && pwd)"
+exec node --experimental-strip-types "$SCRIPT_DIR/../src/cli.ts" "$@"

package/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "codex-rotating-proxy",
+  "version": "0.1.0",
+  "description": "OpenAI API proxy that rotates between multiple accounts when rate limits hit",
+  "type": "module",
+  "bin": {
+    "codex-proxy": "bin/codex-proxy"
+  },
+  "scripts": {
+    "dev": "node --experimental-strip-types src/cli.ts",
+    "postinstall": "chmod +x bin/codex-proxy 2>/dev/null || true"
+  },
+  "keywords": ["openai", "proxy", "rate-limit", "rotation", "chatgpt", "codex"],
+  "license": "MIT",
+  "engines": {
+    "node": ">=22.6.0"
+  }
+}

package/src/cli.ts

@@ -0,0 +1,307 @@
+import { spawn } from "node:child_process";
+import { openSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import {
+  getAccounts,
+  getSettings,
+  updateSettings,
+  removeAccount,
+  readPid,
+  isRunning,
+  removePid,
+  ensureDataDir,
+  LOG_FILE,
+} from "./config.ts";
+import { loginFlow } from "./login.ts";
+import { startProxy } from "./server.ts";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const VERSION = "0.1.0";
+
+// ── Parse args ──────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const command = args[0];
+const flags = new Set(args.slice(1));
+const getFlag = (short: string, long: string): string | undefined => {
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === short || args[i] === long) return args[i + 1];
+  }
+  return undefined;
+};
+const positional = args.slice(1).filter((a) => !a.startsWith("-"));
+
+// ── Colors ──────────────────────────────────────────────────────
+const dim = (s: string) => `\x1b[2m${s}\x1b[0m`;
+const cyan = (s: string) => `\x1b[36m${s}\x1b[0m`;
+const green = (s: string) => `\x1b[32m${s}\x1b[0m`;
+const red = (s: string) => `\x1b[31m${s}\x1b[0m`;
+const yellow = (s: string) => `\x1b[33m${s}\x1b[0m`;
+const bold = (s: string) => `\x1b[1m${s}\x1b[0m`;
+
+// ── Commands ────────────────────────────────────────────────────
+async function main(): Promise<void> {
+  ensureDataDir();
+
+  switch (command) {
+    case "start":
+      return cmdStart();
+    case "stop":
+      return cmdStop();
+    case "status":
+      return cmdStatus();
+    case "login":
+      return cmdLogin();
+    case "logout":
+    case "remove":
+      return cmdLogout();
+    case "accounts":
+    case "list":
+      return cmdAccounts();
+    case "config":
+      return cmdConfig();
+    case "-v":
+    case "--version":
+      console.log(VERSION);
+      return;
+    case "-h":
+    case "--help":
+    case "help":
+    case undefined:
+      return cmdHelp();
+    default:
+      console.log(red(`Unknown command: ${command}`));
+      console.log(`Run ${cyan("codex-proxy --help")} for usage.`);
+      process.exit(1);
+  }
+}
+
+// ── start ───────────────────────────────────────────────────────
+function cmdStart(): void {
+  const pid = readPid();
+  if (pid && isRunning(pid)) {
+    console.log(yellow(`Proxy already running (PID ${pid}).`));
+    console.log(`Run ${cyan("codex-proxy stop")} first, or ${cyan("codex-proxy status")} to check.`);
+    return;
+  }
+
+  // Apply flag overrides
+  const port = getFlag("-p", "--port");
+  const upstream = getFlag("-u", "--upstream");
+  if (port) updateSettings({ port: parseInt(port) });
+  if (upstream) updateSettings({ upstream });
+
+  const isDaemon = flags.has("-d") || flags.has("--daemon");
+
+  if (isDaemon) {
+    const logFd = openSync(LOG_FILE, "a");
+    const child = spawn(
+      process.execPath,
+      ["--experimental-strip-types", join(__dirname, "server.ts")],
+      {
+        detached: true,
+        stdio: ["ignore", logFd, logFd],
+        env: { ...process.env, CODEX_PROXY_DAEMON: "1" },
+      }
+    );
+    child.unref();
+
+    const settings = getSettings();
+    console.log(green(`✓`) + ` Proxy started in background (PID ${child.pid})`);
+    console.log(`  ${dim("port")}      ${settings.port}`);
+    console.log(`  ${dim("log")}       ${LOG_FILE}`);
+    console.log(`  ${dim("stop")}      codex-proxy stop`);
+    return;
+  }
+
+  // Foreground
+  startProxy();
+}
+
+// ── stop ────────────────────────────────────────────────────────
+async function cmdStop(): Promise<void> {
+  const pid = readPid();
+  if (!pid || !isRunning(pid)) {
+    console.log(dim("Proxy is not running."));
+    removePid();
+    return;
+  }
+
+  process.kill(pid, "SIGTERM");
+  for (let i = 0; i < 30; i++) {
+    if (!isRunning(pid)) break;
+    await sleep(100);
+  }
+  removePid();
+  console.log(green("✓") + ` Proxy stopped (PID ${pid})`);
+}
+
+// ── status ──────────────────────────────────────────────────────
+async function cmdStatus(): Promise<void> {
+  const pid = readPid();
+  const running = pid !== null && isRunning(pid);
+
+  if (!running) {
+    console.log(`  ${bold("Proxy")}  ${dim("stopped")}`);
+    if (pid) removePid();
+  } else {
+    console.log(`  ${bold("Proxy")}  ${green("running")} ${dim(`(PID ${pid})`)}`);
+
+    try {
+      const settings = getSettings();
+      const res = await fetch(`http://localhost:${settings.port}/_status`);
+      const data = (await res.json()) as { accounts: any[] };
+      console.log();
+      printAccountTable(data.accounts);
+    } catch {
+      console.log(dim("  Could not reach proxy for live status."));
+    }
+  }
+
+  if (!running) {
+    const accounts = getAccounts();
+    if (accounts.length === 0) {
+      console.log(
+        `\n  No accounts. Run ${cyan("codex-proxy login")} to add one.`
+      );
+    } else {
+      console.log(`\n  ${bold("Accounts")}  ${accounts.length} configured`);
+      for (const a of accounts) {
+        console.log(`    ${a.name}  ${dim(maskToken(a.token))}`);
+      }
+    }
+  }
+}
+
+// ── login ───────────────────────────────────────────────────────
+function cmdLogin(): Promise<void> {
+  return loginFlow(positional[0]);
+}
+
+// ── logout ──────────────────────────────────────────────────────
+function cmdLogout(): void {
+  const name = positional[0];
+  if (!name) {
+    console.log(red("Usage: codex-proxy logout <account-name>"));
+    return;
+  }
+  if (removeAccount(name)) {
+    console.log(green("✓") + ` Removed "${name}"`);
+  } else {
+    console.log(red(`Account "${name}" not found.`));
+  }
+}
+
+// ── accounts ────────────────────────────────────────────────────
+function cmdAccounts(): void {
+  const accounts = getAccounts();
+  if (accounts.length === 0) {
+    console.log(dim("No accounts. Run codex-proxy login to add one."));
+    return;
+  }
+  console.log();
+  for (const a of accounts) {
+    const ago = timeAgo(new Date(a.addedAt));
+    console.log(`  ${bold(a.name.padEnd(16))} ${dim(maskToken(a.token))}  ${dim(ago)}`);
+  }
+  console.log();
+}
+
+// ── config ──────────────────────────────────────────────────────
+function cmdConfig(): void {
+  const s = getSettings();
+  console.log();
+  console.log(`  ${dim("port")}       ${s.port}`);
+  console.log(`  ${dim("upstream")}   ${s.upstream}`);
+  console.log(`  ${dim("cooldown")}   ${s.cooldownMinutes}m`);
+  console.log();
+  console.log(
+    dim(`  Edit: codex-proxy config --port 5000`)
+  );
+
+  // Handle inline config changes
+  const port = getFlag("-p", "--port") ?? getFlag("--port", "--port");
+  const upstream = getFlag("-u", "--upstream") ?? getFlag("--upstream", "--upstream");
+  const cooldown = getFlag("-c", "--cooldown") ?? getFlag("--cooldown", "--cooldown");
+
+  const changes: Partial<{ port: number; upstream: string; cooldownMinutes: number }> = {};
+  if (port) changes.port = parseInt(port);
+  if (upstream) changes.upstream = upstream;
+  if (cooldown) changes.cooldownMinutes = parseInt(cooldown);
+
+  if (Object.keys(changes).length > 0) {
+    updateSettings(changes);
+    console.log(green("\n  ✓ Updated"));
+  }
+}
+
+// ── help ────────────────────────────────────────────────────────
+function cmdHelp(): void {
+  console.log(`
+  ${bold("codex-proxy")} ${dim(`v${VERSION}`)} — OpenAI API proxy with account rotation
+
+  ${bold("Usage")}
+    codex-proxy <command> [options]
+
+  ${bold("Commands")}
+    ${cyan("login")}  [name]         Add an account via browser
+    ${cyan("logout")} <name>         Remove an account
+    ${cyan("accounts")}               List all connected accounts
+    ${cyan("start")}                  Start the proxy server
+    ${cyan("stop")}                   Stop the proxy server
+    ${cyan("status")}                 Show proxy and account status
+    ${cyan("config")}                 Show or update configuration
+
+  ${bold("Options")}  ${dim("(for start)")}
+    -p, --port <n>           Port number ${dim("(default: 4000)")}
+    -u, --upstream <url>     Upstream API URL ${dim("(default: https://api.openai.com)")}
+    -d, --daemon             Run in background
+
+  ${bold("Quick start")}
+    ${dim("$")} codex-proxy login
+    ${dim("$")} codex-proxy login work
+    ${dim("$")} codex-proxy start
+
+  ${bold("Configure your tool")}
+    Point your OpenAI-compatible tool to ${cyan("http://localhost:4000/v1")}
+`);
+}
+
+// ── Helpers ─────────────────────────────────────────────────────
+function maskToken(token: string): string {
+  if (token.length <= 8) return "••••••••";
+  return token.slice(0, 4) + "••••" + token.slice(-4);
+}
+
+function timeAgo(date: Date): string {
+  const sec = Math.floor((Date.now() - date.getTime()) / 1000);
+  if (sec < 60) return "just now";
+  if (sec < 3600) return `${Math.floor(sec / 60)}m ago`;
+  if (sec < 86400) return `${Math.floor(sec / 3600)}h ago`;
+  return `${Math.floor(sec / 86400)}d ago`;
+}
+
+function printAccountTable(accounts: any[]): void {
+  for (const a of accounts) {
+    const indicator = a.status === "ready" ? green("●") : yellow("◑");
+    const status =
+      a.status === "ready"
+        ? a.active
+          ? green("active")
+          : dim("standby")
+        : yellow(`cooldown ${a.cooldownRemaining}`);
+    const stats = dim(
+      `${String(a.totalRequests).padStart(4)} req  ${String(a.errors).padStart(2)} err`
+    );
+    console.log(`  ${indicator} ${bold(a.name.padEnd(16))} ${status.padEnd(30)} ${stats}`);
+  }
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+main().catch((err) => {
+  console.error(red(err.message));
+  process.exit(1);
+});

package/src/config.ts

@@ -0,0 +1,113 @@
+import { mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+
+// ── Paths ───────────────────────────────────────────────────────
+export const DATA_DIR = join(homedir(), ".codex-proxy");
+const ACCOUNTS_FILE = join(DATA_DIR, "accounts.json");
+const SETTINGS_FILE = join(DATA_DIR, "settings.json");
+export const PID_FILE = join(DATA_DIR, "proxy.pid");
+export const LOG_FILE = join(DATA_DIR, "proxy.log");
+
+// ── Types ───────────────────────────────────────────────────────
+export interface Account {
+  name: string;
+  token: string;
+  refreshToken?: string;
+  accountId?: string;
+  addedAt: string;
+  lastRefresh?: string;
+}
+
+export interface Settings {
+  port: number;
+  upstream: string;
+  cooldownMinutes: number;
+}
+
+const DEFAULTS: Settings = {
+  port: 4000,
+  upstream: "https://api.openai.com",
+  cooldownMinutes: 60,
+};
+
+// ── Helpers ─────────────────────────────────────────────────────
+export function ensureDataDir(): void {
+  mkdirSync(DATA_DIR, { recursive: true });
+}
+
+function readJson<T>(path: string, fallback: T): T {
+  try {
+    return JSON.parse(readFileSync(path, "utf-8"));
+  } catch {
+    return fallback;
+  }
+}
+
+function writeJson(path: string, data: unknown): void {
+  ensureDataDir();
+  writeFileSync(path, JSON.stringify(data, null, 2) + "\n");
+}
+
+// ── Accounts ────────────────────────────────────────────────────
+export function getAccounts(): Account[] {
+  return readJson<{ accounts: Account[] }>(ACCOUNTS_FILE, { accounts: [] })
+    .accounts;
+}
+
+export function addAccount(account: Account): void {
+  const accounts = getAccounts();
+  const idx = accounts.findIndex((a) => a.name === account.name);
+  if (idx >= 0) accounts[idx] = account;
+  else accounts.push(account);
+  writeJson(ACCOUNTS_FILE, { accounts });
+}
+
+export function removeAccount(name: string): boolean {
+  const accounts = getAccounts();
+  const filtered = accounts.filter((a) => a.name !== name);
+  if (filtered.length === accounts.length) return false;
+  writeJson(ACCOUNTS_FILE, { accounts: filtered });
+  return true;
+}
+
+// ── Settings ────────────────────────────────────────────────────
+export function getSettings(): Settings {
+  return {
+    ...DEFAULTS,
+    ...readJson<Partial<Settings>>(SETTINGS_FILE, {}),
+  };
+}
+
+export function updateSettings(partial: Partial<Settings>): void {
+  writeJson(SETTINGS_FILE, { ...getSettings(), ...partial });
+}
+
+// ── PID ─────────────────────────────────────────────────────────
+export function readPid(): number | null {
+  try {
+    return parseInt(readFileSync(PID_FILE, "utf-8").trim());
+  } catch {
+    return null;
+  }
+}
+
+export function writePid(pid: number): void {
+  ensureDataDir();
+  writeFileSync(PID_FILE, String(pid));
+}
+
+export function removePid(): void {
+  try {
+    unlinkSync(PID_FILE);
+  } catch {}
+}
+
+export function isRunning(pid: number): boolean {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/src/login.ts

@@ -0,0 +1,261 @@
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
+import { exec } from "node:child_process";
+import { addAccount, type Account } from "./config.ts";
+
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const ISSUER = "https://auth.openai.com";
+const AUTHORIZE_URL = `${ISSUER}/oauth/authorize`;
+const TOKEN_URL = `${ISSUER}/oauth/token`;
+const SCOPES = "openid profile email offline_access";
+const REFRESH_SCOPES = "openid profile email";
+
+// ── PKCE ────────────────────────────────────────────────────────
+function generatePKCE(): { verifier: string; challenge: string } {
+  const verifier = randomBytes(64).toString("base64url");
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+// ── Login flow ──────────────────────────────────────────────────
+export async function loginFlow(accountName?: string): Promise<void> {
+  const { verifier, challenge } = generatePKCE();
+  const state = randomBytes(32).toString("base64url");
+
+  return new Promise<void>((resolve, reject) => {
+    let port: number = 1455;
+
+    const server = createServer(async (req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+
+      if (url.pathname !== "/auth/callback") {
+        res.writeHead(404);
+        res.end();
+        return;
+      }
+
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? error;
+        res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+        res.end(resultPage(false, desc));
+        finish(reject, server, new Error(desc));
+        return;
+      }
+
+      if (url.searchParams.get("state") !== state) {
+        res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+        res.end(resultPage(false, "State mismatch — try again."));
+        finish(reject, server, new Error("state mismatch"));
+        return;
+      }
+
+      const code = url.searchParams.get("code")!;
+
+      try {
+        // Step 1: exchange authorization code for tokens
+        const tokens = await tokenRequest({
+          grant_type: "authorization_code",
+          code,
+          redirect_uri: `http://localhost:${port}/auth/callback`,
+          client_id: CLIENT_ID,
+          code_verifier: verifier,
+        });
+
+        // Step 2: exchange id_token for an OpenAI API key
+        const apiKey = await exchangeForApiKey(tokens.id_token);
+
+        // Parse JWT for display info + account ID
+        const claims = parseJwt(tokens.id_token);
+        const email = (claims.email as string) ?? "unknown";
+        const authClaims = (claims["https://api.openai.com/auth"] ?? {}) as Record<string, string>;
+        const accountId = authClaims.chatgpt_account_id;
+        const name = accountName || email.split("@")[0];
+
+        addAccount({
+          name,
+          token: apiKey,
+          refreshToken: tokens.refresh_token,
+          accountId,
+          addedAt: new Date().toISOString(),
+          lastRefresh: new Date().toISOString(),
+        });
+
+        res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+        res.end(resultPage(true, `Connected as "${name}" (${email})`));
+
+        console.log(`\x1b[32m✓\x1b[0m Connected "${name}" (${email})`);
+        finish(resolve, server);
+      } catch (err: any) {
+        res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+        res.end(resultPage(false, err.message));
+        finish(reject, server, err);
+      }
+    });
+
+    // Use port 1455 — same as official Codex CLI (registered redirect_uri)
+    server.listen(1455, () => {
+      port = 1455;
+
+      const params = new URLSearchParams({
+        response_type: "code",
+        client_id: CLIENT_ID,
+        redirect_uri: `http://localhost:${port}/auth/callback`,
+        scope: SCOPES,
+        code_challenge: challenge,
+        code_challenge_method: "S256",
+        state,
+      });
+
+      const authUrl = `${AUTHORIZE_URL}?${params}`;
+
+      console.log("  Opening browser to sign in with OpenAI...");
+      console.log(
+        `  If it doesn't open, visit:\n  \x1b[36m${authUrl}\x1b[0m\n`
+      );
+
+      openBrowser(authUrl);
+    });
+
+    server.on("error", (err: NodeJS.ErrnoException) => {
+      if (err.code === "EADDRINUSE") {
+        console.error(
+          "\x1b[31mPort 1455 is in use (maybe Codex CLI is running?).\x1b[0m"
+        );
+        console.error("Close it and try again.");
+      }
+      reject(err);
+    });
+  });
+}
+
+// ── Token refresh ───────────────────────────────────────────────
+export async function refreshAccount(
+  account: Account
+): Promise<string | null> {
+  if (!account.refreshToken) return null;
+
+  try {
+    const tokens = await tokenRequest({
+      client_id: CLIENT_ID,
+      grant_type: "refresh_token",
+      refresh_token: account.refreshToken,
+      scope: REFRESH_SCOPES,
+    });
+
+    const apiKey = await exchangeForApiKey(tokens.id_token);
+
+    addAccount({
+      ...account,
+      token: apiKey,
+      refreshToken: tokens.refresh_token,
+      lastRefresh: new Date().toISOString(),
+    });
+
+    return apiKey;
+  } catch {
+    return null;
+  }
+}
+
+// ── Helpers ─────────────────────────────────────────────────────
+async function tokenRequest(
+  params: Record<string, string>
+): Promise<{ id_token: string; access_token: string; refresh_token: string }> {
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams(params).toString(),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token request failed (${res.status}): ${text}`);
+  }
+
+  return res.json() as any;
+}
+
+async function exchangeForApiKey(idToken: string): Promise<string> {
+  const res = await tokenRequest({
+    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
+    requested_token: "openai-api-key",
+    subject_token: idToken,
+    subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
+    client_id: CLIENT_ID,
+  });
+
+  return res.access_token;
+}
+
+function parseJwt(token: string): Record<string, unknown> {
+  const payload = token.split(".")[1];
+  return JSON.parse(Buffer.from(payload, "base64url").toString());
+}
+
+function openBrowser(url: string): void {
+  const cmd =
+    process.platform === "darwin"
+      ? `open "${url}"`
+      : process.platform === "win32"
+        ? `start "" "${url}"`
+        : `xdg-open "${url}"`;
+  exec(cmd, () => {});
+}
+
+function finish(
+  cb: (value?: any) => void,
+  server: ReturnType<typeof createServer>,
+  err?: Error
+): void {
+  setTimeout(() => {
+    server.close();
+    if (err) cb(err);
+    else cb();
+  }, 500);
+}
+
+// ── Callback result page ────────────────────────────────────────
+function resultPage(success: boolean, message: string): string {
+  const icon = success ? "&#x2713;" : "&#x2717;";
+  const color = success ? "#3fb950" : "#f85149";
+  const title = success ? "Connected!" : "Something went wrong";
+  const sub = success
+    ? "You can close this tab and return to your terminal."
+    : "Check your terminal for details.";
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>codex-proxy</title>
+<style>
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body {
+    background: #0d1117; color: #c9d1d9;
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+    display: flex; justify-content: center; align-items: center;
+    min-height: 100vh; padding: 1rem;
+  }
+  .card {
+    background: #161b22; border: 1px solid #30363d;
+    border-radius: 12px; padding: 2.5rem;
+    max-width: 420px; width: 100%; text-align: center;
+  }
+  .icon { font-size: 3rem; color: ${color}; margin-bottom: 0.75rem; }
+  h1 { font-size: 1.4rem; margin-bottom: 0.5rem; color: ${color}; }
+  .msg { color: #c9d1d9; margin-bottom: 1rem; font-size: 0.95rem; }
+  .sub { color: #8b949e; font-size: 0.85rem; }
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="icon">${icon}</div>
+  <h1>${title}</h1>
+  <p class="msg">${message}</p>
+  <p class="sub">${sub}</p>
+</div>
+</body>
+</html>`;
+}

package/src/pool.ts

@@ -0,0 +1,136 @@
+import type { Account } from "./config.ts";
+
+interface AccountState {
+  account: Account;
+  status: "ready" | "cooldown";
+  cooldownUntil: number;
+  totalRequests: number;
+  errors: number;
+}
+
+export class AccountPool {
+  private states: AccountState[];
+  private index = 0;
+  private cooldownMs: number;
+
+  constructor(accounts: Account[], cooldownMinutes: number) {
+    this.cooldownMs = cooldownMinutes * 60_000;
+    this.states = accounts.map((account) => ({
+      account,
+      status: "ready" as const,
+      cooldownUntil: 0,
+      totalRequests: 0,
+      errors: 0,
+    }));
+  }
+
+  get size(): number {
+    return this.states.length;
+  }
+
+  /** Sticky — stays on current account until it hits a limit, then rotates. */
+  getNext(): { account: Account; name: string } | null {
+    const now = Date.now();
+
+    for (const s of this.states) {
+      if (s.status === "cooldown" && now >= s.cooldownUntil) {
+        s.status = "ready";
+        log("green", `↩ ${s.account.name} back from cooldown`);
+      }
+    }
+
+    // Prefer current (sticky)
+    if (this.states[this.index]?.status === "ready") {
+      this.states[this.index].totalRequests++;
+      return {
+        account: this.states[this.index].account,
+        name: this.states[this.index].account.name,
+      };
+    }
+
+    // Find next ready
+    for (let i = 1; i < this.states.length; i++) {
+      const idx = (this.index + i) % this.states.length;
+      if (this.states[idx].status === "ready") {
+        this.index = idx;
+        this.states[idx].totalRequests++;
+        return {
+          account: this.states[idx].account,
+          name: this.states[idx].account.name,
+        };
+      }
+    }
+
+    return null;
+  }
+
+  markCooldown(name: string): void {
+    const state = this.states.find((s) => s.account.name === name);
+    if (!state) return;
+    state.status = "cooldown";
+    state.cooldownUntil = Date.now() + this.cooldownMs;
+    state.errors++;
+    const idx = this.states.indexOf(state);
+    this.index = (idx + 1) % this.states.length;
+    log(
+      "yellow",
+      `⏸ ${name} → cooldown for ${Math.round(this.cooldownMs / 60_000)}m`
+    );
+  }
+
+  reload(accounts: Account[]): void {
+    // Preserve state for existing accounts, add new ones
+    const oldMap = new Map(this.states.map((s) => [s.account.name, s]));
+    this.states = accounts.map((account) => {
+      const existing = oldMap.get(account.name);
+      if (existing) {
+        existing.account = account; // update token
+        return existing;
+      }
+      return {
+        account,
+        status: "ready" as const,
+        cooldownUntil: 0,
+        totalRequests: 0,
+        errors: 0,
+      };
+    });
+    if (this.index >= this.states.length) this.index = 0;
+  }
+
+  updateToken(name: string, newToken: string): void {
+    const state = this.states.find((s) => s.account.name === name);
+    if (state) state.account.token = newToken;
+  }
+
+  getStatus(): object[] {
+    const now = Date.now();
+    return this.states.map((s, i) => ({
+      name: s.account.name,
+      active: i === this.index && s.status === "ready",
+      status: s.status,
+      cooldownRemaining:
+        s.status === "cooldown"
+          ? Math.max(0, Math.ceil((s.cooldownUntil - now) / 60_000)) + "m"
+          : null,
+      totalRequests: s.totalRequests,
+      errors: s.errors,
+    }));
+  }
+}
+
+// ── Logging ─────────────────────────────────────────────────────
+const C: Record<string, string> = {
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  cyan: "\x1b[36m",
+  dim: "\x1b[2m",
+  reset: "\x1b[0m",
+};
+
+export function log(color: string, msg: string): void {
+  const c = C[color] ?? "";
+  const ts = new Date().toLocaleTimeString("en-US", { hour12: false });
+  console.log(`${C.dim}${ts}${C.reset} ${c}${msg}${C.reset}`);
+}

package/src/server.ts

@@ -0,0 +1,247 @@
+import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
+import { execSync } from "node:child_process";
+import { type as osType, release, arch } from "node:os";
+import { getAccounts, getSettings, writePid, removePid, type Account } from "./config.ts";
+import { refreshAccount } from "./login.ts";
+import { AccountPool, log } from "./pool.ts";
+
+const ROTATE_ON = new Set([429, 402]);
+const STRIP_REQ = new Set([
+  "host", "authorization", "connection", "content-length",
+  "user-agent", "originator",
+]);
+const STRIP_RES = new Set(["transfer-encoding", "connection"]);
+
+// ── Codex-style User-Agent ──────────────────────────────────────
+// Map TERM_PROGRAM values to Codex CLI terminal tokens
+const TERMINAL_MAP: Record<string, string> = {
+  "iterm.app": "iterm2",
+  "iterm": "iterm2",
+  "apple_terminal": "apple-terminal",
+  "terminal": "apple-terminal",
+  "warpterminal": "warp",
+  "wezterm": "wezterm",
+  "vscode": "vscode",
+  "ghostty": "ghostty",
+  "alacritty": "alacritty",
+  "kitty": "kitty",
+  "konsole": "konsole",
+  "gnome-terminal": "gnome-terminal",
+  "windows terminal": "windows-terminal",
+};
+
+function buildUserAgent(): string {
+  let os = osType();
+  let ver = release();
+  if (os === "Darwin") {
+    os = "Mac OS";
+    try { ver = execSync("sw_vers -productVersion", { encoding: "utf-8" }).trim(); } catch {}
+  }
+  const raw = (process.env.TERM_PROGRAM ?? "").toLowerCase().replace(/\.app$/i, "");
+  const terminal = TERMINAL_MAP[raw] ?? (raw || "unknown-terminal");
+  return `codex_cli_rs/0.1.0 (${os} ${ver}; ${arch()}) ${terminal}`;
+}
+
+const CODEX_USER_AGENT = buildUserAgent();
+
+function codexHeaders(account: Account): Record<string, string> {
+  const h: Record<string, string> = {
+    "user-agent": CODEX_USER_AGENT,
+    "originator": "codex_cli_rs",
+  };
+  if (account.accountId) {
+    h["chatgpt-account-id"] = account.accountId;
+  }
+  return h;
+}
+
+export function startProxy(): void {
+  const settings = getSettings();
+  const accounts = getAccounts();
+  const upstream = settings.upstream.replace(/\/$/, "");
+
+  if (accounts.length === 0) {
+    console.error(
+      "\x1b[31mNo accounts configured. Run `codex-proxy login` first.\x1b[0m"
+    );
+    process.exit(1);
+  }
+
+  const pool = new AccountPool(accounts, settings.cooldownMinutes);
+
+  const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const url = new URL(req.url ?? "/", `http://localhost:${settings.port}`);
+
+    // ── Internal endpoints ────────────────────────────────────
+    if (url.pathname === "/_status") {
+      json(res, 200, { accounts: pool.getStatus() });
+      return;
+    }
+
+    if (url.pathname === "/_reload") {
+      pool.reload(getAccounts());
+      log("green", "↻ accounts reloaded");
+      json(res, 200, { ok: true, accounts: pool.size });
+      return;
+    }
+
+    // ── Buffer body for retries ───────────────────────────────
+    const chunks: Buffer[] = [];
+    for await (const chunk of req) chunks.push(chunk as Buffer);
+    let body = chunks.length > 0 ? Buffer.concat(chunks) : null;
+
+    // ── Forward headers ───────────────────────────────────────
+    const fwdHeaders: Record<string, string> = {};
+    for (const [k, v] of Object.entries(req.headers)) {
+      if (v && !STRIP_REQ.has(k.toLowerCase())) {
+        fwdHeaders[k] = Array.isArray(v) ? v.join(", ") : v;
+      }
+    }
+
+    // ── Try each account ──────────────────────────────────────
+    for (let attempt = 0; attempt < pool.size; attempt++) {
+      const entry = pool.getNext();
+      if (!entry) break;
+
+      const target = `${upstream}${url.pathname}${url.search}`;
+      log("cyan", `→ ${req.method} ${url.pathname} via ${entry.name}`);
+
+      // Inner loop: try once, and if 401 + refreshable, refresh and retry
+      let currentToken = entry.account.token;
+      for (let retry = 0; retry < 2; retry++) {
+        try {
+          const fetchRes = await fetch(target, {
+            method: req.method,
+            headers: {
+              ...fwdHeaders,
+              ...codexHeaders(entry.account),
+              authorization: `Bearer ${currentToken}`,
+              ...(body ? { "content-length": String(body.byteLength) } : {}),
+            },
+            body,
+          });
+
+          // ── 401: try token refresh before rotating ────────
+          if (fetchRes.status === 401 && retry === 0 && entry.account.refreshToken) {
+            await fetchRes.text();
+            log("yellow", `⟳ ${entry.name} got 401 — refreshing token`);
+            const newToken = await refreshAccount(entry.account);
+            if (newToken) {
+              currentToken = newToken;
+              entry.account.token = newToken;
+              pool.updateToken(entry.name, newToken);
+              log("green", `✓ ${entry.name} token refreshed`);
+              continue; // retry inner loop
+            }
+            log("red", `✗ ${entry.name} refresh failed — rotating`);
+            pool.markCooldown(entry.name);
+            break; // move to next account
+          }
+
+          // ── Rate limit / quota → rotate ───────────────────
+          if (ROTATE_ON.has(fetchRes.status)) {
+            await fetchRes.text();
+            log("red", `✗ ${entry.name} hit ${fetchRes.status} — rotating`);
+            pool.markCooldown(entry.name);
+            break;
+          }
+
+          if (fetchRes.status === 403) {
+            const text = await fetchRes.text();
+            if (/quota|limit|exceeded|rate/i.test(text)) {
+              log("red", `✗ ${entry.name} 403 quota — rotating`);
+              pool.markCooldown(entry.name);
+              break;
+            }
+            log("yellow", `✗ 403 (not quota) — forwarding`);
+            forward(res, 403, fetchRes.headers, text);
+            return;
+          }
+
+          // ── Stream response back ──────────────────────────
+          log("green", `✓ ${fetchRes.status}`);
+          const resHeaders: Record<string, string> = {};
+          fetchRes.headers.forEach((v, k) => {
+            if (!STRIP_RES.has(k.toLowerCase())) resHeaders[k] = v;
+          });
+          res.writeHead(fetchRes.status, resHeaders);
+
+          if (fetchRes.body) {
+            const reader = (fetchRes.body as ReadableStream<Uint8Array>).getReader();
+            try {
+              while (true) {
+                const { done, value } = await reader.read();
+                if (done) break;
+                res.write(value);
+              }
+            } catch {}
+            res.end();
+          } else {
+            res.end();
+          }
+          return;
+        } catch (err) {
+          log("red", `✗ ${entry.name} network error: ${err}`);
+          pool.markCooldown(entry.name);
+          break;
+        }
+      }
+    }
+
+    log("red", "✗ all accounts exhausted");
+    json(res, 503, {
+      error: {
+        message: "All accounts exhausted. Check /_status for cooldown times.",
+        type: "proxy_error",
+      },
+    });
+  });
+
+  // ── Lifecycle ─────────────────────────────────────────────────
+  writePid(process.pid);
+
+  const shutdown = () => {
+    log("yellow", "shutting down...");
+    removePid();
+    server.close(() => process.exit(0));
+    setTimeout(() => process.exit(0), 3000);
+  };
+  process.on("SIGTERM", shutdown);
+  process.on("SIGINT", shutdown);
+
+  server.listen(settings.port, () => {
+    console.log();
+    console.log("  \x1b[36mcodex-proxy\x1b[0m");
+    console.log(`  upstream   ${upstream}`);
+    console.log(`  port       ${settings.port}`);
+    console.log(`  accounts   ${accounts.map((a) => a.name).join(", ")}`);
+    console.log(`  cooldown   ${settings.cooldownMinutes}m`);
+    console.log();
+    log("green", `listening on http://localhost:${settings.port}`);
+    console.log();
+  });
+}
+
+function json(res: ServerResponse, status: number, data: unknown): void {
+  res.writeHead(status, { "content-type": "application/json" });
+  res.end(JSON.stringify(data, null, 2));
+}
+
+function forward(
+  res: ServerResponse,
+  status: number,
+  headers: Headers,
+  body: string
+): void {
+  const h: Record<string, string> = {};
+  headers.forEach((v, k) => {
+    if (!STRIP_RES.has(k.toLowerCase())) h[k] = v;
+  });
+  res.writeHead(status, h);
+  res.end(body);
+}
+
+// Allow running directly for daemon mode
+if (process.env.CODEX_PROXY_DAEMON === "1") {
+  startProxy();
+}