codex-webapp 0.1.0-beta.1

package/SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+Codex WebApp is a local-first companion UI. Treat Codex remote-control
+as a powerful local execution surface.
+
+Remote use requires Tailscale, Cloudflare Access, or an equivalent trusted
+access boundary. Exposing a raw app-server on a public IP can give another
+person practical control over your local development machine.
+
+The bundled UI server is static and localhost-first. It binds to `127.0.0.1` by
+default and refuses non-loopback hosts unless the operator passes
+`--allow-non-loopback`. That flag is not an authentication layer; it only records
+that the operator has intentionally moved the server outside loopback and must
+already have a trusted boundary.
+
+## Supported Surface
+
+This public package candidate supports:
+
+- local Codex CLI readiness checks
+- local `codex remote-control` startup
+- browser/mobile UI scaffolding
+- trusted-network operation behind localhost, Tailscale, Cloudflare Access, or
+  an equivalent private access boundary
+
+## Not Supported
+
+Do not use this package to:
+
+- expose a raw app-server to the public internet
+- bypass Codex approval or sandbox policy
+- store tokens, cookies, session IDs, private keys, or customer data
+- represent the tool as an official OpenAI product
+- turn a completed Codex turn into a deployment or release approval
+
+## Reporting
+
+Please report security issues privately to the maintainer before opening a
+public issue. Public reports should avoid logs, screenshots, URLs, or examples
+that include secrets, internal repository names, customer data, or private
+network details.
+
+## Safe Defaults
+
+The public module should fail closed when:
+
+- Codex CLI is missing
+- Codex CLI is older than `0.130.0`
+- `codex remote-control --help` fails
+- no trusted access boundary is configured for remote use
+- the UI server is asked to bind to a non-loopback host without explicit
+  operator override
+- unknown app-server events cannot be safely classified
+
+Maintainers and contributors are not responsible for damage caused by exposing the
+server without a VPN, trusted proxy, or equivalent access control.

package/SUPPORT.md

@@ -0,0 +1,64 @@
+# Support
+
+Codex WebApp is a local-first companion UI. Start with the checks below before
+opening an issue.
+
+Before asking for help:
+
+```bash
+npx codex-webapp doctor
+npx codex-webapp start --dry-run
+npx codex-webapp smoke --url http://127.0.0.1:8214/
+```
+
+When reporting an issue, include:
+
+- OS and shell
+- Node.js version
+- Codex CLI version
+- command output from `doctor`
+- whether the Codex-style browser UI opened locally
+
+Do not include:
+
+- API keys
+- OAuth tokens
+- cookies
+- session IDs
+- private repository names or contents
+- customer data
+- private network URLs
+
+Security issues should be reported privately first. Public issues should use
+redacted logs only.
+
+## Failure Matrix
+
+| Symptom | First check | What to tell a non-engineer |
+|---|---|---|
+| Codex is missing | `codex --version` | Codex is not installed on this machine yet. Ask Codex App to explain the update command before continuing. |
+| Codex is too old | `codex --version` | `remote-control` needs Codex `0.130.0` or newer. Update Codex, then rerun `doctor`. |
+| `remote-control` is unavailable | `codex remote-control --help` | Codex is installed, but this build does not expose the remote-control command. Update Codex and retry. |
+| Package is unavailable | `npx codex-webapp doctor` | The package may not be public on npm yet. Check npm package status or test from a local tarball during validation. |
+| Port is busy | `start --dry-run` or `start` output | Change the local port with `--port <port>` and retry. |
+| UI does not open | `smoke --url <printed-url>` | The server may not be running or the wrong URL was opened. Smoke-test the exact printed URL. |
+| Browser/mobile cannot reach it | trusted access boundary | Keep localhost local. For phone or another PC, set up Tailscale, Cloudflare Access, or an equivalent private boundary first. |
+| Smoke fails | `smoke` output | Capture the first failed step and stop. Do not keep retrying with private URLs or secrets in the transcript. |
+
+## Codex App Diagnosis Prompt
+
+```text
+Please diagnose this Codex WebApp setup failure.
+
+Do not print tokens, cookies, private repo contents, customer data, or internal URLs.
+Use only redacted command output.
+
+Check in this order:
+1. Codex version.
+2. Whether `codex remote-control --help` works.
+3. `npx codex-webapp doctor`.
+4. `npx codex-webapp start --dry-run`.
+5. Smoke test against the exact URL printed by start.
+
+Tell me the first failed step, likely cause, and the next safe action.
+```

package/bin/codex-webapp.mjs

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import { main } from "../src/commands.js";
+
+await main(process.argv);

package/docs/assets/codex-webapp-mobile.svg

@@ -0,0 +1,50 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1280" height="720" viewBox="0 0 1280 720" role="img" aria-labelledby="title desc">
+  <title id="title">Mobile and trusted-access concept</title>
+  <desc id="desc">A public-safe concept image showing Codex App, a local machine, trusted access, and a phone browser.</desc>
+  <defs>
+    <linearGradient id="panel" x1="0" x2="1" y1="0" y2="1">
+      <stop offset="0%" stop-color="#f8f7f2"/>
+      <stop offset="100%" stop-color="#e8eee7"/>
+    </linearGradient>
+    <filter id="shadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="18" stdDeviation="22" flood-color="#000000" flood-opacity="0.24"/>
+    </filter>
+  </defs>
+  <rect width="1280" height="720" fill="#111111"/>
+  <text x="72" y="92" font-family="Inter, Arial, sans-serif" font-size="44" font-weight="800" fill="#ffffff">Codex-style browser access, without exposing the raw server</text>
+  <text x="72" y="134" font-family="Inter, Arial, sans-serif" font-size="22" fill="#b9b9b9">Codex App stays the starting point. Trusted access is the boundary.</text>
+  <g transform="translate(80 208)" filter="url(#shadow)">
+    <rect width="300" height="360" rx="26" fill="url(#panel)"/>
+    <text x="36" y="58" font-family="Inter, Arial, sans-serif" font-size="26" font-weight="800" fill="#161616">Codex App</text>
+    <rect x="36" y="94" width="228" height="178" rx="18" fill="#222222"/>
+    <text x="58" y="136" font-family="SFMono-Regular, Consolas, monospace" font-size="16" fill="#eeeeee">Please set up</text>
+    <text x="58" y="166" font-family="SFMono-Regular, Consolas, monospace" font-size="16" fill="#eeeeee">codex-webapp</text>
+    <text x="58" y="210" font-family="SFMono-Regular, Consolas, monospace" font-size="16" fill="#77d99d">doctor</text>
+    <text x="58" y="240" font-family="SFMono-Regular, Consolas, monospace" font-size="16" fill="#77d99d">smoke</text>
+    <text x="36" y="318" font-family="Inter, Arial, sans-serif" font-size="18" fill="#4d554f">Paste one prompt. Codex runs the setup path.</text>
+  </g>
+  <g transform="translate(490 208)" filter="url(#shadow)">
+    <rect width="300" height="360" rx="26" fill="url(#panel)"/>
+    <text x="36" y="58" font-family="Inter, Arial, sans-serif" font-size="26" font-weight="800" fill="#161616">Local Machine</text>
+    <rect x="42" y="106" width="216" height="128" rx="18" fill="#ffffff" stroke="#cfd8cf"/>
+    <rect x="74" y="144" width="152" height="16" rx="8" fill="#2f7a5b"/>
+    <rect x="74" y="180" width="104" height="16" rx="8" fill="#8b948e"/>
+    <text x="56" y="276" font-family="SFMono-Regular, Consolas, monospace" font-size="18" fill="#2a2a2a">127.0.0.1:8214</text>
+    <text x="36" y="318" font-family="Inter, Arial, sans-serif" font-size="18" fill="#4d554f">Raw server stays local by default.</text>
+  </g>
+  <g transform="translate(900 176)" filter="url(#shadow)">
+    <rect width="240" height="430" rx="38" fill="#f7f7f4"/>
+    <rect x="20" y="20" width="200" height="390" rx="28" fill="#151515"/>
+    <rect x="48" y="64" width="144" height="12" rx="6" fill="#444444"/>
+    <text x="48" y="158" font-family="Inter, Arial, sans-serif" font-size="26" font-weight="800" fill="#f4f4f4">What should</text>
+    <text x="48" y="192" font-family="Inter, Arial, sans-serif" font-size="26" font-weight="800" fill="#f4f4f4">we build?</text>
+    <rect x="42" y="260" width="156" height="52" rx="26" fill="#2d2d2d"/>
+    <circle cx="172" cy="286" r="18" fill="#a8a8a8"/>
+  </g>
+  <path d="M398 388 H470" stroke="#f2f2f2" stroke-width="8" stroke-linecap="round"/>
+  <path d="M452 368 L476 388 L452 408" fill="none" stroke="#f2f2f2" stroke-width="8" stroke-linecap="round" stroke-linejoin="round"/>
+  <path d="M808 388 H880" stroke="#f2f2f2" stroke-width="8" stroke-linecap="round"/>
+  <path d="M862 368 L886 388 L862 408" fill="none" stroke="#f2f2f2" stroke-width="8" stroke-linecap="round" stroke-linejoin="round"/>
+  <rect x="392" y="594" width="496" height="56" rx="28" fill="#2f7a5b"/>
+  <text x="430" y="630" font-family="Inter, Arial, sans-serif" font-size="22" font-weight="800" fill="#ffffff">Tailscale / Cloudflare Access / trusted boundary</text>
+</svg>

package/docs/assets/codex-webapp-overview.svg

@@ -0,0 +1,53 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1280" height="720" viewBox="0 0 1280 720" role="img" aria-labelledby="title desc">
+  <title id="title">Codex WebApp overview</title>
+  <desc id="desc">A public-safe overview showing Codex App prompt, npm beta package, local browser UI, smoke evidence, and trusted access boundary.</desc>
+  <defs>
+    <linearGradient id="bg" x1="0" x2="1" y1="0" y2="1">
+      <stop offset="0%" stop-color="#111111"/>
+      <stop offset="100%" stop-color="#1f2a24"/>
+    </linearGradient>
+    <filter id="shadow" x="-20%" y="-20%" width="140%" height="140%">
+      <feDropShadow dx="0" dy="18" stdDeviation="20" flood-color="#000000" flood-opacity="0.32"/>
+    </filter>
+  </defs>
+  <rect width="1280" height="720" fill="url(#bg)"/>
+  <rect x="48" y="44" width="1184" height="632" rx="28" fill="#f6f4ef"/>
+  <text x="96" y="122" font-family="Inter, Arial, sans-serif" font-size="48" font-weight="800" fill="#151515">Codex WebApp</text>
+  <text x="96" y="164" font-family="Inter, Arial, sans-serif" font-size="22" fill="#4b514c">Prompt-driven browser companion for Codex App users</text>
+  <g transform="translate(96 220)" filter="url(#shadow)">
+    <rect width="310" height="312" rx="18" fill="#ffffff" stroke="#d7d1c5"/>
+    <text x="28" y="52" font-family="Inter, Arial, sans-serif" font-size="24" font-weight="800" fill="#151515">1. Paste Prompt</text>
+    <rect x="28" y="84" width="254" height="150" rx="14" fill="#151515"/>
+    <text x="48" y="122" font-family="SFMono-Regular, Consolas, monospace" font-size="17" fill="#eeeeee">Use npm package:</text>
+    <text x="48" y="154" font-family="SFMono-Regular, Consolas, monospace" font-size="17" fill="#77d99d">codex-webapp...</text>
+    <text x="48" y="188" font-family="SFMono-Regular, Consolas, monospace" font-size="17" fill="#eeeeee">doctor</text>
+    <text x="48" y="216" font-family="SFMono-Regular, Consolas, monospace" font-size="17" fill="#eeeeee">start --dry-run</text>
+    <text x="28" y="270" font-family="Inter, Arial, sans-serif" font-size="17" fill="#596159">Codex App can run the setup path without making the user type every command.</text>
+  </g>
+  <g transform="translate(486 220)" filter="url(#shadow)">
+    <rect width="310" height="312" rx="18" fill="#ffffff" stroke="#d7d1c5"/>
+    <text x="28" y="52" font-family="Inter, Arial, sans-serif" font-size="24" font-weight="800" fill="#151515">2. Start Locally</text>
+    <rect x="28" y="84" width="254" height="150" rx="14" fill="#eef2ec"/>
+    <circle cx="70" cy="132" r="14" fill="#2f7a5b"/>
+    <rect x="96" y="118" width="142" height="12" rx="6" fill="#2f7a5b"/>
+    <rect x="70" y="170" width="168" height="12" rx="6" fill="#8a948d"/>
+    <rect x="70" y="202" width="116" height="12" rx="6" fill="#8a948d"/>
+    <text x="28" y="270" font-family="Inter, Arial, sans-serif" font-size="17" fill="#596159">The raw browser server stays on localhost by default.</text>
+  </g>
+  <g transform="translate(876 220)" filter="url(#shadow)">
+    <rect width="310" height="312" rx="18" fill="#ffffff" stroke="#d7d1c5"/>
+    <text x="28" y="52" font-family="Inter, Arial, sans-serif" font-size="24" font-weight="800" fill="#151515">3. Verify UI</text>
+    <rect x="28" y="84" width="254" height="150" rx="14" fill="#151515"/>
+    <rect x="50" y="112" width="210" height="18" rx="9" fill="#3a3a3a"/>
+    <text x="64" y="166" font-family="Inter, Arial, sans-serif" font-size="24" font-weight="700" fill="#eeeeee">What should</text>
+    <text x="64" y="200" font-family="Inter, Arial, sans-serif" font-size="24" font-weight="700" fill="#eeeeee">we build?</text>
+    <text x="28" y="270" font-family="Inter, Arial, sans-serif" font-size="17" fill="#596159">Smoke tests prove a Codex-style surface is reachable before sharing evidence.</text>
+  </g>
+  <path d="M423 376 H466" stroke="#2f7a5b" stroke-width="8" stroke-linecap="round"/>
+  <path d="M453 358 L474 376 L453 394" fill="none" stroke="#2f7a5b" stroke-width="8" stroke-linecap="round" stroke-linejoin="round"/>
+  <path d="M813 376 H856" stroke="#2f7a5b" stroke-width="8" stroke-linecap="round"/>
+  <path d="M843 358 L864 376 L843 394" fill="none" stroke="#2f7a5b" stroke-width="8" stroke-linecap="round" stroke-linejoin="round"/>
+  <rect x="96" y="586" width="1088" height="48" rx="24" fill="#2f7a5b"/>
+  <text x="126" y="617" font-family="Inter, Arial, sans-serif" font-size="20" font-weight="700" fill="#ffffff">Trusted access boundary:</text>
+  <text x="374" y="617" font-family="Inter, Arial, sans-serif" font-size="20" fill="#ffffff">localhost first, then Tailscale or Cloudflare Access. Never expose the raw server directly.</text>
+</svg>

package/docs/codex-app-install.md

@@ -0,0 +1,40 @@
+# Codex App Web Companion Install UX Guide
+
+Audience: a Codex App user who may not operate a terminal directly.
+
+Codex WebApp is an unofficial companion UI. It is not
+affiliated with or endorsed by OpenAI.
+
+This is a prompt-driven npm package path, not a native Codex App marketplace
+install. Codex App runs the setup commands for the user.
+
+The intended experience is simple: paste one instruction into Codex App, let
+Codex check/install the companion, start the local Codex-style Web surface, and
+run a smoke test. For access from another PC or a phone, keep the machine behind
+Tailscale, Cloudflare Access, or an equivalent trusted boundary.
+
+## Paste Prompt
+
+Paste this prompt into Codex App:
+
+```text
+Please verify Codex WebApp on this machine.
+
+Constraints:
+- Treat it as an unofficial companion UI, not an OpenAI-endorsed tool.
+- Do not paste or print tokens, cookies, private repository content, customer data, or internal URLs.
+- Keep any raw Codex browser server or app-server on localhost or behind Tailscale, Cloudflare Access, or an equivalent trusted boundary.
+
+Steps:
+1. Check whether Codex is available and whether `codex remote-control --help` works.
+2. If Codex is older than 0.130.0, explain the update that is needed.
+3. Run `npx codex-webapp doctor`.
+4. Run `npx codex-webapp start --dry-run`.
+5. If a UI server is available, run `npx codex-webapp smoke --url http://127.0.0.1:8214/`.
+6. Use `--browser --screenshot artifacts/codex-webapp.png` only when browser evidence is needed.
+7. Summarize pass/fail status and start a small diagnosis if a step fails.
+```
+
+The proof we want is not that a developer can type commands. The proof is that
+a Codex App user can paste one instruction, receive a clear readiness result,
+and get browser-smoke evidence or a useful failure diagnosis.

package/docs/i18n/README.ko.md

@@ -0,0 +1,95 @@
+> **Unofficial community project.** This project is not affiliated with,
+> endorsed by, sponsored by, or associated with OpenAI or the official Codex App.
+
+# Codex WebApp
+
+[English](../../README.md) / [日本語](../../README.ja.md) / 한국어 / [简体中文](./README.zh-CN.md)
+
+Codex App 사용자를 위한 브라우저 companion입니다.
+
+Codex App에 붙여 넣을 수 있는 프롬프트, `doctor`, 안전한 로컬 실행, 그리고 실제 Codex 스타일 브라우저 화면이 열리는지 확인하는 smoke test를 제공합니다.
+
+![Codex WebApp overview](../assets/codex-webapp-overview.svg)
+
+> OpenAI와 제휴하거나 OpenAI가 보증한 공식 제품이 아닙니다.
+>
+> 원본 UI 서버는 기본적으로 `localhost`에만 두세요. 휴대폰이나 다른 PC에서 접근하려면 Tailscale, Cloudflare Access, 또는 동등한 신뢰 경계를 먼저 설정하세요. 공개 IP에 직접 노출하지 마세요.
+
+Note: The software interface is currently available mainly in English. This
+Korean documentation has been translated for setup convenience.
+
+## 빠른 시작: Codex App
+
+아래 프롬프트를 Codex App에 붙여 넣으세요.
+
+```text
+Please set up Codex WebApp on this machine.
+
+Use this npm package:
+codex-webapp@beta
+
+Please:
+1. Check my Codex version.
+2. Run the package doctor.
+3. Run start in dry-run mode first.
+4. Start the local browser UI only on localhost.
+5. Smoke-test the printed local URL.
+
+Keep everything on localhost unless I already have Tailscale, Cloudflare Access,
+or another trusted access boundary set up.
+
+Do not print tokens, cookies, private repo contents, customer data, or internal URLs.
+```
+
+Codex는 내부적으로 다음과 같은 명령을 실행합니다.
+
+```bash
+npx -y codex-webapp@beta doctor
+npx -y codex-webapp@beta start --dry-run
+npx -y codex-webapp@beta start
+```
+
+`npx`는 npm에 공개된 패키지를 임시로 실행하는 도구입니다. 사용자가 직접 프로젝트를 만들거나 의존성을 관리할 필요를 줄여 줍니다.
+
+## 터미널로 실행
+
+```bash
+codex --version
+codex remote-control --help
+npx -y codex-webapp@beta doctor
+npx -y codex-webapp@beta start --dry-run
+npx -y codex-webapp@beta start
+```
+
+기본 로컬 URL:
+
+```text
+http://127.0.0.1:8214/
+```
+
+## Smoke Test
+
+```bash
+npx -y codex-webapp@beta smoke \
+  --url http://127.0.0.1:8214/
+```
+
+공개 이슈나 스크린샷에는 토큰, 쿠키, private repository, 고객 데이터, 내부 URL을 넣지 마세요.
+
+## 현재 beta의 범위
+
+이 패키지는 Codex App native marketplace plugin, browser extension, one-click installer, managed hosting service가 아닙니다. Codex App에 프롬프트를 붙여 넣고, Codex가 `npx`로 npm 패키지를 실행하는 방식입니다.
+
+현재 beta는 experimental이며 compatibility-first입니다. 현재 `0xcaff/codex-web` commit `585613f5a3a355af5aefc388ca4e31b07a472cda`를 참조하는 Codex 스타일 browser runtime을 실행하고, 그 주변에 설치, 안전, 문서, 검증 evidence 계층을 더합니다.
+
+## Security And Privacy
+
+이 CLI wrapper는 사용자의 prompt, repository, token, cookie, customer data를 이 프로젝트가 운영하는 third-party server로 전송하지 않습니다. 이 패키지는 browser extension을 설치하지 않으며 browser token을 `localStorage`, `chrome.storage`, extension profile에 저장하지 않습니다.
+
+공개 issue나 screenshot에는 secret, private repository, customer data, internal URL을 포함하지 마세요.
+
+## Acknowledgements
+
+현재 beta는 Codex 스타일 브라우저 화면을 제공하는 public project `0xcaff/codex-web`의 접근 방식을 사용하고 참조합니다. 이 프로젝트는 그 주변에 배포, doctor, 안전 경계, 문서, 검증 evidence 계층을 추가합니다.
+
+License: [Apache-2.0](../../LICENSE.md)

package/docs/i18n/README.zh-CN.md

@@ -0,0 +1,95 @@
+> **Unofficial community project.** This project is not affiliated with,
+> endorsed by, sponsored by, or associated with OpenAI or the official Codex App.
+
+# Codex WebApp
+
+[English](../../README.md) / [日本語](../../README.ja.md) / [한국어](./README.ko.md) / 简体中文
+
+这是面向 Codex App 用户的浏览器 companion。
+
+它提供可直接粘贴到 Codex App 的提示词、友好的 `doctor` 检查、安全的本地启动器，以及用于确认真实 Codex 风格浏览器界面是否可访问的 smoke test。
+
+![Codex WebApp overview](../assets/codex-webapp-overview.svg)
+
+> 本项目不隶属于 OpenAI，也未获得 OpenAI 的官方认可或背书。
+>
+> 原始 UI 服务器默认应只监听 `localhost`。如果需要从手机或另一台电脑访问，请先使用 Tailscale、Cloudflare Access，或同等的可信访问边界。不要把原始服务器直接暴露到公网 IP。
+
+Note: The software interface is currently available mainly in English. This
+Simplified Chinese documentation has been translated for setup convenience.
+
+## Codex App 快速开始
+
+把下面的提示词粘贴到 Codex App：
+
+```text
+Please set up Codex WebApp on this machine.
+
+Use this npm package:
+codex-webapp@beta
+
+Please:
+1. Check my Codex version.
+2. Run the package doctor.
+3. Run start in dry-run mode first.
+4. Start the local browser UI only on localhost.
+5. Smoke-test the printed local URL.
+
+Keep everything on localhost unless I already have Tailscale, Cloudflare Access,
+or another trusted access boundary set up.
+
+Do not print tokens, cookies, private repo contents, customer data, or internal URLs.
+```
+
+Codex 通常会为你执行类似命令：
+
+```bash
+npx -y codex-webapp@beta doctor
+npx -y codex-webapp@beta start --dry-run
+npx -y codex-webapp@beta start
+```
+
+`npx` 的简单解释：它会临时运行一个已经发布到 npm 的包，减少手动安装和管理项目依赖的麻烦。
+
+## 终端快速开始
+
+```bash
+codex --version
+codex remote-control --help
+npx -y codex-webapp@beta doctor
+npx -y codex-webapp@beta start --dry-run
+npx -y codex-webapp@beta start
+```
+
+默认本地地址：
+
+```text
+http://127.0.0.1:8214/
+```
+
+## Smoke Test
+
+```bash
+npx -y codex-webapp@beta smoke \
+  --url http://127.0.0.1:8214/
+```
+
+公开 issue 或截图时，请不要包含 token、cookie、私有仓库、客户数据或内部 URL。
+
+## 当前 beta 的范围
+
+这不是 Codex App native marketplace plugin、browser extension、one-click installer 或 managed hosting service。它的使用方式是：把提示词粘贴到 Codex App，让 Codex 通过 `npx` 执行 npm 包。
+
+当前 beta 是 experimental，并采用 compatibility-first 方针。它目前运行一个引用 `0xcaff/codex-web` commit `585613f5a3a355af5aefc388ca4e31b07a472cda` 的 Codex 风格 browser runtime，并在其周围增加安装、安全、文档和验证证据层。
+
+## Security And Privacy
+
+此 CLI wrapper 不会把你的 prompt、repository、token、cookie 或 customer data 发送到由本项目运营的 third-party server。本包不会安装 browser extension，也不会把 browser token 写入 `localStorage`、`chrome.storage` 或 extension profile。
+
+公开 issue 或截图时，请不要包含 secret、私有仓库、客户数据或内部 URL。
+
+## Acknowledgements
+
+当前 beta 使用并感谢 public project `0xcaff/codex-web` 提供的 Codex 风格浏览器界面思路。本项目在此基础上增加分发、doctor、安全边界、文档和验证证据层。
+
+License: [Apache-2.0](../../LICENSE.md)

package/docs/ja-quickstart.md

@@ -0,0 +1,75 @@
+# Codex WebApp 日本語クイックスタート
+
+ブラウザでCodexを開きたいのに画面が出なくて困っている人向けの手順です。このパッケージは、Codexの準備確認、Codex-style Web UIの起動、表示疎通、そして安全境界の確認を親切にするための非公式WebApp surfaceです。
+
+> OpenAI公式プロダクトではありません。OpenAIによる承認・提携・endorsementはありません。
+
+## 1. Codexを最新版へ更新
+
+`remote-control` は Codex CLI `0.130.0` 以降が必要です。
+
+```bash
+npm install -g @openai/codex@latest
+```
+
+## 2. remote-control が入っているか確認
+
+```bash
+codex --version
+codex remote-control --help
+```
+
+`codex-cli 0.130.0` 以上で、helpが表示されればOKです。
+
+## 3. friendly doctor を実行
+
+```bash
+npx codex-webapp@beta doctor
+```
+
+Codexが古い、または `remote-control` が見つからない場合は、次に打つべきコマンドを表示します。
+
+## 4. Codex-style Web UI を起動
+
+```bash
+npx codex-webapp@beta start
+```
+
+このコマンドは起動前に確認プロンプトを出します。自動化された信頼済み環境だけで `--yes` を使ってください。
+
+```bash
+npx codex-webapp@beta start --yes
+```
+
+## 5. ブラウザで表示できるか確認
+
+UIサーバーが起動している状態で、実ブラウザ疎通を確認します。
+
+```bash
+npx codex-webapp@beta smoke \
+  --url http://127.0.0.1:8214/
+```
+
+通常のsmokeはPlaywrightなしで、UI URLを取得して `What should we build` が含まれているか確認します。
+
+スクリーンショットも残したい場合は、Playwrightを使うdeep smokeを実行します。
+
+```bash
+npx codex-webapp@beta smoke \
+  --browser \
+  --url http://127.0.0.1:8214/ \
+  --screenshot artifacts/codex-webapp.png
+```
+
+deep smokeでPlaywrightが無い場合は入れてください。
+
+```bash
+npm install -D playwright
+npx playwright install chromium
+```
+
+## セキュリティ境界
+
+raw Codex browser serverやapp-serverをpublic IPへ直接公開しないでください。モバイルから使う場合は、先にTailscale、Cloudflare Access、または同等の信頼済みアクセス境界を用意してください。
+
+issueやチャットに、token、cookie、private repoの中身、顧客データ、内部URLを貼らないでください。

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "codex-webapp",
+  "version": "0.1.0-beta.1",
+  "description": "Unofficial. Respectful web app surface, doctor, and safety wrapper for Codex App users.",
+  "type": "module",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/penso-os/codex-webapp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/penso-os/codex-webapp/issues"
+  },
+  "homepage": "https://github.com/penso-os/codex-webapp#readme",
+  "keywords": [
+    "codex",
+    "codex-app",
+    "remote-control",
+    "webapp",
+    "browser-ui"
+  ],
+  "bin": {
+    "codex-webapp": "bin/codex-webapp.mjs"
+  },
+  "scripts": {
+    "doctor": "node ./bin/codex-webapp.mjs doctor",
+    "smoke": "node ./bin/codex-webapp.mjs smoke",
+    "test": "node --test",
+    "start:dry-run": "node ./bin/codex-webapp.mjs start --dry-run"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "files": [
+    "bin",
+    "docs",
+    "src",
+    "ACKNOWLEDGEMENTS.md",
+    "README.md",
+    "README.ja.md",
+    "SECURITY.md",
+    "SUPPORT.md",
+    "CONTRIBUTING.md",
+    "LICENSE.md"
+  ]
+}