codexapp 0.1.9 → 0.1.11

package/dist/index.html

@@ -4,8 +4,8 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Codex Web Local</title>
-    <script type="module" crossorigin src="/assets/index-DrAmX48U.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-BIm_B5t3.css">
+    <script type="module" crossorigin src="/assets/index-DMpyfM80.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-CKknL24Z.css">
   </head>
   <body class="bg-slate-950">
     <div id="app"></div>

package/dist-cli/index.js

@@ -3,6 +3,7 @@
 // src/cli/index.ts
 import { createServer as createServer2 } from "http";
 import { existsSync } from "fs";
+import { accessSync, constants } from "fs";
 import { readFile as readFile2 } from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { join as join3 } from "path";
@@ -10,6 +11,7 @@ import { spawn as spawn2, spawnSync } from "child_process";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { dirname as dirname2 } from "path";
 import { Command } from "commander";
+import qrcode from "qrcode-terminal";
 
 // src/server/httpServer.ts
 import { fileURLToPath } from "url";
@@ -1163,13 +1165,9 @@ function createCodexBridgeMiddleware() {
         res.setHeader("Cache-Control", "no-cache, no-transform");
         res.setHeader("Connection", "keep-alive");
         res.setHeader("X-Accel-Buffering", "no");
-        const unsubscribe = appServer.onNotification((notification) => {
+        const unsubscribe = middleware.subscribeNotifications((notification) => {
           if (res.writableEnded || res.destroyed) return;
-          const payload = {
-            ...notification,
-            atIso: (/* @__PURE__ */ new Date()).toISOString()
-          };
-          res.write(`data: ${JSON.stringify(payload)}
+          res.write(`data: ${JSON.stringify(notification)}
 
 `);
         });
@@ -1200,20 +1198,20 @@ data: ${JSON.stringify({ ok: true })}
   middleware.dispose = () => {
     appServer.dispose();
   };
+  middleware.subscribeNotifications = (listener) => {
+    return appServer.onNotification((notification) => {
+      listener({
+        ...notification,
+        atIso: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    });
+  };
   return middleware;
 }
 
 // src/server/authMiddleware.ts
 import { randomBytes, timingSafeEqual } from "crypto";
 var TOKEN_COOKIE = "codex_web_local_token";
-function isLocalhostRequest(req) {
-  const remote = req.socket.remoteAddress ?? "";
-  if (remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1") {
-    return true;
-  }
-  const host = (req.headers.host ?? "").toLowerCase();
-  return host.startsWith("localhost:") || host === "localhost" || host.startsWith("127.0.0.1:");
-}
 function constantTimeCompare(a, b) {
   const bufA = Buffer.from(a);
   const bufB = Buffer.from(b);
@@ -1232,6 +1230,22 @@ function parseCookies(header) {
   }
   return cookies;
 }
+function isLocalhostRemote(remote) {
+  return remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
+}
+function isLocalhostHost(host) {
+  const normalized = host.toLowerCase();
+  return normalized.startsWith("localhost:") || normalized === "localhost" || normalized.startsWith("127.0.0.1:");
+}
+function isAuthorizedByRequestLike(remoteAddress, hostHeader, cookieHeader, validTokens) {
+  const remote = remoteAddress ?? "";
+  if (isLocalhostRemote(remote) || isLocalhostHost(hostHeader ?? "")) {
+    return true;
+  }
+  const cookies = parseCookies(cookieHeader);
+  const token = cookies[TOKEN_COOKIE];
+  return Boolean(token && validTokens.has(token));
+}
 var LOGIN_PAGE_HTML = `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -1273,10 +1287,10 @@ form.addEventListener('submit',async e=>{
 </script>
 </body>
 </html>`;
-function createAuthMiddleware(password) {
+function createAuthSession(password) {
   const validTokens = /* @__PURE__ */ new Set();
-  return (req, res, next) => {
-    if (isLocalhostRequest(req)) {
+  const middleware = (req, res, next) => {
+    if (isAuthorizedByRequestLike(req.socket.remoteAddress, req.headers.host, req.headers.cookie, validTokens)) {
       next();
       return;
     }
@@ -1294,9 +1308,9 @@ function createAuthMiddleware(password) {
             res.status(401).json({ error: "Invalid password" });
             return;
           }
-          const token2 = randomBytes(32).toString("hex");
-          validTokens.add(token2);
-          res.setHeader("Set-Cookie", `${TOKEN_COOKIE}=${token2}; Path=/; HttpOnly; SameSite=Strict`);
+          const token = randomBytes(32).toString("hex");
+          validTokens.add(token);
+          res.setHeader("Set-Cookie", `${TOKEN_COOKIE}=${token}; Path=/; HttpOnly; SameSite=Strict`);
           res.json({ ok: true });
         } catch {
           res.status(400).json({ error: "Invalid request body" });
@@ -1304,18 +1318,17 @@ function createAuthMiddleware(password) {
       });
       return;
     }
-    const cookies = parseCookies(req.headers.cookie);
-    const token = cookies[TOKEN_COOKIE];
-    if (token && validTokens.has(token)) {
-      next();
-      return;
-    }
     res.setHeader("Content-Type", "text/html; charset=utf-8");
     res.status(200).send(LOGIN_PAGE_HTML);
   };
+  return {
+    middleware,
+    isRequestAuthorized: (req) => isAuthorizedByRequestLike(req.socket.remoteAddress, req.headers.host, req.headers.cookie, validTokens)
+  };
 }
 
 // src/server/httpServer.ts
+import { WebSocketServer } from "ws";
 var __dirname = dirname(fileURLToPath(import.meta.url));
 var distDir = join2(__dirname, "..", "dist");
 var IMAGE_CONTENT_TYPES = {
@@ -1343,8 +1356,9 @@ function normalizeLocalImagePath(rawPath) {
 function createServer(options = {}) {
   const app = express();
   const bridge = createCodexBridgeMiddleware();
-  if (options.password) {
-    app.use(createAuthMiddleware(options.password));
+  const authSession = options.password ? createAuthSession(options.password) : null;
+  if (authSession) {
+    app.use(authSession.middleware);
   }
   app.use(bridge);
   app.get("/codex-local-image", (req, res) => {
@@ -1372,7 +1386,33 @@ function createServer(options = {}) {
   });
   return {
     app,
-    dispose: () => bridge.dispose()
+    dispose: () => bridge.dispose(),
+    attachWebSocket: (server) => {
+      const wss = new WebSocketServer({ noServer: true });
+      server.on("upgrade", (req, socket, head) => {
+        const url = new URL(req.url ?? "", "http://localhost");
+        if (url.pathname !== "/codex-api/ws") {
+          return;
+        }
+        if (authSession && !authSession.isRequestAuthorized(req)) {
+          socket.write("HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n");
+          socket.destroy();
+          return;
+        }
+        wss.handleUpgrade(req, socket, head, (ws) => {
+          wss.emit("connection", ws, req);
+        });
+      });
+      wss.on("connection", (ws) => {
+        ws.send(JSON.stringify({ method: "ready", params: { ok: true }, atIso: (/* @__PURE__ */ new Date()).toISOString() }));
+        const unsubscribe = bridge.subscribeNotifications((notification) => {
+          if (ws.readyState !== 1) return;
+          ws.send(JSON.stringify(notification));
+        });
+        ws.on("close", unsubscribe);
+        ws.on("error", unsubscribe);
+      });
+    }
   };
 }
 
@@ -1423,6 +1463,42 @@ function runWithStatus(command, args) {
 function getUserNpmPrefix() {
   return join3(homedir2(), ".npm-global");
 }
+function installGlobalNpmPackageWithFallback(pkg, label) {
+  const npmPrefix = spawnSync("npm", ["config", "get", "prefix"], {
+    stdio: ["ignore", "pipe", "ignore"],
+    encoding: "utf8"
+  }).stdout?.trim();
+  const globalPrefixWritable = Boolean(npmPrefix && (() => {
+    try {
+      accessSync(npmPrefix, constants.W_OK);
+      return true;
+    } catch {
+      return false;
+    }
+  })());
+  if (!globalPrefixWritable && !isTermuxRuntime()) {
+    const userPrefix2 = getUserNpmPrefix();
+    console.log(`
+Global npm prefix is not writable. Installing with --prefix ${userPrefix2}...
+`);
+    runOrFail("npm", ["install", "-g", "--prefix", userPrefix2, pkg], `${label} (user prefix)`);
+    process.env.PATH = `${join3(userPrefix2, "bin")}:${process.env.PATH ?? ""}`;
+    return;
+  }
+  const status = runWithStatus("npm", ["install", "-g", pkg]);
+  if (status === 0) {
+    return;
+  }
+  if (isTermuxRuntime()) {
+    throw new Error(`${label} failed with exit code ${String(status)}`);
+  }
+  const userPrefix = getUserNpmPrefix();
+  console.log(`
+Global npm install requires elevated permissions. Retrying with --prefix ${userPrefix}...
+`);
+  runOrFail("npm", ["install", "-g", "--prefix", userPrefix, pkg], `${label} (user prefix)`);
+  process.env.PATH = `${join3(userPrefix, "bin")}:${process.env.PATH ?? ""}`;
+}
 function resolveCodexCommand() {
   if (canRun("codex", ["--version"])) {
     return "codex";
@@ -1448,32 +1524,17 @@ function hasCodexAuth() {
 function ensureCodexInstalled() {
   let codexCommand = resolveCodexCommand();
   if (!codexCommand) {
-    const installWithFallback = (pkg, label) => {
-      const status = runWithStatus("npm", ["install", "-g", pkg]);
-      if (status === 0) {
-        return;
-      }
-      if (isTermuxRuntime()) {
-        throw new Error(`${label} failed with exit code ${String(status)}`);
-      }
-      const userPrefix = getUserNpmPrefix();
-      console.log(`
-Global npm install requires elevated permissions. Retrying with --prefix ${userPrefix}...
-`);
-      runOrFail("npm", ["install", "-g", "--prefix", userPrefix, pkg], `${label} (user prefix)`);
-      process.env.PATH = `${join3(userPrefix, "bin")}:${process.env.PATH ?? ""}`;
-    };
     if (isTermuxRuntime()) {
       console.log("\nCodex CLI not found. Installing Termux-compatible Codex CLI from npm...\n");
-      installWithFallback("@mmmbuto/codex-cli-termux", "Codex CLI install");
+      installGlobalNpmPackageWithFallback("@mmmbuto/codex-cli-termux", "Codex CLI install");
       codexCommand = resolveCodexCommand();
       if (!codexCommand) {
         console.log("\nTermux npm package did not expose `codex`. Installing official CLI fallback...\n");
-        installWithFallback("@openai/codex", "Codex CLI fallback install");
+        installGlobalNpmPackageWithFallback("@openai/codex", "Codex CLI fallback install");
       }
     } else {
       console.log("\nCodex CLI not found. Installing official Codex CLI from npm...\n");
-      installWithFallback("@openai/codex", "Codex CLI install");
+      installGlobalNpmPackageWithFallback("@openai/codex", "Codex CLI install");
     }
     codexCommand = resolveCodexCommand();
     if (!codexCommand && !isTermuxRuntime()) {
@@ -1489,6 +1550,37 @@ Global npm install requires elevated permissions. Retrying with --prefix ${userP
   }
   return codexCommand;
 }
+function resolveCloudflaredCommand() {
+  if (canRun("cloudflared", ["--version"])) {
+    return "cloudflared";
+  }
+  const userCandidate = join3(getUserNpmPrefix(), "bin", "cloudflared");
+  if (existsSync(userCandidate) && canRun(userCandidate, ["--version"])) {
+    return userCandidate;
+  }
+  const prefix = process.env.PREFIX?.trim();
+  if (!prefix) {
+    return null;
+  }
+  const candidate = join3(prefix, "bin", "cloudflared");
+  if (existsSync(candidate) && canRun(candidate, ["--version"])) {
+    return candidate;
+  }
+  return null;
+}
+function ensureCloudflaredInstalled() {
+  let cloudflaredCommand = resolveCloudflaredCommand();
+  if (!cloudflaredCommand) {
+    console.log("\ncloudflared not found. Installing from npm...\n");
+    installGlobalNpmPackageWithFallback("cloudflared", "cloudflared install");
+    cloudflaredCommand = resolveCloudflaredCommand();
+    if (!cloudflaredCommand) {
+      throw new Error("cloudflared install completed but binary is still not available in PATH");
+    }
+    console.log("\ncloudflared installed.\n");
+  }
+  return cloudflaredCommand;
+}
 function resolvePassword(input) {
   if (input === false) {
     return void 0;
@@ -1515,6 +1607,49 @@ function openBrowser(url) {
   });
   child.unref();
 }
+function parseCloudflaredUrl(chunk) {
+  const urlMatch = chunk.match(/https:\/\/[a-zA-Z0-9-]+\.trycloudflare\.com/g);
+  if (!urlMatch || urlMatch.length === 0) {
+    return null;
+  }
+  return urlMatch[urlMatch.length - 1] ?? null;
+}
+async function startCloudflaredTunnel(cloudflaredCommand, localPort) {
+  return new Promise((resolve2, reject) => {
+    const child = spawn2(cloudflaredCommand, ["tunnel", "--url", `http://localhost:${String(localPort)}`], {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    const timeout = setTimeout(() => {
+      child.kill("SIGTERM");
+      reject(new Error("Timed out waiting for cloudflared tunnel URL"));
+    }, 2e4);
+    const handleData = (value) => {
+      const text = String(value);
+      const parsedUrl = parseCloudflaredUrl(text);
+      if (!parsedUrl) {
+        return;
+      }
+      clearTimeout(timeout);
+      child.stdout?.off("data", handleData);
+      child.stderr?.off("data", handleData);
+      resolve2({ process: child, url: parsedUrl });
+    };
+    const onError = (error) => {
+      clearTimeout(timeout);
+      reject(new Error(`Failed to start cloudflared: ${error.message}`));
+    };
+    child.once("error", onError);
+    child.stdout?.on("data", handleData);
+    child.stderr?.on("data", handleData);
+    child.once("exit", (code) => {
+      if (code === 0) {
+        return;
+      }
+      clearTimeout(timeout);
+      reject(new Error(`cloudflared exited before providing a URL (code ${String(code)})`));
+    });
+  });
+}
 function listenWithFallback(server, startPort) {
   return new Promise((resolve2, reject) => {
     const attempt = (port) => {
@@ -1546,9 +1681,28 @@ async function startServer(options) {
   }
   const requestedPort = parseInt(options.port, 10);
   const password = resolvePassword(options.password);
-  const { app, dispose } = createServer({ password });
+  const { app, dispose, attachWebSocket } = createServer({ password });
   const server = createServer2(app);
+  attachWebSocket(server);
   const port = await listenWithFallback(server, requestedPort);
+  let tunnelChild = null;
+  let tunnelUrl = null;
+  if (options.tunnel) {
+    if (isTermuxRuntime()) {
+      console.log("\n[cloudflared] Tunnel is disabled on Termux.");
+    } else {
+      try {
+        const cloudflaredCommand = ensureCloudflaredInstalled();
+        const tunnel = await startCloudflaredTunnel(cloudflaredCommand, port);
+        tunnelChild = tunnel.process;
+        tunnelUrl = tunnel.url;
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.warn(`
+[cloudflared] Tunnel not started: ${message}`);
+      }
+    }
+  }
   const lines = [
     "",
     "Codex Web Local is running!",
@@ -1563,12 +1717,25 @@ async function startServer(options) {
   if (password) {
     lines.push(`  Password: ${password}`);
   }
+  if (tunnelUrl) {
+    lines.push(`  Tunnel:   ${tunnelUrl}`);
+    lines.push("");
+    lines.push("  Tunnel QR code:");
+    lines.push(`  URL:      ${tunnelUrl}`);
+  }
   printTermuxKeepAlive(lines);
   lines.push("");
   console.log(lines.join("\n"));
+  if (tunnelUrl) {
+    qrcode.generate(tunnelUrl, { small: true });
+    console.log("");
+  }
   openBrowser(`http://localhost:${String(port)}`);
   function shutdown() {
     console.log("\nShutting down...");
+    if (tunnelChild && !tunnelChild.killed) {
+      tunnelChild.kill("SIGTERM");
+    }
     server.close(() => {
       dispose();
       process.exit(0);
@@ -1586,7 +1753,7 @@ async function runLogin() {
   console.log("\nStarting `codex login`...\n");
   runOrFail(codexCommand, ["login"], "Codex login");
 }
-program.option("-p, --port <port>", "port to listen on", "5999").option("--password <pass>", "set a specific password").option("--no-password", "disable password protection").action(async (opts) => {
+program.option("-p, --port <port>", "port to listen on", "5999").option("--password <pass>", "set a specific password").option("--no-password", "disable password protection").option("--tunnel", "start cloudflared tunnel", true).option("--no-tunnel", "disable cloudflared tunnel startup").action(async (opts) => {
   await startServer(opts);
 });
 program.command("login").description("Install/check Codex CLI and run `codex login`").action(runLogin);