codexui-android 0.1.82 → 0.1.85

package/dist-cli/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import "./chunk-UUZOL7SL.js";
+import "./chunk-JQMCS7KJ.js";
 
 // src/cli/index.ts
 import { createServer as createServer2 } from "http";
@@ -227,7 +227,7 @@ import * as Sentry4 from "@sentry/node";
 import { spawn as spawn4 } from "child_process";
 import { createHash as createHash2, randomBytes } from "crypto";
 import { mkdtemp as mkdtemp3, readFile as readFile3, rm as rm4, mkdir as mkdir4, stat as stat4 } from "fs/promises";
-import { createReadStream } from "fs";
+import { createReadStream, readFileSync } from "fs";
 import { request as httpRequest } from "http";
 import { request as httpsRequest } from "https";
 import { homedir as homedir4 } from "os";
@@ -480,6 +480,22 @@ async function validateSwitchedAccount(appServer) {
     quotaSnapshot: pickCodexRateLimitSnapshot(quotaPayload)
   };
 }
+async function validateSwitchedAccountWithTimeout(appServer) {
+  let timeoutHandle = null;
+  try {
+    return await Promise.race([
+      validateSwitchedAccount(appServer),
+      new Promise((_, reject) => {
+        timeoutHandle = setTimeout(() => {
+          reject(new Error(`Account switch validation timed out after ${ACCOUNT_INSPECTION_TIMEOUT_MS}ms`));
+        }, ACCOUNT_INSPECTION_TIMEOUT_MS);
+        timeoutHandle.unref?.();
+      })
+    ]);
+  } finally {
+    if (timeoutHandle) clearTimeout(timeoutHandle);
+  }
+}
 async function restoreActiveAuth(raw) {
   const path = getActiveAuthPath();
   if (raw === null) {
@@ -794,7 +810,7 @@ async function handleAccountRoutes(req, res, url, context) {
         const imported = await importAccountFromAuthPath(getActiveAuthPath());
         try {
           appServer.dispose();
-          const inspection = await validateSwitchedAccount(appServer);
+          const inspection = await validateSwitchedAccountWithTimeout(appServer);
           const state = await readStoredAccountsState();
           const importedAccountId = imported.importedAccountId;
           const target = state.accounts.find((entry) => entry.accountId === importedAccountId) ?? null;
@@ -893,7 +909,7 @@ async function handleAccountRoutes(req, res, url, context) {
         await writeFile(getActiveAuthPath(), targetRaw, { encoding: "utf8", mode: 384 });
         try {
           appServer.dispose();
-          const inspection = await validateSwitchedAccount(appServer);
+          const inspection = await validateSwitchedAccountWithTimeout(appServer);
           const nextEntry = {
             ...target,
             email: inspection.metadata.email ?? target.email,
@@ -1034,7 +1050,7 @@ async function handleAccountRoutes(req, res, url, context) {
         await writeFile(getActiveAuthPath(), replacementRaw, { encoding: "utf8", mode: 384 });
         try {
           appServer.dispose();
-          const inspection = await validateSwitchedAccount(appServer);
+          const inspection = await validateSwitchedAccountWithTimeout(appServer);
           const activatedReplacement = {
             ...replacement,
             email: inspection.metadata.email ?? replacement.email,
@@ -3141,8 +3157,27 @@ function getErrorMessage4(payload, fallback) {
   }
   return fallback;
 }
+function normalizeTelegramAllowlist(values) {
+  const rawValues = Array.isArray(values) ? values : [];
+  const allowAllUsers = rawValues.some((value) => typeof value === "string" && value.trim() === "*");
+  const allowedUserIds = Array.from(new Set(rawValues.map((value) => {
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return Math.trunc(value);
+    }
+    if (typeof value === "string" && value.trim().length > 0) {
+      const normalized = value.trim().replace(/^(telegram|tg):/i, "").trim();
+      if (/^-?\d+$/.test(normalized)) {
+        return Number.parseInt(normalized, 10);
+      }
+    }
+    return Number.NaN;
+  }).filter((value) => Number.isFinite(value)))).slice(0, 100);
+  return { allowAllUsers, allowedUserIds };
+}
 var TelegramThreadBridge = class {
   constructor(appServer, options = {}) {
+    this.allowAllUsers = false;
+    this.allowedUserIds = /* @__PURE__ */ new Set();
     this.threadIdByChatId = /* @__PURE__ */ new Map();
     this.chatIdsByThreadId = /* @__PURE__ */ new Map();
     this.lastForwardedTurnByThreadId = /* @__PURE__ */ new Map();
@@ -3153,6 +3188,9 @@ var TelegramThreadBridge = class {
     this.appServer = appServer;
     this.token = process.env.TELEGRAM_BOT_TOKEN?.trim() ?? "";
     this.defaultCwd = process.env.TELEGRAM_DEFAULT_CWD?.trim() ?? process.cwd();
+    this.configureAllowedUserIds(
+      (process.env.TELEGRAM_ALLOWED_USER_IDS ?? "").split(",").map((value) => value.trim()).filter(Boolean)
+    );
     this.onChatSeen = options.onChatSeen;
   }
   start() {
@@ -3220,9 +3258,16 @@ var TelegramThreadBridge = class {
       active: this.active,
       mappedChats: this.threadIdByChatId.size,
       mappedThreads: this.chatIdsByThreadId.size,
+      allowedUsers: this.allowedUserIds.size,
+      allowAllUsers: this.allowAllUsers,
       lastError: this.lastError
     };
   }
+  configureAllowedUserIds(allowedUserIds) {
+    const normalized = normalizeTelegramAllowlist(allowedUserIds);
+    this.allowAllUsers = normalized.allowAllUsers;
+    this.allowedUserIds = new Set(normalized.allowedUserIds);
+  }
   connectThread(threadId, chatId, token) {
     const normalizedThreadId = threadId.trim();
     if (!normalizedThreadId) {
@@ -3276,8 +3321,13 @@ var TelegramThreadBridge = class {
     }
     const message = update.message;
     const chatId = message?.chat?.id;
+    const senderId = message?.from?.id;
     const text = message?.text?.trim();
     if (typeof chatId !== "number" || !text) return;
+    if (!this.isAllowedSender(senderId)) {
+      await this.sendTelegramMessage(chatId, this.unauthorizedMessage(senderId));
+      return;
+    }
     this.markChatSeen(chatId);
     if (text === "/start") {
       await this.sendThreadPicker(chatId);
@@ -3310,6 +3360,16 @@ var TelegramThreadBridge = class {
     const callbackId = typeof callbackQuery.id === "string" ? callbackQuery.id : "";
     const data = typeof callbackQuery.data === "string" ? callbackQuery.data : "";
     const chatId = callbackQuery.message?.chat?.id;
+    const senderId = callbackQuery.from?.id;
+    if (!this.isAllowedSender(senderId)) {
+      if (callbackId) {
+        await this.answerCallbackQuery(callbackId, this.unauthorizedCallbackMessage(senderId));
+      }
+      if (typeof chatId === "number") {
+        await this.sendTelegramMessage(chatId, this.unauthorizedMessage(senderId));
+      }
+      return;
+    }
     if (typeof chatId === "number") {
       this.markChatSeen(chatId);
     }
@@ -3331,6 +3391,25 @@ var TelegramThreadBridge = class {
       await this.sendTelegramMessage(chatId, history);
     }
   }
+  isAllowedSender(senderId) {
+    if (this.allowAllUsers) {
+      return typeof senderId === "number" && Number.isFinite(senderId);
+    }
+    return typeof senderId === "number" && Number.isFinite(senderId) && this.allowedUserIds.has(Math.trunc(senderId));
+  }
+  unauthorizedMessage(senderId) {
+    const normalizedSenderId = typeof senderId === "number" && Number.isFinite(senderId) ? String(Math.trunc(senderId)) : "unknown";
+    return `Unauthorized sender.
+
+Your Telegram user ID: ${normalizedSenderId}
+Add this ID to the bot allowlist before using the bridge.`;
+  }
+  unauthorizedCallbackMessage(senderId) {
+    if (typeof senderId === "number" && Number.isFinite(senderId)) {
+      return `Unauthorized: ${String(Math.trunc(senderId))}`;
+    }
+    return "Unauthorized sender";
+  }
   async answerCallbackQuery(callbackQueryId, text) {
     await fetch(this.apiUrl("answerCallbackQuery"), {
       method: "POST",
@@ -3499,6 +3578,163 @@ ${summary}`;
   }
 };
 
+// src/server/freeMode.ts
+var ENCRYPTED_KEYS = [
+  "FhkYWwEZE0MYBhAGUEADDBYFBEoDBxIHVUpUVRIMVUYDAkEHVRYNAxABUUAEAUMDV0pUDEQAU0ZTDEQCVERQVkoBVhAEBBBXAQ==",
+  "FhkYWwEZE0MYVkIGUkNUUkpVXUsBBUUAVEYHUEIMBhQCVxZWBBcHVkoNUENRAxAMA0MHARBXBkVUAUVQXBAFAUVXVxFWBUtWBw==",
+  "FhkYWwEZE0MYVhFWAUJUUBEMURMHAUoEAUcABRAEURRXARBRU0ZUBBFVB0YAAUNVVUYBDBBSABRUAhdVXUUBUhANV0IMBBABBA==",
+  "FhkYWwEZE0MYUBIDABMBVkMHURcGDRVSXRMFBUUCBBQBVhUBUBEGDBAAVkpTVUoGUBYMBhJXB0ANABUEARBQB0RRXUBRBUNQBw==",
+  "FhkYWwEZE0MYVhcFBhMFARJXVBMADRdWVxYHBkQNA0cBBEsGVEBRAkYCXEFXURBXABZQDEZSXBQHAkJSAUABVxIMA0NWAEcMUA==",
+  "FhkYWwEZE0MYAEQAXEZQURUGARFRBkRWVENWDUYFBkQHBEJWU0dQUkdWBhZXARYMAERXURcBUUQNDUAGAEoEB0ABV0NTUkQDBw==",
+  "FhkYWwEZE0MYABdRURBXVkYDURZWUUIAUEcMBEcMUUpXVxEGVhEMBktVXBBWAEFQBBBRVhECUEQEBkFQUUpRVRUMV0dRA0QGUw==",
+  "FhkYWwEZE0MYVUMCUUIHAUFRVksFVhYMARRRBBIAVBMBDEFVAxMAAUpRXUsEBkMHVhAHBUdSVxECABJSVRdRBkMEURANAEdXVA==",
+  "FhkYWwEZE0MYUkEFVEVUBEoMVkINDUFQUENQAkBSAEVQVhcEAEsDBxVWUkBWAkRSA0ANV0FVBkYMVxcBXUQEUEQCARYDDEpWXA==",
+  "FhkYWwEZE0MYDBcCXBANBRdVU0YEAEsMAUoNUkoMUBYDABcHVEBQBkRVUxdWBUUAAURUVxUGB0oDVxIHABRUAhJRAEUDUkECXQ==",
+  "FhkYWwEZE0MYVhUHVBEBURFQA0EBVRcNUUZXAhVXVkpQAEUHBhNTDUQMXRAGA0JQA0BRBRUHVRQMURVWXUoBVxcEBEYEAEACUQ==",
+  "FhkYWwEZE0MYA0UCB0ZTABUNBhRTAUYAUENQUEANBEMCARdQBkRRBRYDUhdWVhACXBcGBhIDVBFRBRJQUREGDRAAUhQHUhUBAA==",
+  "FhkYWwEZE0MYAUsMARACBBYGVxQHARVQVxRRBRcNUkAFUUQCXBEAUkcBXEMBBEYCXRENBUsBVRYABUJXU0FUAEYBUUpWABEGUw==",
+  "FhkYWwEZE0MYAEdSUBcNAUoFUERUAkcFAEQAB0IBUxcFDUIMBEpQVktWUxdUB0MBXUEBBhIMXRQEUBFQXEMFAEBQXUEMVkoBUQ==",
+  "FhkYWwEZE0MYDBYNUUVUA0ECUREMVhUEBkoCVxJSXEtRUENQVxAMBBcMAxACVkVVBEEDUEYDAURWA0oDXUYAAEEEVxQABUANVg==",
+  "FhkYWwEZE0MYVhcHBhcFV0EBUEdWVxdSU0sMABFSUEIHA0EAU0dWBkcFXEZRBENXAUEDV0AFUkEABBAEXBdXAhZRBEAAUUBSVg==",
+  "FhkYWwEZE0MYV0MHAxYBDUsHB0oFVRJWAUoABEQGAUEHDRdRUBQHBREFUkpQVUYHVkVTDBcDXUYHBkJXUhENVUIAVUtTDRcMVA==",
+  "FhkYWwEZE0MYBxVXBEsAUkYBA0EEAUIGBkRQA0MNABZRVkcHA0JTUEdWUkNRBBUEXUFUB0oFB0QGDBdWUUsEV0NXBBQBVRUEVg==",
+  "FhkYWwEZE0MYVxcCVBYHAEsNVBEADEENUkMAUhFWXBNUVxdWBxNWURYAVEEAUUdSURAHDUsAUkEABBJSVRZQV0YNVRBRDUVSBw==",
+  "FhkYWwEZE0MYAEQEV0YGVxcMVkRQUEsGUEBRUEADAEYEV0NRBBRWBUpXV0oMA0NRXBBRAkAMXUZWURBSXEZRB0EEVBQNVxYBXQ==",
+  "FhkYWwEZE0MYA0IBUhADUERXB0MNB0MHVUtUDRUNBEpXVkEGUBMABkZVUENUAkBVXRAEDEAHBkJWABAEURNWDEcEABQCVUdVVA==",
+  "FhkYWwEZE0MYUhcEBBYCAUFSXUAEAEEBV0sDDRAFV0YDV0NVBENXB0QNVxdUAkYMXUQGA0tRV0tWVUoDAxcGUUVVVUQHDBEDBA==",
+  "FhkYWwEZE0MYA0QBBEIAB0INXUtTBxYFVBFXABJSBkYEAxIAVEAGVkZSB0tQUEoHBkcGBBUHVENWAUNRUEYCAhJSXRcNUEQGUA==",
+  "FhkYWwEZE0MYUBJQUEIFUkBXARBUBUIDAxBQVhJVVkUMVhEDAEYNVxEGBhRUVkJWURYDAUAAAUUMARVRBhYAUkAEUkUEAhYCVg==",
+  "FhkYWwEZE0MYVUYGVBcEDEAFVhACVkFWXBFTAxAMUUpQURENARYBVhABAEINAEQCAUECDEsCBEUBVxBXBxRUVxdQBBRXVkcCUA==",
+  "FhkYWwEZE0MYV0YMVxBTVUNQBERRURVSUxQGUUVWB0MGVUMHV0cHUkMEAEMDDUMCVEcGVkNVB0oDURdVAUFQBkIAURYDBhAHAA==",
+  "FhkYWwEZE0MYUhYCXEsNVUAEURFXBkcHABFQBxcFUENWVkpVAxZWAhEBAxMBBkRRVUtQDEZWXEoBBxUNVkYBBhJQUBBQUUoDBw==",
+  "FhkYWwEZE0MYB0YGXUIGDRIHVRZQVUJSV0UNB0oNAxQADRUMVUcEBhdQV0AHDUZXAEtQVkVQUhBRBUBSUEQCVkRSBEUDUkQEVQ==",
+  "FhkYWwEZE0MYB0MGAUEADERVV0RXDUJSUUMAUEdRAUMCBxZSBktQDUMEBkIBBkIDAEMNURdRXUoFB0RWVEZRDUFXAEJTVRVWVg==",
+  "FhkYWwEZE0MYAkQDAxcFBEpXVEIEDUJSB0tXBhVXUkIDAEEMBBBXDUdRVRcNBURVAxZXUUENARYNBkMAUBBTDUsGVUFWDEcAVQ==",
+  "FhkYWwEZE0MYDRFQVUsCBRIMXBEFBEYEBEMBAUAMVkoCDUoABEcNV0YMU0pWABJXURcAAEIEUBcGVxcGUhZWBUIAVUQCUkVVAA==",
+  "FhkYWwEZE0MYUhcDVURUDBBSVkVWAEYCBkoMUEVVU0cEAxcFVhcDVUEBAEpXUhIAXEUNBUQBAxYGUhFXVUUHBBUAVkpRURAAVQ==",
+  "FhkYWwEZE0MYUEtVV0BQV0tXB0dXVkNRVRRQBUADABFTURYDVBdXUEFSXEpXB0dQVBQEA0oAVUpTBEYEVBMNDEMDU0BUBUINUg==",
+  "FhkYWwEZE0MYUEpQBxZTBkFXXEZWAkEEBxEHB0RXVktQUEMDARRRABEFAUIABEAMARRRDUACBBAMUEMMUxcEUUEEAEoAURBQBg==",
+  "FhkYWwEZE0MYUEINARRQAhcCUEJRUBIFBEIHBkJQB0tWVhINXRBUUBdVBkcMBUZVUxNTAUsMU0cFAEtSXUJXDRJSBkVUAUoBVA==",
+  "FhkYWwEZE0MYUEBWAUtXBxEHUhNTBRZVB0UEB0MDA0sCBEAABkNUAUQCBxYAAEVQUEYDVkoDVxAFVUFVVUcMAUECBkoGUUsCUA==",
+  "FhkYWwEZE0MYBBUBUEFTBUIDAxAGBUcFARBWBRJXUUJTAkUGURQBUUUEB0EFBBBVVURQBEEAUBMAVhINVUEBVUcMA0sNVUNQVg==",
+  "FhkYWwEZE0MYDUMDA0MNA0oAV0BQUEEFBEUBAkpQXBAMBUsCVRZXVkIAXBMEAktXBhYABkcAUhMAUhYBA0BTAURVURMBA0ACXA==",
+  "FhkYWwEZE0MYUhdXUUMDAEQNBhZTAEdWXUYHBxEHXUQCDBYCBkEBBEIDAEBQBkEAUkUBBREMUEUNAEUMBENUBhZXVkVQV0NWBw==",
+  "FhkYWwEZE0MYUBdVU0VXVkpQUkEEBkFSVhZRDEQMXBdQA0QDXUIHUEtWBEABAERXBEoMAxEDUxYMDUVRXUJTUBcFBhQCVkcAVQ==",
+  "FhkYWwEZE0MYDRcBUBYCUEpRABQNVRcHBkQABkZXUkBWURFVU0sMBxINURQMAREHUUcHAUYDB0QBAUNVVUAAARUGUEoAABYGXA==",
+  "FhkYWwEZE0MYAhUCUktQV0oEBxcCVUoCB0pTAUJQXUJTARYAXUsNDRUDUkVQARIHUUJUBEMEVxMFBhEAUUUCBRIAXBMBVUAHAA==",
+  "FhkYWwEZE0MYARcCAUMDVxFQBEZXUEcCAEYDVksNVUpQB0MEB0EEAhVWXRcEUUBQXEoGA0BSAEVWBhdXVUACUUZSUEZXBUZRVg==",
+  "FhkYWwEZE0MYA0oBUhEHABYCBkcMUUcGXRdUDRZXVBZTARUHVkQGV0UAAUoDBxJRVRQBA0oFAUEGBERSVhMGBEBWBEpRAUMGVg==",
+  "FhkYWwEZE0MYVhANVBFXDEoAXEoMBhYMUxMNUEECVEoMAkQFVxANVRcFABdRDRVWXUACBBYHVURUUBACXUNUV0IMAUcCAUIHBw==",
+  "FhkYWwEZE0MYUEUCB0UNDBEFVhQGBhJSBkYHBEMNBhAGUkAFA0AMBUAGUEYDAUZQVUdWUhcHUEcAUhEFB0FQV0VQAUtXBEcDBw==",
+  "FhkYWwEZE0MYAUNSURNTBRANUkRWVxYHXEYMAUYBB0cCBksCAEUHUkVSVUdRURIEBxADBhECVxNRUEcFUxQMUEMMA0MFBEENBA==",
+  "FhkYWwEZE0MYBxBWVkZQAkENVhYNBBUDXBADAUANUkBRVkICBEtRVxEEAEFUDUIDUkNXAxEDAUcHARIAVEJTA0oNVkANB0EGXA==",
+  "FhkYWwEZE0MYV0IGAREGUhZVUEFXVkJVVUECDBcFARcNUhZQXBEFAkMBU0sDUEIFBhcCV0cCXUBTVRADV0YEA0ZQUxACUUsEXA==",
+  "FhkYWwEZE0MYVUoNVUNQURVQUREDAxJSB0AAAkMCABQDAUMGVBYABBJWBxADBENRVEsAVxcAAEdTARUDBBEFUhZSUEQDDRcAXA==",
+  "FhkYWwEZE0MYBhdRVUQBVhcGBhENV0QEAEIGVxcBUxQNUUcAVxZWBEEEVUBTARYGAUFUAUUHBEQEDUsDVEJXDEQNU0sCV0YMAA==",
+  "FhkYWwEZE0MYVktRAENWAkEBXUsGUUEDUkMHB0FXB0cCAhEHARZUBxJWB0IDBERRUkUAAxYDUkYBUkYDV0QDVUcHVxAGA0INVA==",
+  "FhkYWwEZE0MYBkIAVBABVUINV0NTVxYGAUYFVUMBUxYMURAGBksAVUJVBkoHUUQMA0cMAUdQVkUGBUpSAEZTVRANUBYEUEQBVA==",
+  "FhkYWwEZE0MYDEMDA0oCVURRUBZWUkANUEQBAkBSXBBRB0BSVBYGVkAFVRAGDEYDVkMEDBBSBkQHV0JRA0JUBRcFXURTDRZRUw==",
+  "FhkYWwEZE0MYUBJSVEUNUhcGBkYGAhYDUEcAUEsEBxdUUBZSXEcGDEINXEoDBxcFUkdWBEBRVxYNDUYAUBMBVkcCUBcHUUsAXA==",
+  "FhkYWwEZE0MYA0QNUEtWAUMEAEoBUEoAAREDVRYHVkoEV0ZQBEEEUkEAAUIEAUcCVhEHUBUDB0FRVktVVEFXARIHA0NWBUpXBg==",
+  "FhkYWwEZE0MYV0oCAxFXV0YMUxFQAUAAUEVWA0cEB0pUUBAFXUIHDRdQAEQAUkMGU0AEVxEDBBEBAhBRV0QEAxVWU0NQBxECBw==",
+  "FhkYWwEZE0MYUkoCBBMEUkYDBhYFB0IFVkQMVUpSBksMUUcFUxEEDRZVVkUADEoCVhcHUkEHUxACUUJXBBdTVUQDAEFRBxUGAw==",
+  "FhkYWwEZE0MYV0BXBEUCURUNXUYABUpQURYBBUYFVENXBhYCXRBWDUsHA0NRB0oGUREHDRYGUxMBAksEUkINVkNVBEIBAxdWUA==",
+  "FhkYWwEZE0MYBEoCA0MNDEUAXUNUAxYHXBRRURACUEFQBxYDB0dUBksDA0QFVksMAxQFAEZRAxNTA0cMVUENVxEEAUFRBUAHBA==",
+  "FhkYWwEZE0MYB0ENVkAABxEFXEZQAUYHBhMFBBJQBkMCUUZRBERTAkBRBhADVxYEXEADB0RSUUtRUREBXRdXBkAGBEUNBEQCUg==",
+  "FhkYWwEZE0MYVhFVXBAFDBYFBkFTAhIGB0ZRBEJVXURTBBFWBxNUVkBXBEMMBkIHURcDAksAVEMEV0dSUhdXBBJWUkJWAxBRVg==",
+  "FhkYWwEZE0MYBRFRXUoBBUcGBhZUAUBVABYEVkICVkNXDUcMABYFVxdXU0sEBkcFXEYBURUFVUYFABJSA0dTABdRVBRQVRENVg==",
+  "FhkYWwEZE0MYV0VQVhEHVkVVAEFQAhcHBEMMUUANVxNUBUJWVRcEVUoEBBcDUkcNBkoCUUVVVBcDVRZQBBBUVRYNXBZWBUMAAQ==",
+  "FhkYWwEZE0MYAhIHARYBVxIABhYBVxVWUkVXV0ICXUUADBZQAUYBBEUBUEsFBRcFARcGUEtVXEoGABYAUkEGDEBRVUMBB0IFXQ==",
+  "FhkYWwEZE0MYBBUCXEEFBEJVVxZQBEICUxFRBUUNBksHBhFXUUANVhUCV0EMB0QDVURWDBFSVkYDAxYAABdXBhIEUEQMBEUCUg==",
+  "FhkYWwEZE0MYDUsDBEoNAEECURBTAUJXUEpWVUdSBEAMDRBVUkYAUUoDAxFTDEpVVxEHAUYNVUMGVkYAA0cBBRJWBBAHUUIMVw==",
+  "FhkYWwEZE0MYUUUFXUBTUEYHUkoHBBIFBEpRV0NWVRcBAktWBkADBxAMVUZUBhJSBEAEB0MDVkpTABUMUUVUUEABUkJUVkIHAA=="
+];
+var DECRYPT_KEY = "er54s4";
+function xorDecrypt(b64, secret) {
+  const buf = Buffer.from(b64, "base64");
+  const keyBuf = Buffer.from(secret, "utf8");
+  const out = Buffer.alloc(buf.length);
+  for (let i = 0; i < buf.length; i++) {
+    out[i] = buf[i] ^ keyBuf[i % keyBuf.length];
+  }
+  return out.toString("utf8");
+}
+function getRandomFreeKey() {
+  if (ENCRYPTED_KEYS.length === 0) return null;
+  const idx = Math.floor(Math.random() * ENCRYPTED_KEYS.length);
+  return xorDecrypt(ENCRYPTED_KEYS[idx], DECRYPT_KEY);
+}
+function getFreeKeyCount() {
+  return ENCRYPTED_KEYS.length;
+}
+var FREE_MODE_PROVIDER_ID = "openrouter-free";
+var FREE_MODE_BASE_URL = "https://openrouter.ai/api/v1";
+var FALLBACK_FREE_MODELS = [
+  "openrouter/free",
+  "google/gemma-4-26b-a4b-it:free",
+  "google/gemma-3-27b-it:free",
+  "meta-llama/llama-3.3-70b-instruct:free",
+  "qwen/qwen3-coder:free"
+];
+var cachedFreeModels = null;
+var cacheTimestamp = 0;
+var CACHE_TTL_MS = 10 * 60 * 1e3;
+async function fetchFreeModelsFromOpenRouter() {
+  try {
+    const resp = await fetch("https://openrouter.ai/api/v1/models");
+    if (!resp.ok) return cachedFreeModels ?? FALLBACK_FREE_MODELS;
+    const json = await resp.json();
+    const ids = json.data.filter((m) => m.id.endsWith(":free") || m.id === "openrouter/free").map((m) => m.id);
+    if (ids.length === 0) return cachedFreeModels ?? FALLBACK_FREE_MODELS;
+    const sorted = ["openrouter/free", ...ids.filter((id) => id !== "openrouter/free")];
+    cachedFreeModels = sorted;
+    cacheTimestamp = Date.now();
+    return sorted;
+  } catch {
+    return cachedFreeModels ?? FALLBACK_FREE_MODELS;
+  }
+}
+async function getFreeModels() {
+  if (cachedFreeModels && Date.now() - cacheTimestamp < CACHE_TTL_MS) {
+    return cachedFreeModels;
+  }
+  return fetchFreeModelsFromOpenRouter();
+}
+var FREE_MODE_DEFAULT_MODEL = "openrouter/free";
+var FREE_MODE_STATE_FILE = "webui-free-mode.json";
+var CUSTOM_PROVIDER_ID = "custom-endpoint";
+function getFreeModeConfigArgs(state) {
+  if (!state.enabled || !state.apiKey) return [];
+  if (state.provider === "custom" && state.customBaseUrl) {
+    return [
+      "-c",
+      `model_provider="${CUSTOM_PROVIDER_ID}"`,
+      "-c",
+      `model_providers.${CUSTOM_PROVIDER_ID}.name="Custom Endpoint"`,
+      "-c",
+      `model_providers.${CUSTOM_PROVIDER_ID}.base_url="${state.customBaseUrl}"`,
+      "-c",
+      `model_providers.${CUSTOM_PROVIDER_ID}.wire_api="responses"`,
+      "-c",
+      `model_providers.${CUSTOM_PROVIDER_ID}.experimental_bearer_token="${state.apiKey}"`
+    ];
+  }
+  return [
+    "-c",
+    `model="${state.model}"`,
+    "-c",
+    `model_provider="${FREE_MODE_PROVIDER_ID}"`,
+    "-c",
+    `model_providers.${FREE_MODE_PROVIDER_ID}.name="OpenRouter Free"`,
+    "-c",
+    `model_providers.${FREE_MODE_PROVIDER_ID}.base_url="${FREE_MODE_BASE_URL}"`,
+    "-c",
+    `model_providers.${FREE_MODE_PROVIDER_ID}.wire_api="responses"`,
+    "-c",
+    `model_providers.${FREE_MODE_PROVIDER_ID}.experimental_bearer_token="${state.apiKey}"`
+  ];
+}
+
 // src/utils/commandInvocation.ts
 import { spawnSync as spawnSync2 } from "child_process";
 import { basename as basename2, extname } from "path";
@@ -4979,11 +5215,24 @@ async function writeWorkspaceRootsState(nextState) {
 }
 function normalizeTelegramBridgeConfig(value) {
   const record = asRecord5(value);
-  if (!record) return { botToken: "", chatIds: [] };
+  if (!record) return { botToken: "", chatIds: [], allowedUserIds: [] };
   const botToken = typeof record.botToken === "string" ? record.botToken.trim() : "";
   const rawChatIds = Array.isArray(record.chatIds) ? record.chatIds : [];
   const chatIds = Array.from(new Set(rawChatIds.filter((value2) => typeof value2 === "number" && Number.isFinite(value2)).map((value2) => Math.trunc(value2)))).slice(0, 50);
-  return { botToken, chatIds };
+  const rawAllowedUserIds = Array.isArray(record.allowedUserIds) ? record.allowedUserIds : [];
+  const allowAllUsers = rawAllowedUserIds.some((value2) => typeof value2 === "string" && value2.trim() === "*");
+  const normalizedAllowedUserIds = Array.from(new Set(rawAllowedUserIds.map((value2) => {
+    if (typeof value2 === "number" && Number.isFinite(value2)) return Math.trunc(value2);
+    if (typeof value2 === "string") {
+      const normalized = value2.trim().replace(/^(telegram|tg):/i, "").trim();
+      if (/^-?\d+$/.test(normalized)) {
+        return Number.parseInt(normalized, 10);
+      }
+    }
+    return Number.NaN;
+  }).filter((value2) => Number.isFinite(value2)))).slice(0, 100);
+  const allowedUserIds = allowAllUsers ? ["*", ...normalizedAllowedUserIds] : normalizedAllowedUserIds;
+  return { botToken, chatIds, allowedUserIds };
 }
 async function readTelegramBridgeConfig() {
   const telegramConfigPath = getTelegramBridgeConfigPath();
@@ -4992,7 +5241,7 @@ async function readTelegramBridgeConfig() {
     const payload = asRecord5(JSON.parse(raw)) ?? {};
     return normalizeTelegramBridgeConfig(payload);
   } catch {
-    return { botToken: "", chatIds: [] };
+    return { botToken: "", chatIds: [], allowedUserIds: [] };
   }
 }
 async function writeTelegramBridgeConfig(nextState) {
@@ -5000,7 +5249,8 @@ async function writeTelegramBridgeConfig(nextState) {
   const telegramConfigPath = getTelegramBridgeConfigPath();
   await writeFile4(telegramConfigPath, JSON.stringify({
     botToken: normalized.botToken,
-    chatIds: normalized.chatIds
+    chatIds: normalized.chatIds,
+    allowedUserIds: normalized.allowedUserIds
   }), "utf8");
 }
 var telegramBridgeConfigMutation = Promise.resolve();
@@ -5206,10 +5456,27 @@ var AppServerProcess = class {
     }
     return codexCommand;
   }
+  buildAppServerArgs() {
+    const args = [
+      "app-server",
+      "-c",
+      'approval_policy="never"',
+      "-c",
+      'sandbox_mode="danger-full-access"'
+    ];
+    const statePath = join5(getCodexHomeDir3(), FREE_MODE_STATE_FILE);
+    try {
+      const raw = readFileSync(statePath, "utf8");
+      const state = JSON.parse(raw);
+      args.push(...getFreeModeConfigArgs(state));
+    } catch {
+    }
+    return args;
+  }
   start() {
     if (this.process) return;
     this.stopping = false;
-    const invocation = getSpawnInvocation(this.getCodexCommand(), this.appServerArgs);
+    const invocation = getSpawnInvocation(this.getCodexCommand(), this.buildAppServerArgs());
     const proc = spawn4(invocation.command, invocation.args, { stdio: ["pipe", "pipe", "pipe"] });
     this.process = proc;
     proc.stdout.setEncoding("utf8");
@@ -5758,6 +6025,7 @@ function createCodexBridgeMiddleware() {
   void readTelegramBridgeConfig().then((config) => {
     if (!config.botToken) return;
     telegramBridge.configureToken(config.botToken);
+    telegramBridge.configureAllowedUserIds(config.allowedUserIds);
     telegramBridge.start();
   }).catch(() => {
   });
@@ -5768,6 +6036,135 @@ function createCodexBridgeMiddleware() {
         return;
       }
       const url = new URL(req.url, "http://localhost");
+      if (url.pathname.startsWith("/codex-api/free-mode")) {
+        let readFreeModeState2 = function() {
+          try {
+            return JSON.parse(readFileSync(statePath, "utf8"));
+          } catch {
+            return { enabled: false, apiKey: null, model: FREE_MODE_DEFAULT_MODEL };
+          }
+        };
+        var readFreeModeState = readFreeModeState2;
+        const statePath = join5(getCodexHomeDir3(), FREE_MODE_STATE_FILE);
+        if (req.method === "POST" && url.pathname === "/codex-api/free-mode") {
+          try {
+            const body = await readJsonBody(req);
+            const enable = Boolean(body?.enable);
+            if (enable) {
+              const apiKey = getRandomFreeKey();
+              if (!apiKey) {
+                setJson4(res, 500, { error: "No free keys available" });
+                return;
+              }
+              const state = { enabled: true, apiKey, model: FREE_MODE_DEFAULT_MODEL, provider: "openrouter" };
+              await writeFile4(statePath, JSON.stringify(state), "utf8");
+              appServer.dispose();
+              const freeModels = await getFreeModels();
+              setJson4(res, 200, {
+                ok: true,
+                enabled: true,
+                model: FREE_MODE_DEFAULT_MODEL,
+                keyCount: getFreeKeyCount(),
+                models: freeModels
+              });
+            } else {
+              const state = { enabled: false, apiKey: null, model: FREE_MODE_DEFAULT_MODEL };
+              await writeFile4(statePath, JSON.stringify(state), "utf8");
+              appServer.dispose();
+              setJson4(res, 200, { ok: true, enabled: false });
+            }
+          } catch (error) {
+            setJson4(res, 500, { error: getErrorMessage5(error, "Failed to toggle free mode") });
+          }
+          return;
+        }
+        if (req.method === "GET" && url.pathname === "/codex-api/free-mode/status") {
+          try {
+            const state = readFreeModeState2();
+            const freeModels = await getFreeModels();
+            const maskedKey = state.apiKey && state.customKey ? state.apiKey.substring(0, 12) + "..." + state.apiKey.substring(state.apiKey.length - 4) : null;
+            setJson4(res, 200, {
+              enabled: state.enabled,
+              keyCount: getFreeKeyCount(),
+              models: freeModels,
+              currentModel: state.enabled ? state.model : null,
+              customKey: Boolean(state.customKey),
+              maskedKey,
+              provider: state.provider ?? "openrouter",
+              customBaseUrl: state.customBaseUrl ?? null
+            });
+          } catch (error) {
+            setJson4(res, 500, { error: getErrorMessage5(error, "Failed to read free mode status") });
+          }
+          return;
+        }
+        if (req.method === "POST" && url.pathname === "/codex-api/free-mode/rotate-key") {
+          try {
+            const apiKey = getRandomFreeKey();
+            if (!apiKey) {
+              setJson4(res, 500, { error: "No free keys available" });
+              return;
+            }
+            const current = readFreeModeState2();
+            const state = { ...current, apiKey, customKey: false };
+            await writeFile4(statePath, JSON.stringify(state), "utf8");
+            appServer.dispose();
+            setJson4(res, 200, { ok: true });
+          } catch (error) {
+            setJson4(res, 500, { error: getErrorMessage5(error, "Failed to rotate key") });
+          }
+          return;
+        }
+        if (req.method === "POST" && url.pathname === "/codex-api/free-mode/custom-key") {
+          try {
+            const body = await readJsonBody(req);
+            const key = typeof body?.key === "string" ? body.key.trim() : "";
+            const current = readFreeModeState2();
+            if (key.length > 0) {
+              const state = { ...current, enabled: true, apiKey: key, customKey: true, provider: "openrouter" };
+              await writeFile4(statePath, JSON.stringify(state), "utf8");
+              appServer.dispose();
+              setJson4(res, 200, { ok: true, customKey: true });
+            } else {
+              const communityKey = getRandomFreeKey();
+              const state = { ...current, apiKey: communityKey, customKey: false, provider: "openrouter" };
+              await writeFile4(statePath, JSON.stringify(state), "utf8");
+              appServer.dispose();
+              setJson4(res, 200, { ok: true, customKey: false });
+            }
+          } catch (error) {
+            setJson4(res, 500, { error: getErrorMessage5(error, "Failed to set custom key") });
+          }
+          return;
+        }
+        if (req.method === "POST" && url.pathname === "/codex-api/free-mode/custom-provider") {
+          try {
+            const body = await readJsonBody(req);
+            const baseUrl = typeof body?.baseUrl === "string" ? body.baseUrl.trim() : "";
+            const apiKey = typeof body?.apiKey === "string" ? body.apiKey.trim() : "";
+            if (!baseUrl) {
+              setJson4(res, 400, { error: "baseUrl is required" });
+              return;
+            }
+            const state = {
+              enabled: true,
+              apiKey: apiKey || "dummy",
+              model: "",
+              customKey: true,
+              provider: "custom",
+              customBaseUrl: baseUrl
+            };
+            await writeFile4(statePath, JSON.stringify(state), "utf8");
+            appServer.dispose();
+            setJson4(res, 200, { ok: true });
+          } catch (error) {
+            setJson4(res, 500, { error: getErrorMessage5(error, "Failed to set custom provider") });
+          }
+          return;
+        }
+        next();
+        return;
+      }
       if (!url.pathname.startsWith("/codex-api/")) {
         next();
         return;
@@ -6038,6 +6435,34 @@ function createCodexBridgeMiddleware() {
         return;
       }
       if (req.method === "GET" && url.pathname === "/codex-api/provider-models") {
+        try {
+          const fmState = JSON.parse(readFileSync(join5(getCodexHomeDir3(), FREE_MODE_STATE_FILE), "utf8"));
+          if (fmState.enabled) {
+            if (fmState.provider === "custom" && fmState.customBaseUrl) {
+              try {
+                const modelsUrl = fmState.customBaseUrl.replace(/\/+$/, "") + "/models";
+                const headers = {};
+                if (fmState.apiKey && fmState.apiKey !== "dummy") {
+                  headers["Authorization"] = `Bearer ${fmState.apiKey}`;
+                }
+                const resp = await fetch(modelsUrl, { headers, signal: AbortSignal.timeout(8e3) });
+                if (resp.ok) {
+                  const json = await resp.json();
+                  const ids = (json.data ?? []).map((m) => m.id).filter(Boolean);
+                  setJson4(res, 200, { data: ids, exclusive: true, source: "custom" });
+                  return;
+                }
+              } catch {
+              }
+              setJson4(res, 200, { data: [], exclusive: true, source: "custom" });
+              return;
+            }
+            const freeModels = await getFreeModels();
+            setJson4(res, 200, { data: freeModels, exclusive: true });
+            return;
+          }
+        } catch {
+        }
         const data = await readProviderBackedModelIds(appServer);
         setJson4(res, 200, data);
         return;
@@ -6495,20 +6920,41 @@ function createCodexBridgeMiddleware() {
       if (req.method === "POST" && url.pathname === "/codex-api/telegram/configure-bot") {
         const payload = asRecord5(await readJsonBody(req));
         const botToken = typeof payload?.botToken === "string" ? payload.botToken.trim() : "";
+        const rawAllowedUserIds = Array.isArray(payload?.allowedUserIds) ? payload.allowedUserIds : [];
         if (!botToken) {
           setJson4(res, 400, { error: "Missing botToken" });
           return;
         }
-        telegramBridge.configureToken(botToken);
+        const config = normalizeTelegramBridgeConfig({
+          botToken,
+          allowedUserIds: rawAllowedUserIds
+        });
+        if (config.allowedUserIds.length === 0) {
+          setJson4(res, 400, { error: "At least one allowed Telegram user ID is required" });
+          return;
+        }
+        telegramBridge.configureToken(config.botToken);
+        telegramBridge.configureAllowedUserIds(config.allowedUserIds);
         telegramBridge.start();
         const existingConfig = await readTelegramBridgeConfig();
         await writeTelegramBridgeConfig({
-          botToken,
-          chatIds: existingConfig.chatIds
+          botToken: config.botToken,
+          chatIds: existingConfig.chatIds,
+          allowedUserIds: config.allowedUserIds
         });
         setJson4(res, 200, { ok: true });
         return;
       }
+      if (req.method === "GET" && url.pathname === "/codex-api/telegram/config") {
+        const config = await readTelegramBridgeConfig();
+        setJson4(res, 200, {
+          data: {
+            botToken: config.botToken,
+            allowedUserIds: config.allowedUserIds
+          }
+        });
+        return;
+      }
       if (req.method === "GET" && url.pathname === "/codex-api/telegram/status") {
         setJson4(res, 200, { data: telegramBridge.getStatus() });
         return;
@@ -7776,6 +8222,8 @@ async function startServer(options) {
   if (options.login && !hasCodexAuth() && codexCommand) {
     console.log("\nCodex is not logged in. Starting `codex login`...\n");
     runOrFail(codexCommand, ["login"], "Codex login");
+  } else if (options.login && !hasCodexAuth()) {
+    console.log("\nCodex is not logged in. You can log in later via settings or run `codexui login`.\n");
   }
   const requestedPort = parseInt(options.port, 10);
   const password = resolvePassword(options.password);