commons-proxy 2.0.0 → 2.1.0

package/README.md

@@ -7,9 +7,9 @@
 
 <a href="https://buymeacoffee.com/badrinarayanans" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" height="50"></a>
 
-A **universal AI proxy server** exposing an **Anthropic-compatible API** backed by **multiple providers** (Google Cloud Code, Anthropic, OpenAI, GitHub Models, GitHub Copilot, OpenRouter), enabling you to use Claude, Gemini, GPT, and more with **Claude Code CLI**.
+A **universal AI proxy server** exposing an **Anthropic-compatible API** backed by **multiple providers** (Google Cloud Code, Anthropic, OpenAI, GitHub Models, GitHub Copilot, ChatGPT Plus/Pro, OpenRouter), enabling you to use Claude, Gemini, GPT, and more with **Claude Code CLI**.
 
-> 🎉 **v2.0.0 Released**: Now supporting Anthropic, OpenAI, GitHub Models, GitHub Copilot, and OpenRouter in addition to Google Cloud Code!
+> 🎉 **v2.1.0 Released**: Now supporting Anthropic, OpenAI, GitHub Models, GitHub Copilot, ChatGPT Plus/Pro (Codex), and OpenRouter in addition to Google Cloud Code!
 
 📚 **Quick Links**: [Installation](#installation) | [Provider Setup](docs/PROVIDERS.md) | [Docker](#option-3-docker-recommended-for-production) | [Contributing](CONTRIBUTING.md)
 
@@ -23,7 +23,8 @@ A **universal AI proxy server** exposing an **Anthropic-compatible API** backed
 └──────────────────┘     └─────────────────────┘     │  • OpenAI API           │
                                                       │  • GitHub Models        │
                                                       │  • GitHub Copilot       │
-                                                      │  • OpenRouter            │
+                                                      │  • ChatGPT Plus/Pro     │
+                                                      │  • OpenRouter           │
                                                       └─────────────────────────┘
 ```
 
@@ -36,7 +37,7 @@ A **universal AI proxy server** exposing an **Anthropic-compatible API** backed
 
 **Key Features**:
 - 🔄 **Multi-Provider Support**: Use Google, Anthropic, OpenAI, GitHub Models, GitHub Copilot, and OpenRouter accounts
-- 🔐 **Flexible Authentication**: OAuth 2.0 (Google), Device Auth (Copilot), or API Keys (others)
+- 🔐 **Flexible Authentication**: OAuth 2.0 (Google), Device Auth (Copilot, Codex), or API Keys (others)
 - ⚖️ **Intelligent Load Balancing**: Hybrid/Sticky/Round-Robin strategies
 - 📊 **Real-time Quota Tracking**: Dashboard shows usage across all providers
 - 💾 **Prompt Caching**: Maintains cache continuity with sticky account selection
@@ -50,7 +51,8 @@ A **universal AI proxy server** exposing an **Anthropic-compatible API** backed
 | **Anthropic** | API Key | Claude 3.5 Sonnet/Opus/Haiku | ⚠️ Manual (console) | ✅ Supported |
 | **OpenAI** | API Key | GPT-4 Turbo, GPT-4, GPT-3.5 Turbo | ⚠️ Manual (console) | ✅ Supported |
 | **GitHub Models** | Personal Access Token | GitHub Marketplace models | ⚠️ GitHub API limits | ✅ Supported |
-| **GitHub Copilot** | Device Authorization | GPT-4o, GPT-4, Claude 3.5 Sonnet, o1 | ⚠️ Copilot limits | ✅ Supported |
+| **GitHub Copilot** | Device Authorization | GPT-4o, Claude Sonnet 4, o1, o3-mini | ⚠️ Copilot limits | ✅ Supported |
+| **ChatGPT Plus/Pro** | OAuth (Browser/Device) | GPT-5 Codex, GPT-5.1 Codex | ⚠️ Subscription limits | ✅ New |
 | **OpenRouter** | API Key | 100+ models (Claude, GPT, Gemini, Llama, etc.) | ✅ Credit-based | ✅ Supported |
 
 **Quota Tracking Legend**:
@@ -739,10 +741,9 @@ See [CLAUDE.md](./CLAUDE.md) for detailed architecture documentation, including:
 
 ## Credits
 
-This project is based on insights and code from:
-
-- [opencode-antigravity-auth](https://github.com/NoeFabris/opencode-antigravity-auth) - CommonsProxy OAuth plugin for OpenCode
-- [claude-code-proxy](https://github.com/1rgs/claude-code-proxy) - Anthropic API proxy using LiteLLM
+- **[opencode](https://github.com/nichochar/opencode)** — Authentication flows for GitHub Copilot (device auth) and ChatGPT Plus/Pro (Codex OAuth) are inspired by opencode's plugin architecture. Copilot client ID, header handling, and Codex PKCE/device auth flows adapted from opencode's `copilot.ts` and `codex.ts` plugins.
+- **[opencode-antigravity-auth](https://github.com/NoeFabris/opencode-antigravity-auth)** — CommonsProxy OAuth plugin for OpenCode
+- **[claude-code-proxy](https://github.com/1rgs/claude-code-proxy)** — Anthropic API proxy using LiteLLM
 
 ---
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "commons-proxy",
-  "version": "2.0.0",
-  "description": "Universal AI proxy server with multi-provider support (Google Cloud Code, Anthropic, OpenAI, GitHub Models, GitHub Copilot, OpenRouter) - Anthropic-compatible API for Claude Code CLI",
+  "version": "2.1.0",
+  "description": "Universal AI proxy server with multi-provider support (Google Cloud Code, Anthropic, OpenAI, GitHub Models, GitHub Copilot, ChatGPT Plus/Pro, OpenRouter) - Anthropic-compatible API for Claude Code CLI",
   "main": "src/index.js",
   "type": "module",
   "bin": {
@@ -53,6 +53,8 @@
     "llm-proxy",
     "llm",
     "copilot",
+    "codex",
+    "chatgpt",
     "proxy",
     "vertex-ai",
     "gemini",

package/src/cli/accounts.js

@@ -21,6 +21,7 @@ import { dirname } from 'path';
 import { spawn } from 'child_process';
 import net from 'net';
 import { ACCOUNT_CONFIG_PATH, DEFAULT_PORT, MAX_ACCOUNTS } from '../constants.js';
+import { COPILOT_CONFIG } from '../providers/copilot.js';
 import {
     getAuthorizationUrl,
     startCallbackServer,
@@ -511,7 +512,7 @@ async function addCopilotAccount(rl) {
                         'User-Agent': 'commons-proxy/2.0.0'
                     },
                     body: JSON.stringify({
-                        client_id: 'Iv1.b507a08c87ecfe98',
+                        client_id: COPILOT_CONFIG.clientId,
                         device_code: deviceData.device_code,
                         grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
                     })

package/src/constants.js

@@ -328,6 +328,15 @@ export const PROVIDER_CONFIG = {
         color: '#6d28d9', // Purple
         icon: 'openrouter',
         requiresProjectId: false
+    },
+    codex: {
+        id: 'codex',
+        name: 'ChatGPT Plus/Pro (Codex)',
+        authType: 'device-auth', // OpenAI Device Authorization Flow
+        apiEndpoint: 'https://chatgpt.com/backend-api/codex/responses',
+        color: '#10b981', // Green (OpenAI family)
+        icon: 'openai',
+        requiresProjectId: false
     }
 };
 
@@ -338,7 +347,8 @@ export const PROVIDER_NAMES = {
     openai: 'OpenAI',
     github: 'GitHub Models',
     copilot: 'GitHub Copilot',
-    openrouter: 'OpenRouter'
+    openrouter: 'OpenRouter',
+    codex: 'ChatGPT Plus/Pro (Codex)'
 };
 
 // Provider colors for UI visualization
@@ -348,7 +358,8 @@ export const PROVIDER_COLORS = {
     openai: '#10b981',
     github: '#6366f1',
     copilot: '#f97316',
-    openrouter: '#6d28d9'
+    openrouter: '#6d28d9',
+    codex: '#10b981'
 };
 
 export default {

package/src/providers/codex-auth.js

@@ -0,0 +1,440 @@
+/**
+ * OpenAI Codex OAuth Provider
+ *
+ * Enables ChatGPT Plus/Pro users to authenticate via OAuth (browser or device flow).
+ * Inspired by opencode's codex.ts plugin implementation.
+ *
+ * Supports two auth methods:
+ * 1. Browser OAuth (PKCE flow with local callback server)
+ * 2. Headless device auth (for SSH/remote environments)
+ *
+ * Credits: Authentication flow based on opencode (https://github.com/nichochar/opencode)
+ */
+
+import crypto from 'crypto';
+import http from 'http';
+import { logger } from '../utils/logger.js';
+
+// OpenAI Codex OAuth configuration (from opencode's codex.ts)
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const CODEX_ISSUER = 'https://auth.openai.com';
+const CODEX_API_ENDPOINT = 'https://chatgpt.com/backend-api/codex/responses';
+const CODEX_OAUTH_PORT = 1455;
+const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+
+/**
+ * Generate PKCE code verifier and challenge
+ */
+function generatePKCE() {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+    const bytes = crypto.randomBytes(43);
+    const verifier = Array.from(bytes).map(b => chars[b % chars.length]).join('');
+
+    const challenge = crypto
+        .createHash('sha256')
+        .update(verifier)
+        .digest('base64url');
+
+    return { verifier, challenge };
+}
+
+/**
+ * Generate random state parameter
+ */
+function generateState() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+
+/**
+ * Parse JWT claims from an ID token or access token
+ * @param {string} token - JWT token
+ * @returns {Object|undefined} Parsed claims
+ */
+export function parseJwtClaims(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) return undefined;
+    try {
+        return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    } catch {
+        return undefined;
+    }
+}
+
+/**
+ * Extract ChatGPT account ID from JWT claims
+ * @param {Object} claims - JWT claims
+ * @returns {string|undefined} Account ID
+ */
+export function extractAccountIdFromClaims(claims) {
+    return (
+        claims.chatgpt_account_id ||
+        claims['https://api.openai.com/auth']?.chatgpt_account_id ||
+        claims.organizations?.[0]?.id
+    );
+}
+
+/**
+ * Extract account ID from token response
+ * @param {Object} tokens - Token response with id_token and access_token
+ * @returns {string|undefined} Account ID
+ */
+export function extractAccountId(tokens) {
+    if (tokens.id_token) {
+        const claims = parseJwtClaims(tokens.id_token);
+        const accountId = claims && extractAccountIdFromClaims(claims);
+        if (accountId) return accountId;
+    }
+    if (tokens.access_token) {
+        const claims = parseJwtClaims(tokens.access_token);
+        return claims ? extractAccountIdFromClaims(claims) : undefined;
+    }
+    return undefined;
+}
+
+/**
+ * Build the OAuth authorization URL
+ * @param {string} redirectUri - Redirect URI for callback
+ * @param {Object} pkce - PKCE codes { verifier, challenge }
+ * @param {string} state - State parameter
+ * @returns {string} Authorization URL
+ */
+function buildAuthorizeUrl(redirectUri, pkce, state) {
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: CODEX_CLIENT_ID,
+        redirect_uri: redirectUri,
+        scope: 'openid profile email offline_access',
+        code_challenge: pkce.challenge,
+        code_challenge_method: 'S256',
+        id_token_add_organizations: 'true',
+        codex_cli_simplified_flow: 'true',
+        state,
+        originator: 'commons-proxy'
+    });
+    return `${CODEX_ISSUER}/oauth/authorize?${params.toString()}`;
+}
+
+/**
+ * Exchange authorization code for tokens
+ * @param {string} code - Authorization code
+ * @param {string} redirectUri - Redirect URI used in authorization
+ * @param {Object} pkce - PKCE codes { verifier }
+ * @returns {Promise<Object>} Token response
+ */
+async function exchangeCodeForTokens(code, redirectUri, pkce) {
+    const response = await fetch(`${CODEX_ISSUER}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            client_id: CODEX_CLIENT_ID,
+            code_verifier: pkce.verifier
+        }).toString()
+    });
+
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Token exchange failed: ${response.status} ${text}`);
+    }
+
+    return response.json();
+}
+
+/**
+ * Refresh an access token using a refresh token
+ * @param {string} refreshToken - OAuth refresh token
+ * @returns {Promise<Object>} Token response
+ */
+export async function refreshCodexAccessToken(refreshToken) {
+    const response = await fetch(`${CODEX_ISSUER}/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: CODEX_CLIENT_ID
+        }).toString()
+    });
+
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Token refresh failed: ${response.status} ${text}`);
+    }
+
+    return response.json();
+}
+
+// ============================================================================
+// Browser OAuth Flow (PKCE with local callback server)
+// ============================================================================
+
+const HTML_SUCCESS = `<!doctype html>
+<html>
+  <head><title>CommonsProxy - Authorization Successful</title>
+    <style>
+      body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #131010; color: #f1ecec; }
+      .container { text-align: center; padding: 2rem; }
+      h1 { color: #28a745; margin-bottom: 1rem; }
+      p { color: #b7b1b1; }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <h1>Authorization Successful</h1>
+      <p>You can close this window and return to CommonsProxy.</p>
+    </div>
+    <script>setTimeout(() => window.close(), 2000)</script>
+  </body>
+</html>`;
+
+const HTML_ERROR = (error) => `<!doctype html>
+<html>
+  <head><title>CommonsProxy - Authorization Failed</title>
+    <style>
+      body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #131010; color: #f1ecec; }
+      .container { text-align: center; padding: 2rem; }
+      h1 { color: #dc3545; margin-bottom: 1rem; }
+      p { color: #b7b1b1; }
+      .error { color: #ff917b; font-family: monospace; margin-top: 1rem; padding: 1rem; background: #3c140d; border-radius: 0.5rem; }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <h1>Authorization Failed</h1>
+      <p>An error occurred during authorization.</p>
+      <div class="error">${error}</div>
+    </div>
+  </body>
+</html>`;
+
+/**
+ * Start browser OAuth flow for OpenAI Codex
+ * Returns authorization URL and a promise that resolves with tokens
+ *
+ * @returns {Promise<{url: string, promise: Promise<Object>, abort: Function}>}
+ */
+export async function startCodexBrowserAuth() {
+    const pkce = generatePKCE();
+    const state = generateState();
+    const port = CODEX_OAUTH_PORT;
+    const redirectUri = `http://localhost:${port}/auth/callback`;
+    const authUrl = buildAuthorizeUrl(redirectUri, pkce, state);
+
+    let server = null;
+    let pendingResolve = null;
+    let pendingReject = null;
+    let timeoutId = null;
+
+    const promise = new Promise((resolve, reject) => {
+        pendingResolve = resolve;
+        pendingReject = reject;
+
+        server = http.createServer(async (req, res) => {
+            const url = new URL(req.url, `http://localhost:${port}`);
+
+            if (url.pathname === '/auth/callback') {
+                const code = url.searchParams.get('code');
+                const returnedState = url.searchParams.get('state');
+                const error = url.searchParams.get('error');
+                const errorDescription = url.searchParams.get('error_description');
+
+                if (error) {
+                    const errorMsg = errorDescription || error;
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(HTML_ERROR(errorMsg));
+                    reject(new Error(errorMsg));
+                    cleanup();
+                    return;
+                }
+
+                if (!code) {
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(HTML_ERROR('Missing authorization code'));
+                    reject(new Error('Missing authorization code'));
+                    cleanup();
+                    return;
+                }
+
+                if (returnedState !== state) {
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(HTML_ERROR('Invalid state - potential CSRF attack'));
+                    reject(new Error('State mismatch'));
+                    cleanup();
+                    return;
+                }
+
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(HTML_SUCCESS);
+
+                try {
+                    const tokens = await exchangeCodeForTokens(code, redirectUri, pkce);
+                    const accountId = extractAccountId(tokens);
+                    resolve({
+                        accessToken: tokens.access_token,
+                        refreshToken: tokens.refresh_token,
+                        idToken: tokens.id_token,
+                        expiresIn: tokens.expires_in,
+                        accountId
+                    });
+                } catch (err) {
+                    reject(err);
+                }
+                cleanup();
+                return;
+            }
+
+            res.writeHead(404);
+            res.end('Not found');
+        });
+
+        server.listen(port, () => {
+            logger.info(`[CodexAuth] OAuth callback server listening on port ${port}`);
+        });
+
+        server.on('error', (err) => {
+            reject(new Error(`Failed to start OAuth server on port ${port}: ${err.message}`));
+        });
+
+        // 5 minute timeout
+        timeoutId = setTimeout(() => {
+            reject(new Error('OAuth callback timeout'));
+            cleanup();
+        }, 5 * 60 * 1000);
+    });
+
+    const cleanup = () => {
+        if (timeoutId) clearTimeout(timeoutId);
+        if (server) {
+            server.close();
+            server = null;
+        }
+    };
+
+    const abort = () => {
+        if (pendingReject) {
+            pendingReject(new Error('OAuth flow aborted'));
+        }
+        cleanup();
+    };
+
+    return { url: authUrl, promise, abort };
+}
+
+// ============================================================================
+// Headless Device Auth Flow
+// ============================================================================
+
+/**
+ * Initiate headless device authorization for OpenAI Codex
+ * Returns device code info for user to complete in browser
+ *
+ * @returns {Promise<Object>} { deviceAuthId, userCode, interval }
+ */
+export async function initiateCodexDeviceAuth() {
+    const response = await fetch(`${CODEX_ISSUER}/api/accounts/deviceauth/usercode`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': 'commons-proxy/2.0.0'
+        },
+        body: JSON.stringify({ client_id: CODEX_CLIENT_ID })
+    });
+
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Failed to initiate device authorization: ${response.status} ${text}`);
+    }
+
+    const data = await response.json();
+    return {
+        deviceAuthId: data.device_auth_id,
+        userCode: data.user_code,
+        interval: Math.max(parseInt(data.interval) || 5, 1),
+        verificationUri: `${CODEX_ISSUER}/codex/device`
+    };
+}
+
+/**
+ * Poll for device auth token completion
+ * Single poll attempt - caller should retry
+ *
+ * @param {string} deviceAuthId - Device auth ID from initiateCodexDeviceAuth
+ * @param {string} userCode - User code from initiateCodexDeviceAuth
+ * @returns {Promise<Object>} { completed, tokens?, pending? }
+ */
+export async function pollCodexDeviceAuth(deviceAuthId, userCode) {
+    const response = await fetch(`${CODEX_ISSUER}/api/accounts/deviceauth/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': 'commons-proxy/2.0.0'
+        },
+        body: JSON.stringify({
+            device_auth_id: deviceAuthId,
+            user_code: userCode
+        })
+    });
+
+    if (response.ok) {
+        const data = await response.json();
+
+        // Exchange the authorization code for tokens
+        const tokenResponse = await fetch(`${CODEX_ISSUER}/oauth/token`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'authorization_code',
+                code: data.authorization_code,
+                redirect_uri: `${CODEX_ISSUER}/deviceauth/callback`,
+                client_id: CODEX_CLIENT_ID,
+                code_verifier: data.code_verifier
+            }).toString()
+        });
+
+        if (!tokenResponse.ok) {
+            throw new Error(`Token exchange failed: ${tokenResponse.status}`);
+        }
+
+        const tokens = await tokenResponse.json();
+        const accountId = extractAccountId(tokens);
+
+        return {
+            completed: true,
+            tokens: {
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                idToken: tokens.id_token,
+                expiresIn: tokens.expires_in,
+                accountId
+            }
+        };
+    }
+
+    // 403/404 means still pending
+    if (response.status === 403 || response.status === 404) {
+        return { completed: false, pending: true };
+    }
+
+    // Other errors
+    return { completed: false, error: `Unexpected response: ${response.status}` };
+}
+
+// Export configuration
+export const CODEX_CONFIG = {
+    clientId: CODEX_CLIENT_ID,
+    issuer: CODEX_ISSUER,
+    apiEndpoint: CODEX_API_ENDPOINT,
+    oauthPort: CODEX_OAUTH_PORT
+};
+
+export default {
+    startCodexBrowserAuth,
+    initiateCodexDeviceAuth,
+    pollCodexDeviceAuth,
+    refreshCodexAccessToken,
+    extractAccountId,
+    parseJwtClaims,
+    CODEX_CONFIG
+};

package/src/providers/copilot.js

@@ -11,15 +11,16 @@
 import BaseProvider from './base-provider.js';
 
 // GitHub Copilot OAuth configuration
-const COPILOT_CLIENT_ID = 'Iv1.b507a08c87ecfe98';
+// Client ID from opencode's copilot plugin (newer OAuth app)
+const COPILOT_CLIENT_ID = 'Ov23li8tweQw6odWQebz';
 const COPILOT_DEVICE_CODE_URL = 'https://github.com/login/device/code';
 const COPILOT_ACCESS_TOKEN_URL = 'https://github.com/login/oauth/access_token';
 const COPILOT_API_URL = 'https://api.githubcopilot.com';
 const COPILOT_TOKEN_URL = 'https://api.github.com/copilot_internal/v2/token';
 
-// In-memory cache for short-lived Copilot API tokens
-// Maps GitHub access token -> { token, expiresAt }
-const copilotTokenCache = new Map();
+// Polling safety margin to avoid hitting the server too early (from opencode)
+const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+
 
 export class CopilotProvider extends BaseProvider {
     constructor(config = {}) {
@@ -63,16 +64,6 @@ export class CopilotProvider extends BaseProvider {
 
             const userData = await userResponse.json();
 
-            // Try to get a Copilot token to verify Copilot access
-            try {
-                await this._getCopilotToken(account.apiKey);
-            } catch (copilotError) {
-                return {
-                    valid: false,
-                    error: `GitHub token valid but Copilot access denied: ${copilotError.message}. Ensure you have an active GitHub Copilot subscription.`
-                };
-            }
-
             const email = userData.email || `${userData.login}@github`;
             return { valid: true, email };
         } catch (error) {
@@ -82,60 +73,21 @@ export class CopilotProvider extends BaseProvider {
     }
 
     /**
-     * Get Copilot API token from the stored GitHub access token.
-     * Copilot tokens are short-lived (~30 min), so we cache and refresh.
+     * Get access token for Copilot API requests.
+     * Following opencode's approach: use the GitHub OAuth token directly
+     * as Bearer auth with proper Copilot headers.
      *
      * @param {Object} account - Account with apiKey (GitHub access token)
-     * @returns {Promise<string>} Copilot API token
+     * @returns {Promise<string>} GitHub access token (used directly as Bearer)
      */
     async getAccessToken(account) {
         if (!account.apiKey) {
             throw new Error('Account missing GitHub access token');
         }
 
-        const copilotToken = await this._getCopilotToken(account.apiKey);
-        return copilotToken;
-    }
-
-    /**
-     * Internal: Get or refresh Copilot API token
-     *
-     * @param {string} githubToken - GitHub OAuth access token
-     * @returns {Promise<string>} Copilot API token
-     */
-    async _getCopilotToken(githubToken) {
-        // Check cache
-        const cached = copilotTokenCache.get(githubToken);
-        if (cached && cached.expiresAt > Date.now() + 60000) {
-            // Return cached token if it has > 1 minute left
-            return cached.token;
-        }
-
-        const response = await fetch(this.config.tokenUrl, {
-            method: 'GET',
-            headers: {
-                'Authorization': `Bearer ${githubToken}`,
-                'User-Agent': 'commons-proxy/2.0.0',
-                'Accept': 'application/json'
-            }
-        });
-
-        if (!response.ok) {
-            const text = await response.text();
-            throw new Error(`Failed to get Copilot token: ${response.status} ${text}`);
-        }
-
-        const data = await response.json();
-        const expiresAt = data.expires_at
-            ? new Date(data.expires_at * 1000).getTime()
-            : Date.now() + 30 * 60 * 1000; // Default 30 min
-
-        copilotTokenCache.set(githubToken, {
-            token: data.token,
-            expiresAt
-        });
-
-        return data.token;
+        // opencode uses the GitHub token directly as Bearer auth
+        // with Copilot-specific headers, no separate token exchange needed
+        return account.apiKey;
     }
 
     /**
@@ -201,6 +153,7 @@ export class CopilotProvider extends BaseProvider {
 
     /**
      * Get available models from Copilot
+     * Updated model list to match current Copilot offerings (aligned with opencode)
      *
      * @param {Object} account - Account object
      * @param {string} token - Copilot API token
@@ -209,12 +162,15 @@ export class CopilotProvider extends BaseProvider {
     async getAvailableModels(account, token) {
         return [
             { id: 'gpt-4o', name: 'GPT-4o', family: 'gpt' },
+            { id: 'gpt-4o-mini', name: 'GPT-4o Mini', family: 'gpt' },
             { id: 'gpt-4', name: 'GPT-4', family: 'gpt' },
             { id: 'gpt-4-turbo', name: 'GPT-4 Turbo', family: 'gpt' },
-            { id: 'gpt-3.5-turbo', name: 'GPT-3.5 Turbo', family: 'gpt' },
+            { id: 'claude-sonnet-4', name: 'Claude Sonnet 4', family: 'claude' },
             { id: 'claude-3.5-sonnet', name: 'Claude 3.5 Sonnet', family: 'claude' },
+            { id: 'claude-haiku-3.5', name: 'Claude Haiku 3.5', family: 'claude' },
             { id: 'o1-preview', name: 'o1 Preview', family: 'o1' },
-            { id: 'o1-mini', name: 'o1 Mini', family: 'o1' }
+            { id: 'o1-mini', name: 'o1 Mini', family: 'o1' },
+            { id: 'o3-mini', name: 'o3 Mini', family: 'o3' }
         ];
     }
 
@@ -273,10 +229,13 @@ export class CopilotProvider extends BaseProvider {
 
     /**
      * Initiate device authorization flow
+     * Uses the same flow as opencode's copilot plugin
+     * @param {string} [domain='github.com'] - GitHub domain (for Enterprise support)
      * @returns {Promise<Object>} Device code response with verification_uri and user_code
      */
-    static async initiateDeviceAuth() {
-        const response = await fetch(COPILOT_DEVICE_CODE_URL, {
+    static async initiateDeviceAuth(domain = 'github.com') {
+        const deviceCodeUrl = `https://${domain}/login/device/code`;
+        const response = await fetch(deviceCodeUrl, {
             method: 'POST',
             headers: {
                 'Accept': 'application/json',
@@ -299,22 +258,24 @@ export class CopilotProvider extends BaseProvider {
 
     /**
      * Poll for access token after user completes device auth
+     * Matches opencode's polling logic with proper slow_down handling per RFC 8628
      * @param {string} deviceCode - Device code from initiateDeviceAuth
      * @param {number} interval - Polling interval in seconds
      * @param {AbortSignal} [signal] - Optional abort signal
+     * @param {string} [domain='github.com'] - GitHub domain (for Enterprise support)
      * @returns {Promise<Object>} { accessToken, tokenType }
      */
-    static async pollForToken(deviceCode, interval = 5, signal = null) {
-        const maxAttempts = 60; // 5 minutes max
+    static async pollForToken(deviceCode, interval = 5, signal = null, domain = 'github.com') {
+        const accessTokenUrl = `https://${domain}/login/oauth/access_token`;
 
-        for (let attempt = 0; attempt < maxAttempts; attempt++) {
+        while (true) {
             if (signal?.aborted) {
                 throw new Error('Device auth polling aborted');
             }
 
-            await new Promise(resolve => setTimeout(resolve, interval * 1000));
+            await new Promise(resolve => setTimeout(resolve, interval * 1000 + OAUTH_POLLING_SAFETY_MARGIN_MS));
 
-            const response = await fetch(COPILOT_ACCESS_TOKEN_URL, {
+            const response = await fetch(accessTokenUrl, {
                 method: 'POST',
                 headers: {
                     'Accept': 'application/json',
@@ -329,7 +290,7 @@ export class CopilotProvider extends BaseProvider {
             });
 
             if (!response.ok) {
-                continue;
+                return { accessToken: null, error: 'failed' };
             }
 
             const data = await response.json();
@@ -346,16 +307,23 @@ export class CopilotProvider extends BaseProvider {
             }
 
             if (data.error === 'slow_down') {
+                // Per RFC 8628 section 3.5: add 5 seconds to current polling interval
                 interval += 5;
+                // Use server-provided interval if available
+                if (data.interval && typeof data.interval === 'number' && data.interval > 0) {
+                    interval = data.interval;
+                }
                 continue;
             }
 
+            if (data.error === 'expired_token') {
+                throw new Error('Device code expired. Please try again.');
+            }
+
             if (data.error) {
                 throw new Error(`OAuth error: ${data.error_description || data.error}`);
             }
         }
-
-        throw new Error('Authorization timed out after 5 minutes');
     }
 
     /**
@@ -385,6 +353,31 @@ export class CopilotProvider extends BaseProvider {
             name: data.name || data.login
         };
     }
+
+    /**
+     * Build request headers for Copilot API calls.
+     * Matches opencode's copilot plugin header format.
+     *
+     * @param {string} githubToken - GitHub OAuth access token
+     * @param {Object} [options] - Additional options
+     * @param {boolean} [options.isAgent=false] - Whether this is an agent-initiated request
+     * @param {boolean} [options.isVision=false] - Whether this request contains vision content
+     * @returns {Object} Headers object
+     */
+    static buildCopilotHeaders(githubToken, options = {}) {
+        const headers = {
+            'Authorization': `Bearer ${githubToken}`,
+            'User-Agent': 'commons-proxy/2.0.0',
+            'Openai-Intent': 'conversation-edits',
+            'x-initiator': options.isAgent ? 'agent' : 'user'
+        };
+
+        if (options.isVision) {
+            headers['Copilot-Vision-Request'] = 'true';
+        }
+
+        return headers;
+    }
 }
 
 // Export config constants for use by other modules

package/src/providers/index.js

@@ -128,10 +128,11 @@ export function registerAuthProvider(id, provider) {
  * @returns {Array<{id: string, name: string, authType: string}>} Provider list
  */
 export function getAllAuthProviders() {
+    const deviceAuthProviders = new Set(['copilot', 'codex']);
     return Array.from(authProviders.entries()).map(([id, provider]) => ({
         id,
         name: provider.name,
-        authType: id === 'google' ? 'oauth' : (id === 'copilot' ? 'device-auth' : 'api-key')
+        authType: id === 'google' ? 'oauth' : (deviceAuthProviders.has(id) ? 'device-auth' : 'api-key')
     }));
 }
 

package/src/webui/index.js

@@ -24,6 +24,8 @@ import { logger } from '../utils/logger.js';
 import { getAuthorizationUrl, completeOAuthFlow, startCallbackServer } from '../auth/oauth.js';
 import { loadAccounts, saveAccounts } from '../account-manager/storage.js';
 import { getAllAuthProviders, getAuthProvider } from '../providers/index.js';
+import { COPILOT_CONFIG } from '../providers/copilot.js';
+import { initiateCodexDeviceAuth, pollCodexDeviceAuth, startCodexBrowserAuth, CODEX_CONFIG } from '../providers/codex-auth.js';
 
 // Get package version
 const __filename = fileURLToPath(import.meta.url);
@@ -449,8 +451,8 @@ export function mountWebUI(app, dirname, accountManager) {
                 return res.status(400).json({ status: 'error', error: 'provider is required' });
             }
 
-            // For non-Google, non-Copilot providers, API key is required
-            if (provider !== 'google' && provider !== 'copilot' && !apiKey) {
+            // For non-Google, non-Copilot, non-Codex providers, API key is required
+            if (provider !== 'google' && provider !== 'copilot' && provider !== 'codex' && !apiKey) {
                 return res.status(400).json({ status: 'error', error: 'apiKey is required for this provider' });
             }
 
@@ -547,7 +549,7 @@ export function mountWebUI(app, dirname, accountManager) {
                     'User-Agent': 'commons-proxy/2.0.0'
                 },
                 body: JSON.stringify({
-                    client_id: 'Iv1.b507a08c87ecfe98',
+                    client_id: COPILOT_CONFIG.clientId,
                     device_code: flow.deviceCode,
                     grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
                 })
@@ -597,6 +599,161 @@ export function mountWebUI(app, dirname, accountManager) {
         }
     });
 
+    // ==========================================
+    // OpenAI Codex Auth API (ChatGPT Plus/Pro)
+    // Inspired by opencode's codex.ts plugin
+    // ==========================================
+
+    // Pending Codex device auth flows
+    const pendingCodexFlows = new Map();
+
+    /**
+     * POST /api/codex/device-auth - Initiate Codex headless device authorization
+     */
+    app.post('/api/codex/device-auth', async (req, res) => {
+        try {
+            const deviceData = await initiateCodexDeviceAuth();
+
+            const flowId = crypto.randomUUID();
+            pendingCodexFlows.set(flowId, {
+                deviceAuthId: deviceData.deviceAuthId,
+                userCode: deviceData.userCode,
+                interval: deviceData.interval,
+                timestamp: Date.now()
+            });
+
+            // Clean up old flows (> 10 mins)
+            const now = Date.now();
+            for (const [key, val] of pendingCodexFlows.entries()) {
+                if (now - val.timestamp > 10 * 60 * 1000) {
+                    pendingCodexFlows.delete(key);
+                }
+            }
+
+            res.json({
+                status: 'ok',
+                flowId,
+                verificationUri: deviceData.verificationUri,
+                userCode: deviceData.userCode,
+                interval: deviceData.interval
+            });
+        } catch (error) {
+            logger.error('[WebUI] Codex device auth error:', error);
+            res.status(500).json({ status: 'error', error: error.message });
+        }
+    });
+
+    /**
+     * POST /api/codex/poll-token - Poll for Codex token after user authorizes
+     */
+    app.post('/api/codex/poll-token', async (req, res) => {
+        try {
+            const { flowId } = req.body;
+            if (!flowId) {
+                return res.status(400).json({ status: 'error', error: 'flowId is required' });
+            }
+
+            const flow = pendingCodexFlows.get(flowId);
+            if (!flow) {
+                return res.status(400).json({ status: 'error', error: 'Flow not found or expired' });
+            }
+
+            const result = await pollCodexDeviceAuth(flow.deviceAuthId, flow.userCode);
+
+            if (result.completed && result.tokens) {
+                const email = `codex-${result.tokens.accountId || 'user'}@chatgpt`;
+
+                await addAccount({
+                    email,
+                    provider: 'codex',
+                    source: 'oauth',
+                    refreshToken: result.tokens.refreshToken,
+                    apiKey: result.tokens.accessToken,
+                    accountId: result.tokens.accountId
+                });
+
+                await accountManager.reload();
+                pendingCodexFlows.delete(flowId);
+
+                logger.success(`[WebUI] Codex account ${email} added via device auth`);
+
+                res.json({
+                    status: 'ok',
+                    completed: true,
+                    email,
+                    message: `Account ${email} added successfully`
+                });
+            } else if (result.pending) {
+                res.json({ status: 'ok', completed: false, pending: true });
+            } else if (result.error) {
+                pendingCodexFlows.delete(flowId);
+                res.json({ status: 'error', error: result.error });
+            } else {
+                res.json({ status: 'ok', completed: false, pending: true });
+            }
+        } catch (error) {
+            logger.error('[WebUI] Codex poll token error:', error);
+            res.status(500).json({ status: 'error', error: error.message });
+        }
+    });
+
+    /**
+     * POST /api/codex/browser-auth - Initiate Codex browser OAuth (PKCE)
+     */
+    app.post('/api/codex/browser-auth', async (req, res) => {
+        try {
+            const { url, promise, abort } = await startCodexBrowserAuth();
+
+            const flowId = crypto.randomUUID();
+            pendingCodexFlows.set(flowId, {
+                type: 'browser',
+                promise,
+                abort,
+                timestamp: Date.now()
+            });
+
+            // Handle async completion
+            promise
+                .then(async (tokens) => {
+                    try {
+                        const email = `codex-${tokens.accountId || 'user'}@chatgpt`;
+
+                        await addAccount({
+                            email,
+                            provider: 'codex',
+                            source: 'oauth',
+                            refreshToken: tokens.refreshToken,
+                            apiKey: tokens.accessToken,
+                            accountId: tokens.accountId
+                        });
+
+                        await accountManager.reload();
+                        logger.success(`[WebUI] Codex account ${email} added via browser auth`);
+                    } catch (err) {
+                        logger.error('[WebUI] Codex browser auth completion error:', err);
+                    } finally {
+                        pendingCodexFlows.delete(flowId);
+                    }
+                })
+                .catch((err) => {
+                    if (!err.message?.includes('aborted')) {
+                        logger.error('[WebUI] Codex browser auth error:', err);
+                    }
+                    pendingCodexFlows.delete(flowId);
+                });
+
+            res.json({
+                status: 'ok',
+                flowId,
+                url,
+                message: 'Open the URL in your browser to authorize'
+            });
+        } catch (error) {
+            logger.error('[WebUI] Codex browser auth error:', error);
+            res.status(500).json({ status: 'error', error: error.message });
+        }
+    });
+
     // ==========================================
     // Configuration API
     // ==========================================