copilot-reverse 0.2.1 → 0.4.0

package/dist/providers/copilot/responses-upstream.js

@@ -0,0 +1,161 @@
+import { randomUUID } from "node:crypto";
+// Outbound translation to GitHub Copilot's OpenAI Responses API. Newer Copilot models (e.g. gpt-5.5)
+// are served ONLY on /responses — their `supported_endpoints` omits /chat/completions — so the adapter
+// routes them here instead of the chat path. This is the mirror image of core/responses-inbound.ts
+// (which translates Codex's INBOUND /responses calls); here we SEND /responses to Copilot.
+export const RESPONSES_URL = "https://api.githubcopilot.com/responses";
+function textOf(content) {
+    return content.filter((b) => b.type === "text").map((b) => b.text).join("");
+}
+// One canonical message can expand into several Responses items (parallel tool calls / results).
+function messageToItems(m) {
+    const items = [];
+    const toolResults = m.content.filter((b) => b.type === "tool_result");
+    for (const tr of toolResults)
+        items.push({ type: "function_call_output", call_id: tr.toolUseId, output: tr.content });
+    if (toolResults.length)
+        return items; // a tool message carries only results
+    const toolUses = m.content.filter((b) => b.type === "tool_use");
+    for (const tu of toolUses)
+        items.push({ type: "function_call", call_id: tu.id, name: tu.name, arguments: JSON.stringify(tu.input ?? {}) });
+    // Assistant text becomes an output_text part; user/system text an input_text part. Images are input_image.
+    const text = textOf(m.content);
+    const images = m.content.filter((b) => b.type === "image");
+    const parts = [];
+    const textType = m.role === "assistant" ? "output_text" : "input_text";
+    if (text)
+        parts.push({ type: textType, text });
+    for (const img of images)
+        parts.push({ type: "input_image", image_url: img.dataUrl });
+    if (parts.length)
+        items.push({ type: "message", role: m.role, content: parts });
+    return items;
+}
+export function canonicalToResponsesBody(req) {
+    const system = req.messages.filter((m) => m.role === "system").map((m) => textOf(m.content)).filter(Boolean).join("\n");
+    const input = [];
+    for (const m of req.messages) {
+        if (m.role === "system")
+            continue;
+        input.push(...messageToItems(m));
+    }
+    // Function tools translate to {type:"function",…}; hosted tools (web_search) pass through as {type}.
+    const tools = [
+        ...(req.tools ?? []).map((t) => ({ type: "function", name: t.name, description: t.description, parameters: t.parameters })),
+        ...(req.hostedTools ?? []).map((type) => ({ type })),
+    ];
+    return {
+        model: req.model, input, stream: req.stream,
+        ...(system ? { instructions: system } : {}),
+        ...(req.temperature !== undefined ? { temperature: req.temperature } : {}),
+        ...(req.maxTokens !== undefined ? { max_output_tokens: req.maxTokens } : {}),
+        ...(tools.length ? { tools } : {}),
+    };
+}
+// ---- non-stream response: Responses object -> canonical -----------------------------------------
+function safeJson(s) { try {
+    return s ? JSON.parse(s) : {};
+}
+catch {
+    return {};
+} }
+function mapIncomplete(reason) {
+    return reason === "max_output_tokens" ? "length" : "stop";
+}
+export function parseResponsesResult(data) {
+    const content = [];
+    let sawTool = false;
+    for (const item of data.output ?? []) {
+        if (item.type === "message") {
+            const text = (item.content ?? []).filter((p) => p.type === "output_text").map((p) => p.text ?? "").join("");
+            if (text)
+                content.push({ type: "text", text });
+        }
+        else if (item.type === "function_call") {
+            sawTool = true;
+            content.push({ type: "tool_use", id: item.call_id ?? item.id, name: item.name ?? "", input: safeJson(item.arguments) });
+        }
+    }
+    const finishReason = data.status === "incomplete" ? mapIncomplete(data.incomplete_details?.reason) : sawTool ? "tool_use" : "stop";
+    return {
+        id: data.id ?? `resp-${randomUUID().replace(/-/g, "")}`, model: data.model, content, finishReason,
+        usage: { promptTokens: data.usage?.input_tokens ?? 0, completionTokens: data.usage?.output_tokens ?? 0 },
+    };
+}
+// ---- streaming: Responses SSE -> canonical chunks ------------------------------------------------
+// Copilot's Responses stream is item-centric: each output item is announced by response.output_item.added
+// (carrying the item's type + identity), then text streams via response.output_text.delta and tool args
+// via response.function_call_arguments.delta. We map item output_index -> a canonical tool index so deltas
+// attach to the right call. The terminal event is response.completed (or response.incomplete on a cap).
+export async function* streamResponses(res) {
+    if (!res.body) {
+        yield { kind: "done", done: true, finishReason: "stop" };
+        return;
+    }
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let finishReason = "stop";
+    let usage;
+    const toolByOutputIndex = new Map(); // responses output_index -> canonical tool index
+    let nextToolIndex = 0;
+    const usageOf = (u) => u ? { promptTokens: u.input_tokens ?? 0, completionTokens: u.output_tokens ?? 0, cachedTokens: u.input_tokens_details?.cached_tokens ?? 0 } : undefined;
+    for (;;) {
+        const { value, done } = await reader.read();
+        if (done)
+            break;
+        buffer += decoder.decode(value, { stream: true });
+        const frames = buffer.split("\n\n");
+        buffer = frames.pop() ?? "";
+        for (const frame of frames) {
+            const line = frame.split("\n").find((l) => l.startsWith("data: "));
+            if (!line)
+                continue;
+            const payload = line.slice(6).trim();
+            if (!payload || payload === "[DONE]")
+                continue;
+            let ev;
+            try {
+                ev = JSON.parse(payload);
+            }
+            catch {
+                continue;
+            }
+            switch (ev.type) {
+                case "response.output_item.added": {
+                    const item = ev.item ?? {};
+                    if (item.type === "function_call") {
+                        const idx = nextToolIndex++;
+                        toolByOutputIndex.set(ev.output_index, idx);
+                        yield { kind: "tool_use_start", index: idx, id: item.call_id ?? item.id ?? `call_${idx}`, name: item.name ?? "", done: false };
+                    }
+                    break;
+                }
+                case "response.output_text.delta":
+                    if (ev.delta)
+                        yield { kind: "text", delta: ev.delta, done: false };
+                    break;
+                case "response.function_call_arguments.delta": {
+                    const idx = toolByOutputIndex.get(ev.output_index);
+                    if (idx !== undefined && ev.delta)
+                        yield { kind: "tool_use_delta", index: idx, argsDelta: ev.delta, done: false };
+                    break;
+                }
+                case "response.completed":
+                    if (toolByOutputIndex.size)
+                        finishReason = "tool_use";
+                    usage = usageOf(ev.response?.usage) ?? usage;
+                    break;
+                case "response.incomplete":
+                    finishReason = mapIncomplete(ev.response?.incomplete_details?.reason);
+                    usage = usageOf(ev.response?.usage) ?? usage;
+                    break;
+                case "response.failed":
+                case "error":
+                    finishReason = "error";
+                    break;
+            }
+        }
+    }
+    yield { kind: "done", done: true, finishReason, usage };
+}

package/dist/providers/webiq/client.js

@@ -0,0 +1,66 @@
+// Microsoft Web IQ REST client. Two grounding endpoints used to back Claude Code's server-side
+// web_search / web_fetch tools, which our gateway executes itself (Copilot can't). Every call
+// returns a discriminated result instead of throwing: a failed search must degrade to a message the
+// model can read and answer around, never abort the in-flight turn.
+const SEARCH_URL = "https://api.microsoft.ai/v3/search/web";
+const BROWSE_URL = "https://api.microsoft.ai/v3/browse";
+const DEFAULT_TIMEOUT_MS = 15_000;
+const headers = (key) => ({ host: "api.microsoft.ai", "x-apikey": key, "content-type": "application/json" });
+// Status -> readable, model-facing reason. Kept identical across both endpoints so the model gets a
+// consistent, actionable string it can reason about (e.g. fall back to its own knowledge).
+function statusError(status, kind) {
+    if (status === 401 || status === 403)
+        return "web search unavailable: WebIQ API key missing or invalid — run /webiq to set it";
+    if (status === 429)
+        return "web search unavailable: WebIQ rate limit exceeded — try again shortly";
+    if (status === 404 && kind === "fetch")
+        return "web fetch failed: the page was not found or is not indexed";
+    return `web ${kind} failed: WebIQ returned ${status}`;
+}
+async function post(url, key, body, fetchFn, timeoutMs) {
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+    try {
+        return await fetchFn(url, { method: "POST", headers: headers(key), body: JSON.stringify(body), signal: ctrl.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+export async function webSearch(key, params, fetchFn = fetch, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    if (!key)
+        return { ok: false, error: statusError(401, "search") };
+    try {
+        const res = await post(SEARCH_URL, key, { maxResults: 10, contentFormat: "passage", ...params }, fetchFn, timeoutMs);
+        if (!res.ok)
+            return { ok: false, error: statusError(res.status, "search") };
+        const data = (await res.json());
+        return { ok: true, results: data.webResults ?? [] };
+    }
+    catch {
+        return { ok: false, error: "web search failed: could not reach WebIQ" };
+    }
+}
+export async function webFetch(key, params, fetchFn = fetch, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    if (!key)
+        return { ok: false, error: statusError(401, "fetch") };
+    try {
+        const res = await post(BROWSE_URL, key, { maxLength: 10_000, contentFormat: "markdown", ...params }, fetchFn, timeoutMs);
+        if (!res.ok)
+            return { ok: false, error: statusError(res.status, "fetch") };
+        const data = (await res.json());
+        return { ok: true, title: data.title ?? "", url: data.url ?? params.url, content: data.content ?? "" };
+    }
+    catch {
+        return { ok: false, error: "web fetch failed: could not reach WebIQ" };
+    }
+}
+// Render results as the tool_result text fed back to the model — compact, citation-friendly.
+export function formatSearchResults(results) {
+    if (!results.length)
+        return "no results found";
+    return results.map((r, i) => `[${i + 1}] ${r.title}\n${r.url}\n${r.content}`.trim()).join("\n\n");
+}
+export function formatFetchResult(r) {
+    return `${r.title}\n${r.url}\n\n${r.content}`.trim();
+}

package/dist/shared/webiq-key.js

@@ -0,0 +1,59 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+// WebIQ config for the gateway-run web_search / web_fetch tools: the API key plus the active backend
+// MODE. Stored like the GitHub token (plaintext, 0600, in the data dir). The WEBIQ_API_KEY env var
+// takes precedence for the key so CI / headless runs can inject it. Read lazily per request → no
+// worker restart on change.
+//
+//   mode "copilot" (DEFAULT) — borrow gpt-5-mini's native web_search; no key needed.
+//   mode "webiq"             — force ALL models through WebIQ using the stored key.
+const file = (dir) => join(dir, "webiq.json");
+function read(dir) {
+    if (!existsSync(file(dir)))
+        return {};
+    try {
+        return JSON.parse(readFileSync(file(dir), "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function write(dir, data) {
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(file(dir), JSON.stringify(data), { mode: 0o600 });
+}
+export function writeWebIqKey(key, dir) {
+    write(dir, { ...read(dir), apiKey: key });
+}
+export function readWebIqKey(dir) {
+    if (process.env.WEBIQ_API_KEY)
+        return process.env.WEBIQ_API_KEY;
+    return read(dir).apiKey ?? null;
+}
+// Reset everything — drop the key AND revert to the default copilot backend.
+export function clearWebIqKey(dir) {
+    rmSync(file(dir), { force: true });
+}
+export function readWebSearchMode(dir) {
+    return read(dir).mode === "webiq" ? "webiq" : "copilot";
+}
+export function writeWebSearchMode(dir, mode) {
+    write(dir, { ...read(dir), mode });
+}
+// Master switch for the Copilot "borrow" backend (gpt-5-mini's native web_search). Currently OFF:
+// gpt-5-mini is badly congested on Copilot's /responses (503 "high demand", 20s–7min), while WebIQ is
+// sub-second. So web search routes through WebIQ only; with no key it is unavailable. Flip this to
+// `true` to bring borrow search back (the borrow code path is kept intact). NOTE: this gates only the
+// Claude gateway backend — Codex's native /responses web_search is unaffected (it uses fast gpt-5
+// models directly, not gpt-5-mini).
+export const COPILOT_WEB_SEARCH_ENABLED = false;
+// Resolve which backend a gateway web_search/web_fetch call should use. Pure (no I/O) so both flag
+// states are unit-tested. `enabled` defaults to the live flag; tests pass it explicitly.
+export function resolveWebSearchBackend(mode, hasKey, enabled = COPILOT_WEB_SEARCH_ENABLED) {
+    if (!enabled)
+        return hasKey ? "webiq" : "unavailable"; // borrow disabled → WebIQ or nothing
+    if (mode === "webiq" && hasKey)
+        return "webiq";
+    return "copilot"; // default borrow (and the webiq-without-key fallback)
+}

package/dist/tui/app.js

@@ -6,12 +6,30 @@ import { Repl } from "./repl.js";
 import { SetupWizard } from "./setup/wizard.js";
 import { ModelScreen } from "./screens/model.js";
 import { ConfigScreen } from "./screens/config.js";
+import { WebIqKeyScreen } from "./screens/webiq-key.js";
+import { summarizeStatus } from "./status-summary.js";
 import { theme } from "./theme.js";
 const stateColor = {
     ready: theme.ready, starting: theme.starting, crashed: theme.crashed, unhealthy: theme.unhealthy,
 };
 const EMPTY_STATUS = { claude: { user: false, project: false }, codex: { user: false, project: false } };
 const SPINNER = ["✶", "✸", "✹", "✺", "✹", "✷"];
+// Startup overview card. GitHub shows a login STATE (no real token expiry exists). Web search shows
+// the resolved backend: "via WebIQ", "via Copilot (native)", or "unavailable — run /webiq".
+// `extra` appends detail lines (e.g. worker restart history for /status).
+function statusCard(s, extra = []) {
+    const gh = s.github === "connected" ? "✓ connected" : s.github === "expired" ? "✗ expired — run /login" : "✗ signed out — run /login";
+    const web = s.webSearch === "webiq" ? "✓ via WebIQ" : s.webSearch === "copilot" ? "✓ via Copilot (native)" : "✗ unavailable — run /webiq";
+    const clients = `claude ${s.clients.claude ? "✓" : "○"}  codex ${s.clients.codex ? "✓" : "○"}`;
+    const tone = s.github === "connected" ? "ok" : "error";
+    return { type: "card", title: "status", tone, lines: [
+            `GitHub login   ${gh}`,
+            `web search     ${web}`,
+            `worker         ${s.worker}`,
+            `clients        ${clients}`,
+            ...extra,
+        ] };
+}
 const fmtElapsed = (ms) => {
     const s = Math.floor(ms / 1000);
     return s >= 60 ? `${Math.floor(s / 60)}m ${s % 60}s` : `${s}s`;
@@ -36,13 +54,15 @@ function ClientBadge({ name, status }) {
     const cell = (label, on) => (_jsxs(Text, { color: on ? theme.ready : theme.muted, children: [label, ":", on ? "✓" : "○"] }));
     return (_jsxs(Text, { color: theme.muted, children: [name, " ", cell("u", status.user), " ", cell("p", status.project)] }));
 }
-export function App({ registry, title, workerState = "starting", initialModel = "—", statusSource, readStatus, modelLimits, onChat, loadModels, setup, info, onModelChange, pickModelOnStart, login, }) {
+export function App({ registry, title, workerState = "starting", initialModel = "—", statusSource, readStatus, modelLimits, onChat, loadModels, setup, info, onModelChange, pickModelOnStart, login, enableWebiq, disableWebiq, webSearchBackend, startupStatus, githubStatus, }) {
     const cmds = registry.list().map((c) => ({ name: c.name, describe: c.describe }));
-    const [entries, setEntries] = useState([
+    const [entries, setEntries] = useState(() => [
+        ...(startupStatus ? [statusCard(startupStatus)] : []),
         { type: "system", text: "Type a message to chat with the assistant, or /help for commands." },
     ]);
     const [state, setState] = useState(workerState);
     const [status, setStatus] = useState(() => readStatus?.() ?? EMPTY_STATUS);
+    const [webBackend, setWebBackend] = useState(() => webSearchBackend?.() ?? "unavailable");
     const [model, setModel] = useState(initialModel);
     const [screen, setScreen] = useState(pickModelOnStart && loadModels ? { kind: "model" } : null);
     const [, setNow] = useState(0); // ticks the live loading line while the assistant streams
@@ -50,7 +70,8 @@ export function App({ registry, title, workerState = "starting", initialModel =
     const loginInFlight = useRef(false); // guards against starting a second device-login flow
     const add = (e) => setEntries((p) => [...p, e].slice(-100));
     const refreshStatus = () => { if (readStatus)
-        setStatus(readStatus()); };
+        setStatus(readStatus()); if (webSearchBackend)
+        setWebBackend(webSearchBackend()); };
     // esc interrupts an in-flight assistant turn (the Repl doesn't use esc, so this is unambiguous).
     useInput((_input, key) => { if (key.escape)
         abortRef.current?.abort(); });
@@ -92,6 +113,38 @@ export function App({ registry, title, workerState = "starting", initialModel =
             setScreen({ kind: "model" });
             return;
         }
+        // Web-search backend controls. "/webiq clean" clears the key; "/webiq" opens the key screen and
+        // switches to the WebIQ backend on submit. After either, re-read the resolved backend for the HUD.
+        if (t === "/webiq clean" && disableWebiq) {
+            disableWebiq();
+            setWebBackend(webSearchBackend?.() ?? "unavailable");
+            add({ type: "card", title: "/webiq", tone: "ok", lines: ["✓ WebIQ key cleared"] });
+            return;
+        }
+        if (t === "/webiq" && enableWebiq) {
+            setScreen({ kind: "webiq-key" });
+            return;
+        }
+        if (t === "/status" && (startupStatus || githubStatus || webSearchBackend)) {
+            // Render the live status overview (same card as startup), then the worker restart history.
+            const github = githubStatus ? await githubStatus() : (startupStatus?.github ?? "signed-out");
+            let worker = state, restarts = [];
+            try {
+                const s = await statusSource?.();
+                if (s) {
+                    worker = s.workerState;
+                    restarts = s.restarts.slice(0, 5).map((r) => `  ${r.reason} exit=${r.exitCode ?? "-"} ${r.stderrTail.slice(0, 60)}`);
+                }
+            }
+            catch { /* daemon momentarily down — show what we have */ }
+            const summary = summarizeStatus({
+                hasToken: github !== "signed-out", tokenValid: github === "connected",
+                webSearch: webSearchBackend?.() ?? webBackend, worker,
+                clients: { claude: status.claude.user || status.claude.project, codex: status.codex.user || status.codex.project },
+            });
+            add(statusCard(summary, restarts.length ? ["", "recent restarts:", ...restarts] : []));
+            return;
+        }
         if (t === "/config" && info) {
             setScreen({ kind: "config" });
             return;
@@ -181,6 +234,9 @@ export function App({ registry, title, workerState = "starting", initialModel =
                     setScreen(null);
             } }));
     }
+    else if (screen?.kind === "webiq-key" && enableWebiq) {
+        body = (_jsx(WebIqKeyScreen, { onSubmit: (k) => { enableWebiq(k); setWebBackend(webSearchBackend?.() ?? "webiq"); setScreen(null); add({ type: "card", title: "/webiq", tone: "ok", lines: ["✓ WebIQ enabled — all web search now routes through Microsoft Web IQ"] }); }, onCancel: () => { setScreen(null); add({ type: "system", text: "webiq cancelled" }); } }));
+    }
     else {
         body = _jsx(Repl, { onSubmit: handle, commands: cmds });
     }
@@ -197,5 +253,5 @@ export function App({ registry, title, workerState = "starting", initialModel =
                         return (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { color: theme.accent, children: ["\u273D ", _jsxs(Text, { color: theme.muted, children: [frame, " ", loadingVerb(elapsed), "\u2026 (esc to interrupt \u00B7 ", fmtElapsed(elapsed), " \u00B7 \u2193 ", fmtTokens(tokens), " tokens \u00B7 thinking)"] })] }), e.text ? _jsx(Text, { color: color, children: e.text }) : null] }, i));
                     }
                     return _jsx(Text, { color: color, children: e.text }, i);
-                }) }), body, _jsxs(Box, { paddingX: 1, children: [_jsx(Text, { color: theme.muted, children: "model " }), _jsx(Text, { color: theme.accent, children: model }), _jsx(Text, { color: theme.muted, children: "  \u00B7  daemon " }), _jsx(Text, { color: stateColor[state], children: state }), _jsx(Text, { color: theme.muted, children: "  \u00B7  " }), _jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] }));
+                }) }), body, _jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsxs(Box, { children: [_jsx(Text, { color: theme.muted, children: "model " }), _jsx(Text, { color: theme.accent, children: model }), _jsx(Text, { color: theme.muted, children: "  \u00B7  daemon " }), _jsx(Text, { color: stateColor[state], children: state }), _jsx(Text, { color: theme.muted, children: "  \u00B7  web " }), _jsx(Text, { color: webBackend === "unavailable" ? theme.muted : theme.ready, children: webBackend === "webiq" ? "✓ webiq" : webBackend === "copilot" ? "✓ copilot" : "✗ /webiq" })] }), _jsxs(Box, { children: [_jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] })] }));
 }

package/dist/tui/screens/webiq-key.js

@@ -0,0 +1,30 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from "react";
+import { Box, Text, useInput } from "ink";
+import { theme } from "../theme.js";
+// Masked single-line input for the WebIQ API key. Mirrors the Repl's end-of-line editing (append /
+// backspace), but renders bullets instead of the secret. Enter submits a non-empty key; Esc cancels.
+export function WebIqKeyScreen({ onSubmit, onCancel }) {
+    const [value, setValue] = useState("");
+    useInput((input, key) => {
+        if (key.escape) {
+            onCancel();
+            return;
+        }
+        if (key.return) {
+            const k = value.trim();
+            if (k)
+                onSubmit(k);
+            else
+                onCancel();
+            return;
+        }
+        if (key.backspace || key.delete) {
+            setValue((v) => v.slice(0, -1));
+            return;
+        }
+        if (input && !key.ctrl && !key.meta)
+            setValue((v) => v + input);
+    });
+    return (_jsxs(Box, { flexDirection: "column", borderStyle: "round", borderColor: theme.accent, paddingX: 1, marginBottom: 1, children: [_jsx(Text, { color: theme.accent, bold: true, children: "web search support \u2014 paste your WebIQ API key" }), _jsx(Text, { color: theme.muted, children: "enables web_search / web_fetch for connected clients \u00B7 enter to save \u00B7 esc to cancel" }), _jsxs(Box, { children: [_jsx(Text, { color: theme.prompt, children: "key › " }), _jsx(Text, { children: "•".repeat(value.length) }), _jsx(Text, { inverse: true, children: " " })] })] }));
+}

package/dist/tui/setup/codex-toml.js

@@ -3,7 +3,9 @@ import { homedir } from "node:os";
 import { join, dirname } from "node:path";
 // Codex reads ~/.codex/config.toml. copilot-reverse writes a managed provider block there (model,
 // provider, context window) while preserving the user's other top-level keys. Mirrors
-// agent-maestro's `configureCodex`, but uses wire_api="chat" since our proxy is chat/completions.
+// agent-maestro's `configureCodex`. Codex removed wire_api="chat" (codex#7782), so we write
+// "responses" and serve the OpenAI Responses API at /openai/responses (Codex appends /responses to
+// base_url verbatim — no /v1 auto-added).
 export const PROVIDER_ID = "copilot-reverse";
 export function codexTomlPath(home = homedir()) {
     return join(home, ".codex", "config.toml");
@@ -14,34 +16,57 @@ export function applyCodexToml(opts) {
     const path = codexTomlPath(opts.home);
     if (!existsSync(dirname(path)))
         mkdirSync(dirname(path), { recursive: true });
-    // Read existing top-level lines, dropping our managed keys and any prior managed provider table,
-    // but keeping everything else (approval_policy, other providers, etc.) verbatim.
+    // Parse existing content into top-level (pre-table) bare keys vs. table blocks, dropping our
+    // managed keys and any prior managed provider table. We MUST keep top-level keys and tables
+    // separate: in TOML a bare `key = value` after a `[table]` header belongs to that table, so
+    // appending our `model_provider` at the end (after the user's [windows]/[marketplaces] tables)
+    // silently nested it under the last table — Codex then couldn't see it and fell back to "openai".
     const existing = existsSync(path) ? readFileSync(path, "utf8") : "";
-    const kept = [];
-    let inOurTable = false;
+    const keptTopKeys = []; // bare key=value lines before any table
+    const keptTables = []; // everything from the first [table] onward (preserved verbatim)
+    let inTable = false; // have we passed the first table header?
+    let inOurTable = false; // are we inside our own [model_providers.copilot-reverse] block?
     for (const line of existing.split(/\r?\n/)) {
-        const tableMatch = /^\s*\[/.test(line);
-        if (tableMatch)
+        if (/^\s*\[/.test(line)) {
+            inTable = true;
             inOurTable = line.trim() === `[model_providers.${PROVIDER_ID}]`;
+        }
         if (inOurTable)
-            continue; // skip our previously-written provider table
+            continue; // skip our previously-written provider table entirely
         const keyMatch = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
+        // Drop our managed top keys wherever they appear. They belong at the top level, but a previous
+        // buggy version wrote them AFTER tables (where TOML nests them) — so filter them in the table
+        // region too, otherwise the rewrite would duplicate them.
         if (keyMatch && MANAGED_TOP_KEYS.includes(keyMatch[1]))
-            continue; // skip our managed top keys
-        kept.push(line);
+            continue;
+        (inTable ? keptTables : keptTopKeys).push(line);
     }
-    const head = kept.join("\n").replace(/\n{3,}/g, "\n\n").trim();
-    const managed = [
+    // Reassemble in valid TOML order: ALL top-level keys (ours + the user's) first, then all table
+    // blocks (the user's preserved tables, then our managed provider table last).
+    const topKeys = [
         `model = "${opts.model}"`,
         `model_provider = "${PROVIDER_ID}"`,
         ...(opts.contextWindow ? [`model_context_window = ${opts.contextWindow}`] : []),
-        "",
+        ...keptTopKeys.filter((l) => l.trim()), // the user's other top-level keys (approval_policy, etc.)
+    ];
+    const ourTable = [
         `[model_providers.${PROVIDER_ID}]`,
         `name = "copilot-reverse"`,
         `base_url = "${opts.baseUrl}"`,
-        `wire_api = "chat"`,
-    ].join("\n");
-    const body = (head ? `${head}\n\n` : "") + managed + "\n";
+        `wire_api = "responses"`,
+        // Auth: inline a static bearer token so Codex talks to our local proxy instead of falling back
+        // to the OpenAI login flow. env_key is unreliable here (a standalone Codex CLI won't see our
+        // .env), so we embed the placeholder directly — the worker ignores the key value anyway.
+        `requires_openai_auth = false`,
+        `experimental_bearer_token = "${opts.apiKey ?? "copilot-reverse-local"}"`,
+    ];
+    const userTables = keptTables.join("\n").replace(/\n{3,}/g, "\n\n").trim();
+    const managed = [
+        topKeys.join("\n"),
+        ...(userTables ? [userTables] : []),
+        ourTable.join("\n"),
+    ].join("\n\n");
+    const body = managed + "\n";
     writeFileSync(path, body);
     return { path, changed: MANAGED_TOP_KEYS };
 }

package/dist/tui/slash/commands.js

@@ -45,6 +45,10 @@ export function buildRegistry(ctx, endpoint, opts = {}) {
     reg.add({ name: "/login", describe: "sign in to GitHub (device-code)", run: async () => opts.login ? opts.login() : ["login not available"] });
     reg.add({ name: "/logout", describe: "sign out — remove the stored GitHub token", run: async () => opts.logout ? opts.logout() : ["logout not available"] });
     reg.add({ name: "/model", describe: "switch the chat model", run: async () => ["opening model picker…"] });
+    // Web search works out of the box via Copilot; /webiq opts into Microsoft Web IQ, /webiq clean
+    // reverts. Handled in the App (opens the key screen / toggles), so this is a no-op stub that exists
+    // only so the command is recognized and not reported as unknown.
+    reg.add({ name: "/webiq", describe: "use Microsoft Web IQ for web search (/webiq clean to revert)", run: async () => ["opening webiq…"] });
     reg.add({ name: "/config", describe: "view & change configuration", run: async () => ["opening config panel…"] });
     reg.add({ name: "/dashboard", describe: "open the web dashboard in your browser", run: async () => {
             if (!opts.dashboardUrl)

package/dist/tui/status-summary.js

@@ -0,0 +1,13 @@
+export function githubLoginState(hasToken, tokenValid) {
+    if (!hasToken)
+        return "signed-out";
+    return tokenValid ? "connected" : "expired";
+}
+export function summarizeStatus(i) {
+    return {
+        github: githubLoginState(i.hasToken, i.tokenValid),
+        webSearch: i.webSearch,
+        worker: i.worker,
+        clients: i.clients,
+    };
+}

package/dist/version.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED by scripts/gen-version.mjs from package.json — do not edit.
-export const APP_VERSION = "0.2.1";
+export const APP_VERSION = "0.4.0";