groove-dev 0.27.74 → 0.27.77

package/node_modules/@groove-dev/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/cli",
-  "version": "0.27.74",
+  "version": "0.27.77",
   "description": "GROOVE CLI — manage AI coding agents from your terminal",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/daemon",
-  "version": "0.27.74",
+  "version": "0.27.77",
   "description": "GROOVE daemon — agent orchestration engine",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/src/api.js

@@ -9,6 +9,7 @@ import { spawn, execFile, execFileSync } from 'child_process';
 import { createHash, randomUUID } from 'crypto';
 import { hostname, networkInterfaces, homedir } from 'os';
 import { StringDecoder } from 'string_decoder';
+import { request as httpRequest } from 'http';
 import { lookup as mimeLookup } from './mimetypes.js';
 import { listProviders, getProvider, clearInstallCache, getProviderMetadata, getProviderPath, setProviderPaths } from './providers/index.js';
 import { OllamaProvider } from './providers/ollama.js';
@@ -97,12 +98,18 @@ export function createApi(app, daemon) {
     next();
   });
 
-  // Security headers
+  // Security headers — preview proxy routes get relaxed framing policy so the
+  // GUI can iframe the proxied dev server content.
   app.use((req, res, next) => {
     res.setHeader('X-Content-Type-Options', 'nosniff');
-    res.setHeader('X-Frame-Options', 'DENY');
     res.setHeader('X-XSS-Protection', '0');
-    res.setHeader('Content-Security-Policy', "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; connect-src 'self' ws://localhost:* ws://127.0.0.1:* http://localhost:* http://127.0.0.1:*; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
+    const isPreviewProxy = req.path.match(/^\/api\/preview\/[^/]+\/proxy/);
+    if (isPreviewProxy) {
+      res.setHeader('Content-Security-Policy', "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'");
+    } else {
+      res.setHeader('X-Frame-Options', 'DENY');
+      res.setHeader('Content-Security-Policy', "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; connect-src 'self' ws://localhost:* ws://127.0.0.1:* http://localhost:* http://127.0.0.1:*; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-src 'self'; frame-ancestors 'none'");
+    }
     next();
   });
 
@@ -1258,6 +1265,66 @@ export function createApi(app, daemon) {
     }
   });
 
+  // --- Image Generation ---
+
+  app.post('/api/conversations/:id/generate-image', async (req, res) => {
+    try {
+      const { prompt, model, size, quality } = req.body;
+      if (!prompt || typeof prompt !== 'string' || !prompt.trim()) {
+        return res.status(400).json({ error: 'prompt is required' });
+      }
+      const conv = daemon.conversations.get(req.params.id);
+      if (!conv) return res.status(404).json({ error: 'Conversation not found' });
+
+      let providerName = conv.provider;
+      let provider = getProvider(providerName);
+
+      // If a specific image model was requested, find the right provider
+      if (model) {
+        const imageProviders = ['codex', 'grok', 'nano-banana'];
+        for (const pid of imageProviders) {
+          const p = getProvider(pid);
+          if (p?.constructor.models.some((m) => m.id === model)) {
+            provider = p;
+            providerName = pid;
+            break;
+          }
+        }
+      }
+
+      if (!provider?.generateImage) {
+        return res.status(400).json({ error: 'Provider does not support image generation' });
+      }
+
+      const apiKey = daemon.conversations._getApiKey(providerName);
+      if (!apiKey) {
+        return res.status(400).json({ error: `No API key configured for ${providerName}` });
+      }
+
+      daemon.broadcast({
+        type: 'conversation:image-progress',
+        data: { conversationId: req.params.id, status: 'generating', prompt: prompt.trim() },
+      });
+
+      const result = await provider.generateImage(prompt.trim(), { model, size, quality, apiKey });
+
+      daemon.broadcast({
+        type: 'conversation:image',
+        data: { conversationId: req.params.id, ...result, prompt: prompt.trim() },
+      });
+
+      daemon.conversations.touchUpdatedAt(req.params.id);
+      daemon.audit.log('conversation.image', { id: req.params.id, model: result.model, provider: result.provider });
+      res.json(result);
+    } catch (err) {
+      daemon.broadcast({
+        type: 'conversation:image-progress',
+        data: { conversationId: req.params.id, status: 'error', error: err.message },
+      });
+      res.status(500).json({ error: err.message });
+    }
+  });
+
   // --- Approvals ---
 
   app.get('/api/approvals', (req, res) => {
@@ -3385,6 +3452,191 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json(result);
   });
 
+  // --- Preview Proxy (same-origin iframe support) ---
+  // Forwards HTTP requests to the dev server so the GUI can iframe the preview
+  // without cross-origin issues. WebSocket upgrade for HMR is handled in index.js.
+  app.all('/api/preview/:teamId/proxy/*', (req, res) => {
+    const entry = daemon.preview?.get(req.params.teamId);
+    if (!entry || !entry.url) return res.status(404).json({ error: 'No active preview for this team' });
+
+    let targetUrl;
+    try { targetUrl = new URL(entry.url); } catch { return res.status(500).json({ error: 'Invalid preview URL' }); }
+
+    const proxyPath = req.params[0] || '';
+    const search = req.url.includes('?') ? '?' + req.url.split('?').slice(1).join('?') : '';
+    const fullPath = '/' + proxyPath + search;
+
+    const headers = { ...req.headers };
+    delete headers.host;
+    headers.host = targetUrl.host;
+
+    const proxyReq = httpRequest({
+      hostname: targetUrl.hostname,
+      port: targetUrl.port,
+      path: fullPath,
+      method: req.method,
+      headers,
+    }, (proxyRes) => {
+      const fwdHeaders = { ...proxyRes.headers };
+      delete fwdHeaders['content-security-policy'];
+      delete fwdHeaders['x-frame-options'];
+      res.writeHead(proxyRes.statusCode, fwdHeaders);
+      proxyRes.pipe(res);
+    });
+
+    proxyReq.on('error', (err) => {
+      if (!res.headersSent) res.status(502).json({ error: `Proxy error: ${err.message}` });
+    });
+    req.pipe(proxyReq);
+  });
+
+  // Also handle the bare path (no trailing wildcard)
+  app.all('/api/preview/:teamId/proxy', (req, res) => {
+    const entry = daemon.preview?.get(req.params.teamId);
+    if (!entry || !entry.url) return res.status(404).json({ error: 'No active preview for this team' });
+
+    let targetUrl;
+    try { targetUrl = new URL(entry.url); } catch { return res.status(500).json({ error: 'Invalid preview URL' }); }
+
+    const search = req.url.includes('?') ? '?' + req.url.split('?').slice(1).join('?') : '';
+
+    const headers = { ...req.headers };
+    delete headers.host;
+    headers.host = targetUrl.host;
+
+    const proxyReq = httpRequest({
+      hostname: targetUrl.hostname,
+      port: targetUrl.port,
+      path: '/' + search,
+      method: req.method,
+      headers,
+    }, (proxyRes) => {
+      const fwdHeaders = { ...proxyRes.headers };
+      delete fwdHeaders['content-security-policy'];
+      delete fwdHeaders['x-frame-options'];
+      res.writeHead(proxyRes.statusCode, fwdHeaders);
+      proxyRes.pipe(res);
+    });
+
+    proxyReq.on('error', (err) => {
+      if (!res.headersSent) res.status(502).json({ error: `Proxy error: ${err.message}` });
+    });
+    req.pipe(proxyReq);
+  });
+
+  // --- Iteration endpoint (planner routing for live preview feedback) ---
+  app.post('/api/preview/:teamId/iterate', async (req, res) => {
+    try {
+      const { message, screenshot } = req.body;
+      if (!message || typeof message !== 'string' || !message.trim()) {
+        return res.status(400).json({ error: 'message is required and must be a non-empty string' });
+      }
+
+      const teamId = req.params.teamId;
+      const agents = daemon.registry.getAll().filter((a) => a.teamId === teamId);
+      const planner = agents.find((a) => a.role === 'planner');
+
+      if (!planner) {
+        return res.status(400).json({ error: 'No planner found for this team. Iteration routing requires a planner-based team.' });
+      }
+
+      const terminal = new Set(['completed', 'crashed', 'stopped', 'killed']);
+      const feedbackPrompt = [
+        'ITERATION REQUEST: The user is viewing the live preview and wants changes.',
+        '',
+        `User feedback: ${message.trim()}`,
+        '',
+        screenshot ? 'The user attached a screenshot highlighting what they want changed.' : '',
+        '',
+        'Analyze this feedback and route it to the appropriate team agent (frontend, backend, or fullstack) by writing .groove/recommended-team.json. Be specific about what files to change and what the change should be.',
+      ].filter(Boolean).join('\n');
+
+      if (terminal.has(planner.status)) {
+        const newAgent = await daemon.processes.spawn({
+          role: planner.role,
+          scope: planner.scope,
+          provider: planner.provider,
+          model: planner.model,
+          prompt: feedbackPrompt,
+          permission: planner.permission || 'full',
+          workingDir: planner.workingDir,
+          name: planner.name,
+          teamId: planner.teamId,
+        });
+        daemon.audit.log('preview.iterate', { teamId, plannerId: newAgent.id, respawned: true });
+        return res.json({ status: 'routed', plannerAgent: newAgent.id, message: 'Feedback sent to respawned planner for routing' });
+      }
+
+      if (daemon.processes.hasAgentLoop(planner.id)) {
+        await daemon.processes.sendMessage(planner.id, feedbackPrompt);
+      } else if (daemon.processes.isRunning(planner.id)) {
+        daemon.processes.queueMessage(planner.id, feedbackPrompt);
+      } else {
+        return res.status(400).json({ error: 'Planner exists but is not reachable. Try again.' });
+      }
+
+      daemon.audit.log('preview.iterate', { teamId, plannerId: planner.id, respawned: false });
+      res.json({ status: 'routed', plannerAgent: planner.id, message: 'Feedback sent to planner for routing' });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // --- Screenshot storage for preview iteration ---
+  app.post('/api/preview/:teamId/screenshot', (req, res) => {
+    try {
+      const { image, filename } = req.body;
+      if (!image || typeof image !== 'string') {
+        return res.status(400).json({ error: 'image (base64 string) is required' });
+      }
+
+      const teamId = req.params.teamId;
+      const agents = daemon.registry.getAll().filter((a) => a.teamId === teamId);
+      const teamAgent = agents[0];
+      if (!teamAgent) return res.status(404).json({ error: 'No agents found for this team' });
+
+      const workDir = teamAgent.workingDir || daemon.projectDir;
+      const screenshotDir = resolve(workDir, '.groove', 'screenshots');
+      mkdirSync(screenshotDir, { recursive: true });
+
+      const ts = Date.now();
+      const safeName = (filename || 'screenshot').replace(/[^a-zA-Z0-9._-]/g, '_');
+      const fname = `${ts}-${safeName}.png`;
+      const filePath = resolve(screenshotDir, fname);
+
+      const base64Data = image.replace(/^data:image\/\w+;base64,/, '');
+      writeFileSync(filePath, Buffer.from(base64Data, 'base64'));
+
+      const relativePath = `.groove/screenshots/${fname}`;
+      daemon.audit.log('preview.screenshot', { teamId, path: relativePath });
+      res.json({
+        path: relativePath,
+        url: `/api/preview/${teamId}/screenshots/${fname}`,
+      });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  app.get('/api/preview/:teamId/screenshots/:filename', (req, res) => {
+    const teamId = req.params.teamId;
+    const fname = req.params.filename;
+    if (!fname || fname.includes('..') || fname.includes('/') || fname.includes('\\')) {
+      return res.status(400).json({ error: 'Invalid filename' });
+    }
+
+    const agents = daemon.registry.getAll().filter((a) => a.teamId === teamId);
+    const teamAgent = agents[0];
+    if (!teamAgent) return res.status(404).json({ error: 'No agents found for this team' });
+
+    const workDir = teamAgent.workingDir || daemon.projectDir;
+    const filePath = resolve(workDir, '.groove', 'screenshots', fname);
+    if (!existsSync(filePath)) return res.status(404).json({ error: 'Screenshot not found' });
+
+    res.setHeader('Content-Type', 'image/png');
+    createReadStream(filePath).pipe(res);
+  });
+
   // Clean up stale artifacts. Scope to a single team when teamId is provided —
   // wiping every agent's working dir on a global cleanup would delete other
   // in-flight teams' unlaunched plans. When called with no teamId, only the
@@ -4166,7 +4418,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
     const ALLOWED_KEYS = [
       'port', 'journalistInterval', 'rotationThreshold', 'autoRotation',
       'qcThreshold', 'maxAgents', 'defaultProvider', 'defaultWorkingDir',
-      'onboardingDismissed', 'defaultModel',
+      'onboardingDismissed', 'defaultModel', 'defaultChatProvider', 'defaultChatModel',
     ];
     for (const key of Object.keys(req.body)) {
       if (!ALLOWED_KEYS.includes(key)) {

package/node_modules/@groove-dev/daemon/src/conversations.js

@@ -56,6 +56,13 @@ export class ConversationManager {
   }
 
   async create(provider, model, title, mode = 'api') {
+    if (!provider && this.daemon.config?.defaultChatProvider) {
+      provider = this.daemon.config.defaultChatProvider;
+    }
+    if (!model && this.daemon.config?.defaultChatModel) {
+      model = this.daemon.config.defaultChatModel;
+    }
+
     const id = randomUUID().slice(0, 12);
     const now = new Date().toISOString();
 
@@ -285,6 +292,8 @@ export class ConversationManager {
       'claude-code': 'ANTHROPIC_API_KEY',
       'codex': 'OPENAI_API_KEY',
       'gemini': 'GEMINI_API_KEY',
+      'grok': 'XAI_API_KEY',
+      'nano-banana': 'GEMINI_API_KEY',
     };
     const envVar = envMap[providerName];
     if (envVar && process.env[envVar]) return process.env[envVar];
@@ -355,6 +364,13 @@ export class ConversationManager {
     // Fallback: headless CLI spawn (for providers without streamChat or missing API key)
     const prompt = this._buildHistoryPrompt(history, message);
     const headlessCmd = provider.buildHeadlessCommand(prompt, modelId);
+    if (!headlessCmd) {
+      this.daemon.broadcast({
+        type: 'conversation:error',
+        data: { conversationId: id, error: `${providerName} requires an API key for chat` },
+      });
+      return;
+    }
     const { command, args, env, stdin: stdinData, cwd } = headlessCmd;
 
     const spawnOpts = {

package/node_modules/@groove-dev/daemon/src/index.js

@@ -1,7 +1,7 @@
 // GROOVE Daemon — Entry Point
 // FSL-1.1-Apache-2.0 — see LICENSE
 
-import { createServer as createHttpServer } from 'http';
+import { createServer as createHttpServer, request as httpProxyRequest } from 'http';
 import { createServer as createNetServer } from 'net';
 import { execFileSync } from 'child_process';
 import { resolve } from 'path';
@@ -208,6 +208,46 @@ export class Daemon {
         this.federationWss.handleUpgrade(req, socket, head, (ws) => {
           this.federation.handleWsUpgrade(ws, daemonId, callerIp, signatureHeader);
         });
+      } else if (req.url?.startsWith('/api/preview/') && req.url.includes('/proxy')) {
+        // HMR WebSocket proxy — forward to the dev server's WebSocket
+        const match = req.url.match(/^\/api\/preview\/([^/]+)\/proxy\/?(.*)$/);
+        if (!match || !this.preview) { socket.destroy(); return; }
+        const entry = this.preview.get(match[1]);
+        if (!entry?.url) { socket.destroy(); return; }
+        let targetUrl;
+        try { targetUrl = new URL(entry.url); } catch { socket.destroy(); return; }
+        const wsPath = '/' + (match[2] || '');
+        const opts = {
+          hostname: targetUrl.hostname,
+          port: targetUrl.port,
+          path: wsPath,
+          method: 'GET',
+          headers: { ...req.headers, host: targetUrl.host },
+        };
+        const upstream = httpProxyRequest(opts);
+        upstream.on('upgrade', (_res, upSocket, upHead) => {
+          const skipHeaders = new Set(['upgrade', 'connection', 'sec-websocket-accept']);
+          const extra = Object.entries(_res.headers)
+            .filter(([k]) => !skipHeaders.has(k))
+            .map(([k, v]) => `${k}: ${v}\r\n`).join('');
+          socket.write(
+            'HTTP/1.1 101 Switching Protocols\r\n' +
+            `Upgrade: ${_res.headers.upgrade || 'websocket'}\r\n` +
+            `Connection: Upgrade\r\n` +
+            `Sec-WebSocket-Accept: ${_res.headers['sec-websocket-accept'] || ''}\r\n` +
+            extra +
+            '\r\n'
+          );
+          if (upHead.length) socket.write(upHead);
+          upSocket.pipe(socket);
+          socket.pipe(upSocket);
+          upSocket.on('error', () => socket.destroy());
+          socket.on('error', () => upSocket.destroy());
+          upSocket.on('close', () => socket.destroy());
+          socket.on('close', () => upSocket.destroy());
+        });
+        upstream.on('error', () => socket.destroy());
+        upstream.end();
       } else {
         this.wss.handleUpgrade(req, socket, head, (ws) => {
           this.wss.emit('connection', ws, req);

package/node_modules/@groove-dev/daemon/src/preview.js

@@ -17,7 +17,7 @@ import { existsSync, readFileSync, statSync } from 'fs';
 import { createServer } from 'http';
 import { lookup as mimeLookup } from './mimetypes.js';
 
-const READY_TIMEOUT_MS = 60_000;  // give dev servers a minute to boot
+const READY_TIMEOUT_MS = 120_000;  // give dev servers 2 minutes (large projects need npm install)
 const MAX_STDOUT_BYTES = 256 * 1024;
 // Strip CSI/OSC/other ANSI escape sequences — Vite prints URLs with inline
 // bold/color codes (e.g. "http://localhost:\x1b[1m5175\x1b[22m/") which would
@@ -147,11 +147,41 @@ export class PreviewService {
     });
   }
 
+  _autoDetectDevCommand(baseDir) {
+    const pkgPath = resolve(baseDir, 'package.json');
+    if (!existsSync(pkgPath)) return null;
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+      const scripts = pkg.scripts || {};
+      for (const name of ['dev', 'start', 'serve']) {
+        if (scripts[name]) return `npm run ${name}`;
+      }
+    } catch { /* malformed package.json */ }
+    return null;
+  }
+
   _launchDevServer(teamId, baseDir, preview) {
-    const command = String(preview.command || '').trim();
+    let command = String(preview.command || '').trim();
+    if (!command) {
+      command = this._autoDetectDevCommand(baseDir) || '';
+    }
     if (!command) {
       return Promise.resolve({ launched: false, reason: 'no_command' });
     }
+    // If command references an npm script, verify it exists in package.json
+    const npmRunMatch = command.match(/npm\s+run\s+(\S+)/);
+    if (npmRunMatch) {
+      const scriptName = npmRunMatch[1];
+      const pkgPath = resolve(baseDir, 'package.json');
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+        if (!pkg.scripts || !pkg.scripts[scriptName]) {
+          return Promise.resolve({ launched: false, reason: 'no_dev_script' });
+        }
+      } catch {
+        return Promise.resolve({ launched: false, reason: 'no_dev_script' });
+      }
+    }
     const urlPattern = preview.urlPattern
       ? new RegExp(preview.urlPattern)
       : /https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0):\d+/;

package/node_modules/@groove-dev/daemon/src/process.js

@@ -114,6 +114,9 @@ CRITICAL — NEVER DO THESE:
 - NEVER kill the daemon process. No "kill <pid>", "pkill groove", "killall node", etc.
 - NEVER run "./promote.sh", "./promote-local.sh", or any publish/deploy script.
 - NEVER start long-running dev servers (vite dev, npm start, next dev, etc.).
+- NEVER use 'git add -f' or 'git add --force' to bypass .gitignore. If a file is gitignored, it should stay gitignored. Only stage files that git tracks normally. If .gitignore prevents staging, report it in your output — do NOT force-add.
+- NEVER use 'git push --force' or 'git push -f'. Force-pushing can destroy shared history.
+- NEVER modify .gitignore to include files that were previously excluded.
 
 Restarting the daemon destroys ALL other agents currently running in other teams. Verification is done via "npm run build" and "npm test", which exit cleanly. If code changes require a daemon restart to take effect, report that in your output so the user can restart manually — do NOT do it yourself.
 
@@ -1161,6 +1164,11 @@ For normal file edits within your scope, proceed without review.
     const workingDir = plan.workingDir;
     preview.launch(teamId, workingDir, plan.preview).then((result) => {
       if (!result.launched) {
+        const intentionalSkips = new Set(['no_preview', 'cli', 'none', 'no_command', 'no_dev_script']);
+        if (intentionalSkips.has(result.reason)) {
+          console.log(`[Groove] Preview for team ${teamId} intentionally skipped: ${result.reason}`);
+          return;
+        }
         console.warn(`[Groove] Preview for team ${teamId} did not launch: ${result.reason}`);
         this.daemon.broadcast({
           type: 'preview:failed',
@@ -1171,7 +1179,7 @@ For normal file edits within your scope, proceed without review.
       }
     }).catch((err) => {
       console.error(`[Groove] Preview launch error for team ${teamId}:`, err.message);
-      this.daemon.broadcast({ type: 'preview:failed', teamId, reason: err.message });
+      this.daemon.broadcast({ type: 'preview:failed', teamId, kind: plan.preview?.kind, reason: err.message });
     });
   }
 

package/node_modules/@groove-dev/daemon/src/providers/base.js

@@ -37,6 +37,10 @@ export class Provider {
     return null;
   }
 
+  async generateImage(prompt, options = {}) {
+    return null;
+  }
+
   static setupGuide() {
     return { installSteps: [], authMethods: [], authInstructions: {} };
   }

package/node_modules/@groove-dev/daemon/src/providers/codex.js

@@ -43,6 +43,8 @@ export class CodexProvider extends Provider {
     { id: 'gpt-5.4-nano', name: 'GPT-5.4 Nano', tier: 'light', maxContext: 200000, pricing: { input: 0.0004, output: 0.0016 } },
     { id: 'gpt-5-mini', name: 'GPT-5 Mini', tier: 'medium', maxContext: 200000, pricing: { input: 0.0005, output: 0.002 } },
     { id: 'gpt-5-nano', name: 'GPT-5 Nano', tier: 'light', maxContext: 200000, pricing: { input: 0.0001, output: 0.0004 } },
+    { id: 'gpt-image-2', name: 'GPT Image 2', tier: 'medium', type: 'image', pricing: { perImage: 0.07 } },
+    { id: 'gpt-image-1', name: 'GPT Image 1', tier: 'medium', type: 'image', pricing: { perImage: 0.02 } },
   ];
 
   static isInstalled() {
@@ -186,6 +188,42 @@ export class CodexProvider extends Provider {
     return controller;
   }
 
+  async generateImage(prompt, options = {}) {
+    const apiKey = options.apiKey;
+    if (!apiKey) throw new Error('OPENAI_API_KEY required for image generation');
+
+    const body = {
+      model: options.model || 'gpt-image-1',
+      prompt,
+      n: 1,
+    };
+    if (options.size) body.size = options.size;
+    if (options.quality) body.quality = options.quality;
+
+    const res = await fetch('https://api.openai.com/v1/images/generations', {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${apiKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`OpenAI Image API ${res.status}: ${text.slice(0, 200)}`);
+    }
+
+    const data = await res.json();
+    const image = data.data?.[0];
+    return {
+      url: image?.url || null,
+      b64_json: image?.b64_json || null,
+      model: body.model,
+      provider: 'codex',
+    };
+  }
+
   parseOutput(line) {
     const trimmed = line.trim();
     if (!trimmed) return null;