oh-my-harness 0.16.0 → 0.18.0

package/README.md

@@ -125,7 +125,10 @@ your-project/
   │ • Claude CLI   │──▶│   NL Processing     │◀── "React + FastAPI
   │ • Claude API   │   │   (describe your    │     TDD enforced"
   │ • OpenAI API   │   │                     │
-  │ • Gemini API   │   └────────┬────────────┘
+  │ • Gemini API   │   │                     │
+  │ • Codex OAuth  │   │                     │
+  │ • Codex OAuth  │   │                     │
+  │   API          │   └────────┬────────────┘
   └────────────────┘            │
    (global AI config)   ┌────────▼────────────┐
                         │  Project Detector   │  ← Auto-detects language,
@@ -176,8 +179,10 @@ oh-my-harness supports multiple AI providers for natural language mode:
 |----------|-------|------------------|---------|
 | **Claude CLI** | `claude` command installed | Opus 4.6, Sonnet 4.6, Haiku 4.5 | ✓ |
 | **Claude API** | Set `ANTHROPIC_API_KEY` | Opus 4.6, Sonnet 4.6, Haiku 4.5 | Sonnet 4.6 |
-| **OpenAI API** | Set `OPENAI_API_KEY` | GPT-5.4, GPT-5.4-mini, GPT-5.4-nano, GPT-4.1, GPT-4.1-mini, o3, o4-mini | GPT-5.4 |
+| **OpenAI API** | Set `OPENAI_API_KEY` | GPT-5.5, GPT-5.4, GPT-5.4-mini, GPT-5.4-nano, GPT-4.1, GPT-4.1-mini, o3, o4-mini | GPT-5.5 |
 | **Gemini API** | Set `GOOGLE_API_KEY` | Gemini 2.5 Pro, Gemini 2.5 Flash, Gemini 2.5 Flash Lite, Gemini 3.1 Pro Preview | Gemini 2.5 Pro |
+| **Codex OAuth** | `codex` command installed + `codex login`; runs `codex exec` | GPT-5.5, GPT-5.4, GPT-5.4-mini | GPT-5.5 |
+| **Codex OAuth API** | `omh config` device-code login; imports `~/.codex/auth.json` once if present, then uses `~/.omh` | GPT-5.5, GPT-5.4, GPT-5.4-mini | GPT-5.5 |
 
 Configuration is saved to `~/.omh/config.json` and selected via interactive UI on first use:
 
@@ -452,6 +457,8 @@ oh-my-harness/
 - **Node.js** >= 20
 - **Claude CLI** (optional, for default NL mode) — [Install guide](https://docs.anthropic.com/en/docs/claude-code)
 - **API Keys** (optional, for Claude/OpenAI/Gemini API modes) — set `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, or `GOOGLE_API_KEY`
+- **Codex CLI OAuth** (optional, for `codex` CLI-wrapper mode) — install `codex` and run `codex login`
+- **Codex OAuth API** (optional, experimental direct mode) — run `omh config` and choose Codex OAuth API to complete device-code sign-in; credentials are stored under `~/.omh`
 
 ---
 
@@ -465,7 +472,7 @@ oh-my-harness/
 - [x] `omh stats` — TUI analytics dashboard (ink)
 - [x] Stateful hook logging — events.jsonl
 - [x] TDD Guard — enforce test-first workflow
-- [x] Multi-provider AI support — Claude API, OpenAI, Gemini
+- [x] Multi-provider AI support — Claude API, OpenAI, Gemini, Codex OAuth
 - [x] Interactive model selection per provider
 - [x] GitHub star prompt — first-time only
 - [x] Codex emitter — `AGENTS.md` + `.codex/hooks.json` + `.codex/config.toml`
@@ -473,6 +480,7 @@ oh-my-harness/
 - [x] Pi ([pi.dev](https://pi.dev)) emitter — bridge extension (`.pi/extensions/omh-harness.ts`) reusing the same `.omh/hooks/*.sh`
 - [x] `ask` mode — request approval before executing risky tools (Claude native prompt / Pi `ctx.ui.select`; Codex falls back to block)
 - [x] `omh uninstall` — remove generated artifacts while preserving user content
+- [x] `omh config` — view, reconfigure, or reset the saved AI provider (rotate expired keys, switch provider/model)
 - [ ] Community harness.yaml registry — share and reuse configs
 - [ ] `omh modify "change X"` — NL config editing
 

package/dist/cli/commands/config.d.ts

@@ -0,0 +1,26 @@
+import { type ProviderConfig } from "../../nl/config-store.js";
+export interface ConfigOptions {
+    /** Print the current provider config (masked) without changing anything. */
+    show?: boolean;
+    /** Delete the saved provider config. */
+    reset?: boolean;
+    /** Skip confirmation prompts. */
+    yes?: boolean;
+    /**
+     * Interactive provider setup. Injectable for tests; defaults to the clack TUI.
+     * Returns the saved config, or undefined if the user cancelled.
+     */
+    setupRunner?: () => Promise<ProviderConfig | undefined>;
+    /** Confirmation prompt. Injectable for tests; defaults to the clack TUI. */
+    confirm?: (message: string) => Promise<boolean>;
+}
+export interface ConfigResult {
+    exitCode: number;
+}
+/**
+ * `omh config`: view, reconfigure, or reset the saved AI provider used for
+ * natural-language mode (~/.omh/config.json). Without flags it shows the current
+ * config and launches the provider setup flow so a user can rotate an expired
+ * key or switch providers.
+ */
+export declare function configCommand(options?: ConfigOptions): Promise<ConfigResult>;

package/dist/cli/commands/config.js

@@ -0,0 +1,90 @@
+import chalk from "chalk";
+import { loadProviderConfig, deleteProviderConfig, maskApiKey, } from "../../nl/config-store.js";
+const NO_CONFIG_MESSAGE = "No AI provider configured yet. Run `omh config` (or `omh init`) to set one up.";
+function printSummary(config) {
+    console.log(chalk.bold("Current AI provider configuration:"));
+    console.log(`  provider: ${chalk.cyan(config.provider)}`);
+    console.log(`  method:   ${chalk.cyan(config.method)}`);
+    if (config.method === "api") {
+        console.log(`  model:    ${chalk.cyan(config.model ?? "(default)")}`);
+        console.log(`  api key:  ${chalk.dim(maskApiKey(config.apiKey))}`);
+    }
+    else if (config.method === "oauth") {
+        console.log(`  model:    ${chalk.cyan(config.model ?? "(default)")}`);
+        console.log(`  command:  ${chalk.cyan(config.cliCommand ?? config.provider)}`);
+        console.log(`  auth:     ${chalk.dim("uses Codex CLI OAuth session; run `codex login` to sign in")}`);
+    }
+    else if (config.method === "oauth-api") {
+        console.log(`  model:    ${chalk.cyan(config.model ?? "(default)")}`);
+        console.log(`  auth:     ${chalk.dim("uses Codex OAuth token from ~/.omh; run `omh config` to sign in or refresh")}`);
+    }
+    else {
+        console.log(`  command:  ${chalk.cyan(config.cliCommand ?? config.provider)}`);
+    }
+}
+async function defaultConfirm(message) {
+    const p = await import("@clack/prompts");
+    const answer = await p.confirm({ message });
+    if (p.isCancel(answer))
+        return false;
+    return answer === true;
+}
+async function defaultSetupRunner() {
+    const { runProviderSetup } = await import("../tui/provider-setup.js");
+    return runProviderSetup();
+}
+/**
+ * `omh config`: view, reconfigure, or reset the saved AI provider used for
+ * natural-language mode (~/.omh/config.json). Without flags it shows the current
+ * config and launches the provider setup flow so a user can rotate an expired
+ * key or switch providers.
+ */
+export async function configCommand(options = {}) {
+    // --show and --reset express contradictory intent; fail loudly rather than
+    // silently letting one win.
+    if (options.show && options.reset) {
+        console.error("`--show` and `--reset` cannot be used together.");
+        return { exitCode: 1 };
+    }
+    const existing = await loadProviderConfig();
+    // --show: read-only summary.
+    if (options.show) {
+        if (!existing) {
+            console.log(NO_CONFIG_MESSAGE);
+            return { exitCode: 0 };
+        }
+        printSummary(existing);
+        return { exitCode: 0 };
+    }
+    // --reset: delete the saved config.
+    if (options.reset) {
+        if (!existing) {
+            console.log(NO_CONFIG_MESSAGE);
+            return { exitCode: 0 };
+        }
+        const confirm = options.confirm ?? defaultConfirm;
+        const ok = options.yes ? true : await confirm("Delete the saved AI provider configuration?");
+        if (!ok) {
+            console.log("Aborted. Configuration left unchanged.");
+            return { exitCode: 0 };
+        }
+        await deleteProviderConfig();
+        console.log(chalk.green("Removed ~/.omh/config.json"));
+        return { exitCode: 0 };
+    }
+    // Default: show current config (if any), then reconfigure.
+    if (existing) {
+        printSummary(existing);
+        console.log("");
+    }
+    else {
+        console.log("No AI provider configured yet. Let's set one up.\n");
+    }
+    const setupRunner = options.setupRunner ?? defaultSetupRunner;
+    const updated = await setupRunner();
+    if (!updated) {
+        // Setup was cancelled; nothing changed.
+        return { exitCode: 0 };
+    }
+    return { exitCode: 0 };
+}

package/dist/cli/commands/doctor.d.ts

@@ -21,6 +21,13 @@ export interface DoctorResult {
      * warning unless `strict` is set.
      */
     inSync?: boolean;
+    /**
+     * Whether an AI provider is configured for natural-language mode
+     * (~/.omh/config.json). Informational only — it never affects health, since
+     * the provider is global and optional. Surfaced so users can discover
+     * `omh config` to rotate an expired key or switch provider/model.
+     */
+    providerConfigured: boolean;
     messages: string[];
 }
 export declare function doctorCommand(options?: DoctorOptions): Promise<DoctorResult>;

package/dist/cli/commands/doctor.js

@@ -3,6 +3,7 @@ import path from "node:path";
 import { parse } from "smol-toml";
 import { OMH_HOOKS_DIR } from "../../utils/paths.js";
 import { computeDrift, HarnessNotFoundError } from "../../core/drift.js";
+import { loadProviderConfig } from "../../nl/config-store.js";
 export async function doctorCommand(options = {}) {
     const projectDir = options.projectDir ?? process.cwd();
     const messages = [];
@@ -154,6 +155,10 @@ export async function doctorCommand(options = {}) {
         }
         // No harness.yaml → leave inSync undefined (drift not applicable).
     }
+    // 9. AI provider config (~/.omh/config.json). Global and optional, so this is
+    // purely informational (INFO) and never affects health — it just surfaces
+    // `omh config` so users can rotate an expired key or switch provider/model.
+    const providerConfigured = await checkProviderConfig(messages);
     const checksHealthy = Object.values(checks).every(Boolean);
     const healthy = checksHealthy && (!options.strict || inSync !== false);
     const exitCode = healthy ? 0 : 1;
@@ -169,5 +174,35 @@ export async function doctorCommand(options = {}) {
             console.log(`  ${msg}`);
         }
     }
-    return { healthy, exitCode, checks, inSync, messages };
+    return { healthy, exitCode, checks, inSync, providerConfigured, messages };
+}
+/**
+ * Inspects the global AI provider config and appends an INFO hint to `messages`.
+ * Returns whether a provider is configured. Never reads or echoes the API key.
+ */
+async function checkProviderConfig(messages) {
+    const config = await loadProviderConfig();
+    if (!config) {
+        messages.push("INFO: No AI provider configured for natural-language mode — run `omh config` to set one up.");
+        return false;
+    }
+    if (config.method === "api") {
+        const model = config.model ? `, ${config.model}` : "";
+        messages.push(`INFO: AI provider: ${config.provider} (api${model}). ` +
+            "If your API key expired, run `omh config` to update it or switch provider.");
+    }
+    else if (config.method === "oauth") {
+        const model = config.model ? `, ${config.model}` : "";
+        messages.push(`INFO: AI provider: ${config.provider} (oauth${model}). ` +
+            "Uses Codex CLI auth; run `codex login` if the session expired.");
+    }
+    else if (config.method === "oauth-api") {
+        const model = config.model ? `, ${config.model}` : "";
+        messages.push(`INFO: AI provider: ${config.provider} (oauth-api${model}). ` +
+            "Uses ~/.omh Codex OAuth auth store; run `omh config` if the token expired.");
+    }
+    else {
+        messages.push(`INFO: AI provider: ${config.provider} (cli). Run \`omh config\` to switch provider or model.`);
+    }
+    return true;
 }

package/dist/cli/index.js

@@ -87,6 +87,19 @@ export function createCli() {
             process.exitCode = result.exitCode;
         }
     });
+    program
+        .command("config")
+        .description("View, reconfigure, or reset the saved AI provider")
+        .option("--show", "Show the current provider config (API key masked)")
+        .option("--reset", "Delete the saved provider config")
+        .option("-y, --yes", "Skip confirmation prompts")
+        .action(async (options) => {
+        const { configCommand } = await import("./commands/config.js");
+        const result = await configCommand(options);
+        if (result.exitCode !== 0) {
+            process.exitCode = result.exitCode;
+        }
+    });
     program
         .command("stats")
         .description("TUI dashboard for harness analytics")

package/dist/cli/tui/provider-setup.js

@@ -1,5 +1,6 @@
 import * as p from "@clack/prompts";
 import { getAvailableProviders, getProviderDefinition, } from "../../nl/provider-registry.js";
+import { ensureCodexOauthApiAuth } from "../../nl/providers/codex-oauth-api.js";
 import { saveProviderConfig, } from "../../nl/config-store.js";
 export async function runProviderSetup() {
     p.intro("AI Provider Setup");
@@ -17,15 +18,18 @@ export async function runProviderSetup() {
         return undefined;
     }
     const def = getProviderDefinition(providerName);
-    // Step 2: Select method (CLI or API)
+    // Step 2: Select method (CLI, API, or OAuth)
     let method;
-    if (def.supportsCli && def.supportsApi) {
+    const methodOptions = [
+        def.supportsCli ? { value: "cli", label: `CLI tool (${def.cliCommand ?? def.name})` } : undefined,
+        def.supportsApi ? { value: "api", label: "API Key" } : undefined,
+        def.supportsOAuth ? { value: "oauth", label: `Codex OAuth (${def.cliCommand ?? def.name} login)` } : undefined,
+        def.supportsOAuthApi ? { value: "oauth-api", label: "Codex OAuth API (~/.omh auth store)" } : undefined,
+    ].filter((option) => option !== undefined);
+    if (methodOptions.length > 1) {
         const selected = await p.select({
             message: "How would you like to connect?",
-            options: [
-                { value: "cli", label: `CLI tool (${def.cliCommand ?? def.name})` },
-                { value: "api", label: "API Key" },
-            ],
+            options: methodOptions,
         });
         if (p.isCancel(selected)) {
             p.cancel("Provider setup cancelled.");
@@ -33,11 +37,11 @@ export async function runProviderSetup() {
         }
         method = selected;
     }
-    else if (def.supportsCli) {
-        method = "cli";
+    else if (methodOptions[0]) {
+        method = methodOptions[0].value;
     }
     else {
-        method = "api";
+        throw new Error(`Provider "${def.name}" has no supported authentication method`);
     }
     const config = {
         provider: providerName,
@@ -75,6 +79,33 @@ export async function runProviderSetup() {
         }
         config.model = selectedModel;
     }
+    else if (method === "oauth" || method === "oauth-api") {
+        if (method === "oauth") {
+            config.cliCommand = def.cliCommand ?? def.name;
+        }
+        const selectedModel = await p.select({
+            message: "Select model:",
+            options: def.availableModels.map((m) => ({
+                value: m.id,
+                label: m.label,
+                hint: m.id === def.defaultModel ? "default" : undefined,
+            })),
+            initialValue: def.defaultModel,
+        });
+        if (p.isCancel(selectedModel)) {
+            p.cancel("Provider setup cancelled.");
+            return undefined;
+        }
+        config.model = selectedModel;
+        if (method === "oauth-api") {
+            await ensureCodexOauthApiAuth({
+                onDeviceCode: ({ url, code }) => {
+                    p.note(`Open ${url} and enter code: ${code}`, "Codex OAuth API sign-in");
+                },
+            });
+            p.log.success("Codex OAuth API session saved under ~/.omh.");
+        }
+    }
     else {
         config.cliCommand = def.cliCommand ?? def.name;
     }

package/dist/nl/config-store.d.ts

@@ -1,6 +1,6 @@
 export interface ProviderConfig {
-    provider: "claude" | "openai" | "gemini";
-    method: "cli" | "api";
+    provider: "claude" | "openai" | "gemini" | "codex" | "codex-oauth-api";
+    method: "cli" | "api" | "oauth" | "oauth-api";
     apiKey?: string;
     model?: string;
     cliCommand?: string;
@@ -9,3 +9,10 @@ export declare function getConfigDir(): string;
 export declare function hasProviderConfig(): Promise<boolean>;
 export declare function loadProviderConfig(): Promise<ProviderConfig | undefined>;
 export declare function saveProviderConfig(config: ProviderConfig): Promise<void>;
+export declare function deleteProviderConfig(): Promise<void>;
+/**
+ * Masks an API key for display, keeping a short prefix and suffix so the user
+ * can recognize which key is stored without revealing it. Keys short enough
+ * that a prefix/suffix would overlap are masked entirely.
+ */
+export declare function maskApiKey(apiKey: string | undefined): string;

package/dist/nl/config-store.js

@@ -34,3 +34,17 @@ export async function saveProviderConfig(config) {
     await fs.writeFile(configPath, payload, { encoding: "utf-8", mode: 0o600 });
     await fs.chmod(configPath, 0o600);
 }
+export async function deleteProviderConfig() {
+    await fs.rm(getConfigPath(), { force: true });
+}
+/**
+ * Masks an API key for display, keeping a short prefix and suffix so the user
+ * can recognize which key is stored without revealing it. Keys short enough
+ * that a prefix/suffix would overlap are masked entirely.
+ */
+export function maskApiKey(apiKey) {
+    const key = apiKey?.trim() ?? "";
+    if (key.length <= 8)
+        return "****";
+    return `${key.slice(0, 3)}…${key.slice(-4)}`;
+}

package/dist/nl/provider-registry.d.ts

@@ -12,6 +12,8 @@ export interface ProviderDefinition {
     displayName: string;
     supportsCli: boolean;
     supportsApi: boolean;
+    supportsOAuth: boolean;
+    supportsOAuthApi: boolean;
     defaultModel: string;
     availableModels: ModelEntry[];
     cliCommand?: string;

package/dist/nl/provider-registry.js

@@ -2,12 +2,16 @@ import { createClaudeCliProvider } from "./providers/claude-cli.js";
 import { createClaudeApiProvider } from "./providers/claude-api.js";
 import { createOpenaiApiProvider } from "./providers/openai-api.js";
 import { createGeminiApiProvider } from "./providers/gemini-api.js";
+import { createCodexOauthProvider } from "./providers/codex-oauth.js";
+import { createCodexOauthApiProvider } from "./providers/codex-oauth-api.js";
 const providers = [
     {
         name: "claude",
         displayName: "Claude (Anthropic)",
         supportsCli: true,
         supportsApi: true,
+        supportsOAuth: false,
+        supportsOAuthApi: false,
         defaultModel: "claude-sonnet-4-6",
         availableModels: [
             { id: "claude-opus-4-6", label: "Claude Opus 4.6 — most capable, 1M context" },
@@ -18,12 +22,15 @@ const providers = [
     },
     {
         name: "openai",
-        displayName: "OpenAI (GPT-5.4)",
+        displayName: "OpenAI (GPT-5.5)",
         supportsCli: false,
         supportsApi: true,
-        defaultModel: "gpt-5.4",
+        supportsOAuth: false,
+        supportsOAuthApi: false,
+        defaultModel: "gpt-5.5",
         availableModels: [
-            { id: "gpt-5.4", label: "GPT-5.4 — flagship, agentic & coding" },
+            { id: "gpt-5.5", label: "GPT-5.5 — newest frontier, complex reasoning & coding" },
+            { id: "gpt-5.4", label: "GPT-5.4 — previous flagship, agentic & coding" },
             { id: "gpt-5.4-mini", label: "GPT-5.4 Mini — strongest mini model" },
             { id: "gpt-5.4-nano", label: "GPT-5.4 Nano — cheapest GPT-5.4 class" },
             { id: "gpt-4.1", label: "GPT-4.1 — best non-reasoning, coding" },
@@ -37,6 +44,8 @@ const providers = [
         displayName: "Gemini (Google)",
         supportsCli: false,
         supportsApi: true,
+        supportsOAuth: false,
+        supportsOAuthApi: false,
         defaultModel: "gemini-2.5-pro",
         availableModels: [
             { id: "gemini-2.5-pro", label: "Gemini 2.5 Pro — most advanced stable" },
@@ -46,6 +55,35 @@ const providers = [
             { id: "gemini-3-flash-preview", label: "Gemini 3 Flash Preview — frontier performance (preview)" },
         ],
     },
+    {
+        name: "codex",
+        displayName: "Codex OAuth (OpenAI ChatGPT login)",
+        supportsCli: false,
+        supportsApi: false,
+        supportsOAuth: true,
+        supportsOAuthApi: false,
+        defaultModel: "gpt-5.5",
+        availableModels: [
+            { id: "gpt-5.5", label: "GPT-5.5 — frontier Codex reasoning when available" },
+            { id: "gpt-5.4", label: "GPT-5.4 — previous Codex default-capable flagship" },
+            { id: "gpt-5.4-mini", label: "GPT-5.4 Mini — faster Codex runs" },
+        ],
+        cliCommand: "codex",
+    },
+    {
+        name: "codex-oauth-api",
+        displayName: "Codex OAuth API (ChatGPT token direct)",
+        supportsCli: false,
+        supportsApi: false,
+        supportsOAuth: false,
+        supportsOAuthApi: true,
+        defaultModel: "gpt-5.5",
+        availableModels: [
+            { id: "gpt-5.5", label: "GPT-5.5 — direct Codex OAuth Responses endpoint" },
+            { id: "gpt-5.4", label: "GPT-5.4 — previous direct Codex OAuth model" },
+            { id: "gpt-5.4-mini", label: "GPT-5.4 Mini — faster direct Codex OAuth runs" },
+        ],
+    },
 ];
 export function getAvailableProviders() {
     return [...providers];
@@ -62,15 +100,41 @@ export function createProvider(config) {
     if (!def) {
         throw new Error(`Unknown AI provider: "${config.provider}". Available: ${providers.map((p) => p.name).join(", ")}`);
     }
-    if (config.method !== "cli" && config.method !== "api") {
+    if (config.method !== "cli" && config.method !== "api" && config.method !== "oauth" && config.method !== "oauth-api") {
         throw new Error(`Unsupported provider method: "${String(config.method)}"`);
     }
+    if (config.method === "cli" && !def.supportsCli) {
+        throw new Error(`Provider "${config.provider}" does not support CLI mode`);
+    }
+    if (config.method === "api" && !def.supportsApi) {
+        throw new Error(`Provider "${config.provider}" does not support API mode`);
+    }
+    if (config.method === "oauth" && !def.supportsOAuth) {
+        throw new Error(`Provider "${config.provider}" does not support OAuth mode`);
+    }
+    if (config.method === "oauth-api" && !def.supportsOAuthApi) {
+        throw new Error(`Provider "${config.provider}" does not support OAuth API mode`);
+    }
     if (config.method === "cli") {
         if (config.provider === "claude") {
             return createClaudeCliProvider(config.cliCommand ?? "claude");
         }
         throw new Error(`Provider "${config.provider}" does not support CLI mode`);
     }
+    if (config.method === "oauth") {
+        if (config.provider === "codex") {
+            const model = config.model?.trim() || def.defaultModel;
+            return createCodexOauthProvider(config.cliCommand ?? "codex", model);
+        }
+        throw new Error(`Provider "${config.provider}" does not support OAuth mode`);
+    }
+    if (config.method === "oauth-api") {
+        if (config.provider === "codex-oauth-api") {
+            const model = config.model?.trim() || def.defaultModel;
+            return createCodexOauthApiProvider({ model });
+        }
+        throw new Error(`Provider "${config.provider}" does not support OAuth API mode`);
+    }
     // API mode
     const apiKey = config.apiKey?.trim();
     if (!apiKey) {

package/dist/nl/providers/codex-oauth-api.d.ts

@@ -0,0 +1,48 @@
+import type { LLMProvider } from "../provider-registry.js";
+export interface CodexOauthApiProviderOptions {
+    model?: string;
+    authPath?: string;
+    codexCliAuthPath?: string;
+    responsesUrl?: string;
+    timeoutMs?: number;
+}
+export interface CodexOauthApiLoginOptions {
+    authPath?: string;
+    issuer?: string;
+    tokenUrl?: string;
+    timeoutMs?: number;
+    pollIntervalMs?: number;
+    maxWaitMs?: number;
+    onDeviceCode?: (info: {
+        url: string;
+        code: string;
+    }) => void | Promise<void>;
+}
+interface CodexAuthFile {
+    provider?: string;
+    source?: string;
+    OPENAI_API_KEY?: string | null;
+    tokens?: {
+        access_token?: string;
+        refresh_token?: string;
+        id_token?: string;
+        account_id?: string;
+    };
+    last_refresh?: string;
+    auth_mode?: string;
+}
+interface AuthState {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    accountId?: string;
+    authPath?: string;
+    authFile?: CodexAuthFile;
+}
+export declare function getCodexOauthApiAuthPath(): string;
+export declare function loginCodexOauthApi(options?: CodexOauthApiLoginOptions): Promise<AuthState>;
+export declare function ensureCodexOauthApiAuth(options?: CodexOauthApiLoginOptions & {
+    codexCliAuthPath?: string;
+}): Promise<AuthState>;
+export declare function createCodexOauthApiProvider(options?: CodexOauthApiProviderOptions): LLMProvider;
+export {};

package/dist/nl/providers/codex-oauth-api.js

@@ -0,0 +1,416 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { getConfigDir } from "../config-store.js";
+const DEFAULT_MODEL = "gpt-5.5";
+const ISSUER = "https://auth.openai.com";
+const RESPONSES_URL = "https://chatgpt.com/backend-api/codex/responses";
+const TOKEN_URL = `${ISSUER}/oauth/token`;
+const CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const REQUEST_TIMEOUT_MS = 120_000;
+const MAX_ATTEMPTS = 3;
+const AUTH_FILENAME = "codex-oauth-api-auth.json";
+export function getCodexOauthApiAuthPath() {
+    return path.join(getConfigDir(), AUTH_FILENAME);
+}
+function getCodexCliAuthPath() {
+    const codexHome = process.env.CODEX_HOME?.trim() || path.join(process.env.HOME ?? os.homedir(), ".codex");
+    return path.join(codexHome, "auth.json");
+}
+function decodeJwtPayload(token) {
+    const payload = token?.split(".")[1];
+    if (!payload)
+        return undefined;
+    try {
+        const padded = `${payload}${"=".repeat((4 - (payload.length % 4)) % 4)}`;
+        return JSON.parse(Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf-8"));
+    }
+    catch {
+        return undefined;
+    }
+}
+function readNestedAccountId(payload) {
+    if (!payload)
+        return undefined;
+    const authClaim = payload["https://api.openai.com/auth"];
+    const nested = authClaim && typeof authClaim === "object"
+        ? authClaim.chatgpt_account_id
+        : undefined;
+    const dotted = payload["https://api.openai.com/auth.chatgpt_account_id"];
+    const direct = payload.chatgpt_account_id;
+    const orgs = payload.organizations;
+    const firstOrg = Array.isArray(orgs) ? orgs[0]?.id : undefined;
+    const candidate = nested ?? dotted ?? direct ?? firstOrg;
+    return typeof candidate === "string" && candidate.trim() ? candidate : undefined;
+}
+function extractAccountId(tokens) {
+    return tokens?.account_id
+        ?? readNestedAccountId(decodeJwtPayload(tokens?.id_token))
+        ?? readNestedAccountId(decodeJwtPayload(tokens?.access_token));
+}
+async function readAuthFile(authPath) {
+    try {
+        return JSON.parse(await fs.readFile(authPath, "utf-8"));
+    }
+    catch {
+        return undefined;
+    }
+}
+async function writeAuthFile(authPath, authFile) {
+    await fs.mkdir(path.dirname(authPath), { recursive: true });
+    await fs.writeFile(authPath, `${JSON.stringify(authFile, null, 2)}\n`, { encoding: "utf-8", mode: 0o600 });
+    await fs.chmod(authPath, 0o600);
+}
+function authStateFromFile(authFile, authPath) {
+    const accessToken = authFile.tokens?.access_token?.trim();
+    if (!accessToken)
+        return undefined;
+    return {
+        accessToken,
+        refreshToken: authFile.tokens?.refresh_token,
+        idToken: authFile.tokens?.id_token,
+        accountId: extractAccountId(authFile.tokens),
+        authPath,
+        authFile,
+    };
+}
+async function importCodexCliAuth(cliAuthPath, authPath) {
+    const cliAuth = await readAuthFile(cliAuthPath);
+    const state = cliAuth ? authStateFromFile(cliAuth, authPath) : undefined;
+    if (!state || !cliAuth?.tokens)
+        return undefined;
+    const nextAuth = {
+        provider: "codex-oauth-api",
+        source: "codex-cli-import",
+        auth_mode: "chatgpt",
+        tokens: {
+            ...cliAuth.tokens,
+            account_id: extractAccountId(cliAuth.tokens),
+        },
+        last_refresh: new Date().toISOString(),
+    };
+    await writeAuthFile(authPath, nextAuth);
+    return authStateFromFile(nextAuth, authPath);
+}
+async function loadAuthState(authPath, cliAuthPath) {
+    const envToken = process.env.CODEX_ACCESS_TOKEN?.trim() || process.env.CODEX_API_KEY?.trim();
+    if (envToken) {
+        return {
+            accessToken: envToken,
+            accountId: readNestedAccountId(decodeJwtPayload(envToken)),
+        };
+    }
+    const omhAuth = await readAuthFile(authPath);
+    const omhState = omhAuth ? authStateFromFile(omhAuth, authPath) : undefined;
+    if (omhState)
+        return omhState;
+    const imported = await importCodexCliAuth(cliAuthPath, authPath);
+    if (imported)
+        return imported;
+    throw new Error(`Codex OAuth API credentials not found. Run \`omh config\` and choose Codex OAuth API to sign in, ` +
+        `or set CODEX_ACCESS_TOKEN.`);
+}
+async function persistRefreshedAuth(state, tokenResponse) {
+    if (!state.authPath || !state.authFile || !tokenResponse.access_token) {
+        return state;
+    }
+    const nextTokens = {
+        ...state.authFile.tokens,
+        access_token: tokenResponse.access_token,
+        refresh_token: tokenResponse.refresh_token ?? state.refreshToken,
+        id_token: tokenResponse.id_token ?? state.idToken,
+    };
+    const accountId = extractAccountId(nextTokens) ?? state.accountId;
+    if (accountId)
+        nextTokens.account_id = accountId;
+    const nextAuth = {
+        ...state.authFile,
+        provider: "codex-oauth-api",
+        auth_mode: "chatgpt",
+        tokens: nextTokens,
+        last_refresh: new Date().toISOString(),
+    };
+    await writeAuthFile(state.authPath, nextAuth);
+    return {
+        accessToken: tokenResponse.access_token,
+        refreshToken: nextTokens.refresh_token,
+        idToken: nextTokens.id_token,
+        accountId,
+        authPath: state.authPath,
+        authFile: nextAuth,
+    };
+}
+async function refreshAuth(state, timeoutMs) {
+    if (!state.refreshToken) {
+        throw new Error("Codex OAuth API token expired and no refresh token is available. Run `omh config` again.");
+    }
+    const response = await fetchWithTimeout(TOKEN_URL, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            client_id: CODEX_CLIENT_ID,
+            grant_type: "refresh_token",
+            refresh_token: state.refreshToken,
+        }).toString(),
+    }, timeoutMs);
+    if (!response.ok) {
+        throw new Error(`Codex OAuth token refresh failed (${response.status}): ${await response.text()}`);
+    }
+    const tokenResponse = (await response.json());
+    if (!tokenResponse.access_token) {
+        throw new Error("Codex OAuth token refresh returned no access token");
+    }
+    return persistRefreshedAuth(state, tokenResponse);
+}
+async function fetchWithTimeout(url, init, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    catch (err) {
+        if (err.name === "AbortError") {
+            throw new Error(`Codex OAuth API request timed out after ${Math.ceil(timeoutMs / 1000)} seconds`);
+        }
+        throw err;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+function buildHeaders(state) {
+    const headers = {
+        "Authorization": `Bearer ${state.accessToken}`,
+        "Content-Type": "application/json",
+        "Accept": "text/event-stream, application/json",
+        "originator": "codex_cli_rs",
+        "User-Agent": "codex_cli_rs/0.0.1",
+    };
+    if (state.accountId) {
+        headers["ChatGPT-Account-ID"] = state.accountId;
+    }
+    return headers;
+}
+function buildBody(prompt, model) {
+    return JSON.stringify({
+        model,
+        instructions: "You are a concise assistant. Return only the requested answer.",
+        input: [
+            {
+                role: "user",
+                content: [{ type: "input_text", text: prompt }],
+            },
+        ],
+        store: false,
+        stream: true,
+    });
+}
+function extractTextFromJson(data) {
+    if (typeof data !== "object" || data === null)
+        return "";
+    const root = data;
+    if (typeof root.output_text === "string")
+        return root.output_text;
+    if (typeof root.delta === "string")
+        return root.delta;
+    if (typeof root.text === "string")
+        return root.text;
+    if (root.response) {
+        const nested = extractTextFromJson(root.response);
+        if (nested)
+            return nested;
+    }
+    const output = Array.isArray(root.output) ? root.output : [];
+    const parts = [];
+    for (const item of output) {
+        if (typeof item !== "object" || item === null)
+            continue;
+        const outputItem = item;
+        if (typeof outputItem.text === "string")
+            parts.push(outputItem.text);
+        const content = Array.isArray(outputItem.content) ? outputItem.content : [];
+        for (const contentItem of content) {
+            if (typeof contentItem !== "object" || contentItem === null)
+                continue;
+            const maybeText = contentItem.text
+                ?? contentItem.output_text;
+            if (typeof maybeText === "string")
+                parts.push(maybeText);
+        }
+    }
+    return parts.join("");
+}
+function parseResponseText(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return "";
+    if (!trimmed.includes("data:")) {
+        return extractTextFromJson(JSON.parse(trimmed));
+    }
+    const deltas = [];
+    let completedText = "";
+    for (const line of trimmed.split(/\r?\n/)) {
+        if (!line.startsWith("data:"))
+            continue;
+        const payload = line.slice("data:".length).trim();
+        if (!payload || payload === "[DONE]")
+            continue;
+        const event = JSON.parse(payload);
+        if (event.type === "response.output_text.delta" && typeof event.delta === "string") {
+            deltas.push(event.delta);
+            continue;
+        }
+        if (event.type === "response.completed" && event.response) {
+            completedText = extractTextFromJson(event.response);
+        }
+    }
+    return deltas.join("") || completedText;
+}
+function isRetryableStatus(status) {
+    return status === 429 || status >= 500;
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function parseJsonResponse(response, label) {
+    try {
+        return await response.json();
+    }
+    catch (err) {
+        throw new Error(`${label} returned invalid JSON: ${err.message}`);
+    }
+}
+export async function loginCodexOauthApi(options = {}) {
+    const authPath = options.authPath ?? getCodexOauthApiAuthPath();
+    const issuer = (options.issuer ?? ISSUER).replace(/\/$/, "");
+    const tokenUrl = options.tokenUrl ?? `${issuer}/oauth/token`;
+    const timeoutMs = options.timeoutMs ?? REQUEST_TIMEOUT_MS;
+    const maxWaitMs = options.maxWaitMs ?? 15 * 60 * 1000;
+    const deviceResponse = await fetchWithTimeout(`${issuer}/api/accounts/deviceauth/usercode`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ client_id: CODEX_CLIENT_ID }),
+    }, timeoutMs);
+    if (!deviceResponse.ok) {
+        throw new Error(`Codex device authorization failed (${deviceResponse.status}): ${await deviceResponse.text()}`);
+    }
+    const device = await parseJsonResponse(deviceResponse, "Codex device authorization");
+    const deviceAuthId = device.device_auth_id?.trim();
+    const userCode = device.user_code?.trim();
+    if (!deviceAuthId || !userCode) {
+        throw new Error("Codex device authorization response was missing device_auth_id or user_code");
+    }
+    const deviceUrl = `${issuer}/codex/device`;
+    await options.onDeviceCode?.({ url: deviceUrl, code: userCode });
+    const parsedInterval = typeof device.interval === "number" ? device.interval : Number.parseInt(String(device.interval ?? "5"), 10);
+    const pollIntervalMs = options.pollIntervalMs ?? Math.max(Number.isFinite(parsedInterval) ? parsedInterval : 5, 1) * 1000;
+    const startedAt = Date.now();
+    let authorizationCode = "";
+    let codeVerifier = "";
+    while (Date.now() - startedAt < maxWaitMs) {
+        const pollResponse = await fetchWithTimeout(`${issuer}/api/accounts/deviceauth/token`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ device_auth_id: deviceAuthId, user_code: userCode }),
+        }, timeoutMs);
+        if (pollResponse.ok) {
+            const poll = await parseJsonResponse(pollResponse, "Codex device authorization poll");
+            authorizationCode = poll.authorization_code?.trim() ?? "";
+            codeVerifier = poll.code_verifier?.trim() ?? "";
+            break;
+        }
+        if (pollResponse.status !== 403 && pollResponse.status !== 404) {
+            throw new Error(`Codex device authorization poll failed (${pollResponse.status}): ${await pollResponse.text()}`);
+        }
+        await sleep(pollIntervalMs);
+    }
+    if (!authorizationCode || !codeVerifier) {
+        throw new Error("Codex device authorization timed out before sign-in completed");
+    }
+    const tokenResponse = await fetchWithTimeout(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            code: authorizationCode,
+            redirect_uri: `${issuer}/deviceauth/callback`,
+            client_id: CODEX_CLIENT_ID,
+            code_verifier: codeVerifier,
+        }).toString(),
+    }, timeoutMs);
+    if (!tokenResponse.ok) {
+        throw new Error(`Codex OAuth token exchange failed (${tokenResponse.status}): ${await tokenResponse.text()}`);
+    }
+    const tokens = await parseJsonResponse(tokenResponse, "Codex OAuth token exchange");
+    if (!tokens.access_token) {
+        throw new Error("Codex OAuth token exchange returned no access token");
+    }
+    const nextAuth = {
+        provider: "codex-oauth-api",
+        source: "device-code",
+        auth_mode: "chatgpt",
+        tokens: {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            id_token: tokens.id_token,
+        },
+        last_refresh: new Date().toISOString(),
+    };
+    const accountId = extractAccountId(nextAuth.tokens);
+    if (accountId && nextAuth.tokens)
+        nextAuth.tokens.account_id = accountId;
+    await writeAuthFile(authPath, nextAuth);
+    const state = authStateFromFile(nextAuth, authPath);
+    if (!state)
+        throw new Error("Codex OAuth API login did not persist a usable access token");
+    return state;
+}
+export async function ensureCodexOauthApiAuth(options = {}) {
+    const authPath = options.authPath ?? getCodexOauthApiAuthPath();
+    try {
+        return await loadAuthState(authPath, options.codexCliAuthPath ?? getCodexCliAuthPath());
+    }
+    catch {
+        return loginCodexOauthApi({ ...options, authPath });
+    }
+}
+export function createCodexOauthApiProvider(options = {}) {
+    const model = options.model?.trim() || DEFAULT_MODEL;
+    const responsesUrl = options.responsesUrl ?? RESPONSES_URL;
+    const authPath = options.authPath ?? getCodexOauthApiAuthPath();
+    const codexCliAuthPath = options.codexCliAuthPath ?? getCodexCliAuthPath();
+    const timeoutMs = options.timeoutMs ?? REQUEST_TIMEOUT_MS;
+    return {
+        name: "codex-oauth-api",
+        run: async (prompt) => {
+            let authState = await loadAuthState(authPath, codexCliAuthPath);
+            let lastError;
+            for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
+                const response = await fetchWithTimeout(responsesUrl, {
+                    method: "POST",
+                    headers: buildHeaders(authState),
+                    body: buildBody(prompt, model),
+                }, timeoutMs);
+                if (response.status === 401 && attempt === 1) {
+                    authState = await refreshAuth(authState, timeoutMs);
+                    continue;
+                }
+                if (!response.ok) {
+                    const body = await response.text();
+                    if (isRetryableStatus(response.status) && attempt < MAX_ATTEMPTS) {
+                        lastError = new Error(`Codex OAuth API error (${response.status}): ${body}`);
+                        await sleep(Math.pow(2, attempt - 1) * 1000);
+                        continue;
+                    }
+                    throw new Error(`Codex OAuth API error (${response.status}): ${body}`);
+                }
+                const text = parseResponseText(await response.text());
+                if (!text) {
+                    throw new Error("Codex OAuth API returned no text content");
+                }
+                return text;
+            }
+            throw lastError ?? new Error("Codex OAuth API request failed after retries");
+        },
+    };
+}

package/dist/nl/providers/codex-oauth.d.ts

@@ -0,0 +1,5 @@
+import type { LLMProvider } from "../provider-registry.js";
+export interface CodexOauthProviderOptions {
+    timeoutMs?: number;
+}
+export declare function createCodexOauthProvider(command?: string, model?: string, options?: CodexOauthProviderOptions): LLMProvider;

package/dist/nl/providers/codex-oauth.js

@@ -0,0 +1,75 @@
+import { spawn } from "node:child_process";
+const DEFAULT_COMMAND = "codex";
+const DEFAULT_MODEL = "gpt-5.5";
+const DEFAULT_TIMEOUT_MS = 120_000;
+export function createCodexOauthProvider(command = DEFAULT_COMMAND, model = DEFAULT_MODEL, options = {}) {
+    return {
+        name: "codex",
+        run: async (prompt) => {
+            return new Promise((resolve, reject) => {
+                let settled = false;
+                const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+                let timeout;
+                const finalize = (fn) => {
+                    if (settled)
+                        return;
+                    settled = true;
+                    if (timeout)
+                        clearTimeout(timeout);
+                    fn();
+                };
+                const args = [
+                    "--ask-for-approval",
+                    "never",
+                    "exec",
+                    "--ephemeral",
+                    "--skip-git-repo-check",
+                    "--sandbox",
+                    "read-only",
+                    "--color",
+                    "never",
+                    "-m",
+                    model,
+                    "-",
+                ];
+                const proc = spawn(command, args, {
+                    stdio: ["pipe", "pipe", "pipe"],
+                    env: { ...process.env },
+                });
+                timeout = setTimeout(() => {
+                    proc.kill("SIGTERM");
+                    finalize(() => {
+                        reject(new Error(`${command} timed out after ${Math.ceil(timeoutMs / 1000)} seconds`));
+                    });
+                }, timeoutMs);
+                let stdout = "";
+                let stderr = "";
+                proc.stdout.on("data", (data) => {
+                    stdout += data.toString();
+                });
+                proc.stderr.on("data", (data) => {
+                    stderr += data.toString();
+                });
+                proc.on("error", (err) => {
+                    if (err.code === "ENOENT") {
+                        finalize(() => reject(new Error(`${command} Codex CLI not found. Install Codex and sign in with ChatGPT using: codex login`)));
+                    }
+                    else {
+                        finalize(() => reject(err));
+                    }
+                });
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        finalize(() => resolve(stdout.trim()));
+                        return;
+                    }
+                    const details = (stderr || stdout).trim();
+                    finalize(() => reject(new Error(`${command} exited with code ${code}: ${details || "no output"}\n` +
+                        "Codex OAuth mode uses your Codex CLI ChatGPT login. Run `codex login` and retry.")));
+                });
+                proc.stdin.write(prompt);
+                proc.stdin.end();
+            });
+        },
+    };
+}

package/dist/nl/providers/openai-api.js

@@ -1,4 +1,4 @@
-const DEFAULT_MODEL = "gpt-5.4";
+const DEFAULT_MODEL = "gpt-5.5";
 const API_URL = "https://api.openai.com/v1/chat/completions";
 const REQUEST_TIMEOUT_MS = 60_000;
 const MAX_ATTEMPTS = 3;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-harness",
-  "version": "0.16.0",
+  "version": "0.18.0",
   "description": "Tame your AI coding agents with natural language",
   "type": "module",
   "bin": {