skalpel 2.0.19 → 2.0.21

package/dist/proxy/index.cjs

@@ -40,7 +40,9 @@ var init_dispatcher = __esm({
       keepAliveTimeout: 1e4,
       keepAliveMaxTimeout: 6e4,
       connections: 100,
-      pipelining: 1
+      pipelining: 1,
+      allowH2: false
+      // Force HTTP/1.1 to prevent GCP LB WebSocket downgrade
     });
   }
 });
@@ -660,6 +662,12 @@ __export(handler_exports, {
   isSkalpelBackendFailure: () => isSkalpelBackendFailure,
   shouldRouteToSkalpel: () => shouldRouteToSkalpel
 });
+function validateCodexAuth(oauthToken, inboundAuth) {
+  if (!oauthToken && !inboundAuth) {
+    return { valid: false, error: "no_credentials" };
+  }
+  return { valid: true };
+}
 function collectBody(req) {
   return new Promise((resolve, reject) => {
     const chunks = [];
@@ -924,6 +932,18 @@ async function handleWebSocketBridge(clientWs, req, config, source, logger) {
     const oauthHeader = req.headers["authorization"] ?? "";
     oauthToken = oauthHeader.toLowerCase().startsWith("bearer ") ? oauthHeader.slice(7).trim() : "";
   }
+  const authResult = validateCodexAuth(freshOauthToken, oauthToken);
+  if (!authResult.valid) {
+    clientWs.send(JSON.stringify({
+      type: "error",
+      error: {
+        code: "no_credentials",
+        message: "Codex requires OAuth login. Run: codex login"
+      }
+    }));
+    clientWs.close(4e3, "no credentials");
+    return;
+  }
   const backend = new BackendWsClient({
     url: backendUrl,
     apiKey: config.apiKey,
@@ -1031,6 +1051,18 @@ function parseSseEvents(buffer) {
   return { events, rest };
 }
 async function fallbackToHttp(clientWs, config, source, logger, requestBody, inboundAuth) {
+  const preflightAuth = validateCodexAuth(getFreshAccessToken(), inboundAuth);
+  if (!preflightAuth.valid) {
+    clientWs.send(JSON.stringify({
+      type: "error",
+      error: {
+        code: "no_credentials",
+        message: "Codex requires OAuth login. Run: codex login"
+      }
+    }));
+    clientWs.close(4e3, "no credentials");
+    return;
+  }
   try {
     const freshToken = getFreshAccessToken();
     const authHeader = freshToken !== null ? `Bearer ${freshToken}` : inboundAuth;
@@ -1060,17 +1092,37 @@ async function fallbackToHttp(clientWs, config, source, logger, requestBody, inb
       },
       body: requestBody
     });
-    if (!resp.ok || resp.body === null) {
-      clientWs.send(
-        JSON.stringify({
-          type: "error",
-          error: { code: resp.status, message: `http fallback status ${resp.status}` }
-        })
-      );
+    if (!resp.ok) {
+      let errorBody = "";
       try {
-        clientWs.close(1011, "http fallback failed");
+        const bodyPromise = resp.text();
+        const timeoutPromise = new Promise(
+          (_, reject) => setTimeout(() => reject(new Error("body read timeout")), 5e3)
+        );
+        errorBody = await Promise.race([bodyPromise, timeoutPromise]);
+      } catch (e) {
+        errorBody = `status ${resp.status}`;
+      }
+      let errorMessage = `Backend error: ${resp.status}`;
+      try {
+        const parsed = JSON.parse(errorBody);
+        errorMessage = parsed?.error?.message || parsed?.detail || errorMessage;
       } catch {
+        if (errorBody.length < 200) errorMessage = errorBody;
       }
+      clientWs.send(JSON.stringify({
+        type: "error",
+        error: { code: resp.status, message: errorMessage }
+      }));
+      clientWs.close(1011, "backend error");
+      return;
+    }
+    if (resp.body === null) {
+      clientWs.send(JSON.stringify({
+        type: "error",
+        error: { code: resp.status, message: "empty response body" }
+      }));
+      clientWs.close(1011, "empty body");
       return;
     }
     const reader = resp.body.getReader();