sneakoscope 0.9.4 → 0.9.7

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "0.9.4",
+  "version": "0.9.7",
   "description": "Sneakoscope Codex: database-safe Codex CLI/App harness with Team, Goal, AutoResearch, TriWiki, and Honest Mode.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",

package/src/cli/install-helpers.mjs

@@ -95,6 +95,17 @@ async function reportPostinstallCodexLbAuth() {
   } else if (reconcile?.status === 'failed') {
     console.log(`codex-lb auth: ChatGPT OAuth reconciliation could not complete (${reconcile.reason || 'unknown'}${reconcile.error ? `: ${reconcile.error}` : ''}). Run \`sks codex-lb repair\` to retry.`);
   }
+  if (codexLbAuth.base_url && codexLbAuth.codex_lb?.env_key_configured && canAskYesNo() && process.env.SKS_SKIP_CODEX_LB_KEY_PROMPT !== '1') {
+    const changeKey = (await askPostinstallQuestion('codex-lb key changed? Update now? [y/N] ')).trim();
+    if (/^(y|yes|예|네|응)$/i.test(changeKey)) {
+      const newKey = (await askPostinstallQuestion('New codex-lb API key (sk-clb-...): ')).trim();
+      if (newKey) {
+        const result = await configureCodexLb({ host: codexLbAuth.base_url, apiKey: newKey });
+        if (result.ok) console.log(`codex-lb key updated: ${result.base_url}`);
+        else console.log(`codex-lb key update failed: ${result.status}${result.error ? `: ${result.error}` : ''}`);
+      }
+    }
+  }
   return codexLbAuth;
 }
 
@@ -457,6 +468,7 @@ export async function repairCodexLbAuth(opts = {}) {
       codex_lb: status
     };
   }
+  await migrateCodexAuthKeyFormat({ home: opts.home });
   const codexEnvironment = await syncCodexLbProviderEnvironment(status, opts);
   const apiKey = parseCodexLbEnvKey(await readText(status.env_path, ''));
   const codexLogin = await maybeSyncCodexLbSharedLogin(apiKey, { ...opts, home: opts.home || process.env.HOME || os.homedir(), force: true });
@@ -482,6 +494,7 @@ export async function ensureCodexLbAuthDuringInstall(opts = {}) {
   if (process.env.SKS_SKIP_POSTINSTALL_CODEX_LB_AUTH === '1' && !opts.force) return { status: 'skipped', reason: 'SKS_SKIP_POSTINSTALL_CODEX_LB_AUTH=1' };
   const status = await codexLbStatus(opts);
   if (!status.selected && !status.provider_configured && !status.env_file) return { status: 'not_configured', codex_lb: status };
+  await migrateCodexAuthKeyFormat({ home: opts.home });
   if (status.ok && (!status.selected || !status.provider_requires_openai_auth)) return repairCodexLbAuth(opts);
   if (!status.ok) {
     if (status.base_url && (status.env_key_configured || status.provider_configured || status.selected || status.env_base_url_configured)) return repairCodexLbAuth(opts);
@@ -552,6 +565,28 @@ function parseCodexAuthApiKey(text = '') {
   }
 }
 
+// Migrate auth.json from legacy {"auth_mode":"apikey","key":"..."} to the codex 0.130.0+
+// format {"auth_mode":"apikey","OPENAI_API_KEY":"..."}. Safe: preserves key value, only renames field.
+async function migrateCodexAuthKeyFormat(opts = {}) {
+  const home = opts.home || process.env.HOME || os.homedir();
+  const authPath = opts.authPath || codexAuthPath(home);
+  const text = await readText(authPath, '');
+  if (!text.trim()) return { status: 'skipped', reason: 'empty' };
+  try {
+    const parsed = JSON.parse(text);
+    if (parsed?.auth_mode !== 'apikey') return { status: 'skipped', reason: 'not_apikey' };
+    if (parsed.OPENAI_API_KEY) return { status: 'skipped', reason: 'already_migrated' };
+    const legacyKey = parsed.key || parsed.api_key || parsed.apiKey || parsed.openai_api_key;
+    if (!legacyKey) return { status: 'skipped', reason: 'no_key_found' };
+    const replacement = `${JSON.stringify({ auth_mode: 'apikey', OPENAI_API_KEY: legacyKey })}\n`;
+    await writeTextAtomic(authPath, replacement);
+    await fsp.chmod(authPath, 0o600).catch(() => {});
+    return { status: 'migrated', auth_path: authPath };
+  } catch {
+    return { status: 'skipped', reason: 'parse_error' };
+  }
+}
+
 // When codex-lb is selected with env_key auth AND auth.json also carries a real ChatGPT OAuth
 // token blob, Codex CLI/App can pick the OAuth bearer over the env_key bearer and fail against
 // the load balancer. We back the OAuth blob up to ~/.codex/auth.chatgpt-backup.json and replace
@@ -597,7 +632,7 @@ export async function reconcileCodexLbAuthConflict(opts = {}) {
     };
   }
   try {
-    const replacement = `${JSON.stringify({ auth_mode: 'apikey', key: apiKey }, null, 2)}\n`;
+    const replacement = `${JSON.stringify({ auth_mode: 'apikey', OPENAI_API_KEY: apiKey }, null, 2)}\n`;
     await writeTextAtomic(authPath, replacement);
     await fsp.chmod(authPath, 0o600).catch(() => {});
   } catch (err) {
@@ -793,8 +828,34 @@ export async function maybePromptCodexLbSetupForLaunch(args = [], opts = {}) {
     if (codexLogin.status === 'synced') console.log('codex-lb auth synced with Codex CLI login cache.');
     const chainHealth = await checkCodexLbResponseChain(status, opts);
     if (!chainHealth.ok && chainHealth.chain_unhealthy) {
-      console.log(`codex-lb response chain check failed (${chainHealth.status}); bypassing codex-lb for this launch.`);
-      return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+      // `previous_response_not_found` is normal for stateless LB deployments that don't persist
+      // Responses across requests. The codex-lb provider still works fine — only the chained
+      // health probe fails. Keep codex-lb active and just warn.
+      if (chainHealth.status === 'previous_response_not_found') {
+        console.log('codex-lb response chain check: previous_response_id not persisted by the load balancer (this is normal for stateless deployments). Keeping codex-lb active.');
+        return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
+      }
+      // Hard chain failure (auth rejected, timeout, missing base URL, etc.). Don't silently
+      // demote a configured codex-lb to ChatGPT OAuth — surface the failure and let the user
+      // decide. Default keeps codex-lb (just press Enter).
+      console.log(`codex-lb response chain check failed (${chainHealth.status}${chainHealth.error ? `: ${chainHealth.error}` : ''}).`);
+      if (process.env.SKS_CODEX_LB_AUTOBYPASS === '1') {
+        console.log('SKS_CODEX_LB_AUTOBYPASS=1 set; bypassing codex-lb to ChatGPT OAuth for this launch.');
+        return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+      }
+      if (canAskYesNo()) {
+        const answer = (await askPostinstallQuestion('Use codex-lb anyway, or fall back to ChatGPT OAuth? [LB/oauth] ')).trim().toLowerCase();
+        if (/^(oauth|o|chatgpt|fall ?back|n|no|아니|아니요|ㄴ)$/.test(answer)) {
+          console.log('Falling back to ChatGPT OAuth for this launch. Re-enable codex-lb anytime with `sks codex-lb repair`.');
+          return { status: 'chain_unhealthy', ...status, ok: false, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth, bypass_codex_lb: true };
+        }
+        console.log('Keeping codex-lb active. To switch back to ChatGPT OAuth: `sks codex-lb release`.');
+        return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
+      }
+      // Non-interactive context with no opt-out env var. The user explicitly configured codex-lb,
+      // so default to keeping it active rather than silently swapping providers.
+      console.log('Non-interactive launch + chain check failure. Keeping codex-lb active. Set SKS_CODEX_LB_AUTOBYPASS=1 to auto-bypass to ChatGPT OAuth.');
+      return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
     }
     return { status: 'present', ...status, codex_environment: codexEnvironment, codex_login: codexLogin, chain_health: chainHealth };
   }
@@ -1541,7 +1602,7 @@ export async function selftestCodexLb(tmp) {
   // NOTE: printf format uses literal double-quotes inside single-quoted shell strings so the
   // fake login writes proper JSON in both bash and dash (where `\"` is a non-standard printf
   // escape that dash emits literally and bash collapses to `"`).
-  await writeTextAtomic(codexLbFakeCodex, "#!/bin/sh\nif [ \"$1\" = \"--version\" ]; then echo \"codex-cli 99.0.0\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"status\" ]; then echo \"logged in with browser auth\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"--with-api-key\" ]; then read key; mkdir -p \"$HOME/.codex\"; printf '{\"auth_mode\":\"apikey\",\"key\":\"%s\"}\\n' \"$key\" > \"$HOME/.codex/auth.json\"; printf '%s\\n' \"$key\" >> \"$HOME/.codex/login-calls.log\"; exit 0; fi\necho \"fake codex unsupported\" >&2\nexit 1\n");
+  await writeTextAtomic(codexLbFakeCodex, "#!/bin/sh\nif [ \"$1\" = \"--version\" ]; then echo \"codex-cli 99.0.0\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"status\" ]; then echo \"logged in with browser auth\"; exit 0; fi\nif [ \"$1\" = \"login\" ] && [ \"$2\" = \"--with-api-key\" ]; then read key; mkdir -p \"$HOME/.codex\"; printf '{\"auth_mode\":\"apikey\",\"OPENAI_API_KEY\":\"%s\"}\\n' \"$key\" > \"$HOME/.codex/auth.json\"; printf '%s\\n' \"$key\" >> \"$HOME/.codex/login-calls.log\"; exit 0; fi\necho \"fake codex unsupported\" >&2\nexit 1\n");
   await fsp.chmod(codexLbFakeCodex, 0o755);
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model = "gpt-5.5"\nmodel_reasoning_effort = "low"\nservice_tier = "fast"\n\n[profiles.custom]\nmodel_reasoning_effort = "low"\n\n[notice]\nfast_default_opt_out = true\n\n[features]\ncodex_hooks = true\n');
   const codexLbEnvForSelftest = { HOME: codexLbHome, SKS_GLOBAL_ROOT: path.join(tmp, 'codex-lb-global'), PATH: `${codexLbFakeBin}${path.delimiter}${process.env.PATH || ''}`, SKS_SKIP_CODEX_LB_LAUNCH_ENV: '1' };
@@ -1684,7 +1745,7 @@ export async function selftestCodexLb(tmp) {
   // the provider stays selected and whether the backup file is removed after restore.
   const codexLbReleaseConfig = 'model_provider = "codex-lb"\n\n[model_providers.codex-lb]\nname = "OpenAI"\nbase_url = "https://lb.example.test/backend-api/codex"\nwire_api = "responses"\nenv_key = "CODEX_LB_API_KEY"\nsupports_websockets = true\nrequires_openai_auth = true\n';
   const codexLbReleaseEnv = "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n";
-  const codexLbReleaseApikeyAuth = '{"auth_mode":"apikey","key":"sk-test"}\n';
+  const codexLbReleaseApikeyAuth = '{"auth_mode":"apikey","OPENAI_API_KEY":"sk-test"}\n';
   const codexLbReleaseOauthBackup = `${oauthAuthJson}\n`;
   // Happy path: deselect model_provider and preserve backup file.
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'auth.json'), codexLbReleaseApikeyAuth);
@@ -1897,7 +1958,42 @@ export async function selftestCodexLb(tmp) {
       return new Response(JSON.stringify({ error: { type: 'invalid_request_error', code: 'previous_response_not_found', message: 'Previous response not found.', param: 'previous_response_id' } }), { status: 400, headers: { 'content-type': 'application/json' } });
     }
   });
-  if (nonInteractiveBrokenLaunch.status !== 'chain_unhealthy' || nonInteractiveBrokenLaunch.bypass_codex_lb !== true || nonInteractiveBrokenLaunch.chain_health?.status !== 'previous_response_not_found') throw new Error('selftest: non-interactive codex-lb launch path did not bypass on previous_response_not_found');
+  if (nonInteractiveBrokenLaunch.status !== 'present' || nonInteractiveBrokenLaunch.bypass_codex_lb === true || nonInteractiveBrokenLaunch.chain_health?.status !== 'previous_response_not_found') throw new Error('selftest: previous_response_not_found should keep codex-lb active (stateless LB is normal), not silently bypass to ChatGPT OAuth');
+  // Hard chain failure (e.g. 500) in non-interactive context should still keep codex-lb by default — the user explicitly configured it, so don't silently swap providers.
+  const hardBrokenLaunchCalls = [];
+  const hardBrokenLaunch = await maybePromptCodexLbSetupForLaunch([], {
+    home: codexLbHome,
+    apiKey: 'sk-test',
+    codexBin: path.join(codexLbFakeBin, 'codex'),
+    syncLaunchEnv: false,
+    timeoutMs: 1000,
+    fetch: async (_url, init) => {
+      hardBrokenLaunchCalls.push({ body: JSON.parse(init.body) });
+      if (!hardBrokenLaunchCalls[hardBrokenLaunchCalls.length - 1].body.previous_response_id) return new Response(JSON.stringify({ id: 'resp_hardbroken_first' }), { status: 200, headers: { 'content-type': 'application/json' } });
+      return new Response(JSON.stringify({ error: { type: 'server_error', code: 'internal_error', message: 'simulated upstream failure' } }), { status: 500, headers: { 'content-type': 'application/json' } });
+    }
+  });
+  if (hardBrokenLaunch.status !== 'present' || hardBrokenLaunch.bypass_codex_lb === true || hardBrokenLaunch.chain_health?.status !== 'second_request_failed') throw new Error('selftest: hard codex-lb chain failure in non-interactive launch should default to keeping codex-lb active, not silently bypass');
+  // SKS_CODEX_LB_AUTOBYPASS=1 restores the old silent-bypass behavior for CI/automation.
+  process.env.SKS_CODEX_LB_AUTOBYPASS = '1';
+  let autobypassLaunch;
+  try {
+    autobypassLaunch = await maybePromptCodexLbSetupForLaunch([], {
+      home: codexLbHome,
+      apiKey: 'sk-test',
+      codexBin: path.join(codexLbFakeBin, 'codex'),
+      syncLaunchEnv: false,
+      timeoutMs: 1000,
+      fetch: async (_url, init) => {
+        const body = JSON.parse(init.body);
+        if (!body.previous_response_id) return new Response(JSON.stringify({ id: 'resp_autobypass_first' }), { status: 200, headers: { 'content-type': 'application/json' } });
+        return new Response(JSON.stringify({ error: { type: 'server_error', code: 'internal_error', message: 'simulated upstream failure' } }), { status: 500, headers: { 'content-type': 'application/json' } });
+      }
+    });
+  } finally {
+    delete process.env.SKS_CODEX_LB_AUTOBYPASS;
+  }
+  if (autobypassLaunch.status !== 'chain_unhealthy' || autobypassLaunch.bypass_codex_lb !== true || autobypassLaunch.chain_health?.status !== 'second_request_failed') throw new Error('selftest: SKS_CODEX_LB_AUTOBYPASS=1 should bypass codex-lb on hard chain failure');
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'config.toml'), 'model = "gpt-5.5"\nservice_tier = "fast"\n');
   await writeTextAtomic(path.join(codexLbHome, '.codex', 'sks-codex-lb.env'), "export CODEX_LB_BASE_URL='https://lb.example.test/backend-api/codex'\nexport CODEX_LB_API_KEY='sk-test'\n");
   const missingProviderLaunchCalls = [];

package/src/cli/main.mjs

@@ -1248,13 +1248,20 @@ async function codexLbCommand(action = 'status', args = []) {
     return;
   }
   if (sub === 'setup' || sub === 'reconfigure') {
-    const host = readOption(args, '--host', readOption(args, '--domain', null));
-    const apiKey = readOption(args, '--api-key', readOption(args, '--key', null));
+    let host = readOption(args, '--host', readOption(args, '--domain', null));
+    let apiKey = readOption(args, '--api-key', readOption(args, '--key', null));
     if (!host || !apiKey) {
       if (json) return console.log(JSON.stringify({ ok: false, reason: 'missing_host_or_api_key' }, null, 2));
-      console.error('Usage: sks codex-lb setup|reconfigure --host <domain> --api-key <key>');
-      process.exitCode = 1;
-      return;
+      if (!canAskYesNo()) {
+        console.error('Usage: sks codex-lb setup|reconfigure --host <domain> --api-key <key>');
+        process.exitCode = 1;
+        return;
+      }
+      console.log('codex-lb setup — configure your Codex load balancer connection.\n');
+      if (!host) host = (await askPostinstallQuestion('Your codex-lb domain (e.g. https://codex.example.com/backend-api/codex): ')).trim();
+      if (!host) { console.error('Setup cancelled: no domain provided.'); process.exitCode = 1; return; }
+      if (!apiKey) apiKey = (await askPostinstallQuestion('Your codex-lb API key (sk-clb-...): ')).trim();
+      if (!apiKey) { console.error('Setup cancelled: no API key provided.'); process.exitCode = 1; return; }
     }
     const result = await configureCodexLb({ host, apiKey });
     if (json) return console.log(JSON.stringify(result, null, 2));
@@ -2070,6 +2077,11 @@ function readFlagValue(args, name, fallback) {
 }
 
 async function selftest() {
+  // Force non-interactive mode for the entire selftest so any in-process call that hits
+  // canAskYesNo() (codex-lb provider-restore prompt, chain-failure prompt, etc.) takes the
+  // non-interactive fallback path instead of bubbling a live readline prompt up to the
+  // user's terminal (e.g. during `npm publish` -> prepublishOnly -> release:check -> selftest).
+  process.env.CI = 'true';
   const tmp = tmpdir();
   process.chdir(tmp);
   await initProject(tmp, {});

package/src/core/fsx.mjs

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 
-export const PACKAGE_VERSION = '0.9.4';
+export const PACKAGE_VERSION = '0.9.7';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;