axio-transport-codex 0.1.0__tar.gz

axio_transport_codex-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,40 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+
+      - name: Set version from release tag
+        run: uv version "${GITHUB_REF_NAME#v}"
+
+      - name: Build package
+        run: uv build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: build
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - uses: pypa/gh-action-pypi-publish@release/v1

axio_transport_codex-0.1.0/.github/workflows/tests.yml

@@ -0,0 +1,44 @@
+name: tests
+
+on:
+  push:
+    branches: [ master, main ]
+  pull_request:
+    branches: [ master, main ]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  ruff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+      - run: uv sync --frozen
+      - run: uv run ruff check
+      - run: uv run ruff format --check
+
+  mypy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+      - run: uv sync --frozen
+      - run: uv run mypy .
+
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python:
+          - "3.12"
+          - "3.13"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v6
+        with:
+          python-version: ${{ matrix.python }}
+      - run: uv sync --frozen
+      - run: uv run pytest -vv --cov=axio_transport_codex --cov-report=term-missing

axio_transport_codex-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Axio contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

axio_transport_codex-0.1.0/Makefile

@@ -0,0 +1,16 @@
+.PHONY: fmt lint typecheck test all
+
+fmt:
+	uv run ruff format src/ tests/
+	uv run ruff check --fix src/ tests/
+
+lint:
+	uv run ruff check src/ tests/
+
+typecheck:
+	uv run mypy src/
+
+test:
+	uv run pytest tests/ -v
+
+all: fmt lint typecheck test

axio_transport_codex-0.1.0/PKG-INFO

@@ -0,0 +1,11 @@
+Metadata-Version: 2.4
+Name: axio-transport-codex
+Version: 0.1.0
+Summary: ChatGPT (Codex) OAuth transport for Axio using Responses API
+License: MIT
+License-File: LICENSE
+Requires-Python: >=3.12
+Requires-Dist: aiohttp>=3.11
+Requires-Dist: axio
+Provides-Extra: tui
+Requires-Dist: textual>=2.1.0; extra == 'tui'

axio_transport_codex-0.1.0/README.md

@@ -0,0 +1,15 @@
+# axio-transport-codex
+
+ChatGPT (Codex) OAuth transport for Axio using Responses API.
+
+Part of the [axio-agent](https://github.com/axio-agent) ecosystem.
+
+## Installation
+
+```bash
+pip install axio-transport-codex
+```
+
+## License
+
+MIT

axio_transport_codex-0.1.0/pyproject.toml

@@ -0,0 +1,40 @@
+[project]
+name = "axio-transport-codex"
+version = "0.1.0"
+description = "ChatGPT (Codex) OAuth transport for Axio using Responses API"
+requires-python = ">=3.12"
+license = {text = "MIT"}
+dependencies = ["axio", "aiohttp>=3.11"]
+
+[project.optional-dependencies]
+tui = ["textual>=2.1.0"]
+
+[project.entry-points."axio.transport"]
+codex = "axio_transport_codex:CodexTransport"
+
+[project.entry-points."axio.transport.settings"]
+codex = "axio_transport_codex:CodexSettingsScreen"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/axio_transport_codex"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+
+[tool.ruff]
+line-length = 119
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP"]
+
+[tool.mypy]
+strict = true
+python_version = "3.12"
+
+[dependency-groups]
+dev = ["pytest>=8", "pytest-asyncio>=0.24", "mypy>=1.14", "ruff>=0.9"]

axio_transport_codex-0.1.0/src/axio_transport_codex/__init__.py

@@ -0,0 +1,12 @@
+"""ChatGPT (Codex) OAuth transport for Axio — Responses API."""
+
+from axio_transport_codex.transport import CODEX_MODELS, CodexTransport
+
+__all__ = ["CODEX_MODELS", "CodexTransport"]
+
+try:
+    from axio_transport_codex.settings import CodexSettingsScreen
+
+    __all__ += ["CodexSettingsScreen"]
+except ImportError:
+    pass

axio_transport_codex-0.1.0/src/axio_transport_codex/oauth.py

@@ -0,0 +1,218 @@
+"""OAuth2 PKCE flow for ChatGPT (Codex) authentication."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import logging
+import secrets
+import time
+import webbrowser
+from asyncio import Event
+from typing import Any
+from urllib.parse import urlencode
+
+import aiohttp
+from aiohttp import web
+
+logger = logging.getLogger(__name__)
+
+AUTH_URL = "https://auth.openai.com/oauth/authorize"
+TOKEN_URL = "https://auth.openai.com/oauth/token"
+CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+SCOPES = "openid profile email offline_access api.connectors.read api.connectors.invoke"
+ORIGINATOR = "codex_cli_rs"
+
+
+def _generate_pkce() -> tuple[str, str]:
+    """Generate PKCE code_verifier and code_challenge (S256)."""
+    verifier = secrets.token_urlsafe(96)
+    digest = hashlib.sha256(verifier.encode("ascii")).digest()
+    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
+    return verifier, challenge
+
+
+def _decode_jwt_payload(token: str) -> dict[str, Any]:
+    """Decode JWT payload without verification (base64 only)."""
+    parts = token.split(".")
+    if len(parts) < 2:
+        return {}
+    payload = parts[1]
+    # Add padding
+    padding = 4 - len(payload) % 4
+    if padding != 4:
+        payload += "=" * padding
+    raw = base64.urlsafe_b64decode(payload)
+    return json.loads(raw)  # type: ignore[no-any-return]
+
+
+def _extract_account_id(access_token: str) -> str:
+    """Extract account_id from JWT payload."""
+    jwt_payload = _decode_jwt_payload(access_token)
+    orgs = jwt_payload.get("organizations", [])
+    if orgs and isinstance(orgs, list) and isinstance(orgs[0], dict):
+        account_id: str = orgs[0].get("id", "")
+        if account_id:
+            return account_id
+    return str(jwt_payload.get("sub", ""))
+
+
+async def run_oauth_flow() -> dict[str, str]:
+    """Run full OAuth2 PKCE flow with localhost callback.
+
+    Opens browser for ChatGPT sign-in, waits for callback, exchanges code for tokens.
+
+    Returns dict with keys: access_token, refresh_token, expires_at, account_id.
+    """
+    code_verifier, code_challenge = _generate_pkce()
+    state = secrets.token_urlsafe(32)
+
+    result: dict[str, str] = {}
+    error: str | None = None
+    done = Event()
+
+    async def callback_handler(request: web.Request) -> web.Response:
+        nonlocal result, error
+
+        received_state = request.query.get("state", "")
+        if received_state != state:
+            error = f"State mismatch: expected {state!r}, got {received_state!r}"
+            done.set()
+            return web.Response(text="Authentication failed: state mismatch", status=400)
+
+        if "error" in request.query:
+            error = request.query.get("error_description", request.query["error"])
+            done.set()
+            return web.Response(text=f"Authentication failed: {error}", status=400)
+
+        code = request.query.get("code", "")
+        if not code:
+            error = "No authorization code received"
+            done.set()
+            return web.Response(text="Authentication failed: no code", status=400)
+
+        # Exchange code for tokens
+        try:
+            async with aiohttp.ClientSession() as session:
+                token_data = await _exchange_code(session, code, code_verifier)
+            result = token_data
+        except Exception as exc:
+            error = str(exc)
+            done.set()
+            return web.Response(text=f"Token exchange failed: {exc}", status=500)
+
+        done.set()
+        return web.Response(
+            text="<html><body><h2>Authentication successful!</h2>"
+            "<p>You can close this tab and return to the app.</p></body></html>",
+            content_type="text/html",
+        )
+
+    app = web.Application()
+    app.router.add_get("/auth/callback", callback_handler)
+
+    runner = web.AppRunner(app)
+    await runner.setup()
+    site = web.TCPSite(runner, "127.0.0.1", 1455)
+    await site.start()
+
+    redirect_uri = "http://localhost:1455/auth/callback"
+
+    # Build authorization URL (matching codex-cli exactly)
+    params = urlencode(
+        {
+            "response_type": "code",
+            "client_id": CLIENT_ID,
+            "redirect_uri": redirect_uri,
+            "scope": SCOPES,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+            "id_token_add_organizations": "true",
+            "codex_cli_simplified_flow": "true",
+            "state": state,
+            "originator": ORIGINATOR,
+        }
+    )
+    auth_url = f"{AUTH_URL}?{params}"
+
+    logger.info("Opening browser for OAuth sign-in...")
+    webbrowser.open(auth_url)
+
+    try:
+        await done.wait()
+    finally:
+        await runner.cleanup()
+
+    if error:
+        raise RuntimeError(f"OAuth flow failed: {error}")
+
+    return result
+
+
+async def _exchange_code(
+    session: aiohttp.ClientSession,
+    code: str,
+    code_verifier: str,
+) -> dict[str, str]:
+    """Exchange authorization code for tokens via form-encoded POST."""
+    redirect_uri = "http://localhost:1455/auth/callback"
+    form_data = {
+        "grant_type": "authorization_code",
+        "code": code,
+        "redirect_uri": redirect_uri,
+        "client_id": CLIENT_ID,
+        "code_verifier": code_verifier,
+    }
+
+    async with session.post(
+        TOKEN_URL,
+        data=form_data,
+        headers={"Content-Type": "application/x-www-form-urlencoded"},
+    ) as resp:
+        if resp.status != 200:
+            body = await resp.text()
+            raise RuntimeError(f"Token exchange failed ({resp.status}): {body}")
+        data: dict[str, Any] = await resp.json()
+
+    access_token: str = data["access_token"]
+    refresh_token: str = data.get("refresh_token", "")
+    expires_in: int = data.get("expires_in", 3600)
+    expires_at = str(int(time.time()) + expires_in)
+    account_id = _extract_account_id(access_token)
+
+    return {
+        "access_token": access_token,
+        "refresh_token": refresh_token,
+        "expires_at": expires_at,
+        "account_id": account_id,
+    }
+
+
+async def refresh_access_token(refresh_token: str) -> dict[str, str]:
+    """Refresh an expired access token (JSON POST, matching codex-cli)."""
+    payload = {
+        "grant_type": "refresh_token",
+        "client_id": CLIENT_ID,
+        "refresh_token": refresh_token,
+    }
+
+    async with aiohttp.ClientSession() as session:
+        async with session.post(TOKEN_URL, json=payload) as resp:
+            if resp.status != 200:
+                body = await resp.text()
+                raise RuntimeError(f"Token refresh failed ({resp.status}): {body}")
+            data: dict[str, Any] = await resp.json()
+
+    access_token: str = data["access_token"]
+    new_refresh: str = data.get("refresh_token", refresh_token)
+    expires_in: int = data.get("expires_in", 3600)
+    expires_at = str(int(time.time()) + expires_in)
+    account_id = _extract_account_id(access_token)
+
+    return {
+        "access_token": access_token,
+        "refresh_token": new_refresh,
+        "expires_at": expires_at,
+        "account_id": account_id,
+    }

axio_transport_codex-0.1.0/src/axio_transport_codex/settings.py

@@ -0,0 +1,78 @@
+"""Textual settings screen for ChatGPT (Codex) transport."""
+
+from __future__ import annotations
+
+try:
+    from textual.app import ComposeResult
+    from textual.binding import Binding
+    from textual.containers import Container, Horizontal
+    from textual.screen import ModalScreen
+    from textual.widgets import Button, Static
+
+    class CodexSettingsScreen(ModalScreen[dict[str, str] | None]):
+        """Sign in / sign out screen for ChatGPT OAuth."""
+
+        BINDINGS = [Binding("escape", "cancel", "Cancel")]
+        CSS = """
+        CodexSettingsScreen { align: center middle; }
+        #codex-settings {
+            width: 70; height: auto; border: heavy $accent;
+            background: $panel; padding: 1 2;
+        }
+        .field-label { margin-top: 1; }
+        .settings-buttons { height: auto; margin-top: 1; }
+        .settings-buttons Button { margin: 0 1; }
+        """
+
+        def __init__(self, settings: dict[str, str]) -> None:
+            super().__init__()
+            self._settings = settings
+            self._signed_in = bool(settings.get("api_key"))
+
+        def compose(self) -> ComposeResult:
+            with Container(id="codex-settings"):
+                yield Static("[bold]ChatGPT (Codex) Settings[/]")
+                if self._signed_in:
+                    account = self._settings.get("account_id", "unknown")
+                    yield Static(f"Signed in (account: {account[:16]}...)", classes="field-label")
+                    with Horizontal(classes="settings-buttons"):
+                        yield Button("Sign Out", id="btn-signout", variant="warning")
+                        yield Button("Cancel", id="btn-cancel")
+                else:
+                    yield Static(
+                        "Sign in with your ChatGPT account to use this transport.",
+                        classes="field-label",
+                    )
+                    with Horizontal(classes="settings-buttons"):
+                        yield Button("Sign in with ChatGPT", id="btn-signin", variant="primary")
+                        yield Button("Cancel", id="btn-cancel")
+
+        def on_button_pressed(self, event: Button.Pressed) -> None:
+            if event.button.id == "btn-signin":
+                self.run_worker(self._do_signin(), exclusive=True)
+            elif event.button.id == "btn-signout":
+                self.dismiss({})
+            else:
+                self.dismiss(None)
+
+        async def _do_signin(self) -> None:
+            from .oauth import run_oauth_flow
+
+            try:
+                tokens = await run_oauth_flow()
+                # Map access_token → api_key for registry compatibility
+                settings: dict[str, str] = {
+                    "api_key": tokens["access_token"],
+                    "refresh_token": tokens.get("refresh_token", ""),
+                    "expires_at": tokens.get("expires_at", ""),
+                    "account_id": tokens.get("account_id", ""),
+                }
+                self.dismiss(settings)
+            except Exception as exc:
+                self.notify(f"Sign-in failed: {exc}", severity="error")
+
+        def action_cancel(self) -> None:
+            self.dismiss(None)
+
+except ImportError:
+    pass