ccproxy-api 0.1.4__py3-none-any.whl → 0.1.6__py3-none-any.whl

ccproxy/cli/commands/auth.py

@@ -3,7 +3,12 @@
 import asyncio
 from datetime import UTC, datetime
 from pathlib import Path
-from typing import Annotated
+from typing import TYPE_CHECKING, Annotated
+
+
+if TYPE_CHECKING:
+    from ccproxy.auth.openai import OpenAIOAuthClient, OpenAITokenManager
+    from ccproxy.config.codex import CodexSettings
 
 import typer
 from rich import box
@@ -563,5 +568,397 @@ def renew(
         raise typer.Exit(1) from e
 
 
+# OpenAI Codex Authentication Commands
+
+
+def get_openai_token_manager() -> "OpenAITokenManager":
+    """Get OpenAI token manager dependency."""
+    from ccproxy.auth.openai import OpenAITokenManager
+
+    return OpenAITokenManager()
+
+
+def get_openai_oauth_client(settings: "CodexSettings") -> "OpenAIOAuthClient":
+    """Get OpenAI OAuth client dependency."""
+    from ccproxy.auth.openai import OpenAIOAuthClient
+
+    token_manager = get_openai_token_manager()
+    return OpenAIOAuthClient(settings, token_manager)
+
+
+@app.command(name="login-openai")
+def login_openai_command(
+    no_browser: Annotated[
+        bool,
+        typer.Option(
+            "--no-browser",
+            help="Don't automatically open browser for authentication",
+        ),
+    ] = False,
+) -> None:
+    """Login to OpenAI using OAuth authentication.
+
+    This command will start a local callback server and open your web browser
+    to authenticate with OpenAI. The credentials will be saved to ~/.codex/auth.json.
+
+    Examples:
+        ccproxy auth login-openai
+        ccproxy auth login-openai --no-browser
+    """
+    import asyncio
+
+    from ccproxy.config.codex import CodexSettings
+
+    toolkit = get_rich_toolkit()
+    toolkit.print("[bold cyan]OpenAI OAuth Login[/bold cyan]", centered=True)
+    toolkit.print_line()
+
+    try:
+        # Get Codex settings
+        settings = CodexSettings()
+
+        # Check if already logged in
+        token_manager = get_openai_token_manager()
+        existing_creds = asyncio.run(token_manager.load_credentials())
+
+        if existing_creds and not existing_creds.is_expired():
+            console.print(
+                "[yellow]You are already logged in with valid OpenAI credentials.[/yellow]"
+            )
+            console.print(
+                "Use [cyan]ccproxy auth openai-info[/cyan] to view current credentials."
+            )
+
+            overwrite = typer.confirm(
+                "Do you want to login again and overwrite existing credentials?"
+            )
+            if not overwrite:
+                console.print("Login cancelled.")
+                return
+
+        # Create OAuth client and perform login
+        oauth_client = get_openai_oauth_client(settings)
+
+        console.print("Starting OpenAI OAuth login process...")
+        console.print(
+            "A temporary server will start on port 1455 for the OAuth callback..."
+        )
+
+        if no_browser:
+            console.print("Browser will NOT be opened automatically.")
+        else:
+            console.print("Your browser will open for authentication.")
+
+        try:
+            credentials = asyncio.run(
+                oauth_client.authenticate(open_browser=not no_browser)
+            )
+
+            toolkit.print("Successfully logged in to OpenAI!", tag="success")
+
+            # Show credential info
+            console.print("\n[dim]Credential information:[/dim]")
+            console.print(f"  Account ID: {credentials.account_id}")
+            console.print(
+                f"  Expires: {credentials.expires_at.strftime('%Y-%m-%d %H:%M:%S UTC')}"
+            )
+            console.print(f"  Active: {'Yes' if credentials.active else 'No'}")
+
+        except Exception as e:
+            logger.error(f"OpenAI login failed: {e}")
+            toolkit.print(f"Login failed: {e}", tag="error")
+            raise typer.Exit(1) from e
+
+    except KeyboardInterrupt:
+        console.print("\n[yellow]Login cancelled by user.[/yellow]")
+        raise typer.Exit(1) from None
+    except Exception as e:
+        toolkit.print(f"Error during OpenAI login: {e}", tag="error")
+        raise typer.Exit(1) from e
+
+
+@app.command(name="logout-openai")
+def logout_openai_command() -> None:
+    """Logout from OpenAI and remove saved credentials.
+
+    This command will remove the OpenAI credentials file (~/.codex/auth.json)
+    and invalidate the current session.
+
+    Examples:
+        ccproxy auth logout-openai
+    """
+    import asyncio
+
+    toolkit = get_rich_toolkit()
+    toolkit.print("[bold cyan]OpenAI Logout[/bold cyan]", centered=True)
+    toolkit.print_line()
+
+    try:
+        token_manager = get_openai_token_manager()
+
+        # Check if credentials exist
+        existing_creds = asyncio.run(token_manager.load_credentials())
+        if not existing_creds:
+            console.print(
+                "[yellow]No OpenAI credentials found. Already logged out.[/yellow]"
+            )
+            return
+
+        # Confirm logout
+        confirm = typer.confirm(
+            "Are you sure you want to logout and remove OpenAI credentials?"
+        )
+        if not confirm:
+            console.print("Logout cancelled.")
+            return
+
+        # Delete credentials
+        success = asyncio.run(token_manager.delete_credentials())
+
+        if success:
+            toolkit.print("Successfully logged out from OpenAI!", tag="success")
+            console.print("OpenAI credentials have been removed.")
+        else:
+            toolkit.print("Failed to remove OpenAI credentials", tag="error")
+            raise typer.Exit(1)
+
+    except Exception as e:
+        toolkit.print(f"Error during OpenAI logout: {e}", tag="error")
+        raise typer.Exit(1) from e
+
+
+@app.command(name="openai-info")
+def openai_info_command() -> None:
+    """Display OpenAI credential information.
+
+    Shows detailed information about the current OpenAI credentials including
+    account ID, token expiration, and storage location.
+
+    Examples:
+        ccproxy auth openai-info
+    """
+    import asyncio
+    import base64
+    import json
+    from datetime import UTC, datetime
+
+    from rich import box
+    from rich.table import Table
+
+    toolkit = get_rich_toolkit()
+    toolkit.print("[bold cyan]OpenAI Credential Information[/bold cyan]", centered=True)
+    toolkit.print_line()
+
+    try:
+        token_manager = get_openai_token_manager()
+        credentials = asyncio.run(token_manager.load_credentials())
+
+        if not credentials:
+            toolkit.print("No OpenAI credentials found", tag="error")
+            console.print("\n[dim]Expected location:[/dim]")
+            storage_location = token_manager.storage.get_location()
+            console.print(f"  - {storage_location}")
+            console.print("\n[dim]To login:[/dim]")
+            console.print("  ccproxy auth login-openai")
+            raise typer.Exit(1)
+
+        # Decode JWT token to extract additional information
+        jwt_payload = {}
+        jwt_header = {}
+        if credentials.access_token:
+            try:
+                # Split JWT into parts
+                parts = credentials.access_token.split(".")
+                if len(parts) == 3:
+                    # Decode header and payload (add padding if needed)
+                    header_b64 = parts[0] + "=" * (4 - len(parts[0]) % 4)
+                    payload_b64 = parts[1] + "=" * (4 - len(parts[1]) % 4)
+
+                    jwt_header = json.loads(base64.urlsafe_b64decode(header_b64))
+                    jwt_payload = json.loads(base64.urlsafe_b64decode(payload_b64))
+            except Exception as decode_error:
+                logger.debug(f"Failed to decode JWT token: {decode_error}")
+
+        # Display account section
+        console.print("\n[bold]OpenAI Account[/bold]")
+        console.print(f"  L Account ID: {credentials.account_id}")
+        console.print(f"  L Status: {'Active' if credentials.active else 'Inactive'}")
+
+        # Extract additional info from JWT payload
+        if jwt_payload:
+            # Get OpenAI auth info from the JWT
+            openai_auth = jwt_payload.get("https://api.openai.com/auth", {})
+            if openai_auth:
+                if "email" in jwt_payload:
+                    console.print(f"  L Email: {jwt_payload['email']}")
+                    if jwt_payload.get("email_verified"):
+                        console.print("  L Email Verified: Yes")
+
+                if openai_auth.get("chatgpt_plan_type"):
+                    console.print(
+                        f"  L Plan Type: {openai_auth['chatgpt_plan_type'].upper()}"
+                    )
+
+                if openai_auth.get("chatgpt_user_id"):
+                    console.print(f"  L User ID: {openai_auth['chatgpt_user_id']}")
+
+                # Subscription info
+                if openai_auth.get("chatgpt_subscription_active_start"):
+                    console.print(
+                        f"  L Subscription Start: {openai_auth['chatgpt_subscription_active_start']}"
+                    )
+                if openai_auth.get("chatgpt_subscription_active_until"):
+                    console.print(
+                        f"  L Subscription Until: {openai_auth['chatgpt_subscription_active_until']}"
+                    )
+
+                # Organizations
+                orgs = openai_auth.get("organizations", [])
+                if orgs:
+                    for org in orgs:
+                        if org.get("is_default"):
+                            console.print(
+                                f"  L Organization: {org.get('title', 'Unknown')} ({org.get('role', 'member')})"
+                            )
+                            console.print(f"  L Org ID: {org.get('id', 'Unknown')}")
+
+        # Create details table
+        console.print()
+        table = Table(
+            show_header=True,
+            header_style="bold cyan",
+            box=box.ROUNDED,
+            title="Token Details",
+            title_style="bold white",
+        )
+        table.add_column("Property", style="cyan")
+        table.add_column("Value", style="white")
+
+        # File location
+        storage_location = token_manager.storage.get_location()
+        table.add_row("Storage Location", storage_location)
+
+        # Token algorithm and type from JWT header
+        if jwt_header:
+            table.add_row("Algorithm", jwt_header.get("alg", "Unknown"))
+            table.add_row("Token Type", jwt_header.get("typ", "Unknown"))
+            if jwt_header.get("kid"):
+                table.add_row("Key ID", jwt_header["kid"])
+
+        # Token status
+        table.add_row(
+            "Token Expired",
+            "[red]Yes[/red]" if credentials.is_expired() else "[green]No[/green]",
+        )
+
+        # Expiration details
+        exp_dt = credentials.expires_at
+        table.add_row("Expires At", exp_dt.strftime("%Y-%m-%d %H:%M:%S UTC"))
+
+        # Time until expiration
+        now = datetime.now(UTC)
+        time_diff = exp_dt - now
+        if time_diff.total_seconds() > 0:
+            days = time_diff.days
+            hours = (time_diff.seconds % 86400) // 3600
+            minutes = (time_diff.seconds % 3600) // 60
+            table.add_row(
+                "Time Remaining", f"{days} days, {hours} hours, {minutes} minutes"
+            )
+        else:
+            table.add_row("Time Remaining", "[red]Expired[/red]")
+
+        # JWT timestamps if available
+        if jwt_payload:
+            if "iat" in jwt_payload:
+                iat_dt = datetime.fromtimestamp(jwt_payload["iat"], tz=UTC)
+                table.add_row("Issued At", iat_dt.strftime("%Y-%m-%d %H:%M:%S UTC"))
+
+            if "auth_time" in jwt_payload:
+                auth_dt = datetime.fromtimestamp(jwt_payload["auth_time"], tz=UTC)
+                table.add_row("Auth Time", auth_dt.strftime("%Y-%m-%d %H:%M:%S UTC"))
+
+        # JWT issuer and audience
+        if jwt_payload:
+            if "iss" in jwt_payload:
+                table.add_row("Issuer", jwt_payload["iss"])
+            if "aud" in jwt_payload:
+                audience = jwt_payload["aud"]
+                if isinstance(audience, list):
+                    audience = ", ".join(audience)
+                table.add_row("Audience", audience)
+            if "jti" in jwt_payload:
+                table.add_row("JWT ID", jwt_payload["jti"])
+            if "sid" in jwt_payload:
+                table.add_row("Session ID", jwt_payload["sid"])
+
+        # Token preview (first and last 8 chars)
+        if credentials.access_token:
+            token_preview = (
+                f"{credentials.access_token[:12]}...{credentials.access_token[-8:]}"
+            )
+            table.add_row("Access Token", f"[dim]{token_preview}[/dim]")
+
+        # Refresh token status
+        has_refresh = bool(credentials.refresh_token)
+        table.add_row(
+            "Refresh Token",
+            "[green]Available[/green]"
+            if has_refresh
+            else "[yellow]Not available[/yellow]",
+        )
+
+        console.print(table)
+
+        # Show usage instructions
+        console.print("\n[dim]Commands:[/dim]")
+        console.print("  ccproxy auth login-openai    - Re-authenticate")
+        console.print("  ccproxy auth logout-openai   - Remove credentials")
+
+    except Exception as e:
+        toolkit.print(f"Error getting OpenAI credential info: {e}", tag="error")
+        raise typer.Exit(1) from e
+
+
+@app.command(name="openai-status")
+def openai_status_command() -> None:
+    """Check OpenAI authentication status.
+
+    Quick status check for OpenAI credentials without detailed information.
+    Useful for scripts and automation.
+
+    Examples:
+        ccproxy auth openai-status
+    """
+    import asyncio
+
+    try:
+        token_manager = get_openai_token_manager()
+        credentials = asyncio.run(token_manager.load_credentials())
+
+        if not credentials:
+            console.print("[red]✗[/red] Not logged in to OpenAI")
+            raise typer.Exit(1)
+
+        if credentials.is_expired():
+            console.print("[yellow]⚠[/yellow] OpenAI credentials expired")
+            console.print(
+                f"  Expired: {credentials.expires_at.strftime('%Y-%m-%d %H:%M:%S UTC')}"
+            )
+            raise typer.Exit(1)
+
+        console.print("[green]✓[/green] OpenAI credentials valid")
+        console.print(f"  Account: {credentials.account_id}")
+        console.print(
+            f"  Expires: {credentials.expires_at.strftime('%Y-%m-%d %H:%M:%S UTC')}"
+        )
+
+    except SystemExit:
+        raise
+    except Exception as e:
+        console.print(f"[red]✗[/red] Error checking OpenAI status: {e}")
+        raise typer.Exit(1) from e
+
+
 if __name__ == "__main__":
     app()

ccproxy/cli/commands/serve.py

@@ -10,6 +10,7 @@ import uvicorn
 from click import get_current_context
 from structlog import get_logger
 
+from ccproxy._version import __version__
 from ccproxy.cli.helpers import (
     get_rich_toolkit,
     is_running_in_docker,
@@ -35,7 +36,9 @@ from ..options.claude_options import (
     validate_max_thinking_tokens,
     validate_max_turns,
     validate_permission_mode,
+    validate_pool_size,
     validate_sdk_message_mode,
+    validate_system_prompt_injection_mode,
 )
 from ..options.security_options import SecurityOptions, validate_auth_token
 from ..options.server_options import (
@@ -442,6 +445,48 @@ def api(
             rich_help_panel="Claude Settings",
         ),
     ] = None,
+    sdk_pool: Annotated[
+        bool,
+        typer.Option(
+            "--sdk-pool/--no-sdk-pool",
+            help="Enable/disable general Claude SDK client connection pooling",
+            rich_help_panel="Claude Settings",
+        ),
+    ] = False,
+    sdk_pool_size: Annotated[
+        int | None,
+        typer.Option(
+            "--sdk-pool-size",
+            help="Number of clients to maintain in the general pool (1-20)",
+            callback=validate_pool_size,
+            rich_help_panel="Claude Settings",
+        ),
+    ] = None,
+    sdk_session_pool: Annotated[
+        bool,
+        typer.Option(
+            "--sdk-session-pool/--no-sdk-session-pool",
+            help="Enable/disable session-aware Claude SDK client pooling",
+            rich_help_panel="Claude Settings",
+        ),
+    ] = False,
+    system_prompt_injection_mode: Annotated[
+        str | None,
+        typer.Option(
+            "--system-prompt-injection-mode",
+            help="System prompt injection mode: minimal (Claude Code ID only), full (all detected system messages)",
+            callback=validate_system_prompt_injection_mode,
+            rich_help_panel="Claude Settings",
+        ),
+    ] = None,
+    builtin_permissions: Annotated[
+        bool,
+        typer.Option(
+            "--builtin-permissions/--no-builtin-permissions",
+            help="Enable built-in permission handling infrastructure (MCP server and SSE endpoints). When disabled, users can configure custom MCP servers and permission tools.",
+            rich_help_panel="Claude Settings",
+        ),
+    ] = True,
     # Core settings
     docker: Annotated[
         bool,
@@ -526,6 +571,31 @@ def api(
             rich_help_panel="Docker Settings",
         ),
     ] = None,
+    # Network control flags
+    no_network_calls: Annotated[
+        bool,
+        typer.Option(
+            "--no-network-calls",
+            help="Disable all network calls (version checks and pricing updates)",
+            rich_help_panel="Privacy Settings",
+        ),
+    ] = False,
+    disable_version_check: Annotated[
+        bool,
+        typer.Option(
+            "--disable-version-check",
+            help="Disable version update checks (prevents calls to GitHub API)",
+            rich_help_panel="Privacy Settings",
+        ),
+    ] = False,
+    disable_pricing_updates: Annotated[
+        bool,
+        typer.Option(
+            "--disable-pricing-updates",
+            help="Disable pricing data updates (prevents downloads from GitHub)",
+            rich_help_panel="Privacy Settings",
+        ),
+    ] = False,
 ) -> None:
     """
     Start the CCProxy API server.
@@ -573,10 +643,28 @@ def api(
             cwd=cwd,
             permission_prompt_tool_name=permission_prompt_tool_name,
             sdk_message_mode=sdk_message_mode,
+            sdk_pool=sdk_pool,
+            sdk_pool_size=sdk_pool_size,
+            sdk_session_pool=sdk_session_pool,
+            system_prompt_injection_mode=system_prompt_injection_mode,
+            builtin_permissions=builtin_permissions,
         )
 
         security_options = SecurityOptions(auth_token=auth_token)
 
+        # Handle network control flags
+        scheduler_overrides = {}
+        if no_network_calls:
+            # Disable both network features
+            scheduler_overrides["pricing_update_enabled"] = False
+            scheduler_overrides["version_check_enabled"] = False
+        else:
+            # Handle individual flags
+            if disable_pricing_updates:
+                scheduler_overrides["pricing_update_enabled"] = False
+            if disable_version_check:
+                scheduler_overrides["version_check_enabled"] = False
+
         # Extract CLI overrides from structured option containers
         cli_overrides = config_manager.get_cli_overrides_from_args(
             # Server options
@@ -599,8 +687,17 @@ def api(
             permission_prompt_tool_name=claude_options.permission_prompt_tool_name,
             cwd=claude_options.cwd,
             sdk_message_mode=claude_options.sdk_message_mode,
+            sdk_pool=claude_options.sdk_pool,
+            sdk_pool_size=claude_options.sdk_pool_size,
+            sdk_session_pool=claude_options.sdk_session_pool,
+            system_prompt_injection_mode=claude_options.system_prompt_injection_mode,
+            builtin_permissions=claude_options.builtin_permissions,
         )
 
+        # Add scheduler overrides if any
+        if scheduler_overrides:
+            cli_overrides["scheduler"] = scheduler_overrides
+
         # Load settings with CLI overrides
         settings = config_manager.load_settings(
             config_path=config, cli_overrides=cli_overrides
@@ -613,7 +710,6 @@ def api(
 
         # Always reconfigure logging to ensure log level changes are picked up
         # Use JSON logs if explicitly requested via env var
-        print(f"{settings.server.log_level} {settings.server.log_file}")
         setup_logging(
             json_logs=settings.server.log_format == "json",
             log_level_name=settings.server.log_level,
@@ -633,6 +729,7 @@ def api(
         logger.info(
             "cli_command_starting",
             command="serve",
+            version=__version__,
             docker=docker,
             port=server_options.port,
             host=server_options.host,
@@ -800,6 +897,7 @@ def claude(
         logger.info(
             "cli_command_starting",
             command="claude",
+            version=__version__,
             docker=docker,
             args=args if args else [],
         )

ccproxy/cli/options/claude_options.py

@@ -93,6 +93,38 @@ def validate_sdk_message_mode(
     return value
 
 
+def validate_pool_size(
+    ctx: typer.Context, param: typer.CallbackParam, value: int | None
+) -> int | None:
+    """Validate pool size."""
+    if value is None:
+        return None
+
+    if value < 1:
+        raise typer.BadParameter("Pool size must be at least 1")
+
+    if value > 20:
+        raise typer.BadParameter("Pool size must not exceed 20")
+
+    return value
+
+
+def validate_system_prompt_injection_mode(
+    ctx: typer.Context, param: typer.CallbackParam, value: str | None
+) -> str | None:
+    """Validate system prompt injection mode."""
+    if value is None:
+        return None
+
+    valid_modes = {"minimal", "full"}
+    if value not in valid_modes:
+        raise typer.BadParameter(
+            f"System prompt injection mode must be one of: {', '.join(valid_modes)}"
+        )
+
+    return value
+
+
 # Factory functions removed - use Annotated syntax directly in commands
 
 
@@ -115,6 +147,11 @@ class ClaudeOptions:
         cwd: str | None = None,
         permission_prompt_tool_name: str | None = None,
         sdk_message_mode: str | None = None,
+        sdk_pool: bool = False,
+        sdk_pool_size: int | None = None,
+        sdk_session_pool: bool = False,
+        system_prompt_injection_mode: str | None = None,
+        builtin_permissions: bool = True,
     ):
         """Initialize Claude options.
 
@@ -129,6 +166,11 @@ class ClaudeOptions:
             cwd: Working directory path
             permission_prompt_tool_name: Permission prompt tool name
             sdk_message_mode: SDK message handling mode
+            sdk_pool: Enable general Claude SDK client connection pooling
+            sdk_pool_size: Number of clients to maintain in the general pool
+            sdk_session_pool: Enable session-aware Claude SDK client pooling
+            system_prompt_injection_mode: System prompt injection mode
+            builtin_permissions: Enable built-in permission handling infrastructure
         """
         self.max_thinking_tokens = max_thinking_tokens
         self.allowed_tools = allowed_tools
@@ -140,3 +182,8 @@ class ClaudeOptions:
         self.cwd = cwd
         self.permission_prompt_tool_name = permission_prompt_tool_name
         self.sdk_message_mode = sdk_message_mode
+        self.sdk_pool = sdk_pool
+        self.sdk_pool_size = sdk_pool_size
+        self.sdk_session_pool = sdk_session_pool
+        self.system_prompt_injection_mode = system_prompt_injection_mode
+        self.builtin_permissions = builtin_permissions

ccproxy/config/__init__.py

@@ -2,7 +2,6 @@
 
 from .auth import AuthSettings, CredentialStorageSettings, OAuthSettings
 from .docker_settings import DockerSettings
-from .loader import ConfigLoader, load_config
 from .reverse_proxy import ReverseProxySettings
 from .settings import Settings, get_settings
 from .validators import (
@@ -26,8 +25,6 @@ __all__ = [
     "CredentialStorageSettings",
     "ReverseProxySettings",
     "DockerSettings",
-    "ConfigLoader",
-    "load_config",
     "ConfigValidationError",
     "validate_config_dict",
     "validate_cors_origins",