ccproxy-api 0.1.4__py3-none-any.whl → 0.1.6__py3-none-any.whl

ccproxy/api/routes/health.py

@@ -41,6 +41,16 @@ class ClaudeCliStatus(str, Enum):
     ERROR = "error"
 
 
+class CodexCliStatus(str, Enum):
+    """Codex CLI status enumeration."""
+
+    AVAILABLE = "available"
+    NOT_INSTALLED = "not_installed"
+    BINARY_FOUND_BUT_ERRORS = "binary_found_but_errors"
+    TIMEOUT = "timeout"
+    ERROR = "error"
+
+
 class ClaudeCliInfo(BaseModel):
     """Claude CLI information with structured data."""
 
@@ -52,8 +62,21 @@ class ClaudeCliInfo(BaseModel):
     return_code: str | None = None
 
 
+class CodexCliInfo(BaseModel):
+    """Codex CLI information with structured data."""
+
+    status: CodexCliStatus
+    version: str | None = None
+    binary_path: str | None = None
+    version_output: str | None = None
+    error: str | None = None
+    return_code: str | None = None
+
+
 # Cache for Claude CLI check results
 _claude_cli_cache: tuple[float, tuple[str, dict[str, Any]]] | None = None
+# Cache for Codex CLI check results
+_codex_cli_cache: tuple[float, tuple[str, dict[str, Any]]] | None = None
 _cache_ttl_seconds = 300  # Cache for 5 minutes
 
 
@@ -153,6 +176,11 @@ def _get_claude_cli_path() -> str | None:
     return shutil.which("claude")
 
 
+def _get_codex_cli_path() -> str | None:
+    """Get Codex CLI path with caching. Returns None if not found."""
+    return shutil.which("codex")
+
+
 async def check_claude_code() -> tuple[str, dict[str, Any]]:
     """Check Claude Code CLI installation and version by running 'claude --version'.
 
@@ -313,6 +341,162 @@ async def get_claude_cli_info() -> ClaudeCliInfo:
     )
 
 
+async def check_codex_cli() -> tuple[str, dict[str, Any]]:
+    """Check Codex CLI installation and version by running 'codex --version'.
+    Results are cached for 5 minutes to avoid repeated subprocess calls.
+    Returns:
+        Tuple of (status, details) where status is 'pass'/'fail'/'warn'
+        Details include CLI version and binary path
+    """
+    global _codex_cli_cache
+    # Check if we have a valid cached result
+    current_time = time.time()
+    if _codex_cli_cache is not None:
+        cache_time, cached_result = _codex_cli_cache
+        if current_time - cache_time < _cache_ttl_seconds:
+            logger.debug("codex_cli_check_cache_hit")
+            return cached_result
+
+    logger.debug("codex_cli_check_cache_miss")
+
+    # First check if codex binary exists in PATH (cached)
+    codex_path = _get_codex_cli_path()
+    if not codex_path:
+        result = (
+            "warn",
+            {
+                "installation_status": "not_found",
+                "cli_status": "not_installed",
+                "error": "Codex CLI binary not found in PATH",
+                "version": None,
+                "binary_path": None,
+            },
+        )
+        # Cache the result
+        _codex_cli_cache = (current_time, result)
+        return result
+
+    try:
+        # Run 'codex --version' to get actual version
+        process = await asyncio.create_subprocess_exec(
+            "codex",
+            "--version",
+            stdout=asyncio.subprocess.PIPE,
+            stderr=asyncio.subprocess.PIPE,
+        )
+
+        stdout, stderr = await process.communicate()
+
+        if process.returncode == 0:
+            version_output = stdout.decode().strip()
+            # Extract version from output (e.g., "codex 0.21.0" -> "0.21.0")
+            if version_output:
+                import re
+
+                # Try to find a version pattern (e.g., "0.21.0", "v1.0.0")
+                version_match = re.search(
+                    r"\b(?:v)?(\d+\.\d+(?:\.\d+)?)\b", version_output
+                )
+                if version_match:
+                    version = version_match.group(1)
+                else:
+                    # Fallback: take the last part if no version pattern found
+                    parts = version_output.split()
+                    version = parts[-1] if parts else "unknown"
+            else:
+                version = "unknown"
+
+            result = (
+                "pass",
+                {
+                    "installation_status": "found",
+                    "cli_status": "available",
+                    "version": version,
+                    "binary_path": codex_path,
+                    "version_output": version_output,
+                },
+            )
+            # Cache the result
+            _codex_cli_cache = (current_time, result)
+            return result
+        else:
+            # Binary exists but --version failed
+            error_output = stderr.decode().strip() if stderr else "Unknown error"
+            result = (
+                "warn",
+                {
+                    "installation_status": "found_with_issues",
+                    "cli_status": "binary_found_but_errors",
+                    "error": f"'codex --version' failed: {error_output}",
+                    "version": None,
+                    "binary_path": codex_path,
+                    "return_code": str(process.returncode),
+                },
+            )
+            # Cache the result
+            _codex_cli_cache = (current_time, result)
+            return result
+
+    except TimeoutError:
+        result = (
+            "warn",
+            {
+                "installation_status": "found_with_issues",
+                "cli_status": "timeout",
+                "error": "Timeout running 'codex --version'",
+                "version": None,
+                "binary_path": codex_path,
+            },
+        )
+        # Cache the result
+        _codex_cli_cache = (current_time, result)
+        return result
+
+    except Exception as e:
+        result = (
+            "fail",
+            {
+                "installation_status": "error",
+                "cli_status": "error",
+                "error": f"Unexpected error running 'codex --version': {str(e)}",
+                "version": None,
+                "binary_path": codex_path,
+            },
+        )
+        # Cache the result
+        _codex_cli_cache = (current_time, result)
+        return result
+
+
+async def get_codex_cli_info() -> CodexCliInfo:
+    """Get Codex CLI information as a structured Pydantic model.
+    Returns:
+        CodexCliInfo: Structured information about Codex CLI installation and status
+    """
+    cli_status, cli_details = await check_codex_cli()
+
+    # Map the status to our enum values
+    if cli_status == "pass":
+        status_value = CodexCliStatus.AVAILABLE
+    elif cli_details.get("cli_status") == "not_installed":
+        status_value = CodexCliStatus.NOT_INSTALLED
+    elif cli_details.get("cli_status") == "binary_found_but_errors":
+        status_value = CodexCliStatus.BINARY_FOUND_BUT_ERRORS
+    elif cli_details.get("cli_status") == "timeout":
+        status_value = CodexCliStatus.TIMEOUT
+    else:
+        status_value = CodexCliStatus.ERROR
+
+    return CodexCliInfo(
+        status=status_value,
+        version=cli_details.get("version"),
+        binary_path=cli_details.get("binary_path"),
+        version_output=cli_details.get("version_output"),
+        error=cli_details.get("error"),
+        return_code=cli_details.get("return_code"),
+    )
+
+
 async def _check_claude_sdk() -> tuple[str, dict[str, Any]]:
     """Check Claude SDK installation and version.
 
@@ -392,11 +576,17 @@ async def readiness_probe(response: Response) -> dict[str, Any]:
     # Check OAuth credentials, CLI, and SDK separately
     oauth_status, oauth_details = await _check_oauth2_credentials()
     cli_status, cli_details = await check_claude_code()
+    codex_cli_status, codex_cli_details = await check_codex_cli()
     sdk_status, sdk_details = await _check_claude_sdk()
 
     # Service is ready if no check returns "fail"
     # "warn" statuses (missing credentials/CLI/SDK) don't prevent readiness
-    if oauth_status == "fail" or cli_status == "fail" or sdk_status == "fail":
+    if (
+        oauth_status == "fail"
+        or cli_status == "fail"
+        or codex_cli_status == "fail"
+        or sdk_status == "fail"
+    ):
         response.status_code = status.HTTP_503_SERVICE_UNAVAILABLE
         failed_components = []
 
@@ -404,6 +594,8 @@ async def readiness_probe(response: Response) -> dict[str, Any]:
             failed_components.append("oauth2_credentials")
         if cli_status == "fail":
             failed_components.append("claude_cli")
+        if codex_cli_status == "fail":
+            failed_components.append("codex_cli")
         if sdk_status == "fail":
             failed_components.append("claude_sdk")
 
@@ -424,6 +616,12 @@ async def readiness_probe(response: Response) -> dict[str, Any]:
                         "output": cli_details.get("error", "Claude CLI error"),
                     }
                 ],
+                "codex_cli": [
+                    {
+                        "status": codex_cli_status,
+                        "output": codex_cli_details.get("error", "Codex CLI error"),
+                    }
+                ],
                 "claude_sdk": [
                     {
                         "status": sdk_status,
@@ -450,6 +648,12 @@ async def readiness_probe(response: Response) -> dict[str, Any]:
                     "output": f"Claude CLI: {cli_details.get('cli_status', 'unknown')}",
                 }
             ],
+            "codex_cli": [
+                {
+                    "status": codex_cli_status,
+                    "output": f"Codex CLI: {codex_cli_details.get('cli_status', 'unknown')}",
+                }
+            ],
             "claude_sdk": [
                 {
                     "status": sdk_status,
@@ -479,14 +683,25 @@ async def detailed_health_check(response: Response) -> dict[str, Any]:
     # Perform all health checks
     oauth_status, oauth_details = await _check_oauth2_credentials()
     cli_status, cli_details = await check_claude_code()
+    codex_cli_status, codex_cli_details = await check_codex_cli()
     sdk_status, sdk_details = await _check_claude_sdk()
 
     # Determine overall status - prioritize failures, then warnings
     overall_status = "pass"
-    if oauth_status == "fail" or cli_status == "fail" or sdk_status == "fail":
+    if (
+        oauth_status == "fail"
+        or cli_status == "fail"
+        or codex_cli_status == "fail"
+        or sdk_status == "fail"
+    ):
         overall_status = "fail"
         response.status_code = status.HTTP_503_SERVICE_UNAVAILABLE
-    elif oauth_status == "warn" or cli_status == "warn" or sdk_status == "warn":
+    elif (
+        oauth_status == "warn"
+        or cli_status == "warn"
+        or codex_cli_status == "warn"
+        or sdk_status == "warn"
+    ):
         overall_status = "warn"
         response.status_code = status.HTTP_200_OK
 
@@ -519,6 +734,16 @@ async def detailed_health_check(response: Response) -> dict[str, Any]:
                     **cli_details,
                 }
             ],
+            "codex_cli": [
+                {
+                    "componentId": "codex-cli",
+                    "componentType": "external_dependency",
+                    "status": codex_cli_status,
+                    "time": current_time,
+                    "output": f"Codex CLI: {codex_cli_details.get('cli_status', 'unknown')}",
+                    **codex_cli_details,
+                }
+            ],
             "claude_sdk": [
                 {
                     "componentId": "claude-sdk",

ccproxy/api/routes/proxy.py

@@ -38,9 +38,11 @@ async def create_openai_chat_completion(
         )
 
         # Handle the request using proxy service directly
+        # Strip the /api prefix from the path
+        service_path = request.url.path.removeprefix("/api")
         response = await proxy_service.handle_request(
             method=request.method,
-            path=request.url.path,
+            path=service_path,
             headers=headers,
             body=body,
             query_params=query_params,
@@ -55,6 +57,8 @@ async def create_openai_chat_completion(
             # Tuple response - handle regular response
             status_code, response_headers, response_body = response
             if status_code >= 400:
+                # Store headers for preservation middleware
+                request.state.preserve_headers = response_headers
                 # Forward error response directly with headers
                 return ProxyResponse(
                     content=response_body,
@@ -128,9 +132,11 @@ async def create_anthropic_message(
         )
 
         # Handle the request using proxy service directly
+        # Strip the /api prefix from the path
+        service_path = request.url.path.removeprefix("/api")
         response = await proxy_service.handle_request(
             method=request.method,
-            path=request.url.path,
+            path=service_path,
             headers=headers,
             body=body,
             query_params=query_params,
@@ -145,6 +151,8 @@ async def create_anthropic_message(
             # Tuple response - handle regular response
             status_code, response_headers, response_body = response
             if status_code >= 400:
+                # Store headers for preservation middleware
+                request.state.preserve_headers = response_headers
                 # Forward error response directly with headers
                 return ProxyResponse(
                     content=response_body,
@@ -163,15 +171,26 @@ async def create_anthropic_message(
                         if line.strip():
                             yield f"{line}\n".encode()
 
+                # Start with the response headers from proxy service
+                streaming_headers = response_headers.copy()
+
+                # Ensure critical headers for streaming
+                streaming_headers["Cache-Control"] = "no-cache"
+                streaming_headers["Connection"] = "keep-alive"
+
+                # Set content-type if not already set by upstream
+                if "content-type" not in streaming_headers:
+                    streaming_headers["content-type"] = "text/event-stream"
+
                 return StreamingResponse(
                     stream_generator(),
                     media_type="text/event-stream",
-                    headers={
-                        "Cache-Control": "no-cache",
-                        "Connection": "keep-alive",
-                    },
+                    headers=streaming_headers,
                 )
             else:
+                # Store headers for preservation middleware
+                request.state.preserve_headers = response_headers
+
                 # Parse JSON response
                 response_data = json.loads(response_body.decode())
 

ccproxy/api/services/permission_service.py

@@ -35,7 +35,7 @@ class PermissionService:
     async def start(self) -> None:
         if self._expiry_task is None:
             self._expiry_task = asyncio.create_task(self._expiry_checker())
-            logger.info("permission_service_started")
+            logger.debug("permission_service_started")
 
     async def stop(self) -> None:
         self._shutdown = True
@@ -44,7 +44,7 @@ class PermissionService:
             with contextlib.suppress(asyncio.CancelledError):
                 await self._expiry_task
             self._expiry_task = None
-        logger.info("permission_service_stopped")
+        logger.debug("permission_service_stopped")
 
     async def request_permission(self, tool_name: str, input: dict[str, str]) -> str:
         """Create a new permission request.

ccproxy/auth/openai/__init__.py

@@ -0,0 +1,13 @@
+"""OpenAI authentication components for Codex integration."""
+
+from .credentials import OpenAICredentials, OpenAITokenManager
+from .oauth_client import OpenAIOAuthClient
+from .storage import OpenAITokenStorage
+
+
+__all__ = [
+    "OpenAICredentials",
+    "OpenAITokenManager",
+    "OpenAIOAuthClient",
+    "OpenAITokenStorage",
+]

ccproxy/auth/openai/credentials.py

@@ -0,0 +1,166 @@
+"""OpenAI credentials management for Codex authentication."""
+
+from datetime import UTC, datetime
+from typing import Any
+
+import jwt
+import structlog
+from pydantic import BaseModel, Field, field_validator
+
+from .storage import OpenAITokenStorage
+
+
+logger = structlog.get_logger(__name__)
+
+
+class OpenAICredentials(BaseModel):
+    """OpenAI authentication credentials model."""
+
+    access_token: str = Field(..., description="OpenAI access token (JWT)")
+    refresh_token: str = Field(..., description="OpenAI refresh token")
+    expires_at: datetime = Field(..., description="Token expiration timestamp")
+    account_id: str = Field(..., description="OpenAI account ID extracted from token")
+    active: bool = Field(default=True, description="Whether credentials are active")
+
+    @field_validator("expires_at", mode="before")
+    @classmethod
+    def parse_expires_at(cls, v: Any) -> datetime:
+        """Parse expiration timestamp."""
+        if isinstance(v, datetime):
+            # Ensure timezone-aware datetime
+            if v.tzinfo is None:
+                return v.replace(tzinfo=UTC)
+            return v
+
+        if isinstance(v, str):
+            # Handle ISO format strings
+            try:
+                dt = datetime.fromisoformat(v.replace("Z", "+00:00"))
+                if dt.tzinfo is None:
+                    dt = dt.replace(tzinfo=UTC)
+                return dt
+            except ValueError as e:
+                raise ValueError(f"Invalid datetime format: {v}") from e
+
+        if isinstance(v, int | float):
+            # Handle Unix timestamps
+            return datetime.fromtimestamp(v, tz=UTC)
+
+        raise ValueError(f"Cannot parse datetime from {type(v)}: {v}")
+
+    @field_validator("account_id", mode="before")
+    @classmethod
+    def extract_account_id(cls, v: Any, info: Any) -> str:
+        """Extract account ID from access token if not provided."""
+        if isinstance(v, str) and v:
+            return v
+
+        # Try to extract from access_token
+        access_token = None
+        if hasattr(info, "data") and info.data and isinstance(info.data, dict):
+            access_token = info.data.get("access_token")
+
+        if access_token and isinstance(access_token, str):
+            try:
+                # Decode JWT without verification to extract claims
+                decoded = jwt.decode(access_token, options={"verify_signature": False})
+                if "org_id" in decoded and isinstance(decoded["org_id"], str):
+                    return decoded["org_id"]
+                elif "sub" in decoded and isinstance(decoded["sub"], str):
+                    return decoded["sub"]
+                elif "account_id" in decoded and isinstance(decoded["account_id"], str):
+                    return decoded["account_id"]
+            except Exception as e:
+                logger.warning("Failed to extract account_id from token", error=str(e))
+
+        raise ValueError(
+            "account_id is required and could not be extracted from access_token"
+        )
+
+    def is_expired(self) -> bool:
+        """Check if the access token is expired."""
+        now = datetime.now(UTC)
+        return now >= self.expires_at
+
+    def expires_in_seconds(self) -> int:
+        """Get seconds until token expires."""
+        now = datetime.now(UTC)
+        delta = self.expires_at - now
+        return max(0, int(delta.total_seconds()))
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for storage."""
+        return {
+            "access_token": self.access_token,
+            "refresh_token": self.refresh_token,
+            "expires_at": self.expires_at.isoformat(),
+            "account_id": self.account_id,
+            "active": self.active,
+        }
+
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> "OpenAICredentials":
+        """Create from dictionary."""
+        return cls(**data)
+
+
+class OpenAITokenManager:
+    """Manages OpenAI token storage and refresh operations."""
+
+    def __init__(self, storage: OpenAITokenStorage | None = None):
+        """Initialize token manager.
+
+        Args:
+            storage: Token storage backend. If None, uses default TOML file storage.
+        """
+        self.storage = storage or OpenAITokenStorage()
+
+    async def load_credentials(self) -> OpenAICredentials | None:
+        """Load credentials from storage."""
+        try:
+            return await self.storage.load()
+        except Exception as e:
+            logger.error("Failed to load OpenAI credentials", error=str(e))
+            return None
+
+    async def save_credentials(self, credentials: OpenAICredentials) -> bool:
+        """Save credentials to storage."""
+        try:
+            return await self.storage.save(credentials)
+        except Exception as e:
+            logger.error("Failed to save OpenAI credentials", error=str(e))
+            return False
+
+    async def delete_credentials(self) -> bool:
+        """Delete credentials from storage."""
+        try:
+            return await self.storage.delete()
+        except Exception as e:
+            logger.error("Failed to delete OpenAI credentials", error=str(e))
+            return False
+
+    async def has_credentials(self) -> bool:
+        """Check if credentials exist."""
+        try:
+            return await self.storage.exists()
+        except Exception:
+            return False
+
+    async def get_valid_token(self) -> str | None:
+        """Get a valid access token, refreshing if necessary."""
+        credentials = await self.load_credentials()
+        if not credentials or not credentials.active:
+            return None
+
+        # If token is not expired, return it
+        if not credentials.is_expired():
+            return credentials.access_token
+
+        # TODO: Implement token refresh logic
+        # For now, return None if expired (user needs to re-authenticate)
+        logger.warning("OpenAI token expired, refresh not yet implemented")
+        return None
+
+    def get_storage_location(self) -> str:
+        """Get storage location description."""
+        return self.storage.get_location()