codex-antigravity-auth 1.3.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. codex_antigravity_auth-1.3.0/LICENSE +21 -0
  2. codex_antigravity_auth-1.3.0/MANIFEST.in +1 -0
  3. codex_antigravity_auth-1.3.0/PKG-INFO +306 -0
  4. codex_antigravity_auth-1.3.0/README.md +274 -0
  5. codex_antigravity_auth-1.3.0/codex_antigravity_auth/__init__.py +15 -0
  6. codex_antigravity_auth-1.3.0/codex_antigravity_auth/accounts.py +435 -0
  7. codex_antigravity_auth-1.3.0/codex_antigravity_auth/byok.py +632 -0
  8. codex_antigravity_auth-1.3.0/codex_antigravity_auth/cli.py +2716 -0
  9. codex_antigravity_auth-1.3.0/codex_antigravity_auth/constants.py +128 -0
  10. codex_antigravity_auth-1.3.0/codex_antigravity_auth/fingerprint.py +57 -0
  11. codex_antigravity_auth-1.3.0/codex_antigravity_auth/models.py +489 -0
  12. codex_antigravity_auth-1.3.0/codex_antigravity_auth/oauth.py +142 -0
  13. codex_antigravity_auth-1.3.0/codex_antigravity_auth/observability.py +167 -0
  14. codex_antigravity_auth-1.3.0/codex_antigravity_auth/redaction.py +113 -0
  15. codex_antigravity_auth-1.3.0/codex_antigravity_auth/schema.py +81 -0
  16. codex_antigravity_auth-1.3.0/codex_antigravity_auth/server.py +1941 -0
  17. codex_antigravity_auth-1.3.0/codex_antigravity_auth/service.py +214 -0
  18. codex_antigravity_auth-1.3.0/codex_antigravity_auth/skills/anti/SKILL.md +118 -0
  19. codex_antigravity_auth-1.3.0/codex_antigravity_auth/skills/anti/agents/openai.yaml +4 -0
  20. codex_antigravity_auth-1.3.0/codex_antigravity_auth/skills/anti/scripts/anti.py +3045 -0
  21. codex_antigravity_auth-1.3.0/codex_antigravity_auth/skills/anti/tests/test_anti.py +1387 -0
  22. codex_antigravity_auth-1.3.0/codex_antigravity_auth/storage.py +283 -0
  23. codex_antigravity_auth-1.3.0/codex_antigravity_auth/transform.py +957 -0
  24. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/PKG-INFO +306 -0
  25. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/SOURCES.txt +41 -0
  26. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/dependency_links.txt +1 -0
  27. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/entry_points.txt +2 -0
  28. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/requires.txt +9 -0
  29. codex_antigravity_auth-1.3.0/codex_antigravity_auth.egg-info/top_level.txt +1 -0
  30. codex_antigravity_auth-1.3.0/pyproject.toml +59 -0
  31. codex_antigravity_auth-1.3.0/setup.cfg +4 -0
  32. codex_antigravity_auth-1.3.0/tests/conftest.py +10 -0
  33. codex_antigravity_auth-1.3.0/tests/test_accounts.py +122 -0
  34. codex_antigravity_auth-1.3.0/tests/test_byok_providers.py +1840 -0
  35. codex_antigravity_auth-1.3.0/tests/test_cli.py +2195 -0
  36. codex_antigravity_auth-1.3.0/tests/test_fidelity_edge_cases.py +74 -0
  37. codex_antigravity_auth-1.3.0/tests/test_fidelity_transforms.py +51 -0
  38. codex_antigravity_auth-1.3.0/tests/test_regressions.py +1353 -0
  39. codex_antigravity_auth-1.3.0/tests/test_schema_sanitization.py +82 -0
  40. codex_antigravity_auth-1.3.0/tests/test_security_hardening.py +345 -0
  41. codex_antigravity_auth-1.3.0/tests/test_server_streaming.py +715 -0
  42. codex_antigravity_auth-1.3.0/tests/test_storage.py +115 -0
  43. codex_antigravity_auth-1.3.0/tests/test_transform.py +129 -0
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Reidar
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1 @@
1
+ include tests/conftest.py
@@ -0,0 +1,306 @@
1
+ Metadata-Version: 2.4
2
+ Name: codex-antigravity-auth
3
+ Version: 1.3.0
4
+ Summary: Google Antigravity OAuth model access for OpenAI Codex
5
+ License-Expression: MIT
6
+ Project-URL: Homepage, https://github.com/Reedtrullz/codex-antigravity-auth
7
+ Project-URL: Repository, https://github.com/Reedtrullz/codex-antigravity-auth
8
+ Project-URL: Issues, https://github.com/Reedtrullz/codex-antigravity-auth/issues
9
+ Keywords: codex,google-antigravity,oauth,responses-api,byok
10
+ Classifier: Development Status :: 4 - Beta
11
+ Classifier: Environment :: Console
12
+ Classifier: Intended Audience :: Developers
13
+ Classifier: Operating System :: OS Independent
14
+ Classifier: Programming Language :: Python :: 3
15
+ Classifier: Programming Language :: Python :: 3.10
16
+ Classifier: Programming Language :: Python :: 3.11
17
+ Classifier: Programming Language :: Python :: 3.12
18
+ Classifier: Topic :: Internet :: Proxy Servers
19
+ Classifier: Topic :: Software Development :: Libraries :: Python Modules
20
+ Requires-Python: >=3.10
21
+ Description-Content-Type: text/markdown
22
+ License-File: LICENSE
23
+ Requires-Dist: httpx>=0.28
24
+ Requires-Dist: fastapi>=0.110
25
+ Requires-Dist: uvicorn>=0.28
26
+ Requires-Dist: pyyaml>=6.0
27
+ Requires-Dist: keyring>=25.0.0
28
+ Requires-Dist: cryptography>=42.0.0
29
+ Provides-Extra: dev
30
+ Requires-Dist: pytest>=8.0; extra == "dev"
31
+ Dynamic: license-file
32
+
33
+ # Codex Antigravity Auth
34
+
35
+ Create a clean, reliable local gateway server that makes Google Antigravity Claude Opus/Sonnet feel native in OpenAI Codex (CLI or Desktop), with Gemini and BYOK OpenAI-compatible providers still available.
36
+
37
+ ## Features
38
+ - **OS-Native Keyring Encryption**: Encrypts Google account tokens and stored BYOK provider config at rest via macOS Keychain, Windows Credential Manager, Linux Secret Service, or a private local fallback key.
39
+ - **Transaction-Safe Cooldown Rotations**: Automatically rotates accounts on backend failures (such as `401`, `403`, or `429` rate limiters) with clean exponential backoff.
40
+ - **High-Fidelity SSE Translation**: Translates stream candidate envelopes, role alignments, reasoning-text deltas, function-call items, and VALIDATED tool parameter modes into Responses API events.
41
+ - **BYOK Provider Routing**: Route model IDs like `deepseek:deepseek-chat`, `xai:grok-code-fast-1`, `kimi:kimi-k2-0711-preview`, `openrouter:deepseek/deepseek-chat`, and custom OpenAI-compatible endpoints through encrypted API-key config.
42
+
43
+ ## Installation
44
+
45
+ From GitHub:
46
+
47
+ ```bash
48
+ uv tool install "git+https://github.com/Reedtrullz/codex-antigravity-auth.git"
49
+ ```
50
+
51
+ From a source checkout:
52
+
53
+ ```bash
54
+ uv tool install .
55
+ ```
56
+
57
+ For active development, keep it editable:
58
+
59
+ ```bash
60
+ uv tool install --editable .
61
+ ```
62
+
63
+ If you are already inside a project virtual environment, this also works:
64
+
65
+ ```bash
66
+ uv pip install -e .
67
+ ```
68
+
69
+ ## Configuration
70
+
71
+ The recommended first-run path is the primary setup command. It validates OAuth credentials, runs Google login, writes Codex config only when `--write` is present, can install the optional `$anti` helper skill, starts the gateway in the background, waits for `/v1/models`, and ends with Codex readiness diagnostics:
72
+
73
+ ```bash
74
+ codex-antigravity setup --write --accounts 1 --model claude-3.5-sonnet --install-skill --start
75
+ ```
76
+
77
+ When `--base-url` is omitted, `setup` derives `http://localhost:<port>/v1` from `--port`; if both `--start --port` and `--base-url` are supplied, their ports must match so Codex is not configured for a different gateway than the one just started.
78
+
79
+ For a read-only preflight that does not mutate OAuth, Codex config, skills, or gateway state:
80
+
81
+ ```bash
82
+ codex-antigravity setup --check
83
+ codex-antigravity setup --json
84
+ ```
85
+
86
+ After setup, inspect native Codex readiness and gateway lifecycle with:
87
+
88
+ ```bash
89
+ codex-antigravity status
90
+ codex-antigravity doctor --codex-ready
91
+ codex-antigravity doctor --codex-ready --json
92
+ codex-antigravity stop
93
+ ```
94
+
95
+ For reboot persistence, install the per-user gateway service after a successful setup:
96
+
97
+ ```bash
98
+ codex-antigravity service install --port 51122 --host 127.0.0.1
99
+ codex-antigravity service status
100
+ codex-antigravity service uninstall
101
+ ```
102
+
103
+ On macOS this writes a user LaunchAgent under `~/Library/LaunchAgents`; on Linux it writes a systemd user unit under `~/.config/systemd/user`; on Windows it creates a per-user Scheduled Task. The regular `start --background` command remains the lightweight non-persistent option.
104
+
105
+ If your Codex provider block drifts, repair only the Codex config without OAuth login, skill install, or gateway mutation:
106
+
107
+ ```bash
108
+ codex-antigravity setup --repair --config ~/.codex/config.toml --model claude-3.5-sonnet
109
+ ```
110
+
111
+ Install the Codex provider block:
112
+
113
+ ```bash
114
+ codex-antigravity configure-codex --write
115
+ ```
116
+
117
+ The command validates the Codex model id, provider id, provider name, and gateway base URL before writing. It updates `~/.codex/config.toml` through a private atomic write, follows an existing symlink to update the real config target, and writes a timestamped private backup first when it changes an existing config. To inspect the TOML without writing it:
118
+
119
+ ```bash
120
+ codex-antigravity configure-codex
121
+ ```
122
+
123
+ Install the optional Codex `$anti` helper skill that ships with this repo:
124
+
125
+ ```bash
126
+ codex-antigravity install-skill
127
+ ```
128
+
129
+ This copies the bundled skill into `~/.codex/skills/anti` for optional review/planning workflows after Claude is already available in Codex. It can use Antigravity Opus/Sonnet as a helper reviewer, consult lane, deep work planner, and bounded multi-model panel from chat prompts like `$anti review this diff with opus`. If you already have a local `anti` skill, the command refuses to overwrite it unless you pass `--force`; forced installs back up the existing skill under a sibling `skills-backups` directory so backups are not indexed as live skills.
130
+
131
+ To verify the V2 helper workflow surface without changing Codex config, run:
132
+
133
+ ```bash
134
+ codex-antigravity setup-v2
135
+ codex-antigravity install-skill --verify
136
+ # If setup-v2 warns that an existing anti skill is stale or locally modified:
137
+ codex-antigravity install-skill --force --verify
138
+ ```
139
+
140
+ `setup-v2 --write` installs or refreshes the bundled skill, but it does not write `~/.codex/config.toml`; use primary `setup --write`, `setup-google`, or `configure-codex --write` when you explicitly want Codex itself pointed at the gateway.
141
+ If an existing `anti` skill differs from the bundled copy, pass `--force` with `install-skill` or `setup-v2 --write` to back it up and replace it before verifying. BYOK provider identity/key checks are skipped by default; add `--check-byok` when you want setup-v2 to inspect provider readiness and confirm configured provider models are advertised by the running gateway.
142
+
143
+ The skill also ships a helper-level panel mode inspired by MoA/Fusion workflows. Codex remains the acting agent; the helper fans out to gateway-advertised models, asks a judge model to synthesize consensus, contradictions, blind spots, and next actions, then returns advisory output for Codex to verify:
144
+
145
+ ```bash
146
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode review --scope staged
147
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode plan --scope working-tree --prompt "Plan this PR"
148
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode ask --model sonnet --model openrouter:deepseek/deepseek-chat --judge opus --prompt "Compare these approaches"
149
+ ```
150
+
151
+ Panel consensus is not proof and should not patch code directly. BYOK panel models such as `openrouter:...` only work when the running gateway advertises them in `/v1/models`, which requires usable provider keys or a key-optional local provider setup.
152
+
153
+ V2 named workflow presets wrap the same advisory engine for common Codex work:
154
+
155
+ ```bash
156
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow review-ready --scope staged
157
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow plan-deep --scope working-tree --prompt "Plan this PR" --progress
158
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow ship-gate --scope diff --base origin/main --json
159
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow provider-compare --model sonnet --model openrouter:deepseek/deepseek-chat --prompt "Compare these approaches"
160
+ python3 ~/.codex/skills/anti/scripts/anti.py runs list
161
+ ```
162
+
163
+ Workflow runs save sanitized summaries under `~/.codex/anti-runs` by default; primitive `consult`, `plan`, `review`, and `panel` commands default to not writing a ledger unless `--save-output summary` or `--save-output full` is passed. `--fallback-model sonnet --fallback-policy on-retryable` and `--progress` are available for long-running model calls that may otherwise fail silently or hit transient backend rotation errors.
164
+
165
+ Before running `codex-antigravity login`, create a Google OAuth desktop client. The local callback listener uses:
166
+
167
+ ```text
168
+ http://localhost:51121/oauth-callback
169
+ ```
170
+
171
+ Then either export the client credentials:
172
+
173
+ ```bash
174
+ export ANTIGRAVITY_CLIENT_ID="your-client-id.apps.googleusercontent.com"
175
+ export ANTIGRAVITY_CLIENT_SECRET="your-client-secret"
176
+ ```
177
+
178
+ Or write them to `~/.codex/antigravity-credentials.json`. This client-credential file is plaintext but permission-repaired to `0600`; account tokens are stored separately in encrypted storage.
179
+
180
+ ```json
181
+ {
182
+ "client_id": "your-client-id.apps.googleusercontent.com",
183
+ "client_secret": "your-client-secret"
184
+ }
185
+ ```
186
+
187
+ Then run the interactive login:
188
+ ```bash
189
+ codex-antigravity login
190
+ ```
191
+
192
+ For first-run native Claude setup, prefer `setup --write`. For the older Google-only flow, or when you want several Google accounts in the rotation pool without installing the skill or starting the gateway, use:
193
+
194
+ ```bash
195
+ codex-antigravity setup-google --accounts 2
196
+ ```
197
+
198
+ `setup-google` first verifies that Google OAuth client credentials are configured, then runs the browser OAuth flow before writing Codex config. That keeps Codex config untouched if login cannot start or complete. It forces Google's account chooser for multi-account setup, stores each account in the encrypted rotation pool, clears stale cooldown state for re-authenticated accounts, writes the Codex provider block after successful login unless `--skip-codex-config` is passed, and runs `doctor` against the same config path unless `--skip-doctor` is passed. You can also add more accounts later:
199
+
200
+ ```bash
201
+ codex-antigravity login --count 2
202
+ codex-antigravity accounts
203
+ ```
204
+
205
+ Start the local gateway:
206
+
207
+ ```bash
208
+ codex-antigravity start
209
+ codex-antigravity start --background
210
+ ```
211
+
212
+ Background mode writes pid/log files under `~/.codex/`. The log file is append-only and created with private permissions; remove or rotate it manually if it grows too large.
213
+
214
+ Request diagnostics are written to a sanitized capped JSONL file under `~/.codex/antigravity-requests.jsonl`. The log records request ids, model/route metadata, latency, status, retry/rotation hints, HTTP status, usage totals when available, and redacted error classes/messages. It never stores prompts, request bodies, OAuth material, provider keys, or account emails.
215
+
216
+ ```bash
217
+ codex-antigravity logs --tail 20
218
+ codex-antigravity logs --follow
219
+ codex-antigravity logs clean
220
+ curl http://127.0.0.1:51122/health
221
+ ```
222
+
223
+ The loopback-only `/health` endpoint reports process health, native model count, BYOK route visibility, anonymous account cooldown summaries, and the request-log path.
224
+
225
+ ### Model catalog overlays
226
+
227
+ Built-in Claude/Gemini model definitions remain authoritative, but you can add local model-picker entries in `~/.codex/antigravity-models.toml`:
228
+
229
+ ```bash
230
+ codex-antigravity models list
231
+ codex-antigravity models add claude-experimental \
232
+ --backend-id claude-experimental-backend \
233
+ --display-name "Claude Experimental" \
234
+ --family claude \
235
+ --context-window 200000 \
236
+ --default-reasoning-level high \
237
+ --alias claude-exp
238
+ codex-antigravity models doctor
239
+ codex-antigravity models remove claude-experimental
240
+ ```
241
+
242
+ Overlay ids must be simple printable model ids, cannot shadow built-in ids, backend ids, or aliases unless `--force` is explicit, and only appear in Codex's picker when the gateway advertises them through `/v1/models`. Runtime catalog loads fail soft to built-ins if the local overlay TOML is malformed; `models list` and `models doctor` stay strict so you can find and repair the overlay. Unknown direct Google model ids can still pass through, but picker visibility requires a built-in or overlay definition.
243
+
244
+ ### BYOK providers
245
+
246
+ Built-in presets are available for OpenRouter, DeepSeek, xAI, Kimi/Moonshot, Ollama, OpenCode-compatible local servers, and custom OpenAI-compatible APIs:
247
+
248
+ ```bash
249
+ codex-antigravity provider presets
250
+ codex-antigravity provider set deepseek --api-key-env DEEPSEEK_API_KEY --model deepseek-chat --model deepseek-reasoner
251
+ codex-antigravity provider set openrouter --api-key-env OPENROUTER_API_KEY --model deepseek/deepseek-chat
252
+ codex-antigravity provider set xai --api-key-env XAI_API_KEY --model grok-code-fast-1
253
+ codex-antigravity provider set kimi --api-key-env KIMI_API_KEY --model kimi-k2-0711-preview
254
+ codex-antigravity provider set ollama --base-url http://localhost:11434/v1 --model gpt-oss:20b
255
+ codex-antigravity provider list
256
+ ```
257
+
258
+ For BYOK-only use, point Codex at a BYOK model when writing the provider block:
259
+
260
+ ```bash
261
+ codex-antigravity configure-codex --write --model deepseek:deepseek-chat
262
+ codex-antigravity doctor --byok-only
263
+ ```
264
+
265
+ `--api-key-env` avoids persisting provider keys and reads them from the gateway process environment. If you intentionally want a provider key stored locally, pass `--api-key`; stored provider keys are encrypted in `~/.codex/antigravity-providers.json`. Built-in provider env vars include `OPENROUTER_API_KEY`, `DEEPSEEK_API_KEY`, `XAI_API_KEY`, `KIMI_API_KEY`, `MOONSHOT_API_KEY`, `OLLAMA_API_KEY`, and `OPENCODE_API_KEY`.
266
+ The `/v1/models` catalog only advertises BYOK models when the provider has a usable stored/env key or explicitly supports key-optional loopback/local use. The generic `custom` preset is not auto-enabled; run `codex-antigravity provider set custom --base-url ... --model ...` before routing `custom:model`.
267
+ When `provider set` is given `--api-key-env`, models are configured but remain hidden from `/v1/models` until that environment variable is available to the running gateway.
268
+ Provider ids reserve model-name separators and may only contain letters, numbers, underscores, and hyphens; model ids themselves may still contain `/` or `:`, but not whitespace or control characters. Unknown `provider:model` prefixes are rejected as BYOK routing errors before any Google account selection.
269
+ Custom provider and Codex gateway base URLs must be absolute `http` or `https` URLs without embedded credentials, whitespace/control characters, query strings, fragments, invalid ports, or malformed bracketed hosts. Plain `http` base URLs are accepted only for loopback/local hosts; remote BYOK providers and remote gateway URLs must use `https`. Non-preset custom BYOK providers must provide a base URL before models are exposed. Stored/env BYOK API keys and extra BYOK provider header values must be printable ASCII without control characters; model-picker display names must not contain control characters. Provider API-key env var names must contain only letters, numbers, and underscores and must not start with a number. Extra headers may not override gateway-managed auth, content, host, or transport headers. Invalid BYOK provider URLs, API keys, env vars, model ids, display names, and headers are rejected before config writes; invalid BYOK provider URLs, timeouts, headers, API keys, and missing API keys are also rejected before streaming starts so Codex gets a normal HTTP error instead of a partial SSE response. Key-optional BYOK providers are only treated as keyless on loopback/local base URLs; remote custom or cloud URLs need a usable stored or env API key before they appear in Codex's picker or route requests. Function/tool names and forced `tool_choice` function names must contain only letters, numbers, underscores, and hyphens, and be 1-64 characters; malformed names are rejected or dropped before routing. Non-streaming Google failure responses use a structured `detail` object with `message` and sanitized `diagnostics`; clients should handle both this shape and older string details. BYOK streams surface provider error frames as failed Responses API streams instead of successful empty completions, ignore never-named tool-call deltas, and wait for complete valid streamed function names instead of emitting empty, partial, or malformed function names. BYOK structured tool outputs are serialized to JSON text before being sent as Chat Completions tool messages.
270
+
271
+ The `configure-codex --write` helper writes this equivalent TOML into `~/.codex/config.toml` after validation:
272
+
273
+ ```toml
274
+ model = "claude-3.5-sonnet"
275
+ model_provider = "antigravity"
276
+ wire_api = "responses"
277
+
278
+ [model_providers.antigravity]
279
+ name = "Google Antigravity"
280
+ base_url = "http://localhost:51122/v1"
281
+ wire_api = "responses"
282
+ ```
283
+
284
+ ## Verification
285
+
286
+ To run connection check diagnostics and verify token security:
287
+ ```bash
288
+ codex-antigravity doctor
289
+ codex-antigravity doctor --codex-ready
290
+ codex-antigravity doctor --byok-only
291
+ ```
292
+
293
+ `doctor` parses the active Codex config, verifies `model_provider = "antigravity"` and the matching provider `base_url`, and exits non-zero on hard readiness failures. `doctor --codex-ready` additionally checks that the gateway is reachable, `/v1/models` advertises the selected Codex model, the model routes to Google or BYOK correctly, and the selected Google family has usable rotation state. Use `--config /path/to/config.toml` to verify a non-default Codex config.
294
+
295
+ The gateway binds to `127.0.0.1` by default. Binding to a non-loopback host requires both `--allow-remote` and an `ANTIGRAVITY_GATEWAY_TOKEN` of at least 32 visible ASCII characters; remote callers must send `Authorization: Bearer <token>`. The built-in server still speaks plain HTTP, so use remote mode only behind a trusted tunnel, local network boundary, or TLS-terminating proxy.
296
+
297
+ And execute full unit test coverage:
298
+ ```bash
299
+ python3 -m pytest
300
+ ```
301
+
302
+ ## Release Automation
303
+
304
+ Tagged releases are prepared for PyPI Trusted Publishing. The `.github/workflows/publish.yml` workflow runs on `v*` tags, builds sdist/wheel artifacts, checks them with Twine, uploads the artifacts between jobs, and publishes with `pypa/gh-action-pypi-publish@release/v1` using OIDC (`id-token: write`) in the `pypi` environment.
305
+
306
+ Before the first PyPI publish, configure the PyPI project `codex-antigravity-auth` with a trusted publisher for this GitHub repository, workflow file `.github/workflows/publish.yml`, and environment `pypi`. No local PyPI API token is required or expected.
@@ -0,0 +1,274 @@
1
+ # Codex Antigravity Auth
2
+
3
+ Create a clean, reliable local gateway server that makes Google Antigravity Claude Opus/Sonnet feel native in OpenAI Codex (CLI or Desktop), with Gemini and BYOK OpenAI-compatible providers still available.
4
+
5
+ ## Features
6
+ - **OS-Native Keyring Encryption**: Encrypts Google account tokens and stored BYOK provider config at rest via macOS Keychain, Windows Credential Manager, Linux Secret Service, or a private local fallback key.
7
+ - **Transaction-Safe Cooldown Rotations**: Automatically rotates accounts on backend failures (such as `401`, `403`, or `429` rate limiters) with clean exponential backoff.
8
+ - **High-Fidelity SSE Translation**: Translates stream candidate envelopes, role alignments, reasoning-text deltas, function-call items, and VALIDATED tool parameter modes into Responses API events.
9
+ - **BYOK Provider Routing**: Route model IDs like `deepseek:deepseek-chat`, `xai:grok-code-fast-1`, `kimi:kimi-k2-0711-preview`, `openrouter:deepseek/deepseek-chat`, and custom OpenAI-compatible endpoints through encrypted API-key config.
10
+
11
+ ## Installation
12
+
13
+ From GitHub:
14
+
15
+ ```bash
16
+ uv tool install "git+https://github.com/Reedtrullz/codex-antigravity-auth.git"
17
+ ```
18
+
19
+ From a source checkout:
20
+
21
+ ```bash
22
+ uv tool install .
23
+ ```
24
+
25
+ For active development, keep it editable:
26
+
27
+ ```bash
28
+ uv tool install --editable .
29
+ ```
30
+
31
+ If you are already inside a project virtual environment, this also works:
32
+
33
+ ```bash
34
+ uv pip install -e .
35
+ ```
36
+
37
+ ## Configuration
38
+
39
+ The recommended first-run path is the primary setup command. It validates OAuth credentials, runs Google login, writes Codex config only when `--write` is present, can install the optional `$anti` helper skill, starts the gateway in the background, waits for `/v1/models`, and ends with Codex readiness diagnostics:
40
+
41
+ ```bash
42
+ codex-antigravity setup --write --accounts 1 --model claude-3.5-sonnet --install-skill --start
43
+ ```
44
+
45
+ When `--base-url` is omitted, `setup` derives `http://localhost:<port>/v1` from `--port`; if both `--start --port` and `--base-url` are supplied, their ports must match so Codex is not configured for a different gateway than the one just started.
46
+
47
+ For a read-only preflight that does not mutate OAuth, Codex config, skills, or gateway state:
48
+
49
+ ```bash
50
+ codex-antigravity setup --check
51
+ codex-antigravity setup --json
52
+ ```
53
+
54
+ After setup, inspect native Codex readiness and gateway lifecycle with:
55
+
56
+ ```bash
57
+ codex-antigravity status
58
+ codex-antigravity doctor --codex-ready
59
+ codex-antigravity doctor --codex-ready --json
60
+ codex-antigravity stop
61
+ ```
62
+
63
+ For reboot persistence, install the per-user gateway service after a successful setup:
64
+
65
+ ```bash
66
+ codex-antigravity service install --port 51122 --host 127.0.0.1
67
+ codex-antigravity service status
68
+ codex-antigravity service uninstall
69
+ ```
70
+
71
+ On macOS this writes a user LaunchAgent under `~/Library/LaunchAgents`; on Linux it writes a systemd user unit under `~/.config/systemd/user`; on Windows it creates a per-user Scheduled Task. The regular `start --background` command remains the lightweight non-persistent option.
72
+
73
+ If your Codex provider block drifts, repair only the Codex config without OAuth login, skill install, or gateway mutation:
74
+
75
+ ```bash
76
+ codex-antigravity setup --repair --config ~/.codex/config.toml --model claude-3.5-sonnet
77
+ ```
78
+
79
+ Install the Codex provider block:
80
+
81
+ ```bash
82
+ codex-antigravity configure-codex --write
83
+ ```
84
+
85
+ The command validates the Codex model id, provider id, provider name, and gateway base URL before writing. It updates `~/.codex/config.toml` through a private atomic write, follows an existing symlink to update the real config target, and writes a timestamped private backup first when it changes an existing config. To inspect the TOML without writing it:
86
+
87
+ ```bash
88
+ codex-antigravity configure-codex
89
+ ```
90
+
91
+ Install the optional Codex `$anti` helper skill that ships with this repo:
92
+
93
+ ```bash
94
+ codex-antigravity install-skill
95
+ ```
96
+
97
+ This copies the bundled skill into `~/.codex/skills/anti` for optional review/planning workflows after Claude is already available in Codex. It can use Antigravity Opus/Sonnet as a helper reviewer, consult lane, deep work planner, and bounded multi-model panel from chat prompts like `$anti review this diff with opus`. If you already have a local `anti` skill, the command refuses to overwrite it unless you pass `--force`; forced installs back up the existing skill under a sibling `skills-backups` directory so backups are not indexed as live skills.
98
+
99
+ To verify the V2 helper workflow surface without changing Codex config, run:
100
+
101
+ ```bash
102
+ codex-antigravity setup-v2
103
+ codex-antigravity install-skill --verify
104
+ # If setup-v2 warns that an existing anti skill is stale or locally modified:
105
+ codex-antigravity install-skill --force --verify
106
+ ```
107
+
108
+ `setup-v2 --write` installs or refreshes the bundled skill, but it does not write `~/.codex/config.toml`; use primary `setup --write`, `setup-google`, or `configure-codex --write` when you explicitly want Codex itself pointed at the gateway.
109
+ If an existing `anti` skill differs from the bundled copy, pass `--force` with `install-skill` or `setup-v2 --write` to back it up and replace it before verifying. BYOK provider identity/key checks are skipped by default; add `--check-byok` when you want setup-v2 to inspect provider readiness and confirm configured provider models are advertised by the running gateway.
110
+
111
+ The skill also ships a helper-level panel mode inspired by MoA/Fusion workflows. Codex remains the acting agent; the helper fans out to gateway-advertised models, asks a judge model to synthesize consensus, contradictions, blind spots, and next actions, then returns advisory output for Codex to verify:
112
+
113
+ ```bash
114
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode review --scope staged
115
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode plan --scope working-tree --prompt "Plan this PR"
116
+ python3 ~/.codex/skills/anti/scripts/anti.py panel --mode ask --model sonnet --model openrouter:deepseek/deepseek-chat --judge opus --prompt "Compare these approaches"
117
+ ```
118
+
119
+ Panel consensus is not proof and should not patch code directly. BYOK panel models such as `openrouter:...` only work when the running gateway advertises them in `/v1/models`, which requires usable provider keys or a key-optional local provider setup.
120
+
121
+ V2 named workflow presets wrap the same advisory engine for common Codex work:
122
+
123
+ ```bash
124
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow review-ready --scope staged
125
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow plan-deep --scope working-tree --prompt "Plan this PR" --progress
126
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow ship-gate --scope diff --base origin/main --json
127
+ python3 ~/.codex/skills/anti/scripts/anti.py workflow provider-compare --model sonnet --model openrouter:deepseek/deepseek-chat --prompt "Compare these approaches"
128
+ python3 ~/.codex/skills/anti/scripts/anti.py runs list
129
+ ```
130
+
131
+ Workflow runs save sanitized summaries under `~/.codex/anti-runs` by default; primitive `consult`, `plan`, `review`, and `panel` commands default to not writing a ledger unless `--save-output summary` or `--save-output full` is passed. `--fallback-model sonnet --fallback-policy on-retryable` and `--progress` are available for long-running model calls that may otherwise fail silently or hit transient backend rotation errors.
132
+
133
+ Before running `codex-antigravity login`, create a Google OAuth desktop client. The local callback listener uses:
134
+
135
+ ```text
136
+ http://localhost:51121/oauth-callback
137
+ ```
138
+
139
+ Then either export the client credentials:
140
+
141
+ ```bash
142
+ export ANTIGRAVITY_CLIENT_ID="your-client-id.apps.googleusercontent.com"
143
+ export ANTIGRAVITY_CLIENT_SECRET="your-client-secret"
144
+ ```
145
+
146
+ Or write them to `~/.codex/antigravity-credentials.json`. This client-credential file is plaintext but permission-repaired to `0600`; account tokens are stored separately in encrypted storage.
147
+
148
+ ```json
149
+ {
150
+ "client_id": "your-client-id.apps.googleusercontent.com",
151
+ "client_secret": "your-client-secret"
152
+ }
153
+ ```
154
+
155
+ Then run the interactive login:
156
+ ```bash
157
+ codex-antigravity login
158
+ ```
159
+
160
+ For first-run native Claude setup, prefer `setup --write`. For the older Google-only flow, or when you want several Google accounts in the rotation pool without installing the skill or starting the gateway, use:
161
+
162
+ ```bash
163
+ codex-antigravity setup-google --accounts 2
164
+ ```
165
+
166
+ `setup-google` first verifies that Google OAuth client credentials are configured, then runs the browser OAuth flow before writing Codex config. That keeps Codex config untouched if login cannot start or complete. It forces Google's account chooser for multi-account setup, stores each account in the encrypted rotation pool, clears stale cooldown state for re-authenticated accounts, writes the Codex provider block after successful login unless `--skip-codex-config` is passed, and runs `doctor` against the same config path unless `--skip-doctor` is passed. You can also add more accounts later:
167
+
168
+ ```bash
169
+ codex-antigravity login --count 2
170
+ codex-antigravity accounts
171
+ ```
172
+
173
+ Start the local gateway:
174
+
175
+ ```bash
176
+ codex-antigravity start
177
+ codex-antigravity start --background
178
+ ```
179
+
180
+ Background mode writes pid/log files under `~/.codex/`. The log file is append-only and created with private permissions; remove or rotate it manually if it grows too large.
181
+
182
+ Request diagnostics are written to a sanitized capped JSONL file under `~/.codex/antigravity-requests.jsonl`. The log records request ids, model/route metadata, latency, status, retry/rotation hints, HTTP status, usage totals when available, and redacted error classes/messages. It never stores prompts, request bodies, OAuth material, provider keys, or account emails.
183
+
184
+ ```bash
185
+ codex-antigravity logs --tail 20
186
+ codex-antigravity logs --follow
187
+ codex-antigravity logs clean
188
+ curl http://127.0.0.1:51122/health
189
+ ```
190
+
191
+ The loopback-only `/health` endpoint reports process health, native model count, BYOK route visibility, anonymous account cooldown summaries, and the request-log path.
192
+
193
+ ### Model catalog overlays
194
+
195
+ Built-in Claude/Gemini model definitions remain authoritative, but you can add local model-picker entries in `~/.codex/antigravity-models.toml`:
196
+
197
+ ```bash
198
+ codex-antigravity models list
199
+ codex-antigravity models add claude-experimental \
200
+ --backend-id claude-experimental-backend \
201
+ --display-name "Claude Experimental" \
202
+ --family claude \
203
+ --context-window 200000 \
204
+ --default-reasoning-level high \
205
+ --alias claude-exp
206
+ codex-antigravity models doctor
207
+ codex-antigravity models remove claude-experimental
208
+ ```
209
+
210
+ Overlay ids must be simple printable model ids, cannot shadow built-in ids, backend ids, or aliases unless `--force` is explicit, and only appear in Codex's picker when the gateway advertises them through `/v1/models`. Runtime catalog loads fail soft to built-ins if the local overlay TOML is malformed; `models list` and `models doctor` stay strict so you can find and repair the overlay. Unknown direct Google model ids can still pass through, but picker visibility requires a built-in or overlay definition.
211
+
212
+ ### BYOK providers
213
+
214
+ Built-in presets are available for OpenRouter, DeepSeek, xAI, Kimi/Moonshot, Ollama, OpenCode-compatible local servers, and custom OpenAI-compatible APIs:
215
+
216
+ ```bash
217
+ codex-antigravity provider presets
218
+ codex-antigravity provider set deepseek --api-key-env DEEPSEEK_API_KEY --model deepseek-chat --model deepseek-reasoner
219
+ codex-antigravity provider set openrouter --api-key-env OPENROUTER_API_KEY --model deepseek/deepseek-chat
220
+ codex-antigravity provider set xai --api-key-env XAI_API_KEY --model grok-code-fast-1
221
+ codex-antigravity provider set kimi --api-key-env KIMI_API_KEY --model kimi-k2-0711-preview
222
+ codex-antigravity provider set ollama --base-url http://localhost:11434/v1 --model gpt-oss:20b
223
+ codex-antigravity provider list
224
+ ```
225
+
226
+ For BYOK-only use, point Codex at a BYOK model when writing the provider block:
227
+
228
+ ```bash
229
+ codex-antigravity configure-codex --write --model deepseek:deepseek-chat
230
+ codex-antigravity doctor --byok-only
231
+ ```
232
+
233
+ `--api-key-env` avoids persisting provider keys and reads them from the gateway process environment. If you intentionally want a provider key stored locally, pass `--api-key`; stored provider keys are encrypted in `~/.codex/antigravity-providers.json`. Built-in provider env vars include `OPENROUTER_API_KEY`, `DEEPSEEK_API_KEY`, `XAI_API_KEY`, `KIMI_API_KEY`, `MOONSHOT_API_KEY`, `OLLAMA_API_KEY`, and `OPENCODE_API_KEY`.
234
+ The `/v1/models` catalog only advertises BYOK models when the provider has a usable stored/env key or explicitly supports key-optional loopback/local use. The generic `custom` preset is not auto-enabled; run `codex-antigravity provider set custom --base-url ... --model ...` before routing `custom:model`.
235
+ When `provider set` is given `--api-key-env`, models are configured but remain hidden from `/v1/models` until that environment variable is available to the running gateway.
236
+ Provider ids reserve model-name separators and may only contain letters, numbers, underscores, and hyphens; model ids themselves may still contain `/` or `:`, but not whitespace or control characters. Unknown `provider:model` prefixes are rejected as BYOK routing errors before any Google account selection.
237
+ Custom provider and Codex gateway base URLs must be absolute `http` or `https` URLs without embedded credentials, whitespace/control characters, query strings, fragments, invalid ports, or malformed bracketed hosts. Plain `http` base URLs are accepted only for loopback/local hosts; remote BYOK providers and remote gateway URLs must use `https`. Non-preset custom BYOK providers must provide a base URL before models are exposed. Stored/env BYOK API keys and extra BYOK provider header values must be printable ASCII without control characters; model-picker display names must not contain control characters. Provider API-key env var names must contain only letters, numbers, and underscores and must not start with a number. Extra headers may not override gateway-managed auth, content, host, or transport headers. Invalid BYOK provider URLs, API keys, env vars, model ids, display names, and headers are rejected before config writes; invalid BYOK provider URLs, timeouts, headers, API keys, and missing API keys are also rejected before streaming starts so Codex gets a normal HTTP error instead of a partial SSE response. Key-optional BYOK providers are only treated as keyless on loopback/local base URLs; remote custom or cloud URLs need a usable stored or env API key before they appear in Codex's picker or route requests. Function/tool names and forced `tool_choice` function names must contain only letters, numbers, underscores, and hyphens, and be 1-64 characters; malformed names are rejected or dropped before routing. Non-streaming Google failure responses use a structured `detail` object with `message` and sanitized `diagnostics`; clients should handle both this shape and older string details. BYOK streams surface provider error frames as failed Responses API streams instead of successful empty completions, ignore never-named tool-call deltas, and wait for complete valid streamed function names instead of emitting empty, partial, or malformed function names. BYOK structured tool outputs are serialized to JSON text before being sent as Chat Completions tool messages.
238
+
239
+ The `configure-codex --write` helper writes this equivalent TOML into `~/.codex/config.toml` after validation:
240
+
241
+ ```toml
242
+ model = "claude-3.5-sonnet"
243
+ model_provider = "antigravity"
244
+ wire_api = "responses"
245
+
246
+ [model_providers.antigravity]
247
+ name = "Google Antigravity"
248
+ base_url = "http://localhost:51122/v1"
249
+ wire_api = "responses"
250
+ ```
251
+
252
+ ## Verification
253
+
254
+ To run connection check diagnostics and verify token security:
255
+ ```bash
256
+ codex-antigravity doctor
257
+ codex-antigravity doctor --codex-ready
258
+ codex-antigravity doctor --byok-only
259
+ ```
260
+
261
+ `doctor` parses the active Codex config, verifies `model_provider = "antigravity"` and the matching provider `base_url`, and exits non-zero on hard readiness failures. `doctor --codex-ready` additionally checks that the gateway is reachable, `/v1/models` advertises the selected Codex model, the model routes to Google or BYOK correctly, and the selected Google family has usable rotation state. Use `--config /path/to/config.toml` to verify a non-default Codex config.
262
+
263
+ The gateway binds to `127.0.0.1` by default. Binding to a non-loopback host requires both `--allow-remote` and an `ANTIGRAVITY_GATEWAY_TOKEN` of at least 32 visible ASCII characters; remote callers must send `Authorization: Bearer <token>`. The built-in server still speaks plain HTTP, so use remote mode only behind a trusted tunnel, local network boundary, or TLS-terminating proxy.
264
+
265
+ And execute full unit test coverage:
266
+ ```bash
267
+ python3 -m pytest
268
+ ```
269
+
270
+ ## Release Automation
271
+
272
+ Tagged releases are prepared for PyPI Trusted Publishing. The `.github/workflows/publish.yml` workflow runs on `v*` tags, builds sdist/wheel artifacts, checks them with Twine, uploads the artifacts between jobs, and publishes with `pypa/gh-action-pypi-publish@release/v1` using OIDC (`id-token: write`) in the `pypi` environment.
273
+
274
+ Before the first PyPI publish, configure the PyPI project `codex-antigravity-auth` with a trusted publisher for this GitHub repository, workflow file `.github/workflows/publish.yml`, and environment `pypi`. No local PyPI API token is required or expected.
@@ -0,0 +1,15 @@
1
+ """Codex Antigravity Auth package."""
2
+
3
+ __all__ = ["app", "main"]
4
+
5
+
6
+ def __getattr__(name):
7
+ if name == "app":
8
+ from .server import app
9
+
10
+ return app
11
+ if name == "main":
12
+ from .cli import main
13
+
14
+ return main
15
+ raise AttributeError(name)