codex-auth-helper 0.1.0__tar.gz

codex_auth_helper-0.1.0/.gitignore

@@ -0,0 +1,207 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/

codex_auth_helper-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vCode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

codex_auth_helper-0.1.0/PKG-INFO

@@ -0,0 +1,156 @@
+Metadata-Version: 2.4
+Name: codex-auth-helper
+Version: 0.1.0
+Summary: Codex auth helpers for pydantic-ai OpenAI Responses models.
+Project-URL: Homepage, https://github.com/vcoderun/codex-auth-helper
+Project-URL: Issues, https://github.com/vcoderun/codex-auth-helper/issues
+Project-URL: Repository, https://github.com/vcoderun/codex-auth-helper
+License: MIT
+License-File: LICENSE
+Requires-Python: >=3.11
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: openai>=1.109.1
+Requires-Dist: pydantic-ai-slim>=1.73.0
+Requires-Dist: typing-extensions>=4.12.0
+Description-Content-Type: text/markdown
+
+# codex-auth-helper
+
+`codex-auth-helper` turns an existing local Codex auth session into a
+`pydantic-ai` model.
+
+It reads `~/.codex/auth.json`, refreshes access tokens when needed, builds a
+custom `AsyncOpenAI` client for the Codex Responses endpoint, and returns a
+ready-to-use `CodexResponsesModel`.
+
+## What It Does
+
+- Reads tokens from `~/.codex/auth.json`
+- Derives `ChatGPT-Account-Id` from the auth file or token claims
+- Refreshes expired access tokens with `https://auth.openai.com/oauth/token`
+- Writes refreshed tokens back to the auth file
+- Builds an OpenAI-compatible client pointed at `https://chatgpt.com/backend-api/codex`
+- Returns a `pydantic-ai` responses model that already applies the Codex backend requirements
+
+The helper enforces two backend-specific behaviors for you:
+
+- `openai_store=False`
+- streamed responses even when `pydantic-ai` calls the non-streamed `request()` path
+
+## What It Does Not Do
+
+- It does not log you into Codex
+- It does not create `~/.codex/auth.json`
+- It does not currently support `pydantic_ai.models.openai.OpenAIChatModel` or Chat Completions flows
+- `OpenAIChatModel` support is planned for a later release
+- It does not replace `pydantic-ai`; it only provides a model/client factory
+
+## Install
+
+```bash
+uv pip install codex-auth-helper
+```
+
+You also need an existing Codex auth session on the same machine:
+
+```text
+~/.codex/auth.json
+```
+
+If you have not logged in yet:
+
+```bash
+codex login
+```
+
+## Quick Start
+
+```python
+from codex_auth_helper import create_codex_responses_model
+from pydantic_ai import Agent
+
+model = create_codex_responses_model("gpt-5")
+agent = Agent(model, instructions="You are a helpful coding assistant.")
+
+result = agent.run_sync("Naber")
+print(result.output)
+```
+
+## Custom Auth Path
+
+If you want to read a different auth file, pass a custom config:
+
+```python
+from pathlib import Path
+
+from codex_auth_helper import CodexAuthConfig, create_codex_responses_model
+
+config = CodexAuthConfig(auth_path=Path("/tmp/codex-auth.json"))
+model = create_codex_responses_model("gpt-5", config=config)
+```
+
+## Passing Extra OpenAI Responses Settings
+
+Additional `OpenAIResponsesModelSettings` can still be passed through. The helper
+keeps `openai_store=False` unless you explicitly override the model after
+construction.
+
+```python
+from codex_auth_helper import create_codex_responses_model
+
+model = create_codex_responses_model(
+    "gpt-5",
+    settings={
+        "openai_reasoning_summary": "concise",
+    },
+)
+```
+
+## Lower-Level Client Factory
+
+If you only want the authenticated OpenAI client, use `create_codex_async_openai(...)`:
+
+```python
+from codex_auth_helper import create_codex_async_openai
+
+client = create_codex_async_openai()
+```
+
+This returns `CodexAsyncOpenAI`, a subclass of `openai.AsyncOpenAI`.
+
+## Public API
+
+```python
+from codex_auth_helper import (
+    CodexAsyncOpenAI,
+    CodexAuthConfig,
+    CodexAuthState,
+    CodexAuthStore,
+    CodexResponsesModel,
+    CodexTokenManager,
+    create_codex_async_openai,
+    create_codex_responses_model,
+)
+```
+
+## Errors
+
+Typical failure modes:
+
+- `Codex auth file was not found ...`
+  The machine is not logged into Codex yet.
+- `Codex auth file ... does not contain valid JSON`
+  The auth file is corrupt or partially written.
+- `ModelHTTPError ... Store must be set to false`
+  Means you are not using the helper-backed model instance.
+- `ModelHTTPError ... Stream must be set to true`
+  Means you are not using `CodexResponsesModel`.
+
+## Package Notes
+
+This package is intentionally small and focused:
+
+- auth file parsing
+- token refresh
+- Codex-specific OpenAI client wiring
+- `pydantic-ai` responses model factory

codex_auth_helper-0.1.0/README.md

@@ -0,0 +1,140 @@
+# codex-auth-helper
+
+`codex-auth-helper` turns an existing local Codex auth session into a
+`pydantic-ai` model.
+
+It reads `~/.codex/auth.json`, refreshes access tokens when needed, builds a
+custom `AsyncOpenAI` client for the Codex Responses endpoint, and returns a
+ready-to-use `CodexResponsesModel`.
+
+## What It Does
+
+- Reads tokens from `~/.codex/auth.json`
+- Derives `ChatGPT-Account-Id` from the auth file or token claims
+- Refreshes expired access tokens with `https://auth.openai.com/oauth/token`
+- Writes refreshed tokens back to the auth file
+- Builds an OpenAI-compatible client pointed at `https://chatgpt.com/backend-api/codex`
+- Returns a `pydantic-ai` responses model that already applies the Codex backend requirements
+
+The helper enforces two backend-specific behaviors for you:
+
+- `openai_store=False`
+- streamed responses even when `pydantic-ai` calls the non-streamed `request()` path
+
+## What It Does Not Do
+
+- It does not log you into Codex
+- It does not create `~/.codex/auth.json`
+- It does not currently support `pydantic_ai.models.openai.OpenAIChatModel` or Chat Completions flows
+- `OpenAIChatModel` support is planned for a later release
+- It does not replace `pydantic-ai`; it only provides a model/client factory
+
+## Install
+
+```bash
+uv pip install codex-auth-helper
+```
+
+You also need an existing Codex auth session on the same machine:
+
+```text
+~/.codex/auth.json
+```
+
+If you have not logged in yet:
+
+```bash
+codex login
+```
+
+## Quick Start
+
+```python
+from codex_auth_helper import create_codex_responses_model
+from pydantic_ai import Agent
+
+model = create_codex_responses_model("gpt-5")
+agent = Agent(model, instructions="You are a helpful coding assistant.")
+
+result = agent.run_sync("Naber")
+print(result.output)
+```
+
+## Custom Auth Path
+
+If you want to read a different auth file, pass a custom config:
+
+```python
+from pathlib import Path
+
+from codex_auth_helper import CodexAuthConfig, create_codex_responses_model
+
+config = CodexAuthConfig(auth_path=Path("/tmp/codex-auth.json"))
+model = create_codex_responses_model("gpt-5", config=config)
+```
+
+## Passing Extra OpenAI Responses Settings
+
+Additional `OpenAIResponsesModelSettings` can still be passed through. The helper
+keeps `openai_store=False` unless you explicitly override the model after
+construction.
+
+```python
+from codex_auth_helper import create_codex_responses_model
+
+model = create_codex_responses_model(
+    "gpt-5",
+    settings={
+        "openai_reasoning_summary": "concise",
+    },
+)
+```
+
+## Lower-Level Client Factory
+
+If you only want the authenticated OpenAI client, use `create_codex_async_openai(...)`:
+
+```python
+from codex_auth_helper import create_codex_async_openai
+
+client = create_codex_async_openai()
+```
+
+This returns `CodexAsyncOpenAI`, a subclass of `openai.AsyncOpenAI`.
+
+## Public API
+
+```python
+from codex_auth_helper import (
+    CodexAsyncOpenAI,
+    CodexAuthConfig,
+    CodexAuthState,
+    CodexAuthStore,
+    CodexResponsesModel,
+    CodexTokenManager,
+    create_codex_async_openai,
+    create_codex_responses_model,
+)
+```
+
+## Errors
+
+Typical failure modes:
+
+- `Codex auth file was not found ...`
+  The machine is not logged into Codex yet.
+- `Codex auth file ... does not contain valid JSON`
+  The auth file is corrupt or partially written.
+- `ModelHTTPError ... Store must be set to false`
+  Means you are not using the helper-backed model instance.
+- `ModelHTTPError ... Stream must be set to true`
+  Means you are not using `CodexResponsesModel`.
+
+## Package Notes
+
+This package is intentionally small and focused:
+
+- auth file parsing
+- token refresh
+- Codex-specific OpenAI client wiring
+- `pydantic-ai` responses model factory

codex_auth_helper-0.1.0/pyproject.toml

@@ -0,0 +1,25 @@
+[project]
+name = "codex-auth-helper"
+version = "0.1.0"
+description = "Codex auth helpers for pydantic-ai OpenAI Responses models."
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "MIT" }
+dependencies = [
+    "httpx>=0.28.1",
+    "openai>=1.109.1",
+    "pydantic-ai-slim>=1.73.0",
+    "typing-extensions>=4.12.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/vcoderun/codex-auth-helper"
+Issues = "https://github.com/vcoderun/codex-auth-helper/issues"
+Repository = "https://github.com/vcoderun/codex-auth-helper"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/codex_auth_helper"]

codex_auth_helper-0.1.0/src/codex_auth_helper/__init__.py

@@ -0,0 +1,17 @@
+from __future__ import annotations as _annotations
+
+from .auth import CodexAuthConfig, CodexAuthState, CodexAuthStore, CodexTokenManager
+from .client import CodexAsyncOpenAI, create_codex_async_openai
+from .factory import create_codex_responses_model
+from .model import CodexResponsesModel
+
+__all__ = (
+    "CodexAsyncOpenAI",
+    "CodexAuthConfig",
+    "CodexAuthState",
+    "CodexResponsesModel",
+    "CodexAuthStore",
+    "CodexTokenManager",
+    "create_codex_async_openai",
+    "create_codex_responses_model",
+)

codex_auth_helper-0.1.0/src/codex_auth_helper/auth/__init__.py

@@ -0,0 +1,13 @@
+from __future__ import annotations as _annotations
+
+from .config import CodexAuthConfig
+from .manager import CodexTokenManager
+from .state import CodexAuthState
+from .store import CodexAuthStore
+
+__all__ = (
+    "CodexAuthConfig",
+    "CodexAuthState",
+    "CodexAuthStore",
+    "CodexTokenManager",
+)

codex_auth_helper-0.1.0/src/codex_auth_helper/auth/config.py

@@ -0,0 +1,22 @@
+from __future__ import annotations as _annotations
+
+from dataclasses import dataclass, field
+from datetime import timedelta
+from pathlib import Path
+
+__all__ = ("CodexAuthConfig",)
+
+
+def default_auth_path() -> Path:
+    return Path.home() / ".codex" / "auth.json"
+
+
+@dataclass(frozen=True, slots=True)
+class CodexAuthConfig:
+    auth_path: Path = field(default_factory=default_auth_path)
+    api_base_url: str = "https://chatgpt.com/backend-api/codex"
+    client_id: str = "app_EMoamEEZ73f0CkXaXp7hrann"
+    default_token_ttl: timedelta = timedelta(hours=1)
+    issuer: str = "https://auth.openai.com"
+    refresh_margin: timedelta = timedelta(seconds=30)
+    timeout_seconds: float = 30.0

codex_auth_helper-0.1.0/src/codex_auth_helper/auth/manager.py

@@ -0,0 +1,115 @@
+from __future__ import annotations as _annotations
+
+import asyncio
+from collections.abc import Mapping
+from dataclasses import dataclass, field
+from datetime import UTC, datetime
+
+import httpx
+
+from .config import CodexAuthConfig
+from .state import CodexAuthState
+from .store import CodexAuthStore
+
+__all__ = ("CodexTokenManager",)
+
+
+def _now_utc() -> datetime:
+    return datetime.now(tz=UTC)
+
+
+def _response_mapping(response: httpx.Response) -> dict[str, object]:
+    payload = response.json()
+    if not isinstance(payload, dict):
+        raise ValueError("Expected the token endpoint to return an object.")
+    return payload
+
+
+def _string_value(data: Mapping[str, object], key: str) -> str | None:
+    value = data.get(key)
+    return value if isinstance(value, str) and value else None
+
+
+@dataclass(slots=True)
+class CodexTokenManager:
+    config: CodexAuthConfig
+    store: CodexAuthStore
+    http_client: httpx.AsyncClient
+    owns_http_client: bool = False
+    _lock: asyncio.Lock = field(default_factory=asyncio.Lock, init=False)
+    _state: CodexAuthState = field(init=False, repr=False)
+
+    def __post_init__(self) -> None:
+        self._state = self.store.read_state()
+
+    @property
+    def current_state(self) -> CodexAuthState:
+        return self._state
+
+    @property
+    def current_account_id(self) -> str | None:
+        return self._state.account_id
+
+    async def close(self) -> None:
+        if self.owns_http_client:
+            await self.http_client.aclose()
+
+    async def get_access_token(self) -> str:
+        async with self._lock:
+            if self._should_refresh(self._state):
+                self._state = await self._refresh_locked()
+            return self._state.access_token
+
+    async def prepare_account_header(self, request: httpx.Request) -> None:
+        if request.url.host != "chatgpt.com":
+            return
+        account_id = self.current_account_id
+        if account_id is not None:
+            request.headers["ChatGPT-Account-Id"] = account_id
+
+    def _refresh_deadline(self, state: CodexAuthState) -> datetime | None:
+        if state.expires_at is not None:
+            return state.expires_at
+        if state.last_refresh is not None:
+            return state.last_refresh + self.config.default_token_ttl
+        return None
+
+    def _should_refresh(self, state: CodexAuthState) -> bool:
+        deadline = self._refresh_deadline(state)
+        if deadline is None:
+            return False
+        return deadline <= _now_utc() + self.config.refresh_margin
+
+    async def _refresh_locked(self) -> CodexAuthState:
+        response = await self.http_client.post(
+            f"{self.config.issuer}/oauth/token",
+            content=str(
+                httpx.QueryParams(
+                    {
+                        "client_id": self.config.client_id,
+                        "grant_type": "refresh_token",
+                        "refresh_token": self._state.refresh_token,
+                    }
+                )
+            ),
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+        response.raise_for_status()
+
+        payload = _response_mapping(response)
+        refreshed_state = CodexAuthState.from_json_dict(
+            {
+                "OPENAI_API_KEY": self._state.openai_api_key,
+                "auth_mode": self._state.auth_mode,
+                "last_refresh": _now_utc().isoformat().replace("+00:00", "Z"),
+                "tokens": {
+                    "access_token": _string_value(payload, "access_token"),
+                    "account_id": _string_value(payload, "account_id") or self._state.account_id,
+                    "id_token": _string_value(payload, "id_token") or self._state.id_token,
+                    "refresh_token": _string_value(payload, "refresh_token")
+                    or self._state.refresh_token,
+                },
+            }
+        )
+        self.store.write_state(refreshed_state)
+        return refreshed_state

codex_auth_helper-0.1.0/src/codex_auth_helper/auth/state.py

@@ -0,0 +1,165 @@
+from __future__ import annotations as _annotations
+
+import base64
+import json
+from collections.abc import Mapping
+from dataclasses import dataclass
+from datetime import UTC, datetime
+from typing import Final
+
+__all__ = ("CodexAuthState",)
+
+_AUTH_CLAIMS_KEY: Final[str] = "https://api.openai.com/auth"
+_ORGANIZATIONS_KEY: Final[str] = "organizations"
+
+
+def _require_str(data: dict[str, object], key: str) -> str:
+    value = data.get(key)
+    if not isinstance(value, str) or not value:
+        raise ValueError(f"Expected a non-empty string for `{key}`.")
+    return value
+
+
+def _optional_str(data: dict[str, object], key: str) -> str | None:
+    value = data.get(key)
+    return value if isinstance(value, str) and value else None
+
+
+def _as_string_mapping(value: object) -> dict[str, object] | None:
+    if not isinstance(value, dict):
+        return None
+
+    normalized: dict[str, object] = {}
+    for key, item in value.items():
+        if isinstance(key, str):
+            normalized[key] = item
+    return normalized
+
+
+def _parse_timestamp(value: str | None) -> datetime | None:
+    if value is None:
+        return None
+    normalized = value.replace("Z", "+00:00")
+    return datetime.fromisoformat(normalized).astimezone(UTC)
+
+
+def _encode_timestamp(value: datetime | None) -> str | None:
+    if value is None:
+        return None
+    return value.astimezone(UTC).isoformat().replace("+00:00", "Z")
+
+
+def _parse_jwt_claims(token: str) -> dict[str, object] | None:
+    parts = token.split(".")
+    if len(parts) != 3:
+        return None
+    payload = parts[1] + "=" * (-len(parts[1]) % 4)
+    try:
+        claims = json.loads(base64.urlsafe_b64decode(payload.encode("utf-8")))
+    except (ValueError, json.JSONDecodeError):
+        return None
+    return _as_string_mapping(claims)
+
+
+def _extract_account_id_from_claims(claims: Mapping[str, object]) -> str | None:
+    direct_account_id = claims.get("chatgpt_account_id")
+    if isinstance(direct_account_id, str) and direct_account_id:
+        return direct_account_id
+
+    auth_claims = claims.get(_AUTH_CLAIMS_KEY)
+    auth_mapping = _as_string_mapping(auth_claims)
+    if auth_mapping is not None:
+        nested_account_id = auth_mapping.get("chatgpt_account_id")
+        if isinstance(nested_account_id, str) and nested_account_id:
+            return nested_account_id
+
+    organizations = claims.get(_ORGANIZATIONS_KEY)
+    if isinstance(organizations, list) and organizations:
+        organization = _as_string_mapping(organizations[0])
+        if organization is not None:
+            organization_id = organization.get("id")
+            if isinstance(organization_id, str) and organization_id:
+                return organization_id
+
+    return None
+
+
+def _extract_account_id(
+    *, access_token: str, account_id: str | None, id_token: str | None
+) -> str | None:
+    if account_id is not None:
+        return account_id
+
+    if id_token is not None:
+        id_claims = _parse_jwt_claims(id_token)
+        if id_claims is not None:
+            id_account_id = _extract_account_id_from_claims(id_claims)
+            if id_account_id is not None:
+                return id_account_id
+
+    access_claims = _parse_jwt_claims(access_token)
+    if access_claims is None:
+        return None
+    return _extract_account_id_from_claims(access_claims)
+
+
+def _extract_expiry(*, access_token: str, id_token: str | None) -> datetime | None:
+    for token in (id_token, access_token):
+        if token is None:
+            continue
+        claims = _parse_jwt_claims(token)
+        if claims is None:
+            continue
+        exp = claims.get("exp")
+        if isinstance(exp, int):
+            return datetime.fromtimestamp(exp, tz=UTC)
+    return None
+
+
+@dataclass(frozen=True, slots=True)
+class CodexAuthState:
+    access_token: str
+    refresh_token: str
+    account_id: str | None = None
+    auth_mode: str | None = None
+    expires_at: datetime | None = None
+    id_token: str | None = None
+    last_refresh: datetime | None = None
+    openai_api_key: str | None = None
+
+    @classmethod
+    def from_json_dict(cls, data: dict[str, object]) -> CodexAuthState:
+        tokens = _as_string_mapping(data.get("tokens"))
+        if tokens is None:
+            raise ValueError("Expected `tokens` to be an object.")
+
+        access_token = _require_str(tokens, "access_token")
+        id_token = _optional_str(tokens, "id_token")
+
+        return cls(
+            access_token=access_token,
+            refresh_token=_require_str(tokens, "refresh_token"),
+            account_id=_extract_account_id(
+                access_token=access_token,
+                account_id=_optional_str(tokens, "account_id"),
+                id_token=id_token,
+            ),
+            auth_mode=_optional_str(data, "auth_mode"),
+            expires_at=_extract_expiry(access_token=access_token, id_token=id_token),
+            id_token=id_token,
+            last_refresh=_parse_timestamp(_optional_str(data, "last_refresh")),
+            openai_api_key=_optional_str(data, "OPENAI_API_KEY"),
+        )
+
+    def to_json_dict(self) -> dict[str, object]:
+        return {
+            "OPENAI_API_KEY": self.openai_api_key,
+            "auth_mode": self.auth_mode,
+            "last_refresh": _encode_timestamp(self.last_refresh),
+            "tokens": {
+                "access_token": self.access_token,
+                "account_id": self.account_id,
+                "id_token": self.id_token,
+                "refresh_token": self.refresh_token,
+            },
+        }

codex_auth_helper-0.1.0/src/codex_auth_helper/auth/store.py

@@ -0,0 +1,37 @@
+from __future__ import annotations as _annotations
+
+import json
+from dataclasses import dataclass
+from json import JSONDecodeError
+from pathlib import Path
+
+from .state import CodexAuthState
+
+__all__ = ("CodexAuthStore",)
+
+
+@dataclass(slots=True)
+class CodexAuthStore:
+    path: Path
+
+    def read_state(self) -> CodexAuthState:
+        try:
+            text = self.path.read_text(encoding="utf-8")
+        except FileNotFoundError as exc:
+            raise FileNotFoundError(f"Codex auth file was not found at `{self.path}`.") from exc
+
+        try:
+            raw = json.loads(text)
+        except JSONDecodeError as exc:
+            raise ValueError(
+                f"Codex auth file at `{self.path}` does not contain valid JSON."
+            ) from exc
+
+        if not isinstance(raw, dict):
+            raise ValueError(f"Codex auth file at `{self.path}` must contain a JSON object.")
+        return CodexAuthState.from_json_dict(raw)
+
+    def write_state(self, state: CodexAuthState) -> None:
+        self.path.parent.mkdir(parents=True, exist_ok=True)
+        encoded = json.dumps(state.to_json_dict(), indent=2) + "\n"
+        self.path.write_text(encoded, encoding="utf-8")

codex_auth_helper-0.1.0/src/codex_auth_helper/client.py

@@ -0,0 +1,58 @@
+from __future__ import annotations as _annotations
+
+import httpx
+from openai import AsyncOpenAI, Omit
+from typing_extensions import override
+
+from .auth import CodexAuthConfig, CodexAuthStore, CodexTokenManager
+
+__all__ = ("CodexAsyncOpenAI", "create_codex_async_openai")
+
+
+class CodexAsyncOpenAI(AsyncOpenAI):
+    def __init__(
+        self,
+        *,
+        base_url: str,
+        http_client: httpx.AsyncClient,
+        token_manager: CodexTokenManager,
+    ) -> None:
+        self.token_manager = token_manager
+        super().__init__(
+            api_key=token_manager.get_access_token,
+            base_url=base_url,
+            http_client=http_client,
+        )
+
+    @property
+    @override
+    def default_headers(self) -> dict[str, str | Omit]:
+        headers = dict(super().default_headers)
+        account_id = self.token_manager.current_account_id
+        if account_id is not None:
+            headers["ChatGPT-Account-Id"] = account_id
+        return headers
+
+
+def create_codex_async_openai(
+    *,
+    config: CodexAuthConfig | None = None,
+    http_client: httpx.AsyncClient | None = None,
+) -> CodexAsyncOpenAI:
+    resolved_config = config or CodexAuthConfig()
+    owns_http_client = http_client is None
+    resolved_http_client = http_client or httpx.AsyncClient(
+        follow_redirects=True,
+        timeout=resolved_config.timeout_seconds,
+    )
+    token_manager = CodexTokenManager(
+        config=resolved_config,
+        store=CodexAuthStore(resolved_config.auth_path),
+        http_client=resolved_http_client,
+        owns_http_client=owns_http_client,
+    )
+    return CodexAsyncOpenAI(
+        base_url=resolved_config.api_base_url,
+        http_client=resolved_http_client,
+        token_manager=token_manager,
+    )

codex_auth_helper-0.1.0/src/codex_auth_helper/factory.py

@@ -0,0 +1,30 @@
+from __future__ import annotations as _annotations
+
+import httpx
+from pydantic_ai.models.openai import OpenAIResponsesModelSettings
+from pydantic_ai.providers.openai import OpenAIProvider
+
+from .auth import CodexAuthConfig
+from .client import create_codex_async_openai
+from .model import CodexResponsesModel
+
+__all__ = ("create_codex_responses_model",)
+
+
+def create_codex_responses_model(
+    model_name: str,
+    *,
+    config: CodexAuthConfig | None = None,
+    http_client: httpx.AsyncClient | None = None,
+    settings: OpenAIResponsesModelSettings | None = None,
+) -> CodexResponsesModel:
+    client = create_codex_async_openai(config=config, http_client=http_client)
+    model_settings: OpenAIResponsesModelSettings = {"openai_store": False}
+    if settings is not None:
+        model_settings.update(settings)
+        model_settings.setdefault("openai_store", False)
+    return CodexResponsesModel(
+        model_name,
+        provider=OpenAIProvider(openai_client=client),
+        settings=model_settings,
+    )

codex_auth_helper-0.1.0/src/codex_auth_helper/model.py

@@ -0,0 +1,25 @@
+from __future__ import annotations as _annotations
+
+from pydantic_ai.messages import ModelRequest, ModelResponse
+from pydantic_ai.models import ModelRequestParameters
+from pydantic_ai.models.openai import OpenAIResponsesModel
+from pydantic_ai.settings import ModelSettings
+
+__all__ = ("CodexResponsesModel",)
+
+
+class CodexResponsesModel(OpenAIResponsesModel):
+    async def request(
+        self,
+        messages: list[ModelRequest | ModelResponse],
+        model_settings: ModelSettings | None,
+        model_request_parameters: ModelRequestParameters,
+    ) -> ModelResponse:
+        async with super().request_stream(
+            messages,
+            model_settings,
+            model_request_parameters,
+        ) as streamed_response:
+            async for _ in streamed_response:
+                pass
+            return streamed_response.get()

codex_auth_helper-0.1.0/src/codex_auth_helper/py.typed

@@ -0,0 +1 @@
+