tsugite-codex-cli 0.15.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,5 @@
1
+ """Tsugite plugin: ChatGPT subscription auth via Codex CLI token store."""
2
+
3
+ from tsugite_codex_cli.provider import CodexCliProvider, create_provider
4
+
5
+ __all__ = ["CodexCliProvider", "create_provider"]
@@ -0,0 +1,166 @@
1
+ """Codex CLI OAuth token store: read, refresh, atomic writeback of ~/.codex/auth.json."""
2
+
3
+ from __future__ import annotations
4
+
5
+ import asyncio
6
+ import base64
7
+ import json
8
+ import os
9
+ import time
10
+ from pathlib import Path
11
+
12
+ import httpx
13
+ import portalocker
14
+
15
+ # Hardcoded OAuth client id used by the upstream Codex CLI.
16
+ CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
17
+ TOKEN_ENDPOINT = "https://auth.openai.com/oauth/token"
18
+ REFRESH_SKEW_SECONDS = 30
19
+ REFRESH_TIMEOUT_SECONDS = 30
20
+
21
+ # Refresh-token failures that require the user to re-run `codex login`.
22
+ _RE_LOGIN_ERRORS = {
23
+ "invalid_grant",
24
+ "refresh_token_expired",
25
+ "refresh_token_reused",
26
+ "refresh_token_invalidated",
27
+ }
28
+
29
+
30
+ class CodexAuthError(Exception):
31
+ """Raised when the Codex auth store is missing, in apikey mode, or refresh fails."""
32
+
33
+
34
+ def _resolve_home(home: Path | None) -> Path:
35
+ if home is not None:
36
+ return home
37
+ env = os.environ.get("CODEX_HOME")
38
+ if env:
39
+ return Path(env)
40
+ return Path.home() / ".codex"
41
+
42
+
43
+ def _decode_jwt_exp(token: str) -> int | None:
44
+ """Return the `exp` claim from a JWT, or None if it can't be decoded."""
45
+ try:
46
+ payload_b64 = token.split(".")[1]
47
+ padding = "=" * (-len(payload_b64) % 4)
48
+ payload = json.loads(base64.urlsafe_b64decode(payload_b64 + padding))
49
+ exp = payload.get("exp")
50
+ return int(exp) if exp is not None else None
51
+ except (IndexError, ValueError, json.JSONDecodeError):
52
+ return None
53
+
54
+
55
+ class CodexAuthStore:
56
+ """Token store backed by ~/.codex/auth.json (override via $CODEX_HOME)."""
57
+
58
+ def __init__(self, home: Path | None = None):
59
+ self._home = _resolve_home(home)
60
+ self._auth_path = self._home / "auth.json"
61
+ self._lock_path = self._home / "auth.json.lock"
62
+ self._async_lock = asyncio.Lock()
63
+
64
+ async def get_access_token(self) -> tuple[str, str]:
65
+ """Return (access_token, account_id), refreshing if near expiry."""
66
+ async with self._async_lock:
67
+ return await asyncio.to_thread(self._sync_get_or_refresh)
68
+
69
+ def _sync_get_or_refresh(self) -> tuple[str, str]:
70
+ if not self._auth_path.exists():
71
+ raise CodexAuthError(f"No Codex auth file at {self._auth_path}. Run `codex login` first.")
72
+
73
+ # Lock the sidecar, not auth.json itself: os.replace unlinks the inode and
74
+ # any waiter blocked on the original file descriptor would never wake.
75
+ self._home.mkdir(parents=True, exist_ok=True)
76
+ with open(self._lock_path, "a+") as lock_fh:
77
+ portalocker.lock(lock_fh, portalocker.LOCK_EX)
78
+ try:
79
+ os.chmod(self._lock_path, 0o600)
80
+ except OSError:
81
+ pass
82
+ try:
83
+ return self._read_check_refresh()
84
+ finally:
85
+ portalocker.unlock(lock_fh)
86
+
87
+ def _read_check_refresh(self) -> tuple[str, str]:
88
+ data = self._load_json()
89
+ auth_mode = data.get("auth_mode")
90
+ if auth_mode != "chatgpt":
91
+ raise CodexAuthError(
92
+ f"Codex auth mode is {auth_mode!r}; this provider requires ChatGPT subscription auth. "
93
+ "Run `codex login` and choose the ChatGPT sign-in."
94
+ )
95
+
96
+ tokens = data.get("tokens") or {}
97
+ access_token = tokens.get("access_token")
98
+ refresh_token = tokens.get("refresh_token")
99
+ account_id = tokens.get("account_id")
100
+ if not access_token or not refresh_token or not account_id:
101
+ raise CodexAuthError(f"Codex auth file at {self._auth_path} is missing tokens. Run `codex login`.")
102
+
103
+ exp = _decode_jwt_exp(access_token)
104
+ now = int(time.time())
105
+ if exp is None or exp - now <= REFRESH_SKEW_SECONDS:
106
+ new_tokens = self._refresh(refresh_token)
107
+ # Merge so we keep account_id and any unknown sibling fields.
108
+ data["tokens"] = {**tokens, **new_tokens}
109
+ data["last_refresh"] = time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime())
110
+ self._write_atomic(data)
111
+ access_token = new_tokens.get("access_token", access_token)
112
+
113
+ return access_token, account_id
114
+
115
+ def _load_json(self) -> dict:
116
+ try:
117
+ return json.loads(self._auth_path.read_text())
118
+ except (OSError, json.JSONDecodeError) as exc:
119
+ raise CodexAuthError(f"Could not read {self._auth_path}: {exc}. Run `codex login`.") from exc
120
+
121
+ def _refresh(self, refresh_token: str) -> dict:
122
+ try:
123
+ resp = httpx.post(
124
+ TOKEN_ENDPOINT,
125
+ data={
126
+ "client_id": CLIENT_ID,
127
+ "grant_type": "refresh_token",
128
+ "refresh_token": refresh_token,
129
+ },
130
+ timeout=REFRESH_TIMEOUT_SECONDS,
131
+ )
132
+ except httpx.HTTPError as exc:
133
+ raise CodexAuthError(f"OAuth refresh request failed: {exc}") from exc
134
+
135
+ if resp.status_code >= 400:
136
+ body: dict = {}
137
+ try:
138
+ body = resp.json() if resp.text else {}
139
+ except ValueError:
140
+ pass
141
+ err = body.get("error", "")
142
+ if err in _RE_LOGIN_ERRORS:
143
+ raise CodexAuthError(f"Codex refresh token rejected ({err}). Run `codex login` to sign in again.")
144
+ raise CodexAuthError(f"OAuth refresh returned HTTP {resp.status_code}: {body or resp.text}")
145
+
146
+ try:
147
+ body = resp.json()
148
+ except ValueError as exc:
149
+ raise CodexAuthError(f"OAuth refresh returned non-JSON body: {resp.text}") from exc
150
+
151
+ new_tokens: dict = {}
152
+ for key in ("access_token", "refresh_token", "id_token"):
153
+ if body.get(key):
154
+ new_tokens[key] = body[key]
155
+ if "access_token" not in new_tokens:
156
+ raise CodexAuthError(f"OAuth refresh response missing access_token: {body}")
157
+ return new_tokens
158
+
159
+ def _write_atomic(self, data: dict) -> None:
160
+ tmp_path = self._auth_path.with_suffix(self._auth_path.suffix + ".tmp")
161
+ tmp_path.write_text(json.dumps(data, indent=2))
162
+ try:
163
+ os.chmod(tmp_path, 0o600)
164
+ except OSError:
165
+ pass
166
+ os.replace(tmp_path, self._auth_path)
@@ -0,0 +1,332 @@
1
+ """Codex CLI provider: ChatGPT subscription auth via OpenAI Responses API."""
2
+
3
+ from __future__ import annotations
4
+
5
+ import asyncio
6
+ import json
7
+ import logging
8
+ from typing import Any, AsyncIterator
9
+
10
+ import httpx
11
+
12
+ from tsugite.providers.base import CompletionResponse, ModelInfo, StreamChunk, Usage, default_count_tokens
13
+ from tsugite.providers.model_registry import get_model_info as _get_model_info
14
+ from tsugite.providers.model_registry import register_models
15
+ from tsugite.user_agent import set_user_agent_header
16
+ from tsugite_codex_cli.auth import CodexAuthError, CodexAuthStore
17
+
18
+ logger = logging.getLogger(__name__)
19
+
20
+ API_BASE = "https://chatgpt.com/backend-api/codex"
21
+ _REASONING_LEVELS = ["low", "medium", "high"]
22
+ # gpt-5.5 added xhigh; older codex models don't accept it.
23
+ _REASONING_LEVELS_V5_5 = ["low", "medium", "high", "xhigh"]
24
+
25
+
26
+ def _codex_model_info(max_input_tokens: int, effort_levels: list[str] = _REASONING_LEVELS) -> ModelInfo:
27
+ # Subscription billing means per-token cost is not surfaced here.
28
+ return ModelInfo(
29
+ max_input_tokens=max_input_tokens,
30
+ max_output_tokens=128_000,
31
+ input_cost_per_million=0.0,
32
+ output_cost_per_million=0.0,
33
+ supports_vision=True,
34
+ supports_reasoning=True,
35
+ supported_effort_levels=effort_levels,
36
+ )
37
+
38
+
39
+ _CODEX_CLI_MODELS: dict[str, ModelInfo] = {
40
+ "codex_cli/gpt-5.5": _codex_model_info(1_050_000, effort_levels=_REASONING_LEVELS_V5_5),
41
+ "codex_cli/gpt-5.4": _codex_model_info(1_050_000),
42
+ "codex_cli/gpt-5.4-mini": _codex_model_info(272_000),
43
+ "codex_cli/gpt-5.4-nano": _codex_model_info(272_000),
44
+ }
45
+
46
+ # Used when /models is unreachable; kept in sync with the registry above.
47
+ _FALLBACK_MODELS = [k.split("/", 1)[1] for k in _CODEX_CLI_MODELS]
48
+
49
+
50
+ class CodexResponsesError(Exception):
51
+ """Raised when chatgpt.com/backend-api/codex/responses returns a 4xx/5xx error."""
52
+
53
+ def __init__(self, message: str, status_code: int):
54
+ super().__init__(message)
55
+ self.status_code = status_code
56
+
57
+
58
+ def _translate_content_block(block: Any) -> Any:
59
+ """Chat-Completions-shape block → Responses input_* shape (request side only)."""
60
+ if not isinstance(block, dict):
61
+ return block
62
+ btype = block.get("type")
63
+ if btype == "text":
64
+ return {"type": "input_text", "text": block.get("text", "")}
65
+ if btype == "image_url":
66
+ image_url = block.get("image_url")
67
+ if isinstance(image_url, dict):
68
+ image_url = image_url.get("url", "")
69
+ return {"type": "input_image", "image_url": image_url}
70
+ if btype == "file":
71
+ file_field = block.get("file") or {}
72
+ return {"type": "input_file", **file_field}
73
+ return block
74
+
75
+
76
+ def _translate_message_content(content: Any) -> Any:
77
+ if isinstance(content, list):
78
+ return [_translate_content_block(b) for b in content]
79
+ return content
80
+
81
+
82
+ def _normalise_kwargs(kwargs: dict) -> dict:
83
+ """Map Chat-Completions-style kwargs onto Responses request fields."""
84
+ body: dict[str, Any] = {}
85
+ for key, value in kwargs.items():
86
+ if value is None or key.startswith("_"):
87
+ continue
88
+ if key == "max_tokens":
89
+ body["max_output_tokens"] = value
90
+ elif key == "reasoning_effort":
91
+ body["reasoning"] = {"effort": value}
92
+ elif key == "response_format":
93
+ body["text"] = {"format": value}
94
+ elif key in {"temperature", "top_p", "stop", "presence_penalty", "frequency_penalty"}:
95
+ body[key] = value
96
+ else:
97
+ logger.debug("codex_cli: dropping unknown kwarg %s for /responses", key)
98
+ return body
99
+
100
+
101
+ def _build_usage(usage_in: dict | None) -> Usage:
102
+ if not usage_in:
103
+ return Usage()
104
+ input_tokens = int(usage_in.get("input_tokens") or 0)
105
+ output_tokens = int(usage_in.get("output_tokens") or 0)
106
+ total = usage_in.get("total_tokens")
107
+ total_tokens = int(total) if total is not None else input_tokens + output_tokens
108
+ details = usage_in.get("output_tokens_details") or {}
109
+ reasoning_tokens = details.get("reasoning_tokens")
110
+ return Usage(
111
+ prompt_tokens=input_tokens,
112
+ completion_tokens=output_tokens,
113
+ total_tokens=total_tokens,
114
+ reasoning_tokens=int(reasoning_tokens) if reasoning_tokens is not None else None,
115
+ )
116
+
117
+
118
+ class CodexCliProvider:
119
+ """ChatGPT subscription provider routing through the Codex Responses API."""
120
+
121
+ # Stateless across calls (auth refresh is internal), so the registry can cache one instance.
122
+ cacheable = True
123
+
124
+ def __init__(self, name: str = "codex_cli"):
125
+ self.name = name
126
+ self._auth = CodexAuthStore()
127
+ self._client: httpx.AsyncClient | None = None
128
+ self._client_loop: asyncio.AbstractEventLoop | None = None
129
+ register_models(_CODEX_CLI_MODELS)
130
+
131
+ def _get_client(self) -> httpx.AsyncClient:
132
+ try:
133
+ current_loop = asyncio.get_running_loop()
134
+ except RuntimeError:
135
+ current_loop = None
136
+ if self._client is None or self._client.is_closed or self._client_loop is not current_loop:
137
+ self._client = httpx.AsyncClient(timeout=300)
138
+ self._client_loop = current_loop
139
+ return self._client
140
+
141
+ def _build_headers(self, access_token: str, account_id: str) -> dict[str, str]:
142
+ headers: dict[str, str] = {
143
+ "Content-Type": "application/json",
144
+ "Authorization": f"Bearer {access_token}",
145
+ "ChatGPT-Account-ID": account_id,
146
+ }
147
+ set_user_agent_header(headers)
148
+ return headers
149
+
150
+ def _build_request_body(self, messages: list[dict], model: str, stream: bool, **kwargs: Any) -> dict:
151
+ instructions_parts: list[str] = []
152
+ input_messages: list[dict] = []
153
+ for msg in messages:
154
+ role = msg.get("role")
155
+ content = msg.get("content", "")
156
+ if role == "system":
157
+ if isinstance(content, list):
158
+ for block in content:
159
+ if isinstance(block, dict) and block.get("type") == "text":
160
+ instructions_parts.append(block.get("text", ""))
161
+ elif isinstance(block, str):
162
+ instructions_parts.append(block)
163
+ elif isinstance(content, str):
164
+ instructions_parts.append(content)
165
+ continue
166
+ translated = {"role": role, "content": _translate_message_content(content)}
167
+ input_messages.append(translated)
168
+
169
+ # store=false and instructions are both mandatory on the Codex backend
170
+ # (omitting either 400s with `{"detail":"Store must be set to false"}`
171
+ # or `{"detail":"Instructions are required"}`).
172
+ body: dict[str, Any] = {
173
+ "model": model,
174
+ "input": input_messages,
175
+ "store": False,
176
+ "instructions": "\n".join(instructions_parts),
177
+ }
178
+ if stream:
179
+ body["stream"] = True
180
+ body.update(_normalise_kwargs(kwargs))
181
+ return body
182
+
183
+ @staticmethod
184
+ def _error_from_response(resp: httpx.Response) -> CodexResponsesError:
185
+ # Caller must `await resp.aread()` first when resp came from client.stream(),
186
+ # otherwise resp.json()/resp.text raise httpx.ResponseNotRead.
187
+ message: str | None = None
188
+ try:
189
+ payload = resp.json()
190
+ except (ValueError, json.JSONDecodeError):
191
+ payload = None
192
+ if isinstance(payload, dict):
193
+ err = payload.get("error")
194
+ if isinstance(err, dict):
195
+ message = err.get("message")
196
+ elif isinstance(err, str):
197
+ message = err
198
+ if not message:
199
+ try:
200
+ text = (resp.text or "").strip()
201
+ except httpx.ResponseNotRead:
202
+ text = ""
203
+ message = text or f"HTTP {resp.status_code}"
204
+ return CodexResponsesError(message, status_code=resp.status_code)
205
+
206
+ @staticmethod
207
+ def _error_from_event(event: dict) -> CodexResponsesError:
208
+ """Translate a `response.failed` / `error` SSE event into a typed exception."""
209
+ message = None
210
+ response_obj = event.get("response") or {}
211
+ err = response_obj.get("error") or event.get("error") or {}
212
+ if isinstance(err, dict):
213
+ message = err.get("message")
214
+ elif isinstance(err, str):
215
+ message = err
216
+ if not message:
217
+ message = event.get("message") or "Codex stream reported an error"
218
+ return CodexResponsesError(message, status_code=200)
219
+
220
+ async def acompletion(
221
+ self,
222
+ messages: list[dict],
223
+ model: str,
224
+ stream: bool = False,
225
+ **kwargs: Any,
226
+ ) -> CompletionResponse | AsyncIterator[StreamChunk]:
227
+ access_token, account_id = await self._auth.get_access_token()
228
+ # Codex backend mandates stream=true; non-stream callers get the chunks
229
+ # collected into a CompletionResponse below.
230
+ body = self._build_request_body(messages, model, stream=True, **kwargs)
231
+ headers = self._build_headers(access_token, account_id)
232
+ url = f"{API_BASE}/responses"
233
+
234
+ if stream:
235
+ return self._stream(url, headers, body)
236
+ return await self._collect_stream(url, headers, body)
237
+
238
+ async def _collect_stream(self, url: str, headers: dict, body: dict) -> CompletionResponse:
239
+ parts: list[str] = []
240
+ reasoning_parts: list[str] = []
241
+ usage = Usage()
242
+ async for chunk in self._stream(url, headers, body):
243
+ if chunk.content:
244
+ parts.append(chunk.content)
245
+ if chunk.reasoning_content:
246
+ reasoning_parts.append(chunk.reasoning_content)
247
+ if chunk.done and chunk.usage is not None:
248
+ usage = chunk.usage
249
+ return CompletionResponse(
250
+ content="".join(parts),
251
+ reasoning_content="".join(reasoning_parts) or None,
252
+ usage=usage,
253
+ cost=0.0,
254
+ )
255
+
256
+ async def _stream(self, url: str, headers: dict, body: dict) -> AsyncIterator[StreamChunk]:
257
+ client = self._get_client()
258
+ usage: Usage = Usage()
259
+ async with client.stream("POST", url, json=body, headers=headers) as resp:
260
+ if resp.status_code >= 400:
261
+ await resp.aread()
262
+ raise self._error_from_response(resp)
263
+ async for line in resp.aiter_lines():
264
+ if not line or not line.startswith("data:"):
265
+ continue
266
+ payload = line[5:].strip()
267
+ if not payload or payload == "[DONE]":
268
+ continue
269
+ try:
270
+ event = json.loads(payload)
271
+ except json.JSONDecodeError:
272
+ continue
273
+ etype = event.get("type")
274
+ if etype == "response.output_text.delta":
275
+ delta = event.get("delta") or ""
276
+ if delta:
277
+ yield StreamChunk(content=delta)
278
+ elif etype in ("response.reasoning_summary_text.delta", "response.reasoning.delta"):
279
+ delta = event.get("delta") or ""
280
+ if delta:
281
+ yield StreamChunk(reasoning_content=delta)
282
+ elif etype == "response.completed":
283
+ response_obj = event.get("response") or {}
284
+ usage = _build_usage(response_obj.get("usage"))
285
+ elif etype in ("response.failed", "response.incomplete", "error"):
286
+ raise self._error_from_event(event)
287
+ yield StreamChunk(content="", done=True, usage=usage, cost=0.0)
288
+
289
+ def count_tokens(self, text: str, model: str) -> int:
290
+ # All current Codex models share the GPT-4o/o-series o200k_base BPE; base's
291
+ # default_count_tokens only matches gpt-4o/o1/o3/o4 prefixes so it would
292
+ # silently fall back to cl100k for gpt-5.x.
293
+ try:
294
+ import tiktoken
295
+
296
+ return len(tiktoken.get_encoding("o200k_base").encode(text))
297
+ except Exception:
298
+ return default_count_tokens(text, model)
299
+
300
+ def get_model_info(self, model: str) -> ModelInfo | None:
301
+ return _get_model_info(self.name, model)
302
+
303
+ def set_context(self, **kwargs: Any) -> None:
304
+ pass
305
+
306
+ def get_state(self) -> dict | None:
307
+ return None
308
+
309
+ async def stop(self) -> None:
310
+ # No-op: the provider is cached and the httpx client is shared across
311
+ # concurrent agent runs. Closing it here would break in-flight streams
312
+ # on parallel sessions. The client is released when the process exits.
313
+ pass
314
+
315
+ async def list_models(self) -> list[str]:
316
+ # Auth lookup is inside the try: model-picker UIs should always get a
317
+ # usable list even before `codex login` has been run.
318
+ try:
319
+ access_token, account_id = await self._auth.get_access_token()
320
+ client = self._get_client()
321
+ resp = await client.get(
322
+ f"{API_BASE}/models?client_version=1.0.0",
323
+ headers=self._build_headers(access_token, account_id),
324
+ )
325
+ resp.raise_for_status()
326
+ return [m["id"] for m in resp.json().get("data", [])]
327
+ except (httpx.HTTPError, KeyError, ValueError, CodexAuthError):
328
+ return list(_FALLBACK_MODELS)
329
+
330
+
331
+ def create_provider(name: str = "codex_cli", **kwargs: Any) -> CodexCliProvider:
332
+ return CodexCliProvider(name=name)
@@ -0,0 +1,6 @@
1
+ Metadata-Version: 2.4
2
+ Name: tsugite-codex-cli
3
+ Version: 0.15.0
4
+ Summary: Tsugite plugin: ChatGPT subscription auth via Codex CLI token store
5
+ Requires-Python: >=3.11
6
+ Requires-Dist: tsugite-cli==0.15.0
@@ -0,0 +1,7 @@
1
+ tsugite_codex_cli/__init__.py,sha256=tZ_eIMDcSVfezP4tAuW2QKqKYC4V0Ws2nrdPGOt7sBw,200
2
+ tsugite_codex_cli/auth.py,sha256=6qpERP_7cDIZOmhsfosZpK3R3lbnoymY_ofBu4qeBj8,6231
3
+ tsugite_codex_cli/provider.py,sha256=5OrSAJ-iD1P-HZ6EbGhkErb9lxtSdd9idP9YfKO05Bg,13502
4
+ tsugite_codex_cli-0.15.0.dist-info/METADATA,sha256=Ce9OCOpdEmthudiCS0xjsTFzYIWAos35BRHgYIIij_k,198
5
+ tsugite_codex_cli-0.15.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
6
+ tsugite_codex_cli-0.15.0.dist-info/entry_points.txt,sha256=_BSdcMg4JaKs3Au1MdEyW41zJa9fNZAgS5NNwYul0is,66
7
+ tsugite_codex_cli-0.15.0.dist-info/RECORD,,
@@ -0,0 +1,4 @@
1
+ Wheel-Version: 1.0
2
+ Generator: hatchling 1.30.1
3
+ Root-Is-Purelib: true
4
+ Tag: py3-none-any
@@ -0,0 +1,2 @@
1
+ [tsugite.providers]
2
+ codex_cli = tsugite_codex_cli:create_provider