Merge pull request #1 from icebear0828/refactor/code-audit-cleanup

config/default.yaml

@@ -29,6 +29,10 @@ environment:
   default_id: null
   default_branch: "main"
 
+session:
+  ttl_minutes: 60
+  cleanup_interval_minutes: 5
+
 streaming:
   status_as_content: false
   chunk_size: 100

src/auth/chatgpt-oauth.ts

@@ -247,12 +247,13 @@ export async function loginViaCli(): Promise<{
 
     // Step 1: Send the initialize handshake
     const config = getConfig();
+    const originator = config.client.originator;
     sendRpc(
       "initialize",
       {
         clientInfo: {
-          name: "Codex Desktop",
-          title: "Codex Desktop",
+          name: originator,
+          title: originator,
           version: config.client.app_version,
         },
       },
@@ -380,12 +381,13 @@ export async function refreshTokenViaCli(): Promise<string> {
 
     // Send initialize
     const config = getConfig();
+    const originator = config.client.originator;
     sendRpc(
       "initialize",
       {
         clientInfo: {
-          name: "Codex Desktop",
-          title: "Codex Desktop",
+          name: originator,
+          title: originator,
           version: config.client.app_version,
         },
       },

src/auth/manager.ts

@@ -1,165 +0,0 @@
-import { readFileSync, writeFileSync, unlinkSync, existsSync, mkdirSync } from "fs";
-import { resolve, dirname } from "path";
-import { randomBytes } from "crypto";
-import { getConfig } from "../config.js";
-import {
-  decodeJwtPayload,
-  extractChatGptAccountId,
-  extractUserProfile,
-  isTokenExpired,
-} from "./jwt-utils.js";
-
-interface PersistedAuth {
-  token: string;
-  proxyApiKey: string | null;
-  userInfo: { email?: string; accountId?: string; planType?: string } | null;
-}
-
-const AUTH_FILE = resolve(process.cwd(), "data", "auth.json");
-
-export class AuthManager {
-  private token: string | null = null;
-  private userInfo: { email?: string; accountId?: string; planType?: string } | null = null;
-  private proxyApiKey: string | null = null;
-  private refreshLock: Promise<string | null> | null = null;
-
-  constructor() {
-    this.loadPersisted();
-
-    // Override with config jwt_token if set
-    const config = getConfig();
-    if (config.auth.jwt_token) {
-      this.setToken(config.auth.jwt_token);
-    }
-
-    // Override with env var if set
-    const envToken = process.env.CODEX_JWT_TOKEN;
-    if (envToken) {
-      this.setToken(envToken);
-    }
-  }
-
-  async getToken(forceRefresh?: boolean): Promise<string | null> {
-    if (forceRefresh || (this.token && this.isExpired())) {
-      // Use a lock to prevent concurrent refresh attempts
-      if (!this.refreshLock) {
-        this.refreshLock = this.attemptRefresh();
-      }
-      try {
-        return await this.refreshLock;
-      } finally {
-        this.refreshLock = null;
-      }
-    }
-    return this.token;
-  }
-
-  setToken(token: string): void {
-    this.token = token;
-
-    // Extract user info from JWT claims
-    const profile = extractUserProfile(token);
-    const accountId = extractChatGptAccountId(token);
-    this.userInfo = {
-      email: profile?.email,
-      accountId: accountId ?? undefined,
-      planType: profile?.chatgpt_plan_type,
-    };
-
-    // Generate proxy API key if we don't have one yet
-    if (!this.proxyApiKey) {
-      this.proxyApiKey = this.generateApiKey();
-    }
-
-    this.persist();
-  }
-
-  clearToken(): void {
-    this.token = null;
-    this.userInfo = null;
-    this.proxyApiKey = null;
-    try {
-      if (existsSync(AUTH_FILE)) {
-        unlinkSync(AUTH_FILE);
-      }
-    } catch {
-      // ignore cleanup errors
-    }
-  }
-
-  isAuthenticated(): boolean {
-    return this.token !== null && !this.isExpired();
-  }
-
-  getUserInfo(): { email?: string; accountId?: string; planType?: string } | null {
-    return this.userInfo;
-  }
-
-  getAccountId(): string | null {
-    if (!this.token) return null;
-    return extractChatGptAccountId(this.token);
-  }
-
-  getProxyApiKey(): string | null {
-    return this.proxyApiKey;
-  }
-
-  validateProxyApiKey(key: string): boolean {
-    if (!this.proxyApiKey) return false;
-    return key === this.proxyApiKey;
-  }
-
-  // --- private helpers ---
-
-  private isExpired(): boolean {
-    if (!this.token) return true;
-    const config = getConfig();
-    return isTokenExpired(this.token, config.auth.refresh_margin_seconds);
-  }
-
-  private async attemptRefresh(): Promise<string | null> {
-    // We cannot auto-refresh without Codex CLI interaction.
-    // If the token is expired, the user needs to re-login.
-    if (this.token && isTokenExpired(this.token)) {
-      this.token = null;
-      this.userInfo = null;
-    }
-    return this.token;
-  }
-
-  private persist(): void {
-    try {
-      const dir = dirname(AUTH_FILE);
-      if (!existsSync(dir)) {
-        mkdirSync(dir, { recursive: true });
-      }
-      const data: PersistedAuth = {
-        token: this.token!,
-        proxyApiKey: this.proxyApiKey,
-        userInfo: this.userInfo,
-      };
-      writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), "utf-8");
-    } catch {
-      // Persist is best-effort
-    }
-  }
-
-  private loadPersisted(): void {
-    try {
-      if (!existsSync(AUTH_FILE)) return;
-      const raw = readFileSync(AUTH_FILE, "utf-8");
-      const data = JSON.parse(raw) as PersistedAuth;
-      if (data.token && typeof data.token === "string") {
-        this.token = data.token;
-        this.proxyApiKey = data.proxyApiKey ?? null;
-        this.userInfo = data.userInfo ?? null;
-      }
-    } catch {
-      // If the file is corrupt, start fresh
-    }
-  }
-
-  private generateApiKey(): string {
-    return "codex-proxy-" + randomBytes(24).toString("hex");
-  }
-}

src/config.ts

@@ -35,6 +35,10 @@ const ConfigSchema = z.object({
     default_id: z.string().nullable().default(null),
     default_branch: z.string().default("main"),
   }),
+  session: z.object({
+    ttl_minutes: z.number().default(60),
+    cleanup_interval_minutes: z.number().default(5),
+  }),
   streaming: z.object({
     status_as_content: z.boolean().default(false),
     chunk_size: z.number().default(100),

src/proxy/client.ts

@@ -1,246 +0,0 @@
-/**
- * ProxyClient — fetch wrapper with auth headers, retry on 401, and SSE streaming.
- *
- * Mirrors the Codex Desktop ElectronFetchWrapper pattern.
- */
-
-import { getConfig } from "../config.js";
-import {
-  buildHeaders,
-  buildHeadersWithContentType,
-} from "../fingerprint/manager.js";
-
-export interface FetchOptions {
-  method?: string;
-  headers?: Record<string, string>;
-  body?: string;
-  signal?: AbortSignal;
-}
-
-export interface FetchResponse {
-  status: number;
-  headers: Record<string, string>;
-  body: unknown;
-  ok: boolean;
-}
-
-export class ProxyClient {
-  private token: string;
-  private accountId: string | null;
-
-  constructor(token: string, accountId: string | null) {
-    this.token = token;
-    this.accountId = accountId;
-  }
-
-  /** Update the bearer token (e.g. after a refresh). */
-  setToken(token: string): void {
-    this.token = token;
-  }
-
-  /** Update the account ID. */
-  setAccountId(accountId: string | null): void {
-    this.accountId = accountId;
-  }
-
-  // ---- public helpers ----
-
-  /** GET request, returns parsed JSON body. */
-  async get(path: string): Promise<FetchResponse> {
-    const url = this.ensureAbsoluteUrl(path);
-    const res = await this.fetchWithRetry(url, {
-      method: "GET",
-      headers: buildHeaders(this.token, this.accountId),
-    });
-    const body = await res.json();
-    return {
-      status: res.status,
-      headers: Object.fromEntries(res.headers.entries()),
-      body,
-      ok: res.ok,
-    };
-  }
-
-  /** POST request with JSON body, returns parsed JSON body. */
-  async post(path: string, body: unknown): Promise<FetchResponse> {
-    const url = this.ensureAbsoluteUrl(path);
-    const res = await this.fetchWithRetry(url, {
-      method: "POST",
-      headers: buildHeadersWithContentType(this.token, this.accountId),
-      body: JSON.stringify(body),
-    });
-    const resBody = await res.json();
-    return {
-      status: res.status,
-      headers: Object.fromEntries(res.headers.entries()),
-      body: resBody,
-      ok: res.ok,
-    };
-  }
-
-  /** GET an SSE endpoint — yields parsed `{ event?, data }` objects. */
-  async *stream(
-    path: string,
-    signal?: AbortSignal,
-  ): AsyncGenerator<{ event?: string; data: unknown }> {
-    const url = this.ensureAbsoluteUrl(path);
-    const res = await this.fetchWithRetry(url, {
-      method: "GET",
-      headers: {
-        ...buildHeaders(this.token, this.accountId),
-        Accept: "text/event-stream",
-      },
-      signal,
-    });
-
-    if (!res.ok) {
-      const text = await res.text();
-      throw new Error(`SSE request failed (${res.status}): ${text}`);
-    }
-
-    if (!res.body) {
-      throw new Error("Response body is null — cannot stream");
-    }
-
-    const reader = res.body
-      .pipeThrough(new TextDecoderStream())
-      .getReader();
-
-    let buffer = "";
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-
-        buffer += value;
-
-        // Process complete SSE messages (separated by double newline)
-        const parts = buffer.split("\n\n");
-        // Last part may be incomplete — keep it in the buffer
-        buffer = parts.pop()!;
-
-        for (const part of parts) {
-          if (!part.trim()) continue;
-          for (const parsed of this.parseSSE(part)) {
-            if (parsed.data === "[DONE]") return;
-            try {
-              yield { event: parsed.event, data: JSON.parse(parsed.data) };
-            } catch {
-              yield { event: parsed.event, data: parsed.data };
-            }
-          }
-        }
-      }
-
-      // Process any remaining data in the buffer
-      if (buffer.trim()) {
-        for (const parsed of this.parseSSE(buffer)) {
-          if (parsed.data === "[DONE]") return;
-          try {
-            yield { event: parsed.event, data: JSON.parse(parsed.data) };
-          } catch {
-            yield { event: parsed.event, data: parsed.data };
-          }
-        }
-      }
-    } finally {
-      reader.releaseLock();
-    }
-  }
-
-  // ---- internal helpers ----
-
-  /**
-   * Resolve a relative URL to absolute using the configured base_url.
-   * Mirrors Codex's ensureAbsoluteUrl.
-   */
-  private ensureAbsoluteUrl(url: string): string {
-    if (/^https?:\/\//i.test(url) || url.startsWith("data:")) return url;
-    const base = getConfig().api.base_url;
-    return `${base}/${url.replace(/^\/+/, "")}`;
-  }
-
-  /**
-   * Fetch with a single 401 retry (re-builds auth headers on retry).
-   */
-  private async fetchWithRetry(
-    url: string,
-    options: FetchOptions,
-    onRefreshToken?: () => Promise<string | null>,
-  ): Promise<Response> {
-    const config = getConfig();
-    const timeout = config.api.timeout_seconds * 1000;
-
-    const doFetch = (opts: FetchOptions): Promise<Response> => {
-      const controller = new AbortController();
-      const timer = setTimeout(() => controller.abort(), timeout);
-      const mergedSignal = opts.signal
-        ? AbortSignal.any([opts.signal, controller.signal])
-        : controller.signal;
-
-      return fetch(url, {
-        method: opts.method ?? "GET",
-        headers: opts.headers,
-        body: opts.body,
-        signal: mergedSignal,
-      }).finally(() => clearTimeout(timer));
-    };
-
-    const res = await doFetch(options);
-
-    // Single retry on 401 if a refresh callback is provided
-    if (res.status === 401 && onRefreshToken) {
-      const newToken = await onRefreshToken();
-      if (newToken) {
-        this.token = newToken;
-        const retryHeaders = options.headers?.["Content-Type"]
-          ? buildHeadersWithContentType(this.token, this.accountId)
-          : buildHeaders(this.token, this.accountId);
-        return doFetch({ ...options, headers: retryHeaders });
-      }
-    }
-
-    return res;
-  }
-
-  /**
-   * Parse raw SSE text block into individual events.
-   */
-  private *parseSSE(
-    text: string,
-  ): Generator<{ event?: string; data: string }> {
-    let event: string | undefined;
-    let dataLines: string[] = [];
-
-    for (const line of text.split("\n")) {
-      if (line.startsWith("event:")) {
-        event = line.slice(6).trim();
-      } else if (line.startsWith("data:")) {
-        dataLines.push(line.slice(5).trimStart());
-      } else if (line === "" && dataLines.length > 0) {
-        yield { event, data: dataLines.join("\n") };
-        event = undefined;
-        dataLines = [];
-      }
-    }
-
-    // Yield any remaining accumulated data
-    if (dataLines.length > 0) {
-      yield { event, data: dataLines.join("\n") };
-    }
-  }
-}
-
-/**
- * Replace `{param}` placeholders in a URL template with encoded values.
- */
-export function serializePath(
-  template: string,
-  params: Record<string, string>,
-): string {
-  let path = template;
-  for (const [key, value] of Object.entries(params)) {
-    path = path.replace(`{${key}}`, encodeURIComponent(value));
-  }
-  return path;
-}

src/routes/models.ts

@@ -143,11 +143,14 @@ export function getModelCatalog(): CodexModelInfo[] {
 
 // --- Routes ---
 
+/** Stable timestamp used for all model `created` fields (2023-11-14T22:13:20Z). */
+const MODEL_CREATED_TIMESTAMP = 1700000000;
+
 function toOpenAIModel(info: CodexModelInfo): OpenAIModel {
   return {
     id: info.id,
     object: "model",
-    created: 1700000000,
+    created: MODEL_CREATED_TIMESTAMP,
     owned_by: "openai",
   };
 }
@@ -155,11 +158,11 @@ function toOpenAIModel(info: CodexModelInfo): OpenAIModel {
 app.get("/v1/models", (c) => {
   // Include catalog models + aliases as separate entries
   const models: OpenAIModel[] = MODEL_CATALOG.map(toOpenAIModel);
-  for (const [alias, target] of Object.entries(MODEL_ALIASES)) {
+  for (const [alias] of Object.entries(MODEL_ALIASES)) {
     models.push({
       id: alias,
       object: "model",
-      created: 1700000000,
+      created: MODEL_CREATED_TIMESTAMP,
       owned_by: "openai",
     });
   }
@@ -180,7 +183,7 @@ app.get("/v1/models/:modelId", (c) => {
     return c.json({
       id: modelId,
       object: "model",
-      created: 1700000000,
+      created: MODEL_CREATED_TIMESTAMP,
       owned_by: "openai",
     });
   }

src/session/manager.ts

@@ -1,4 +1,5 @@
 import { createHash } from "crypto";
+import { getConfig } from "../config.js";
 
 interface Session {
   taskId: string;
@@ -11,10 +12,10 @@ export class SessionManager {
   private sessions = new Map<string, Session>();
   private ttlMs: number;
 
-  constructor(ttlMinutes: number = 60) {
-    this.ttlMs = ttlMinutes * 60 * 1000;
-    // Periodically clean expired sessions
-    setInterval(() => this.cleanup(), 5 * 60 * 1000);
+  constructor() {
+    const { ttl_minutes, cleanup_interval_minutes } = getConfig().session;
+    this.ttlMs = ttl_minutes * 60 * 1000;
+    setInterval(() => this.cleanup(), cleanup_interval_minutes * 60 * 1000);
   }
 
   /**