feat: desktop context injection, multi-turn sessions, TLS impersonation & auto-update

- Inject Codex Desktop system prompt into every request for full feature parity
- Add previous_response_id for multi-turn conversation continuity
- Add curl-impersonate auto-detection with Chrome TLS fingerprint fallback
- Fix appcast XML parsing for element-style Sparkle tags
- Remove private maintenance scripts from public repo
- Add README with setup and usage instructions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -1,7 +1,26 @@
 node_modules/
 dist/
 data/
+docs/
+bin/
 .env
 *.log
 .asar-out/
+tmp/
 .claude/settings.local.json
+
+# Maintenance scripts (private — not for public repo)
+scripts/extract-fingerprint.ts
+scripts/full-update.ts
+scripts/apply-update.ts
+scripts/setup-curl.ts
+scripts/check-update.ts
+scripts/test-*.ts
+scripts/cron-update.sh
+config/extraction-patterns.yaml
+
+# Design / internal files
+stitch-designs/
+stitch-screens/
+CLAUDE.md
+*.tar.gz

README.md

@@ -0,0 +1,167 @@
+# Codex Proxy
+
+A reverse proxy that exposes the [Codex Desktop](https://openai.com/codex) API as an OpenAI-compatible `/v1/chat/completions` endpoint. Use any OpenAI-compatible client (Cursor, Continue, VS Code, etc.) with Codex models — for free.
+
+## Architecture
+
+```
+OpenAI-compatible client
+        │
+   POST /v1/chat/completions
+        │
+        ▼
+  ┌─────────────┐     POST /backend-api/codex/responses
+  │ Codex Proxy │ ──────────────────────────────────────► chatgpt.com
+  │  :8080      │ ◄──────────────────────────────────────  (SSE stream)
+  └─────────────┘
+        │
+   SSE chat.completion.chunk
+        │
+        ▼
+    Client
+```
+
+The proxy translates OpenAI Chat Completions format to the Codex Responses API format, handles authentication (OAuth PKCE), multi-account rotation, and Cloudflare bypass via curl subprocess.
+
+## Quick Start
+
+```bash
+# 1. Install dependencies
+npm install
+
+# 2. Start the proxy (dev mode with hot reload)
+npm run dev
+
+# 3. Open the dashboard and log in with your ChatGPT account
+#    http://localhost:8080
+
+# 4. Test a chat completion
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "codex",
+    "messages": [{"role": "user", "content": "Hello!"}],
+    "stream": true
+  }'
+```
+
+## Features
+
+- **OpenAI-compatible API** — drop-in replacement for `/v1/chat/completions` and `/v1/models`
+- **OAuth PKCE login** — native browser-based login, no manual token copying
+- **Multi-account rotation** — add multiple ChatGPT accounts with automatic load balancing (`least_used` or `round_robin`)
+- **Auto token refresh** — JWT tokens are refreshed automatically before expiry
+- **Cloudflare bypass** — all upstream requests use curl subprocess with native TLS
+- **Quota monitoring** — real-time Codex usage/quota display per account
+- **Web dashboard** — manage accounts, view usage, and monitor status at `http://localhost:8080`
+- **Auto-update detection** — polls the Codex Desktop appcast for new versions
+
+## Available Models
+
+| Model ID | Alias | Description |
+|----------|-------|-------------|
+| `gpt-5.3-codex` | `codex` | Latest frontier agentic coding model (default) |
+| `gpt-5.2-codex` | — | Previous generation coding model |
+| `gpt-5.1-codex-max` | `codex-max` | Maximum capability coding model |
+| `gpt-5.2` | — | General-purpose model |
+| `gpt-5.1-codex-mini` | `codex-mini` | Lightweight, fast coding model |
+
+## API Usage
+
+### Chat Completions (streaming)
+
+```bash
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "codex",
+    "messages": [
+      {"role": "system", "content": "You are a helpful coding assistant."},
+      {"role": "user", "content": "Write a Python function to check if a number is prime."}
+    ],
+    "stream": true
+  }'
+```
+
+### Chat Completions (non-streaming)
+
+```bash
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "codex",
+    "messages": [{"role": "user", "content": "Hello!"}],
+    "stream": false
+  }'
+```
+
+### List Models
+
+```bash
+curl http://localhost:8080/v1/models
+```
+
+### Check Account Quota
+
+```bash
+curl "http://localhost:8080/auth/accounts?quota=true"
+```
+
+## Configuration
+
+All configuration is in `config/default.yaml`:
+
+| Section | Key Settings |
+|---------|-------------|
+| `api` | `base_url`, `timeout_seconds` |
+| `client` | `originator`, `app_version`, `platform`, `arch` |
+| `model` | `default` model, `default_reasoning_effort` |
+| `auth` | `oauth_client_id`, `rotation_strategy`, `rate_limit_backoff_seconds` |
+| `server` | `host`, `port`, `proxy_api_key` |
+
+Environment variable overrides:
+
+| Variable | Overrides |
+|----------|-----------|
+| `PORT` | `server.port` |
+| `CODEX_PLATFORM` | `client.platform` |
+| `CODEX_ARCH` | `client.arch` |
+| `CODEX_JWT_TOKEN` | `auth.jwt_token` |
+
+## Client Setup Examples
+
+### Cursor
+
+Settings > Models > OpenAI API Base:
+```
+http://localhost:8080/v1
+```
+
+### Continue (VS Code)
+
+`~/.continue/config.json`:
+```json
+{
+  "models": [{
+    "title": "Codex",
+    "provider": "openai",
+    "model": "codex",
+    "apiBase": "http://localhost:8080/v1"
+  }]
+}
+```
+
+## Scripts
+
+| Command | Description |
+|---------|-------------|
+| `npm run dev` | Start dev server with hot reload |
+| `npm run build` | Compile TypeScript to `dist/` |
+| `npm start` | Run compiled server |
+| `npm run check-update` | Check for new Codex Desktop versions |
+| `npm run extract -- --path <asar>` | Extract fingerprint from Codex app |
+| `npm run apply-update` | Apply extracted fingerprint updates |
+
+## License
+
+For personal use only. This project is not affiliated with OpenAI.

config/default.yaml

@@ -4,8 +4,8 @@ api:
 
 client:
   originator: "Codex Desktop"
-  app_version: "260202.0859"
-  build_number: "517"
+  app_version: "26.217.1959"
+  build_number: "669"
   platform: "darwin"
   arch: "arm64"
 
@@ -36,6 +36,12 @@ session:
   ttl_minutes: 60
   cleanup_interval_minutes: 5
 
+tls:
+  # curl binary path. "auto" = detect bin/curl-impersonate-chrome, fallback to system curl
+  curl_binary: "auto"
+  # Chrome profile for --impersonate flag (auto-detected when curl-impersonate supports it)
+  impersonate_profile: "chrome136"
+
 streaming:
   status_as_content: false
   chunk_size: 100

config/extraction-patterns.yaml

@@ -1,74 +0,0 @@
-# Regex patterns for extracting values from Codex Desktop's main.js
-# These patterns are applied to the beautified (js-beautify) output.
-# Update these when the minified variable names change across versions.
-#
-# NOTE: Use single-quoted YAML strings for regex patterns. In YAML single quotes,
-# backslashes are literal (no escaping needed). Only '' is special (escaped single quote).
-
-# Version info from package.json (no regex needed — direct JSON parse)
-package_json:
-  version_key: "version"
-  build_number_key: "codexBuildNumber"
-  sparkle_feed_key: "codexSparkleFeedUrl"
-
-# Patterns for main.js content extraction
-main_js:
-  # API base URL
-  api_base_url:
-    pattern: 'https://[^"]+/backend-api'
-    description: "WHAM API base URL"
-
-  # Originator header value — in beautified code: variable = "Codex Desktop";
-  originator:
-    pattern: '= "(Codex [^"]+)"'
-    group: 1
-    description: "originator header sent with requests"
-
-  # Model IDs — match quoted gpt-X.Y(-codex)(-variant) strings
-  # In beautified code: = "gpt-5.3-codex", LF = "gpt-5.1-codex-mini", etc.
-  models:
-    pattern: '"(gpt-[0-9]+[.][0-9]+(?:-codex)?(?:-[a-z]+)?)"'
-    group: 1
-    global: true
-    description: "All model ID strings"
-
-  # WHAM API endpoint paths
-  wham_endpoints:
-    pattern: '"(/wham/[^"]+)"'
-    group: 1
-    global: true
-    description: "WHAM API endpoint paths"
-
-  # User-Agent template
-  user_agent:
-    pattern: "Codex Desktop/"
-    description: "User-Agent prefix check"
-
-  # Desktop context system prompt (variable oF)
-  desktop_context:
-    start_marker: "# Codex desktop context"
-    end_marker: "</app-context>"
-    description: "Full desktop context system prompt"
-
-  # Title generation prompt (function KZ)
-  title_generation:
-    start_marker: "You are a helpful assistant. You will be presented with a user prompt"
-    end_pattern: '.join('
-    description: "Task title generation system prompt"
-
-  # PR generation prompt (function n9)
-  pr_generation:
-    start_marker: "You are a helpful assistant. Generate a pull request title"
-    end_pattern: '.join('
-    description: "PR title/body generation system prompt"
-
-  # Automation response template (constant qK)
-  automation_response:
-    start_marker: "Response MUST end with a remark-directive block"
-    end_pattern: "^`;$"
-    description: "Automation response template with directive rules"
-
-# Info.plist keys (macOS only)
-info_plist:
-  version_key: "CFBundleShortVersionString"
-  build_key: "CFBundleVersion"

package.json

@@ -1,7 +1,7 @@
 {
   "name": "codex-proxy",
   "version": "1.0.0",
-  "description": "Reverse proxy that exposes Codex Desktop WHAM API as OpenAI-compatible /v1/chat/completions",
+  "description": "Reverse proxy that exposes Codex Desktop Responses API as OpenAI-compatible /v1/chat/completions",
   "type": "module",
   "scripts": {
     "dev": "tsx watch src/index.ts",
@@ -11,7 +11,10 @@
     "check-update:watch": "tsx scripts/check-update.ts --watch",
     "extract": "tsx scripts/extract-fingerprint.ts",
     "apply-update": "tsx scripts/apply-update.ts",
-    "apply-update:dry": "tsx scripts/apply-update.ts --dry-run"
+    "apply-update:dry": "tsx scripts/apply-update.ts --dry-run",
+    "setup": "tsx scripts/setup-curl.ts",
+    "update": "tsx scripts/full-update.ts",
+    "postinstall": "tsx scripts/setup-curl.ts"
   },
   "dependencies": {
     "hono": "^4.0.0",

public/dashboard.html

@@ -808,15 +808,18 @@
       const model = escapeHtml(document.getElementById('defaultModel').value);
 
       document.getElementById('code-python').innerHTML =
-`import openai
+`from openai import OpenAI
 
-openai.api_base = "${baseUrl}"
-openai.api_key = "${apiKey}"
-response = openai.ChatCompletion.create(
+client = OpenAI(
+    base_url="${baseUrl}",
+    api_key="${apiKey}",
+)
+
+response = client.chat.completions.create(
     model="${model}",
     messages=[
         {"role": "user", "content": "Explain quantum computing in simple terms"}
-    ]
+    ],
 )
 
 print(response.choices[0].message.content)

public/login.html

@@ -1,527 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Codex Proxy - Login</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      background: #0d1117;
-      color: #c9d1d9;
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-    }
-    .container {
-      max-width: 420px;
-      width: 100%;
-      padding: 2rem;
-    }
-    .logo {
-      text-align: center;
-      margin-bottom: 2rem;
-    }
-    .logo h1 {
-      font-size: 1.5rem;
-      color: #58a6ff;
-      font-weight: 600;
-    }
-    .logo p {
-      color: #8b949e;
-      margin-top: 0.5rem;
-      font-size: 0.9rem;
-    }
-    .card {
-      background: #161b22;
-      border: 1px solid #30363d;
-      border-radius: 12px;
-      padding: 2rem;
-    }
-    .btn {
-      display: block;
-      width: 100%;
-      padding: 12px 16px;
-      border: none;
-      border-radius: 8px;
-      font-size: 1rem;
-      font-weight: 500;
-      cursor: pointer;
-      text-align: center;
-      text-decoration: none;
-      transition: background 0.2s;
-    }
-    .btn-primary {
-      background: #238636;
-      color: #fff;
-    }
-    .btn-primary:hover {
-      background: #2ea043;
-    }
-    .btn-primary:disabled {
-      opacity: 0.5;
-      cursor: not-allowed;
-    }
-    .divider {
-      text-align: center;
-      margin: 1.5rem 0;
-      color: #484f58;
-      font-size: 0.85rem;
-    }
-    .divider::before, .divider::after {
-      content: '';
-      display: inline-block;
-      width: 30%;
-      height: 1px;
-      background: #30363d;
-      vertical-align: middle;
-      margin: 0 0.5rem;
-    }
-    .input-group {
-      margin-bottom: 1rem;
-    }
-    .input-group label {
-      display: block;
-      font-size: 0.85rem;
-      color: #8b949e;
-      margin-bottom: 0.5rem;
-    }
-    .input-group textarea {
-      width: 100%;
-      padding: 10px;
-      background: #0d1117;
-      border: 1px solid #30363d;
-      border-radius: 6px;
-      color: #c9d1d9;
-      font-family: monospace;
-      font-size: 0.85rem;
-      resize: vertical;
-      min-height: 80px;
-    }
-    .input-group textarea:focus {
-      outline: none;
-      border-color: #58a6ff;
-    }
-    .error {
-      color: #f85149;
-      font-size: 0.85rem;
-      margin-top: 0.5rem;
-      display: none;
-    }
-    .success {
-      color: #3fb950;
-      font-size: 0.85rem;
-      margin-top: 0.5rem;
-      display: none;
-    }
-    .help {
-      margin-top: 1rem;
-      font-size: 0.8rem;
-      color: #484f58;
-      line-height: 1.5;
-    }
-    #pasteSection {
-      display: none;
-    }
-    .paste-instructions {
-      background: #0d1117;
-      border: 1px solid #30363d;
-      border-radius: 6px;
-      padding: 0.75rem;
-      margin-bottom: 1rem;
-      font-size: 0.82rem;
-      line-height: 1.5;
-      color: #8b949e;
-    }
-    .paste-instructions strong {
-      color: #c9d1d9;
-    }
-    .paste-instructions ol {
-      margin: 0.5rem 0 0 1.2rem;
-    }
-    .btn-secondary {
-      display: block;
-      width: 100%;
-      padding: 12px 16px;
-      border: 1px solid #30363d;
-      border-radius: 8px;
-      background: #21262d;
-      color: #c9d1d9;
-      font-size: 1rem;
-      font-weight: 500;
-      cursor: pointer;
-      text-align: center;
-      transition: background 0.2s;
-    }
-    .btn-secondary:hover { background: #30363d; }
-    .btn-secondary:disabled { opacity: 0.5; cursor: not-allowed; }
-    .device-code-box {
-      background: #0d1117;
-      border: 1px solid #30363d;
-      border-radius: 8px;
-      padding: 1.5rem;
-      text-align: center;
-      margin-top: 1rem;
-      display: none;
-    }
-    .device-code-box .user-code {
-      font-family: monospace;
-      font-size: 2rem;
-      font-weight: 700;
-      color: #58a6ff;
-      letter-spacing: 0.15em;
-      margin: 0.75rem 0;
-    }
-    .device-code-box .verify-link {
-      color: #3fb950;
-      text-decoration: none;
-      font-size: 0.9rem;
-    }
-    .device-code-box .verify-link:hover { text-decoration: underline; }
-    .device-code-box .status-text {
-      color: #8b949e;
-      font-size: 0.82rem;
-      margin-top: 0.75rem;
-    }
-    .spinner {
-      display: inline-block;
-      width: 14px;
-      height: 14px;
-      border: 2px solid rgba(255,255,255,0.3);
-      border-top-color: #fff;
-      border-radius: 50%;
-      animation: spin 0.8s linear infinite;
-      vertical-align: middle;
-      margin-right: 6px;
-    }
-    @keyframes spin { to { transform: rotate(360deg); } }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <div class="logo">
-      <h1>Codex Proxy</h1>
-      <p>OpenAI-compatible API for Codex Desktop</p>
-    </div>
-    <div class="card">
-      <button class="btn btn-primary" id="loginBtn" onclick="startLogin()">
-        Login with ChatGPT
-      </button>
-
-      <div id="pasteSection">
-        <div class="paste-instructions">
-          <strong>Remote login:</strong> If the popup shows an error or you're on a different machine:
-          <ol>
-            <li>Complete login in the popup</li>
-            <li>Copy the full URL from the popup's address bar<br>(starts with <code>http://localhost:...</code>)</li>
-            <li>Paste it below and click Submit</li>
-          </ol>
-        </div>
-        <div class="input-group">
-          <label>Paste the callback URL here</label>
-          <textarea id="callbackInput" placeholder="http://localhost:54321/auth/callback?code=...&state=..."></textarea>
-        </div>
-        <button class="btn btn-primary" id="relayBtn" onclick="submitRelay()">
-          Submit Callback URL
-        </button>
-        <div class="error" id="relayError"></div>
-        <div class="success" id="relaySuccess"></div>
-      </div>
-
-      <div class="divider">or</div>
-
-      <button class="btn btn-primary" id="deviceCodeBtn" onclick="startDeviceCode()">
-        Sign in with Device Code
-      </button>
-      <div class="device-code-box" id="deviceCodeBox">
-        <div style="color:#8b949e;font-size:0.85rem">Enter this code at:</div>
-        <a class="verify-link" id="deviceVerifyLink" href="#" target="_blank" rel="noopener"></a>
-        <div class="user-code" id="deviceUserCode"></div>
-        <div class="status-text" id="deviceStatus"><span class="spinner"></span> Waiting for authorization...</div>
-        <div class="error" id="deviceError"></div>
-        <div class="success" id="deviceSuccess"></div>
-      </div>
-
-      <div style="margin-top:0.75rem">
-        <button class="btn-secondary" id="cliImportBtn" onclick="importCli()">
-          Import CLI Token (~/.codex/auth.json)
-        </button>
-        <div class="error" id="cliError"></div>
-        <div class="success" id="cliSuccess"></div>
-      </div>
-
-      <div class="divider">or</div>
-
-      <div id="manualSection">
-        <div class="input-group">
-          <label>Paste your ChatGPT access token</label>
-          <textarea id="tokenInput" placeholder="eyJhbGciOiJSUzI1NiIs..."></textarea>
-        </div>
-        <button class="btn btn-primary" id="submitToken" onclick="submitToken()">
-          Submit Token
-        </button>
-        <div class="error" id="errorMsg"></div>
-        <div class="success" id="successMsg"></div>
-        <div class="help">
-          To get your token: Open ChatGPT in browser &rarr; DevTools (F12) &rarr;
-          Application &rarr; Cookies &rarr; find <code>__Secure-next-auth.session-token</code>
-          or check Network tab for <code>Authorization: Bearer ...</code> header.
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <script>
-    let pollTimer = null;
-
-    // Listen for postMessage from OAuth callback popup (cross-port communication)
-    window.addEventListener('message', (event) => {
-      if (event.data?.type === 'oauth-callback-success') {
-        if (pollTimer) clearInterval(pollTimer);
-        window.location.href = '/';
-      }
-    });
-
-    async function startLogin() {
-      const btn = document.getElementById('loginBtn');
-      btn.disabled = true;
-      btn.innerHTML = '<span class="spinner"></span> Opening login...';
-
-      try {
-        const resp = await fetch('/auth/login-start', { method: 'POST' });
-        const data = await resp.json();
-
-        if (!resp.ok || !data.authUrl) {
-          throw new Error(data.error || 'Failed to start login');
-        }
-
-        // Open Auth0 in popup
-        const popup = window.open(data.authUrl, 'oauth_login', 'width=600,height=700,scrollbars=yes');
-
-        // Show paste section
-        document.getElementById('pasteSection').style.display = 'block';
-        btn.innerHTML = 'Login with ChatGPT';
-        btn.disabled = false;
-
-        // Poll auth status — if callback server handles it, we auto-redirect
-        startPolling();
-
-      } catch (err) {
-        btn.innerHTML = 'Login with ChatGPT';
-        btn.disabled = false;
-        const errEl = document.getElementById('relayError');
-        errEl.textContent = err.message;
-        errEl.style.display = 'block';
-        document.getElementById('pasteSection').style.display = 'block';
-      }
-    }
-
-    function startPolling() {
-      if (pollTimer) clearInterval(pollTimer);
-      pollTimer = setInterval(async () => {
-        try {
-          const resp = await fetch('/auth/status');
-          const data = await resp.json();
-          if (data.authenticated) {
-            clearInterval(pollTimer);
-            window.location.href = '/';
-          }
-        } catch {}
-      }, 2000);
-
-      // Stop polling after 5 minutes
-      setTimeout(() => {
-        if (pollTimer) clearInterval(pollTimer);
-      }, 5 * 60 * 1000);
-    }
-
-    async function submitRelay() {
-      const callbackUrl = document.getElementById('callbackInput').value.trim();
-      const errEl = document.getElementById('relayError');
-      const successEl = document.getElementById('relaySuccess');
-      errEl.style.display = 'none';
-      successEl.style.display = 'none';
-
-      if (!callbackUrl) {
-        errEl.textContent = 'Please paste the callback URL';
-        errEl.style.display = 'block';
-        return;
-      }
-
-      const btn = document.getElementById('relayBtn');
-      btn.disabled = true;
-      btn.innerHTML = '<span class="spinner"></span> Exchanging...';
-
-      try {
-        const resp = await fetch('/auth/code-relay', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ callbackUrl }),
-        });
-        const data = await resp.json();
-
-        if (resp.ok && data.success) {
-          successEl.textContent = 'Login successful! Redirecting...';
-          successEl.style.display = 'block';
-          if (pollTimer) clearInterval(pollTimer);
-          setTimeout(() => window.location.href = '/', 1000);
-        } else {
-          errEl.textContent = data.error || 'Failed to exchange code';
-          errEl.style.display = 'block';
-        }
-      } catch (err) {
-        errEl.textContent = 'Network error: ' + err.message;
-        errEl.style.display = 'block';
-      } finally {
-        btn.innerHTML = 'Submit Callback URL';
-        btn.disabled = false;
-      }
-    }
-
-    // ── Device Code Flow ──────────────────────────────
-    let devicePollTimer = null;
-
-    async function startDeviceCode() {
-      const btn = document.getElementById('deviceCodeBtn');
-      const box = document.getElementById('deviceCodeBox');
-      const errEl = document.getElementById('deviceError');
-      const successEl = document.getElementById('deviceSuccess');
-      const statusEl = document.getElementById('deviceStatus');
-      errEl.style.display = 'none';
-      successEl.style.display = 'none';
-
-      btn.disabled = true;
-      btn.innerHTML = '<span class="spinner"></span> Requesting code...';
-
-      try {
-        const resp = await fetch('/auth/device-login', { method: 'POST' });
-        const data = await resp.json();
-
-        if (!resp.ok || !data.userCode) {
-          throw new Error(data.error || 'Failed to request device code');
-        }
-
-        // Show the code box
-        box.style.display = 'block';
-        document.getElementById('deviceUserCode').textContent = data.userCode;
-        const link = document.getElementById('deviceVerifyLink');
-        link.href = data.verificationUriComplete || data.verificationUri;
-        link.textContent = data.verificationUri;
-        statusEl.innerHTML = '<span class="spinner"></span> Waiting for authorization...';
-
-        btn.innerHTML = 'Sign in with Device Code';
-        btn.disabled = false;
-
-        // Start polling
-        const interval = (data.interval || 5) * 1000;
-        const deviceCode = data.deviceCode;
-        if (devicePollTimer) clearInterval(devicePollTimer);
-
-        devicePollTimer = setInterval(async () => {
-          try {
-            const pollResp = await fetch('/auth/device-poll/' + encodeURIComponent(deviceCode));
-            const pollData = await pollResp.json();
-
-            if (pollData.success) {
-              clearInterval(devicePollTimer);
-              statusEl.innerHTML = '';
-              successEl.textContent = 'Login successful! Redirecting...';
-              successEl.style.display = 'block';
-              if (pollTimer) clearInterval(pollTimer);
-              setTimeout(() => window.location.href = '/', 1000);
-            } else if (pollData.error) {
-              clearInterval(devicePollTimer);
-              statusEl.innerHTML = '';
-              errEl.textContent = pollData.error;
-              errEl.style.display = 'block';
-            }
-            // if pollData.pending, keep polling
-          } catch {}
-        }, interval);
-
-        // Stop after expiry
-        setTimeout(() => {
-          if (devicePollTimer) {
-            clearInterval(devicePollTimer);
-            statusEl.textContent = 'Code expired. Please try again.';
-          }
-        }, (data.expiresIn || 900) * 1000);
-
-      } catch (err) {
-        btn.innerHTML = 'Sign in with Device Code';
-        btn.disabled = false;
-        errEl.textContent = err.message;
-        errEl.style.display = 'block';
-      }
-    }
-
-    // ── CLI Token Import ─────────────────────────────
-    async function importCli() {
-      const btn = document.getElementById('cliImportBtn');
-      const errEl = document.getElementById('cliError');
-      const successEl = document.getElementById('cliSuccess');
-      errEl.style.display = 'none';
-      successEl.style.display = 'none';
-      btn.disabled = true;
-      btn.textContent = 'Importing...';
-
-      try {
-        const resp = await fetch('/auth/import-cli', { method: 'POST' });
-        const data = await resp.json();
-
-        if (resp.ok && data.success) {
-          successEl.textContent = 'CLI token imported! Redirecting...';
-          successEl.style.display = 'block';
-          if (pollTimer) clearInterval(pollTimer);
-          setTimeout(() => window.location.href = '/', 1000);
-        } else {
-          errEl.textContent = data.error || 'Failed to import CLI token';
-          errEl.style.display = 'block';
-        }
-      } catch (err) {
-        errEl.textContent = 'Network error: ' + err.message;
-        errEl.style.display = 'block';
-      } finally {
-        btn.textContent = 'Import CLI Token (~/.codex/auth.json)';
-        btn.disabled = false;
-      }
-    }
-
-    async function submitToken() {
-      const token = document.getElementById('tokenInput').value.trim();
-      const errorEl = document.getElementById('errorMsg');
-      const successEl = document.getElementById('successMsg');
-      errorEl.style.display = 'none';
-      successEl.style.display = 'none';
-
-      if (!token) {
-        errorEl.textContent = 'Please paste a token';
-        errorEl.style.display = 'block';
-        return;
-      }
-
-      try {
-        const resp = await fetch('/auth/token', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ token }),
-        });
-        const data = await resp.json();
-        if (resp.ok) {
-          successEl.textContent = 'Login successful! Redirecting...';
-          successEl.style.display = 'block';
-          setTimeout(() => window.location.href = '/', 1000);
-        } else {
-          errorEl.textContent = data.error || 'Invalid token';
-          errorEl.style.display = 'block';
-        }
-      } catch (err) {
-        errorEl.textContent = 'Network error: ' + err.message;
-        errorEl.style.display = 'block';
-      }
-    }
-  </script>
-</body>
-</html>

scripts/apply-update.ts

@@ -1,354 +0,0 @@
-#!/usr/bin/env tsx
-/**
- * apply-update.ts — Compares extracted fingerprint with current config and applies updates.
- *
- * Usage:
- *   npx tsx scripts/apply-update.ts [--dry-run]
- *
- * --dry-run: Show what would change without modifying files.
- */
-
-import { readFileSync, writeFileSync, existsSync } from "fs";
-import { resolve } from "path";
-import { createHash } from "crypto";
-import yaml from "js-yaml";
-
-const ROOT = resolve(import.meta.dirname, "..");
-const CONFIG_PATH = resolve(ROOT, "config/default.yaml");
-const FINGERPRINT_PATH = resolve(ROOT, "config/fingerprint.yaml");
-const EXTRACTED_PATH = resolve(ROOT, "data/extracted-fingerprint.json");
-const MODELS_PATH = resolve(ROOT, "config/models.yaml");
-const PROMPTS_DIR = resolve(ROOT, "config/prompts");
-
-type ChangeType = "auto" | "semi-auto" | "alert";
-
-interface Change {
-  type: ChangeType;
-  category: string;
-  description: string;
-  current: string;
-  updated: string;
-  file: string;
-}
-
-interface ExtractedFingerprint {
-  app_version: string;
-  build_number: string;
-  api_base_url: string | null;
-  originator: string | null;
-  models: string[];
-  wham_endpoints: string[];
-  user_agent_contains: string;
-  prompts: {
-    desktop_context_hash: string | null;
-    desktop_context_path: string | null;
-    title_generation_hash: string | null;
-    title_generation_path: string | null;
-    pr_generation_hash: string | null;
-    pr_generation_path: string | null;
-    automation_response_hash: string | null;
-    automation_response_path: string | null;
-  };
-}
-
-function loadExtracted(): ExtractedFingerprint {
-  if (!existsSync(EXTRACTED_PATH)) {
-    throw new Error(
-      `No extracted fingerprint found at ${EXTRACTED_PATH}.\n` +
-      `Run: npm run extract -- --path <codex-path>`
-    );
-  }
-  return JSON.parse(readFileSync(EXTRACTED_PATH, "utf-8"));
-}
-
-function loadCurrentConfig(): Record<string, unknown> {
-  return yaml.load(readFileSync(CONFIG_PATH, "utf-8")) as Record<string, unknown>;
-}
-
-function detectChanges(extracted: ExtractedFingerprint): Change[] {
-  const changes: Change[] = [];
-  const config = loadCurrentConfig();
-  const client = config.client as Record<string, string>;
-
-  // Version
-  if (extracted.app_version !== client.app_version) {
-    changes.push({
-      type: "auto",
-      category: "version",
-      description: "App version changed",
-      current: client.app_version,
-      updated: extracted.app_version,
-      file: CONFIG_PATH,
-    });
-  }
-
-  // Build number
-  if (extracted.build_number !== client.build_number) {
-    changes.push({
-      type: "auto",
-      category: "build",
-      description: "Build number changed",
-      current: client.build_number,
-      updated: extracted.build_number,
-      file: CONFIG_PATH,
-    });
-  }
-
-  // Originator
-  if (extracted.originator && extracted.originator !== client.originator) {
-    changes.push({
-      type: "auto",
-      category: "originator",
-      description: "Originator header changed",
-      current: client.originator,
-      updated: extracted.originator,
-      file: CONFIG_PATH,
-    });
-  }
-
-  // API base URL
-  const api = config.api as Record<string, string>;
-  if (extracted.api_base_url && extracted.api_base_url !== api.base_url) {
-    changes.push({
-      type: "alert",
-      category: "api_url",
-      description: "API base URL changed (CRITICAL)",
-      current: api.base_url,
-      updated: extracted.api_base_url,
-      file: CONFIG_PATH,
-    });
-  }
-
-  // Models — compare against config/models.yaml
-  const modelsYaml = yaml.load(readFileSync(MODELS_PATH, "utf-8")) as {
-    models: { id: string }[];
-  };
-  const currentModels = modelsYaml.models.map((m) => m.id);
-  const extractedModels = extracted.models.filter((m) => m.includes("codex") || currentModels.includes(m));
-
-  const newModels = extractedModels.filter((m) => !currentModels.includes(m));
-  const removedModels = currentModels.filter((m) => !extractedModels.includes(m));
-
-  if (newModels.length > 0) {
-    changes.push({
-      type: "semi-auto",
-      category: "models_added",
-      description: `New models found: ${newModels.join(", ")}`,
-      current: currentModels.join(", "),
-      updated: extractedModels.join(", "),
-      file: MODELS_PATH,
-    });
-  }
-
-  if (removedModels.length > 0) {
-    changes.push({
-      type: "semi-auto",
-      category: "models_removed",
-      description: `Models removed: ${removedModels.join(", ")}`,
-      current: currentModels.join(", "),
-      updated: extractedModels.join(", "),
-      file: MODELS_PATH,
-    });
-  }
-
-  // WHAM endpoints — check for new ones
-  const knownEndpoints = [
-    "/wham/tasks", "/wham/environments", "/wham/accounts/check",
-    "/wham/usage",
-  ];
-  const newEndpoints = extracted.wham_endpoints.filter(
-    (ep) => !knownEndpoints.some((k) => ep.startsWith(k))
-  );
-  if (newEndpoints.length > 0) {
-    changes.push({
-      type: "alert",
-      category: "endpoints",
-      description: `New WHAM endpoints found: ${newEndpoints.join(", ")}`,
-      current: "(known set)",
-      updated: newEndpoints.join(", "),
-      file: "src/proxy/wham-api.ts",
-    });
-  }
-
-  // System prompts — check hash changes
-  const promptConfigs = [
-    { name: "desktop-context", hash: extracted.prompts.desktop_context_hash, path: extracted.prompts.desktop_context_path },
-    { name: "title-generation", hash: extracted.prompts.title_generation_hash, path: extracted.prompts.title_generation_path },
-    { name: "pr-generation", hash: extracted.prompts.pr_generation_hash, path: extracted.prompts.pr_generation_path },
-    { name: "automation-response", hash: extracted.prompts.automation_response_hash, path: extracted.prompts.automation_response_path },
-  ];
-
-  for (const { name, hash, path } of promptConfigs) {
-    if (!hash || !path) continue;
-
-    const configPromptPath = resolve(PROMPTS_DIR, `${name}.md`);
-    if (!existsSync(configPromptPath)) {
-      changes.push({
-        type: "semi-auto",
-        category: `prompt_${name}`,
-        description: `New prompt file: ${name}.md (not in config/prompts/)`,
-        current: "(missing)",
-        updated: hash,
-        file: configPromptPath,
-      });
-      continue;
-    }
-
-    const currentContent = readFileSync(configPromptPath, "utf-8");
-    const currentHash = `sha256:${createHash("sha256").update(currentContent).digest("hex").slice(0, 16)}`;
-
-    if (currentHash !== hash) {
-      changes.push({
-        type: "semi-auto",
-        category: `prompt_${name}`,
-        description: `System prompt changed: ${name}`,
-        current: currentHash,
-        updated: hash,
-        file: configPromptPath,
-      });
-    }
-  }
-
-  return changes;
-}
-
-function applyAutoChanges(changes: Change[], dryRun: boolean): void {
-  const autoChanges = changes.filter((c) => c.type === "auto");
-
-  if (autoChanges.length === 0) {
-    console.log("\n  No auto-applicable changes.");
-    return;
-  }
-
-  // Group config changes
-  const configChanges = autoChanges.filter((c) => c.file === CONFIG_PATH);
-
-  if (configChanges.length > 0 && !dryRun) {
-    let configContent = readFileSync(CONFIG_PATH, "utf-8");
-
-    for (const change of configChanges) {
-      switch (change.category) {
-        case "version":
-          configContent = configContent.replace(
-            /app_version:\s*"[^"]+"/,
-            `app_version: "${change.updated}"`,
-          );
-          break;
-        case "build":
-          configContent = configContent.replace(
-            /build_number:\s*"[^"]+"/,
-            `build_number: "${change.updated}"`,
-          );
-          break;
-        case "originator":
-          configContent = configContent.replace(
-            /originator:\s*"[^"]+"/,
-            `originator: "${change.updated}"`,
-          );
-          break;
-      }
-    }
-
-    writeFileSync(CONFIG_PATH, configContent);
-    console.log(`  [APPLIED] config/default.yaml updated`);
-  }
-}
-
-function displayReport(changes: Change[], dryRun: boolean): void {
-  console.log("\n╔══════════════════════════════════════════╗");
-  console.log(`║  Update Analysis ${dryRun ? "(DRY RUN)" : ""}                    ║`);
-  console.log("╠══════════════════════════════════════════╣");
-
-  if (changes.length === 0) {
-    console.log("║  No changes detected — up to date!       ║");
-    console.log("╚══════════════════════════════════════════╝");
-    return;
-  }
-
-  console.log("╚══════════════════════════════════════════╝\n");
-
-  // Auto changes
-  const auto = changes.filter((c) => c.type === "auto");
-  if (auto.length > 0) {
-    console.log(`  AUTO-APPLY (${auto.length}):`);
-    for (const c of auto) {
-      const action = dryRun ? "WOULD APPLY" : "APPLIED";
-      console.log(`    [${action}] ${c.description}`);
-      console.log(`      ${c.current} → ${c.updated}`);
-    }
-  }
-
-  // Semi-auto changes
-  const semi = changes.filter((c) => c.type === "semi-auto");
-  if (semi.length > 0) {
-    console.log(`\n  SEMI-AUTO (needs review) (${semi.length}):`);
-    for (const c of semi) {
-      console.log(`    [REVIEW] ${c.description}`);
-      console.log(`      File: ${c.file}`);
-      console.log(`      Current: ${c.current}`);
-      console.log(`      New:     ${c.updated}`);
-    }
-  }
-
-  // Alerts
-  const alerts = changes.filter((c) => c.type === "alert");
-  if (alerts.length > 0) {
-    console.log(`\n  *** ALERTS (${alerts.length}) ***`);
-    for (const c of alerts) {
-      console.log(`    [ALERT] ${c.description}`);
-      console.log(`      File: ${c.file}`);
-      console.log(`      Current: ${c.current}`);
-      console.log(`      New:     ${c.updated}`);
-    }
-  }
-
-  // Prompt diffs
-  const promptChanges = changes.filter((c) => c.category.startsWith("prompt_"));
-  if (promptChanges.length > 0) {
-    console.log("\n  PROMPT CHANGES:");
-    console.log("  To apply prompt updates, copy from data/extracted-prompts/ to config/prompts/:");
-    for (const c of promptChanges) {
-      const name = c.category.replace("prompt_", "");
-      console.log(`    cp data/extracted-prompts/${name}.md config/prompts/${name}.md`);
-    }
-  }
-
-  console.log("");
-}
-
-async function main() {
-  const dryRun = process.argv.includes("--dry-run");
-
-  console.log("[apply-update] Loading extracted fingerprint...");
-  const extracted = loadExtracted();
-  console.log(`  Extracted: v${extracted.app_version} (build ${extracted.build_number})`);
-
-  console.log("[apply-update] Comparing with current config...");
-  const changes = detectChanges(extracted);
-
-  displayReport(changes, dryRun);
-
-  if (!dryRun) {
-    applyAutoChanges(changes, dryRun);
-  }
-
-  // Summary
-  const auto = changes.filter((c) => c.type === "auto").length;
-  const semi = changes.filter((c) => c.type === "semi-auto").length;
-  const alerts = changes.filter((c) => c.type === "alert").length;
-
-  console.log(`[apply-update] Summary: ${auto} auto, ${semi} semi-auto, ${alerts} alerts`);
-
-  if (semi > 0 || alerts > 0) {
-    console.log("[apply-update] Manual review needed for semi-auto and alert items above.");
-  }
-
-  if (dryRun && auto > 0) {
-    console.log("[apply-update] Run without --dry-run to apply auto changes.");
-  }
-}
-
-main().catch((err) => {
-  console.error("[apply-update] Fatal:", err);
-  process.exit(1);
-});

scripts/check-update.ts

@@ -1,157 +0,0 @@
-#!/usr/bin/env tsx
-/**
- * check-update.ts — Polls the Codex Sparkle appcast feed for new versions.
- *
- * Usage:
- *   npx tsx scripts/check-update.ts [--watch]
- *
- * With --watch: polls every 30 minutes and keeps running.
- * Without: runs once and exits.
- */
-
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
-import { resolve } from "path";
-import yaml from "js-yaml";
-
-const ROOT = resolve(import.meta.dirname, "..");
-const CONFIG_PATH = resolve(ROOT, "config/default.yaml");
-const STATE_PATH = resolve(ROOT, "data/update-state.json");
-const APPCAST_URL = "https://persistent.oaistatic.com/codex-app-prod/appcast.xml";
-const POLL_INTERVAL_MS = 30 * 60 * 1000; // 30 minutes
-
-interface UpdateState {
-  last_check: string;
-  latest_version: string | null;
-  latest_build: string | null;
-  download_url: string | null;
-  update_available: boolean;
-  current_version: string;
-  current_build: string;
-}
-
-interface CurrentConfig {
-  app_version: string;
-  build_number: string;
-}
-
-function loadCurrentConfig(): CurrentConfig {
-  const raw = yaml.load(readFileSync(CONFIG_PATH, "utf-8")) as Record<string, unknown>;
-  const client = raw.client as Record<string, string>;
-  return {
-    app_version: client.app_version,
-    build_number: client.build_number,
-  };
-}
-
-/**
- * Parse appcast XML to extract version info.
- * Uses regex-based parsing to avoid heavy XML dependencies.
- */
-function parseAppcast(xml: string): {
-  version: string | null;
-  build: string | null;
-  downloadUrl: string | null;
-} {
-  // Extract the latest <item> (first one is usually the latest)
-  const itemMatch = xml.match(/<item>([\s\S]*?)<\/item>/i);
-  if (!itemMatch) {
-    return { version: null, build: null, downloadUrl: null };
-  }
-  const item = itemMatch[1];
-
-  // sparkle:shortVersionString = display version
-  const versionMatch = item.match(/sparkle:shortVersionString="([^"]+)"/);
-  // sparkle:version = build number
-  const buildMatch = item.match(/sparkle:version="([^"]+)"/);
-  // url = download URL from enclosure
-  const urlMatch = item.match(/url="([^"]+)"/);
-
-  return {
-    version: versionMatch?.[1] ?? null,
-    build: buildMatch?.[1] ?? null,
-    downloadUrl: urlMatch?.[1] ?? null,
-  };
-}
-
-async function checkOnce(): Promise<UpdateState> {
-  const current = loadCurrentConfig();
-
-  console.log(`[check-update] Current: v${current.app_version} (build ${current.build_number})`);
-  console.log(`[check-update] Fetching ${APPCAST_URL}...`);
-
-  const res = await fetch(APPCAST_URL);
-  if (!res.ok) {
-    throw new Error(`Failed to fetch appcast: ${res.status} ${res.statusText}`);
-  }
-
-  const xml = await res.text();
-  const { version, build, downloadUrl } = parseAppcast(xml);
-
-  if (!version || !build) {
-    console.warn("[check-update] Could not parse version from appcast");
-    return {
-      last_check: new Date().toISOString(),
-      latest_version: null,
-      latest_build: null,
-      download_url: null,
-      update_available: false,
-      current_version: current.app_version,
-      current_build: current.build_number,
-    };
-  }
-
-  const updateAvailable =
-    version !== current.app_version || build !== current.build_number;
-
-  const state: UpdateState = {
-    last_check: new Date().toISOString(),
-    latest_version: version,
-    latest_build: build,
-    download_url: downloadUrl,
-    update_available: updateAvailable,
-    current_version: current.app_version,
-    current_build: current.build_number,
-  };
-
-  if (updateAvailable) {
-    console.log(`\n  *** UPDATE AVAILABLE ***`);
-    console.log(`  New version: ${version} (build ${build})`);
-    console.log(`  Current:     ${current.app_version} (build ${current.build_number})`);
-    if (downloadUrl) {
-      console.log(`  Download:    ${downloadUrl}`);
-    }
-    console.log(`\n  Run: npm run extract -- --path <new-codex-path>`);
-    console.log(`  Then: npm run apply-update\n`);
-  } else {
-    console.log(`[check-update] Up to date: v${version} (build ${build})`);
-  }
-
-  // Write state
-  mkdirSync(resolve(ROOT, "data"), { recursive: true });
-  writeFileSync(STATE_PATH, JSON.stringify(state, null, 2));
-  console.log(`[check-update] State written to ${STATE_PATH}`);
-
-  return state;
-}
-
-async function main() {
-  const watch = process.argv.includes("--watch");
-
-  await checkOnce();
-
-  if (watch) {
-    console.log(`[check-update] Watching for updates every ${POLL_INTERVAL_MS / 60000} minutes...`);
-    setInterval(async () => {
-      try {
-        await checkOnce();
-      } catch (err) {
-        console.error("[check-update] Poll error:", err);
-      }
-    }, POLL_INTERVAL_MS);
-  }
-}
-
-main().catch((err) => {
-  console.error("[check-update] Fatal:", err);
-  process.exit(1);
-});

scripts/extract-fingerprint.ts

@@ -1,445 +0,0 @@
-#!/usr/bin/env tsx
-/**
- * extract-fingerprint.ts — Extracts key fingerprint values from a Codex Desktop
- * installation (macOS .app or Windows extracted ASAR).
- *
- * Usage:
- *   npx tsx scripts/extract-fingerprint.ts --path "C:/path/to/Codex" [--asar-out ./asar-out]
- *
- * The path can point to:
- *   - A macOS .app bundle (Codex.app)
- *   - A directory containing an already-extracted ASAR (with package.json and .vite/build/main.js)
- *   - A Windows install dir containing resources/app.asar
- */
-
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
-import { resolve, join } from "path";
-import { createHash } from "crypto";
-import { execSync } from "child_process";
-import yaml from "js-yaml";
-
-const ROOT = resolve(import.meta.dirname, "..");
-const OUTPUT_PATH = resolve(ROOT, "data/extracted-fingerprint.json");
-const PROMPTS_DIR = resolve(ROOT, "data/extracted-prompts");
-const PATTERNS_PATH = resolve(ROOT, "config/extraction-patterns.yaml");
-
-interface ExtractionPatterns {
-  package_json: { version_key: string; build_number_key: string; sparkle_feed_key: string };
-  main_js: Record<string, {
-    pattern?: string;
-    group?: number;
-    global?: boolean;
-    start_marker?: string;
-    end_marker?: string;
-    end_pattern?: string;
-    description: string;
-  }>;
-}
-
-interface ExtractedFingerprint {
-  app_version: string;
-  build_number: string;
-  api_base_url: string | null;
-  originator: string | null;
-  models: string[];
-  wham_endpoints: string[];
-  user_agent_contains: string;
-  sparkle_feed_url: string | null;
-  prompts: {
-    desktop_context_hash: string | null;
-    desktop_context_path: string | null;
-    title_generation_hash: string | null;
-    title_generation_path: string | null;
-    pr_generation_hash: string | null;
-    pr_generation_path: string | null;
-    automation_response_hash: string | null;
-    automation_response_path: string | null;
-  };
-  extracted_at: string;
-  source_path: string;
-}
-
-function sha256(content: string): string {
-  return `sha256:${createHash("sha256").update(content, "utf-8").digest("hex").slice(0, 16)}`;
-}
-
-function loadPatterns(): ExtractionPatterns {
-  const raw = yaml.load(readFileSync(PATTERNS_PATH, "utf-8")) as ExtractionPatterns;
-  return raw;
-}
-
-/**
- * Find the extracted ASAR root given an input path.
- * Tries multiple layout conventions.
- */
-function findAsarRoot(inputPath: string): string {
-  // Direct: path has package.json (already extracted)
-  if (existsSync(join(inputPath, "package.json"))) {
-    return inputPath;
-  }
-
-  // macOS .app bundle
-  const macResources = join(inputPath, "Contents/Resources");
-  if (existsSync(join(macResources, "app.asar"))) {
-    return extractAsar(join(macResources, "app.asar"));
-  }
-
-  // Windows: resources/app.asar
-  const winResources = join(inputPath, "resources");
-  if (existsSync(join(winResources, "app.asar"))) {
-    return extractAsar(join(winResources, "app.asar"));
-  }
-
-  // Already extracted: check for nested 'extracted' dir
-  const extractedDir = join(inputPath, "extracted");
-  if (existsSync(join(extractedDir, "package.json"))) {
-    return extractedDir;
-  }
-
-  // Check recovered/extracted pattern
-  const recoveredExtracted = join(inputPath, "recovered/extracted");
-  if (existsSync(join(recoveredExtracted, "package.json"))) {
-    return recoveredExtracted;
-  }
-
-  throw new Error(
-    `Cannot find Codex source at ${inputPath}. Expected package.json or app.asar.`
-  );
-}
-
-function extractAsar(asarPath: string): string {
-  const outDir = resolve(ROOT, ".asar-out");
-  console.log(`[extract] Extracting ASAR: ${asarPath} → ${outDir}`);
-  execSync(`npx @electron/asar extract "${asarPath}" "${outDir}"`, {
-    stdio: "inherit",
-  });
-  return outDir;
-}
-
-/**
- * Step A: Extract from package.json
- */
-function extractFromPackageJson(root: string): {
-  version: string;
-  buildNumber: string;
-  sparkleFeedUrl: string | null;
-} {
-  const pkgPath = join(root, "package.json");
-  const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
-
-  return {
-    version: pkg.version ?? "unknown",
-    buildNumber: String(pkg.codexBuildNumber ?? "unknown"),
-    sparkleFeedUrl: pkg.codexSparkleFeedUrl ?? null,
-  };
-}
-
-/**
- * Step B: Extract values from main.js using patterns
- */
-function extractFromMainJs(
-  content: string,
-  patterns: ExtractionPatterns["main_js"],
-): {
-  apiBaseUrl: string | null;
-  originator: string | null;
-  models: string[];
-  whamEndpoints: string[];
-  userAgentContains: string;
-} {
-  // API base URL
-  let apiBaseUrl: string | null = null;
-  const apiPattern = patterns.api_base_url;
-  if (apiPattern?.pattern) {
-    const m = content.match(new RegExp(apiPattern.pattern));
-    if (m) apiBaseUrl = m[0];
-  }
-
-  // Fail fast on critical fields
-  if (!apiBaseUrl) {
-    console.error("[extract] CRITICAL: Failed to extract API base URL from main.js");
-    console.error("[extract] The extraction pattern may need updating for this version.");
-    throw new Error("Failed to extract critical field: api_base_url");
-  }
-
-  // Originator
-  let originator: string | null = null;
-  const origPattern = patterns.originator;
-  if (origPattern?.pattern) {
-    const m = content.match(new RegExp(origPattern.pattern));
-    if (m) originator = m[origPattern.group ?? 0] ?? m[0];
-  }
-
-  // Fail fast on critical fields
-  if (!originator) {
-    console.error("[extract] CRITICAL: Failed to extract originator from main.js");
-    console.error("[extract] The extraction pattern may need updating for this version.");
-    throw new Error("Failed to extract critical field: originator");
-  }
-
-  // Models — deduplicate, use capture group if specified
-  const models: Set<string> = new Set();
-  const modelPattern = patterns.models;
-  if (modelPattern?.pattern) {
-    const re = new RegExp(modelPattern.pattern, "g");
-    const groupIdx = modelPattern.group ?? 0;
-    for (const m of content.matchAll(re)) {
-      models.add(m[groupIdx] ?? m[0]);
-    }
-  }
-
-  // WHAM endpoints — deduplicate, use capture group if specified
-  const endpoints: Set<string> = new Set();
-  const epPattern = patterns.wham_endpoints;
-  if (epPattern?.pattern) {
-    const re = new RegExp(epPattern.pattern, "g");
-    const epGroupIdx = epPattern.group ?? 0;
-    for (const m of content.matchAll(re)) {
-      endpoints.add(m[epGroupIdx] ?? m[0]);
-    }
-  }
-
-  return {
-    apiBaseUrl,
-    originator,
-    models: [...models].sort(),
-    whamEndpoints: [...endpoints].sort(),
-    userAgentContains: "Codex Desktop/",
-  };
-}
-
-/**
- * Step B (continued): Extract system prompts from main.js
- */
-function extractPrompts(content: string): {
-  desktopContext: string | null;
-  titleGeneration: string | null;
-  prGeneration: string | null;
-  automationResponse: string | null;
-} {
-  // Desktop context: from "# Codex desktop context" to the end of the template literal
-  let desktopContext: string | null = null;
-  const dcStart = content.indexOf("# Codex desktop context");
-  if (dcStart !== -1) {
-    // Find the closing backtick of the template literal
-    // Look backwards from dcStart for the opening backtick to understand nesting
-    // Then scan forward for the matching close
-    const afterStart = content.indexOf("`;", dcStart);
-    if (afterStart !== -1) {
-      desktopContext = content.slice(dcStart, afterStart).trim();
-    }
-  }
-
-  // Title generation: from the function that builds the array
-  let titleGeneration: string | null = null;
-  const titleMarker = "You are a helpful assistant. You will be presented with a user prompt";
-  const titleStart = content.indexOf(titleMarker);
-  if (titleStart !== -1) {
-    // Find the enclosing array end: ].join(
-    const joinIdx = content.indexOf("].join(", titleStart);
-    if (joinIdx !== -1) {
-      // Extract the array content between [ and ]
-      const bracketStart = content.lastIndexOf("[", titleStart);
-      if (bracketStart !== -1) {
-        const arrayContent = content.slice(bracketStart + 1, joinIdx);
-        // Parse string literals from the array
-        titleGeneration = parseStringArray(arrayContent);
-      }
-    }
-  }
-
-  // PR generation
-  let prGeneration: string | null = null;
-  const prMarker = "You are a helpful assistant. Generate a pull request title";
-  const prStart = content.indexOf(prMarker);
-  if (prStart !== -1) {
-    const joinIdx = content.indexOf("].join(", prStart);
-    if (joinIdx !== -1) {
-      const bracketStart = content.lastIndexOf("[", prStart);
-      if (bracketStart !== -1) {
-        const arrayContent = content.slice(bracketStart + 1, joinIdx);
-        prGeneration = parseStringArray(arrayContent);
-      }
-    }
-  }
-
-  // Automation response: template literal starting with "Response MUST end with"
-  let automationResponse: string | null = null;
-  const autoMarker = "Response MUST end with a remark-directive block";
-  const autoStart = content.indexOf(autoMarker);
-  if (autoStart !== -1) {
-    const afterAuto = content.indexOf("`;", autoStart);
-    if (afterAuto !== -1) {
-      automationResponse = content.slice(autoStart, afterAuto).trim();
-    }
-  }
-
-  return { desktopContext, titleGeneration, prGeneration, automationResponse };
-}
-
-/**
- * Parse a JavaScript string array content into a single joined string.
- * Handles simple quoted strings separated by commas.
- */
-function parseStringArray(arrayContent: string): string {
-  const lines: string[] = [];
-  // Match quoted strings (both single and double quotes) and template literals
-  const stringRe = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
-  for (const m of arrayContent.matchAll(stringRe)) {
-    const str = m[1] ?? m[2] ?? "";
-    // Unescape common sequences
-    lines.push(
-      str
-        .replace(/\\n/g, "\n")
-        .replace(/\\t/g, "\t")
-        .replace(/\\"/g, '"')
-        .replace(/\\'/g, "'")
-        .replace(/\\\\/g, "\\")
-    );
-  }
-  return lines.join("\n");
-}
-
-function savePrompt(name: string, content: string | null): { hash: string | null; path: string | null } {
-  if (!content) return { hash: null, path: null };
-
-  mkdirSync(PROMPTS_DIR, { recursive: true });
-  const filePath = join(PROMPTS_DIR, `${name}.md`);
-  writeFileSync(filePath, content);
-
-  return {
-    hash: sha256(content),
-    path: filePath,
-  };
-}
-
-async function main() {
-  // Parse --path argument
-  const pathIdx = process.argv.indexOf("--path");
-  if (pathIdx === -1 || !process.argv[pathIdx + 1]) {
-    console.error("Usage: npx tsx scripts/extract-fingerprint.ts --path <codex-path>");
-    console.error("");
-    console.error("  <codex-path> can be:");
-    console.error("    - macOS: /path/to/Codex.app");
-    console.error("    - Windows: C:/path/to/Codex (containing resources/app.asar)");
-    console.error("    - Extracted: directory with package.json and .vite/build/main.js");
-    process.exit(1);
-  }
-
-  const inputPath = resolve(process.argv[pathIdx + 1]);
-  console.log(`[extract] Input: ${inputPath}`);
-
-  // Find ASAR root
-  const asarRoot = findAsarRoot(inputPath);
-  console.log(`[extract] ASAR root: ${asarRoot}`);
-
-  // Load extraction patterns
-  const patterns = loadPatterns();
-
-  // Step A: package.json
-  console.log("[extract] Reading package.json...");
-  const { version, buildNumber, sparkleFeedUrl } = extractFromPackageJson(asarRoot);
-  console.log(`  version: ${version}`);
-  console.log(`  build:   ${buildNumber}`);
-
-  // Step B: main.js
-  console.log("[extract] Loading main.js...");
-  const mainJs = await (async () => {
-    const mainPath = join(asarRoot, ".vite/build/main.js");
-    if (!existsSync(mainPath)) {
-      console.warn("[extract] main.js not found, skipping JS extraction");
-      return null;
-    }
-
-    const content = readFileSync(mainPath, "utf-8");
-    const lineCount = content.split("\n").length;
-
-    if (lineCount < 100 && content.length > 100000) {
-      console.log("[extract] main.js appears minified, attempting beautify...");
-      try {
-        const jsBeautify = await import("js-beautify");
-        return jsBeautify.default.js(content, { indent_size: 2 });
-      } catch {
-        console.warn("[extract] js-beautify not available, using raw content");
-        return content;
-      }
-    }
-    return content;
-  })();
-
-  let mainJsResults = {
-    apiBaseUrl: null as string | null,
-    originator: null as string | null,
-    models: [] as string[],
-    whamEndpoints: [] as string[],
-    userAgentContains: "Codex Desktop/",
-  };
-
-  let promptResults = {
-    desktopContext: null as string | null,
-    titleGeneration: null as string | null,
-    prGeneration: null as string | null,
-    automationResponse: null as string | null,
-  };
-
-  if (mainJs) {
-    console.log(`[extract] main.js loaded (${mainJs.split("\n").length} lines)`);
-
-    mainJsResults = extractFromMainJs(mainJs, patterns.main_js);
-    console.log(`  API base URL:  ${mainJsResults.apiBaseUrl}`);
-    console.log(`  originator:    ${mainJsResults.originator}`);
-    console.log(`  models:        ${mainJsResults.models.join(", ")}`);
-    console.log(`  WHAM endpoints: ${mainJsResults.whamEndpoints.length} found`);
-
-    // Extract system prompts
-    console.log("[extract] Extracting system prompts...");
-    promptResults = extractPrompts(mainJs);
-    console.log(`  desktop-context:     ${promptResults.desktopContext ? "found" : "NOT FOUND"}`);
-    console.log(`  title-generation:    ${promptResults.titleGeneration ? "found" : "NOT FOUND"}`);
-    console.log(`  pr-generation:       ${promptResults.prGeneration ? "found" : "NOT FOUND"}`);
-    console.log(`  automation-response: ${promptResults.automationResponse ? "found" : "NOT FOUND"}`);
-  }
-
-  // Save extracted prompts
-  const dc = savePrompt("desktop-context", promptResults.desktopContext);
-  const tg = savePrompt("title-generation", promptResults.titleGeneration);
-  const pr = savePrompt("pr-generation", promptResults.prGeneration);
-  const ar = savePrompt("automation-response", promptResults.automationResponse);
-
-  // Build output
-  const fingerprint: ExtractedFingerprint = {
-    app_version: version,
-    build_number: buildNumber,
-    api_base_url: mainJsResults.apiBaseUrl,
-    originator: mainJsResults.originator,
-    models: mainJsResults.models,
-    wham_endpoints: mainJsResults.whamEndpoints,
-    user_agent_contains: mainJsResults.userAgentContains,
-    sparkle_feed_url: sparkleFeedUrl,
-    prompts: {
-      desktop_context_hash: dc.hash,
-      desktop_context_path: dc.path,
-      title_generation_hash: tg.hash,
-      title_generation_path: tg.path,
-      pr_generation_hash: pr.hash,
-      pr_generation_path: pr.path,
-      automation_response_hash: ar.hash,
-      automation_response_path: ar.path,
-    },
-    extracted_at: new Date().toISOString(),
-    source_path: inputPath,
-  };
-
-  // Write output
-  mkdirSync(resolve(ROOT, "data"), { recursive: true });
-  writeFileSync(OUTPUT_PATH, JSON.stringify(fingerprint, null, 2));
-
-  console.log(`\n[extract] Fingerprint written to ${OUTPUT_PATH}`);
-  console.log(`[extract] Prompts written to ${PROMPTS_DIR}/`);
-  console.log("[extract] Done.");
-}
-
-main().catch((err) => {
-  console.error("[extract] Fatal:", err);
-  process.exit(1);
-});

scripts/test-create-env-gh.ts

@@ -1,74 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('Not auth'); return; }
-  const c = new ProxyClient(tk, am.getAccountId());
-
-  // Create environment: github/octocat/Hello-World
-  console.log('=== Create env ===');
-  const r = await c.post('wham/environments', {
-    machine_id: '6993d698c6a48190bcc7ed131c5f34b4',
-    repos: ['github/octocat/Hello-World'],
-    label: 'proxy-env',
-  });
-  console.log(r.status, JSON.stringify(r.body).slice(0, 800));
-
-  if (r.ok) {
-    const env = r.body as { environment_id?: string; id?: string };
-    const envId = env.environment_id || env.id;
-    console.log('Environment ID:', envId);
-
-    if (envId) {
-      // Create task with this environment
-      console.log('\n=== Create task with env ===');
-      const tr = await c.post('wham/tasks', {
-        new_task: {
-          branch: 'main',
-          environment_id: envId,
-          run_environment_in_qa_mode: false,
-        },
-        input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello in one sentence.' }] }],
-        model: 'gpt-5.1-codex-mini',
-        developer_instructions: null,
-        base_instructions: null,
-        personality: null,
-        approval_policy: 'never',
-        sandbox: 'workspace-write',
-        ephemeral: null,
-      });
-      console.log(tr.status, JSON.stringify(tr.body).slice(0, 800));
-
-      const taskBody = tr.body as { task?: { id?: string; current_turn_id?: string } };
-      if (tr.ok && taskBody?.task?.id) {
-        const taskId = taskBody.task.id;
-        const turnId = taskBody.task.current_turn_id;
-        console.log('\nPolling...');
-        for (let i = 0; i < 60; i++) {
-          await new Promise(res => setTimeout(res, 3000));
-          const poll = await c.get(
-            'wham/tasks/' + encodeURIComponent(taskId) + '/turns/' + encodeURIComponent(turnId!)
-          );
-          const pd = poll.body as { turn?: { turn_status?: string; output_items?: unknown[]; error?: unknown } };
-          const st = pd?.turn?.turn_status;
-          console.log('  ' + i + ': ' + st);
-          if (st === 'completed' || st === 'failed' || st === 'cancelled') {
-            if (pd?.turn?.error) console.log('  Error:', JSON.stringify(pd.turn.error));
-            if (pd?.turn?.output_items) console.log('  Output:', JSON.stringify(pd.turn.output_items).slice(0, 1000));
-            break;
-          }
-        }
-      }
-    }
-  }
-
-  // Also try listing environments now
-  console.log('\n=== List environments ===');
-  const le = await c.get('wham/environments');
-  console.log(le.status, JSON.stringify(le.body).slice(0, 400));
-}
-main().catch(e => console.error(e));

scripts/test-create-env-real.ts

@@ -1,128 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-import { buildHeadersWithContentType } from '../src/fingerprint/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('Not authenticated'); return; }
-  const aid = am.getAccountId();
-  const c = new ProxyClient(tk, aid);
-  const base = 'https://chatgpt.com/backend-api';
-
-  const machineId = '6993d698c6a48190bcc7ed131c5f34b4';
-
-  // Test 1: Create environment with a real public GitHub repo
-  console.log('=== Test 1: POST /wham/environments with real repo ===');
-  try {
-    const r = await c.post('wham/environments', {
-      machine_id: machineId,
-      repos: [{ provider: 'github', owner: 'octocat', name: 'Hello-World' }],
-      label: 'test-env',
-    });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 2: Different repos format
-  console.log('\n=== Test 2: repos as string array ===');
-  try {
-    const r = await c.post('wham/environments', {
-      machine_id: machineId,
-      repos: ['octocat/Hello-World'],
-      label: 'test-env-2',
-    });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 3: Minimal environment creation
-  console.log('\n=== Test 3: minimal env ===');
-  try {
-    const r = await c.post('wham/environments', {
-      machine_id: machineId,
-    });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 4: Create environment via different endpoint
-  console.log('\n=== Test 4: POST /wham/environments/create ===');
-  try {
-    const r = await c.post('wham/environments/create', {
-      machine_id: machineId,
-      repos: ['octocat/Hello-World'],
-    });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 5: Try the webview approach - look at how the webview creates environments
-  // The webview uses POST /wham/tasks with environment embedded
-  // Let me try creating a task without environment_id but with DELETE of the key
-  console.log('\n=== Test 5: POST /wham/tasks with environment_id deleted (raw fetch) ===');
-  try {
-    const body: Record<string, unknown> = {
-      new_task: {
-        branch: 'main',
-        run_environment_in_qa_mode: false,
-      },
-      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
-      model: 'gpt-5.1-codex-mini',
-      developer_instructions: null,
-      base_instructions: null,
-      personality: null,
-      approval_policy: 'never',
-      sandbox: 'workspace-write',
-      ephemeral: null,
-    };
-    // Verify environment_id is truly not in the JSON
-    console.log('Body keys:', Object.keys(body.new_task as object));
-    const res = await fetch(`${base}/wham/tasks`, {
-      method: 'POST',
-      headers: buildHeadersWithContentType(tk, aid),
-      body: JSON.stringify(body),
-    });
-    const data = await res.json();
-    console.log(res.status, JSON.stringify(data).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 6: What about follow_up without new_task?
-  console.log('\n=== Test 6: POST /wham/tasks without new_task (just input_items) ===');
-  try {
-    const body = {
-      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
-      model: 'gpt-5.1-codex-mini',
-    };
-    const res = await fetch(`${base}/wham/tasks`, {
-      method: 'POST',
-      headers: buildHeadersWithContentType(tk, aid),
-      body: JSON.stringify(body),
-    });
-    const data = await res.json();
-    console.log(res.status, JSON.stringify(data).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-
-  // Test 7: Maybe the issue is that we need to send a requestBody wrapper?
-  // The webview uses: CodexRequest.safePost("/wham/tasks", { requestBody: {...} })
-  console.log('\n=== Test 7: POST /wham/tasks with requestBody wrapper ===');
-  try {
-    const body = {
-      requestBody: {
-        new_task: {
-          branch: 'main',
-          run_environment_in_qa_mode: false,
-        },
-        input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
-        model: 'gpt-5.1-codex-mini',
-      },
-    };
-    const res = await fetch(`${base}/wham/tasks`, {
-      method: 'POST',
-      headers: buildHeadersWithContentType(tk, aid),
-      body: JSON.stringify(body),
-    });
-    const data = await res.json();
-    console.log(res.status, JSON.stringify(data).slice(0, 600));
-  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
-}
-
-main().catch(e => console.error(e));

scripts/test-env-full.ts

@@ -1,113 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-import { buildHeaders, buildHeadersWithContentType } from '../src/fingerprint/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('Not authenticated'); return; }
-  const aid = am.getAccountId();
-  const c = new ProxyClient(tk, aid);
-  const base = 'https://chatgpt.com/backend-api';
-
-  // Try all possible environment-related endpoints
-  const endpoints = [
-    { method: 'GET', path: 'wham/environments' },
-    { method: 'GET', path: 'wham/machines' },
-    { method: 'GET', path: 'wham/accounts/check' },
-    { method: 'GET', path: 'wham/usage' },
-    { method: 'GET', path: 'wham/tasks' },
-    // Codex CLI endpoints
-    { method: 'GET', path: 'api/codex/environments' },
-    // Try to see if there's a way to check features
-    { method: 'GET', path: 'wham/features' },
-    { method: 'GET', path: 'wham/config' },
-    // Try without environment at all — use ephemeral
-    { method: 'POST', path: 'wham/tasks', body: {
-      new_task: { branch: 'main', environment_id: null, run_environment_in_qa_mode: false },
-      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hi' }] }],
-      model: 'gpt-5.1-codex-mini',
-      ephemeral: true,
-    }},
-    // Try with ephemeral flag and no environment
-    { method: 'POST', path: 'wham/tasks', body: {
-      new_task: { branch: 'main' },
-      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hi' }] }],
-      model: 'gpt-5.1-codex-mini',
-      ephemeral: true,
-      approval_policy: 'never',
-      sandbox: 'workspace-write',
-    }},
-  ];
-
-  for (const ep of endpoints) {
-    console.log(`\n=== ${ep.method} /${ep.path} ===`);
-    try {
-      let res: Response;
-      if (ep.method === 'POST') {
-        res = await fetch(`${base}/${ep.path}`, {
-          method: 'POST',
-          headers: buildHeadersWithContentType(tk, aid),
-          body: JSON.stringify(ep.body),
-        });
-      } else {
-        res = await fetch(`${base}/${ep.path}`, {
-          headers: buildHeaders(tk, aid),
-        });
-      }
-      const ct = res.headers.get('content-type') || '';
-      if (ct.includes('json')) {
-        const data = await res.json();
-        console.log(res.status, JSON.stringify(data).slice(0, 600));
-      } else {
-        const text = await res.text();
-        console.log(res.status, text.slice(0, 300));
-      }
-    } catch (e: unknown) {
-      console.log('Error:', (e as Error).message);
-    }
-  }
-
-  // Also try listing existing tasks to see if any have environment info
-  console.log('\n=== GET /wham/tasks (list existing tasks) ===');
-  try {
-    const r = await fetch(`${base}/wham/tasks`, {
-      headers: buildHeaders(tk, aid),
-    });
-    const data = await r.json() as { items?: Array<{ id?: string; task_status_display?: unknown }> };
-    console.log(r.status);
-    if (data.items) {
-      console.log('Total tasks:', data.items.length);
-      for (const t of data.items.slice(0, 3)) {
-        console.log('  Task:', t.id, JSON.stringify(t.task_status_display).slice(0, 200));
-      }
-    } else {
-      console.log(JSON.stringify(data).slice(0, 400));
-    }
-  } catch (e: unknown) {
-    console.log('Error:', (e as Error).message);
-  }
-
-  // Check a specific task to see its environment info
-  console.log('\n=== Check a recent task for environment details ===');
-  try {
-    const r = await fetch(`${base}/wham/tasks`, {
-      headers: buildHeaders(tk, aid),
-    });
-    const data = await r.json() as { items?: Array<{ id?: string }> };
-    if (data.items && data.items.length > 0) {
-      const taskId = data.items[0].id!;
-      const tr = await fetch(`${base}/wham/tasks/${encodeURIComponent(taskId)}`, {
-        headers: buildHeaders(tk, aid),
-      });
-      const td = await tr.json();
-      console.log('Task detail:', JSON.stringify(td).slice(0, 1000));
-    }
-  } catch (e: unknown) {
-    console.log('Error:', (e as Error).message);
-  }
-}
-
-main().catch(e => console.error(e));

scripts/test-repo-format.ts

@@ -1,27 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('Not auth'); return; }
-  const c = new ProxyClient(tk, am.getAccountId());
-  const mid = '6993d698c6a48190bcc7ed131c5f34b4';
-
-  const formats = [
-    'github:octocat/Hello-World',
-    'octocat/Hello-World',
-    'github/octocat/hello-world',
-    'https://github.com/octocat/Hello-World',
-  ];
-
-  for (const repo of formats) {
-    console.log('--- repos: ["' + repo + '"] ---');
-    const r = await c.post('wham/environments', { machine_id: mid, repos: [repo], label: 'test' });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 300));
-    console.log('');
-  }
-}
-main().catch(e => console.error(e));

scripts/test-repo2.ts

@@ -1,23 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('no auth'); return; }
-  const c = new ProxyClient(tk, am.getAccountId());
-  const mid = '6993d698c6a48190bcc7ed131c5f34b4';
-  const tests = [
-    'github/torvalds/linux',
-    'github/facebook/react',
-    'torvalds/linux',
-  ];
-  for (const repo of tests) {
-    console.log('repos: [' + repo + ']');
-    const r = await c.post('wham/environments', { machine_id: mid, repos: [repo], label: 'test' });
-    console.log(r.status, JSON.stringify(r.body).slice(0, 400));
-    console.log('');
-  }
-}
-main();

scripts/test-responses-api.ts

@@ -1,99 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { AuthManager } from '../src/auth/manager.js';
-import { buildHeadersWithContentType } from '../src/fingerprint/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('no auth token'); return; }
-  const aid = am.getAccountId();
-
-  const base = 'https://chatgpt.com/backend-api/codex';
-  const hdrs = buildHeadersWithContentType(tk, aid);
-
-  // Test 1: non-streaming
-  console.log('=== Test 1: POST /codex/responses (non-streaming) ===');
-  try {
-    const r = await fetch(base + '/responses', {
-      method: 'POST',
-      headers: hdrs,
-      body: JSON.stringify({
-        model: 'gpt-5.1-codex-mini',
-        instructions: 'You are a helpful assistant.',
-        input: [{ role: 'user', content: 'Say hello in one sentence.' }],
-        stream: false,
-        store: false,
-      }),
-    });
-    console.log('Status:', r.status, r.statusText);
-    const ct = r.headers.get('content-type') || '';
-    console.log('Content-Type:', ct);
-    if (ct.includes('json')) {
-      const j = await r.json();
-      console.log('Body:', JSON.stringify(j, null, 2).slice(0, 3000));
-    } else {
-      const t = await r.text();
-      console.log('Body:', t.slice(0, 2000));
-    }
-  } catch (e: any) {
-    console.log('Error:', e.message);
-  }
-
-  // Test 2: streaming
-  console.log('\n=== Test 2: POST /codex/responses (streaming) ===');
-  try {
-    const streamHdrs = { ...hdrs, 'Accept': 'text/event-stream' };
-    const r = await fetch(base + '/responses', {
-      method: 'POST',
-      headers: streamHdrs,
-      body: JSON.stringify({
-        model: 'gpt-5.1-codex-mini',
-        instructions: 'You are a helpful assistant.',
-        input: [{ role: 'user', content: 'Say hello in one sentence.' }],
-        stream: true,
-        store: false,
-      }),
-    });
-    console.log('Status:', r.status, r.statusText);
-    const ct = r.headers.get('content-type') || '';
-    console.log('Content-Type:', ct);
-
-    if (r.status !== 200) {
-      const t = await r.text();
-      console.log('Error body:', t.slice(0, 1000));
-    } else {
-      const reader = r.body!.getReader();
-      const decoder = new TextDecoder();
-      let fullText = '';
-      let chunks = 0;
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        const chunk = decoder.decode(value, { stream: true });
-        fullText += chunk;
-        chunks++;
-        if (chunks <= 10) {
-          console.log(`--- Chunk ${chunks} ---`);
-          console.log(chunk.slice(0, 300));
-        }
-      }
-      console.log('\nTotal chunks:', chunks);
-      console.log('Full response length:', fullText.length);
-      // Show some events
-      const events = fullText.split('\n\n').filter(e => e.trim());
-      console.log('Total SSE events:', events.length);
-      // Show last few events
-      const last5 = events.slice(-5);
-      console.log('\nLast 5 events:');
-      for (const ev of last5) {
-        console.log(ev.slice(0, 300));
-        console.log('---');
-      }
-    }
-  } catch (e: any) {
-    console.log('Error:', e.message);
-  }
-}
-
-main();

scripts/test-snapshot.ts

@@ -1,117 +0,0 @@
-import { loadConfig, loadFingerprint } from '../src/config.js';
-import { ProxyClient } from '../src/proxy/client.js';
-import { AuthManager } from '../src/auth/manager.js';
-
-async function main() {
-  loadConfig(); loadFingerprint();
-  const am = new AuthManager();
-  const tk = await am.getToken();
-  if (!tk) { console.log('Not authenticated'); return; }
-  const c = new ProxyClient(tk, am.getAccountId());
-
-  // Step 1: Get upload URL for a worktree snapshot
-  console.log('=== Step 1: POST /wham/worktree_snapshots/upload_url ===');
-  const r1 = await c.post('wham/worktree_snapshots/upload_url', {
-    file_name: 'snapshot.tar.gz',
-    file_size: 100,
-    repo_name: 'workspace',
-  });
-  console.log('Status:', r1.status);
-  console.log('Body:', JSON.stringify(r1.body).slice(0, 800));
-
-  if (!r1.ok) {
-    console.log('Failed to get upload URL');
-    return;
-  }
-
-  const body1 = r1.body as { upload_url?: string; file_id?: string; status?: string };
-  console.log('Upload URL:', body1.upload_url?.slice(0, 100));
-  console.log('File ID:', body1.file_id);
-
-  // Step 2: Upload a minimal tar.gz (empty)
-  if (body1.upload_url) {
-    console.log('\n=== Step 2: Upload minimal snapshot ===');
-    // Create a minimal gzip file (empty gzip)
-    const emptyGzip = Buffer.from([
-      0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00,
-    ]);
-
-    const uploadRes = await fetch(body1.upload_url, {
-      method: 'PUT',
-      body: emptyGzip,
-      headers: { 'Content-Type': 'application/gzip' },
-    });
-    console.log('Upload status:', uploadRes.status);
-    const uploadText = await uploadRes.text();
-    console.log('Upload response:', uploadText.slice(0, 300));
-  }
-
-  // Step 3: Finish upload
-  if (body1.file_id) {
-    console.log('\n=== Step 3: POST /wham/worktree_snapshots/finish_upload ===');
-    const r3 = await c.post('wham/worktree_snapshots/finish_upload', {
-      file_id: body1.file_id,
-    });
-    console.log('Status:', r3.status);
-    console.log('Body:', JSON.stringify(r3.body).slice(0, 800));
-
-    // Step 4: Create a task with this file_id
-    console.log('\n=== Step 4: Create task with valid file_id ===');
-    const r4 = await c.post('wham/tasks', {
-      new_task: {
-        branch: 'main',
-        environment_id: null,
-        environment: {
-          repos: [{
-            kind: 'local_worktree',
-            name: 'workspace',
-            remotes: {},
-            commit_sha: '0000000000000000000000000000000000000000',
-            branch: 'main',
-            file_id: body1.file_id,
-          }],
-        },
-        run_environment_in_qa_mode: false,
-      },
-      input_items: [
-        { type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello in one sentence.' }] }
-      ],
-      model: 'gpt-5.1-codex-mini',
-      developer_instructions: null,
-      base_instructions: null,
-      personality: null,
-      approval_policy: 'never',
-      sandbox: 'workspace-write',
-      ephemeral: null,
-    });
-    console.log('Task status:', r4.status);
-    console.log('Task body:', JSON.stringify(r4.body).slice(0, 600));
-
-    // Step 5: Poll for result
-    const taskBody = r4.body as { task?: { id?: string; current_turn_id?: string } };
-    if (r4.ok && taskBody?.task?.id) {
-      const taskId = taskBody.task.id;
-      const turnId = taskBody.task.current_turn_id!;
-      console.log('\n=== Step 5: Poll for turn completion ===');
-      console.log('Task:', taskId);
-      console.log('Turn:', turnId);
-
-      for (let i = 0; i < 30; i++) {
-        await new Promise(res => setTimeout(res, 3000));
-        const tr = await c.get(`wham/tasks/${encodeURIComponent(taskId)}/turns/${encodeURIComponent(turnId)}`);
-        const td = tr.body as { turn?: { turn_status?: string; output_items?: unknown[]; error?: unknown } };
-        const status = td?.turn?.turn_status;
-        console.log(`  Poll ${i}: status=${status}`);
-        if (status === 'completed' || status === 'failed' || status === 'cancelled') {
-          if (td?.turn?.error) console.log('  Error:', JSON.stringify(td.turn.error));
-          if (td?.turn?.output_items) console.log('  Output:', JSON.stringify(td.turn.output_items).slice(0, 500));
-          break;
-        }
-      }
-    }
-  }
-}
-
-main().catch(e => console.error(e));

src/auth/oauth-pkce.ts

@@ -9,6 +9,7 @@ import { readFileSync, existsSync } from "fs";
 import { resolve } from "path";
 import { homedir } from "os";
 import { getConfig } from "../config.js";
+import { curlFetchPost } from "../tls/curl-fetch.js";
 
 export interface PKCEChallenge {
   codeVerifier: string;
@@ -120,18 +121,17 @@ export async function exchangeCode(
     code_verifier: codeVerifier,
   });
 
-  const resp = await fetch(config.auth.oauth_token_endpoint, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: body.toString(),
-  });
+  const resp = await curlFetchPost(
+    config.auth.oauth_token_endpoint,
+    "application/x-www-form-urlencoded",
+    body.toString(),
+  );
 
   if (!resp.ok) {
-    const text = await resp.text();
-    throw new Error(`Token exchange failed (${resp.status}): ${text}`);
+    throw new Error(`Token exchange failed (${resp.status}): ${resp.body}`);
   }
 
-  return resp.json() as Promise<TokenResponse>;
+  return JSON.parse(resp.body) as TokenResponse;
 }
 
 /**
@@ -148,18 +148,17 @@ export async function refreshAccessToken(
     refresh_token: refreshToken,
   });
 
-  const resp = await fetch(config.auth.oauth_token_endpoint, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: body.toString(),
-  });
+  const resp = await curlFetchPost(
+    config.auth.oauth_token_endpoint,
+    "application/x-www-form-urlencoded",
+    body.toString(),
+  );
 
   if (!resp.ok) {
-    const text = await resp.text();
-    throw new Error(`Token refresh failed (${resp.status}): ${text}`);
+    throw new Error(`Token refresh failed (${resp.status}): ${resp.body}`);
   }
 
-  return resp.json() as Promise<TokenResponse>;
+  return JSON.parse(resp.body) as TokenResponse;
 }
 
 // ── Pending session management ─────────────────────────────────────
@@ -343,18 +342,17 @@ export async function requestDeviceCode(): Promise<DeviceCodeResponse> {
     scope: "openid profile email offline_access",
   });
 
-  const resp = await fetch("https://auth.openai.com/oauth/device/code", {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: body.toString(),
-  });
+  const resp = await curlFetchPost(
+    "https://auth.openai.com/oauth/device/code",
+    "application/x-www-form-urlencoded",
+    body.toString(),
+  );
 
   if (!resp.ok) {
-    const text = await resp.text();
-    throw new Error(`Device code request failed (${resp.status}): ${text}`);
+    throw new Error(`Device code request failed (${resp.status}): ${resp.body}`);
   }
 
-  return resp.json() as Promise<DeviceCodeResponse>;
+  return JSON.parse(resp.body) as DeviceCodeResponse;
 }
 
 /**
@@ -370,20 +368,20 @@ export async function pollDeviceToken(deviceCode: string): Promise<TokenResponse
     client_id: config.auth.oauth_client_id,
   });
 
-  const resp = await fetch(config.auth.oauth_token_endpoint, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: body.toString(),
-  });
+  const resp = await curlFetchPost(
+    config.auth.oauth_token_endpoint,
+    "application/x-www-form-urlencoded",
+    body.toString(),
+  );
 
   if (!resp.ok) {
-    const data = (await resp.json()) as { error?: string; error_description?: string };
+    const data = JSON.parse(resp.body) as { error?: string; error_description?: string };
     const err = new Error(data.error_description || data.error || `Poll failed (${resp.status})`);
     (err as any).code = data.error;
     throw err;
   }
 
-  return resp.json() as Promise<TokenResponse>;
+  return JSON.parse(resp.body) as TokenResponse;
 }
 
 // ── CLI Token Import ───────────────────────────────────────────────

src/config.ts

@@ -42,6 +42,10 @@ const ConfigSchema = z.object({
     ttl_minutes: z.number().default(60),
     cleanup_interval_minutes: z.number().default(5),
   }),
+  tls: z.object({
+    curl_binary: z.string().default("auto"),
+    impersonate_profile: z.string().default("chrome136"),
+  }).default({}),
   streaming: z.object({
     status_as_content: z.boolean().default(false),
     chunk_size: z.number().default(100),

src/proxy/codex-api.ts

@@ -11,6 +11,7 @@
 
 import { spawn, execFile } from "child_process";
 import { getConfig } from "../config.js";
+import { resolveCurlBinary, getChromeTlsArgs } from "../tls/curl-binary.js";
 import {
   buildHeaders,
   buildHeadersWithContentType,
@@ -107,11 +108,11 @@ export class CodexApi {
   ): Promise<CurlResponse> {
     return new Promise((resolve, reject) => {
       const args = [
+        ...getChromeTlsArgs(), // Chrome TLS profile (ciphers, HTTP/2, etc.)
         "-s", "-S",            // silent but show errors
         "--compressed",         // curl negotiates compression
         "-N",                   // no output buffering (SSE)
         "-i",                   // include response headers in stdout
-        "--http1.1",            // force HTTP/1.1
         "-X", "POST",
         "--data-binary", "@-",  // read body from stdin
       ];
@@ -120,16 +121,17 @@ export class CodexApi {
         args.push("--max-time", String(timeoutSec));
       }
 
-      // Remove Accept-Encoding — let curl negotiate via --compressed
-      const filteredHeaders = { ...headers };
-      delete filteredHeaders["Accept-Encoding"];
-
-      for (const [key, value] of Object.entries(filteredHeaders)) {
+      // Pass all headers explicitly in our fingerprint order.
+      // Accept-Encoding is kept so curl doesn't inject its own at position 2.
+      // --compressed still handles auto-decompression of the response.
+      for (const [key, value] of Object.entries(headers)) {
         args.push("-H", `${key}: ${value}`);
       }
+      // Suppress curl's auto Expect: 100-continue (Chromium never sends it)
+      args.push("-H", "Expect:");
       args.push(url);
 
-      const child = spawn("curl", args, {
+      const child = spawn(resolveCurlBinary(), args, {
         stdio: ["pipe", "pipe", "pipe"],
       });
 
@@ -244,15 +246,15 @@ export class CodexApi {
     // to fail when it can't decompress the response.
     delete headers["Accept-Encoding"];
 
-    // Build curl args
-    const args = ["-s", "--compressed", "--max-time", "15"];
+    // Build curl args (Chrome TLS profile + request params)
+    const args = [...getChromeTlsArgs(), "-s", "--compressed", "--max-time", "15"];
     for (const [key, value] of Object.entries(headers)) {
       args.push("-H", `${key}: ${value}`);
     }
     args.push(url);
 
     const body = await new Promise<string>((resolve, reject) => {
-      execFile("curl", args, { maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
+      execFile(resolveCurlBinary(), args, { maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
         if (err) {
           reject(new CodexApiError(0, `curl failed: ${err.message} ${stderr}`));
         } else {

src/routes/chat.ts

@@ -112,7 +112,14 @@ export function createChatRoutes(
 
     const { entryId, token, accountId } = acquired;
     const codexApi = new CodexApi(token, accountId, cookieJar, entryId);
-    const codexRequest = translateToCodexRequest(req);
+
+    // Find existing session for multi-turn previous_response_id
+    const existingSession = sessionManager.findSession(req.messages);
+    const previousResponseId = existingSession?.responseId ?? null;
+    const codexRequest = translateToCodexRequest(req, previousResponseId);
+    if (previousResponseId) {
+      console.log(`[Chat] Account ${entryId} | Multi-turn: previous_response_id=${previousResponseId}`);
+    }
     console.log(
       `[Chat] Account ${entryId} | Codex request:`,
       JSON.stringify(codexRequest).slice(0, 300),
@@ -129,12 +136,21 @@ export function createChatRoutes(
         c.header("Connection", "keep-alive");
 
         return stream(c, async (s) => {
+          let sessionTaskId: string | null = null;
           try {
             for await (const chunk of streamCodexToOpenAI(
               codexApi,
               rawResponse,
               codexRequest.model,
               (u) => { usageInfo = u; },
+              (respId) => {
+                if (!sessionTaskId) {
+                  // First call: create session
+                  sessionTaskId = `task-${Date.now()}`;
+                  sessionManager.storeSession(sessionTaskId, "turn-1", req.messages);
+                }
+                sessionManager.updateResponseId(sessionTaskId, respId);
+              },
             )) {
               await s.write(chunk);
             }
@@ -148,6 +164,12 @@ export function createChatRoutes(
           rawResponse,
           codexRequest.model,
         );
+        // Store session with responseId for multi-turn
+        if (result.responseId) {
+          const taskId = `task-${Date.now()}`;
+          sessionManager.storeSession(taskId, "turn-1", req.messages);
+          sessionManager.updateResponseId(taskId, result.responseId);
+        }
         accountPool.release(entryId, result.usage);
         return c.json(result.response);
       }

src/session/manager.ts

@@ -5,6 +5,7 @@ interface Session {
   taskId: string;
   turnId: string;
   messageHash: string;
+  responseId: string | null;
   createdAt: number;
 }
 
@@ -63,10 +64,19 @@ export class SessionManager {
       taskId,
       turnId,
       messageHash: hash,
+      responseId: null,
       createdAt: Date.now(),
     });
   }
 
+  /**
+   * Update the response ID for an existing session (for multi-turn previous_response_id)
+   */
+  updateResponseId(taskId: string, responseId: string): void {
+    const session = this.sessions.get(taskId);
+    if (session) session.responseId = responseId;
+  }
+
   /**
    * Update turn ID for an existing session
    */

src/tls/curl-binary.ts

@@ -0,0 +1,151 @@
+/**
+ * Resolves the curl binary and Chrome TLS profile args.
+ *
+ * When curl-impersonate is available, we call it directly (NOT via the
+ * curl_chrome136 wrapper script) and pass the TLS-level parameters ourselves.
+ * This avoids duplicate -H headers between the wrapper and our fingerprint manager.
+ *
+ * The Chrome TLS args are extracted from curl_chrome136 wrapper script.
+ * HTTP headers (-H flags) are intentionally excluded — our fingerprint manager
+ * in manager.ts handles those to match Codex Desktop exactly.
+ */
+
+import { existsSync } from "fs";
+import { execFileSync } from "child_process";
+import { resolve } from "path";
+import { getConfig } from "../config.js";
+
+const IS_WIN = process.platform === "win32";
+const BINARY_NAME = IS_WIN ? "curl-impersonate.exe" : "curl-impersonate";
+
+/**
+ * Chrome 136 TLS profile parameters.
+ * Extracted from curl_chrome136 wrapper (lexiforest/curl-impersonate v1.4.4).
+ * These control TLS fingerprint, HTTP/2 framing, and protocol negotiation.
+ * HTTP-level headers are NOT included — our fingerprint manager handles those.
+ */
+const CHROME_TLS_ARGS: string[] = [
+  // ── TLS cipher suites (exact Chrome 136 order) ──
+  "--ciphers",
+  [
+    "TLS_AES_128_GCM_SHA256",
+    "TLS_AES_256_GCM_SHA384",
+    "TLS_CHACHA20_POLY1305_SHA256",
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-AES128-SHA",
+    "ECDHE-RSA-AES256-SHA",
+    "AES128-GCM-SHA256",
+    "AES256-GCM-SHA384",
+    "AES128-SHA",
+    "AES256-SHA",
+  ].join(":"),
+  // ── Elliptic curves (includes post-quantum X25519MLKEM768) ──
+  "--curves", "X25519MLKEM768:X25519:P-256:P-384",
+  // ── HTTP/2 with Chrome-exact SETTINGS frame ──
+  "--http2",
+  "--http2-settings", "1:65536;2:0;4:6291456;6:262144",
+  "--http2-window-update", "15663105",
+  "--http2-stream-weight", "256",
+  "--http2-stream-exclusive", "1",
+  // ── TLS extensions (Chrome fingerprint) ──
+  "--tlsv1.2",
+  "--alps",
+  "--tls-permute-extensions",
+  "--cert-compression", "brotli",
+  "--tls-grease",
+  "--tls-use-new-alps-codepoint",
+  "--tls-signed-cert-timestamps",
+  "--ech", "grease",
+  // ── Compression & cookies ──
+  "--compressed",
+];
+
+let _resolved: string | null = null;
+let _isImpersonate = false;
+let _tlsArgs: string[] | null = null;
+
+/**
+ * Resolve the curl binary path. Result is cached after first call.
+ */
+export function resolveCurlBinary(): string {
+  if (_resolved) return _resolved;
+
+  const config = getConfig();
+  const setting = config.tls.curl_binary;
+
+  if (setting !== "auto") {
+    _resolved = setting;
+    _isImpersonate = setting.includes("curl-impersonate");
+    console.log(`[TLS] Using configured curl binary: ${_resolved}`);
+    return _resolved;
+  }
+
+  // Auto-detect: look for curl-impersonate in bin/
+  const binPath = resolve(process.cwd(), "bin", BINARY_NAME);
+  if (existsSync(binPath)) {
+    _resolved = binPath;
+    _isImpersonate = true;
+    console.log(`[TLS] Using curl-impersonate: ${_resolved}`);
+    return _resolved;
+  }
+
+  // Fallback to system curl
+  _resolved = "curl";
+  _isImpersonate = false;
+  console.warn(
+    `[TLS] curl-impersonate not found at ${binPath}. ` +
+    `Falling back to system curl. Run "npm run setup" to install curl-impersonate.`,
+  );
+  return _resolved;
+}
+
+/**
+ * Detect if curl-impersonate supports the --impersonate flag.
+ * If supported, returns ["--impersonate", profile] which replaces CHROME_TLS_ARGS.
+ * Otherwise returns the manual CHROME_TLS_ARGS.
+ */
+function detectImpersonateSupport(binary: string): string[] {
+  try {
+    const helpOutput = execFileSync(binary, ["--help", "all"], {
+      encoding: "utf-8",
+      timeout: 5000,
+    });
+    if (helpOutput.includes("--impersonate")) {
+      const profile = getConfig().tls.impersonate_profile ?? "chrome136";
+      console.log(`[TLS] Using --impersonate ${profile}`);
+      return ["--impersonate", profile];
+    }
+  } catch {
+    // --help failed, fall back to manual args
+  }
+  return CHROME_TLS_ARGS;
+}
+
+/**
+ * Get Chrome TLS profile args to prepend to curl commands.
+ * Returns empty array when using system curl (args are curl-impersonate specific).
+ * Uses --impersonate flag when available, otherwise falls back to manual CHROME_TLS_ARGS.
+ */
+export function getChromeTlsArgs(): string[] {
+  // Ensure binary is resolved first
+  resolveCurlBinary();
+  if (!_isImpersonate) return [];
+  if (!_tlsArgs) {
+    _tlsArgs = detectImpersonateSupport(_resolved!);
+  }
+  return [..._tlsArgs];
+}
+
+/**
+ * Reset the cached binary path (useful for testing).
+ */
+export function resetCurlBinaryCache(): void {
+  _resolved = null;
+  _isImpersonate = false;
+  _tlsArgs = null;
+}

src/tls/curl-fetch.ts

@@ -0,0 +1,89 @@
+/**
+ * Simple GET/POST helpers using curl-impersonate.
+ *
+ * Drop-in replacement for Node.js fetch() that routes through
+ * curl-impersonate with Chrome TLS profile to avoid fingerprinting.
+ *
+ * Used for non-streaming requests (OAuth, appcast, etc.).
+ */
+
+import { execFile } from "child_process";
+import { resolveCurlBinary, getChromeTlsArgs } from "./curl-binary.js";
+
+export interface CurlFetchResponse {
+  status: number;
+  body: string;
+  ok: boolean;
+}
+
+const STATUS_SEPARATOR = "\n__CURL_HTTP_STATUS__";
+
+/**
+ * Perform a GET request via curl-impersonate.
+ */
+export function curlFetchGet(url: string): Promise<CurlFetchResponse> {
+  const args = [
+    ...getChromeTlsArgs(),
+    "-s", "-S",
+    "--compressed",
+    "--max-time", "30",
+    "-w", STATUS_SEPARATOR + "%{http_code}",
+    url,
+  ];
+
+  return execCurl(args);
+}
+
+/**
+ * Perform a POST request via curl-impersonate.
+ */
+export function curlFetchPost(
+  url: string,
+  contentType: string,
+  body: string,
+): Promise<CurlFetchResponse> {
+  const args = [
+    ...getChromeTlsArgs(),
+    "-s", "-S",
+    "--compressed",
+    "--max-time", "30",
+    "-X", "POST",
+    "-H", `Content-Type: ${contentType}`,
+    "-d", body,
+    "-w", STATUS_SEPARATOR + "%{http_code}",
+    url,
+  ];
+
+  return execCurl(args);
+}
+
+function execCurl(args: string[]): Promise<CurlFetchResponse> {
+  return new Promise((resolve, reject) => {
+    execFile(
+      resolveCurlBinary(),
+      args,
+      { maxBuffer: 2 * 1024 * 1024 },
+      (err, stdout, stderr) => {
+        if (err) {
+          reject(new Error(`curl failed: ${err.message} ${stderr}`));
+          return;
+        }
+
+        const sepIdx = stdout.lastIndexOf(STATUS_SEPARATOR);
+        if (sepIdx === -1) {
+          reject(new Error(`curl: missing status separator in output`));
+          return;
+        }
+
+        const body = stdout.slice(0, sepIdx);
+        const status = parseInt(stdout.slice(sepIdx + STATUS_SEPARATOR.length), 10);
+
+        resolve({
+          status,
+          body,
+          ok: status >= 200 && status < 300,
+        });
+      },
+    );
+  });
+}

src/translation/codex-to-openai.ts

@@ -37,6 +37,7 @@ export async function* streamCodexToOpenAI(
   rawResponse: Response,
   model: string,
   onUsage?: (usage: UsageInfo) => void,
+  onResponseId?: (id: string) => void,
 ): AsyncGenerator<string> {
   const chunkId = `chatcmpl-${randomUUID().replace(/-/g, "").slice(0, 24)}`;
   const created = Math.floor(Date.now() / 1000);
@@ -63,9 +64,12 @@ export async function* streamCodexToOpenAI(
     switch (evt.event) {
       case "response.created":
       case "response.in_progress": {
-        // Extract response ID for headers
+        // Extract response ID for headers and multi-turn
         const resp = data.response as Record<string, unknown> | undefined;
-        if (resp?.id) responseId = resp.id as string;
+        if (resp?.id) {
+          responseId = resp.id as string;
+          onResponseId?.(responseId);
+        }
         break;
       }
 
@@ -135,17 +139,25 @@ export async function collectCodexResponse(
   codexApi: CodexApi,
   rawResponse: Response,
   model: string,
-): Promise<{ response: ChatCompletionResponse; usage: UsageInfo }> {
+): Promise<{ response: ChatCompletionResponse; usage: UsageInfo; responseId: string | null }> {
   const id = `chatcmpl-${randomUUID().replace(/-/g, "").slice(0, 24)}`;
   const created = Math.floor(Date.now() / 1000);
   let fullText = "";
   let promptTokens = 0;
   let completionTokens = 0;
+  let responseId: string | null = null;
 
   for await (const evt of codexApi.parseStream(rawResponse)) {
     const data = evt.data as Record<string, unknown>;
 
     switch (evt.event) {
+      case "response.created":
+      case "response.in_progress": {
+        const resp = data.response as Record<string, unknown> | undefined;
+        if (resp?.id) responseId = resp.id as string;
+        break;
+      }
+
       case "response.output_text.delta": {
         const delta = (data.delta as string) ?? "";
         fullText += delta;
@@ -153,8 +165,8 @@ export async function collectCodexResponse(
       }
 
       case "response.completed": {
-        // Try to extract usage from the completed response
         const resp = data.response as Record<string, unknown> | undefined;
+        if (resp?.id) responseId = resp.id as string;
         if (resp?.usage) {
           const usage = resp.usage as Record<string, number>;
           promptTokens = usage.input_tokens ?? 0;
@@ -191,5 +203,6 @@ export async function collectCodexResponse(
       input_tokens: promptTokens,
       output_tokens: completionTokens,
     },
+    responseId,
   };
 }

src/translation/openai-to-codex.ts

@@ -2,6 +2,8 @@
  * Translate OpenAI Chat Completions request → Codex Responses API request.
  */
 
+import { readFileSync } from "fs";
+import { resolve } from "path";
 import type { ChatCompletionRequest } from "../types/openai.js";
 import type {
   CodexResponsesRequest,
@@ -10,6 +12,19 @@ import type {
 import { resolveModelId, getModelInfo } from "../routes/models.js";
 import { getConfig } from "../config.js";
 
+const DESKTOP_CONTEXT = loadDesktopContext();
+
+function loadDesktopContext(): string {
+  try {
+    return readFileSync(
+      resolve(process.cwd(), "config/prompts/desktop-context.md"),
+      "utf-8",
+    );
+  } catch {
+    return "";
+  }
+}
+
 /**
  * Convert a ChatCompletionRequest to a CodexResponsesRequest.
  *
@@ -21,12 +36,16 @@ import { getConfig } from "../config.js";
  */
 export function translateToCodexRequest(
   req: ChatCompletionRequest,
+  previousResponseId?: string | null,
 ): CodexResponsesRequest {
   // Collect system messages as instructions
   const systemMessages = req.messages.filter((m) => m.role === "system");
-  const instructions =
+  const userInstructions =
     systemMessages.map((m) => m.content).join("\n\n") ||
     "You are a helpful assistant.";
+  const instructions = DESKTOP_CONTEXT
+    ? `${DESKTOP_CONTEXT}\n\n${userInstructions}`
+    : userInstructions;
 
   // Build input items from non-system messages
   const input: CodexInputItem[] = [];
@@ -58,6 +77,11 @@ export function translateToCodexRequest(
     tools: [],
   };
 
+  // Add previous response ID for multi-turn conversations
+  if (previousResponseId) {
+    request.previous_response_id = previousResponseId;
+  }
+
   // Add reasoning effort if applicable
   const effort =
     req.reasoning_effort ??

src/update-checker.ts

@@ -8,6 +8,7 @@ import { resolve } from "path";
 import yaml from "js-yaml";
 import { mutateClientConfig } from "./config.js";
 import { jitterInt } from "./utils/jitter.js";
+import { curlFetchGet } from "./tls/curl-fetch.js";
 
 const CONFIG_PATH = resolve(process.cwd(), "config/default.yaml");
 const STATE_PATH = resolve(process.cwd(), "data/update-state.json");
@@ -44,8 +45,13 @@ function parseAppcast(xml: string): {
   const itemMatch = xml.match(/<item>([\s\S]*?)<\/item>/i);
   if (!itemMatch) return { version: null, build: null, downloadUrl: null };
   const item = itemMatch[1];
-  const versionMatch = item.match(/sparkle:shortVersionString="([^"]+)"/);
-  const buildMatch = item.match(/sparkle:version="([^"]+)"/);
+  // Support both attribute syntax (sparkle:version="X") and element syntax (<sparkle:version>X</sparkle:version>)
+  const versionMatch =
+    item.match(/sparkle:shortVersionString="([^"]+)"/) ??
+    item.match(/<sparkle:shortVersionString>([^<]+)<\/sparkle:shortVersionString>/);
+  const buildMatch =
+    item.match(/sparkle:version="([^"]+)"/) ??
+    item.match(/<sparkle:version>([^<]+)<\/sparkle:version>/);
   const urlMatch = item.match(/url="([^"]+)"/);
   return {
     version: versionMatch?.[1] ?? null,
@@ -64,11 +70,11 @@ function applyVersionUpdate(version: string, build: string): void {
 
 export async function checkForUpdate(): Promise<UpdateState> {
   const current = loadCurrentConfig();
-  const res = await fetch(APPCAST_URL);
+  const res = await curlFetchGet(APPCAST_URL);
   if (!res.ok) {
-    throw new Error(`Failed to fetch appcast: ${res.status} ${res.statusText}`);
+    throw new Error(`Failed to fetch appcast: ${res.status}`);
   }
-  const xml = await res.text();
+  const xml = res.body;
   const { version, build, downloadUrl } = parseAppcast(xml);
 
   const updateAvailable = !!(version && build &&