Initial commit: Codex Proxy with quota API and Cloudflare bypass

OpenAI-compatible proxy that translates Chat Completions API to ChatGPT's
Codex Responses API. Includes multi-account management, official quota
querying via curl subprocess (bypasses Cloudflare TLS fingerprinting),
per-account cookie jar, and full API documentation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.claude/settings.local.json

@@ -0,0 +1,41 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(du:*)",
+      "Bash(npx tsc:*)",
+      "Bash(npx tsx --eval:*)",
+      "Bash(npx tsx:*)",
+      "Bash(node -e:*)",
+      "Bash(ping:*)",
+      "Bash(curl:*)",
+      "Bash(netstat:*)",
+      "Bash(taskkill:*)",
+      "Bash(while read pid)",
+      "Bash(do taskkill //PID $pid //F)",
+      "Bash(done echo \"killed\")",
+      "Bash(ssh:*)",
+      "Bash(scp:*)",
+      "Bash(npm run dev:*)",
+      "Bash(tasklist:*)",
+      "Bash(sort:*)",
+      "Bash(done)",
+      "Bash(# Check if there''s a Session Storage with task data for f in \"\"C:/Users/14323/AppData/Roaming/Codex/Session Storage/\"\"*.log; do strings \"\"$f\"\")",
+      "Bash(\"D:/xwechat_files/wxid_l9axc218tplc22_eddc/msg/file/2026-02/Codex-win32-x64/Codex-win32-x64/resources/codex.exe\" features)",
+      "Bash(\"D:/xwechat_files/wxid_l9axc218tplc22_eddc/msg/file/2026-02/Codex-win32-x64/Codex-win32-x64/resources/codex.exe\" features list)",
+      "Bash(\"D:/xwechat_files/wxid_l9axc218tplc22_eddc/msg/file/2026-02/Codex-win32-x64/Codex-win32-x64/resources/codex.exe\" cloud --help)",
+      "Bash(\"D:/xwechat_files/wxid_l9axc218tplc22_eddc/msg/file/2026-02/Codex-win32-x64/Codex-win32-x64/resources/codex.exe\" cloud exec --help)",
+      "Bash(\"D:/xwechat_files/wxid_l9axc218tplc22_eddc/msg/file/2026-02/Codex-win32-x64/Codex-win32-x64/resources/codex.exe\" debug --help)",
+      "Bash(npm run build:*)",
+      "Bash(for model in gpt-5.3-codex gpt-5.2-codex gpt-5.1-codex-max gpt-5.2 gpt-5.1-codex-mini)",
+      "Bash(do echo \"=== $model ===\")",
+      "Bash(python:*)",
+      "WebSearch",
+      "Bash(xargs:*)",
+      "Bash(node:*)",
+      "WebFetch(domain:github.com)",
+      "Bash(python3 -c \"import sys,json; d=json.load\\(sys.stdin\\); print\\(d[''accounts''][0][''accountId'']\\)\" curl -s -o /dev/null -w \"%{http_code}\"  -H \"Authorization: Bearer $TOKEN\"  -H \"ChatGPT-Account-Id: $ACCT_ID\"  -H \"originator: Codex Desktop\"  -H \"User-Agent: Codex Desktop/260202.0859 \\(darwin; arm64\\)\"  -H \"Accept: application/json\"  \"https://chatgpt.com/backend-api/codex/usage\")",
+      "Bash(git init:*)",
+      "Bash(git add:*)"
+    ]
+  }
+}

.env.example

@@ -0,0 +1,4 @@
+CODEX_JWT_TOKEN=       # Optional: paste ChatGPT JWT directly (skip OAuth)
+CODEX_PLATFORM=darwin  # darwin/win32/linux
+CODEX_ARCH=arm64       # arm64/x64
+PORT=8080

.gitignore

@@ -0,0 +1,6 @@
+node_modules/
+dist/
+data/
+.env
+*.log
+.asar-out/

config/default.yaml

@@ -0,0 +1,38 @@
+api:
+  base_url: "https://chatgpt.com/backend-api"
+  timeout_seconds: 60
+
+client:
+  originator: "Codex Desktop"
+  app_version: "260202.0859"
+  build_number: "517"
+  platform: "darwin"
+  arch: "arm64"
+
+model:
+  default: "gpt-5.3-codex"
+  default_reasoning_effort: "medium"
+
+auth:
+  jwt_token: null
+  chatgpt_oauth: true
+  refresh_margin_seconds: 300
+  rotation_strategy: "least_used"
+  rate_limit_backoff_seconds: 60
+
+server:
+  host: "0.0.0.0"
+  port: 8080
+  proxy_api_key: null
+
+environment:
+  default_id: null
+  default_branch: "main"
+
+streaming:
+  status_as_content: false
+  chunk_size: 100
+  chunk_delay_ms: 10
+  heartbeat_interval_s: 15
+  poll_interval_s: 2
+  timeout_s: 300

config/extraction-patterns.yaml

@@ -0,0 +1,74 @@
+# Regex patterns for extracting values from Codex Desktop's main.js
+# These patterns are applied to the beautified (js-beautify) output.
+# Update these when the minified variable names change across versions.
+#
+# NOTE: Use single-quoted YAML strings for regex patterns. In YAML single quotes,
+# backslashes are literal (no escaping needed). Only '' is special (escaped single quote).
+
+# Version info from package.json (no regex needed — direct JSON parse)
+package_json:
+  version_key: "version"
+  build_number_key: "codexBuildNumber"
+  sparkle_feed_key: "codexSparkleFeedUrl"
+
+# Patterns for main.js content extraction
+main_js:
+  # API base URL
+  api_base_url:
+    pattern: 'https://[^"]+/backend-api'
+    description: "WHAM API base URL"
+
+  # Originator header value — in beautified code: variable = "Codex Desktop";
+  originator:
+    pattern: '= "(Codex [^"]+)"'
+    group: 1
+    description: "originator header sent with requests"
+
+  # Model IDs — match quoted gpt-X.Y(-codex)(-variant) strings
+  # In beautified code: = "gpt-5.3-codex", LF = "gpt-5.1-codex-mini", etc.
+  models:
+    pattern: '"(gpt-[0-9]+[.][0-9]+(?:-codex)?(?:-[a-z]+)?)"'
+    group: 1
+    global: true
+    description: "All model ID strings"
+
+  # WHAM API endpoint paths
+  wham_endpoints:
+    pattern: '"(/wham/[^"]+)"'
+    group: 1
+    global: true
+    description: "WHAM API endpoint paths"
+
+  # User-Agent template
+  user_agent:
+    pattern: "Codex Desktop/"
+    description: "User-Agent prefix check"
+
+  # Desktop context system prompt (variable oF)
+  desktop_context:
+    start_marker: "# Codex desktop context"
+    end_marker: "</app-context>"
+    description: "Full desktop context system prompt"
+
+  # Title generation prompt (function KZ)
+  title_generation:
+    start_marker: "You are a helpful assistant. You will be presented with a user prompt"
+    end_pattern: '.join('
+    description: "Task title generation system prompt"
+
+  # PR generation prompt (function n9)
+  pr_generation:
+    start_marker: "You are a helpful assistant. Generate a pull request title"
+    end_pattern: '.join('
+    description: "PR title/body generation system prompt"
+
+  # Automation response template (constant qK)
+  automation_response:
+    start_marker: "Response MUST end with a remark-directive block"
+    end_pattern: "^`;$"
+    description: "Automation response template with directive rules"
+
+# Info.plist keys (macOS only)
+info_plist:
+  version_key: "CFBundleShortVersionString"
+  build_key: "CFBundleVersion"

config/fingerprint.yaml

@@ -0,0 +1,4 @@
+user_agent_template: "Codex Desktop/{version} ({platform}; {arch})"
+auth_domains: ["chatgpt.com", "*.chatgpt.com", "openai.com", "*.openai.com"]
+auth_domain_exclusions: ["ab.chatgpt.com"]
+header_order: ["Authorization", "ChatGPT-Account-Id", "originator", "User-Agent", "Content-Type"]

config/prompts/automation-response.md

@@ -0,0 +1,51 @@
+Response MUST end with a remark-directive block.
+
+## Responding
+
+- Answer the user normally and concisely. Explain what you found, what you did, and what the user should focus on now.
+- Automations: use the memory file at `$CODEX_HOME/automations/<automation_id>/memory.md` (create it if missing).
+  - Read it first (if present) to avoid repeating recent work, especially for "changes since last run" tasks.
+  - Memory is important: some tasks must build on prior work, and others must avoid duplicating prior focus.
+  - Before returning the directive, write a concise summary of what you did/decided plus the current run time.
+  - Use the `Automation ID:` value provided in the message to locate/update this file.
+- REQUIRED: End with a valid remark-directive block on its own line (not inline).
+  - Always include an inbox item directive:
+    `::inbox-item{title="Sample title" summary="Place description here"}`
+- If you want to close the thread, add an archive directive on its own line after the inbox item:
+  `::archive-thread`
+
+## Choosing return value
+
+- For recurring/bg threads (e.g., "pull datadog logs and fix any new bugs", "address the PR comments"):
+  - Always return `::inbox-item{...}` with the title/summary the user should see.
+  - Only add `::archive-thread` when there is nothing actionable or new to show. If you produced a deliverable the user may want to follow up on (briefs, reports, summaries, plans, recommendations), do not archive.
+
+## Guidelines
+
+- Directives MUST be on their own line.
+- Output exactly ONE inbox-item directive. Archive-thread is optional.
+- Do NOT use invalid remark-directive formatting.
+- DO NOT place commas between arguments.
+  - Valid: `::inbox-item{title="Sample title" summary="Place description here"}`
+  - Invalid: `::inbox-item{title="Sample title",summary="Place description here"}`
+- When referring to files, use full absolute filesystem links in Markdown (not relative paths).
+  - Valid: [`/Users/alice/project/src/main.ts`](/Users/alice/project/src/main.ts)
+  - Invalid: `src/main.ts` or `[main](src/main.ts)`
+- Try not to ask the user for more input if possible to infer.
+- If a PR is opened by the automation, add the `codex-automation` label when available alongside the normal `codex` label.
+- Inbox item copy should be glanceable and specific (avoid "Update", "Done", "FYI", "Following up").
+  - Title: what this thread now _is_ (state + object). Aim ~4-8 words.
+  - Title should explain what was built or what happened.
+- Summary: what the user should _do/know next_ (next step, blocker, or waiting-on). Aim ~6-14 words.
+- Summary should usually match the general automation name or prompt summary.
+- Both title and summary should be fairly short; usually avoid one-word titles/summaries.
+  - Prefer concrete nouns + verbs; include a crisp status cue when helpful: "blocked", "needs decision", "ready for review".
+
+## Examples (inbox-item)
+
+- Work needed:
+  - `::inbox-item{title="Fix flaky checkout tests" summary="Repro isolated; needs CI run + patch"}`
+- Waiting on user decision:
+  - `::inbox-item{title="Choose API shape for filters" summary="Two options drafted; pick A vs B"}`
+- Status update with next step:
+  - `::inbox-item{title="PR comments addressed" summary="Ready for re-review; focus on auth edge case"}`

config/prompts/desktop-context.md

@@ -0,0 +1,69 @@
+# Codex desktop context
+- You are running inside the Codex (desktop) app, which allows some additional features not available in the CLI alone:
+
+### Images/Visuals
+- In the app, the model can display images using standard Markdown image syntax: ![alt](url)
+- When sending or referencing a local image, always use an absolute filesystem path in the Markdown image tag (e.g., ![alt](/absolute/path.png)); relative paths and plain text will not render the image.
+- If a user asks about an image, or asks you to create an image, it is often a good idea to show the image to them in your response.
+- Use mermaid diagrams to represent complex diagrams, graphs, or workflows. Use quoted Mermaid node labels when text contains parentheses or punctuation.
+- Return web URLs as Markdown links (e.g., [label](https://example.com)).
+
+### Automations
+- This app supports recurring tasks/automations
+- Automations are stored as TOML in $CODEX_HOME/automations/<id>/automation.toml (not in SQLite). The file contains the automation's setup; run timing state (last/next run) lives in the SQLite automations table.
+
+#### When to use directives
+- Only use ::automation-update{...} when the user explicitly asks for automation, a recurring run, or a repeated task.
+- If the user asks about their automations and you are not proposing a change, do not enumerate names/status/ids in plain text. Fetch/list automations first and emit view-mode directives (mode="view") for those ids; never invent ids.
+- Never return raw RRULE strings in user-facing responses. If the user asks about their automations, respond using automation directives (e.g., with an "Open" button if you're not making changes).
+
+#### Directive format
+- Modes: view, suggested update, suggested create. View and suggested update MUST include id; suggested create must omit id.
+- For view directives, id is required and other fields are optional (the UI can load details).
+- For suggested update/create, include name, prompt, rrule, cwds, and status. cwds can be a comma-separated list or a JSON array string.
+- Always come up with a short name for the automation. If the user does not give one, propose a short name and confirm.
+- Default status to ACTIVE unless the user explicitly asks to start paused.
+- Always interpret and schedule times in the user's locale time zone.
+- Directives should be on their own line(s) and be separated by newlines.
+- Do not generate remark directives with multiline attribute values.
+
+#### Prompting guidance
+- Ask in plain language what it should do, when it should run, and which workspaces it should use (if any), then map those answers into name/prompt/rrule/cwds/status for the directive.
+- The automation prompt should describe only the task itself. Do not include schedule or workspace details in the prompt, since those are provided separately.
+- Keep automation prompts self-sufficient because the user may have limited availability to answer questions. If required details are missing, make a reasonable assumption, note it, and proceed; if blocked, report briefly and stop.
+- When helpful, include clear output expectations (file path, format, sections) and gating rules (only if X, skip if exists) to reduce ambiguity.
+- Automations should always open an inbox item.
+  - Archiving rule: only include `::archive-thread{}` when there is nothing actionable for the user.
+  - Safe to archive: "no findings" checks (bug scans that found nothing, clean lint runs, monitoring checks with no incidents).
+  - Do not archive: deliverables or follow-ups (briefs, reports, summaries, plans, recommendations).
+  - If you do archive, include the archive directive after the inbox item.
+- Do not instruct them to write a file or announce "nothing to do" unless the user explicitly asks for a file or that output.
+- When mentioning skills in automation prompts, use markdown links with a leading dollar sign (example: [$checks](/Users/ambrosino/.codex/skills/checks/SKILL.md)).
+
+#### Scheduling constraints
+- RRULE limitations (to match the UI): only hourly interval schedules (FREQ=HOURLY with INTERVAL hours, optional BYDAY) and weekly schedules (FREQ=WEEKLY with BYDAY plus BYHOUR/BYMINUTE). Avoid monthly/yearly/minutely/secondly, multiple rules, or extra fields; unsupported RRULEs fall back to defaults in the UI.
+
+#### Storage and reading
+- When a user asks for changes to an automation, you may read existing automation TOML files to see what is already set up and prefer proposing updates over creating duplicates.
+- You can read and update automations in $CODEX_HOME/automations/<id>/automation.toml and memory.md only when the user explicitly asks you to modify automations.
+- Otherwise, do not change automation files or schedules.
+- Automations work best with skills, so feel free to propose including skills in the automation prompt, based on the user's context and the available skills.
+
+#### Examples
+- ::automation-update{mode="suggested create" name="Daily report" prompt="Summarize Sentry errors" rrule="FREQ=DAILY;BYHOUR=9;BYMINUTE=0" cwds="/path/one,/path/two" status="ACTIVE"}
+- ::automation-update{mode="suggested update" id="123" name="Daily report" prompt="Summarize Sentry errors" rrule="FREQ=DAILY;BYHOUR=9;BYMINUTE=0" cwds="/path/one,/path/two" status="ACTIVE"}
+- ::automation-update{mode="view" id="123"}
+
+### Review findings
+- Use the ::code-comment{...} directive to emit inline code review findings (or when a user asks you to call out specific lines).
+- Emit one directive per finding; emit none when there are no findings.
+- Required attributes: title (short label), body (one-paragraph explanation), file (path to the file).
+- Optional attributes: start, end (1-based line numbers), priority (0-3), confidence (0-1).
+- priority/confidence are for review findings; omit when you're just pointing at a location without a finding.
+- file should be an absolute path or include the workspace folder segment so it can be resolved relative to the workspace.
+- Keep line ranges tight; end defaults to start.
+- Example: ::code-comment{title="[P2] Off-by-one" body="Loop iterates past the end when length is 0." file="/path/to/foo.ts" start=10 end=11 priority=2 confidence=0.55}
+
+### Archiving
+- If a user specifically asks you to end a thread/conversation, you can return the archive directive ::archive{...} to archive the thread/conversation.
+- Example: ::archive{reason="User requested to end conversation"}

config/prompts/pr-generation.md

@@ -0,0 +1,14 @@
+You are a helpful assistant. Generate a pull request title and body.
+Return a JSON object with keys: title, body.
+Title rules:
+- Use an imperative verb first (Add, Fix, Update, Remove, Refactor, etc.).
+- Keep the title under 80 characters.
+- No trailing punctuation.
+Body rules:
+- Keep the body concise and scannable.
+- Use Markdown with short bullets.
+- Include a Summary section and a Testing section.
+- If tests were not run, say "Not run (not requested)".
+- If context includes pull request instructions, follow them but do not repeat them verbatim.
+
+Context:

config/prompts/title-generation.md

@@ -0,0 +1,34 @@
+You are a helpful assistant. You will be presented with a user prompt, and your job is to provide a short title for a task that will be created from that prompt.
+The tasks typically have to do with coding-related tasks, for example requests for bug fixes or questions about a codebase. The title you generate will be shown in the UI to represent the prompt.
+Generate a concise UI title (18-36 characters) for this task.
+Return only the title. No quotes or trailing punctuation.
+Do not use markdown or formatting characters.
+If the task includes a ticket reference (e.g. ABC-123), include it verbatim.
+
+Generate a clear, informative task title based solely on the prompt provided. Follow the rules below to ensure consistency, readability, and usefulness.
+
+How to write a good title:
+Generate a single-line title that captures the question or core change requested. The title should be easy to scan and useful in changelogs or review queues.
+- Use an imperative verb first: "Add", "Fix", "Update", "Refactor", "Remove", "Locate", "Find", etc.
+- Aim for 18-36 characters; keep under 5 words where possible.
+- Capitalize only the first word (unless locale requires otherwise).
+- Write the title in the user's locale.
+- Do not use punctuation at the end.
+- Output the title as plain text with no surrounding quotes or backticks.
+- Use precise, non-redundant language.
+- Translate fixed phrases into the user's locale (e.g., "Fix bug" -> "Corrige el error" in Spanish-ES), but leave code terms in English unless a widely adopted translation exists.
+- If the user provides a title explicitly, reuse it (translated if needed) and skip generation logic.
+- Make it clear when the user is requesting changes (use verbs like "Fix", "Add", etc) vs asking a question (use verbs like "Find", "Locate", "Count").
+- Do NOT respond to the user, answer questions, or attempt to solve the problem; just write a title that can represent the user's query.
+
+Examples:
+- User: "Can we add dark-mode support to the settings page?" -> Add dark-mode support
+- User: "Fehlerbehebung: Beim Anmelden erscheint 500." (de-DE) -> Login-Fehler 500 beheben
+- User: "Refactoriser le composant sidebar pour réduire le code dupliqué." (fr-FR) -> Refactoriser composant sidebar
+- User: "How do I fix our login bug?" -> Troubleshoot login bug
+- User: "Where in the codebase is foo_bar created" -> Locate foo_bar
+- User: "what's 2+2" -> Calculate 2+2
+
+By following these conventions, your titles will be readable, changelog-friendly, and helpful to both users and downstream tools.
+
+User prompt:

docs/api.md

@@ -0,0 +1,342 @@
+# Codex Proxy API Reference
+
+Base URL: `http://localhost:8080`
+
+---
+
+## OpenAI-Compatible Endpoints
+
+### POST /v1/chat/completions
+
+OpenAI Chat Completions API. Translates to Codex Responses API internally.
+
+**Headers:**
+```
+Content-Type: application/json
+Authorization: Bearer <proxy-api-key>   # optional, if proxy_api_key is configured
+```
+
+**Request Body:**
+```json
+{
+  "model": "gpt-5.3-codex",
+  "messages": [
+    { "role": "system", "content": "You are a helpful assistant." },
+    { "role": "user", "content": "Hello" }
+  ],
+  "stream": true,
+  "temperature": 0.7
+}
+```
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `model` | string | Yes | Model ID or alias (`codex`, `codex-max`, `codex-mini`) |
+| `messages` | array | Yes | OpenAI-format message array |
+| `stream` | boolean | No | `true` for SSE streaming (default), `false` for single JSON response |
+| `temperature` | number | No | Sampling temperature |
+
+**Response (streaming):** SSE stream of `chat.completion.chunk` objects, ending with `[DONE]`.
+
+**Response (non-streaming):**
+```json
+{
+  "id": "chatcmpl-...",
+  "object": "chat.completion",
+  "model": "gpt-5.3-codex",
+  "choices": [{ "index": 0, "message": { "role": "assistant", "content": "..." }, "finish_reason": "stop" }],
+  "usage": { "prompt_tokens": 0, "completion_tokens": 0, "total_tokens": 0 }
+}
+```
+
+---
+
+### GET /v1/models
+
+List all available models (OpenAI-compatible format).
+
+**Response:**
+```json
+{
+  "object": "list",
+  "data": [
+    { "id": "gpt-5.3-codex", "object": "model", "created": 1700000000, "owned_by": "openai" },
+    { "id": "codex", "object": "model", "created": 1700000000, "owned_by": "openai" }
+  ]
+}
+```
+
+### GET /v1/models/:modelId
+
+Get a single model by ID or alias.
+
+### GET /v1/models/:modelId/info
+
+Extended model info with reasoning efforts, capabilities, and description.
+
+**Response:**
+```json
+{
+  "id": "gpt-5.3-codex",
+  "model": "gpt-5.3-codex",
+  "displayName": "gpt-5.3-codex",
+  "description": "Latest frontier agentic coding model.",
+  "isDefault": true,
+  "supportedReasoningEfforts": [
+    { "reasoningEffort": "low", "description": "Fast responses with lighter reasoning" },
+    { "reasoningEffort": "medium", "description": "Balances speed and reasoning depth" },
+    { "reasoningEffort": "high", "description": "Greater reasoning depth" },
+    { "reasoningEffort": "xhigh", "description": "Extra high reasoning depth" }
+  ],
+  "defaultReasoningEffort": "medium",
+  "inputModalities": ["text", "image"],
+  "supportsPersonality": true,
+  "upgrade": null
+}
+```
+
+**Model Aliases:**
+
+| Alias | Resolves To |
+|-------|-------------|
+| `codex` | `gpt-5.3-codex` |
+| `codex-max` | `gpt-5.1-codex-max` |
+| `codex-mini` | `gpt-5.1-codex-mini` |
+
+---
+
+## Authentication
+
+### GET /auth/status
+
+Pool-level auth status summary.
+
+**Response:**
+```json
+{
+  "authenticated": true,
+  "user": { "email": "user@example.com", "accountId": "...", "planType": "free" },
+  "proxy_api_key": "codex-proxy-...",
+  "pool": { "total": 1, "active": 1, "expired": 0, "rate_limited": 0, "refreshing": 0, "disabled": 0 }
+}
+```
+
+### GET /auth/login
+
+Start OAuth login via Codex CLI. Returns `authUrl` to open in browser.
+
+**Response:**
+```json
+{ "authUrl": "https://auth0.openai.com/authorize?..." }
+```
+
+### POST /auth/token
+
+Submit a JWT token manually.
+
+**Request Body:**
+```json
+{ "token": "eyJhbGci..." }
+```
+
+### POST /auth/logout
+
+Clear all accounts and tokens.
+
+---
+
+## Account Management
+
+### GET /auth/accounts
+
+List all accounts with usage stats.
+
+**Query Parameters:**
+
+| Param | Type | Description |
+|-------|------|-------------|
+| `quota` | string | Set to `"true"` to include official Codex quota for each active account |
+
+**Response:**
+```json
+{
+  "accounts": [
+    {
+      "id": "3ef8086e25b10091",
+      "email": "user@example.com",
+      "accountId": "0e555622-...",
+      "planType": "free",
+      "status": "active",
+      "usage": {
+        "request_count": 42,
+        "input_tokens": 12000,
+        "output_tokens": 8500,
+        "last_used": "2026-02-17T10:00:00.000Z",
+        "rate_limit_until": null
+      },
+      "addedAt": "2026-02-17T06:38:23.740Z",
+      "expiresAt": "2026-02-27T00:46:57.000Z",
+      "quota": {
+        "plan_type": "free",
+        "rate_limit": {
+          "allowed": true,
+          "limit_reached": false,
+          "used_percent": 5,
+          "reset_at": 1771902673
+        },
+        "code_review_rate_limit": null
+      }
+    }
+  ]
+}
+```
+
+> `quota` field only appears when `?quota=true` and the account is active. Uses `curl` subprocess to bypass Cloudflare TLS fingerprinting.
+
+### POST /auth/accounts
+
+Add a new account via JWT token.
+
+**Request Body:**
+```json
+{ "token": "eyJhbGci..." }
+```
+
+**Response:**
+```json
+{ "success": true, "account": { ... } }
+```
+
+### DELETE /auth/accounts/:id
+
+Remove an account by ID.
+
+### POST /auth/accounts/:id/reset-usage
+
+Reset local usage counters (request_count, tokens) for an account.
+
+### GET /auth/accounts/:id/quota
+
+Query real-time official Codex quota for a single account.
+
+**Response (success):**
+```json
+{
+  "quota": {
+    "plan_type": "free",
+    "rate_limit": {
+      "allowed": true,
+      "limit_reached": false,
+      "used_percent": 5,
+      "reset_at": 1771902673
+    },
+    "code_review_rate_limit": null
+  },
+  "raw": {
+    "plan_type": "free",
+    "rate_limit": {
+      "allowed": true,
+      "limit_reached": false,
+      "primary_window": {
+        "used_percent": 5,
+        "limit_window_seconds": 604800,
+        "reset_after_seconds": 562610,
+        "reset_at": 1771902673
+      },
+      "secondary_window": null
+    },
+    "code_review_rate_limit": { ... },
+    "credits": null,
+    "promo": null
+  }
+}
+```
+
+**Response (error):**
+```json
+{ "error": "Failed to fetch quota from Codex API", "detail": "Codex API error (403): ..." }
+```
+
+| Status | Meaning |
+|--------|---------|
+| 200 | Success |
+| 404 | Account ID not found |
+| 409 | Account is not active (expired/rate_limited/disabled) |
+| 502 | Upstream Codex API error |
+
+---
+
+## System
+
+### GET /health
+
+Health check with auth and pool status.
+
+**Response:**
+```json
+{
+  "status": "ok",
+  "authenticated": true,
+  "user": { "email": "...", "accountId": "...", "planType": "free" },
+  "pool": { "total": 1, "active": 1, "expired": 0, "rate_limited": 0, "refreshing": 0, "disabled": 0 },
+  "timestamp": "2026-02-17T10:00:00.000Z"
+}
+```
+
+### GET /debug/fingerprint
+
+Show current client fingerprint headers, config, and prompt loading status.
+
+### GET /
+
+Web dashboard (HTML). Shows login page if not authenticated, dashboard if authenticated.
+
+---
+
+## Error Format
+
+All errors follow the OpenAI error format for `/v1/*` endpoints:
+```json
+{
+  "error": {
+    "message": "Human-readable description",
+    "type": "invalid_request_error",
+    "param": null,
+    "code": "error_code"
+  }
+}
+```
+
+Management endpoints (`/auth/*`) use a simpler format:
+```json
+{ "error": "Human-readable description" }
+```
+
+---
+
+## Quick Start
+
+```bash
+# 1. Start the proxy
+npx tsx src/index.ts
+
+# 2. Add a token (or use the web UI at http://localhost:8080)
+curl -X POST http://localhost:8080/auth/token \
+  -H "Content-Type: application/json" \
+  -d '{"token": "eyJhbGci..."}'
+
+# 3. Chat (streaming)
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "codex",
+    "messages": [{"role": "user", "content": "Hello!"}],
+    "stream": true
+  }'
+
+# 4. Check account quota
+curl http://localhost:8080/auth/accounts
+
+# 5. Check official Codex usage limits
+curl "http://localhost:8080/auth/accounts?quota=true"
+```

docs/implementation-notes.md

@@ -0,0 +1,258 @@
+# Codex Proxy 实现记录
+
+## 项目目标
+
+将 Codex Desktop App（免费）的 API 访问能力提取出来，暴露为标准的 OpenAI `/v1/chat/completions` 兼容接口，使任何支持 OpenAI API 的客户端都能直接调用。
+
+---
+
+## 关键发现：WHAM API vs Codex Responses API
+
+### 最初的方案（失败）
+
+项目最初使用 **WHAM API**（`/backend-api/wham/tasks`）作为后端。这是 Codex Cloud 模式使用的 API，工作流程为：
+
+1. 创建 cloud environment（需要绑定 GitHub 仓库）
+2. 创建 task → 得到 task_id
+3. 轮询 task turn 状态直到完成
+4. 从 turn 的 output_items 中提取回复
+
+**失败原因**：
+- 免费账户没有 cloud environment
+- `listEnvironments` 返回 500
+- `worktree_snapshots/upload_url` 返回 404（功能未开启）
+- 创建的 task 立即失败，返回 `unknown_error`
+
+### 发现真正的 API
+
+通过分析 Codex Desktop 的 CLI 二进制文件（`codex.exe`）中的字符串，发现 CLI 实际使用的是 **Responses API**，而不是 WHAM API。
+
+进一步测试发现正确的端点是：
+
+```
+POST https://chatgpt.com/backend-api/codex/responses
+```
+
+#### 端点探索过程
+
+| 端点 | 状态 | 说明 |
+|------|------|------|
+| `/backend-api/responses` | 404 | 不存在 |
+| `api.openai.com/v1/responses` | 401 | ChatGPT token 没有 API scope |
+| **`/backend-api/codex/responses`** | **400 → 200** | **正确端点** |
+
+#### 必需字段（逐步试错发现）
+
+1. 第一次请求 → `400: "Instructions are required"` → 需要 `instructions` 字段
+2. 加上 instructions → `400: "Store must be set to false"` → 需要 `store: false`
+3. 加上 store: false → `400: "Stream must be set to true"` → 需要 `stream: true`
+4. 全部加上 → `200 OK` ✓
+
+---
+
+## API 格式
+
+### 请求格式
+
+```json
+{
+  "model": "gpt-5.1-codex-mini",
+  "instructions": "You are a helpful assistant.",
+  "input": [
+    { "role": "user", "content": "你好" }
+  ],
+  "stream": true,
+  "store": false,
+  "reasoning": { "effort": "medium" }
+}
+```
+
+**关键约束**：
+- `stream` 必须为 `true`（不支持非流式）
+- `store` 必须为 `false`
+- `instructions` 必填（对应 system message）
+
+### 响应格式（SSE 流）
+
+Codex Responses API 返回标准的 OpenAI Responses API SSE 事件：
+
+```
+event: response.created
+data: {"type":"response.created","response":{"id":"resp_xxx","status":"in_progress",...}}
+
+event: response.output_text.delta
+data: {"type":"response.output_text.delta","delta":"你","item_id":"msg_xxx",...}
+
+event: response.output_text.delta
+data: {"type":"response.output_text.delta","delta":"好","item_id":"msg_xxx",...}
+
+event: response.output_text.done
+data: {"type":"response.output_text.done","text":"你好！",...}
+
+event: response.completed
+data: {"type":"response.completed","response":{"id":"resp_xxx","status":"completed","usage":{...},...}}
+```
+
+主要事件类型：
+- `response.created` — 响应开始
+- `response.in_progress` — 处理中
+- `response.output_item.added` — 输出项添加（reasoning 或 message）
+- `response.output_text.delta` — **文本增量（核心内容）**
+- `response.output_text.done` — 文本完成
+- `response.completed` — 响应完成（包含 usage 统计）
+
+### 认证方式
+
+使用 Codex Desktop App 的 ChatGPT OAuth JWT token，需要以下请求头：
+
+```
+Authorization: Bearer <jwt_token>
+ChatGPT-Account-Id: <account_id>
+originator: Codex Desktop
+User-Agent: Codex Desktop/260202.0859 (win32; x64)
+Content-Type: application/json
+Accept: text/event-stream
+```
+
+---
+
+## 代码实现
+
+### 新增文件
+
+#### `src/proxy/codex-api.ts` — Codex Responses API 客户端
+
+负责：
+- 构建请求并发送到 `/backend-api/codex/responses`
+- 解析 SSE 流，逐个 yield 事件对象
+- 错误处理（超时、HTTP 错误等）
+
+```typescript
+// 核心方法
+async createResponse(request: CodexResponsesRequest): Promise<Response>
+async *parseStream(response: Response): AsyncGenerator<CodexSSEEvent>
+```
+
+#### `src/translation/openai-to-codex.ts` — 请求翻译
+
+将 OpenAI Chat Completions 请求格式转换为 Codex Responses API 格式：
+
+| OpenAI Chat Completions | Codex Responses API |
+|------------------------|---------------------|
+| `messages[role=system]` | `instructions` |
+| `messages[role=user/assistant]` | `input[]` |
+| `model` | `model`（经过 resolveModelId 映射） |
+| `reasoning_effort` | `reasoning.effort` |
+| `stream` | 固定 `true` |
+| — | `store: false`（固定） |
+
+#### `src/translation/codex-to-openai.ts` — 响应翻译
+
+将 Codex Responses SSE 流转换为 OpenAI Chat Completions 格式：
+
+**流式模式** (`streamCodexToOpenAI`)：
+```
+Codex: response.output_text.delta {"delta":"你"}
+  ↓
+OpenAI: data: {"choices":[{"delta":{"content":"你"}}]}
+
+Codex: response.completed
+  ↓
+OpenAI: data: {"choices":[{"delta":{},"finish_reason":"stop"}]}
+OpenAI: data: [DONE]
+```
+
+**非流式模式** (`collectCodexResponse`)：
+- 消费整个 SSE 流，收集所有 text delta
+- 拼接为完整文本
+- 返回标准 `chat.completion` JSON 响应（包含 usage）
+
+### 修改文件
+
+#### `src/routes/chat.ts` — 路由处理器（重写）
+
+**之前**：使用 WhamApi 创建 task → 轮询 turn → 提取结果
+**之后**：使用 CodexApi 发送 responses 请求 → 直接流式/收集结果
+
+核心流程简化为：
+```
+1. 验证认证
+2. 解析请求 (ChatCompletionRequestSchema)
+3. translateToCodexRequest() 转换格式
+4. codexApi.createResponse() 发送请求
+5a. 流式：streamCodexToOpenAI() → 逐块写入 SSE
+5b. 非流式：collectCodexResponse() → 返回 JSON
+```
+
+#### `src/index.ts` — 入口文件（简化）
+
+移除了 WHAM environment 自动发现逻辑（不再需要）。
+
+---
+
+## 之前修复的 Bug（WHAM 阶段）
+
+在切换到 Codex Responses API 之前，还修复了 WHAM API 相关的三个 bug：
+
+1. **`turn_status` vs `status` 字段名不匹配** — WHAM API 返回 `turn_status`，但代码检查 `status`，导致轮询永远不匹配，超时 300 秒
+2. **`getTaskTurn` 响应结构嵌套** — API 返回 `{ task, user_turn, turn }` 但代码把整个响应当作 `WhamTurn`，导致 `output_items` 为 `undefined`
+3. **失败的 turn 返回 200 空内容** — 没有检查 `failed` 状态，直接返回空 content
+
+这些修复在 `src/types/wham.ts`、`src/proxy/wham-api.ts`、`src/translation/stream-adapter.ts` 中。
+
+---
+
+## 测试结果
+
+### 非流式请求
+```bash
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{"model":"gpt-5.1-codex-mini","messages":[{"role":"user","content":"Say hello"}]}'
+```
+```json
+{
+  "id": "chatcmpl-3125ece443994614aa7b1136",
+  "object": "chat.completion",
+  "choices": [{"message": {"role": "assistant", "content": "Hello!"}, "finish_reason": "stop"}],
+  "usage": {"prompt_tokens": 22, "completion_tokens": 20, "total_tokens": 42}
+}
+```
+响应时间：~2 秒
+
+### 流式请求
+```bash
+curl http://localhost:8080/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{"model":"gpt-5.1-codex-mini","messages":[{"role":"user","content":"Say hello"}],"stream":true}'
+```
+```
+data: {"choices":[{"delta":{"role":"assistant"}}]}
+data: {"choices":[{"delta":{"content":"Hello"}}]}
+data: {"choices":[{"delta":{"content":"!"}}]}
+data: {"choices":[{"delta":{},"finish_reason":"stop"}}]}
+data: [DONE]
+```
+首 token 时间：~500ms
+
+---
+
+## 文件结构总览
+
+```
+src/
+├── proxy/
+│   ├── codex-api.ts      ← 新增：Codex Responses API 客户端
+│   ├── client.ts          （通用 HTTP 客户端，保留）
+│   └── wham-api.ts        （WHAM 客户端，保留但不再使用）
+├── translation/
+│   ├── openai-to-codex.ts ← 新增：Chat Completions → Codex 格式
+│   ├── codex-to-openai.ts ← 新增：Codex SSE → Chat Completions 格式
+│   ├── openai-to-wham.ts  （旧翻译器，保留）
+│   ├── stream-adapter.ts  （旧流适配器，保留）
+│   └── wham-to-openai.ts  （旧翻译器，保留）
+├── routes/
+│   └── chat.ts            ← 重写：使用 Codex API
+├── index.ts               ← 简化：移除 WHAM env 逻辑
+└── ...
+```

package-lock.json

@@ -0,0 +1,662 @@
+{
+  "name": "codex-proxy",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "codex-proxy",
+      "version": "1.0.0",
+      "dependencies": {
+        "@hono/node-server": "^1.0.0",
+        "hono": "^4.0.0",
+        "js-yaml": "^4.1.0",
+        "undici": "^7.0.0",
+        "zod": "^3.23.0"
+      },
+      "devDependencies": {
+        "@types/js-yaml": "^4.0.0",
+        "@types/node": "^22.0.0",
+        "tsx": "^4.0.0",
+        "typescript": "^5.5.0"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
+      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
+      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
+      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
+      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
+      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
+      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
+      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
+      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
+      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
+      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
+      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
+      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
+      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
+      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
+      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
+      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
+      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
+      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
+      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
+      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
+      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@hono/node-server": {
+      "version": "1.19.9",
+      "resolved": "https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.9.tgz",
+      "integrity": "sha512-vHL6w3ecZsky+8P5MD+eFfaGTyCeOHUIFYMGpQGbrBTSmNNoxv0if69rEZ5giu36weC5saFuznL411gRX7bJDw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.14.1"
+      },
+      "peerDependencies": {
+        "hono": "^4"
+      }
+    },
+    "node_modules/@types/js-yaml": {
+      "version": "4.0.9",
+      "resolved": "https://registry.npmmirror.com/@types/js-yaml/-/js-yaml-4.0.9.tgz",
+      "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/node": {
+      "version": "22.19.11",
+      "resolved": "https://registry.npmmirror.com/@types/node/-/node-22.19.11.tgz",
+      "integrity": "sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~6.21.0"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmmirror.com/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "license": "Python-2.0"
+    },
+    "node_modules/esbuild": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmmirror.com/esbuild/-/esbuild-0.27.3.tgz",
+      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.27.3",
+        "@esbuild/android-arm": "0.27.3",
+        "@esbuild/android-arm64": "0.27.3",
+        "@esbuild/android-x64": "0.27.3",
+        "@esbuild/darwin-arm64": "0.27.3",
+        "@esbuild/darwin-x64": "0.27.3",
+        "@esbuild/freebsd-arm64": "0.27.3",
+        "@esbuild/freebsd-x64": "0.27.3",
+        "@esbuild/linux-arm": "0.27.3",
+        "@esbuild/linux-arm64": "0.27.3",
+        "@esbuild/linux-ia32": "0.27.3",
+        "@esbuild/linux-loong64": "0.27.3",
+        "@esbuild/linux-mips64el": "0.27.3",
+        "@esbuild/linux-ppc64": "0.27.3",
+        "@esbuild/linux-riscv64": "0.27.3",
+        "@esbuild/linux-s390x": "0.27.3",
+        "@esbuild/linux-x64": "0.27.3",
+        "@esbuild/netbsd-arm64": "0.27.3",
+        "@esbuild/netbsd-x64": "0.27.3",
+        "@esbuild/openbsd-arm64": "0.27.3",
+        "@esbuild/openbsd-x64": "0.27.3",
+        "@esbuild/openharmony-arm64": "0.27.3",
+        "@esbuild/sunos-x64": "0.27.3",
+        "@esbuild/win32-arm64": "0.27.3",
+        "@esbuild/win32-ia32": "0.27.3",
+        "@esbuild/win32-x64": "0.27.3"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmmirror.com/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/get-tsconfig": {
+      "version": "4.13.6",
+      "resolved": "https://registry.npmmirror.com/get-tsconfig/-/get-tsconfig-4.13.6.tgz",
+      "integrity": "sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "resolve-pkg-maps": "^1.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
+      }
+    },
+    "node_modules/hono": {
+      "version": "4.11.9",
+      "resolved": "https://registry.npmmirror.com/hono/-/hono-4.11.9.tgz",
+      "integrity": "sha512-Eaw2YTGM6WOxA6CXbckaEvslr2Ne4NFsKrvc0v97JD5awbmeBLO5w9Ho9L9kmKonrwF9RJlW6BxT1PVv/agBHQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.9.0"
+      }
+    },
+    "node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmmirror.com/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/resolve-pkg-maps": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmmirror.com/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
+      "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
+      }
+    },
+    "node_modules/tsx": {
+      "version": "4.21.0",
+      "resolved": "https://registry.npmmirror.com/tsx/-/tsx-4.21.0.tgz",
+      "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "esbuild": "~0.27.0",
+        "get-tsconfig": "^4.7.5"
+      },
+      "bin": {
+        "tsx": "dist/cli.mjs"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmmirror.com/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/undici": {
+      "version": "7.22.0",
+      "resolved": "https://registry.npmmirror.com/undici/-/undici-7.22.0.tgz",
+      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    },
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmmirror.com/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/zod": {
+      "version": "3.25.76",
+      "resolved": "https://registry.npmmirror.com/zod/-/zod-3.25.76.tgz",
+      "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    }
+  }
+}

package.json

@@ -0,0 +1,31 @@
+{
+  "name": "codex-proxy",
+  "version": "1.0.0",
+  "description": "Reverse proxy that exposes Codex Desktop WHAM API as OpenAI-compatible /v1/chat/completions",
+  "type": "module",
+  "scripts": {
+    "dev": "tsx watch src/index.ts",
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "check-update": "tsx scripts/check-update.ts",
+    "check-update:watch": "tsx scripts/check-update.ts --watch",
+    "extract": "tsx scripts/extract-fingerprint.ts",
+    "apply-update": "tsx scripts/apply-update.ts",
+    "apply-update:dry": "tsx scripts/apply-update.ts --dry-run"
+  },
+  "dependencies": {
+    "hono": "^4.0.0",
+    "@hono/node-server": "^1.0.0",
+    "undici": "^7.0.0",
+    "js-yaml": "^4.1.0",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0",
+    "tsx": "^4.0.0",
+    "@types/js-yaml": "^4.0.0",
+    "@types/node": "^22.0.0",
+    "js-beautify": "^1.15.0",
+    "@electron/asar": "^3.2.0"
+  }
+}

public/dashboard.html

@@ -0,0 +1,332 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Codex Proxy - Dashboard</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #0d1117;
+      color: #c9d1d9;
+      min-height: 100vh;
+      padding: 2rem;
+    }
+    .container { max-width: 720px; margin: 0 auto; }
+    header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      margin-bottom: 2rem;
+      padding-bottom: 1rem;
+      border-bottom: 1px solid #30363d;
+    }
+    header h1 { font-size: 1.3rem; color: #58a6ff; }
+    .user-info { font-size: 0.85rem; color: #8b949e; }
+    .btn-logout {
+      padding: 6px 14px;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #c9d1d9;
+      cursor: pointer;
+      font-size: 0.85rem;
+    }
+    .btn-logout:hover { background: #30363d; }
+    .card {
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 12px;
+      padding: 1.5rem;
+      margin-bottom: 1.5rem;
+    }
+    .card h2 {
+      font-size: 1rem;
+      margin-bottom: 1rem;
+      color: #f0f6fc;
+    }
+    .field {
+      display: flex;
+      align-items: center;
+      gap: 0.75rem;
+      margin-bottom: 0.75rem;
+    }
+    .field label {
+      flex-shrink: 0;
+      width: 100px;
+      font-size: 0.85rem;
+      color: #8b949e;
+    }
+    .field .value {
+      flex: 1;
+      background: #0d1117;
+      padding: 8px 12px;
+      border-radius: 6px;
+      border: 1px solid #30363d;
+      font-family: monospace;
+      font-size: 0.85rem;
+      word-break: break-all;
+    }
+    .btn-copy {
+      padding: 6px 12px;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #c9d1d9;
+      cursor: pointer;
+      font-size: 0.8rem;
+      flex-shrink: 0;
+    }
+    .btn-copy:hover { background: #30363d; }
+    .btn-copy.copied { background: #238636; border-color: #238636; }
+    .code-block {
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 1rem;
+      font-family: monospace;
+      font-size: 0.8rem;
+      line-height: 1.6;
+      overflow-x: auto;
+      position: relative;
+      white-space: pre;
+      margin-bottom: 1rem;
+    }
+    .code-block .copy-btn {
+      position: absolute;
+      top: 8px;
+      right: 8px;
+      padding: 4px 10px;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 4px;
+      color: #8b949e;
+      cursor: pointer;
+      font-size: 0.75rem;
+    }
+    .code-block .copy-btn:hover { background: #30363d; }
+    .tabs {
+      display: flex;
+      gap: 0.5rem;
+      margin-bottom: 1rem;
+    }
+    .tab {
+      padding: 6px 14px;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #8b949e;
+      cursor: pointer;
+      font-size: 0.85rem;
+    }
+    .tab.active { background: #30363d; color: #f0f6fc; }
+    .tab-content { display: none; }
+    .tab-content.active { display: block; }
+    .status-badge {
+      display: inline-block;
+      padding: 2px 8px;
+      border-radius: 10px;
+      font-size: 0.75rem;
+      font-weight: 500;
+    }
+    .status-ok { background: #238636; color: #fff; }
+    .loading { color: #8b949e; font-style: italic; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <header>
+      <div>
+        <h1>Codex Proxy</h1>
+        <span class="user-info" id="userInfo">Loading...</span>
+      </div>
+      <button class="btn-logout" onclick="logout()">Logout</button>
+    </header>
+
+    <div class="card">
+      <h2>API Configuration</h2>
+      <div class="field">
+        <label>Base URL</label>
+        <div class="value" id="baseUrl">Loading...</div>
+        <button class="btn-copy" onclick="copyText('baseUrl', this)">Copy</button>
+      </div>
+      <div class="field">
+        <label>API Key</label>
+        <div class="value" id="apiKey">Loading...</div>
+        <button class="btn-copy" onclick="copyText('apiKey', this)">Copy</button>
+      </div>
+      <div class="field">
+        <label>Model</label>
+        <div class="value" id="defaultModel">codex</div>
+      </div>
+      <div class="field">
+        <label>All Models</label>
+        <div class="value" id="allModels" style="font-size:0.75rem;line-height:1.6">Loading...</div>
+      </div>
+    </div>
+
+    <div class="card">
+      <h2>Usage Examples</h2>
+      <div class="tabs">
+        <div class="tab active" onclick="switchTab('python', this)">Python</div>
+        <div class="tab" onclick="switchTab('curl', this)">curl</div>
+        <div class="tab" onclick="switchTab('node', this)">Node.js</div>
+      </div>
+
+      <div class="tab-content active" id="tab-python">
+        <div class="code-block" id="code-python">
+          <button class="copy-btn" onclick="copyCode('code-python')">Copy</button>
+Loading...
+        </div>
+      </div>
+      <div class="tab-content" id="tab-curl">
+        <div class="code-block" id="code-curl">
+          <button class="copy-btn" onclick="copyCode('code-curl')">Copy</button>
+Loading...
+        </div>
+      </div>
+      <div class="tab-content" id="tab-node">
+        <div class="code-block" id="code-node">
+          <button class="copy-btn" onclick="copyCode('code-node')">Copy</button>
+Loading...
+        </div>
+      </div>
+    </div>
+
+    <div class="card">
+      <h2>Status</h2>
+      <div id="statusInfo" class="loading">Checking...</div>
+    </div>
+  </div>
+
+  <script>
+    let authData = null;
+
+    async function loadStatus() {
+      try {
+        const resp = await fetch('/auth/status');
+        authData = await resp.json();
+
+        if (!authData.authenticated) {
+          window.location.href = '/';
+          return;
+        }
+
+        // User info
+        const user = authData.user || {};
+        document.getElementById('userInfo').textContent =
+          `${user.email || 'Unknown'} (${user.planType || 'unknown plan'})`;
+
+        // API config
+        const baseUrl = `${window.location.origin}/v1`;
+        const apiKey = authData.proxy_api_key || 'any-string';
+        document.getElementById('baseUrl').textContent = baseUrl;
+        document.getElementById('apiKey').textContent = apiKey;
+
+        // Code examples
+        document.getElementById('code-python').innerHTML =
+          `<button class="copy-btn" onclick="copyCode('code-python')">Copy</button>` +
+`from openai import OpenAI
+
+client = OpenAI(
+    base_url="${baseUrl}",
+    api_key="${apiKey}",
+)
+
+response = client.chat.completions.create(
+    model="codex",
+    messages=[
+        {"role": "user", "content": "Write a hello world in Python"}
+    ],
+    stream=True,
+)
+
+for chunk in response:
+    if chunk.choices[0].delta.content:
+        print(chunk.choices[0].delta.content, end="")`;
+
+        document.getElementById('code-curl').innerHTML =
+          `<button class="copy-btn" onclick="copyCode('code-curl')">Copy</button>` +
+`curl ${baseUrl}/chat/completions \\
+  -H "Content-Type: application/json" \\
+  -H "Authorization: Bearer ${apiKey}" \\
+  -d '{
+    "model": "codex",
+    "messages": [
+      {"role": "user", "content": "Write a hello world in Python"}
+    ],
+    "stream": false
+  }'`;
+
+        document.getElementById('code-node').innerHTML =
+          `<button class="copy-btn" onclick="copyCode('code-node')">Copy</button>` +
+`import OpenAI from "openai";
+
+const client = new OpenAI({
+    baseURL: "${baseUrl}",
+    apiKey: "${apiKey}",
+});
+
+const stream = await client.chat.completions.create({
+    model: "codex",
+    messages: [
+        { role: "user", content: "Write a hello world in Python" },
+    ],
+    stream: true,
+});
+
+for await (const chunk of stream) {
+    process.stdout.write(chunk.choices[0]?.delta?.content || "");
+}`;
+
+        // Fetch models
+        try {
+          const modelsResp = await fetch('/v1/models');
+          const modelsData = await modelsResp.json();
+          const modelNames = modelsData.data.map(m => m.id);
+          const defaultModel = modelNames.find(n => n.includes('5.3-codex')) || modelNames[0];
+          document.getElementById('defaultModel').textContent = defaultModel + ' (default)';
+          document.getElementById('allModels').textContent = modelNames.join(', ');
+        } catch {}
+
+        // Health status
+        const health = await fetch('/health').then(r => r.json());
+        document.getElementById('statusInfo').innerHTML =
+          `<span class="status-badge status-ok">Connected</span> ` +
+          `Server running at ${window.location.origin}`;
+      } catch (err) {
+        document.getElementById('statusInfo').textContent = 'Error: ' + err.message;
+      }
+    }
+
+    function switchTab(tab, el) {
+      document.querySelectorAll('.tab').forEach(t => t.classList.remove('active'));
+      document.querySelectorAll('.tab-content').forEach(t => t.classList.remove('active'));
+      el.classList.add('active');
+      document.getElementById('tab-' + tab).classList.add('active');
+    }
+
+    function copyText(id, btn) {
+      const text = document.getElementById(id).textContent;
+      navigator.clipboard.writeText(text);
+      btn.textContent = 'Copied!';
+      btn.classList.add('copied');
+      setTimeout(() => { btn.textContent = 'Copy'; btn.classList.remove('copied'); }, 2000);
+    }
+
+    function copyCode(id) {
+      const el = document.getElementById(id);
+      const code = el.textContent.replace('Copy', '').trim();
+      navigator.clipboard.writeText(code);
+    }
+
+    async function logout() {
+      await fetch('/auth/logout', { method: 'POST' });
+      window.location.href = '/';
+    }
+
+    loadStatus();
+  </script>
+</body>
+</html>

public/login.html

@@ -0,0 +1,306 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Codex Proxy - Login</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #0d1117;
+      color: #c9d1d9;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .container {
+      max-width: 420px;
+      width: 100%;
+      padding: 2rem;
+    }
+    .logo {
+      text-align: center;
+      margin-bottom: 2rem;
+    }
+    .logo h1 {
+      font-size: 1.5rem;
+      color: #58a6ff;
+      font-weight: 600;
+    }
+    .logo p {
+      color: #8b949e;
+      margin-top: 0.5rem;
+      font-size: 0.9rem;
+    }
+    .card {
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 12px;
+      padding: 2rem;
+    }
+    .btn {
+      display: block;
+      width: 100%;
+      padding: 12px 16px;
+      border: none;
+      border-radius: 8px;
+      font-size: 1rem;
+      font-weight: 500;
+      cursor: pointer;
+      text-align: center;
+      text-decoration: none;
+      transition: background 0.2s;
+    }
+    .btn-primary {
+      background: #238636;
+      color: #fff;
+    }
+    .btn-primary:hover {
+      background: #2ea043;
+    }
+    .btn-primary:disabled {
+      background: #1a5e28;
+      cursor: not-allowed;
+      opacity: 0.7;
+    }
+    .divider {
+      text-align: center;
+      margin: 1.5rem 0;
+      color: #484f58;
+      font-size: 0.85rem;
+    }
+    .divider::before, .divider::after {
+      content: '';
+      display: inline-block;
+      width: 30%;
+      height: 1px;
+      background: #30363d;
+      vertical-align: middle;
+      margin: 0 0.5rem;
+    }
+    .input-group {
+      margin-bottom: 1rem;
+    }
+    .input-group label {
+      display: block;
+      font-size: 0.85rem;
+      color: #8b949e;
+      margin-bottom: 0.5rem;
+    }
+    .input-group textarea {
+      width: 100%;
+      padding: 10px;
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #c9d1d9;
+      font-family: monospace;
+      font-size: 0.85rem;
+      resize: vertical;
+      min-height: 80px;
+    }
+    .input-group textarea:focus {
+      outline: none;
+      border-color: #58a6ff;
+    }
+    .error {
+      color: #f85149;
+      font-size: 0.85rem;
+      margin-top: 0.5rem;
+      display: none;
+    }
+    .success {
+      color: #3fb950;
+      font-size: 0.85rem;
+      margin-top: 0.5rem;
+      display: none;
+    }
+    .info {
+      color: #58a6ff;
+      font-size: 0.85rem;
+      margin-top: 0.5rem;
+      display: none;
+    }
+    .help {
+      margin-top: 1rem;
+      font-size: 0.8rem;
+      color: #484f58;
+      line-height: 1.5;
+    }
+    .spinner {
+      display: inline-block;
+      width: 14px;
+      height: 14px;
+      border: 2px solid rgba(255,255,255,0.3);
+      border-top-color: #fff;
+      border-radius: 50%;
+      animation: spin 0.8s linear infinite;
+      vertical-align: middle;
+      margin-right: 6px;
+    }
+    @keyframes spin {
+      to { transform: rotate(360deg); }
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      <h1>Codex Proxy</h1>
+      <p>OpenAI-compatible API for Codex Desktop</p>
+    </div>
+    <div class="card">
+      <button class="btn btn-primary" id="oauthBtn" onclick="startOAuth()">
+        Login with ChatGPT
+      </button>
+      <div class="info" id="oauthInfo"></div>
+      <div class="error" id="oauthError"></div>
+
+      <div class="divider">or</div>
+
+      <div id="manualSection">
+        <div class="input-group">
+          <label>Paste your ChatGPT access token</label>
+          <textarea id="tokenInput" placeholder="eyJhbGciOiJSUzI1NiIs..."></textarea>
+        </div>
+        <button class="btn btn-primary" id="submitToken" onclick="submitToken()">
+          Submit Token
+        </button>
+        <div class="error" id="errorMsg"></div>
+        <div class="success" id="successMsg"></div>
+        <div class="help">
+          To get your token: Open ChatGPT in browser &rarr; DevTools (F12) &rarr;
+          Application &rarr; Cookies &rarr; find <code>__Secure-next-auth.session-token</code>
+          or check Network tab for <code>Authorization: Bearer ...</code> header.
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <script>
+    let polling = false;
+
+    async function startOAuth() {
+      const btn = document.getElementById('oauthBtn');
+      const infoEl = document.getElementById('oauthInfo');
+      const errorEl = document.getElementById('oauthError');
+
+      btn.disabled = true;
+      btn.innerHTML = '<span class="spinner"></span>Connecting to Codex CLI...';
+      infoEl.style.display = 'none';
+      errorEl.style.display = 'none';
+
+      try {
+        const resp = await fetch('/auth/login');
+        const data = await resp.json();
+
+        if (data.authenticated) {
+          window.location.href = '/';
+          return;
+        }
+
+        if (data.error) {
+          errorEl.textContent = data.error;
+          errorEl.style.display = 'block';
+          btn.disabled = false;
+          btn.textContent = 'Login with ChatGPT';
+          return;
+        }
+
+        if (data.authUrl) {
+          // Open Auth0 login in new tab
+          window.open(data.authUrl, '_blank');
+
+          btn.innerHTML = '<span class="spinner"></span>Waiting for login...';
+          infoEl.textContent = 'A new tab has been opened for ChatGPT login. Complete the login there, then this page will update automatically.';
+          infoEl.style.display = 'block';
+
+          // Start polling for auth completion
+          startPolling();
+        }
+      } catch (err) {
+        errorEl.textContent = 'Network error: ' + err.message;
+        errorEl.style.display = 'block';
+        btn.disabled = false;
+        btn.textContent = 'Login with ChatGPT';
+      }
+    }
+
+    function startPolling() {
+      if (polling) return;
+      polling = true;
+
+      const poll = async () => {
+        if (!polling) return;
+        try {
+          const resp = await fetch('/auth/status');
+          const data = await resp.json();
+          if (data.authenticated) {
+            polling = false;
+            document.getElementById('oauthInfo').textContent = 'Login successful! Redirecting...';
+            document.getElementById('oauthInfo').style.display = 'block';
+            setTimeout(() => window.location.href = '/', 500);
+            return;
+          }
+        } catch {
+          // ignore polling errors
+        }
+        if (polling) {
+          setTimeout(poll, 2000);
+        }
+      };
+
+      poll();
+
+      // Stop polling after 5 minutes
+      setTimeout(() => {
+        if (polling) {
+          polling = false;
+          const btn = document.getElementById('oauthBtn');
+          btn.disabled = false;
+          btn.textContent = 'Login with ChatGPT';
+          document.getElementById('oauthInfo').style.display = 'none';
+          document.getElementById('oauthError').textContent = 'Login timed out. Please try again.';
+          document.getElementById('oauthError').style.display = 'block';
+        }
+      }, 5 * 60 * 1000);
+    }
+
+    async function submitToken() {
+      const token = document.getElementById('tokenInput').value.trim();
+      const errorEl = document.getElementById('errorMsg');
+      const successEl = document.getElementById('successMsg');
+      errorEl.style.display = 'none';
+      successEl.style.display = 'none';
+
+      if (!token) {
+        errorEl.textContent = 'Please paste a token';
+        errorEl.style.display = 'block';
+        return;
+      }
+
+      try {
+        const resp = await fetch('/auth/token', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ token }),
+        });
+        const data = await resp.json();
+        if (resp.ok) {
+          successEl.textContent = 'Login successful! Redirecting...';
+          successEl.style.display = 'block';
+          setTimeout(() => window.location.href = '/', 1000);
+        } else {
+          errorEl.textContent = data.error || 'Invalid token';
+          errorEl.style.display = 'block';
+        }
+      } catch (err) {
+        errorEl.textContent = 'Network error: ' + err.message;
+        errorEl.style.display = 'block';
+      }
+    }
+  </script>
+</body>
+</html>

scripts/apply-update.ts

@@ -0,0 +1,352 @@
+#!/usr/bin/env tsx
+/**
+ * apply-update.ts — Compares extracted fingerprint with current config and applies updates.
+ *
+ * Usage:
+ *   npx tsx scripts/apply-update.ts [--dry-run]
+ *
+ * --dry-run: Show what would change without modifying files.
+ */
+
+import { readFileSync, writeFileSync, existsSync } from "fs";
+import { resolve } from "path";
+import { createHash } from "crypto";
+import yaml from "js-yaml";
+
+const ROOT = resolve(import.meta.dirname, "..");
+const CONFIG_PATH = resolve(ROOT, "config/default.yaml");
+const FINGERPRINT_PATH = resolve(ROOT, "config/fingerprint.yaml");
+const EXTRACTED_PATH = resolve(ROOT, "data/extracted-fingerprint.json");
+const MODELS_PATH = resolve(ROOT, "src/routes/models.ts");
+const PROMPTS_DIR = resolve(ROOT, "config/prompts");
+
+type ChangeType = "auto" | "semi-auto" | "alert";
+
+interface Change {
+  type: ChangeType;
+  category: string;
+  description: string;
+  current: string;
+  updated: string;
+  file: string;
+}
+
+interface ExtractedFingerprint {
+  app_version: string;
+  build_number: string;
+  api_base_url: string | null;
+  originator: string | null;
+  models: string[];
+  wham_endpoints: string[];
+  user_agent_contains: string;
+  prompts: {
+    desktop_context_hash: string | null;
+    desktop_context_path: string | null;
+    title_generation_hash: string | null;
+    title_generation_path: string | null;
+    pr_generation_hash: string | null;
+    pr_generation_path: string | null;
+    automation_response_hash: string | null;
+    automation_response_path: string | null;
+  };
+}
+
+function loadExtracted(): ExtractedFingerprint {
+  if (!existsSync(EXTRACTED_PATH)) {
+    throw new Error(
+      `No extracted fingerprint found at ${EXTRACTED_PATH}.\n` +
+      `Run: npm run extract -- --path <codex-path>`
+    );
+  }
+  return JSON.parse(readFileSync(EXTRACTED_PATH, "utf-8"));
+}
+
+function loadCurrentConfig(): Record<string, unknown> {
+  return yaml.load(readFileSync(CONFIG_PATH, "utf-8")) as Record<string, unknown>;
+}
+
+function detectChanges(extracted: ExtractedFingerprint): Change[] {
+  const changes: Change[] = [];
+  const config = loadCurrentConfig();
+  const client = config.client as Record<string, string>;
+
+  // Version
+  if (extracted.app_version !== client.app_version) {
+    changes.push({
+      type: "auto",
+      category: "version",
+      description: "App version changed",
+      current: client.app_version,
+      updated: extracted.app_version,
+      file: CONFIG_PATH,
+    });
+  }
+
+  // Build number
+  if (extracted.build_number !== client.build_number) {
+    changes.push({
+      type: "auto",
+      category: "build",
+      description: "Build number changed",
+      current: client.build_number,
+      updated: extracted.build_number,
+      file: CONFIG_PATH,
+    });
+  }
+
+  // Originator
+  if (extracted.originator && extracted.originator !== client.originator) {
+    changes.push({
+      type: "auto",
+      category: "originator",
+      description: "Originator header changed",
+      current: client.originator,
+      updated: extracted.originator,
+      file: CONFIG_PATH,
+    });
+  }
+
+  // API base URL
+  const api = config.api as Record<string, string>;
+  if (extracted.api_base_url && extracted.api_base_url !== api.base_url) {
+    changes.push({
+      type: "alert",
+      category: "api_url",
+      description: "API base URL changed (CRITICAL)",
+      current: api.base_url,
+      updated: extracted.api_base_url,
+      file: CONFIG_PATH,
+    });
+  }
+
+  // Models — check for additions/removals
+  const modelsTs = readFileSync(MODELS_PATH, "utf-8");
+  const currentModels = [...modelsTs.matchAll(/id:\s*"(gpt-[^"]+)"/g)].map((m) => m[1]);
+  const extractedModels = extracted.models.filter((m) => m.includes("codex") || currentModels.includes(m));
+
+  const newModels = extractedModels.filter((m) => !currentModels.includes(m));
+  const removedModels = currentModels.filter((m) => !extractedModels.includes(m));
+
+  if (newModels.length > 0) {
+    changes.push({
+      type: "semi-auto",
+      category: "models_added",
+      description: `New models found: ${newModels.join(", ")}`,
+      current: currentModels.join(", "),
+      updated: extractedModels.join(", "),
+      file: MODELS_PATH,
+    });
+  }
+
+  if (removedModels.length > 0) {
+    changes.push({
+      type: "semi-auto",
+      category: "models_removed",
+      description: `Models removed: ${removedModels.join(", ")}`,
+      current: currentModels.join(", "),
+      updated: extractedModels.join(", "),
+      file: MODELS_PATH,
+    });
+  }
+
+  // WHAM endpoints — check for new ones
+  const knownEndpoints = [
+    "/wham/tasks", "/wham/environments", "/wham/accounts/check",
+    "/wham/usage",
+  ];
+  const newEndpoints = extracted.wham_endpoints.filter(
+    (ep) => !knownEndpoints.some((k) => ep.startsWith(k))
+  );
+  if (newEndpoints.length > 0) {
+    changes.push({
+      type: "alert",
+      category: "endpoints",
+      description: `New WHAM endpoints found: ${newEndpoints.join(", ")}`,
+      current: "(known set)",
+      updated: newEndpoints.join(", "),
+      file: "src/proxy/wham-api.ts",
+    });
+  }
+
+  // System prompts — check hash changes
+  const promptConfigs = [
+    { name: "desktop-context", hash: extracted.prompts.desktop_context_hash, path: extracted.prompts.desktop_context_path },
+    { name: "title-generation", hash: extracted.prompts.title_generation_hash, path: extracted.prompts.title_generation_path },
+    { name: "pr-generation", hash: extracted.prompts.pr_generation_hash, path: extracted.prompts.pr_generation_path },
+    { name: "automation-response", hash: extracted.prompts.automation_response_hash, path: extracted.prompts.automation_response_path },
+  ];
+
+  for (const { name, hash, path } of promptConfigs) {
+    if (!hash || !path) continue;
+
+    const configPromptPath = resolve(PROMPTS_DIR, `${name}.md`);
+    if (!existsSync(configPromptPath)) {
+      changes.push({
+        type: "semi-auto",
+        category: `prompt_${name}`,
+        description: `New prompt file: ${name}.md (not in config/prompts/)`,
+        current: "(missing)",
+        updated: hash,
+        file: configPromptPath,
+      });
+      continue;
+    }
+
+    const currentContent = readFileSync(configPromptPath, "utf-8");
+    const currentHash = `sha256:${createHash("sha256").update(currentContent).digest("hex").slice(0, 16)}`;
+
+    if (currentHash !== hash) {
+      changes.push({
+        type: "semi-auto",
+        category: `prompt_${name}`,
+        description: `System prompt changed: ${name}`,
+        current: currentHash,
+        updated: hash,
+        file: configPromptPath,
+      });
+    }
+  }
+
+  return changes;
+}
+
+function applyAutoChanges(changes: Change[], dryRun: boolean): void {
+  const autoChanges = changes.filter((c) => c.type === "auto");
+
+  if (autoChanges.length === 0) {
+    console.log("\n  No auto-applicable changes.");
+    return;
+  }
+
+  // Group config changes
+  const configChanges = autoChanges.filter((c) => c.file === CONFIG_PATH);
+
+  if (configChanges.length > 0 && !dryRun) {
+    let configContent = readFileSync(CONFIG_PATH, "utf-8");
+
+    for (const change of configChanges) {
+      switch (change.category) {
+        case "version":
+          configContent = configContent.replace(
+            /app_version:\s*"[^"]+"/,
+            `app_version: "${change.updated}"`,
+          );
+          break;
+        case "build":
+          configContent = configContent.replace(
+            /build_number:\s*"[^"]+"/,
+            `build_number: "${change.updated}"`,
+          );
+          break;
+        case "originator":
+          configContent = configContent.replace(
+            /originator:\s*"[^"]+"/,
+            `originator: "${change.updated}"`,
+          );
+          break;
+      }
+    }
+
+    writeFileSync(CONFIG_PATH, configContent);
+    console.log(`  [APPLIED] config/default.yaml updated`);
+  }
+}
+
+function displayReport(changes: Change[], dryRun: boolean): void {
+  console.log("\n╔══════════════════════════════════════════╗");
+  console.log(`║  Update Analysis ${dryRun ? "(DRY RUN)" : ""}                    ║`);
+  console.log("╠══════════════════════════════════════════╣");
+
+  if (changes.length === 0) {
+    console.log("║  No changes detected — up to date!       ║");
+    console.log("╚══════════════════════════════════════════╝");
+    return;
+  }
+
+  console.log("╚══════════════════════════════════════════╝\n");
+
+  // Auto changes
+  const auto = changes.filter((c) => c.type === "auto");
+  if (auto.length > 0) {
+    console.log(`  AUTO-APPLY (${auto.length}):`);
+    for (const c of auto) {
+      const action = dryRun ? "WOULD APPLY" : "APPLIED";
+      console.log(`    [${action}] ${c.description}`);
+      console.log(`      ${c.current} → ${c.updated}`);
+    }
+  }
+
+  // Semi-auto changes
+  const semi = changes.filter((c) => c.type === "semi-auto");
+  if (semi.length > 0) {
+    console.log(`\n  SEMI-AUTO (needs review) (${semi.length}):`);
+    for (const c of semi) {
+      console.log(`    [REVIEW] ${c.description}`);
+      console.log(`      File: ${c.file}`);
+      console.log(`      Current: ${c.current}`);
+      console.log(`      New:     ${c.updated}`);
+    }
+  }
+
+  // Alerts
+  const alerts = changes.filter((c) => c.type === "alert");
+  if (alerts.length > 0) {
+    console.log(`\n  *** ALERTS (${alerts.length}) ***`);
+    for (const c of alerts) {
+      console.log(`    [ALERT] ${c.description}`);
+      console.log(`      File: ${c.file}`);
+      console.log(`      Current: ${c.current}`);
+      console.log(`      New:     ${c.updated}`);
+    }
+  }
+
+  // Prompt diffs
+  const promptChanges = changes.filter((c) => c.category.startsWith("prompt_"));
+  if (promptChanges.length > 0) {
+    console.log("\n  PROMPT CHANGES:");
+    console.log("  To apply prompt updates, copy from data/extracted-prompts/ to config/prompts/:");
+    for (const c of promptChanges) {
+      const name = c.category.replace("prompt_", "");
+      console.log(`    cp data/extracted-prompts/${name}.md config/prompts/${name}.md`);
+    }
+  }
+
+  console.log("");
+}
+
+async function main() {
+  const dryRun = process.argv.includes("--dry-run");
+
+  console.log("[apply-update] Loading extracted fingerprint...");
+  const extracted = loadExtracted();
+  console.log(`  Extracted: v${extracted.app_version} (build ${extracted.build_number})`);
+
+  console.log("[apply-update] Comparing with current config...");
+  const changes = detectChanges(extracted);
+
+  displayReport(changes, dryRun);
+
+  if (!dryRun) {
+    applyAutoChanges(changes, dryRun);
+  }
+
+  // Summary
+  const auto = changes.filter((c) => c.type === "auto").length;
+  const semi = changes.filter((c) => c.type === "semi-auto").length;
+  const alerts = changes.filter((c) => c.type === "alert").length;
+
+  console.log(`[apply-update] Summary: ${auto} auto, ${semi} semi-auto, ${alerts} alerts`);
+
+  if (semi > 0 || alerts > 0) {
+    console.log("[apply-update] Manual review needed for semi-auto and alert items above.");
+  }
+
+  if (dryRun && auto > 0) {
+    console.log("[apply-update] Run without --dry-run to apply auto changes.");
+  }
+}
+
+main().catch((err) => {
+  console.error("[apply-update] Fatal:", err);
+  process.exit(1);
+});

scripts/check-update.ts

@@ -0,0 +1,157 @@
+#!/usr/bin/env tsx
+/**
+ * check-update.ts — Polls the Codex Sparkle appcast feed for new versions.
+ *
+ * Usage:
+ *   npx tsx scripts/check-update.ts [--watch]
+ *
+ * With --watch: polls every 30 minutes and keeps running.
+ * Without: runs once and exits.
+ */
+
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { resolve } from "path";
+import yaml from "js-yaml";
+
+const ROOT = resolve(import.meta.dirname, "..");
+const CONFIG_PATH = resolve(ROOT, "config/default.yaml");
+const STATE_PATH = resolve(ROOT, "data/update-state.json");
+const APPCAST_URL = "https://persistent.oaistatic.com/codex-app-prod/appcast.xml";
+const POLL_INTERVAL_MS = 30 * 60 * 1000; // 30 minutes
+
+interface UpdateState {
+  last_check: string;
+  latest_version: string | null;
+  latest_build: string | null;
+  download_url: string | null;
+  update_available: boolean;
+  current_version: string;
+  current_build: string;
+}
+
+interface CurrentConfig {
+  app_version: string;
+  build_number: string;
+}
+
+function loadCurrentConfig(): CurrentConfig {
+  const raw = yaml.load(readFileSync(CONFIG_PATH, "utf-8")) as Record<string, unknown>;
+  const client = raw.client as Record<string, string>;
+  return {
+    app_version: client.app_version,
+    build_number: client.build_number,
+  };
+}
+
+/**
+ * Parse appcast XML to extract version info.
+ * Uses regex-based parsing to avoid heavy XML dependencies.
+ */
+function parseAppcast(xml: string): {
+  version: string | null;
+  build: string | null;
+  downloadUrl: string | null;
+} {
+  // Extract the latest <item> (first one is usually the latest)
+  const itemMatch = xml.match(/<item>([\s\S]*?)<\/item>/i);
+  if (!itemMatch) {
+    return { version: null, build: null, downloadUrl: null };
+  }
+  const item = itemMatch[1];
+
+  // sparkle:shortVersionString = display version
+  const versionMatch = item.match(/sparkle:shortVersionString="([^"]+)"/);
+  // sparkle:version = build number
+  const buildMatch = item.match(/sparkle:version="([^"]+)"/);
+  // url = download URL from enclosure
+  const urlMatch = item.match(/url="([^"]+)"/);
+
+  return {
+    version: versionMatch?.[1] ?? null,
+    build: buildMatch?.[1] ?? null,
+    downloadUrl: urlMatch?.[1] ?? null,
+  };
+}
+
+async function checkOnce(): Promise<UpdateState> {
+  const current = loadCurrentConfig();
+
+  console.log(`[check-update] Current: v${current.app_version} (build ${current.build_number})`);
+  console.log(`[check-update] Fetching ${APPCAST_URL}...`);
+
+  const res = await fetch(APPCAST_URL);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch appcast: ${res.status} ${res.statusText}`);
+  }
+
+  const xml = await res.text();
+  const { version, build, downloadUrl } = parseAppcast(xml);
+
+  if (!version || !build) {
+    console.warn("[check-update] Could not parse version from appcast");
+    return {
+      last_check: new Date().toISOString(),
+      latest_version: null,
+      latest_build: null,
+      download_url: null,
+      update_available: false,
+      current_version: current.app_version,
+      current_build: current.build_number,
+    };
+  }
+
+  const updateAvailable =
+    version !== current.app_version || build !== current.build_number;
+
+  const state: UpdateState = {
+    last_check: new Date().toISOString(),
+    latest_version: version,
+    latest_build: build,
+    download_url: downloadUrl,
+    update_available: updateAvailable,
+    current_version: current.app_version,
+    current_build: current.build_number,
+  };
+
+  if (updateAvailable) {
+    console.log(`\n  *** UPDATE AVAILABLE ***`);
+    console.log(`  New version: ${version} (build ${build})`);
+    console.log(`  Current:     ${current.app_version} (build ${current.build_number})`);
+    if (downloadUrl) {
+      console.log(`  Download:    ${downloadUrl}`);
+    }
+    console.log(`\n  Run: npm run extract -- --path <new-codex-path>`);
+    console.log(`  Then: npm run apply-update\n`);
+  } else {
+    console.log(`[check-update] Up to date: v${version} (build ${build})`);
+  }
+
+  // Write state
+  mkdirSync(resolve(ROOT, "data"), { recursive: true });
+  writeFileSync(STATE_PATH, JSON.stringify(state, null, 2));
+  console.log(`[check-update] State written to ${STATE_PATH}`);
+
+  return state;
+}
+
+async function main() {
+  const watch = process.argv.includes("--watch");
+
+  await checkOnce();
+
+  if (watch) {
+    console.log(`[check-update] Watching for updates every ${POLL_INTERVAL_MS / 60000} minutes...`);
+    setInterval(async () => {
+      try {
+        await checkOnce();
+      } catch (err) {
+        console.error("[check-update] Poll error:", err);
+      }
+    }, POLL_INTERVAL_MS);
+  }
+}
+
+main().catch((err) => {
+  console.error("[check-update] Fatal:", err);
+  process.exit(1);
+});

scripts/extract-fingerprint.ts

@@ -0,0 +1,431 @@
+#!/usr/bin/env tsx
+/**
+ * extract-fingerprint.ts — Extracts key fingerprint values from a Codex Desktop
+ * installation (macOS .app or Windows extracted ASAR).
+ *
+ * Usage:
+ *   npx tsx scripts/extract-fingerprint.ts --path "C:/path/to/Codex" [--asar-out ./asar-out]
+ *
+ * The path can point to:
+ *   - A macOS .app bundle (Codex.app)
+ *   - A directory containing an already-extracted ASAR (with package.json and .vite/build/main.js)
+ *   - A Windows install dir containing resources/app.asar
+ */
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { resolve, join } from "path";
+import { createHash } from "crypto";
+import { execSync } from "child_process";
+import yaml from "js-yaml";
+
+const ROOT = resolve(import.meta.dirname, "..");
+const OUTPUT_PATH = resolve(ROOT, "data/extracted-fingerprint.json");
+const PROMPTS_DIR = resolve(ROOT, "data/extracted-prompts");
+const PATTERNS_PATH = resolve(ROOT, "config/extraction-patterns.yaml");
+
+interface ExtractionPatterns {
+  package_json: { version_key: string; build_number_key: string; sparkle_feed_key: string };
+  main_js: Record<string, {
+    pattern?: string;
+    group?: number;
+    global?: boolean;
+    start_marker?: string;
+    end_marker?: string;
+    end_pattern?: string;
+    description: string;
+  }>;
+}
+
+interface ExtractedFingerprint {
+  app_version: string;
+  build_number: string;
+  api_base_url: string | null;
+  originator: string | null;
+  models: string[];
+  wham_endpoints: string[];
+  user_agent_contains: string;
+  sparkle_feed_url: string | null;
+  prompts: {
+    desktop_context_hash: string | null;
+    desktop_context_path: string | null;
+    title_generation_hash: string | null;
+    title_generation_path: string | null;
+    pr_generation_hash: string | null;
+    pr_generation_path: string | null;
+    automation_response_hash: string | null;
+    automation_response_path: string | null;
+  };
+  extracted_at: string;
+  source_path: string;
+}
+
+function sha256(content: string): string {
+  return `sha256:${createHash("sha256").update(content, "utf-8").digest("hex").slice(0, 16)}`;
+}
+
+function loadPatterns(): ExtractionPatterns {
+  const raw = yaml.load(readFileSync(PATTERNS_PATH, "utf-8")) as ExtractionPatterns;
+  return raw;
+}
+
+/**
+ * Find the extracted ASAR root given an input path.
+ * Tries multiple layout conventions.
+ */
+function findAsarRoot(inputPath: string): string {
+  // Direct: path has package.json (already extracted)
+  if (existsSync(join(inputPath, "package.json"))) {
+    return inputPath;
+  }
+
+  // macOS .app bundle
+  const macResources = join(inputPath, "Contents/Resources");
+  if (existsSync(join(macResources, "app.asar"))) {
+    return extractAsar(join(macResources, "app.asar"));
+  }
+
+  // Windows: resources/app.asar
+  const winResources = join(inputPath, "resources");
+  if (existsSync(join(winResources, "app.asar"))) {
+    return extractAsar(join(winResources, "app.asar"));
+  }
+
+  // Already extracted: check for nested 'extracted' dir
+  const extractedDir = join(inputPath, "extracted");
+  if (existsSync(join(extractedDir, "package.json"))) {
+    return extractedDir;
+  }
+
+  // Check recovered/extracted pattern
+  const recoveredExtracted = join(inputPath, "recovered/extracted");
+  if (existsSync(join(recoveredExtracted, "package.json"))) {
+    return recoveredExtracted;
+  }
+
+  throw new Error(
+    `Cannot find Codex source at ${inputPath}. Expected package.json or app.asar.`
+  );
+}
+
+function extractAsar(asarPath: string): string {
+  const outDir = resolve(ROOT, ".asar-out");
+  console.log(`[extract] Extracting ASAR: ${asarPath} → ${outDir}`);
+  execSync(`npx @electron/asar extract "${asarPath}" "${outDir}"`, {
+    stdio: "inherit",
+  });
+  return outDir;
+}
+
+/**
+ * Step A: Extract from package.json
+ */
+function extractFromPackageJson(root: string): {
+  version: string;
+  buildNumber: string;
+  sparkleFeedUrl: string | null;
+} {
+  const pkgPath = join(root, "package.json");
+  const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+
+  return {
+    version: pkg.version ?? "unknown",
+    buildNumber: String(pkg.codexBuildNumber ?? "unknown"),
+    sparkleFeedUrl: pkg.codexSparkleFeedUrl ?? null,
+  };
+}
+
+/**
+ * Step B: Extract values from main.js using patterns
+ */
+function extractFromMainJs(
+  content: string,
+  patterns: ExtractionPatterns["main_js"],
+): {
+  apiBaseUrl: string | null;
+  originator: string | null;
+  models: string[];
+  whamEndpoints: string[];
+  userAgentContains: string;
+} {
+  // API base URL
+  let apiBaseUrl: string | null = null;
+  const apiPattern = patterns.api_base_url;
+  if (apiPattern?.pattern) {
+    const m = content.match(new RegExp(apiPattern.pattern));
+    if (m) apiBaseUrl = m[0];
+  }
+
+  // Originator
+  let originator: string | null = null;
+  const origPattern = patterns.originator;
+  if (origPattern?.pattern) {
+    const m = content.match(new RegExp(origPattern.pattern));
+    if (m) originator = m[origPattern.group ?? 0] ?? m[0];
+  }
+
+  // Models — deduplicate, use capture group if specified
+  const models: Set<string> = new Set();
+  const modelPattern = patterns.models;
+  if (modelPattern?.pattern) {
+    const re = new RegExp(modelPattern.pattern, "g");
+    const groupIdx = modelPattern.group ?? 0;
+    for (const m of content.matchAll(re)) {
+      models.add(m[groupIdx] ?? m[0]);
+    }
+  }
+
+  // WHAM endpoints — deduplicate, use capture group if specified
+  const endpoints: Set<string> = new Set();
+  const epPattern = patterns.wham_endpoints;
+  if (epPattern?.pattern) {
+    const re = new RegExp(epPattern.pattern, "g");
+    const epGroupIdx = epPattern.group ?? 0;
+    for (const m of content.matchAll(re)) {
+      endpoints.add(m[epGroupIdx] ?? m[0]);
+    }
+  }
+
+  return {
+    apiBaseUrl,
+    originator,
+    models: [...models].sort(),
+    whamEndpoints: [...endpoints].sort(),
+    userAgentContains: "Codex Desktop/",
+  };
+}
+
+/**
+ * Step B (continued): Extract system prompts from main.js
+ */
+function extractPrompts(content: string): {
+  desktopContext: string | null;
+  titleGeneration: string | null;
+  prGeneration: string | null;
+  automationResponse: string | null;
+} {
+  // Desktop context: from "# Codex desktop context" to the end of the template literal
+  let desktopContext: string | null = null;
+  const dcStart = content.indexOf("# Codex desktop context");
+  if (dcStart !== -1) {
+    // Find the closing backtick of the template literal
+    // Look backwards from dcStart for the opening backtick to understand nesting
+    // Then scan forward for the matching close
+    const afterStart = content.indexOf("`;", dcStart);
+    if (afterStart !== -1) {
+      desktopContext = content.slice(dcStart, afterStart).trim();
+    }
+  }
+
+  // Title generation: from the function that builds the array
+  let titleGeneration: string | null = null;
+  const titleMarker = "You are a helpful assistant. You will be presented with a user prompt";
+  const titleStart = content.indexOf(titleMarker);
+  if (titleStart !== -1) {
+    // Find the enclosing array end: ].join(
+    const joinIdx = content.indexOf("].join(", titleStart);
+    if (joinIdx !== -1) {
+      // Extract the array content between [ and ]
+      const bracketStart = content.lastIndexOf("[", titleStart);
+      if (bracketStart !== -1) {
+        const arrayContent = content.slice(bracketStart + 1, joinIdx);
+        // Parse string literals from the array
+        titleGeneration = parseStringArray(arrayContent);
+      }
+    }
+  }
+
+  // PR generation
+  let prGeneration: string | null = null;
+  const prMarker = "You are a helpful assistant. Generate a pull request title";
+  const prStart = content.indexOf(prMarker);
+  if (prStart !== -1) {
+    const joinIdx = content.indexOf("].join(", prStart);
+    if (joinIdx !== -1) {
+      const bracketStart = content.lastIndexOf("[", prStart);
+      if (bracketStart !== -1) {
+        const arrayContent = content.slice(bracketStart + 1, joinIdx);
+        prGeneration = parseStringArray(arrayContent);
+      }
+    }
+  }
+
+  // Automation response: template literal starting with "Response MUST end with"
+  let automationResponse: string | null = null;
+  const autoMarker = "Response MUST end with a remark-directive block";
+  const autoStart = content.indexOf(autoMarker);
+  if (autoStart !== -1) {
+    const afterAuto = content.indexOf("`;", autoStart);
+    if (afterAuto !== -1) {
+      automationResponse = content.slice(autoStart, afterAuto).trim();
+    }
+  }
+
+  return { desktopContext, titleGeneration, prGeneration, automationResponse };
+}
+
+/**
+ * Parse a JavaScript string array content into a single joined string.
+ * Handles simple quoted strings separated by commas.
+ */
+function parseStringArray(arrayContent: string): string {
+  const lines: string[] = [];
+  // Match quoted strings (both single and double quotes) and template literals
+  const stringRe = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
+  for (const m of arrayContent.matchAll(stringRe)) {
+    const str = m[1] ?? m[2] ?? "";
+    // Unescape common sequences
+    lines.push(
+      str
+        .replace(/\\n/g, "\n")
+        .replace(/\\t/g, "\t")
+        .replace(/\\"/g, '"')
+        .replace(/\\'/g, "'")
+        .replace(/\\\\/g, "\\")
+    );
+  }
+  return lines.join("\n");
+}
+
+function savePrompt(name: string, content: string | null): { hash: string | null; path: string | null } {
+  if (!content) return { hash: null, path: null };
+
+  mkdirSync(PROMPTS_DIR, { recursive: true });
+  const filePath = join(PROMPTS_DIR, `${name}.md`);
+  writeFileSync(filePath, content);
+
+  return {
+    hash: sha256(content),
+    path: filePath,
+  };
+}
+
+async function main() {
+  // Parse --path argument
+  const pathIdx = process.argv.indexOf("--path");
+  if (pathIdx === -1 || !process.argv[pathIdx + 1]) {
+    console.error("Usage: npx tsx scripts/extract-fingerprint.ts --path <codex-path>");
+    console.error("");
+    console.error("  <codex-path> can be:");
+    console.error("    - macOS: /path/to/Codex.app");
+    console.error("    - Windows: C:/path/to/Codex (containing resources/app.asar)");
+    console.error("    - Extracted: directory with package.json and .vite/build/main.js");
+    process.exit(1);
+  }
+
+  const inputPath = resolve(process.argv[pathIdx + 1]);
+  console.log(`[extract] Input: ${inputPath}`);
+
+  // Find ASAR root
+  const asarRoot = findAsarRoot(inputPath);
+  console.log(`[extract] ASAR root: ${asarRoot}`);
+
+  // Load extraction patterns
+  const patterns = loadPatterns();
+
+  // Step A: package.json
+  console.log("[extract] Reading package.json...");
+  const { version, buildNumber, sparkleFeedUrl } = extractFromPackageJson(asarRoot);
+  console.log(`  version: ${version}`);
+  console.log(`  build:   ${buildNumber}`);
+
+  // Step B: main.js
+  console.log("[extract] Loading main.js...");
+  const mainJs = await (async () => {
+    const mainPath = join(asarRoot, ".vite/build/main.js");
+    if (!existsSync(mainPath)) {
+      console.warn("[extract] main.js not found, skipping JS extraction");
+      return null;
+    }
+
+    const content = readFileSync(mainPath, "utf-8");
+    const lineCount = content.split("\n").length;
+
+    if (lineCount < 100 && content.length > 100000) {
+      console.log("[extract] main.js appears minified, attempting beautify...");
+      try {
+        const jsBeautify = await import("js-beautify");
+        return jsBeautify.default.js(content, { indent_size: 2 });
+      } catch {
+        console.warn("[extract] js-beautify not available, using raw content");
+        return content;
+      }
+    }
+    return content;
+  })();
+
+  let mainJsResults = {
+    apiBaseUrl: null as string | null,
+    originator: null as string | null,
+    models: [] as string[],
+    whamEndpoints: [] as string[],
+    userAgentContains: "Codex Desktop/",
+  };
+
+  let promptResults = {
+    desktopContext: null as string | null,
+    titleGeneration: null as string | null,
+    prGeneration: null as string | null,
+    automationResponse: null as string | null,
+  };
+
+  if (mainJs) {
+    console.log(`[extract] main.js loaded (${mainJs.split("\n").length} lines)`);
+
+    mainJsResults = extractFromMainJs(mainJs, patterns.main_js);
+    console.log(`  API base URL:  ${mainJsResults.apiBaseUrl}`);
+    console.log(`  originator:    ${mainJsResults.originator}`);
+    console.log(`  models:        ${mainJsResults.models.join(", ")}`);
+    console.log(`  WHAM endpoints: ${mainJsResults.whamEndpoints.length} found`);
+
+    // Extract system prompts
+    console.log("[extract] Extracting system prompts...");
+    promptResults = extractPrompts(mainJs);
+    console.log(`  desktop-context:     ${promptResults.desktopContext ? "found" : "NOT FOUND"}`);
+    console.log(`  title-generation:    ${promptResults.titleGeneration ? "found" : "NOT FOUND"}`);
+    console.log(`  pr-generation:       ${promptResults.prGeneration ? "found" : "NOT FOUND"}`);
+    console.log(`  automation-response: ${promptResults.automationResponse ? "found" : "NOT FOUND"}`);
+  }
+
+  // Save extracted prompts
+  const dc = savePrompt("desktop-context", promptResults.desktopContext);
+  const tg = savePrompt("title-generation", promptResults.titleGeneration);
+  const pr = savePrompt("pr-generation", promptResults.prGeneration);
+  const ar = savePrompt("automation-response", promptResults.automationResponse);
+
+  // Build output
+  const fingerprint: ExtractedFingerprint = {
+    app_version: version,
+    build_number: buildNumber,
+    api_base_url: mainJsResults.apiBaseUrl,
+    originator: mainJsResults.originator,
+    models: mainJsResults.models,
+    wham_endpoints: mainJsResults.whamEndpoints,
+    user_agent_contains: mainJsResults.userAgentContains,
+    sparkle_feed_url: sparkleFeedUrl,
+    prompts: {
+      desktop_context_hash: dc.hash,
+      desktop_context_path: dc.path,
+      title_generation_hash: tg.hash,
+      title_generation_path: tg.path,
+      pr_generation_hash: pr.hash,
+      pr_generation_path: pr.path,
+      automation_response_hash: ar.hash,
+      automation_response_path: ar.path,
+    },
+    extracted_at: new Date().toISOString(),
+    source_path: inputPath,
+  };
+
+  // Write output
+  mkdirSync(resolve(ROOT, "data"), { recursive: true });
+  writeFileSync(OUTPUT_PATH, JSON.stringify(fingerprint, null, 2));
+
+  console.log(`\n[extract] Fingerprint written to ${OUTPUT_PATH}`);
+  console.log(`[extract] Prompts written to ${PROMPTS_DIR}/`);
+  console.log("[extract] Done.");
+}
+
+main().catch((err) => {
+  console.error("[extract] Fatal:", err);
+  process.exit(1);
+});

scripts/test-create-env-gh.ts

@@ -0,0 +1,74 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('Not auth'); return; }
+  const c = new ProxyClient(tk, am.getAccountId());
+
+  // Create environment: github/octocat/Hello-World
+  console.log('=== Create env ===');
+  const r = await c.post('wham/environments', {
+    machine_id: '6993d698c6a48190bcc7ed131c5f34b4',
+    repos: ['github/octocat/Hello-World'],
+    label: 'proxy-env',
+  });
+  console.log(r.status, JSON.stringify(r.body).slice(0, 800));
+
+  if (r.ok) {
+    const env = r.body as { environment_id?: string; id?: string };
+    const envId = env.environment_id || env.id;
+    console.log('Environment ID:', envId);
+
+    if (envId) {
+      // Create task with this environment
+      console.log('\n=== Create task with env ===');
+      const tr = await c.post('wham/tasks', {
+        new_task: {
+          branch: 'main',
+          environment_id: envId,
+          run_environment_in_qa_mode: false,
+        },
+        input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello in one sentence.' }] }],
+        model: 'gpt-5.1-codex-mini',
+        developer_instructions: null,
+        base_instructions: null,
+        personality: null,
+        approval_policy: 'never',
+        sandbox: 'workspace-write',
+        ephemeral: null,
+      });
+      console.log(tr.status, JSON.stringify(tr.body).slice(0, 800));
+
+      const taskBody = tr.body as { task?: { id?: string; current_turn_id?: string } };
+      if (tr.ok && taskBody?.task?.id) {
+        const taskId = taskBody.task.id;
+        const turnId = taskBody.task.current_turn_id;
+        console.log('\nPolling...');
+        for (let i = 0; i < 60; i++) {
+          await new Promise(res => setTimeout(res, 3000));
+          const poll = await c.get(
+            'wham/tasks/' + encodeURIComponent(taskId) + '/turns/' + encodeURIComponent(turnId!)
+          );
+          const pd = poll.body as { turn?: { turn_status?: string; output_items?: unknown[]; error?: unknown } };
+          const st = pd?.turn?.turn_status;
+          console.log('  ' + i + ': ' + st);
+          if (st === 'completed' || st === 'failed' || st === 'cancelled') {
+            if (pd?.turn?.error) console.log('  Error:', JSON.stringify(pd.turn.error));
+            if (pd?.turn?.output_items) console.log('  Output:', JSON.stringify(pd.turn.output_items).slice(0, 1000));
+            break;
+          }
+        }
+      }
+    }
+  }
+
+  // Also try listing environments now
+  console.log('\n=== List environments ===');
+  const le = await c.get('wham/environments');
+  console.log(le.status, JSON.stringify(le.body).slice(0, 400));
+}
+main().catch(e => console.error(e));

scripts/test-create-env-real.ts

@@ -0,0 +1,128 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+import { buildHeadersWithContentType } from '../src/fingerprint/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('Not authenticated'); return; }
+  const aid = am.getAccountId();
+  const c = new ProxyClient(tk, aid);
+  const base = 'https://chatgpt.com/backend-api';
+
+  const machineId = '6993d698c6a48190bcc7ed131c5f34b4';
+
+  // Test 1: Create environment with a real public GitHub repo
+  console.log('=== Test 1: POST /wham/environments with real repo ===');
+  try {
+    const r = await c.post('wham/environments', {
+      machine_id: machineId,
+      repos: [{ provider: 'github', owner: 'octocat', name: 'Hello-World' }],
+      label: 'test-env',
+    });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 2: Different repos format
+  console.log('\n=== Test 2: repos as string array ===');
+  try {
+    const r = await c.post('wham/environments', {
+      machine_id: machineId,
+      repos: ['octocat/Hello-World'],
+      label: 'test-env-2',
+    });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 3: Minimal environment creation
+  console.log('\n=== Test 3: minimal env ===');
+  try {
+    const r = await c.post('wham/environments', {
+      machine_id: machineId,
+    });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 4: Create environment via different endpoint
+  console.log('\n=== Test 4: POST /wham/environments/create ===');
+  try {
+    const r = await c.post('wham/environments/create', {
+      machine_id: machineId,
+      repos: ['octocat/Hello-World'],
+    });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 5: Try the webview approach - look at how the webview creates environments
+  // The webview uses POST /wham/tasks with environment embedded
+  // Let me try creating a task without environment_id but with DELETE of the key
+  console.log('\n=== Test 5: POST /wham/tasks with environment_id deleted (raw fetch) ===');
+  try {
+    const body: Record<string, unknown> = {
+      new_task: {
+        branch: 'main',
+        run_environment_in_qa_mode: false,
+      },
+      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
+      model: 'gpt-5.1-codex-mini',
+      developer_instructions: null,
+      base_instructions: null,
+      personality: null,
+      approval_policy: 'never',
+      sandbox: 'workspace-write',
+      ephemeral: null,
+    };
+    // Verify environment_id is truly not in the JSON
+    console.log('Body keys:', Object.keys(body.new_task as object));
+    const res = await fetch(`${base}/wham/tasks`, {
+      method: 'POST',
+      headers: buildHeadersWithContentType(tk, aid),
+      body: JSON.stringify(body),
+    });
+    const data = await res.json();
+    console.log(res.status, JSON.stringify(data).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 6: What about follow_up without new_task?
+  console.log('\n=== Test 6: POST /wham/tasks without new_task (just input_items) ===');
+  try {
+    const body = {
+      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
+      model: 'gpt-5.1-codex-mini',
+    };
+    const res = await fetch(`${base}/wham/tasks`, {
+      method: 'POST',
+      headers: buildHeadersWithContentType(tk, aid),
+      body: JSON.stringify(body),
+    });
+    const data = await res.json();
+    console.log(res.status, JSON.stringify(data).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+
+  // Test 7: Maybe the issue is that we need to send a requestBody wrapper?
+  // The webview uses: CodexRequest.safePost("/wham/tasks", { requestBody: {...} })
+  console.log('\n=== Test 7: POST /wham/tasks with requestBody wrapper ===');
+  try {
+    const body = {
+      requestBody: {
+        new_task: {
+          branch: 'main',
+          run_environment_in_qa_mode: false,
+        },
+        input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello' }] }],
+        model: 'gpt-5.1-codex-mini',
+      },
+    };
+    const res = await fetch(`${base}/wham/tasks`, {
+      method: 'POST',
+      headers: buildHeadersWithContentType(tk, aid),
+      body: JSON.stringify(body),
+    });
+    const data = await res.json();
+    console.log(res.status, JSON.stringify(data).slice(0, 600));
+  } catch (e: unknown) { console.log('Error:', (e as Error).message); }
+}
+
+main().catch(e => console.error(e));

scripts/test-env-full.ts

@@ -0,0 +1,113 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+import { buildHeaders, buildHeadersWithContentType } from '../src/fingerprint/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('Not authenticated'); return; }
+  const aid = am.getAccountId();
+  const c = new ProxyClient(tk, aid);
+  const base = 'https://chatgpt.com/backend-api';
+
+  // Try all possible environment-related endpoints
+  const endpoints = [
+    { method: 'GET', path: 'wham/environments' },
+    { method: 'GET', path: 'wham/machines' },
+    { method: 'GET', path: 'wham/accounts/check' },
+    { method: 'GET', path: 'wham/usage' },
+    { method: 'GET', path: 'wham/tasks' },
+    // Codex CLI endpoints
+    { method: 'GET', path: 'api/codex/environments' },
+    // Try to see if there's a way to check features
+    { method: 'GET', path: 'wham/features' },
+    { method: 'GET', path: 'wham/config' },
+    // Try without environment at all — use ephemeral
+    { method: 'POST', path: 'wham/tasks', body: {
+      new_task: { branch: 'main', environment_id: null, run_environment_in_qa_mode: false },
+      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hi' }] }],
+      model: 'gpt-5.1-codex-mini',
+      ephemeral: true,
+    }},
+    // Try with ephemeral flag and no environment
+    { method: 'POST', path: 'wham/tasks', body: {
+      new_task: { branch: 'main' },
+      input_items: [{ type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hi' }] }],
+      model: 'gpt-5.1-codex-mini',
+      ephemeral: true,
+      approval_policy: 'never',
+      sandbox: 'workspace-write',
+    }},
+  ];
+
+  for (const ep of endpoints) {
+    console.log(`\n=== ${ep.method} /${ep.path} ===`);
+    try {
+      let res: Response;
+      if (ep.method === 'POST') {
+        res = await fetch(`${base}/${ep.path}`, {
+          method: 'POST',
+          headers: buildHeadersWithContentType(tk, aid),
+          body: JSON.stringify(ep.body),
+        });
+      } else {
+        res = await fetch(`${base}/${ep.path}`, {
+          headers: buildHeaders(tk, aid),
+        });
+      }
+      const ct = res.headers.get('content-type') || '';
+      if (ct.includes('json')) {
+        const data = await res.json();
+        console.log(res.status, JSON.stringify(data).slice(0, 600));
+      } else {
+        const text = await res.text();
+        console.log(res.status, text.slice(0, 300));
+      }
+    } catch (e: unknown) {
+      console.log('Error:', (e as Error).message);
+    }
+  }
+
+  // Also try listing existing tasks to see if any have environment info
+  console.log('\n=== GET /wham/tasks (list existing tasks) ===');
+  try {
+    const r = await fetch(`${base}/wham/tasks`, {
+      headers: buildHeaders(tk, aid),
+    });
+    const data = await r.json() as { items?: Array<{ id?: string; task_status_display?: unknown }> };
+    console.log(r.status);
+    if (data.items) {
+      console.log('Total tasks:', data.items.length);
+      for (const t of data.items.slice(0, 3)) {
+        console.log('  Task:', t.id, JSON.stringify(t.task_status_display).slice(0, 200));
+      }
+    } else {
+      console.log(JSON.stringify(data).slice(0, 400));
+    }
+  } catch (e: unknown) {
+    console.log('Error:', (e as Error).message);
+  }
+
+  // Check a specific task to see its environment info
+  console.log('\n=== Check a recent task for environment details ===');
+  try {
+    const r = await fetch(`${base}/wham/tasks`, {
+      headers: buildHeaders(tk, aid),
+    });
+    const data = await r.json() as { items?: Array<{ id?: string }> };
+    if (data.items && data.items.length > 0) {
+      const taskId = data.items[0].id!;
+      const tr = await fetch(`${base}/wham/tasks/${encodeURIComponent(taskId)}`, {
+        headers: buildHeaders(tk, aid),
+      });
+      const td = await tr.json();
+      console.log('Task detail:', JSON.stringify(td).slice(0, 1000));
+    }
+  } catch (e: unknown) {
+    console.log('Error:', (e as Error).message);
+  }
+}
+
+main().catch(e => console.error(e));

scripts/test-repo-format.ts

@@ -0,0 +1,27 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('Not auth'); return; }
+  const c = new ProxyClient(tk, am.getAccountId());
+  const mid = '6993d698c6a48190bcc7ed131c5f34b4';
+
+  const formats = [
+    'github:octocat/Hello-World',
+    'octocat/Hello-World',
+    'github/octocat/hello-world',
+    'https://github.com/octocat/Hello-World',
+  ];
+
+  for (const repo of formats) {
+    console.log('--- repos: ["' + repo + '"] ---');
+    const r = await c.post('wham/environments', { machine_id: mid, repos: [repo], label: 'test' });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 300));
+    console.log('');
+  }
+}
+main().catch(e => console.error(e));

scripts/test-repo2.ts

@@ -0,0 +1,23 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('no auth'); return; }
+  const c = new ProxyClient(tk, am.getAccountId());
+  const mid = '6993d698c6a48190bcc7ed131c5f34b4';
+  const tests = [
+    'github/torvalds/linux',
+    'github/facebook/react',
+    'torvalds/linux',
+  ];
+  for (const repo of tests) {
+    console.log('repos: [' + repo + ']');
+    const r = await c.post('wham/environments', { machine_id: mid, repos: [repo], label: 'test' });
+    console.log(r.status, JSON.stringify(r.body).slice(0, 400));
+    console.log('');
+  }
+}
+main();

scripts/test-responses-api.ts

@@ -0,0 +1,99 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { AuthManager } from '../src/auth/manager.js';
+import { buildHeadersWithContentType } from '../src/fingerprint/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('no auth token'); return; }
+  const aid = am.getAccountId();
+
+  const base = 'https://chatgpt.com/backend-api/codex';
+  const hdrs = buildHeadersWithContentType(tk, aid);
+
+  // Test 1: non-streaming
+  console.log('=== Test 1: POST /codex/responses (non-streaming) ===');
+  try {
+    const r = await fetch(base + '/responses', {
+      method: 'POST',
+      headers: hdrs,
+      body: JSON.stringify({
+        model: 'gpt-5.1-codex-mini',
+        instructions: 'You are a helpful assistant.',
+        input: [{ role: 'user', content: 'Say hello in one sentence.' }],
+        stream: false,
+        store: false,
+      }),
+    });
+    console.log('Status:', r.status, r.statusText);
+    const ct = r.headers.get('content-type') || '';
+    console.log('Content-Type:', ct);
+    if (ct.includes('json')) {
+      const j = await r.json();
+      console.log('Body:', JSON.stringify(j, null, 2).slice(0, 3000));
+    } else {
+      const t = await r.text();
+      console.log('Body:', t.slice(0, 2000));
+    }
+  } catch (e: any) {
+    console.log('Error:', e.message);
+  }
+
+  // Test 2: streaming
+  console.log('\n=== Test 2: POST /codex/responses (streaming) ===');
+  try {
+    const streamHdrs = { ...hdrs, 'Accept': 'text/event-stream' };
+    const r = await fetch(base + '/responses', {
+      method: 'POST',
+      headers: streamHdrs,
+      body: JSON.stringify({
+        model: 'gpt-5.1-codex-mini',
+        instructions: 'You are a helpful assistant.',
+        input: [{ role: 'user', content: 'Say hello in one sentence.' }],
+        stream: true,
+        store: false,
+      }),
+    });
+    console.log('Status:', r.status, r.statusText);
+    const ct = r.headers.get('content-type') || '';
+    console.log('Content-Type:', ct);
+
+    if (r.status !== 200) {
+      const t = await r.text();
+      console.log('Error body:', t.slice(0, 1000));
+    } else {
+      const reader = r.body!.getReader();
+      const decoder = new TextDecoder();
+      let fullText = '';
+      let chunks = 0;
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        const chunk = decoder.decode(value, { stream: true });
+        fullText += chunk;
+        chunks++;
+        if (chunks <= 10) {
+          console.log(`--- Chunk ${chunks} ---`);
+          console.log(chunk.slice(0, 300));
+        }
+      }
+      console.log('\nTotal chunks:', chunks);
+      console.log('Full response length:', fullText.length);
+      // Show some events
+      const events = fullText.split('\n\n').filter(e => e.trim());
+      console.log('Total SSE events:', events.length);
+      // Show last few events
+      const last5 = events.slice(-5);
+      console.log('\nLast 5 events:');
+      for (const ev of last5) {
+        console.log(ev.slice(0, 300));
+        console.log('---');
+      }
+    }
+  } catch (e: any) {
+    console.log('Error:', e.message);
+  }
+}
+
+main();

scripts/test-snapshot.ts

@@ -0,0 +1,117 @@
+import { loadConfig, loadFingerprint } from '../src/config.js';
+import { ProxyClient } from '../src/proxy/client.js';
+import { AuthManager } from '../src/auth/manager.js';
+
+async function main() {
+  loadConfig(); loadFingerprint();
+  const am = new AuthManager();
+  const tk = await am.getToken();
+  if (!tk) { console.log('Not authenticated'); return; }
+  const c = new ProxyClient(tk, am.getAccountId());
+
+  // Step 1: Get upload URL for a worktree snapshot
+  console.log('=== Step 1: POST /wham/worktree_snapshots/upload_url ===');
+  const r1 = await c.post('wham/worktree_snapshots/upload_url', {
+    file_name: 'snapshot.tar.gz',
+    file_size: 100,
+    repo_name: 'workspace',
+  });
+  console.log('Status:', r1.status);
+  console.log('Body:', JSON.stringify(r1.body).slice(0, 800));
+
+  if (!r1.ok) {
+    console.log('Failed to get upload URL');
+    return;
+  }
+
+  const body1 = r1.body as { upload_url?: string; file_id?: string; status?: string };
+  console.log('Upload URL:', body1.upload_url?.slice(0, 100));
+  console.log('File ID:', body1.file_id);
+
+  // Step 2: Upload a minimal tar.gz (empty)
+  if (body1.upload_url) {
+    console.log('\n=== Step 2: Upload minimal snapshot ===');
+    // Create a minimal gzip file (empty gzip)
+    const emptyGzip = Buffer.from([
+      0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00,
+    ]);
+
+    const uploadRes = await fetch(body1.upload_url, {
+      method: 'PUT',
+      body: emptyGzip,
+      headers: { 'Content-Type': 'application/gzip' },
+    });
+    console.log('Upload status:', uploadRes.status);
+    const uploadText = await uploadRes.text();
+    console.log('Upload response:', uploadText.slice(0, 300));
+  }
+
+  // Step 3: Finish upload
+  if (body1.file_id) {
+    console.log('\n=== Step 3: POST /wham/worktree_snapshots/finish_upload ===');
+    const r3 = await c.post('wham/worktree_snapshots/finish_upload', {
+      file_id: body1.file_id,
+    });
+    console.log('Status:', r3.status);
+    console.log('Body:', JSON.stringify(r3.body).slice(0, 800));
+
+    // Step 4: Create a task with this file_id
+    console.log('\n=== Step 4: Create task with valid file_id ===');
+    const r4 = await c.post('wham/tasks', {
+      new_task: {
+        branch: 'main',
+        environment_id: null,
+        environment: {
+          repos: [{
+            kind: 'local_worktree',
+            name: 'workspace',
+            remotes: {},
+            commit_sha: '0000000000000000000000000000000000000000',
+            branch: 'main',
+            file_id: body1.file_id,
+          }],
+        },
+        run_environment_in_qa_mode: false,
+      },
+      input_items: [
+        { type: 'message', role: 'user', content: [{ content_type: 'text', text: 'Say hello in one sentence.' }] }
+      ],
+      model: 'gpt-5.1-codex-mini',
+      developer_instructions: null,
+      base_instructions: null,
+      personality: null,
+      approval_policy: 'never',
+      sandbox: 'workspace-write',
+      ephemeral: null,
+    });
+    console.log('Task status:', r4.status);
+    console.log('Task body:', JSON.stringify(r4.body).slice(0, 600));
+
+    // Step 5: Poll for result
+    const taskBody = r4.body as { task?: { id?: string; current_turn_id?: string } };
+    if (r4.ok && taskBody?.task?.id) {
+      const taskId = taskBody.task.id;
+      const turnId = taskBody.task.current_turn_id!;
+      console.log('\n=== Step 5: Poll for turn completion ===');
+      console.log('Task:', taskId);
+      console.log('Turn:', turnId);
+
+      for (let i = 0; i < 30; i++) {
+        await new Promise(res => setTimeout(res, 3000));
+        const tr = await c.get(`wham/tasks/${encodeURIComponent(taskId)}/turns/${encodeURIComponent(turnId)}`);
+        const td = tr.body as { turn?: { turn_status?: string; output_items?: unknown[]; error?: unknown } };
+        const status = td?.turn?.turn_status;
+        console.log(`  Poll ${i}: status=${status}`);
+        if (status === 'completed' || status === 'failed' || status === 'cancelled') {
+          if (td?.turn?.error) console.log('  Error:', JSON.stringify(td.turn.error));
+          if (td?.turn?.output_items) console.log('  Output:', JSON.stringify(td.turn.output_items).slice(0, 500));
+          break;
+        }
+      }
+    }
+  }
+}
+
+main().catch(e => console.error(e));

src/auth/account-pool.ts

@@ -0,0 +1,473 @@
+/**
+ * AccountPool — multi-account manager with least-used rotation.
+ * Replaces the single-account AuthManager.
+ */
+
+import {
+  readFileSync,
+  writeFileSync,
+  renameSync,
+  existsSync,
+  mkdirSync,
+} from "fs";
+import { resolve, dirname } from "path";
+import { randomBytes } from "crypto";
+import { getConfig } from "../config.js";
+import {
+  decodeJwtPayload,
+  extractChatGptAccountId,
+  extractUserProfile,
+  isTokenExpired,
+} from "./jwt-utils.js";
+import type {
+  AccountEntry,
+  AccountInfo,
+  AccountUsage,
+  AcquiredAccount,
+  AccountsFile,
+} from "./types.js";
+
+const ACCOUNTS_FILE = resolve(process.cwd(), "data", "accounts.json");
+const LEGACY_AUTH_FILE = resolve(process.cwd(), "data", "auth.json");
+
+export class AccountPool {
+  private accounts: Map<string, AccountEntry> = new Map();
+  private acquireLocks: Set<string> = new Set();
+  private roundRobinIndex = 0;
+  private persistTimer: ReturnType<typeof setTimeout> | null = null;
+
+  constructor() {
+    this.migrateFromLegacy();
+    this.loadPersisted();
+
+    // Override with config jwt_token if set
+    const config = getConfig();
+    if (config.auth.jwt_token) {
+      this.addAccount(config.auth.jwt_token);
+    }
+    const envToken = process.env.CODEX_JWT_TOKEN;
+    if (envToken) {
+      this.addAccount(envToken);
+    }
+  }
+
+  // ── Core operations ─────────────────────────────────────────────
+
+  /**
+   * Acquire the best available account for a request.
+   * Returns null if no accounts are available.
+   */
+  acquire(): AcquiredAccount | null {
+    const config = getConfig();
+    const now = new Date();
+
+    // Update statuses before selecting
+    for (const entry of this.accounts.values()) {
+      this.refreshStatus(entry, now);
+    }
+
+    // Filter available accounts
+    const available = [...this.accounts.values()].filter(
+      (a) => a.status === "active" && !this.acquireLocks.has(a.id),
+    );
+
+    if (available.length === 0) return null;
+
+    let selected: AccountEntry;
+    if (config.auth.rotation_strategy === "round_robin") {
+      this.roundRobinIndex = this.roundRobinIndex % available.length;
+      selected = available[this.roundRobinIndex];
+      this.roundRobinIndex++;
+    } else {
+      // least_used: sort by request_count asc, then by last_used asc (LRU)
+      available.sort((a, b) => {
+        const diff = a.usage.request_count - b.usage.request_count;
+        if (diff !== 0) return diff;
+        const aTime = a.usage.last_used ? new Date(a.usage.last_used).getTime() : 0;
+        const bTime = b.usage.last_used ? new Date(b.usage.last_used).getTime() : 0;
+        return aTime - bTime;
+      });
+      selected = available[0];
+    }
+
+    this.acquireLocks.add(selected.id);
+    return {
+      entryId: selected.id,
+      token: selected.token,
+      accountId: selected.accountId,
+    };
+  }
+
+  /**
+   * Release an account after a request completes.
+   */
+  release(
+    entryId: string,
+    usage?: { input_tokens?: number; output_tokens?: number },
+  ): void {
+    this.acquireLocks.delete(entryId);
+    const entry = this.accounts.get(entryId);
+    if (!entry) return;
+
+    entry.usage.request_count++;
+    entry.usage.last_used = new Date().toISOString();
+    if (usage) {
+      entry.usage.input_tokens += usage.input_tokens ?? 0;
+      entry.usage.output_tokens += usage.output_tokens ?? 0;
+    }
+    this.schedulePersist();
+  }
+
+  /**
+   * Mark an account as rate-limited after a 429.
+   */
+  markRateLimited(entryId: string, retryAfterSec?: number): void {
+    this.acquireLocks.delete(entryId);
+    const entry = this.accounts.get(entryId);
+    if (!entry) return;
+
+    const config = getConfig();
+    const backoff = retryAfterSec ?? config.auth.rate_limit_backoff_seconds;
+    const until = new Date(Date.now() + backoff * 1000);
+
+    entry.status = "rate_limited";
+    entry.usage.rate_limit_until = until.toISOString();
+    this.schedulePersist();
+  }
+
+  // ── Account management ──────────────────────────────────────────
+
+  /**
+   * Add an account from a raw JWT token. Returns the entry ID.
+   * Deduplicates by accountId.
+   */
+  addAccount(token: string): string {
+    const accountId = extractChatGptAccountId(token);
+    const profile = extractUserProfile(token);
+
+    // Deduplicate by accountId
+    if (accountId) {
+      for (const existing of this.accounts.values()) {
+        if (existing.accountId === accountId) {
+          // Update the existing entry's token
+          existing.token = token;
+          existing.email = profile?.email ?? existing.email;
+          existing.planType = profile?.chatgpt_plan_type ?? existing.planType;
+          existing.status = isTokenExpired(token) ? "expired" : "active";
+          this.schedulePersist();
+          return existing.id;
+        }
+      }
+    }
+
+    const id = randomBytes(8).toString("hex");
+    const entry: AccountEntry = {
+      id,
+      token,
+      email: profile?.email ?? null,
+      accountId,
+      planType: profile?.chatgpt_plan_type ?? null,
+      proxyApiKey: "codex-proxy-" + randomBytes(24).toString("hex"),
+      status: isTokenExpired(token) ? "expired" : "active",
+      usage: {
+        request_count: 0,
+        input_tokens: 0,
+        output_tokens: 0,
+        last_used: null,
+        rate_limit_until: null,
+      },
+      addedAt: new Date().toISOString(),
+    };
+
+    this.accounts.set(id, entry);
+    this.schedulePersist();
+    return id;
+  }
+
+  removeAccount(id: string): boolean {
+    this.acquireLocks.delete(id);
+    const deleted = this.accounts.delete(id);
+    if (deleted) this.schedulePersist();
+    return deleted;
+  }
+
+  /**
+   * Update an account's token (used by refresh scheduler).
+   */
+  updateToken(entryId: string, newToken: string): void {
+    const entry = this.accounts.get(entryId);
+    if (!entry) return;
+
+    entry.token = newToken;
+    const profile = extractUserProfile(newToken);
+    entry.email = profile?.email ?? entry.email;
+    entry.planType = profile?.chatgpt_plan_type ?? entry.planType;
+    entry.accountId = extractChatGptAccountId(newToken) ?? entry.accountId;
+    entry.status = "active";
+    this.schedulePersist();
+  }
+
+  markStatus(entryId: string, status: AccountEntry["status"]): void {
+    const entry = this.accounts.get(entryId);
+    if (!entry) return;
+    entry.status = status;
+    this.schedulePersist();
+  }
+
+  resetUsage(entryId: string): boolean {
+    const entry = this.accounts.get(entryId);
+    if (!entry) return false;
+    entry.usage = {
+      request_count: 0,
+      input_tokens: 0,
+      output_tokens: 0,
+      last_used: null,
+      rate_limit_until: null,
+    };
+    this.schedulePersist();
+    return true;
+  }
+
+  // ── Query ───────────────────────────────────────────────────────
+
+  getAccounts(): AccountInfo[] {
+    const now = new Date();
+    return [...this.accounts.values()].map((a) => {
+      this.refreshStatus(a, now);
+      return this.toInfo(a);
+    });
+  }
+
+  getEntry(entryId: string): AccountEntry | undefined {
+    return this.accounts.get(entryId);
+  }
+
+  getAllEntries(): AccountEntry[] {
+    return [...this.accounts.values()];
+  }
+
+  // ── Backward-compatible shim (for routes that still expect AuthManager) ──
+
+  isAuthenticated(): boolean {
+    const now = new Date();
+    for (const entry of this.accounts.values()) {
+      this.refreshStatus(entry, now);
+      if (entry.status === "active") return true;
+    }
+    return false;
+  }
+
+  async getToken(): Promise<string | null> {
+    const acq = this.acquire();
+    if (!acq) return null;
+    // Release immediately — shim usage doesn't track per-request
+    this.acquireLocks.delete(acq.entryId);
+    return acq.token;
+  }
+
+  getAccountId(): string | null {
+    const first = [...this.accounts.values()].find((a) => a.status === "active");
+    return first?.accountId ?? null;
+  }
+
+  getUserInfo(): { email?: string; accountId?: string; planType?: string } | null {
+    const first = [...this.accounts.values()].find((a) => a.status === "active");
+    if (!first) return null;
+    return {
+      email: first.email ?? undefined,
+      accountId: first.accountId ?? undefined,
+      planType: first.planType ?? undefined,
+    };
+  }
+
+  getProxyApiKey(): string | null {
+    const first = [...this.accounts.values()].find((a) => a.status === "active");
+    return first?.proxyApiKey ?? null;
+  }
+
+  validateProxyApiKey(key: string): boolean {
+    for (const entry of this.accounts.values()) {
+      if (entry.proxyApiKey === key) return true;
+    }
+    return false;
+  }
+
+  /** Alias for addAccount — used by auth routes */
+  setToken(token: string): void {
+    this.addAccount(token);
+  }
+
+  clearToken(): void {
+    this.accounts.clear();
+    this.acquireLocks.clear();
+    this.persistNow();
+  }
+
+  // ── Pool summary ────────────────────────────────────────────────
+
+  getPoolSummary(): {
+    total: number;
+    active: number;
+    expired: number;
+    rate_limited: number;
+    refreshing: number;
+    disabled: number;
+  } {
+    const now = new Date();
+    let active = 0, expired = 0, rate_limited = 0, refreshing = 0, disabled = 0;
+    for (const entry of this.accounts.values()) {
+      this.refreshStatus(entry, now);
+      switch (entry.status) {
+        case "active": active++; break;
+        case "expired": expired++; break;
+        case "rate_limited": rate_limited++; break;
+        case "refreshing": refreshing++; break;
+        case "disabled": disabled++; break;
+      }
+    }
+    return {
+      total: this.accounts.size,
+      active,
+      expired,
+      rate_limited,
+      refreshing,
+      disabled,
+    };
+  }
+
+  // ── Internal ────────────────────────────────────────────────────
+
+  private refreshStatus(entry: AccountEntry, now: Date): void {
+    // Auto-recover rate-limited accounts
+    if (entry.status === "rate_limited" && entry.usage.rate_limit_until) {
+      if (now >= new Date(entry.usage.rate_limit_until)) {
+        entry.status = "active";
+        entry.usage.rate_limit_until = null;
+      }
+    }
+
+    // Mark expired tokens
+    if (entry.status === "active" && isTokenExpired(entry.token)) {
+      entry.status = "expired";
+    }
+  }
+
+  private toInfo(entry: AccountEntry): AccountInfo {
+    const payload = decodeJwtPayload(entry.token);
+    const exp = payload?.exp;
+    return {
+      id: entry.id,
+      email: entry.email,
+      accountId: entry.accountId,
+      planType: entry.planType,
+      status: entry.status,
+      usage: { ...entry.usage },
+      addedAt: entry.addedAt,
+      expiresAt:
+        typeof exp === "number"
+          ? new Date(exp * 1000).toISOString()
+          : null,
+    };
+  }
+
+  // ── Persistence ─────────────────────────────────────────────────
+
+  private schedulePersist(): void {
+    if (this.persistTimer) return;
+    this.persistTimer = setTimeout(() => {
+      this.persistTimer = null;
+      this.persistNow();
+    }, 1000);
+  }
+
+  persistNow(): void {
+    if (this.persistTimer) {
+      clearTimeout(this.persistTimer);
+      this.persistTimer = null;
+    }
+    try {
+      const dir = dirname(ACCOUNTS_FILE);
+      if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+      const data: AccountsFile = { accounts: [...this.accounts.values()] };
+      writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2), "utf-8");
+    } catch {
+      // best-effort
+    }
+  }
+
+  private loadPersisted(): void {
+    try {
+      if (!existsSync(ACCOUNTS_FILE)) return;
+      const raw = readFileSync(ACCOUNTS_FILE, "utf-8");
+      const data = JSON.parse(raw) as AccountsFile;
+      if (Array.isArray(data.accounts)) {
+        for (const entry of data.accounts) {
+          if (entry.id && entry.token) {
+            this.accounts.set(entry.id, entry);
+          }
+        }
+      }
+    } catch {
+      // corrupt file, start fresh
+    }
+  }
+
+  private migrateFromLegacy(): void {
+    try {
+      if (existsSync(ACCOUNTS_FILE)) return; // already migrated
+      if (!existsSync(LEGACY_AUTH_FILE)) return;
+
+      const raw = readFileSync(LEGACY_AUTH_FILE, "utf-8");
+      const data = JSON.parse(raw) as {
+        token: string;
+        proxyApiKey?: string | null;
+        userInfo?: { email?: string; accountId?: string; planType?: string } | null;
+      };
+
+      if (!data.token) return;
+
+      const id = randomBytes(8).toString("hex");
+      const accountId = extractChatGptAccountId(data.token);
+      const entry: AccountEntry = {
+        id,
+        token: data.token,
+        email: data.userInfo?.email ?? null,
+        accountId: accountId,
+        planType: data.userInfo?.planType ?? null,
+        proxyApiKey: data.proxyApiKey ?? "codex-proxy-" + randomBytes(24).toString("hex"),
+        status: isTokenExpired(data.token) ? "expired" : "active",
+        usage: {
+          request_count: 0,
+          input_tokens: 0,
+          output_tokens: 0,
+          last_used: null,
+          rate_limit_until: null,
+        },
+        addedAt: new Date().toISOString(),
+      };
+
+      this.accounts.set(id, entry);
+
+      // Write new format
+      const dir = dirname(ACCOUNTS_FILE);
+      if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+      const accountsData: AccountsFile = { accounts: [entry] };
+      writeFileSync(ACCOUNTS_FILE, JSON.stringify(accountsData, null, 2), "utf-8");
+
+      // Rename old file
+      renameSync(LEGACY_AUTH_FILE, LEGACY_AUTH_FILE + ".bak");
+      console.log("[AccountPool] Migrated from auth.json → accounts.json");
+    } catch (err) {
+      console.warn("[AccountPool] Migration failed:", err);
+    }
+  }
+
+  /** Flush pending writes on shutdown */
+  destroy(): void {
+    if (this.persistTimer) {
+      clearTimeout(this.persistTimer);
+      this.persistTimer = null;
+    }
+    this.persistNow();
+  }
+}

src/auth/chatgpt-oauth.ts

@@ -0,0 +1,471 @@
+import { spawn, type ChildProcess } from "child_process";
+import { getConfig } from "../config.js";
+import {
+  decodeJwtPayload,
+  extractChatGptAccountId,
+  isTokenExpired,
+} from "./jwt-utils.js";
+
+export interface OAuthResult {
+  success: boolean;
+  token?: string;
+  error?: string;
+}
+
+const INIT_REQUEST_ID = "__codex-desktop_initialize__";
+
+/**
+ * Approach 1: Login via Codex CLI subprocess (JSON-RPC over stdio).
+ * Spawns `codex app-server` and uses JSON-RPC to initiate OAuth.
+ *
+ * Flow:
+ *   1. Spawn `codex app-server`
+ *   2. Send `initialize` handshake (required before any other request)
+ *   3. Send `account/login/start` with type "chatgpt"
+ *   4. CLI returns an Auth0 authUrl and starts a local callback server
+ *   5. User completes OAuth in browser
+ *   6. CLI sends `account/login/completed` notification with token
+ */
+export async function loginViaCli(): Promise<{
+  authUrl: string;
+  waitForCompletion: () => Promise<OAuthResult>;
+}> {
+  const { command, args } = await resolveCliCommand();
+
+  return new Promise((resolveOuter, rejectOuter) => {
+    const child = spawn(command, args, {
+      stdio: ["pipe", "pipe", "pipe"],
+      ...SPAWN_OPTS,
+    });
+
+    let buffer = "";
+    let rpcId = 1;
+    let authUrl = "";
+    let initialized = false;
+    let outerResolved = false;
+    let awaitingAuthStatus = false;
+    const AUTH_STATUS_ID = "__get_auth_status__";
+
+    // Resolvers for the completion promise (token received)
+    let resolveCompletion: (result: OAuthResult) => void;
+    const completionPromise = new Promise<OAuthResult>((res) => {
+      resolveCompletion = res;
+    });
+
+    const sendRpc = (
+      method: string,
+      params: Record<string, unknown> = {},
+      id?: string | number,
+    ) => {
+      const msgId = id ?? rpcId++;
+      const msg = JSON.stringify({
+        jsonrpc: "2.0",
+        id: msgId,
+        method,
+        params,
+      });
+      child.stdin.write(msg + "\n");
+    };
+
+    // Kill child on completion timeout (5 minutes)
+    const killTimer = setTimeout(() => {
+      if (!outerResolved) {
+        rejectOuter(new Error("OAuth flow timed out (5 minutes)"));
+      }
+      resolveCompletion({
+        success: false,
+        error: "OAuth flow timed out",
+      });
+      child.kill();
+    }, 5 * 60 * 1000);
+
+    const cleanup = () => {
+      clearTimeout(killTimer);
+    };
+
+    child.stdout.on("data", (chunk: Buffer) => {
+      buffer += chunk.toString("utf8");
+      const lines = buffer.split("\n");
+      buffer = lines.pop()!;
+
+      for (const line of lines) {
+        if (!line.trim()) continue;
+        try {
+          const msg = JSON.parse(line);
+
+          // Response to initialize request
+          if (msg.id === INIT_REQUEST_ID && !initialized) {
+            if (msg.error) {
+              const errMsg =
+                msg.error.message ?? "Failed to initialize app-server";
+              cleanup();
+              rejectOuter(new Error(errMsg));
+              resolveCompletion({ success: false, error: errMsg });
+              child.kill();
+              return;
+            }
+            initialized = true;
+            console.log(
+              "[OAuth] Codex app-server initialized:",
+              msg.result?.userAgent ?? "unknown",
+            );
+            // Now send the login request
+            sendRpc("account/login/start", { type: "chatgpt" });
+            continue;
+          }
+
+          // Response to account/login/start
+          if (msg.result && msg.result.authUrl && !outerResolved) {
+            authUrl = msg.result.authUrl;
+            outerResolved = true;
+            console.log(
+              "[OAuth] Auth URL received, loginId:",
+              msg.result.loginId,
+            );
+            resolveOuter({
+              authUrl,
+              waitForCompletion: () => completionPromise,
+            });
+            continue;
+          }
+
+          // Notification: login completed — need to fetch token via getAuthStatus
+          if (msg.method === "account/login/completed" && msg.params) {
+            const { success, error: loginError } = msg.params;
+            console.log("[OAuth] Login completed, success:", success);
+            if (success) {
+              // Login succeeded but the notification doesn't include the token.
+              // We must request it via getAuthStatus.
+              awaitingAuthStatus = true;
+              sendRpc(
+                "getAuthStatus",
+                { includeToken: true, refreshToken: false },
+                AUTH_STATUS_ID,
+              );
+            } else {
+              cleanup();
+              resolveCompletion({
+                success: false,
+                error: loginError ?? "Login failed",
+              });
+              child.kill();
+            }
+            continue;
+          }
+
+          // Response to getAuthStatus — extract the token
+          if (msg.id === AUTH_STATUS_ID && awaitingAuthStatus) {
+            awaitingAuthStatus = false;
+            cleanup();
+            if (msg.error) {
+              resolveCompletion({
+                success: false,
+                error: msg.error.message ?? "Failed to get auth status",
+              });
+            } else {
+              const authToken = msg.result?.authToken ?? null;
+              if (typeof authToken === "string") {
+                console.log("[OAuth] Token received successfully");
+                resolveCompletion({ success: true, token: authToken });
+              } else {
+                resolveCompletion({
+                  success: false,
+                  error: "getAuthStatus returned no token",
+                });
+              }
+            }
+            // Give CLI a moment to clean up, then kill
+            setTimeout(() => child.kill(), 1000);
+            continue;
+          }
+
+          // Notification: account/updated (auth status changed)
+          if (msg.method === "account/updated" && msg.params) {
+            console.log("[OAuth] Account updated:", msg.params.authMode);
+            // If we haven't requested auth status yet and auth mode is set,
+            // this might be our signal to fetch the token
+            if (!awaitingAuthStatus && msg.params.authMode === "chatgpt") {
+              awaitingAuthStatus = true;
+              sendRpc(
+                "getAuthStatus",
+                { includeToken: true, refreshToken: false },
+                AUTH_STATUS_ID,
+              );
+            }
+            continue;
+          }
+
+          // Error response (to our login request)
+          if (msg.error && msg.id !== INIT_REQUEST_ID) {
+            const errMsg = msg.error.message ?? "Unknown JSON-RPC error";
+            cleanup();
+            if (!outerResolved) {
+              outerResolved = true;
+              rejectOuter(new Error(errMsg));
+            }
+            resolveCompletion({ success: false, error: errMsg });
+            child.kill();
+          }
+        } catch {
+          // Skip non-JSON lines (stderr leak, log output, etc.)
+        }
+      }
+    });
+
+    child.stderr?.on("data", (chunk: Buffer) => {
+      const text = chunk.toString("utf8").trim();
+      if (text) {
+        console.log("[OAuth CLI stderr]", text);
+      }
+    });
+
+    child.on("error", (err) => {
+      const msg = `Failed to spawn Codex CLI: ${err.message}`;
+      cleanup();
+      if (!outerResolved) {
+        outerResolved = true;
+        rejectOuter(new Error(msg));
+      }
+      resolveCompletion({ success: false, error: msg });
+    });
+
+    child.on("close", (code) => {
+      cleanup();
+      if (!outerResolved) {
+        outerResolved = true;
+        rejectOuter(
+          new Error(
+            `Codex CLI exited with code ${code} before returning authUrl`,
+          ),
+        );
+      }
+      resolveCompletion({
+        success: false,
+        error: `Codex CLI exited with code ${code}`,
+      });
+    });
+
+    // Step 1: Send the initialize handshake
+    const config = getConfig();
+    sendRpc(
+      "initialize",
+      {
+        clientInfo: {
+          name: "Codex Desktop",
+          title: "Codex Desktop",
+          version: config.client.app_version,
+        },
+      },
+      INIT_REQUEST_ID,
+    );
+  });
+}
+
+/**
+ * Refresh an existing token via Codex CLI (JSON-RPC).
+ * Spawns `codex app-server`, sends `initialize`, then `getAuthStatus` with refreshToken: true.
+ * Returns the new token string, or throws on failure.
+ */
+export async function refreshTokenViaCli(): Promise<string> {
+  const { command, args } = await resolveCliCommand();
+
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      stdio: ["pipe", "pipe", "pipe"],
+      ...SPAWN_OPTS,
+    });
+
+    let buffer = "";
+    const AUTH_STATUS_ID = "__refresh_auth_status__";
+    let initialized = false;
+    let settled = false;
+
+    const killTimer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        reject(new Error("Token refresh timed out (30s)"));
+      }
+      child.kill();
+    }, 30_000);
+
+    const cleanup = () => {
+      clearTimeout(killTimer);
+    };
+
+    const sendRpc = (
+      method: string,
+      params: Record<string, unknown> = {},
+      id?: string | number,
+    ) => {
+      const msg = JSON.stringify({
+        jsonrpc: "2.0",
+        id: id ?? 1,
+        method,
+        params,
+      });
+      child.stdin.write(msg + "\n");
+    };
+
+    child.stdout.on("data", (chunk: Buffer) => {
+      buffer += chunk.toString("utf8");
+      const lines = buffer.split("\n");
+      buffer = lines.pop()!;
+
+      for (const line of lines) {
+        if (!line.trim()) continue;
+        try {
+          const msg = JSON.parse(line);
+
+          // Response to initialize
+          if (msg.id === INIT_REQUEST_ID && !initialized) {
+            if (msg.error) {
+              cleanup();
+              settled = true;
+              reject(new Error(msg.error.message ?? "Init failed"));
+              child.kill();
+              return;
+            }
+            initialized = true;
+            // Request auth status with refresh
+            sendRpc(
+              "getAuthStatus",
+              { includeToken: true, refreshToken: true },
+              AUTH_STATUS_ID,
+            );
+            continue;
+          }
+
+          // Response to getAuthStatus
+          if (msg.id === AUTH_STATUS_ID) {
+            cleanup();
+            if (msg.error) {
+              settled = true;
+              reject(new Error(msg.error.message ?? "getAuthStatus failed"));
+            } else {
+              const authToken = msg.result?.authToken ?? null;
+              if (typeof authToken === "string") {
+                settled = true;
+                resolve(authToken);
+              } else {
+                settled = true;
+                reject(new Error("getAuthStatus returned no token"));
+              }
+            }
+            setTimeout(() => child.kill(), 500);
+            continue;
+          }
+        } catch {
+          // skip non-JSON
+        }
+      }
+    });
+
+    child.stderr?.on("data", () => {});
+
+    child.on("error", (err) => {
+      cleanup();
+      if (!settled) {
+        settled = true;
+        reject(new Error(`Failed to spawn Codex CLI: ${err.message}`));
+      }
+    });
+
+    child.on("close", (code) => {
+      cleanup();
+      if (!settled) {
+        settled = true;
+        reject(new Error(`Codex CLI exited with code ${code} during refresh`));
+      }
+    });
+
+    // Send initialize
+    const config = getConfig();
+    sendRpc(
+      "initialize",
+      {
+        clientInfo: {
+          name: "Codex Desktop",
+          title: "Codex Desktop",
+          version: config.client.app_version,
+        },
+      },
+      INIT_REQUEST_ID,
+    );
+  });
+}
+
+/**
+ * Approach 2: Manual token paste (fallback).
+ * Validates a JWT token provided directly by the user.
+ */
+export function validateManualToken(token: string): {
+  valid: boolean;
+  error?: string;
+} {
+  if (!token || typeof token !== "string") {
+    return { valid: false, error: "Token is empty" };
+  }
+
+  const trimmed = token.trim();
+  const payload = decodeJwtPayload(trimmed);
+  if (!payload) {
+    return {
+      valid: false,
+      error: "Invalid JWT format — could not decode payload",
+    };
+  }
+
+  if (isTokenExpired(trimmed)) {
+    return { valid: false, error: "Token is expired" };
+  }
+
+  const accountId = extractChatGptAccountId(trimmed);
+  if (!accountId) {
+    return { valid: false, error: "Token missing chatgpt_account_id claim" };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Check if the Codex CLI is available on the system.
+ */
+export async function isCodexCliAvailable(): Promise<boolean> {
+  try {
+    await resolveCliCommand();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// --- private helpers ---
+
+// On Windows, npm-installed binaries (.cmd scripts) require shell: true
+const IS_WINDOWS = process.platform === "win32";
+const SPAWN_OPTS = IS_WINDOWS ? { shell: true as const } : {};
+
+interface CliCommand {
+  command: string;
+  args: string[];
+}
+
+async function resolveCliCommand(): Promise<CliCommand> {
+  // Try `codex` directly first
+  if (await testCli("codex", ["--version"])) {
+    return { command: "codex", args: ["app-server"] };
+  }
+  // Fall back to `npx codex`
+  if (await testCli("npx", ["codex", "--version"])) {
+    return { command: "npx", args: ["codex", "app-server"] };
+  }
+  throw new Error("Neither 'codex' nor 'npx codex' found in PATH");
+}
+
+function testCli(command: string, args: string[]): Promise<boolean> {
+  return new Promise((resolve) => {
+    const child = spawn(command, args, { stdio: "ignore", ...SPAWN_OPTS });
+    child.on("error", () => resolve(false));
+    child.on("close", (code) => resolve(code === 0));
+  });
+}

src/auth/jwt-utils.ts

@@ -0,0 +1,64 @@
+/**
+ * JWT decode utilities for Codex Desktop proxy.
+ * No signature verification — just payload extraction.
+ */
+
+export function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const payload = Buffer.from(parts[1], "base64url").toString("utf8");
+    const parsed = JSON.parse(payload);
+    if (typeof parsed === "object" && parsed !== null) {
+      return parsed as Record<string, unknown>;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+export function extractChatGptAccountId(token: string): string | null {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return null;
+  try {
+    const auth = payload["https://api.openai.com/auth"];
+    if (auth && typeof auth === "object" && auth !== null) {
+      const accountId = (auth as Record<string, unknown>).chatgpt_account_id;
+      return typeof accountId === "string" ? accountId : null;
+    }
+  } catch {
+    // ignore
+  }
+  return null;
+}
+
+export function extractUserProfile(
+  token: string,
+): { email?: string; chatgpt_user_id?: string; chatgpt_plan_type?: string } | null {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return null;
+  try {
+    const profile = payload["https://api.openai.com/profile"];
+    if (profile && typeof profile === "object" && profile !== null) {
+      const p = profile as Record<string, unknown>;
+      return {
+        email: typeof p.email === "string" ? p.email : undefined,
+        chatgpt_user_id: typeof p.chatgpt_user_id === "string" ? p.chatgpt_user_id : undefined,
+        chatgpt_plan_type: typeof p.chatgpt_plan_type === "string" ? p.chatgpt_plan_type : undefined,
+      };
+    }
+  } catch {
+    // ignore
+  }
+  return null;
+}
+
+export function isTokenExpired(token: string, marginSeconds = 0): boolean {
+  const payload = decodeJwtPayload(token);
+  if (!payload) return true;
+  const exp = payload.exp;
+  if (typeof exp !== "number") return true;
+  const now = Math.floor(Date.now() / 1000);
+  return now >= exp - marginSeconds;
+}

src/auth/manager.ts

@@ -0,0 +1,165 @@
+import { readFileSync, writeFileSync, unlinkSync, existsSync, mkdirSync } from "fs";
+import { resolve, dirname } from "path";
+import { randomBytes } from "crypto";
+import { getConfig } from "../config.js";
+import {
+  decodeJwtPayload,
+  extractChatGptAccountId,
+  extractUserProfile,
+  isTokenExpired,
+} from "./jwt-utils.js";
+
+interface PersistedAuth {
+  token: string;
+  proxyApiKey: string | null;
+  userInfo: { email?: string; accountId?: string; planType?: string } | null;
+}
+
+const AUTH_FILE = resolve(process.cwd(), "data", "auth.json");
+
+export class AuthManager {
+  private token: string | null = null;
+  private userInfo: { email?: string; accountId?: string; planType?: string } | null = null;
+  private proxyApiKey: string | null = null;
+  private refreshLock: Promise<string | null> | null = null;
+
+  constructor() {
+    this.loadPersisted();
+
+    // Override with config jwt_token if set
+    const config = getConfig();
+    if (config.auth.jwt_token) {
+      this.setToken(config.auth.jwt_token);
+    }
+
+    // Override with env var if set
+    const envToken = process.env.CODEX_JWT_TOKEN;
+    if (envToken) {
+      this.setToken(envToken);
+    }
+  }
+
+  async getToken(forceRefresh?: boolean): Promise<string | null> {
+    if (forceRefresh || (this.token && this.isExpired())) {
+      // Use a lock to prevent concurrent refresh attempts
+      if (!this.refreshLock) {
+        this.refreshLock = this.attemptRefresh();
+      }
+      try {
+        return await this.refreshLock;
+      } finally {
+        this.refreshLock = null;
+      }
+    }
+    return this.token;
+  }
+
+  setToken(token: string): void {
+    this.token = token;
+
+    // Extract user info from JWT claims
+    const profile = extractUserProfile(token);
+    const accountId = extractChatGptAccountId(token);
+    this.userInfo = {
+      email: profile?.email,
+      accountId: accountId ?? undefined,
+      planType: profile?.chatgpt_plan_type,
+    };
+
+    // Generate proxy API key if we don't have one yet
+    if (!this.proxyApiKey) {
+      this.proxyApiKey = this.generateApiKey();
+    }
+
+    this.persist();
+  }
+
+  clearToken(): void {
+    this.token = null;
+    this.userInfo = null;
+    this.proxyApiKey = null;
+    try {
+      if (existsSync(AUTH_FILE)) {
+        unlinkSync(AUTH_FILE);
+      }
+    } catch {
+      // ignore cleanup errors
+    }
+  }
+
+  isAuthenticated(): boolean {
+    return this.token !== null && !this.isExpired();
+  }
+
+  getUserInfo(): { email?: string; accountId?: string; planType?: string } | null {
+    return this.userInfo;
+  }
+
+  getAccountId(): string | null {
+    if (!this.token) return null;
+    return extractChatGptAccountId(this.token);
+  }
+
+  getProxyApiKey(): string | null {
+    return this.proxyApiKey;
+  }
+
+  validateProxyApiKey(key: string): boolean {
+    if (!this.proxyApiKey) return false;
+    return key === this.proxyApiKey;
+  }
+
+  // --- private helpers ---
+
+  private isExpired(): boolean {
+    if (!this.token) return true;
+    const config = getConfig();
+    return isTokenExpired(this.token, config.auth.refresh_margin_seconds);
+  }
+
+  private async attemptRefresh(): Promise<string | null> {
+    // We cannot auto-refresh without Codex CLI interaction.
+    // If the token is expired, the user needs to re-login.
+    if (this.token && isTokenExpired(this.token)) {
+      this.token = null;
+      this.userInfo = null;
+    }
+    return this.token;
+  }
+
+  private persist(): void {
+    try {
+      const dir = dirname(AUTH_FILE);
+      if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+      }
+      const data: PersistedAuth = {
+        token: this.token!,
+        proxyApiKey: this.proxyApiKey,
+        userInfo: this.userInfo,
+      };
+      writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), "utf-8");
+    } catch {
+      // Persist is best-effort
+    }
+  }
+
+  private loadPersisted(): void {
+    try {
+      if (!existsSync(AUTH_FILE)) return;
+      const raw = readFileSync(AUTH_FILE, "utf-8");
+      const data = JSON.parse(raw) as PersistedAuth;
+      if (data.token && typeof data.token === "string") {
+        this.token = data.token;
+        this.proxyApiKey = data.proxyApiKey ?? null;
+        this.userInfo = data.userInfo ?? null;
+      }
+    } catch {
+      // If the file is corrupt, start fresh
+    }
+  }
+
+  private generateApiKey(): string {
+    return "codex-proxy-" + randomBytes(24).toString("hex");
+  }
+}

src/auth/refresh-scheduler.ts

@@ -0,0 +1,101 @@
+/**
+ * RefreshScheduler — per-account JWT auto-refresh.
+ * Schedules a refresh at `exp - margin` for each account.
+ */
+
+import { getConfig } from "../config.js";
+import { decodeJwtPayload } from "./jwt-utils.js";
+import { refreshTokenViaCli } from "./chatgpt-oauth.js";
+import type { AccountPool } from "./account-pool.js";
+
+export class RefreshScheduler {
+  private timers: Map<string, ReturnType<typeof setTimeout>> = new Map();
+  private pool: AccountPool;
+
+  constructor(pool: AccountPool) {
+    this.pool = pool;
+    this.scheduleAll();
+  }
+
+  /** Schedule refresh for all accounts in the pool. */
+  scheduleAll(): void {
+    for (const entry of this.pool.getAllEntries()) {
+      if (entry.status === "active" || entry.status === "refreshing") {
+        this.scheduleOne(entry.id, entry.token);
+      }
+    }
+  }
+
+  /** Schedule refresh for a single account. */
+  scheduleOne(entryId: string, token: string): void {
+    // Clear existing timer
+    this.clearOne(entryId);
+
+    const payload = decodeJwtPayload(token);
+    if (!payload || typeof payload.exp !== "number") return;
+
+    const config = getConfig();
+    const refreshAt = payload.exp - config.auth.refresh_margin_seconds;
+    const delayMs = (refreshAt - Math.floor(Date.now() / 1000)) * 1000;
+
+    if (delayMs <= 0) {
+      // Already past refresh time — attempt refresh immediately
+      this.doRefresh(entryId);
+      return;
+    }
+
+    const timer = setTimeout(() => {
+      this.timers.delete(entryId);
+      this.doRefresh(entryId);
+    }, delayMs);
+
+    // Prevent the timer from keeping the process alive
+    if (timer.unref) timer.unref();
+
+    this.timers.set(entryId, timer);
+
+    const expiresIn = Math.round(delayMs / 1000);
+    console.log(
+      `[RefreshScheduler] Account ${entryId}: refresh scheduled in ${expiresIn}s`,
+    );
+  }
+
+  /** Cancel timer for one account. */
+  clearOne(entryId: string): void {
+    const timer = this.timers.get(entryId);
+    if (timer) {
+      clearTimeout(timer);
+      this.timers.delete(entryId);
+    }
+  }
+
+  /** Cancel all timers. */
+  destroy(): void {
+    for (const timer of this.timers.values()) {
+      clearTimeout(timer);
+    }
+    this.timers.clear();
+  }
+
+  // ── Internal ────────────────────────────────────────────────────
+
+  private async doRefresh(entryId: string): Promise<void> {
+    const entry = this.pool.getEntry(entryId);
+    if (!entry) return;
+
+    console.log(`[RefreshScheduler] Refreshing account ${entryId} (${entry.email ?? "?"})`);
+    this.pool.markStatus(entryId, "refreshing");
+
+    try {
+      const newToken = await refreshTokenViaCli();
+      this.pool.updateToken(entryId, newToken);
+      console.log(`[RefreshScheduler] Account ${entryId} refreshed successfully`);
+      // Re-schedule for the new token
+      this.scheduleOne(entryId, newToken);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[RefreshScheduler] Failed to refresh ${entryId}: ${msg}`);
+      this.pool.markStatus(entryId, "expired");
+    }
+  }
+}

src/auth/types.ts

@@ -0,0 +1,72 @@
+/**
+ * Data models for multi-account management.
+ */
+
+export type AccountStatus =
+  | "active"
+  | "expired"
+  | "rate_limited"
+  | "refreshing"
+  | "disabled";
+
+export interface AccountUsage {
+  request_count: number;
+  input_tokens: number;
+  output_tokens: number;
+  last_used: string | null;
+  rate_limit_until: string | null;
+}
+
+export interface AccountEntry {
+  id: string;
+  token: string;
+  email: string | null;
+  accountId: string | null;
+  planType: string | null;
+  proxyApiKey: string;
+  status: AccountStatus;
+  usage: AccountUsage;
+  addedAt: string;
+}
+
+/** Public info (no token) */
+export interface AccountInfo {
+  id: string;
+  email: string | null;
+  accountId: string | null;
+  planType: string | null;
+  status: AccountStatus;
+  usage: AccountUsage;
+  addedAt: string;
+  expiresAt: string | null;
+  quota?: CodexQuota;
+}
+
+/** Official Codex quota from /backend-api/codex/usage */
+export interface CodexQuota {
+  plan_type: string;
+  rate_limit: {
+    allowed: boolean;
+    limit_reached: boolean;
+    used_percent: number | null;
+    reset_at: number | null;
+  };
+  code_review_rate_limit: {
+    allowed: boolean;
+    limit_reached: boolean;
+    used_percent: number | null;
+    reset_at: number | null;
+  } | null;
+}
+
+/** Returned by acquire() */
+export interface AcquiredAccount {
+  entryId: string;
+  token: string;
+  accountId: string | null;
+}
+
+/** Persistence format */
+export interface AccountsFile {
+  accounts: AccountEntry[];
+}

src/config.ts

@@ -0,0 +1,108 @@
+import { readFileSync } from "fs";
+import { resolve } from "path";
+import yaml from "js-yaml";
+import { z } from "zod";
+
+const ConfigSchema = z.object({
+  api: z.object({
+    base_url: z.string().default("https://chatgpt.com/backend-api"),
+    timeout_seconds: z.number().default(60),
+  }),
+  client: z.object({
+    originator: z.string().default("Codex Desktop"),
+    app_version: z.string().default("260202.0859"),
+    build_number: z.string().default("517"),
+    platform: z.string().default("darwin"),
+    arch: z.string().default("arm64"),
+  }),
+  model: z.object({
+    default: z.string().default("gpt-5.3-codex"),
+    default_reasoning_effort: z.string().default("medium"),
+  }),
+  auth: z.object({
+    jwt_token: z.string().nullable().default(null),
+    chatgpt_oauth: z.boolean().default(true),
+    refresh_margin_seconds: z.number().default(300),
+    rotation_strategy: z.enum(["least_used", "round_robin"]).default("least_used"),
+    rate_limit_backoff_seconds: z.number().default(60),
+  }),
+  server: z.object({
+    host: z.string().default("0.0.0.0"),
+    port: z.number().default(8080),
+    proxy_api_key: z.string().nullable().default(null),
+  }),
+  environment: z.object({
+    default_id: z.string().nullable().default(null),
+    default_branch: z.string().default("main"),
+  }),
+  streaming: z.object({
+    status_as_content: z.boolean().default(false),
+    chunk_size: z.number().default(100),
+    chunk_delay_ms: z.number().default(10),
+    heartbeat_interval_s: z.number().default(15),
+    poll_interval_s: z.number().default(2),
+    timeout_s: z.number().default(300),
+  }),
+});
+
+export type AppConfig = z.infer<typeof ConfigSchema>;
+
+const FingerprintSchema = z.object({
+  user_agent_template: z.string(),
+  auth_domains: z.array(z.string()),
+  auth_domain_exclusions: z.array(z.string()),
+  header_order: z.array(z.string()),
+});
+
+export type FingerprintConfig = z.infer<typeof FingerprintSchema>;
+
+function loadYaml(filePath: string): unknown {
+  const content = readFileSync(filePath, "utf-8");
+  return yaml.load(content);
+}
+
+function applyEnvOverrides(raw: Record<string, unknown>): Record<string, unknown> {
+  if (process.env.CODEX_JWT_TOKEN) {
+    (raw.auth as Record<string, unknown>).jwt_token = process.env.CODEX_JWT_TOKEN;
+  }
+  if (process.env.CODEX_PLATFORM) {
+    (raw.client as Record<string, unknown>).platform = process.env.CODEX_PLATFORM;
+  }
+  if (process.env.CODEX_ARCH) {
+    (raw.client as Record<string, unknown>).arch = process.env.CODEX_ARCH;
+  }
+  if (process.env.PORT) {
+    (raw.server as Record<string, unknown>).port = parseInt(process.env.PORT, 10);
+  }
+  return raw;
+}
+
+let _config: AppConfig | null = null;
+let _fingerprint: FingerprintConfig | null = null;
+
+export function loadConfig(configDir?: string): AppConfig {
+  if (_config) return _config;
+  const dir = configDir ?? resolve(process.cwd(), "config");
+  const raw = loadYaml(resolve(dir, "default.yaml")) as Record<string, unknown>;
+  applyEnvOverrides(raw);
+  _config = ConfigSchema.parse(raw);
+  return _config;
+}
+
+export function loadFingerprint(configDir?: string): FingerprintConfig {
+  if (_fingerprint) return _fingerprint;
+  const dir = configDir ?? resolve(process.cwd(), "config");
+  const raw = loadYaml(resolve(dir, "fingerprint.yaml"));
+  _fingerprint = FingerprintSchema.parse(raw);
+  return _fingerprint;
+}
+
+export function getConfig(): AppConfig {
+  if (!_config) throw new Error("Config not loaded. Call loadConfig() first.");
+  return _config;
+}
+
+export function getFingerprint(): FingerprintConfig {
+  if (!_fingerprint) throw new Error("Fingerprint not loaded. Call loadFingerprint() first.");
+  return _fingerprint;
+}

src/fingerprint/manager.ts

@@ -0,0 +1,41 @@
+/**
+ * Fingerprint manager — builds headers that mimic the Codex Desktop client.
+ *
+ * Based on Codex source: applyDesktopAuthHeaders / buildDesktopUserAgent
+ */
+
+import { getConfig, getFingerprint } from "../config.js";
+import { extractChatGptAccountId } from "../auth/jwt-utils.js";
+
+export function buildHeaders(
+  token: string,
+  accountId?: string | null,
+): Record<string, string> {
+  const config = getConfig();
+  const fp = getFingerprint();
+  const headers: Record<string, string> = {};
+
+  headers["Authorization"] = `Bearer ${token}`;
+
+  const acctId = accountId ?? extractChatGptAccountId(token);
+  if (acctId) headers["ChatGPT-Account-Id"] = acctId;
+
+  headers["originator"] = config.client.originator;
+
+  const ua = fp.user_agent_template
+    .replace("{version}", config.client.app_version)
+    .replace("{platform}", config.client.platform)
+    .replace("{arch}", config.client.arch);
+  headers["User-Agent"] = ua;
+
+  return headers;
+}
+
+export function buildHeadersWithContentType(
+  token: string,
+  accountId?: string | null,
+): Record<string, string> {
+  const headers = buildHeaders(token, accountId);
+  headers["Content-Type"] = "application/json";
+  return headers;
+}

src/index.ts

@@ -0,0 +1,96 @@
+import { Hono } from "hono";
+import { serve } from "@hono/node-server";
+import { loadConfig, loadFingerprint, getConfig } from "./config.js";
+import { AccountPool } from "./auth/account-pool.js";
+import { RefreshScheduler } from "./auth/refresh-scheduler.js";
+import { SessionManager } from "./session/manager.js";
+import { logger } from "./middleware/logger.js";
+import { errorHandler } from "./middleware/error-handler.js";
+import { createAuthRoutes } from "./routes/auth.js";
+import { createAccountRoutes } from "./routes/accounts.js";
+import { createChatRoutes } from "./routes/chat.js";
+import modelsApp from "./routes/models.js";
+import { createWebRoutes } from "./routes/web.js";
+import { CookieJar } from "./proxy/cookie-jar.js";
+
+async function main() {
+  // Load configuration
+  console.log("[Init] Loading configuration...");
+  const config = loadConfig();
+  loadFingerprint();
+
+  // Initialize managers
+  const accountPool = new AccountPool();
+  const refreshScheduler = new RefreshScheduler(accountPool);
+  const sessionManager = new SessionManager();
+  const cookieJar = new CookieJar();
+
+  // Create Hono app
+  const app = new Hono();
+
+  // Global middleware
+  app.use("*", logger);
+  app.use("*", errorHandler);
+
+  // Mount routes
+  const authRoutes = createAuthRoutes(accountPool);
+  const accountRoutes = createAccountRoutes(accountPool, refreshScheduler, cookieJar);
+  const chatRoutes = createChatRoutes(accountPool, sessionManager, cookieJar);
+  const webRoutes = createWebRoutes(accountPool);
+
+  app.route("/", authRoutes);
+  app.route("/", accountRoutes);
+  app.route("/", chatRoutes);
+  app.route("/", modelsApp);
+  app.route("/", webRoutes);
+
+  // Start server
+  const port = config.server.port;
+  const host = config.server.host;
+
+  const poolSummary = accountPool.getPoolSummary();
+
+  console.log(`
+╔══════════════════════════════════════════╗
+║           Codex Proxy Server             ║
+╠══════════════════════════════════════════╣
+║  Status: ${accountPool.isAuthenticated() ? "Authenticated ✓" : "Not logged in  "}             ║
+║  Listen: http://${host}:${port}              ║
+║  API:    http://${host}:${port}/v1            ║
+╚══════════════════════════════════════════╝
+`);
+
+  if (accountPool.isAuthenticated()) {
+    const user = accountPool.getUserInfo();
+    console.log(`  User: ${user?.email ?? "unknown"}`);
+    console.log(`  Plan: ${user?.planType ?? "unknown"}`);
+    console.log(`  Key:  ${accountPool.getProxyApiKey()}`);
+    console.log(`  Pool: ${poolSummary.active} active / ${poolSummary.total} total accounts`);
+  } else {
+    console.log(`  Open http://localhost:${port} to login`);
+  }
+  console.log();
+
+  serve({
+    fetch: app.fetch,
+    hostname: host,
+    port,
+  });
+
+  // Graceful shutdown
+  const shutdown = () => {
+    console.log("\n[Shutdown] Cleaning up...");
+    cookieJar.destroy();
+    refreshScheduler.destroy();
+    accountPool.destroy();
+    process.exit(0);
+  };
+
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+}
+
+main().catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});

src/middleware/error-handler.ts

@@ -0,0 +1,66 @@
+import type { Context, Next } from "hono";
+import type { OpenAIErrorBody } from "../types/openai.js";
+
+function makeError(
+  message: string,
+  type: string,
+  code: string | null,
+): OpenAIErrorBody {
+  return {
+    error: {
+      message,
+      type,
+      param: null,
+      code,
+    },
+  };
+}
+
+export async function errorHandler(c: Context, next: Next): Promise<void> {
+  try {
+    await next();
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : "Internal server error";
+    console.error("[ErrorHandler]", message);
+
+    const status = (err as { status?: number }).status;
+
+    if (status === 401) {
+      c.status(401);
+      return c.json(
+        makeError(
+          "Invalid or expired ChatGPT token. Please re-authenticate.",
+          "invalid_request_error",
+          "invalid_api_key",
+        ),
+      ) as never;
+    }
+
+    if (status === 429) {
+      c.status(429);
+      return c.json(
+        makeError(
+          "Rate limit exceeded. Please try again later.",
+          "rate_limit_error",
+          "rate_limit_exceeded",
+        ),
+      ) as never;
+    }
+
+    if (status && status >= 500) {
+      c.status(502);
+      return c.json(
+        makeError(
+          `Upstream server error: ${message}`,
+          "server_error",
+          "server_error",
+        ),
+      ) as never;
+    }
+
+    c.status(500);
+    return c.json(
+      makeError(message, "server_error", "internal_error"),
+    ) as never;
+  }
+}

src/middleware/logger.ts

@@ -0,0 +1,15 @@
+import type { Context, Next } from "hono";
+
+export async function logger(c: Context, next: Next): Promise<void> {
+  const start = Date.now();
+  const method = c.req.method;
+  const path = c.req.path;
+
+  console.log(`→ ${method} ${path}`);
+
+  await next();
+
+  const ms = Date.now() - start;
+  const status = c.res.status;
+  console.log(`← ${method} ${path} ${status} ${ms}ms`);
+}

src/proxy/client.ts

@@ -0,0 +1,246 @@
+/**
+ * ProxyClient — fetch wrapper with auth headers, retry on 401, and SSE streaming.
+ *
+ * Mirrors the Codex Desktop ElectronFetchWrapper pattern.
+ */
+
+import { getConfig } from "../config.js";
+import {
+  buildHeaders,
+  buildHeadersWithContentType,
+} from "../fingerprint/manager.js";
+
+export interface FetchOptions {
+  method?: string;
+  headers?: Record<string, string>;
+  body?: string;
+  signal?: AbortSignal;
+}
+
+export interface FetchResponse {
+  status: number;
+  headers: Record<string, string>;
+  body: unknown;
+  ok: boolean;
+}
+
+export class ProxyClient {
+  private token: string;
+  private accountId: string | null;
+
+  constructor(token: string, accountId: string | null) {
+    this.token = token;
+    this.accountId = accountId;
+  }
+
+  /** Update the bearer token (e.g. after a refresh). */
+  setToken(token: string): void {
+    this.token = token;
+  }
+
+  /** Update the account ID. */
+  setAccountId(accountId: string | null): void {
+    this.accountId = accountId;
+  }
+
+  // ---- public helpers ----
+
+  /** GET request, returns parsed JSON body. */
+  async get(path: string): Promise<FetchResponse> {
+    const url = this.ensureAbsoluteUrl(path);
+    const res = await this.fetchWithRetry(url, {
+      method: "GET",
+      headers: buildHeaders(this.token, this.accountId),
+    });
+    const body = await res.json();
+    return {
+      status: res.status,
+      headers: Object.fromEntries(res.headers.entries()),
+      body,
+      ok: res.ok,
+    };
+  }
+
+  /** POST request with JSON body, returns parsed JSON body. */
+  async post(path: string, body: unknown): Promise<FetchResponse> {
+    const url = this.ensureAbsoluteUrl(path);
+    const res = await this.fetchWithRetry(url, {
+      method: "POST",
+      headers: buildHeadersWithContentType(this.token, this.accountId),
+      body: JSON.stringify(body),
+    });
+    const resBody = await res.json();
+    return {
+      status: res.status,
+      headers: Object.fromEntries(res.headers.entries()),
+      body: resBody,
+      ok: res.ok,
+    };
+  }
+
+  /** GET an SSE endpoint — yields parsed `{ event?, data }` objects. */
+  async *stream(
+    path: string,
+    signal?: AbortSignal,
+  ): AsyncGenerator<{ event?: string; data: unknown }> {
+    const url = this.ensureAbsoluteUrl(path);
+    const res = await this.fetchWithRetry(url, {
+      method: "GET",
+      headers: {
+        ...buildHeaders(this.token, this.accountId),
+        Accept: "text/event-stream",
+      },
+      signal,
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`SSE request failed (${res.status}): ${text}`);
+    }
+
+    if (!res.body) {
+      throw new Error("Response body is null — cannot stream");
+    }
+
+    const reader = res.body
+      .pipeThrough(new TextDecoderStream())
+      .getReader();
+
+    let buffer = "";
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+
+        buffer += value;
+
+        // Process complete SSE messages (separated by double newline)
+        const parts = buffer.split("\n\n");
+        // Last part may be incomplete — keep it in the buffer
+        buffer = parts.pop()!;
+
+        for (const part of parts) {
+          if (!part.trim()) continue;
+          for (const parsed of this.parseSSE(part)) {
+            if (parsed.data === "[DONE]") return;
+            try {
+              yield { event: parsed.event, data: JSON.parse(parsed.data) };
+            } catch {
+              yield { event: parsed.event, data: parsed.data };
+            }
+          }
+        }
+      }
+
+      // Process any remaining data in the buffer
+      if (buffer.trim()) {
+        for (const parsed of this.parseSSE(buffer)) {
+          if (parsed.data === "[DONE]") return;
+          try {
+            yield { event: parsed.event, data: JSON.parse(parsed.data) };
+          } catch {
+            yield { event: parsed.event, data: parsed.data };
+          }
+        }
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+
+  // ---- internal helpers ----
+
+  /**
+   * Resolve a relative URL to absolute using the configured base_url.
+   * Mirrors Codex's ensureAbsoluteUrl.
+   */
+  private ensureAbsoluteUrl(url: string): string {
+    if (/^https?:\/\//i.test(url) || url.startsWith("data:")) return url;
+    const base = getConfig().api.base_url;
+    return `${base}/${url.replace(/^\/+/, "")}`;
+  }
+
+  /**
+   * Fetch with a single 401 retry (re-builds auth headers on retry).
+   */
+  private async fetchWithRetry(
+    url: string,
+    options: FetchOptions,
+    onRefreshToken?: () => Promise<string | null>,
+  ): Promise<Response> {
+    const config = getConfig();
+    const timeout = config.api.timeout_seconds * 1000;
+
+    const doFetch = (opts: FetchOptions): Promise<Response> => {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), timeout);
+      const mergedSignal = opts.signal
+        ? AbortSignal.any([opts.signal, controller.signal])
+        : controller.signal;
+
+      return fetch(url, {
+        method: opts.method ?? "GET",
+        headers: opts.headers,
+        body: opts.body,
+        signal: mergedSignal,
+      }).finally(() => clearTimeout(timer));
+    };
+
+    const res = await doFetch(options);
+
+    // Single retry on 401 if a refresh callback is provided
+    if (res.status === 401 && onRefreshToken) {
+      const newToken = await onRefreshToken();
+      if (newToken) {
+        this.token = newToken;
+        const retryHeaders = options.headers?.["Content-Type"]
+          ? buildHeadersWithContentType(this.token, this.accountId)
+          : buildHeaders(this.token, this.accountId);
+        return doFetch({ ...options, headers: retryHeaders });
+      }
+    }
+
+    return res;
+  }
+
+  /**
+   * Parse raw SSE text block into individual events.
+   */
+  private *parseSSE(
+    text: string,
+  ): Generator<{ event?: string; data: string }> {
+    let event: string | undefined;
+    let dataLines: string[] = [];
+
+    for (const line of text.split("\n")) {
+      if (line.startsWith("event:")) {
+        event = line.slice(6).trim();
+      } else if (line.startsWith("data:")) {
+        dataLines.push(line.slice(5).trimStart());
+      } else if (line === "" && dataLines.length > 0) {
+        yield { event, data: dataLines.join("\n") };
+        event = undefined;
+        dataLines = [];
+      }
+    }
+
+    // Yield any remaining accumulated data
+    if (dataLines.length > 0) {
+      yield { event, data: dataLines.join("\n") };
+    }
+  }
+}
+
+/**
+ * Replace `{param}` placeholders in a URL template with encoded values.
+ */
+export function serializePath(
+  template: string,
+  params: Record<string, string>,
+): string {
+  let path = template;
+  for (const [key, value] of Object.entries(params)) {
+    path = path.replace(`{${key}}`, encodeURIComponent(value));
+  }
+  return path;
+}

src/proxy/codex-api.ts

@@ -0,0 +1,281 @@
+/**
+ * CodexApi — client for the Codex Responses API.
+ *
+ * Endpoint: POST /backend-api/codex/responses
+ * This is the API the Codex CLI actually uses.
+ * It requires: instructions, store: false, stream: true.
+ */
+
+import { execFile } from "child_process";
+import { getConfig } from "../config.js";
+import {
+  buildHeaders,
+  buildHeadersWithContentType,
+} from "../fingerprint/manager.js";
+import type { CookieJar } from "./cookie-jar.js";
+
+export interface CodexResponsesRequest {
+  model: string;
+  instructions: string;
+  input: CodexInputItem[];
+  stream: true;
+  store: false;
+  /** Optional: reasoning effort level */
+  reasoning?: { effort: string };
+  /** Optional: tools available to the model */
+  tools?: unknown[];
+  /** Optional: previous response ID for multi-turn */
+  previous_response_id?: string;
+}
+
+export type CodexInputItem =
+  | { role: "user"; content: string }
+  | { role: "assistant"; content: string }
+  | { role: "system"; content: string };
+
+/** Parsed SSE event from the Codex Responses stream */
+export interface CodexSSEEvent {
+  event: string;
+  data: unknown;
+}
+
+export class CodexApi {
+  private token: string;
+  private accountId: string | null;
+  private cookieJar: CookieJar | null;
+  private entryId: string | null;
+
+  constructor(
+    token: string,
+    accountId: string | null,
+    cookieJar?: CookieJar | null,
+    entryId?: string | null,
+  ) {
+    this.token = token;
+    this.accountId = accountId;
+    this.cookieJar = cookieJar ?? null;
+    this.entryId = entryId ?? null;
+  }
+
+  setToken(token: string): void {
+    this.token = token;
+  }
+
+  /** Build headers with cookies injected. */
+  private applyHeaders(headers: Record<string, string>): Record<string, string> {
+    if (this.cookieJar && this.entryId) {
+      const cookie = this.cookieJar.getCookieHeader(this.entryId);
+      if (cookie) headers["Cookie"] = cookie;
+    }
+    return headers;
+  }
+
+  /** Capture Set-Cookie headers from a response into the jar. */
+  private captureCookies(response: Response): void {
+    if (this.cookieJar && this.entryId) {
+      this.cookieJar.capture(this.entryId, response);
+    }
+  }
+
+  /**
+   * Query official Codex usage/quota.
+   * GET /backend-api/codex/usage
+   *
+   * Uses curl subprocess instead of Node.js fetch because Cloudflare
+   * fingerprints the TLS handshake and blocks Node.js/undici requests
+   * with a JS challenge (403). System curl uses native TLS (WinSSL/SecureTransport)
+   * which Cloudflare accepts.
+   */
+  async getUsage(): Promise<CodexUsageResponse> {
+    const config = getConfig();
+    const url = `${config.api.base_url}/codex/usage`;
+
+    const headers = this.applyHeaders(
+      buildHeaders(this.token, this.accountId),
+    );
+    headers["Accept"] = "application/json";
+
+    // Build curl args
+    const args = ["-s", "--max-time", "15"];
+    for (const [key, value] of Object.entries(headers)) {
+      args.push("-H", `${key}: ${value}`);
+    }
+    args.push(url);
+
+    const body = await new Promise<string>((resolve, reject) => {
+      execFile("curl", args, { maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
+        if (err) {
+          reject(new CodexApiError(0, `curl failed: ${err.message} ${stderr}`));
+        } else {
+          resolve(stdout);
+        }
+      });
+    });
+
+    try {
+      const parsed = JSON.parse(body) as CodexUsageResponse;
+      // Validate we got actual usage data (not an error page)
+      if (!parsed.rate_limit) {
+        throw new CodexApiError(502, `Unexpected response: ${body.slice(0, 200)}`);
+      }
+      return parsed;
+    } catch (e) {
+      if (e instanceof CodexApiError) throw e;
+      throw new CodexApiError(502, `Invalid JSON from /codex/usage: ${body.slice(0, 200)}`);
+    }
+  }
+
+  /**
+   * Create a response (streaming).
+   * Returns the raw Response so the caller can process the SSE stream.
+   */
+  async createResponse(
+    request: CodexResponsesRequest,
+    signal?: AbortSignal,
+  ): Promise<Response> {
+    const config = getConfig();
+    const baseUrl = config.api.base_url; // https://chatgpt.com/backend-api
+    const url = `${baseUrl}/codex/responses`;
+
+    const headers = this.applyHeaders(
+      buildHeadersWithContentType(this.token, this.accountId),
+    );
+    headers["Accept"] = "text/event-stream";
+
+    const timeout = config.api.timeout_seconds * 1000;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    const mergedSignal = signal
+      ? AbortSignal.any([signal, controller.signal])
+      : controller.signal;
+
+    const res = await fetch(url, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(request),
+      signal: mergedSignal,
+    }).finally(() => clearTimeout(timer));
+
+    this.captureCookies(res);
+
+    if (!res.ok) {
+      let errorBody: string;
+      try {
+        errorBody = await res.text();
+      } catch {
+        errorBody = `HTTP ${res.status}`;
+      }
+      throw new CodexApiError(res.status, errorBody);
+    }
+
+    return res;
+  }
+
+  /**
+   * Parse SSE stream from a Codex Responses API response.
+   * Yields individual events.
+   */
+  async *parseStream(
+    response: Response,
+  ): AsyncGenerator<CodexSSEEvent> {
+    if (!response.body) {
+      throw new Error("Response body is null — cannot stream");
+    }
+
+    const reader = response.body
+      .pipeThrough(new TextDecoderStream())
+      .getReader();
+
+    let buffer = "";
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+
+        buffer += value;
+        const parts = buffer.split("\n\n");
+        buffer = parts.pop()!;
+
+        for (const part of parts) {
+          if (!part.trim()) continue;
+          const evt = this.parseSSEBlock(part);
+          if (evt) yield evt;
+        }
+      }
+
+      // Process remaining buffer
+      if (buffer.trim()) {
+        const evt = this.parseSSEBlock(buffer);
+        if (evt) yield evt;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+
+  private parseSSEBlock(block: string): CodexSSEEvent | null {
+    let event = "";
+    const dataLines: string[] = [];
+
+    for (const line of block.split("\n")) {
+      if (line.startsWith("event:")) {
+        event = line.slice(6).trim();
+      } else if (line.startsWith("data:")) {
+        dataLines.push(line.slice(5).trimStart());
+      }
+    }
+
+    if (!event && dataLines.length === 0) return null;
+
+    const raw = dataLines.join("\n");
+    if (raw === "[DONE]") return null;
+
+    let data: unknown;
+    try {
+      data = JSON.parse(raw);
+    } catch {
+      data = raw;
+    }
+
+    return { event, data };
+  }
+}
+
+/** Response from GET /backend-api/codex/usage */
+export interface CodexUsageRateWindow {
+  used_percent: number;
+  limit_window_seconds: number;
+  reset_after_seconds: number;
+  reset_at: number;
+}
+
+export interface CodexUsageRateLimit {
+  allowed: boolean;
+  limit_reached: boolean;
+  primary_window: CodexUsageRateWindow | null;
+  secondary_window: CodexUsageRateWindow | null;
+}
+
+export interface CodexUsageResponse {
+  plan_type: string;
+  rate_limit: CodexUsageRateLimit;
+  code_review_rate_limit: CodexUsageRateLimit | null;
+  credits: unknown;
+  promo: unknown;
+}
+
+export class CodexApiError extends Error {
+  constructor(
+    public readonly status: number,
+    public readonly body: string,
+  ) {
+    let detail: string;
+    try {
+      const parsed = JSON.parse(body);
+      detail = parsed.detail ?? parsed.error?.message ?? body;
+    } catch {
+      detail = body;
+    }
+    super(`Codex API error (${status}): ${detail}`);
+  }
+}

src/proxy/cookie-jar.ts

@@ -0,0 +1,161 @@
+/**
+ * CookieJar — per-account cookie storage.
+ *
+ * Stores cookies (especially cf_clearance from Cloudflare) so that
+ * GET endpoints like /codex/usage don't get blocked by JS challenges.
+ *
+ * Cookies are auto-captured from every ChatGPT API response's Set-Cookie
+ * headers, and can also be set manually via the management API.
+ */
+
+import {
+  readFileSync,
+  writeFileSync,
+  existsSync,
+  mkdirSync,
+} from "fs";
+import { resolve, dirname } from "path";
+
+const COOKIE_FILE = resolve(process.cwd(), "data", "cookies.json");
+
+export class CookieJar {
+  private cookies: Map<string, Record<string, string>> = new Map();
+  private persistTimer: ReturnType<typeof setTimeout> | null = null;
+
+  constructor() {
+    this.load();
+  }
+
+  /**
+   * Set cookies for an account.
+   * Accepts "name1=val1; name2=val2" string or a Record.
+   * Merges with existing cookies.
+   */
+  set(accountId: string, cookies: string | Record<string, string>): void {
+    const existing = this.cookies.get(accountId) ?? {};
+
+    if (typeof cookies === "string") {
+      for (const part of cookies.split(";")) {
+        const eq = part.indexOf("=");
+        if (eq === -1) continue;
+        const name = part.slice(0, eq).trim();
+        const value = part.slice(eq + 1).trim();
+        if (name) existing[name] = value;
+      }
+    } else {
+      Object.assign(existing, cookies);
+    }
+
+    this.cookies.set(accountId, existing);
+    this.schedulePersist();
+  }
+
+  /**
+   * Build the Cookie header value for a request.
+   * Returns null if no cookies are stored.
+   */
+  getCookieHeader(accountId: string): string | null {
+    const cookies = this.cookies.get(accountId);
+    if (!cookies || Object.keys(cookies).length === 0) return null;
+    return Object.entries(cookies)
+      .map(([k, v]) => `${k}=${v}`)
+      .join("; ");
+  }
+
+  /**
+   * Auto-capture Set-Cookie headers from an API response.
+   * Call this after every successful fetch to chatgpt.com.
+   */
+  capture(accountId: string, response: Response): void {
+    // getSetCookie() returns individual Set-Cookie header values
+    const setCookies =
+      typeof response.headers.getSetCookie === "function"
+        ? response.headers.getSetCookie()
+        : [];
+
+    if (setCookies.length === 0) return;
+
+    const existing = this.cookies.get(accountId) ?? {};
+    let changed = false;
+
+    for (const raw of setCookies) {
+      // Format: "name=value; Path=/; Domain=...; ..."
+      const semi = raw.indexOf(";");
+      const pair = semi === -1 ? raw : raw.slice(0, semi);
+      const eq = pair.indexOf("=");
+      if (eq === -1) continue;
+
+      const name = pair.slice(0, eq).trim();
+      const value = pair.slice(eq + 1).trim();
+      if (name && existing[name] !== value) {
+        existing[name] = value;
+        changed = true;
+      }
+    }
+
+    if (changed) {
+      this.cookies.set(accountId, existing);
+      this.schedulePersist();
+    }
+  }
+
+  /** Get raw cookie record for an account. */
+  get(accountId: string): Record<string, string> | null {
+    return this.cookies.get(accountId) ?? null;
+  }
+
+  /** Clear all cookies for an account. */
+  clear(accountId: string): void {
+    if (this.cookies.delete(accountId)) {
+      this.schedulePersist();
+    }
+  }
+
+  // ── Persistence ──────────────────────────────────────────────────
+
+  private schedulePersist(): void {
+    if (this.persistTimer) return;
+    this.persistTimer = setTimeout(() => {
+      this.persistTimer = null;
+      this.persistNow();
+    }, 1000);
+  }
+
+  persistNow(): void {
+    if (this.persistTimer) {
+      clearTimeout(this.persistTimer);
+      this.persistTimer = null;
+    }
+    try {
+      const dir = dirname(COOKIE_FILE);
+      if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+      const data = Object.fromEntries(this.cookies);
+      writeFileSync(COOKIE_FILE, JSON.stringify(data, null, 2), "utf-8");
+    } catch {
+      // best-effort
+    }
+  }
+
+  private load(): void {
+    try {
+      if (!existsSync(COOKIE_FILE)) return;
+      const raw = readFileSync(COOKIE_FILE, "utf-8");
+      const data = JSON.parse(raw) as Record<string, Record<string, string>>;
+      for (const [key, val] of Object.entries(data)) {
+        if (typeof val === "object" && val !== null) {
+          this.cookies.set(key, val);
+        }
+      }
+    } catch {
+      // corrupt file, start fresh
+    }
+  }
+
+  destroy(): void {
+    if (this.persistTimer) {
+      clearTimeout(this.persistTimer);
+      this.persistTimer = null;
+    }
+    this.persistNow();
+  }
+}

src/routes/accounts.ts

@@ -0,0 +1,230 @@
+/**
+ * Account management API routes.
+ *
+ * GET    /auth/accounts            — list all accounts + usage + status
+ * GET    /auth/accounts?quota=true — list all accounts with official quota
+ * POST   /auth/accounts            — add account (token paste)
+ * DELETE /auth/accounts/:id        — remove account
+ * POST   /auth/accounts/:id/reset-usage — reset usage stats
+ * GET    /auth/accounts/:id/quota  — query single account's official quota
+ * GET    /auth/accounts/:id/cookies — view stored cookies
+ * POST   /auth/accounts/:id/cookies — set cookies (for Cloudflare bypass)
+ * DELETE /auth/accounts/:id/cookies — clear cookies
+ */
+
+import { Hono } from "hono";
+import type { AccountPool } from "../auth/account-pool.js";
+import type { RefreshScheduler } from "../auth/refresh-scheduler.js";
+import { validateManualToken } from "../auth/chatgpt-oauth.js";
+import { CodexApi } from "../proxy/codex-api.js";
+import type { CodexUsageResponse } from "../proxy/codex-api.js";
+import type { CodexQuota, AccountInfo } from "../auth/types.js";
+import type { CookieJar } from "../proxy/cookie-jar.js";
+
+function toQuota(usage: CodexUsageResponse): CodexQuota {
+  return {
+    plan_type: usage.plan_type,
+    rate_limit: {
+      allowed: usage.rate_limit.allowed,
+      limit_reached: usage.rate_limit.limit_reached,
+      used_percent: usage.rate_limit.primary_window?.used_percent ?? null,
+      reset_at: usage.rate_limit.primary_window?.reset_at ?? null,
+    },
+    code_review_rate_limit: usage.code_review_rate_limit
+      ? {
+          allowed: usage.code_review_rate_limit.allowed,
+          limit_reached: usage.code_review_rate_limit.limit_reached,
+          used_percent:
+            usage.code_review_rate_limit.primary_window?.used_percent ?? null,
+          reset_at:
+            usage.code_review_rate_limit.primary_window?.reset_at ?? null,
+        }
+      : null,
+  };
+}
+
+export function createAccountRoutes(
+  pool: AccountPool,
+  scheduler: RefreshScheduler,
+  cookieJar?: CookieJar,
+): Hono {
+  const app = new Hono();
+
+  /** Helper: build a CodexApi with cookie support. */
+  function makeApi(entryId: string, token: string, accountId: string | null): CodexApi {
+    return new CodexApi(token, accountId, cookieJar, entryId);
+  }
+
+  // List all accounts (with optional ?quota=true)
+  app.get("/auth/accounts", async (c) => {
+    const accounts = pool.getAccounts();
+    const wantQuota = c.req.query("quota") === "true";
+
+    if (!wantQuota) {
+      return c.json({ accounts });
+    }
+
+    // Fetch quota for every active account in parallel
+    const enriched: AccountInfo[] = await Promise.all(
+      accounts.map(async (acct) => {
+        if (acct.status !== "active") return acct;
+
+        const entry = pool.getEntry(acct.id);
+        if (!entry) return acct;
+
+        try {
+          const api = makeApi(acct.id, entry.token, entry.accountId);
+          const usage = await api.getUsage();
+          return { ...acct, quota: toQuota(usage) };
+        } catch {
+          return acct; // skip on error — no quota field
+        }
+      }),
+    );
+
+    return c.json({ accounts: enriched });
+  });
+
+  // Add account
+  app.post("/auth/accounts", async (c) => {
+    const body = await c.req.json<{ token: string }>();
+    const token = body.token?.trim();
+
+    if (!token) {
+      c.status(400);
+      return c.json({ error: "Token is required" });
+    }
+
+    const validation = validateManualToken(token);
+    if (!validation.valid) {
+      c.status(400);
+      return c.json({ error: validation.error });
+    }
+
+    const entryId = pool.addAccount(token);
+    scheduler.scheduleOne(entryId, token);
+
+    const accounts = pool.getAccounts();
+    const added = accounts.find((a) => a.id === entryId);
+    return c.json({ success: true, account: added });
+  });
+
+  // Remove account
+  app.delete("/auth/accounts/:id", (c) => {
+    const id = c.req.param("id");
+    scheduler.clearOne(id);
+    const removed = pool.removeAccount(id);
+    if (!removed) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+    cookieJar?.clear(id);
+    return c.json({ success: true });
+  });
+
+  // Reset usage
+  app.post("/auth/accounts/:id/reset-usage", (c) => {
+    const id = c.req.param("id");
+    const reset = pool.resetUsage(id);
+    if (!reset) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+    return c.json({ success: true });
+  });
+
+  // Query single account's official quota
+  app.get("/auth/accounts/:id/quota", async (c) => {
+    const id = c.req.param("id");
+    const entry = pool.getEntry(id);
+
+    if (!entry) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+
+    if (entry.status !== "active") {
+      c.status(409);
+      return c.json({ error: `Account is ${entry.status}, cannot query quota` });
+    }
+
+    const hasCookies = !!(cookieJar?.getCookieHeader(id));
+
+    try {
+      const api = makeApi(id, entry.token, entry.accountId);
+      const usage = await api.getUsage();
+      return c.json({ quota: toQuota(usage), raw: usage });
+    } catch (err) {
+      const detail = err instanceof Error ? err.message : String(err);
+      const isCf = detail.includes("403") || detail.includes("cf_chl");
+      c.status(502);
+      return c.json({
+        error: "Failed to fetch quota from Codex API",
+        detail,
+        hint: isCf && !hasCookies
+          ? "Cloudflare blocked this request. Set cookies via POST /auth/accounts/:id/cookies with your browser's cf_clearance cookie."
+          : undefined,
+      });
+    }
+  });
+
+  // ── Cookie management ──────────────────────────────────────────
+
+  // View cookies for an account
+  app.get("/auth/accounts/:id/cookies", (c) => {
+    const id = c.req.param("id");
+    if (!pool.getEntry(id)) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+
+    const cookies = cookieJar?.get(id) ?? null;
+    return c.json({
+      cookies,
+      hint: !cookies
+        ? "No cookies set. POST cookies from your browser to bypass Cloudflare. Example: { \"cookies\": \"cf_clearance=VALUE; __cf_bm=VALUE\" }"
+        : undefined,
+    });
+  });
+
+  // Set cookies for an account
+  app.post("/auth/accounts/:id/cookies", async (c) => {
+    const id = c.req.param("id");
+    if (!pool.getEntry(id)) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+
+    if (!cookieJar) {
+      c.status(500);
+      return c.json({ error: "CookieJar not initialized" });
+    }
+
+    const body = await c.req.json<{ cookies: string | Record<string, string> }>();
+    if (!body.cookies) {
+      c.status(400);
+      return c.json({
+        error: "cookies field is required",
+        example: { cookies: "cf_clearance=VALUE; __cf_bm=VALUE" },
+      });
+    }
+
+    cookieJar.set(id, body.cookies);
+    const stored = cookieJar.get(id);
+    console.log(`[Cookies] Set ${Object.keys(stored ?? {}).length} cookie(s) for account ${id}`);
+    return c.json({ success: true, cookies: stored });
+  });
+
+  // Clear cookies for an account
+  app.delete("/auth/accounts/:id/cookies", (c) => {
+    const id = c.req.param("id");
+    if (!pool.getEntry(id)) {
+      c.status(404);
+      return c.json({ error: "Account not found" });
+    }
+    cookieJar?.clear(id);
+    return c.json({ success: true });
+  });
+
+  return app;
+}

src/routes/auth.ts

@@ -0,0 +1,96 @@
+import { Hono } from "hono";
+import type { AccountPool } from "../auth/account-pool.js";
+import {
+  isCodexCliAvailable,
+  loginViaCli,
+  validateManualToken,
+} from "../auth/chatgpt-oauth.js";
+
+export function createAuthRoutes(pool: AccountPool): Hono {
+  const app = new Hono();
+
+  // Pending OAuth session (one at a time)
+  let pendingOAuth: {
+    authUrl: string;
+    waitForCompletion: () => Promise<{ success: boolean; token?: string; error?: string }>;
+  } | null = null;
+
+  // Auth status (JSON) — pool-level summary
+  app.get("/auth/status", (c) => {
+    const authenticated = pool.isAuthenticated();
+    const userInfo = pool.getUserInfo();
+    const proxyApiKey = pool.getProxyApiKey();
+    const summary = pool.getPoolSummary();
+    return c.json({
+      authenticated,
+      user: authenticated ? userInfo : null,
+      proxy_api_key: authenticated ? proxyApiKey : null,
+      pool: summary,
+    });
+  });
+
+  // Start OAuth login — returns JSON with authUrl instead of redirecting
+  app.get("/auth/login", async (c) => {
+    if (pool.isAuthenticated()) {
+      return c.json({ authenticated: true });
+    }
+
+    const cliAvailable = await isCodexCliAvailable();
+    if (!cliAvailable) {
+      return c.json(
+        { error: "Codex CLI not available. Please use manual token entry." },
+        503,
+      );
+    }
+
+    try {
+      const session = await loginViaCli();
+      pendingOAuth = session;
+
+      // Start background wait for completion
+      session.waitForCompletion().then((result) => {
+        if (result.success && result.token) {
+          pool.addAccount(result.token);
+          console.log("[Auth] OAuth login completed successfully");
+        } else {
+          console.error("[Auth] OAuth login failed:", result.error);
+        }
+        pendingOAuth = null;
+      });
+
+      return c.json({ authUrl: session.authUrl });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error("[Auth] CLI OAuth failed:", msg);
+      return c.json({ error: msg }, 500);
+    }
+  });
+
+  // Manual token submission — adds to pool
+  app.post("/auth/token", async (c) => {
+    const body = await c.req.json<{ token: string }>();
+    const token = body.token?.trim();
+
+    if (!token) {
+      c.status(400);
+      return c.json({ error: "Token is required" });
+    }
+
+    const validation = validateManualToken(token);
+    if (!validation.valid) {
+      c.status(400);
+      return c.json({ error: validation.error });
+    }
+
+    pool.addAccount(token);
+    return c.json({ success: true });
+  });
+
+  // Logout — clears all accounts
+  app.post("/auth/logout", (c) => {
+    pool.clearToken();
+    return c.json({ success: true });
+  });
+
+  return app;
+}

src/routes/chat.ts

@@ -0,0 +1,156 @@
+import { Hono } from "hono";
+import type { StatusCode } from "hono/utils/http-status";
+import { stream } from "hono/streaming";
+import { ChatCompletionRequestSchema } from "../types/openai.js";
+import type { AccountPool } from "../auth/account-pool.js";
+import { CodexApi, CodexApiError } from "../proxy/codex-api.js";
+import { SessionManager } from "../session/manager.js";
+import { translateToCodexRequest } from "../translation/openai-to-codex.js";
+import {
+  streamCodexToOpenAI,
+  collectCodexResponse,
+  type UsageInfo,
+} from "../translation/codex-to-openai.js";
+import { getConfig } from "../config.js";
+import type { CookieJar } from "../proxy/cookie-jar.js";
+
+export function createChatRoutes(
+  accountPool: AccountPool,
+  sessionManager: SessionManager,
+  cookieJar?: CookieJar,
+): Hono {
+  const app = new Hono();
+
+  app.post("/v1/chat/completions", async (c) => {
+    // Validate auth — at least one active account
+    if (!accountPool.isAuthenticated()) {
+      c.status(401);
+      return c.json({
+        error: {
+          message: "Not authenticated. Please login first at /",
+          type: "invalid_request_error",
+          param: null,
+          code: "invalid_api_key",
+        },
+      });
+    }
+
+    // Optional proxy API key check
+    const config = getConfig();
+    if (config.server.proxy_api_key) {
+      const authHeader = c.req.header("Authorization");
+      const providedKey = authHeader?.replace("Bearer ", "");
+      if (
+        !providedKey ||
+        !accountPool.validateProxyApiKey(providedKey)
+      ) {
+        c.status(401);
+        return c.json({
+          error: {
+            message: "Invalid proxy API key",
+            type: "invalid_request_error",
+            param: null,
+            code: "invalid_api_key",
+          },
+        });
+      }
+    }
+
+    // Parse request
+    const body = await c.req.json();
+    const parsed = ChatCompletionRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      c.status(400);
+      return c.json({
+        error: {
+          message: `Invalid request: ${parsed.error.message}`,
+          type: "invalid_request_error",
+          param: null,
+          code: "invalid_request",
+        },
+      });
+    }
+    const req = parsed.data;
+
+    // Acquire an account from the pool
+    const acquired = accountPool.acquire();
+    if (!acquired) {
+      c.status(503);
+      return c.json({
+        error: {
+          message: "No available accounts. All accounts are expired or rate-limited.",
+          type: "server_error",
+          param: null,
+          code: "no_available_accounts",
+        },
+      });
+    }
+
+    const { entryId, token, accountId } = acquired;
+    const codexApi = new CodexApi(token, accountId, cookieJar, entryId);
+    const codexRequest = translateToCodexRequest(req);
+    console.log(
+      `[Chat] Account ${entryId} | Codex request:`,
+      JSON.stringify(codexRequest).slice(0, 300),
+    );
+
+    let usageInfo: UsageInfo | undefined;
+
+    try {
+      const rawResponse = await codexApi.createResponse(codexRequest);
+
+      if (req.stream) {
+        c.header("Content-Type", "text/event-stream");
+        c.header("Cache-Control", "no-cache");
+        c.header("Connection", "keep-alive");
+
+        return stream(c, async (s) => {
+          try {
+            for await (const chunk of streamCodexToOpenAI(
+              codexApi,
+              rawResponse,
+              codexRequest.model,
+              (u) => { usageInfo = u; },
+            )) {
+              await s.write(chunk);
+            }
+          } finally {
+            accountPool.release(entryId, usageInfo);
+          }
+        });
+      } else {
+        const result = await collectCodexResponse(
+          codexApi,
+          rawResponse,
+          codexRequest.model,
+        );
+        accountPool.release(entryId, result.usage);
+        return c.json(result.response);
+      }
+    } catch (err) {
+      if (err instanceof CodexApiError) {
+        console.error(`[Chat] Account ${entryId} | Codex API error:`, err.message);
+        if (err.status === 429) {
+          // Parse Retry-After if present
+          accountPool.markRateLimited(entryId);
+        } else {
+          accountPool.release(entryId);
+        }
+        const code = (err.status >= 400 && err.status < 600 ? err.status : 502) as StatusCode;
+        c.status(code);
+        return c.json({
+          error: {
+            message: err.message,
+            type: "server_error",
+            param: null,
+            code: "codex_api_error",
+          },
+        });
+      }
+      accountPool.release(entryId);
+      throw err;
+    }
+  });
+
+  return app;
+}

src/routes/models.ts

@@ -0,0 +1,211 @@
+import { Hono } from "hono";
+import { getConfig } from "../config.js";
+import type { OpenAIModel, OpenAIModelList } from "../types/openai.js";
+
+const app = new Hono();
+
+/**
+ * Full model catalog from Codex CLI `model/list`.
+ * Each model has reasoning effort levels, description, and capabilities.
+ */
+export interface CodexModelInfo {
+  id: string;
+  model: string;
+  displayName: string;
+  description: string;
+  isDefault: boolean;
+  supportedReasoningEfforts: { reasoningEffort: string; description: string }[];
+  defaultReasoningEffort: string;
+  inputModalities: string[];
+  supportsPersonality: boolean;
+  upgrade: string | null;
+}
+
+// Static model catalog — sourced from `codex app-server` model/list
+const MODEL_CATALOG: CodexModelInfo[] = [
+  {
+    id: "gpt-5.3-codex",
+    model: "gpt-5.3-codex",
+    displayName: "gpt-5.3-codex",
+    description: "Latest frontier agentic coding model.",
+    isDefault: true,
+    supportedReasoningEfforts: [
+      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
+      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
+      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
+      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
+    ],
+    defaultReasoningEffort: "medium",
+    inputModalities: ["text", "image"],
+    supportsPersonality: true,
+    upgrade: null,
+  },
+  {
+    id: "gpt-5.2-codex",
+    model: "gpt-5.2-codex",
+    displayName: "gpt-5.2-codex",
+    description: "Frontier agentic coding model.",
+    isDefault: false,
+    supportedReasoningEfforts: [
+      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
+      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
+      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
+      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
+    ],
+    defaultReasoningEffort: "medium",
+    inputModalities: ["text", "image"],
+    supportsPersonality: true,
+    upgrade: "gpt-5.3-codex",
+  },
+  {
+    id: "gpt-5.1-codex-max",
+    model: "gpt-5.1-codex-max",
+    displayName: "gpt-5.1-codex-max",
+    description: "Codex-optimized flagship for deep and fast reasoning.",
+    isDefault: false,
+    supportedReasoningEfforts: [
+      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
+      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
+      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
+      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
+    ],
+    defaultReasoningEffort: "medium",
+    inputModalities: ["text", "image"],
+    supportsPersonality: false,
+    upgrade: "gpt-5.3-codex",
+  },
+  {
+    id: "gpt-5.2",
+    model: "gpt-5.2",
+    displayName: "gpt-5.2",
+    description: "Latest frontier model with improvements across knowledge, reasoning and coding.",
+    isDefault: false,
+    supportedReasoningEfforts: [
+      { reasoningEffort: "low", description: "Balances speed with some reasoning" },
+      { reasoningEffort: "medium", description: "Solid balance of reasoning depth and latency" },
+      { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" },
+      { reasoningEffort: "xhigh", description: "Extra high reasoning for complex problems" },
+    ],
+    defaultReasoningEffort: "medium",
+    inputModalities: ["text", "image"],
+    supportsPersonality: false,
+    upgrade: "gpt-5.3-codex",
+  },
+  {
+    id: "gpt-5.1-codex-mini",
+    model: "gpt-5.1-codex-mini",
+    displayName: "gpt-5.1-codex-mini",
+    description: "Optimized for codex. Cheaper, faster, but less capable.",
+    isDefault: false,
+    supportedReasoningEfforts: [
+      { reasoningEffort: "medium", description: "Dynamically adjusts reasoning based on the task" },
+      { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" },
+    ],
+    defaultReasoningEffort: "medium",
+    inputModalities: ["text", "image"],
+    supportsPersonality: false,
+    upgrade: "gpt-5.3-codex",
+  },
+];
+
+// Short aliases for convenience
+const MODEL_ALIASES: Record<string, string> = {
+  codex: "gpt-5.3-codex",
+  "codex-max": "gpt-5.1-codex-max",
+  "codex-mini": "gpt-5.1-codex-mini",
+};
+
+/**
+ * Resolve a model name (may be an alias) to a canonical model ID.
+ */
+export function resolveModelId(input: string): string {
+  const trimmed = input.trim();
+  if (MODEL_ALIASES[trimmed]) return MODEL_ALIASES[trimmed];
+  // Check if it's already a known model ID
+  if (MODEL_CATALOG.some((m) => m.id === trimmed)) return trimmed;
+  // Fall back to config default
+  return getConfig().model.default;
+}
+
+/**
+ * Get model info by ID.
+ */
+export function getModelInfo(modelId: string): CodexModelInfo | undefined {
+  return MODEL_CATALOG.find((m) => m.id === modelId);
+}
+
+/**
+ * Get the full model catalog.
+ */
+export function getModelCatalog(): CodexModelInfo[] {
+  return MODEL_CATALOG;
+}
+
+// --- Routes ---
+
+function toOpenAIModel(info: CodexModelInfo): OpenAIModel {
+  return {
+    id: info.id,
+    object: "model",
+    created: 1700000000,
+    owned_by: "openai",
+  };
+}
+
+app.get("/v1/models", (c) => {
+  // Include catalog models + aliases as separate entries
+  const models: OpenAIModel[] = MODEL_CATALOG.map(toOpenAIModel);
+  for (const [alias, target] of Object.entries(MODEL_ALIASES)) {
+    models.push({
+      id: alias,
+      object: "model",
+      created: 1700000000,
+      owned_by: "openai",
+    });
+  }
+  const response: OpenAIModelList = { object: "list", data: models };
+  return c.json(response);
+});
+
+app.get("/v1/models/:modelId", (c) => {
+  const modelId = c.req.param("modelId");
+
+  // Try direct match
+  const info = MODEL_CATALOG.find((m) => m.id === modelId);
+  if (info) return c.json(toOpenAIModel(info));
+
+  // Try alias
+  const resolved = MODEL_ALIASES[modelId];
+  if (resolved) {
+    return c.json({
+      id: modelId,
+      object: "model",
+      created: 1700000000,
+      owned_by: "openai",
+    });
+  }
+
+  c.status(404);
+  return c.json({
+    error: {
+      message: `Model '${modelId}' not found`,
+      type: "invalid_request_error",
+      param: "model",
+      code: "model_not_found",
+    },
+  });
+});
+
+// Extended endpoint: model details with reasoning efforts
+app.get("/v1/models/:modelId/info", (c) => {
+  const modelId = c.req.param("modelId");
+  const resolved = MODEL_ALIASES[modelId] ?? modelId;
+  const info = MODEL_CATALOG.find((m) => m.id === resolved);
+  if (!info) {
+    c.status(404);
+    return c.json({ error: `Model '${modelId}' not found` });
+  }
+  return c.json(info);
+});
+
+export default app;

src/routes/web.ts

@@ -0,0 +1,90 @@
+import { Hono } from "hono";
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+import type { AccountPool } from "../auth/account-pool.js";
+import { getConfig, getFingerprint } from "../config.js";
+
+export function createWebRoutes(accountPool: AccountPool): Hono {
+  const app = new Hono();
+
+  const publicDir = resolve(process.cwd(), "public");
+
+  app.get("/", (c) => {
+    if (accountPool.isAuthenticated()) {
+      const html = readFileSync(resolve(publicDir, "dashboard.html"), "utf-8");
+      return c.html(html);
+    }
+    const html = readFileSync(resolve(publicDir, "login.html"), "utf-8");
+    return c.html(html);
+  });
+
+  app.get("/health", async (c) => {
+    const authenticated = accountPool.isAuthenticated();
+    const userInfo = accountPool.getUserInfo();
+    const poolSummary = accountPool.getPoolSummary();
+    return c.json({
+      status: "ok",
+      authenticated,
+      user: authenticated ? userInfo : null,
+      pool: poolSummary,
+      timestamp: new Date().toISOString(),
+    });
+  });
+
+  app.get("/debug/fingerprint", (c) => {
+    const config = getConfig();
+    const fp = getFingerprint();
+
+    const ua = fp.user_agent_template
+      .replace("{version}", config.client.app_version)
+      .replace("{platform}", config.client.platform)
+      .replace("{arch}", config.client.arch);
+
+    const promptsDir = resolve(process.cwd(), "config/prompts");
+    const prompts: Record<string, boolean> = {
+      "desktop-context.md": existsSync(resolve(promptsDir, "desktop-context.md")),
+      "title-generation.md": existsSync(resolve(promptsDir, "title-generation.md")),
+      "pr-generation.md": existsSync(resolve(promptsDir, "pr-generation.md")),
+      "automation-response.md": existsSync(resolve(promptsDir, "automation-response.md")),
+    };
+
+    // Check for update state
+    let updateState = null;
+    const statePath = resolve(process.cwd(), "data/update-state.json");
+    if (existsSync(statePath)) {
+      try {
+        updateState = JSON.parse(readFileSync(statePath, "utf-8"));
+      } catch {}
+    }
+
+    return c.json({
+      headers: {
+        "User-Agent": ua,
+        originator: config.client.originator,
+      },
+      client: {
+        app_version: config.client.app_version,
+        build_number: config.client.build_number,
+        platform: config.client.platform,
+        arch: config.client.arch,
+      },
+      api: {
+        base_url: config.api.base_url,
+      },
+      model: {
+        default: config.model.default,
+      },
+      codex_fields: {
+        developer_instructions: "loaded from config/prompts/desktop-context.md",
+        approval_policy: "never",
+        sandbox: "workspace-write",
+        personality: null,
+        ephemeral: null,
+      },
+      prompts_loaded: prompts,
+      update_state: updateState,
+    });
+  });
+
+  return app;
+}

src/session/manager.ts

@@ -0,0 +1,94 @@
+import { createHash } from "crypto";
+
+interface Session {
+  taskId: string;
+  turnId: string;
+  messageHash: string;
+  createdAt: number;
+}
+
+export class SessionManager {
+  private sessions = new Map<string, Session>();
+  private ttlMs: number;
+
+  constructor(ttlMinutes: number = 60) {
+    this.ttlMs = ttlMinutes * 60 * 1000;
+    // Periodically clean expired sessions
+    setInterval(() => this.cleanup(), 5 * 60 * 1000);
+  }
+
+  /**
+   * Hash the message history to create a session key
+   */
+  hashMessages(
+    messages: Array<{ role: string; content: string }>,
+  ): string {
+    const data = messages.map((m) => `${m.role}:${m.content}`).join("|");
+    return createHash("sha256").update(data).digest("hex").slice(0, 16);
+  }
+
+  /**
+   * Find an existing session that matches the message history prefix
+   */
+  findSession(
+    messages: Array<{ role: string; content: string }>,
+  ): Session | null {
+    // Try matching all messages except the last (the new user message)
+    if (messages.length < 2) return null;
+    const prefix = messages.slice(0, -1);
+    const hash = this.hashMessages(prefix);
+
+    for (const session of this.sessions.values()) {
+      if (
+        session.messageHash === hash &&
+        Date.now() - session.createdAt < this.ttlMs
+      ) {
+        return session;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Store a session after task creation
+   */
+  storeSession(
+    taskId: string,
+    turnId: string,
+    messages: Array<{ role: string; content: string }>,
+  ): void {
+    const hash = this.hashMessages(messages);
+    this.sessions.set(taskId, {
+      taskId,
+      turnId,
+      messageHash: hash,
+      createdAt: Date.now(),
+    });
+  }
+
+  /**
+   * Update turn ID for an existing session
+   */
+  updateTurn(taskId: string, turnId: string): void {
+    const session = this.sessions.get(taskId);
+    if (session) {
+      session.turnId = turnId;
+    }
+  }
+
+  /**
+   * Get session by explicit task ID
+   */
+  getSession(taskId: string): Session | null {
+    return this.sessions.get(taskId) ?? null;
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [key, session] of this.sessions) {
+      if (now - session.createdAt > this.ttlMs) {
+        this.sessions.delete(key);
+      }
+    }
+  }
+}

src/translation/codex-to-openai.ts

@@ -0,0 +1,195 @@
+/**
+ * Translate Codex Responses API SSE stream → OpenAI Chat Completions format.
+ *
+ * Codex SSE events:
+ *   response.created → (initial setup)
+ *   response.output_text.delta → chat.completion.chunk (streaming text)
+ *   response.output_text.done → (text complete)
+ *   response.completed → [DONE]
+ *
+ * Non-streaming: collect all text, return chat.completion response.
+ */
+
+import { randomUUID } from "crypto";
+import type { CodexSSEEvent, CodexApi } from "../proxy/codex-api.js";
+import type {
+  ChatCompletionResponse,
+  ChatCompletionChunk,
+} from "../types/openai.js";
+
+export interface UsageInfo {
+  input_tokens: number;
+  output_tokens: number;
+}
+
+/** Format an SSE chunk for streaming output */
+function formatSSE(chunk: ChatCompletionChunk): string {
+  return `data: ${JSON.stringify(chunk)}\n\n`;
+}
+
+/**
+ * Stream Codex Responses API events as OpenAI chat.completion.chunk SSE.
+ * Yields string chunks ready to write to the HTTP response.
+ * Calls onUsage when the response.completed event arrives with usage data.
+ */
+export async function* streamCodexToOpenAI(
+  codexApi: CodexApi,
+  rawResponse: Response,
+  model: string,
+  onUsage?: (usage: UsageInfo) => void,
+): AsyncGenerator<string> {
+  const chunkId = `chatcmpl-${randomUUID().replace(/-/g, "").slice(0, 24)}`;
+  const created = Math.floor(Date.now() / 1000);
+  let responseId: string | null = null;
+
+  // Send initial role chunk
+  yield formatSSE({
+    id: chunkId,
+    object: "chat.completion.chunk",
+    created,
+    model,
+    choices: [
+      {
+        index: 0,
+        delta: { role: "assistant" },
+        finish_reason: null,
+      },
+    ],
+  });
+
+  for await (const evt of codexApi.parseStream(rawResponse)) {
+    const data = evt.data as Record<string, unknown>;
+
+    switch (evt.event) {
+      case "response.created":
+      case "response.in_progress": {
+        // Extract response ID for headers
+        const resp = data.response as Record<string, unknown> | undefined;
+        if (resp?.id) responseId = resp.id as string;
+        break;
+      }
+
+      case "response.output_text.delta": {
+        // Streaming text delta
+        const delta = (data.delta as string) ?? "";
+        if (delta) {
+          yield formatSSE({
+            id: chunkId,
+            object: "chat.completion.chunk",
+            created,
+            model,
+            choices: [
+              {
+                index: 0,
+                delta: { content: delta },
+                finish_reason: null,
+              },
+            ],
+          });
+        }
+        break;
+      }
+
+      case "response.completed": {
+        // Extract and report usage
+        if (onUsage) {
+          const resp = data.response as Record<string, unknown> | undefined;
+          if (resp?.usage) {
+            const u = resp.usage as Record<string, number>;
+            onUsage({
+              input_tokens: u.input_tokens ?? 0,
+              output_tokens: u.output_tokens ?? 0,
+            });
+          }
+        }
+        // Send final chunk with finish_reason
+        yield formatSSE({
+          id: chunkId,
+          object: "chat.completion.chunk",
+          created,
+          model,
+          choices: [
+            {
+              index: 0,
+              delta: {},
+              finish_reason: "stop",
+            },
+          ],
+        });
+        break;
+      }
+
+      // Ignore other events (reasoning, content_part, output_item, etc.)
+    }
+  }
+
+  // Send [DONE] marker
+  yield "data: [DONE]\n\n";
+}
+
+/**
+ * Consume a Codex Responses SSE stream and build a non-streaming
+ * ChatCompletionResponse. Returns both the response and extracted usage.
+ */
+export async function collectCodexResponse(
+  codexApi: CodexApi,
+  rawResponse: Response,
+  model: string,
+): Promise<{ response: ChatCompletionResponse; usage: UsageInfo }> {
+  const id = `chatcmpl-${randomUUID().replace(/-/g, "").slice(0, 24)}`;
+  const created = Math.floor(Date.now() / 1000);
+  let fullText = "";
+  let promptTokens = 0;
+  let completionTokens = 0;
+
+  for await (const evt of codexApi.parseStream(rawResponse)) {
+    const data = evt.data as Record<string, unknown>;
+
+    switch (evt.event) {
+      case "response.output_text.delta": {
+        const delta = (data.delta as string) ?? "";
+        fullText += delta;
+        break;
+      }
+
+      case "response.completed": {
+        // Try to extract usage from the completed response
+        const resp = data.response as Record<string, unknown> | undefined;
+        if (resp?.usage) {
+          const usage = resp.usage as Record<string, number>;
+          promptTokens = usage.input_tokens ?? 0;
+          completionTokens = usage.output_tokens ?? 0;
+        }
+        break;
+      }
+    }
+  }
+
+  return {
+    response: {
+      id,
+      object: "chat.completion",
+      created,
+      model,
+      choices: [
+        {
+          index: 0,
+          message: {
+            role: "assistant",
+            content: fullText,
+          },
+          finish_reason: "stop",
+        },
+      ],
+      usage: {
+        prompt_tokens: promptTokens,
+        completion_tokens: completionTokens,
+        total_tokens: promptTokens + completionTokens,
+      },
+    },
+    usage: {
+      input_tokens: promptTokens,
+      output_tokens: completionTokens,
+    },
+  };
+}

src/translation/openai-to-codex.ts

@@ -0,0 +1,70 @@
+/**
+ * Translate OpenAI Chat Completions request → Codex Responses API request.
+ */
+
+import type { ChatCompletionRequest } from "../types/openai.js";
+import type {
+  CodexResponsesRequest,
+  CodexInputItem,
+} from "../proxy/codex-api.js";
+import { resolveModelId, getModelInfo } from "../routes/models.js";
+import { getConfig } from "../config.js";
+
+/**
+ * Convert a ChatCompletionRequest to a CodexResponsesRequest.
+ *
+ * Mapping:
+ *   - system messages → instructions field
+ *   - user/assistant messages → input array
+ *   - model → resolved model ID
+ *   - reasoning_effort → reasoning.effort
+ */
+export function translateToCodexRequest(
+  req: ChatCompletionRequest,
+): CodexResponsesRequest {
+  // Collect system messages as instructions
+  const systemMessages = req.messages.filter((m) => m.role === "system");
+  const instructions =
+    systemMessages.map((m) => m.content).join("\n\n") ||
+    "You are a helpful assistant.";
+
+  // Build input items from non-system messages
+  const input: CodexInputItem[] = [];
+  for (const msg of req.messages) {
+    if (msg.role === "system") continue;
+    input.push({
+      role: msg.role as "user" | "assistant",
+      content: msg.content,
+    });
+  }
+
+  // Ensure at least one input message
+  if (input.length === 0) {
+    input.push({ role: "user", content: "" });
+  }
+
+  // Resolve model
+  const modelId = resolveModelId(req.model);
+  const modelInfo = getModelInfo(modelId);
+  const config = getConfig();
+
+  // Build request
+  const request: CodexResponsesRequest = {
+    model: modelId,
+    instructions,
+    input,
+    stream: true,
+    store: false,
+  };
+
+  // Add reasoning effort if applicable
+  const effort =
+    req.reasoning_effort ??
+    modelInfo?.defaultReasoningEffort ??
+    config.model.default_reasoning_effort;
+  if (effort) {
+    request.reasoning = { effort };
+  }
+
+  return request;
+}

src/types/openai.ts

@@ -0,0 +1,103 @@
+/**
+ * OpenAI API types for /v1/chat/completions compatibility
+ */
+import { z } from "zod";
+
+// --- Request ---
+
+export const ChatMessageSchema = z.object({
+  role: z.enum(["system", "user", "assistant"]),
+  content: z.string(),
+  name: z.string().optional(),
+});
+
+export const ChatCompletionRequestSchema = z.object({
+  model: z.string(),
+  messages: z.array(ChatMessageSchema).min(1),
+  stream: z.boolean().optional().default(false),
+  n: z.number().optional().default(1),
+  temperature: z.number().optional(),
+  top_p: z.number().optional(),
+  max_tokens: z.number().optional(),
+  presence_penalty: z.number().optional(),
+  frequency_penalty: z.number().optional(),
+  stop: z.union([z.string(), z.array(z.string())]).optional(),
+  user: z.string().optional(),
+  // Codex-specific extensions
+  reasoning_effort: z.enum(["low", "medium", "high", "xhigh"]).optional(),
+});
+
+export type ChatMessage = z.infer<typeof ChatMessageSchema>;
+export type ChatCompletionRequest = z.infer<typeof ChatCompletionRequestSchema>;
+
+// --- Response (non-streaming) ---
+
+export interface ChatCompletionChoice {
+  index: number;
+  message: {
+    role: "assistant";
+    content: string;
+  };
+  finish_reason: "stop" | "length" | null;
+}
+
+export interface ChatCompletionUsage {
+  prompt_tokens: number;
+  completion_tokens: number;
+  total_tokens: number;
+}
+
+export interface ChatCompletionResponse {
+  id: string;
+  object: "chat.completion";
+  created: number;
+  model: string;
+  choices: ChatCompletionChoice[];
+  usage: ChatCompletionUsage;
+}
+
+// --- Response (streaming) ---
+
+export interface ChatCompletionChunkDelta {
+  role?: "assistant";
+  content?: string;
+}
+
+export interface ChatCompletionChunkChoice {
+  index: number;
+  delta: ChatCompletionChunkDelta;
+  finish_reason: "stop" | "length" | null;
+}
+
+export interface ChatCompletionChunk {
+  id: string;
+  object: "chat.completion.chunk";
+  created: number;
+  model: string;
+  choices: ChatCompletionChunkChoice[];
+}
+
+// --- Error ---
+
+export interface OpenAIErrorBody {
+  error: {
+    message: string;
+    type: string;
+    param: string | null;
+    code: string | null;
+  };
+}
+
+// --- Models ---
+
+export interface OpenAIModel {
+  id: string;
+  object: "model";
+  created: number;
+  owned_by: string;
+}
+
+export interface OpenAIModelList {
+  object: "list";
+  data: OpenAIModel[];
+}

tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "esModuleInterop": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "outDir": "dist",
+    "rootDir": "src",
+    "declaration": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}