feat: architecture audit — disguise hardening, update automation, robustness

Disguise hardening (P0):
- Enforce HTTP header order from fingerprint.yaml config
- Add browser-level headers (Accept-Encoding, Accept-Language)
- Add Codex-specific request body fields (tools, previous_response_id)
- Protect /debug/fingerprint endpoint (dev/localhost only)

Update automation (P0-P1):
- Integrate appcast version checker into server process (30-min polling)
- Expose update state via /health endpoint
- Externalize model catalog to config/models.yaml
- Fail fast on critical extraction failures (originator, api_base_url)
- Update apply-update.ts to compare models against YAML config

Robustness (P0-P1):
- Add 5xx retry with exponential backoff in chat route (max 2 retries)
- Wrap HTML file reads in try-catch to prevent server crashes
- Add config load try-catch with friendly error messages
- Log persistence errors instead of silently swallowing
- Add retry (1 attempt, 5s delay) for token refresh failures

Code hygiene:
- Delete leftover WHAM dist files
- Mark 6 backward-compat shim methods as @deprecated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

config/fingerprint.yaml

@@ -1,4 +1,16 @@
 user_agent_template: "Codex Desktop/{version} ({platform}; {arch})"
 auth_domains: ["chatgpt.com", "*.chatgpt.com", "openai.com", "*.openai.com"]
 auth_domain_exclusions: ["ab.chatgpt.com"]
-header_order: ["Authorization", "ChatGPT-Account-Id", "originator", "User-Agent", "Content-Type"]
+header_order:
+  - "Authorization"
+  - "ChatGPT-Account-Id"
+  - "originator"
+  - "User-Agent"
+  - "Accept-Encoding"
+  - "Accept-Language"
+  - "Content-Type"
+  - "Accept"
+  - "Cookie"
+default_headers:
+  Accept-Encoding: "gzip, deflate, br, zstd"
+  Accept-Language: "en-US,en;q=0.9"

config/models.yaml

@@ -0,0 +1,76 @@
+# Codex model catalog — sourced from Codex Desktop `model/list`.
+# Updated by scripts/apply-update.ts when new versions are detected.
+
+models:
+  - id: "gpt-5.3-codex"
+    displayName: "gpt-5.3-codex"
+    description: "Latest frontier agentic coding model."
+    isDefault: true
+    supportedReasoningEfforts:
+      - { reasoningEffort: "low", description: "Fast responses with lighter reasoning" }
+      - { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" }
+      - { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" }
+      - { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" }
+    defaultReasoningEffort: "medium"
+    inputModalities: ["text", "image"]
+    supportsPersonality: true
+    upgrade: null
+
+  - id: "gpt-5.2-codex"
+    displayName: "gpt-5.2-codex"
+    description: "Frontier agentic coding model."
+    isDefault: false
+    supportedReasoningEfforts:
+      - { reasoningEffort: "low", description: "Fast responses with lighter reasoning" }
+      - { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" }
+      - { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" }
+      - { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" }
+    defaultReasoningEffort: "medium"
+    inputModalities: ["text", "image"]
+    supportsPersonality: true
+    upgrade: "gpt-5.3-codex"
+
+  - id: "gpt-5.1-codex-max"
+    displayName: "gpt-5.1-codex-max"
+    description: "Codex-optimized flagship for deep and fast reasoning."
+    isDefault: false
+    supportedReasoningEfforts:
+      - { reasoningEffort: "low", description: "Fast responses with lighter reasoning" }
+      - { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" }
+      - { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" }
+      - { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" }
+    defaultReasoningEffort: "medium"
+    inputModalities: ["text", "image"]
+    supportsPersonality: false
+    upgrade: "gpt-5.3-codex"
+
+  - id: "gpt-5.2"
+    displayName: "gpt-5.2"
+    description: "Latest frontier model with improvements across knowledge, reasoning and coding."
+    isDefault: false
+    supportedReasoningEfforts:
+      - { reasoningEffort: "low", description: "Balances speed with some reasoning" }
+      - { reasoningEffort: "medium", description: "Solid balance of reasoning depth and latency" }
+      - { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" }
+      - { reasoningEffort: "xhigh", description: "Extra high reasoning for complex problems" }
+    defaultReasoningEffort: "medium"
+    inputModalities: ["text", "image"]
+    supportsPersonality: false
+    upgrade: "gpt-5.3-codex"
+
+  - id: "gpt-5.1-codex-mini"
+    displayName: "gpt-5.1-codex-mini"
+    description: "Optimized for codex. Cheaper, faster, but less capable."
+    isDefault: false
+    supportedReasoningEfforts:
+      - { reasoningEffort: "medium", description: "Dynamically adjusts reasoning based on the task" }
+      - { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" }
+    defaultReasoningEffort: "medium"
+    inputModalities: ["text", "image"]
+    supportsPersonality: false
+    upgrade: "gpt-5.3-codex"
+
+aliases:
+  codex: "gpt-5.3-codex"
+  codex-max: "gpt-5.1-codex-max"
+  codex-mini: "gpt-5.1-codex-mini"

scripts/apply-update.ts

@@ -17,7 +17,7 @@ const ROOT = resolve(import.meta.dirname, "..");
 const CONFIG_PATH = resolve(ROOT, "config/default.yaml");
 const FINGERPRINT_PATH = resolve(ROOT, "config/fingerprint.yaml");
 const EXTRACTED_PATH = resolve(ROOT, "data/extracted-fingerprint.json");
-const MODELS_PATH = resolve(ROOT, "src/routes/models.ts");
+const MODELS_PATH = resolve(ROOT, "config/models.yaml");
 const PROMPTS_DIR = resolve(ROOT, "config/prompts");
 
 type ChangeType = "auto" | "semi-auto" | "alert";
@@ -119,9 +119,11 @@ function detectChanges(extracted: ExtractedFingerprint): Change[] {
     });
   }
 
-  // Models — check for additions/removals
-  const modelsTs = readFileSync(MODELS_PATH, "utf-8");
-  const currentModels = [...modelsTs.matchAll(/id:\s*"(gpt-[^"]+)"/g)].map((m) => m[1]);
+  // Models — compare against config/models.yaml
+  const modelsYaml = yaml.load(readFileSync(MODELS_PATH, "utf-8")) as {
+    models: { id: string }[];
+  };
+  const currentModels = modelsYaml.models.map((m) => m.id);
   const extractedModels = extracted.models.filter((m) => m.includes("codex") || currentModels.includes(m));
 
   const newModels = extractedModels.filter((m) => !currentModels.includes(m));

scripts/extract-fingerprint.ts

@@ -155,6 +155,13 @@ function extractFromMainJs(
     if (m) apiBaseUrl = m[0];
   }
 
+  // Fail fast on critical fields
+  if (!apiBaseUrl) {
+    console.error("[extract] CRITICAL: Failed to extract API base URL from main.js");
+    console.error("[extract] The extraction pattern may need updating for this version.");
+    throw new Error("Failed to extract critical field: api_base_url");
+  }
+
   // Originator
   let originator: string | null = null;
   const origPattern = patterns.originator;
@@ -163,6 +170,13 @@ function extractFromMainJs(
     if (m) originator = m[origPattern.group ?? 0] ?? m[0];
   }
 
+  // Fail fast on critical fields
+  if (!originator) {
+    console.error("[extract] CRITICAL: Failed to extract originator from main.js");
+    console.error("[extract] The extraction pattern may need updating for this version.");
+    throw new Error("Failed to extract critical field: originator");
+  }
+
   // Models — deduplicate, use capture group if specified
   const models: Set<string> = new Set();
   const modelPattern = patterns.models;

src/auth/account-pool.ts

@@ -257,6 +257,7 @@ export class AccountPool {
     return false;
   }
 
+  /** @deprecated Use acquire() instead. */
   async getToken(): Promise<string | null> {
     const acq = this.acquire();
     if (!acq) return null;
@@ -265,11 +266,13 @@ export class AccountPool {
     return acq.token;
   }
 
+  /** @deprecated Use acquire() instead. */
   getAccountId(): string | null {
     const first = [...this.accounts.values()].find((a) => a.status === "active");
     return first?.accountId ?? null;
   }
 
+  /** @deprecated Use getAccounts() instead. */
   getUserInfo(): { email?: string; accountId?: string; planType?: string } | null {
     const first = [...this.accounts.values()].find((a) => a.status === "active");
     if (!first) return null;
@@ -280,6 +283,7 @@ export class AccountPool {
     };
   }
 
+  /** @deprecated Use getAccounts() instead. */
   getProxyApiKey(): string | null {
     const first = [...this.accounts.values()].find((a) => a.status === "active");
     return first?.proxyApiKey ?? null;
@@ -292,11 +296,12 @@ export class AccountPool {
     return false;
   }
 
-  /** Alias for addAccount — used by auth routes */
+  /** @deprecated Use addAccount() instead. */
   setToken(token: string): void {
     this.addAccount(token);
   }
 
+  /** @deprecated Use removeAccount() instead. */
   clearToken(): void {
     this.accounts.clear();
     this.acquireLocks.clear();
@@ -390,8 +395,8 @@ export class AccountPool {
       if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
       const data: AccountsFile = { accounts: [...this.accounts.values()] };
       writeFileSync(ACCOUNTS_FILE, JSON.stringify(data, null, 2), "utf-8");
-    } catch {
-      // best-effort
+    } catch (err) {
+      console.error("[AccountPool] Failed to persist accounts:", err instanceof Error ? err.message : err);
     }
   }
 

src/auth/refresh-scheduler.ts

@@ -86,16 +86,24 @@ export class RefreshScheduler {
     console.log(`[RefreshScheduler] Refreshing account ${entryId} (${entry.email ?? "?"})`);
     this.pool.markStatus(entryId, "refreshing");
 
-    try {
-      const newToken = await refreshTokenViaCli();
-      this.pool.updateToken(entryId, newToken);
-      console.log(`[RefreshScheduler] Account ${entryId} refreshed successfully`);
-      // Re-schedule for the new token
-      this.scheduleOne(entryId, newToken);
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      console.error(`[RefreshScheduler] Failed to refresh ${entryId}: ${msg}`);
-      this.pool.markStatus(entryId, "expired");
+    const maxAttempts = 2;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const newToken = await refreshTokenViaCli();
+        this.pool.updateToken(entryId, newToken);
+        console.log(`[RefreshScheduler] Account ${entryId} refreshed successfully`);
+        this.scheduleOne(entryId, newToken);
+        return;
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (attempt < maxAttempts) {
+          console.warn(`[RefreshScheduler] Refresh attempt ${attempt} failed for ${entryId}: ${msg}, retrying in 5s...`);
+          await new Promise((r) => setTimeout(r, 5000));
+        } else {
+          console.error(`[RefreshScheduler] Failed to refresh ${entryId} after ${maxAttempts} attempts: ${msg}`);
+          this.pool.markStatus(entryId, "expired");
+        }
+      }
     }
   }
 }

src/config.ts

@@ -56,6 +56,7 @@ const FingerprintSchema = z.object({
   auth_domains: z.array(z.string()),
   auth_domain_exclusions: z.array(z.string()),
   header_order: z.array(z.string()),
+  default_headers: z.record(z.string()).optional().default({}),
 });
 
 export type FingerprintConfig = z.infer<typeof FingerprintSchema>;

src/fingerprint/manager.ts

@@ -7,35 +7,66 @@
 import { getConfig, getFingerprint } from "../config.js";
 import { extractChatGptAccountId } from "../auth/jwt-utils.js";
 
+/**
+ * Reorder headers according to the fingerprint header_order config.
+ * Keys not in the order list are appended at the end.
+ */
+function orderHeaders(
+  headers: Record<string, string>,
+  order: string[],
+): Record<string, string> {
+  const ordered: Record<string, string> = {};
+  for (const key of order) {
+    if (key in headers) {
+      ordered[key] = headers[key];
+    }
+  }
+  for (const key of Object.keys(headers)) {
+    if (!(key in ordered)) {
+      ordered[key] = headers[key];
+    }
+  }
+  return ordered;
+}
+
 export function buildHeaders(
   token: string,
   accountId?: string | null,
 ): Record<string, string> {
   const config = getConfig();
   const fp = getFingerprint();
-  const headers: Record<string, string> = {};
+  const raw: Record<string, string> = {};
 
-  headers["Authorization"] = `Bearer ${token}`;
+  raw["Authorization"] = `Bearer ${token}`;
 
   const acctId = accountId ?? extractChatGptAccountId(token);
-  if (acctId) headers["ChatGPT-Account-Id"] = acctId;
+  if (acctId) raw["ChatGPT-Account-Id"] = acctId;
 
-  headers["originator"] = config.client.originator;
+  raw["originator"] = config.client.originator;
 
   const ua = fp.user_agent_template
     .replace("{version}", config.client.app_version)
     .replace("{platform}", config.client.platform)
     .replace("{arch}", config.client.arch);
-  headers["User-Agent"] = ua;
+  raw["User-Agent"] = ua;
+
+  // Add browser-level default headers (Accept-Encoding, Accept-Language, etc.)
+  if (fp.default_headers) {
+    for (const [key, value] of Object.entries(fp.default_headers)) {
+      raw[key] = value;
+    }
+  }
 
-  return headers;
+  return orderHeaders(raw, fp.header_order);
 }
 
 export function buildHeadersWithContentType(
   token: string,
   accountId?: string | null,
 ): Record<string, string> {
-  const headers = buildHeaders(token, accountId);
-  headers["Content-Type"] = "application/json";
-  return headers;
+  const config = getConfig();
+  const fp = getFingerprint();
+  const raw = buildHeaders(token, accountId);
+  raw["Content-Type"] = "application/json";
+  return orderHeaders(raw, fp.header_order);
 }

src/index.ts

@@ -12,12 +12,21 @@ import { createChatRoutes } from "./routes/chat.js";
 import modelsApp from "./routes/models.js";
 import { createWebRoutes } from "./routes/web.js";
 import { CookieJar } from "./proxy/cookie-jar.js";
+import { startUpdateChecker, stopUpdateChecker } from "./update-checker.js";
 
 async function main() {
   // Load configuration
   console.log("[Init] Loading configuration...");
-  const config = loadConfig();
-  loadFingerprint();
+  let config: ReturnType<typeof loadConfig>;
+  try {
+    config = loadConfig();
+    loadFingerprint();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`[Init] Failed to load configuration: ${msg}`);
+    console.error("[Init] Make sure config/default.yaml and config/fingerprint.yaml exist and are valid YAML.");
+    process.exit(1);
+  }
 
   // Initialize managers
   const accountPool = new AccountPool();
@@ -71,6 +80,9 @@ async function main() {
   }
   console.log();
 
+  // Start background update checker
+  startUpdateChecker();
+
   serve({
     fetch: app.fetch,
     hostname: host,
@@ -80,6 +92,7 @@ async function main() {
   // Graceful shutdown
   const shutdown = () => {
     console.log("\n[Shutdown] Cleaning up...");
+    stopUpdateChecker();
     cookieJar.destroy();
     refreshScheduler.destroy();
     accountPool.destroy();

src/proxy/codex-api.ts

@@ -25,7 +25,7 @@ export interface CodexResponsesRequest {
   /** Optional: tools available to the model */
   tools?: unknown[];
   /** Optional: previous response ID for multi-turn */
-  previous_response_id?: string;
+  previous_response_id?: string | null;
 }
 
 export type CodexInputItem =

src/routes/chat.ts

@@ -14,6 +14,30 @@ import {
 import { getConfig } from "../config.js";
 import type { CookieJar } from "../proxy/cookie-jar.js";
 
+/** Retry a function on 5xx errors with exponential backoff. */
+async function withRetry<T>(
+  fn: () => Promise<T>,
+  { maxRetries = 2, baseDelayMs = 1000 }: { maxRetries?: number; baseDelayMs?: number } = {},
+): Promise<T> {
+  let lastError: unknown;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      const isRetryable =
+        err instanceof CodexApiError && err.status >= 500 && err.status < 600;
+      if (!isRetryable || attempt === maxRetries) throw err;
+      const delay = baseDelayMs * Math.pow(2, attempt);
+      console.warn(
+        `[Chat] Retrying after ${err instanceof CodexApiError ? err.status : "error"} (attempt ${attempt + 1}/${maxRetries}, delay ${delay}ms)`,
+      );
+      await new Promise((r) => setTimeout(r, delay));
+    }
+  }
+  throw lastError;
+}
+
 export function createChatRoutes(
   accountPool: AccountPool,
   sessionManager: SessionManager,
@@ -97,7 +121,7 @@ export function createChatRoutes(
     let usageInfo: UsageInfo | undefined;
 
     try {
-      const rawResponse = await codexApi.createResponse(codexRequest);
+      const rawResponse = await withRetry(() => codexApi.createResponse(codexRequest));
 
       if (req.stream) {
         c.header("Content-Type", "text/event-stream");

src/routes/models.ts

@@ -1,4 +1,7 @@
 import { Hono } from "hono";
+import { readFileSync } from "fs";
+import { resolve } from "path";
+import yaml from "js-yaml";
 import { getConfig } from "../config.js";
 import type { OpenAIModel, OpenAIModelList } from "../types/openai.js";
 
@@ -10,7 +13,6 @@ const app = new Hono();
  */
 export interface CodexModelInfo {
   id: string;
-  model: string;
   displayName: string;
   description: string;
   isDefault: boolean;
@@ -21,99 +23,20 @@ export interface CodexModelInfo {
   upgrade: string | null;
 }
 
-// Static model catalog — sourced from `codex app-server` model/list
-const MODEL_CATALOG: CodexModelInfo[] = [
-  {
-    id: "gpt-5.3-codex",
-    model: "gpt-5.3-codex",
-    displayName: "gpt-5.3-codex",
-    description: "Latest frontier agentic coding model.",
-    isDefault: true,
-    supportedReasoningEfforts: [
-      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
-      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
-      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
-      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
-    ],
-    defaultReasoningEffort: "medium",
-    inputModalities: ["text", "image"],
-    supportsPersonality: true,
-    upgrade: null,
-  },
-  {
-    id: "gpt-5.2-codex",
-    model: "gpt-5.2-codex",
-    displayName: "gpt-5.2-codex",
-    description: "Frontier agentic coding model.",
-    isDefault: false,
-    supportedReasoningEfforts: [
-      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
-      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
-      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
-      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
-    ],
-    defaultReasoningEffort: "medium",
-    inputModalities: ["text", "image"],
-    supportsPersonality: true,
-    upgrade: "gpt-5.3-codex",
-  },
-  {
-    id: "gpt-5.1-codex-max",
-    model: "gpt-5.1-codex-max",
-    displayName: "gpt-5.1-codex-max",
-    description: "Codex-optimized flagship for deep and fast reasoning.",
-    isDefault: false,
-    supportedReasoningEfforts: [
-      { reasoningEffort: "low", description: "Fast responses with lighter reasoning" },
-      { reasoningEffort: "medium", description: "Balances speed and reasoning depth for everyday tasks" },
-      { reasoningEffort: "high", description: "Greater reasoning depth for complex problems" },
-      { reasoningEffort: "xhigh", description: "Extra high reasoning depth for complex problems" },
-    ],
-    defaultReasoningEffort: "medium",
-    inputModalities: ["text", "image"],
-    supportsPersonality: false,
-    upgrade: "gpt-5.3-codex",
-  },
-  {
-    id: "gpt-5.2",
-    model: "gpt-5.2",
-    displayName: "gpt-5.2",
-    description: "Latest frontier model with improvements across knowledge, reasoning and coding.",
-    isDefault: false,
-    supportedReasoningEfforts: [
-      { reasoningEffort: "low", description: "Balances speed with some reasoning" },
-      { reasoningEffort: "medium", description: "Solid balance of reasoning depth and latency" },
-      { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" },
-      { reasoningEffort: "xhigh", description: "Extra high reasoning for complex problems" },
-    ],
-    defaultReasoningEffort: "medium",
-    inputModalities: ["text", "image"],
-    supportsPersonality: false,
-    upgrade: "gpt-5.3-codex",
-  },
-  {
-    id: "gpt-5.1-codex-mini",
-    model: "gpt-5.1-codex-mini",
-    displayName: "gpt-5.1-codex-mini",
-    description: "Optimized for codex. Cheaper, faster, but less capable.",
-    isDefault: false,
-    supportedReasoningEfforts: [
-      { reasoningEffort: "medium", description: "Dynamically adjusts reasoning based on the task" },
-      { reasoningEffort: "high", description: "Maximizes reasoning depth for complex problems" },
-    ],
-    defaultReasoningEffort: "medium",
-    inputModalities: ["text", "image"],
-    supportsPersonality: false,
-    upgrade: "gpt-5.3-codex",
-  },
-];
-
-// Short aliases for convenience
-const MODEL_ALIASES: Record<string, string> = {
-  codex: "gpt-5.3-codex",
-  "codex-max": "gpt-5.1-codex-max",
-  "codex-mini": "gpt-5.1-codex-mini",
-};
+interface ModelsConfig {
+  models: CodexModelInfo[];
+  aliases: Record<string, string>;
+}
+
+function loadModelConfig(): ModelsConfig {
+  const configPath = resolve(process.cwd(), "config/models.yaml");
+  const raw = yaml.load(readFileSync(configPath, "utf-8")) as ModelsConfig;
+  return raw;
+}
+
+const modelConfig = loadModelConfig();
+const MODEL_CATALOG: CodexModelInfo[] = modelConfig.models;
+const MODEL_ALIASES: Record<string, string> = modelConfig.aliases;
 
 /**
  * Resolve a model name (may be an alias) to a canonical model ID.

src/routes/web.ts

@@ -3,6 +3,7 @@ import { readFileSync, existsSync } from "fs";
 import { resolve } from "path";
 import type { AccountPool } from "../auth/account-pool.js";
 import { getConfig, getFingerprint } from "../config.js";
+import { getUpdateState } from "../update-checker.js";
 
 export function createWebRoutes(accountPool: AccountPool): Hono {
   const app = new Hono();
@@ -10,12 +11,18 @@ export function createWebRoutes(accountPool: AccountPool): Hono {
   const publicDir = resolve(process.cwd(), "public");
 
   app.get("/", (c) => {
-    if (accountPool.isAuthenticated()) {
-      const html = readFileSync(resolve(publicDir, "dashboard.html"), "utf-8");
+    try {
+      if (accountPool.isAuthenticated()) {
+        const html = readFileSync(resolve(publicDir, "dashboard.html"), "utf-8");
+        return c.html(html);
+      }
+      const html = readFileSync(resolve(publicDir, "login.html"), "utf-8");
       return c.html(html);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[Web] Failed to read HTML file: ${msg}`);
+      return c.html("<h1>Codex Proxy</h1><p>UI files not found. The API is still available at /v1/chat/completions</p>");
     }
-    const html = readFileSync(resolve(publicDir, "login.html"), "utf-8");
-    return c.html(html);
   });
 
   app.get("/health", async (c) => {
@@ -27,11 +34,21 @@ export function createWebRoutes(accountPool: AccountPool): Hono {
       authenticated,
       user: authenticated ? userInfo : null,
       pool: poolSummary,
+      update: getUpdateState(),
       timestamp: new Date().toISOString(),
     });
   });
 
   app.get("/debug/fingerprint", (c) => {
+    // Only allow in development or from localhost
+    const isProduction = process.env.NODE_ENV === "production";
+    const remoteAddr = c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? "";
+    const isLocalhost = remoteAddr === "" || remoteAddr === "127.0.0.1" || remoteAddr === "::1";
+    if (isProduction && !isLocalhost) {
+      c.status(404);
+      return c.json({ error: { message: "Not found", type: "invalid_request_error" } });
+    }
+
     const config = getConfig();
     const fp = getFingerprint();
 

src/translation/openai-to-codex.ts

@@ -55,6 +55,7 @@ export function translateToCodexRequest(
     input,
     stream: true,
     store: false,
+    tools: [],
   };
 
   // Add reasoning effort if applicable

src/update-checker.ts

@@ -0,0 +1,128 @@
+/**
+ * Update checker — polls the Codex Sparkle appcast for new versions.
+ * Integrates with the main server process.
+ */
+
+import { readFileSync, writeFileSync, mkdirSync } from "fs";
+import { resolve } from "path";
+import yaml from "js-yaml";
+
+const CONFIG_PATH = resolve(process.cwd(), "config/default.yaml");
+const STATE_PATH = resolve(process.cwd(), "data/update-state.json");
+const APPCAST_URL = "https://persistent.oaistatic.com/codex-app-prod/appcast.xml";
+const POLL_INTERVAL_MS = 30 * 60 * 1000; // 30 minutes
+
+export interface UpdateState {
+  last_check: string;
+  latest_version: string | null;
+  latest_build: string | null;
+  download_url: string | null;
+  update_available: boolean;
+  current_version: string;
+  current_build: string;
+}
+
+let _currentState: UpdateState | null = null;
+let _pollTimer: ReturnType<typeof setInterval> | null = null;
+
+function loadCurrentConfig(): { app_version: string; build_number: string } {
+  const raw = yaml.load(readFileSync(CONFIG_PATH, "utf-8")) as Record<string, unknown>;
+  const client = raw.client as Record<string, string>;
+  return {
+    app_version: client.app_version,
+    build_number: client.build_number,
+  };
+}
+
+function parseAppcast(xml: string): {
+  version: string | null;
+  build: string | null;
+  downloadUrl: string | null;
+} {
+  const itemMatch = xml.match(/<item>([\s\S]*?)<\/item>/i);
+  if (!itemMatch) return { version: null, build: null, downloadUrl: null };
+  const item = itemMatch[1];
+  const versionMatch = item.match(/sparkle:shortVersionString="([^"]+)"/);
+  const buildMatch = item.match(/sparkle:version="([^"]+)"/);
+  const urlMatch = item.match(/url="([^"]+)"/);
+  return {
+    version: versionMatch?.[1] ?? null,
+    build: buildMatch?.[1] ?? null,
+    downloadUrl: urlMatch?.[1] ?? null,
+  };
+}
+
+export async function checkForUpdate(): Promise<UpdateState> {
+  const current = loadCurrentConfig();
+  const res = await fetch(APPCAST_URL);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch appcast: ${res.status} ${res.statusText}`);
+  }
+  const xml = await res.text();
+  const { version, build, downloadUrl } = parseAppcast(xml);
+
+  const updateAvailable = !!(version && build &&
+    (version !== current.app_version || build !== current.build_number));
+
+  const state: UpdateState = {
+    last_check: new Date().toISOString(),
+    latest_version: version,
+    latest_build: build,
+    download_url: downloadUrl,
+    update_available: updateAvailable,
+    current_version: current.app_version,
+    current_build: current.build_number,
+  };
+
+  _currentState = state;
+
+  // Persist state
+  try {
+    mkdirSync(resolve(process.cwd(), "data"), { recursive: true });
+    writeFileSync(STATE_PATH, JSON.stringify(state, null, 2));
+  } catch {
+    // best-effort persistence
+  }
+
+  if (updateAvailable) {
+    console.log(
+      `[UpdateChecker] *** UPDATE AVAILABLE: v${version} (build ${build}) — current: v${current.app_version} (build ${current.build_number})`,
+    );
+  }
+
+  return state;
+}
+
+/** Get the most recent update check state. */
+export function getUpdateState(): UpdateState | null {
+  return _currentState;
+}
+
+/**
+ * Start periodic update checking.
+ * Runs an initial check immediately (non-blocking), then polls every 30 minutes.
+ */
+export function startUpdateChecker(): void {
+  // Initial check (non-blocking)
+  checkForUpdate().catch((err) => {
+    console.warn(`[UpdateChecker] Initial check failed: ${err instanceof Error ? err.message : err}`);
+  });
+
+  // Periodic polling
+  _pollTimer = setInterval(() => {
+    checkForUpdate().catch((err) => {
+      console.warn(`[UpdateChecker] Poll failed: ${err instanceof Error ? err.message : err}`);
+    });
+  }, POLL_INTERVAL_MS);
+
+  // Don't keep the process alive just for update checks
+  if (_pollTimer.unref) _pollTimer.unref();
+}
+
+/** Stop the periodic update checker. */
+export function stopUpdateChecker(): void {
+  if (_pollTimer) {
+    clearInterval(_pollTimer);
+    _pollTimer = null;
+  }
+}