ndycode
diff --git a/‎AGENTS.md‎
Lines changed: 47 additions & 200 deletions b/‎AGENTS.md‎
Lines changed: 47 additions & 200 deletions
diff --git a/‎lib/auth/auth.ts‎
Lines changed: 7 additions & 13 deletions b/‎lib/auth/auth.ts‎
Lines changed: 7 additions & 13 deletions
diff --git a/‎lib/auth/server.ts‎
Lines changed: 6 additions & 7 deletions b/‎lib/auth/server.ts‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎lib/config.ts‎
Lines changed: 3 additions & 3 deletions b/‎lib/config.ts‎
Lines changed: 3 additions & 3 deletions
@@ -1,210 +1,57 @@
-# AGENTS.md
+# PROJECT KNOWLEDGE BASE
 
-This file provides coding guidance for AI agents (including Claude Code, Codex, and others) when working with code in this repository.
+Generated: 2026-01-29
+Commit: 693b0cc
+Branch: main
 
-## Overview
+## OVERVIEW
+OpenCode plugin that swaps OpenAI SDK calls to the ChatGPT Codex backend with multi-account OAuth.
 
-This is an **opencode plugin** that enables OAuth authentication with OpenAI's ChatGPT Plus/Pro Codex backend. It allows users to access `gpt-5.2-codex`, `gpt-5.1-codex`, `gpt-5.1-codex-max`, `gpt-5.1-codex-mini`, `gpt-5.2`, and `gpt-5.1` models through their ChatGPT subscription instead of using OpenAI Platform API credits. Legacy GPT-5.0 models are automatically normalized to their GPT-5.1 equivalents.
-
-**Key architecture principle**: 7-step fetch flow that intercepts opencode's OpenAI SDK requests, transforms them for the ChatGPT backend API, and handles OAuth token management.
-
-## Build & Test Commands
+## STRUCTURE
+```
+./
+├── index.ts                  # plugin entry point (not under src/)
+├── lib/                       # main source (auth, request, prompts, config)
+├── test/                      # vitest suites
+├── scripts/                   # install + build helpers
+├── assets/                    # static assets
+├── config/                    # OpenCode config examples
+├── docs/                      # architecture docs/diagrams
+├── dist/                      # build output (generated)
+└── SECURITY.md                # vuln reporting rules
+```
 
+## WHERE TO LOOK
+| Task | Location | Notes |
+| --- | --- | --- |
+| Fetch flow orchestration | `index.ts` | 7-step request pipeline
+| OAuth flow + tokens | `lib/auth/auth.ts` | PKCE, refresh, JWT decode
+| OAuth callback server | `lib/auth/server.ts` | binds port 1455
+| Request mutation | `lib/request/request-transformer.ts` | model normalization + prompts
+| Request helpers | `lib/request/fetch-helpers.ts` | headers, rate limit handling
+| SSE response handling | `lib/request/response-handler.ts` | SSE to JSON
+| Prompt fetching/cache | `lib/prompts/codex.ts` | GitHub release ETag cache
+| Config parsing | `lib/config.ts` | CODEX_MODE + options
+| Tests | `test/` | vitest globals enabled
+
+## CONVENTIONS
+- Source lives in `index.ts` and `lib/`; `dist/` is generated.
+- ESLint flat config: no `any`, unused args must be prefixed with `_`.
+- Test files relax lint rules; see `eslint.config.js`.
+- Build must copy `lib/oauth-success.html` into `dist/lib/` (see `scripts/copy-oauth-success.js`).
+
+## ANTI-PATTERNS (THIS PROJECT)
+- Do not edit `dist/` outputs or `tmp*` directories.
+- Do not open public security issues; follow `SECURITY.md` for reporting.
+
+## COMMANDS
 ```bash
-# Build (compiles TypeScript + copies HTML file)
 npm run build
-
-# Type checking only (no build)
 npm run typecheck
-
-# Run all tests
 npm test
-
-# Watch mode for TDD
-npm run test:watch
-
-# Interactive test UI
-npm run test:ui
-
-# Coverage report
-npm run test:coverage
+npm run lint
 ```
 
-**Important**: The build script has a critical step that copies `lib/oauth-success.html` to `dist/lib/`. This HTML file is required for the OAuth callback flow.
-
-## Code Architecture
-
-### Plugin Flow (index.ts)
-
-The main entry point orchestrates a **7-step fetch flow**:
-
-1. **Token Management**: Check token expiration, refresh if needed
-2. **URL Rewriting**: Transform OpenAI Platform API URLs → ChatGPT backend API (`https://chatgpt.com/backend-api/codex/responses`)
-3. **Request Transformation**:
-   - Normalize model names (all variants → `gpt-5.2`, `gpt-5.2-codex`, `gpt-5.1`, `gpt-5.1-codex`, `gpt-5.1-codex-max`, `gpt-5.1-codex-mini`, `gpt-5`, `gpt-5-codex`, or `codex-mini-latest`)
-   - Inject Codex system instructions from latest GitHub release
-   - Apply reasoning configuration (effort, summary, verbosity)
-   - Add CODEX_MODE bridge prompt (default) or tool remap message (legacy)
-   - Filter OpenCode system prompts when in CODEX_MODE
-   - Filter conversation history (remove `rs_*` IDs for stateless operation)
-4. **Headers**: Add OAuth token + ChatGPT account ID
-5. **Request Execution**: Send to Codex backend
-6. **Response Logging**: Optional debug logging (ENABLE_PLUGIN_REQUEST_LOGGING=1)
-7. **Response Handling**: Convert SSE to JSON (non-tool requests) or pass through
-
-### Module Organization
-
-**Core Plugin** (`index.ts`)
-- Plugin definition and main fetch orchestration
-- OAuth loader (extracts ChatGPT account ID from JWT)
-- Configuration loading and CODEX_MODE determination
-
-**Authentication** (`lib/auth/`)
-- `auth.ts`: OAuth flow (PKCE, token exchange, JWT decoding, refresh)
-- `server.ts`: Local HTTP server for OAuth callback (port 1455)
-- `browser.ts`: Platform-specific browser opening
-
-**Request Handling** (`lib/request/`)
-- `fetch-helpers.ts`: 10 focused helper functions for main fetch flow
-- `request-transformer.ts`: Body transformations (model normalization, reasoning config, input filtering)
-- `response-handler.ts`: SSE to JSON conversion
-
-**Prompts** (`lib/prompts/`)
-- `codex.ts`: Fetches Codex instructions from GitHub (ETag-cached), tool remap message
-- `codex-opencode-bridge.ts`: CODEX_MODE bridge prompt for CLI parity
-
-**Configuration** (`lib/`)
-- `config.ts`: Plugin config loading, CODEX_MODE determination
-- `constants.ts`: All magic values, URLs, error messages
-- `types.ts`: TypeScript type definitions
-- `logger.ts`: Debug logging (controlled by env var)
-
-### Key Design Patterns
-
-**1. Stateless Operation**: Uses `store: false` + `include: ["reasoning.encrypted_content"]`
-- Allows multi-turn conversations without server-side storage
-- Encrypted reasoning content persists context across turns
-
-**2. CODEX_MODE** (enabled by default):
-- **Priority**: `CODEX_MODE` env var > `~/.opencode/openai-codex-auth-config.json` > default (true)
-- When enabled: Filters out OpenCode system prompts, adds Codex-OpenCode bridge prompt with Task tool & MCP awareness
-- When disabled: Uses legacy tool remap message
-- Bridge prompt (~550 tokens): Tool mappings, available tools, working style, **Task tool/sub-agent awareness**, **MCP tool awareness**
-- **Prompt verification**: Caches OpenCode's codex.txt from GitHub (ETag-based) to verify exact prompt removal, with fallback to text signature matching
-
-**3. Configuration Merging**:
-- Global options (`provider.openai.options`) + per-model options (`provider.openai.models[name].options`)
-- Model-specific options override global
-- Plugin defaults: `reasoningEffort: "medium"`, `reasoningSummary: "auto"`, `textVerbosity: "medium"`
-
-**4. Model Normalization** (GPT-5.0 → GPT-5.1 migration):
-- All `gpt-5.2-codex*` variants → `gpt-5.2-codex` (newest Codex model, supports xhigh)
-- All `gpt-5.1-codex-max*` variants → `gpt-5.1-codex-max`
-- All `gpt-5.1-codex*` variants → `gpt-5.1-codex`
-- All `gpt-5.1-codex-mini*` variants → `gpt-5.1-codex-mini`
-- All `gpt-5.2` variants → `gpt-5.2`
-- All `gpt-5.1` variants → `gpt-5.1`
-- **Legacy mappings** (GPT-5.0 being phased out):
-  - `gpt-5-codex*` variants → `gpt-5.1-codex`
-  - `gpt-5-codex-mini*` or `codex-mini-latest` → `gpt-5.1-codex-mini`
-  - `gpt-5*` variants (including `gpt-5-mini`, `gpt-5-nano`) → `gpt-5.1`
-- `minimal` effort auto-normalized to `low` for Codex families (including GPT-5.2 Codex) and clamped to `medium` (or `high` when requested) for Codex Mini
-
-**5. Model-Specific Prompt Selection**:
-- Different prompts for different model families (matching Codex CLI):
-  - `gpt-5.2-codex*` → `gpt-5.2-codex_prompt.md` (117 lines, Codex CLI agent prompt)
-  - `gpt-5.1-codex-max*` → `gpt-5.1-codex-max_prompt.md` (117 lines, frontend design guidelines)
-  - `gpt-5.1-codex*`, `codex-*` → `gpt_5_codex_prompt.md` (105 lines, coding focus)
-  - `gpt-5.2*` → `gpt_5_2_prompt.md` (GPT‑5.2 general family)
-  - `gpt-5.1*` → `gpt_5_1_prompt.md` (368 lines, full behavioral guidance)
-- `getModelFamily()` determines prompt selection based on normalized model
-
-**6. Codex Instructions Caching**:
-- Fetches from latest release tag (not main branch)
-- ETag-based HTTP conditional requests per model family
-- Separate cache files per family: `gpt-5.2-codex-instructions.md`, `codex-max-instructions.md`, `codex-instructions.md`, `gpt-5.2-instructions.md`, `gpt-5.1-instructions.md`
-- Cache invalidation when release tag changes
-- Falls back to bundled version if GitHub unavailable
-
-## Development Patterns
-
-### Adding New Configuration Options
-
-1. Add to `ConfigOptions` interface in `lib/types.ts`
-2. Update `transformRequestBody()` in `lib/request/request-transformer.ts`
-3. Add tests in `test/request-transformer.test.ts`
-4. Document in README.md configuration section
-
-### Modifying Request Transformation
-
-All request transformations go through `transformRequestBody()`:
-- Input filtering: `filterInput()`, `filterOpenCodeSystemPrompts()`
-- Message injection: `addCodexBridgeMessage()` or `addToolRemapMessage()`
-- Reasoning config: `getReasoningConfig()` (follows Codex CLI defaults, not opencode defaults)
-- Model config: `getModelConfig()` (merges global + per-model options)
-
-### OAuth Flow Modifications
-
-OAuth implementation follows OpenAI Codex CLI patterns:
-- Client ID: `app_EMoamEEZ73f0CkXaXp7hrann`
-- PKCE with S256 challenge
-- Special params: `codex_cli_simplified_flow=true`, `originator=codex_cli_rs`
-- Callback server on port 1455 (matches Codex CLI)
-
-### Testing Strategy
-
-- **191 comprehensive tests** covering all modules
-- Test files mirror source structure (`test/auth.test.ts` ↔ `lib/auth/auth.ts`)
-- Mock-heavy testing (no actual network calls or file I/O in tests)
-- Focus on edge cases: token expiration, model normalization, input filtering, CODEX_MODE toggling
-
-## Important Configuration Differences
-
-This plugin **intentionally differs from opencode defaults** because it accesses ChatGPT backend API (not OpenAI Platform API):
-
-| Setting | opencode Default | This Plugin Default | Reason |
-|---------|-----------------|---------------------|--------|
-| `reasoningEffort` | "high" (gpt-5) | "medium" (Codex Max defaults to "high") | Matches Codex CLI default and Codex Max capabilities |
-| `textVerbosity` | "low" (gpt-5) | "medium" | Matches Codex CLI default |
-| `reasoningSummary` | "detailed" | "auto" | Matches Codex CLI default |
-| gpt-5-codex config | (excluded) | Full support | opencode excludes gpt-5-codex from auto-config |
-| `store` | true | false | Required for ChatGPT backend |
-| `include` | (not set) | `["reasoning.encrypted_content"]` | Required for stateless operation |
-
-## File Paths & Locations
-
-- **Plugin config**: `~/.opencode/openai-codex-auth-config.json`
-- **Cache dir**: `~/.opencode/cache/`
-  - `codex-instructions.md` (Codex CLI instructions from GitHub)
-  - `codex-instructions-meta.json` (ETag + release tag for Codex instructions)
-  - `opencode-codex.txt` (OpenCode system prompt from GitHub, for verification)
-  - `opencode-codex-meta.json` (ETag for OpenCode prompt)
-- **Debug logs**: `~/.opencode/logs/codex-plugin/` (when `ENABLE_PLUGIN_REQUEST_LOGGING=1`)
-- **OAuth callback**: `http://localhost:1455/auth/callback`
-
-## Environment Variables
-
-- `CODEX_MODE`: Override config file (1=enable, 0=disable)
-- `ENABLE_PLUGIN_REQUEST_LOGGING`: Enable detailed request logging (1=enable)
-
-## TypeScript Configuration
-
-- Target: ES2022
-- Module: ES2022 with bundler resolution
-- Output: `./dist/`
-- Strict mode enabled
-- Declaration files generated
-- Source maps enabled
-- Excludes: `test/`, `node_modules/`, `dist/`
-
-## Dependencies
-
-**Production**:
-- `@openauthjs/openauth` (OAuth PKCE implementation)
-
-**Development**:
-- `@opencode-ai/plugin` (peer dependency)
-- `vitest` (testing framework)
-- TypeScript
-
-**Zero external runtime dependencies** - only uses Node.js built-ins for file I/O, HTTP, crypto.
+## NOTES
+- OAuth callback server binds `http://127.0.0.1:1455/auth/callback`.
+- ChatGPT backend requires stateless requests (`store: false`, include encrypted reasoning).
@@ -1,6 +1,7 @@
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import type { PKCEPair, AuthorizationFlow, TokenResult, ParsedAuthInput, JWTPayload } from "../types.js";
+import { logError } from "../logger.js";
 
 // OAuth constants (from openai/codex)
 export const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
@@ -85,7 +86,7 @@ export async function exchangeAuthorizationCode(
 	});
 	if (!res.ok) {
 		const text = await res.text().catch(() => "");
-		console.error("[openai-codex-plugin] code->token failed:", res.status, text);
+		logError(`code->token failed: ${res.status} ${text}`);
 		return { type: "failed", reason: "http_error", statusCode: res.status, message: text || undefined };
 	}
 	const json = (await res.json()) as {
@@ -99,7 +100,7 @@ export async function exchangeAuthorizationCode(
 		!json?.refresh_token ||
 		typeof json?.expires_in !== "number"
 	) {
-		console.error("[openai-codex-plugin] token response missing fields:", json);
+		logError("token response missing fields", json);
 		return { type: "failed", reason: "invalid_response", message: "Missing access_token, refresh_token, or expires_in" };
 	}
 	return {
@@ -153,11 +154,7 @@ export async function refreshAccessToken(refreshToken: string): Promise<TokenRes
 
 		if (!response.ok) {
 			const text = await response.text().catch(() => "");
-			console.error(
-				"[openai-codex-plugin] Token refresh failed:",
-				response.status,
-				text,
-			);
+			logError(`Token refresh failed: ${response.status} ${text}`);
 			return { type: "failed", reason: "http_error", statusCode: response.status, message: text || undefined };
 		}
 
@@ -168,16 +165,13 @@ export async function refreshAccessToken(refreshToken: string): Promise<TokenRes
 			id_token?: string;
 		};
 		if (!json?.access_token || typeof json?.expires_in !== "number") {
-			console.error(
-				"[openai-codex-plugin] Token refresh response missing fields:",
-				json,
-			);
+			logError("Token refresh response missing fields", json);
 			return { type: "failed", reason: "invalid_response", message: "Missing access_token or expires_in" };
 		}
 
 		const nextRefresh = json.refresh_token ?? refreshToken;
 		if (!nextRefresh) {
-			console.error("[openai-codex-plugin] Token refresh missing refresh token");
+			logError("Token refresh missing refresh token");
 			return { type: "failed", reason: "missing_refresh", message: "No refresh token in response or input" };
 		}
 
@@ -191,7 +185,7 @@ export async function refreshAccessToken(refreshToken: string): Promise<TokenRes
 		};
 	} catch (error) {
 		const err = error as Error;
-		console.error("[openai-codex-plugin] Token refresh error:", err);
+		logError("Token refresh error", err);
 		return { type: "failed", reason: "network_error", message: err?.message };
 	}
 }
 
@@ -3,6 +3,7 @@ import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { OAuthServerInfo } from "../types.js";
+import { logError, logWarn } from "../logger.js";
 
 // Resolve path to oauth-success.html (one level up from auth/ subfolder)
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -38,7 +39,7 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 			res.end(successHtml);
 			(server as http.Server & { _lastCode?: string })._lastCode = code;
 	} catch (err) {
-		console.error("[openai-codex-plugin] Request handler error:", (err as Error)?.message ?? String(err));
+		logError(`Request handler error: ${(err as Error)?.message ?? String(err)}`);
 		res.statusCode = 500;
 		res.end("Internal error");
 	}
@@ -61,16 +62,14 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 						if (lastCode) return { code: lastCode };
 						await poll();
 					}
-					console.error("[openai-codex-plugin] OAuth poll timeout after 5 minutes");
+					logWarn("OAuth poll timeout after 5 minutes");
 					return null;
 				},
 				});
 			})
 			.on("error", (err: NodeJS.ErrnoException) => {
-				console.error(
-					"[openai-codex-plugin] Failed to bind http://127.0.0.1:1455 (",
-					err?.code,
-					") Falling back to manual paste.",
+				logError(
+					`Failed to bind http://127.0.0.1:1455 (${err?.code}). Falling back to manual paste.`,
 				);
 				resolve({
 					port: 1455,
@@ -79,7 +78,7 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 					try {
 						server.close();
 					} catch (err) {
-						console.error("[openai-codex-plugin] Failed to close OAuth server:", (err as Error)?.message ?? String(err));
+					logError(`Failed to close OAuth server: ${(err as Error)?.message ?? String(err)}`);
 					}
 				},
 					waitForCode: async () => null,
 
@@ -2,6 +2,7 @@ import { readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";
 import type { PluginConfig } from "./types.js";
+import { logWarn } from "./logger.js";
 
 const CONFIG_PATH = join(homedir(), ".opencode", "openai-codex-auth-config.json");
 
@@ -41,9 +42,8 @@ export function loadPluginConfig(): PluginConfig {
 			...userConfig,
 		};
 	} catch (error) {
-		console.warn(
-			`[openai-codex-plugin] Failed to load config from ${CONFIG_PATH}:`,
-			(error as Error).message
+		logWarn(
+			`Failed to load config from ${CONFIG_PATH}: ${(error as Error).message}`,
 		);
 		return DEFAULT_CONFIG;
 	}