feat: add Codex OAuth login and fix channel config display

- Add OpenAI Codex Device Code Flow login (backend polling + frontend modal) - Codex provider integrated into preset dropdown (hides URL/API key fields) - Sync provider model catalogs with Hermes system - Fix channel config not displaying on first visit (wait for data load) - Fix sidebar model list not refreshing after adding provider - Add autocomplete="off" to API key input to prevent browser autofill Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 23:11:57 +08:00
parent 26bb821e29
commit 9979871550
19 changed files with 722 additions and 6 deletions
@@ -1,6 +1,6 @@
 {
  "name": "hermes-web-ui",
-  "version": "0.3.2",
+  "version": "0.3.4",
  "description": "Web dashboard for Hermes Agent — multi-platform AI chat, session management, scheduled jobs, usage analytics & channel configuration (Telegram, Discord, Slack, WhatsApp)",
  "repository": {
    "type": "git",
@@ -0,0 +1,30 @@
+import { request } from '../client'
+
+export interface CodexStartResult {
+  session_id: string
+  user_code: string
+  verification_url: string
+  expires_in: number
+}
+
+export interface CodexPollResult {
+  status: 'pending' | 'approved' | 'expired' | 'error'
+  error: string | null
+}
+
+export interface CodexStatusResult {
+  authenticated: boolean
+  last_refresh?: string
+}
+
+export async function startCodexLogin(): Promise<CodexStartResult> {
+  return request<CodexStartResult>('/api/hermes/auth/codex/start', { method: 'POST' })
+}
+
+export async function pollCodexLogin(sessionId: string): Promise<CodexPollResult> {
+  return request<CodexPollResult>(`/api/hermes/auth/codex/poll/${sessionId}`)
+}
+
+export async function getCodexAuthStatus(): Promise<CodexStatusResult> {
+  return request<CodexStatusResult>('/api/hermes/auth/codex/status')
+}
@@ -0,0 +1,239 @@
+<script setup lang="ts">
+import { ref, onUnmounted } from 'vue'
+import { NModal, NButton, useMessage } from 'naive-ui'
+import { useI18n } from 'vue-i18n'
+import { startCodexLogin, pollCodexLogin } from '@/api/hermes/codex-auth'
+
+const { t } = useI18n()
+const emit = defineEmits<{ close: []; success: [] }>()
+const message = useMessage()
+
+const showModal = ref(true)
+const status = ref<'idle' | 'loading' | 'waiting' | 'approved' | 'expired' | 'error'>('idle')
+const userCode = ref('')
+const verificationUrl = ref('')
+const sessionId = ref('')
+const errorMessage = ref('')
+let pollTimer: ReturnType<typeof setTimeout> | null = null
+
+async function startLogin() {
+  status.value = 'loading'
+  errorMessage.value = ''
+
+  try {
+    const data = await startCodexLogin()
+    userCode.value = data.user_code
+    verificationUrl.value = data.verification_url
+    sessionId.value = data.session_id
+    status.value = 'waiting'
+    startPolling()
+  } catch (err: any) {
+    status.value = 'error'
+    const msg = err.message || ''
+    // Try to extract friendly error from response
+    try {
+      const match = msg.match(/\{[\s\S]*\}$/)
+      if (match) {
+        const body = JSON.parse(match[0])
+        errorMessage.value = body.error || msg
+      } else {
+        errorMessage.value = msg
+      }
+    } catch {
+      errorMessage.value = msg
+    }
+    message.error(errorMessage.value)
+  }
+}
+
+function startPolling() {
+  stopPolling()
+  pollTimer = setTimeout(async () => {
+    try {
+      const result = await pollCodexLogin(sessionId.value)
+      if (result.status === 'pending') {
+        startPolling()
+      } else if (result.status === 'approved') {
+        status.value = 'approved'
+        message.success(t('models.codexApproved'))
+        setTimeout(() => {
+          showModal.value = false
+          setTimeout(() => emit('success'), 200)
+        }, 1000)
+      } else if (result.status === 'expired') {
+        status.value = 'expired'
+      } else if (result.status === 'error') {
+        status.value = 'error'
+        errorMessage.value = result.error || 'Unknown error'
+      }
+    } catch {
+      startPolling()
+    }
+  }, 3000)
+}
+
+function stopPolling() {
+  if (pollTimer) {
+    clearTimeout(pollTimer)
+    pollTimer = null
+  }
+}
+
+function handleClose() {
+  stopPolling()
+  showModal.value = false
+  setTimeout(() => emit('close'), 200)
+}
+
+function copyCode() {
+  navigator.clipboard.writeText(userCode.value)
+  message.success(t('models.codexCopyCode'))
+}
+
+function openLink() {
+  window.open(verificationUrl.value, '_blank')
+}
+
+function retry() {
+  status.value = 'idle'
+  userCode.value = ''
+  verificationUrl.value = ''
+  sessionId.value = ''
+  errorMessage.value = ''
+  startLogin()
+}
+
+onUnmounted(() => {
+  stopPolling()
+})
+
+// Auto-start when modal opens
+startLogin()
+</script>
+
+<template>
+  <NModal
+    v-model:show="showModal"
+    preset="card"
+    :title="t('models.codexLoginTitle')"
+    :style="{ width: 'min(440px, calc(100vw - 32px))' }"
+    :mask-closable="status !== 'waiting'"
+    @after-leave="emit('close')"
+  >
+    <div class="codex-login">
+      <!-- Idle / Loading -->
+      <div v-if="status === 'idle' || status === 'loading'" class="codex-login__state">
+        <NSpin size="small" />
+      </div>
+
+      <!-- Waiting for authorization -->
+      <div v-else-if="status === 'waiting'" class="codex-login__state">
+        <p class="codex-login__hint">{{ t('models.codexWaiting') }}</p>
+        <div class="codex-login__code" @click="copyCode">
+          <span class="codex-login__code-text">{{ userCode }}</span>
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="9" y="9" width="13" height="13" rx="2"/><path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1"/></svg>
+        </div>
+        <NButton type="primary" block @click="openLink">
+          <template #icon>
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M18 13v6a2 2 0 01-2 2H5a2 2 0 01-2-2V8a2 2 0 012-2h6"/><polyline points="15 3 21 3 21 9"/><line x1="10" y1="14" x2="21" y2="3"/></svg>
+          </template>
+          {{ t('models.codexOpenLink') }}
+        </NButton>
+      </div>
+
+      <!-- Approved -->
+      <div v-else-if="status === 'approved'" class="codex-login__state codex-login__state--success">
+        <svg width="40" height="40" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M22 11.08V12a10 10 0 11-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>
+        <p>{{ t('models.codexApproved') }}</p>
+      </div>
+
+      <!-- Expired -->
+      <div v-else-if="status === 'expired'" class="codex-login__state">
+        <p class="codex-login__error">{{ t('models.codexExpired') }}</p>
+        <NButton size="small" @click="retry">{{ t('common.retry') }}</NButton>
+      </div>
+
+      <!-- Error -->
+      <div v-else-if="status === 'error'" class="codex-login__state">
+        <p class="codex-login__error">{{ errorMessage }}</p>
+        <NButton size="small" @click="retry">{{ t('common.retry') }}</NButton>
+      </div>
+    </div>
+
+    <template #footer>
+      <div class="modal-footer">
+        <NButton :disabled="status === 'waiting'" @click="handleClose">{{ t('common.cancel') }}</NButton>
+      </div>
+    </template>
+  </NModal>
+</template>
+
+<style scoped lang="scss">
+.codex-login {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 8px 0;
+}
+
+.codex-login__state {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 16px;
+  min-height: 120px;
+  justify-content: center;
+  width: 100%;
+}
+
+.codex-login__hint {
+  font-size: 14px;
+  color: var(--n-text-color, inherit);
+  text-align: center;
+  line-height: 1.6;
+}
+
+.codex-login__code {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px 20px;
+  border: 1px solid var(--n-border-color, #e0e0e6);
+  border-radius: 8px;
+  cursor: pointer;
+  transition: border-color 0.2s;
+  background: var(--n-color, #fafafa);
+
+  &:hover {
+    border-color: var(--n-primary-color, #18a058);
+  }
+}
+
+.codex-login__code-text {
+  font-size: 28px;
+  font-weight: 700;
+  font-family: monospace;
+  letter-spacing: 4px;
+  color: var(--n-text-color, inherit);
+}
+
+.codex-login__state--success {
+  color: #18a058;
+
+  svg {
+    stroke: #18a058;
+  }
+}
+
+.codex-login__error {
+  color: #d03050;
+  text-align: center;
+  font-size: 13px;
+}
+
+.modal-footer {
+  display: flex;
+  justify-content: flex-end;
+  gap: 8px;
+}
+</style>
@@ -1,9 +1,10 @@
 <script setup lang="ts">
-import { ref, watch } from 'vue'
+import { ref, watch, computed } from 'vue'
 import { NModal, NForm, NFormItem, NInput, NButton, NSelect, useMessage } from 'naive-ui'
 import { useModelsStore } from '@/stores/hermes/models'
 import { PROVIDER_PRESETS } from '@/shared/providers'
 import { useI18n } from 'vue-i18n'
+import CodexLoginModal from './CodexLoginModal.vue'

 const { t } = useI18n()

@@ -18,6 +19,7 @@ const message = useMessage()
 const showModal = ref(true)
 const loading = ref(false)
 const fetchingModels = ref(false)
+const showCodexLogin = ref(false)

 const providerType = ref<'preset' | 'custom'>('preset')
 const selectedPreset = ref<string | null>(null)
@@ -32,6 +34,10 @@ const modelOptions = ref<Array<{ label: string; value: string }>>([])

 const PRESET_PROVIDERS = PROVIDER_PRESETS as any[]

+const CODEX_KEY = 'openai-codex'
+
+const isCodex = computed(() => selectedPreset.value === CODEX_KEY)
+
 function autoGenerateName(url: string): string {
  const clean = url.replace(/^https?:\/\//, '').replace(/\/v1\/?$/, '')
  const host = clean.split('/')[0]
@@ -104,6 +110,13 @@ async function handleSave() {
    message.warning(t('models.selectProviderRequired'))
    return
  }
+
+  // Codex: 弹出授权码弹窗
+  if (isCodex.value) {
+    showCodexLogin.value = true
+    return
+  }
+
  if (!formData.value.base_url.trim()) {
    message.warning(t('models.baseUrlRequired'))
    return
@@ -139,6 +152,12 @@ async function handleSave() {
  }
 }

+async function handleCodexSuccess() {
+  showCodexLogin.value = false
+  message.success(t('models.providerAdded'))
+  emit('saved')
+}
+
 function handleClose() {
  showModal.value = false
  setTimeout(() => emit('close'), 200)
@@ -151,7 +170,7 @@ function handleClose() {
    preset="card"
    :title="t('models.addProvider')"
    :style="{ width: 'min(520px, calc(100vw - 32px))' }"
-    :mask-closable="!loading"
+    :mask-closable="!loading && !showCodexLogin"
    @after-leave="emit('close')"
  >
    <NForm label-placement="top">
@@ -191,7 +210,7 @@ function handleClose() {
        />
      </NFormItem>

-      <NFormItem :label="t('models.baseUrl')" required>
+      <NFormItem v-if="!isCodex" :label="t('models.baseUrl')" required>
        <NInput
          v-model:value="formData.base_url"
          :placeholder="t('models.baseUrlPlaceholder')"
@@ -199,12 +218,13 @@ function handleClose() {
        />
      </NFormItem>

-      <NFormItem :label="t('models.apiKey')" required>
+      <NFormItem v-if="!isCodex" :label="t('models.apiKey')" required>
        <NInput
          v-model:value="formData.api_key"
          type="password"
          show-password-on="click"
          :placeholder="t('models.apiKeyPlaceholder')"
+          autocomplete="off"
        />
      </NFormItem>

@@ -237,6 +257,12 @@ function handleClose() {
        </NButton>
      </div>
    </template>
+
+    <CodexLoginModal
+      v-if="showCodexLogin"
+      @close="showCodexLogin = false"
+      @success="handleCodexSuccess"
+    />
  </NModal>
 </template>

@@ -14,6 +14,7 @@ export default {
  common: {
    loading: 'Laden...',
    cancel: 'Abbrechen',
+    retry: 'Erneutern',
    delete: 'Loschen',
    edit: 'Bearbeiten',
    save: 'Speichern',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Anbieter geloscht',
    deleteProvider: 'Anbieter loschen',
    deleteConfirm: 'Mochten Sie "{name}" wirklich loschen?',
+    codexLoginTitle: 'OpenAI Codex Anmeldung',
+    codexWaiting: 'Geben Sie diesen Code auf der Autorisierungsseite ein, um sich anzumelden:',
+    codexCopyCode: 'Code kopiert',
+    codexOpenLink: 'Autorisierungsseite öffnen',
+    codexApproved: 'Anmeldung erfolgreich',
+    codexExpired: 'Die Autorisierung ist abgelaufen. Bitte versuchen Sie es erneut.',
    noProviders: 'Keine Anbieter gefunden. Fugen Sie einen benutzerdefinierten Anbieter hinzu, um zu beginnen.',
    builtIn: 'Integriert',
    customType: 'Benutzerdefiniert',
@@ -17,6 +17,7 @@ export default {
    delete: 'Delete',
    edit: 'Edit',
    save: 'Save',
+    retry: 'Retry',
    saved: 'Saved',
    update: 'Update',
    create: 'Create',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Provider deleted',
    deleteProvider: 'Delete Provider',
    deleteConfirm: 'Are you sure you want to delete "{name}"?',
+    codexLoginTitle: 'OpenAI Codex Login',
+    codexWaiting: 'Enter this code at the authorization page to complete login:',
+    codexCopyCode: 'Code copied',
+    codexOpenLink: 'Open authorization page',
+    codexApproved: 'Login successful',
+    codexExpired: 'Authorization expired. Please try again.',
    noProviders: 'No providers found. Add a custom provider to get started.',
    builtIn: 'Built-in',
    customType: 'Custom',
@@ -14,6 +14,7 @@ export default {
  common: {
    loading: 'Cargando...',
    cancel: 'Cancelar',
+    retry: 'Reintentar',
    delete: 'Eliminar',
    edit: 'Editar',
    save: 'Guardar',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Proveedor eliminado',
    deleteProvider: 'Eliminar proveedor',
    deleteConfirm: 'Estas seguro de que quieres eliminar "{name}"?',
+    codexLoginTitle: 'Inicio de sesión de OpenAI Codex',
+    codexWaiting: 'Ingrese este código en la página de autorización para iniciar sesión:',
+    codexCopyCode: 'Código copiado',
+    codexOpenLink: 'Abrir página de autorización',
+    codexApproved: 'Inicio de sesión exitoso',
+    codexExpired: 'La autorización ha expirado. Por favor, inténtelo de nuevo.',
    noProviders: 'No se encontraron proveedores. Anade un proveedor personalizado para comenzar.',
    builtIn: 'Integrado',
    customType: 'Personalizado',
@@ -14,6 +14,7 @@ export default {
  common: {
    loading: 'Chargement...',
    cancel: 'Annuler',
+    retry: 'Réessayer',
    delete: 'Supprimer',
    edit: 'Modifier',
    save: 'Enregistrer',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Fournisseur supprime',
    deleteProvider: 'Supprimer le fournisseur',
    deleteConfirm: 'Etes-vous sur de vouloir supprimer "{name}" ?',
+    codexLoginTitle: 'Connexion OpenAI Codex',
+    codexWaiting: 'Entrez ce code sur la page d\'autorisation pour vous connecter :',
+    codexCopyCode: 'Code copié',
+    codexOpenLink: 'Ouvrir la page d\'autorisation',
+    codexApproved: 'Connexion réussie',
+    codexExpired: 'L\'autorisation a expiré. Veuillez réessayer.',
    noProviders: 'Aucun fournisseur trouve. Ajoutez un fournisseur personnalise pour commencer.',
    builtIn: 'Integre',
    customType: 'Personnalise',
@@ -14,6 +14,7 @@ export default {
  common: {
    loading: '読み込み中...',
    cancel: 'キャンセル',
+    retry: '再試行',
    delete: '削除',
    edit: '編集',
    save: '保存',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'プロバイダーを削除しました',
    deleteProvider: 'プロバイダーを削除',
    deleteConfirm: '「{name}」を削除しますか？',
+    codexLoginTitle: 'OpenAI Codex ログイン',
+    codexWaiting: '認証ページで以下のコードを入力してログインしてください：',
+    codexCopyCode: 'コードをコピーしました',
+    codexOpenLink: '認証ページを開く',
+    codexApproved: 'ログイン成功',
+    codexExpired: '認証の有効期限が切れました。もう一度お試しください。',
    noProviders: 'プロバイダーがありません。カスタムプロバイダーを追加して始めましょう。',
    builtIn: '組み込み',
    customType: 'カスタム',
@@ -14,6 +14,7 @@ export default {
  common: {
    loading: '로딩 중...',
    cancel: '취소',
+    retry: '재시도',
    delete: '삭제',
    edit: '편집',
    save: '저장',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Provider가 삭제되었습니다',
    deleteProvider: 'Provider 삭제',
    deleteConfirm: '"{name}"을(를) 삭제하시겠습니까?',
+    codexLoginTitle: 'OpenAI Codex 로그인',
+    codexWaiting: '인증 페이지에서 아래 코드를 입력하여 로그인하세요:',
+    codexCopyCode: '코드가 복사되었습니다',
+    codexOpenLink: '인증 페이지 열기',
+    codexApproved: '로그인 성공',
+    codexExpired: '인증이 만료되었습니다. 다시 시도해주세요.',
    noProviders: 'Provider가 없습니다. 사용자 지정 Provider를 추가하여 시작하세요.',
    builtIn: '내장',
    customType: '사용자 지정',
@@ -14,6 +14,7 @@ export default {
  common: {
    loading: 'Carregando...',
    cancel: 'Cancelar',
+    retry: 'Tentar novamente',
    delete: 'Excluir',
    edit: 'Editar',
    save: 'Salvar',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Provedor excluido',
    deleteProvider: 'Excluir provedor',
    deleteConfirm: 'Tem certeza de que deseja excluir "{name}"?',
+    codexLoginTitle: 'Login do OpenAI Codex',
+    codexWaiting: 'Digite este código na página de autorização para fazer login:',
+    codexCopyCode: 'Código copiado',
+    codexOpenLink: 'Abrir página de autorização',
+    codexApproved: 'Login bem-sucedido',
+    codexExpired: 'A autorização expirou. Por favor, tente novamente.',
    noProviders: 'Nenhum provedor encontrado. Adicione um provedor personalizado para comecar.',
    builtIn: 'Integrado',
    customType: 'Personalizado',
@@ -15,6 +15,7 @@ export default {
    loading: '加载中...',
    cancel: '取消',
    delete: '删除',
+    retry: '重试',
    edit: '编辑',
    save: '保存',
    saved: '已保存',
@@ -195,6 +196,12 @@ export default {
    providerDeleted: 'Provider 已删除',
    deleteProvider: '删除 Provider',
    deleteConfirm: '确定删除 "{name}" 吗？',
+    codexLoginTitle: 'OpenAI Codex 登录',
+    codexWaiting: '在授权页面输入以下代码完成登录：',
+    codexCopyCode: '代码已复制',
+    codexOpenLink: '打开授权页面',
+    codexApproved: '登录成功',
+    codexExpired: '授权已过期，请重试。',
    noProviders: '暂无 Provider，添加一个开始吧。',
    builtIn: '内置',
    customType: '自定义',
@@ -221,6 +221,12 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
    base_url: 'https://opencode.ai/zen/go/v1',
    models: ['glm-5.1', 'glm-5', 'kimi-k2.5', 'mimo-v2-pro', 'mimo-v2-omni', 'minimax-m2.7', 'minimax-m2.5'],
  },
+  {
+    label: 'OpenAI Codex',
+    value: 'openai-codex',
+    base_url: 'https://chatgpt.com/backend-api/codex',
+    models: ['gpt-5.4-mini', 'gpt-5.4', 'gpt-5.3-codex', 'gpt-5.2-codex', 'gpt-5.1-codex-max', 'gpt-5.1-codex-mini'],
+  },
  {
    label: 'Arcee AI',
    value: 'arcee',
@@ -21,7 +21,7 @@ onMounted(() => {

    <div class="channels-content">
      <NSpin :show="settingsStore.loading || settingsStore.saving" size="large" :description="t('common.loading')">
-        <PlatformSettings />
+        <PlatformSettings v-if="!settingsStore.loading" />
      </NSpin>
    </div>
  </div>
@@ -5,9 +5,11 @@ import { useI18n } from 'vue-i18n'
 import ProvidersPanel from '@/components/hermes/models/ProvidersPanel.vue'
 import ProviderFormModal from '@/components/hermes/models/ProviderFormModal.vue'
 import { useModelsStore } from '@/stores/hermes/models'
+import { useAppStore } from '@/stores/hermes/app'

 const { t } = useI18n()
 const modelsStore = useModelsStore()
+const appStore = useAppStore()
 const showModal = ref(false)

 onMounted(() => {
@@ -24,6 +26,7 @@ function handleModalClose() {

 async function handleSaved() {
  await modelsStore.fetchProviders()
+  appStore.loadModels()
  handleModalClose()
 }
 </script>
@@ -0,0 +1,347 @@
+import Router from '@koa/router'
+import { randomUUID } from 'crypto'
+import { join } from 'path'
+import { homedir } from 'os'
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs'
+import { getActiveAuthPath } from '../../services/hermes/hermes-profile'
+
+// --- OAuth Constants ---
+const CODEX_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann'
+const CODEX_DEVICE_AUTH_URL = 'https://auth.openai.com/api/accounts/deviceauth/usercode'
+const CODEX_DEVICE_TOKEN_URL = 'https://auth.openai.com/api/accounts/deviceauth/token'
+const CODEX_OAUTH_TOKEN_URL = 'https://auth.openai.com/oauth/token'
+const CODEX_DEFAULT_BASE_URL = 'https://chatgpt.com/backend-api/codex'
+const CODEX_REDIRECT_URI = 'https://auth.openai.com/deviceauth/callback'
+const CODEX_VERIFICATION_URL = 'https://auth.openai.com/codex/device'
+const CODEX_HOME = join(homedir(), '.codex')
+const POLL_MAX_DURATION = 15 * 60 * 1000 // 15 minutes
+const POLL_DEFAULT_INTERVAL = 5000 // 5 seconds
+
+// --- Session Store ---
+interface CodexSession {
+  id: string
+  userCode: string
+  deviceAuthId: string
+  status: 'pending' | 'approved' | 'expired' | 'error'
+  error?: string
+  accessToken?: string
+  refreshToken?: string
+  createdAt: number
+}
+
+const sessions = new Map<string, CodexSession>()
+
+function cleanupExpiredSessions() {
+  const now = Date.now()
+  sessions.forEach((session, id) => {
+    if (now - session.createdAt > POLL_MAX_DURATION + 60000) {
+      sessions.delete(id)
+    }
+  })
+}
+
+// --- Auth file helpers ---
+interface AuthJson {
+  version?: number
+  active_provider?: string
+  providers?: Record<string, any>
+  credential_pool?: Record<string, any[]>
+  updated_at?: string
+}
+
+function loadAuthJson(authPath: string): AuthJson {
+  try {
+    const raw = readFileSync(authPath, 'utf-8')
+    return JSON.parse(raw) as AuthJson
+  } catch {
+    return { version: 1 }
+  }
+}
+
+function saveAuthJson(authPath: string, data: AuthJson): void {
+  data.updated_at = new Date().toISOString()
+  const dir = authPath.substring(0, authPath.lastIndexOf('/'))
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
+  writeFileSync(authPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 })
+}
+
+function saveCodexCliTokens(accessToken: string, refreshToken: string): void {
+  const codexHome = process.env.CODEX_HOME || CODEX_HOME
+  const codexAuthPath = join(codexHome, 'auth.json')
+  const dir = codexAuthPath.substring(0, codexAuthPath.lastIndexOf('/'))
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
+  const data = {
+    tokens: { access_token: accessToken, refresh_token: refreshToken },
+    last_refresh: new Date().toISOString(),
+  }
+  writeFileSync(codexAuthPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 })
+}
+
+function decodeJwtExp(token: string): number | null {
+  try {
+    const parts = token.split('.')
+    if (parts.length !== 3) return null
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf-8')
+    const claims = JSON.parse(payload)
+    return typeof claims.exp === 'number' ? claims.exp : null
+  } catch {
+    return null
+  }
+}
+
+// --- Background login worker ---
+async function codexLoginWorker(session: CodexSession, authPath: string): Promise<void> {
+  const startTime = Date.now()
+  const interval = POLL_DEFAULT_INTERVAL
+
+  while (Date.now() - startTime < POLL_MAX_DURATION) {
+    await new Promise(resolve => setTimeout(resolve, interval))
+
+    if (session.status !== 'pending') return
+
+    try {
+      // Step 3: Poll for authorization
+      const pollRes = await fetch(CODEX_DEVICE_TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          device_auth_id: session.deviceAuthId,
+          user_code: session.userCode,
+        }),
+        signal: AbortSignal.timeout(10000),
+      })
+
+      if (pollRes.status === 200) {
+        const pollData = await pollRes.json() as { authorization_code: string; code_verifier: string }
+
+        // Step 4: Exchange authorization code for tokens
+        const tokenRes = await fetch(CODEX_OAUTH_TOKEN_URL, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+          body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: pollData.authorization_code,
+            redirect_uri: CODEX_REDIRECT_URI,
+            client_id: CODEX_CLIENT_ID,
+            code_verifier: pollData.code_verifier,
+          }).toString(),
+          signal: AbortSignal.timeout(15000),
+        })
+
+        if (!tokenRes.ok) {
+          const errText = await tokenRes.text()
+          console.error('[Codex Auth] Token exchange failed:', tokenRes.status, errText)
+          session.status = 'error'
+          session.error = `Token exchange failed: ${tokenRes.status}`
+          return
+        }
+
+        const tokenData = await tokenRes.json() as { access_token: string; refresh_token?: string }
+        const refreshToken = tokenData.refresh_token || ''
+
+        session.accessToken = tokenData.access_token
+        session.refreshToken = refreshToken
+        session.status = 'approved'
+
+        // Save to auth.json
+        const auth = loadAuthJson(authPath)
+        if (!auth.providers) auth.providers = {}
+        auth.providers['openai-codex'] = {
+          tokens: {
+            access_token: tokenData.access_token,
+            refresh_token: refreshToken,
+          },
+          last_refresh: new Date().toISOString(),
+          auth_mode: 'chatgpt',
+        }
+
+        // Add to credential pool
+        if (!auth.credential_pool) auth.credential_pool = {}
+        auth.credential_pool['openai-codex'] = [{
+          id: `openai-codex-${Date.now()}`,
+          label: 'OpenAI Codex',
+          base_url: CODEX_DEFAULT_BASE_URL,
+          access_token: tokenData.access_token,
+          last_status: null,
+        }]
+
+        saveAuthJson(authPath, auth)
+
+        // Save to ~/.codex/auth.json for CLI sync
+        saveCodexCliTokens(tokenData.access_token, refreshToken)
+
+        console.log('[Codex Auth] Login successful')
+        return
+      }
+
+      if (pollRes.status === 403 || pollRes.status === 404) {
+        // Not yet authorized, keep polling
+        continue
+      }
+
+      // Other error status
+      console.error('[Codex Auth] Poll failed:', pollRes.status)
+      session.status = 'error'
+      session.error = `Poll failed: ${pollRes.status}`
+      return
+    } catch (err: any) {
+      if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+        continue
+      }
+      console.error('[Codex Auth] Poll error:', err.message)
+      session.status = 'error'
+      session.error = err.message
+      return
+    }
+  }
+
+  // Timeout
+  session.status = 'expired'
+}
+
+// --- Routes ---
+export const codexAuthRoutes = new Router()
+
+codexAuthRoutes.post('/api/hermes/auth/codex/start', async (ctx) => {
+  try {
+    cleanupExpiredSessions()
+
+    // Step 1: Request device code
+    const res = await fetch(CODEX_DEVICE_AUTH_URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'User-Agent': 'node-fetch',
+      },
+      body: JSON.stringify({ client_id: CODEX_CLIENT_ID }),
+      signal: AbortSignal.timeout(10000),
+    })
+
+    if (!res.ok) {
+      let errorBody: any = null
+      try { errorBody = await res.json() } catch { /* ignore */ }
+      console.error(`[codex-auth] Device code request failed: ${res.status}`, errorBody)
+
+      let errorMessage = `Device code request failed: ${res.status}`
+      if (errorBody?.error?.code === 'unsupported_country_region_territory') {
+        errorMessage = 'OpenAI does not support your region. You may need to use a proxy or VPN to access Codex.'
+      }
+
+      ctx.status = 502
+      ctx.body = { error: errorMessage, code: errorBody?.error?.code }
+      return
+    }
+
+    const data = await res.json() as { user_code: string; device_auth_id: string; interval?: string }
+
+    const sessionId = randomUUID()
+    const session: CodexSession = {
+      id: sessionId,
+      userCode: data.user_code,
+      deviceAuthId: data.device_auth_id,
+      status: 'pending',
+      createdAt: Date.now(),
+    }
+    sessions.set(sessionId, session)
+
+    // Start background worker
+    const authPath = getActiveAuthPath()
+    codexLoginWorker(session, authPath).catch(err => {
+      console.error('[Codex Auth] Worker error:', err)
+      session.status = 'error'
+      session.error = err.message
+    })
+
+    ctx.body = {
+      session_id: sessionId,
+      user_code: data.user_code,
+      verification_url: CODEX_VERIFICATION_URL,
+      expires_in: 900, // 15 minutes
+    }
+  } catch (err: any) {
+    ctx.status = 500
+    ctx.body = { error: err.message }
+  }
+})
+
+codexAuthRoutes.get('/api/hermes/auth/codex/poll/:sessionId', async (ctx) => {
+  const session = sessions.get(ctx.params.sessionId)
+  if (!session) {
+    ctx.status = 404
+    ctx.body = { error: 'Session not found' }
+    return
+  }
+
+  ctx.body = {
+    status: session.status,
+    error: session.error || null,
+  }
+})
+
+codexAuthRoutes.get('/api/hermes/auth/codex/status', async (ctx) => {
+  try {
+    const authPath = getActiveAuthPath()
+    const auth = loadAuthJson(authPath)
+    const tokens = auth.providers?.['openai-codex']?.tokens
+
+    if (!tokens?.access_token || !auth.providers) {
+      ctx.body = { authenticated: false }
+      return
+    }
+
+    const codexProvider = auth.providers['openai-codex']!
+
+    // Check if token is expired
+    const exp = decodeJwtExp(tokens.access_token)
+    if (exp && exp <= Date.now() / 1000 + 120) {
+      // Try refresh
+      if (tokens.refresh_token) {
+        try {
+          const refreshRes = await fetch(CODEX_OAUTH_TOKEN_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+              grant_type: 'refresh_token',
+              refresh_token: tokens.refresh_token,
+              client_id: CODEX_CLIENT_ID,
+            }).toString(),
+            signal: AbortSignal.timeout(15000),
+          })
+
+          if (refreshRes.ok) {
+            const newTokens = await refreshRes.json() as { access_token: string; refresh_token?: string }
+            codexProvider.tokens.access_token = newTokens.access_token
+            if (newTokens.refresh_token) {
+              codexProvider.tokens.refresh_token = newTokens.refresh_token
+            }
+            codexProvider.last_refresh = new Date().toISOString()
+            saveAuthJson(authPath, auth)
+            saveCodexCliTokens(newTokens.access_token, newTokens.refresh_token || tokens.refresh_token)
+
+            // Update credential pool too
+            if (auth.credential_pool?.['openai-codex']?.[0]) {
+              auth.credential_pool['openai-codex'][0].access_token = newTokens.access_token
+              saveAuthJson(authPath, auth)
+            }
+
+            ctx.body = { authenticated: true, last_refresh: codexProvider.last_refresh }
+            return
+          }
+        } catch {
+          // Refresh failed
+        }
+      }
+
+      ctx.body = { authenticated: false }
+      return
+    }
+
+    ctx.body = {
+      authenticated: true,
+      last_refresh: codexProvider.last_refresh,
+    }
+  } catch {
+    ctx.body = { authenticated: false }
+  }
+})
@@ -27,6 +27,7 @@ const PROVIDER_ENV_MAP: Record<string, { api_key_env: string; base_url_env: stri
  'opencode-go': { api_key_env: 'OPENCODE_API_KEY', base_url_env: 'OPENCODE_GO_BASE_URL' },
  huggingface: { api_key_env: 'HF_TOKEN', base_url_env: 'HF_BASE_URL' },
  arcee: { api_key_env: 'ARCEE_API_KEY', base_url_env: '' },
+  'openai-codex': { api_key_env: '', base_url_env: 'HERMES_CODEX_BASE_URL' },
 }

 async function saveEnvValue(key: string, value: string): Promise<void> {
@@ -5,6 +5,7 @@ import { configRoutes } from './config'
 import { fsRoutes } from './filesystem'
 import { logRoutes } from './logs'
 import { weixinRoutes } from './weixin'
+import { codexAuthRoutes } from './codex-auth'
 import { proxyRoutes, proxyMiddleware } from './proxy'
 import { setupTerminalWebSocket } from './terminal'

@@ -16,6 +17,7 @@ hermesRoutes.use(configRoutes.routes())
 hermesRoutes.use(fsRoutes.routes())
 hermesRoutes.use(logRoutes.routes())
 hermesRoutes.use(weixinRoutes.routes())
+hermesRoutes.use(codexAuthRoutes.routes())
 hermesRoutes.use(proxyRoutes.routes())

 export { setupTerminalWebSocket, proxyMiddleware }
@@ -221,6 +221,12 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
    base_url: 'https://opencode.ai/zen/go/v1',
    models: ['glm-5.1', 'glm-5', 'kimi-k2.5', 'mimo-v2-pro', 'mimo-v2-omni', 'minimax-m2.7', 'minimax-m2.5'],
  },
+  {
+    label: 'OpenAI Codex',
+    value: 'openai-codex',
+    base_url: 'https://chatgpt.com/backend-api/codex',
+    models: ['gpt-5.4-mini', 'gpt-5.4', 'gpt-5.3-codex', 'gpt-5.2-codex', 'gpt-5.1-codex-max', 'gpt-5.1-codex-mini'],
+  },
  {
    label: 'Arcee AI',
    value: 'arcee',