Add Codex OAuth provider flow for ChatGPT account sign-in (#503)

* feat: add Codex OAuth provider flow

* fix: harden Codex OAuth storage, session activation, and UI

src/commands/provider/provider.test.tsx

@@ -1,20 +1,28 @@
 import { PassThrough } from 'node:stream'
 
-import { expect, test } from 'bun:test'
+import { afterEach, expect, mock, test } from 'bun:test'
 import React from 'react'
 import stripAnsi from 'strip-ansi'
 
 import { createRoot, render, useApp } from '../../ink.js'
 import { AppStateProvider } from '../../state/AppState.js'
 import {
+  applySavedProfileToCurrentSession,
+  buildCodexOAuthProfileEnv,
   buildCurrentProviderSummary,
   buildProfileSaveMessage,
   getProviderWizardDefaults,
+  ProviderWizard,
   TextEntryDialog,
 } from './provider.js'
+import { createProfileFile } from '../../utils/providerProfile.js'
 
 const SYNC_START = '\x1B[?2026h'
 const SYNC_END = '\x1B[?2026l'
+const ORIGINAL_SIMPLE_ENV = process.env.CLAUDE_CODE_SIMPLE
+const ORIGINAL_CODEX_API_KEY = process.env.CODEX_API_KEY
+const ORIGINAL_CHATGPT_ACCOUNT_ID = process.env.CHATGPT_ACCOUNT_ID
+const ORIGINAL_CODEX_ACCOUNT_ID = process.env.CODEX_ACCOUNT_ID
 
 function extractLastFrame(output: string): string {
   let lastFrame: string | null = null
@@ -60,6 +68,51 @@ async function renderFinalFrame(node: React.ReactNode): Promise<string> {
   return stripAnsi(extractLastFrame(getOutput()))
 }
 
+async function waitForOutput(
+  getOutput: () => string,
+  predicate: (output: string) => boolean,
+  timeoutMs = 2500,
+): Promise<string> {
+  const startedAt = Date.now()
+
+  while (Date.now() - startedAt < timeoutMs) {
+    const output = stripAnsi(extractLastFrame(getOutput()))
+    if (predicate(output)) {
+      return output
+    }
+    await Bun.sleep(10)
+  }
+
+  throw new Error('Timed out waiting for ProviderWizard test output')
+}
+
+async function renderProviderWizardFrame(): Promise<string> {
+  const { stdout, stdin, getOutput } = createTestStreams()
+  const root = await createRoot({
+    stdout: stdout as unknown as NodeJS.WriteStream,
+    stdin: stdin as unknown as NodeJS.ReadStream,
+    patchConsole: false,
+  })
+
+  root.render(
+    <AppStateProvider>
+      <ProviderWizard onDone={() => {}} />
+    </AppStateProvider>,
+  )
+
+  try {
+    return await waitForOutput(
+      getOutput,
+      output => output.includes('Set up a provider profile'),
+    )
+  } finally {
+    root.unmount()
+    stdin.end()
+    stdout.end()
+    await Bun.sleep(0)
+  }
+}
+
 function createTestStreams(): {
   stdout: PassThrough
   stdin: PassThrough & {
@@ -94,6 +147,34 @@ function createTestStreams(): {
   }
 }
 
+afterEach(() => {
+  mock.restore()
+
+  if (ORIGINAL_SIMPLE_ENV === undefined) {
+    delete process.env.CLAUDE_CODE_SIMPLE
+  } else {
+    process.env.CLAUDE_CODE_SIMPLE = ORIGINAL_SIMPLE_ENV
+  }
+
+  if (ORIGINAL_CODEX_API_KEY === undefined) {
+    delete process.env.CODEX_API_KEY
+  } else {
+    process.env.CODEX_API_KEY = ORIGINAL_CODEX_API_KEY
+  }
+
+  if (ORIGINAL_CHATGPT_ACCOUNT_ID === undefined) {
+    delete process.env.CHATGPT_ACCOUNT_ID
+  } else {
+    process.env.CHATGPT_ACCOUNT_ID = ORIGINAL_CHATGPT_ACCOUNT_ID
+  }
+
+  if (ORIGINAL_CODEX_ACCOUNT_ID === undefined) {
+    delete process.env.CODEX_ACCOUNT_ID
+  } else {
+    process.env.CODEX_ACCOUNT_ID = ORIGINAL_CODEX_ACCOUNT_ID
+  }
+})
+
 function StepChangeHarness(): React.ReactNode {
   const { exit } = useApp()
   const [step, setStep] = React.useState<'api' | 'model'>('api')
@@ -233,6 +314,167 @@ test('buildProfileSaveMessage describes Gemini access token / ADC mode clearly',
   expect(message).not.toContain('AIza')
 })
 
+test('buildProfileSaveMessage reflects immediate Codex activation for existing credentials', () => {
+  const message = buildProfileSaveMessage(
+    'codex',
+    {
+      OPENAI_MODEL: 'codexplan',
+      OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+      CHATGPT_ACCOUNT_ID: 'acct_codex',
+    },
+    'D:/codings/Opensource/openclaude/.openclaude-profile.json',
+    {
+      activatedInSession: true,
+    },
+  )
+
+  expect(message).toContain('Saved Codex profile.')
+  expect(message).toContain('OpenClaude switched to it for this session.')
+  expect(message).not.toContain('Restart OpenClaude to use it.')
+})
+
+test('buildProfileSaveMessage reflects immediate Codex OAuth activation when the session switched successfully', () => {
+  const message = buildProfileSaveMessage(
+    'codex',
+    {
+      OPENAI_MODEL: 'codexplan',
+      OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+      CHATGPT_ACCOUNT_ID: 'acct_codex',
+      CODEX_CREDENTIAL_SOURCE: 'oauth',
+    },
+    'D:/codings/Opensource/openclaude/.openclaude-profile.json',
+    {
+      activatedInSession: true,
+    },
+  )
+
+  expect(message).toContain('Saved Codex profile.')
+  expect(message).toContain('OpenClaude switched to it for this session.')
+  expect(message).not.toContain('Restart OpenClaude to use it.')
+})
+
+test('buildCodexOAuthProfileEnv uses the fresh OAuth account id without persisting an API key', () => {
+  process.env.CODEX_API_KEY = 'stale-codex-key'
+  process.env.CHATGPT_ACCOUNT_ID = 'acct_stale'
+
+  const env = buildCodexOAuthProfileEnv({
+    accessToken: 'oauth-access-token',
+    accountId: 'acct_oauth',
+  })
+
+  expect(env).toEqual({
+    OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+    OPENAI_MODEL: 'codexplan',
+    CHATGPT_ACCOUNT_ID: 'acct_oauth',
+    CODEX_CREDENTIAL_SOURCE: 'oauth',
+  })
+  expect(env).not.toHaveProperty('CODEX_API_KEY')
+})
+
+test('buildCodexProfileEnv derives oauth source from secure storage when no explicit source is provided', async () => {
+  const actualProviderConfig = await import('../../services/api/providerConfig.js')
+
+  mock.module('../../services/api/providerConfig.js', () => ({
+    ...actualProviderConfig,
+    resolveCodexApiCredentials: () => ({
+      apiKey: 'stored-access-token',
+      accountId: 'acct_secure_storage',
+      source: 'secure-storage' as const,
+    }),
+  }))
+
+  // @ts-expect-error cache-busting query string for Bun module mocks
+  const { buildCodexProfileEnv } = await import(
+    '../../utils/providerProfile.js?secure-storage-codex-source'
+  )
+
+  const env = buildCodexProfileEnv({
+    model: 'codexplan',
+    processEnv: {},
+  })
+
+  expect(env).toEqual({
+    OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+    OPENAI_MODEL: 'codexplan',
+    CHATGPT_ACCOUNT_ID: 'acct_secure_storage',
+    CODEX_CREDENTIAL_SOURCE: 'oauth',
+  })
+})
+
+test('applySavedProfileToCurrentSession switches the current env to the saved Codex profile', async () => {
+  // @ts-expect-error cache-busting query string for Bun module mocks
+  const { applySavedProfileToCurrentSession } = await import(
+    '../../utils/providerProfile.js?apply-saved-profile-codex'
+  )
+  const processEnv: NodeJS.ProcessEnv = {
+    CLAUDE_CODE_USE_OPENAI: '1',
+    OPENAI_MODEL: 'gpt-4o',
+    OPENAI_BASE_URL: 'https://api.openai.com/v1',
+    OPENAI_API_KEY: 'sk-openai',
+    CODEX_API_KEY: 'codex-live',
+    CHATGPT_ACCOUNT_ID: 'acct_codex',
+    CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED: '1',
+    CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED_ID: 'provider_old',
+  }
+  const profileFile = createProfileFile('codex', {
+    OPENAI_MODEL: 'codexplan',
+    OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+    CODEX_API_KEY: 'codex-live',
+    CHATGPT_ACCOUNT_ID: 'acct_codex',
+  })
+
+  const warning = await applySavedProfileToCurrentSession({
+    profileFile,
+    processEnv,
+  })
+
+  expect(warning).toBeNull()
+  expect(processEnv.CLAUDE_CODE_USE_OPENAI).toBe('1')
+  expect(processEnv.OPENAI_MODEL).toBe('codexplan')
+  expect(processEnv.OPENAI_BASE_URL).toBe(
+    'https://chatgpt.com/backend-api/codex',
+  )
+  expect(processEnv.CODEX_API_KEY).toBe('codex-live')
+  expect(processEnv.CHATGPT_ACCOUNT_ID).toBe('acct_codex')
+  expect(processEnv.OPENAI_API_KEY).toBeUndefined()
+  expect(processEnv.CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED).toBeUndefined()
+  expect(processEnv.CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED_ID).toBeUndefined()
+})
+
+test('applySavedProfileToCurrentSession ignores stale Codex env overrides for OAuth-backed profiles', async () => {
+  // @ts-expect-error cache-busting query string for Bun module mocks
+  const { applySavedProfileToCurrentSession } = await import(
+    '../../utils/providerProfile.js?apply-saved-profile-codex-oauth'
+  )
+  const processEnv: NodeJS.ProcessEnv = {
+    CLAUDE_CODE_USE_OPENAI: '1',
+    OPENAI_MODEL: 'gpt-4o',
+    OPENAI_BASE_URL: 'https://api.openai.com/v1',
+    CODEX_API_KEY: 'stale-codex-key',
+    CHATGPT_ACCOUNT_ID: 'acct_stale',
+  }
+  const profileFile = createProfileFile('codex', {
+    OPENAI_MODEL: 'codexplan',
+    OPENAI_BASE_URL: 'https://chatgpt.com/backend-api/codex',
+    CHATGPT_ACCOUNT_ID: 'acct_oauth',
+    CODEX_CREDENTIAL_SOURCE: 'oauth',
+  })
+
+  const warning = await applySavedProfileToCurrentSession({
+    profileFile,
+    processEnv,
+  })
+
+  expect(warning).toBeNull()
+  expect(processEnv.OPENAI_MODEL).toBe('codexplan')
+  expect(processEnv.OPENAI_BASE_URL).toBe(
+    'https://chatgpt.com/backend-api/codex',
+  )
+  expect(processEnv.CODEX_API_KEY).toBeUndefined()
+  expect(processEnv.CHATGPT_ACCOUNT_ID).not.toBe('acct_stale')
+  expect(processEnv.CHATGPT_ACCOUNT_ID).toBeTruthy()
+})
+
 test('buildCurrentProviderSummary redacts poisoned model and endpoint values', () => {
   const summary = buildCurrentProviderSummary({
     processEnv: {
@@ -307,3 +549,12 @@ test('getProviderWizardDefaults ignores poisoned current provider values', () =>
   expect(defaults.openAIBaseUrl).toBe('https://api.openai.com/v1')
   expect(defaults.geminiModel).toBe('gemini-2.0-flash')
 })
+
+test('ProviderWizard hides Codex OAuth while running in bare mode', async () => {
+  process.env.CLAUDE_CODE_SIMPLE = '1'
+
+  const output = await renderProviderWizardFrame()
+
+  expect(output).toContain('Set up a provider profile')
+  expect(output).not.toContain('Codex OAuth')
+})