Codex OAuth is an authentication method for the OpenAI provider, not a
standalone MCP tool. Move all Codex endpoints to a dedicated controller
with semantically correct paths (/codex/connect, /codex/disconnect) and
update the frontend to use the new routes.

Add a "Connect via Codex" button to the OpenAI BYOK provider panel in
the Models settings page. The OAuth PKCE flow obtains an OpenAI API key
and saves it as a provider, with a marker config for state detection.
- Add handleCodexOAuth, saveCodexAsProvider, handleCodexDisconnect
- Extract refreshProviderForm helper to deduplicate provider list sync
- Show "or" divider between Codex OAuth and manual API key entry
- Disconnect properly revokes token, removes marker, and resets provider
- Add i18n keys for connect/disconnect/status UI text

Remove the entire Codex onInstall handler, saveCodexAsProvider, and
saveCodexMarkerConfig helpers from MCP.tsx and ToolSelect.tsx. Extract
OAuth polling constants (OAUTH_POLL_INTERVAL_MS, OAUTH_POLL_TIMEOUT_MS)
to replace inline magic numbers in the remaining Google Calendar flow.
Add TODO for status string enum extraction.

Codex OAuth is a model-provider integration, not a toolkit. Remove it
from ConfigInfo.configs so it no longer appears in the /api/config/info
response that drives the MCP & Tools UI. Also remove Codex-specific
install detection and uninstall handling from useIntegrationManagement
and IntegrationList.
- Save CODEX_OAUTH_TOKEN marker config after OAuth to track install state
- Check marker config instead of OPENAI_API_KEY for install detection
- Avoid mutating input dict in CodexOAuthManager.save_token()
- Add CODEX_OAUTH_TOKEN to Codex env_vars whitelist in server config
- Prioritize named integration descriptions over env_vars fallback

Address review feedback: Codex OAuth obtains an OpenAI API key for model
access, not agent tools. After successful OAuth, the key is now saved via
the Provider API (/api/provider) so it integrates with the model provider
configuration system.
Changes:
- Backend: return access_token in Codex install response for provider storage
- Frontend: replace /api/configs storage with /api/provider for Codex
- Server: mark CODEX ConfigInfo entry as type=provider with empty env_vars
- i18n: add missing codex translation keys, remove verbose t() fallback pattern
- Fix stray merge conflict marker in ToolSelect.tsx
- Remove debug console.log statements from MCP.tsx
- Add Fernet encryption for token storage using cryptography library
- Derive encryption key from machine-specific identifiers (username,
  hostname, machine-id) using PBKDF2HMAC with 100k iterations
- Set restrictive file permissions (0600) on encrypted token file
- Tokens tied to specific machine for additional security
- Extract Codex config constants (CODEX_CONFIG_GROUP, CODEX_CONFIG_NAME,
  CODEX_POLL_TIMEOUT_MS) in ToolSelect.tsx
- Extract CODEX_TOKEN_PATH constant and clarify CODEX_CLIENT_ID is a
  fixed public value in codex_toolkit.py
- Simplify expires_in/expires_at: compute absolute expiry from relative
  value and only persist expires_at
- Add FileLock around token file reads/writes to prevent parallel
  update races
- Add TODO for response status string improvement and refactor of
  shared OAuth install logic
- Apply formatting suggestion on codex uninstall message

Add Codex onInstall handler with OAuth status polling in MCP.tsx
settings page and ToolSelect.tsx AddWorker flow, following the
existing Google Calendar authorization pattern.

Add Codex config check in useIntegrationManagement for installed state
and uninstall cleanup. Add Codex case in IntegrationList handleInstall
to trigger onInstall directly without env dialog.

Add codex handling to install_tool and uninstall_tool endpoints.
Add POST /codex/save-token for manual API key fallback and
GET /codex/status for token status. Add Codex to available tools list.

Implements Authorization Code + PKCE flow using Codex CLI's public
client_id. Handles background OAuth via localhost callback server,
token persistence at ~/.eigent/tokens/codex/, and refresh logic.
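
The client-side mechanics of an Authorization Code + PKCE flow with a localhost callback, as named in the last message above. This is an added example, not code from the project: the client ID, authorize URL, redirect port and all function names are placeholders chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): not the real Codex client_id or endpoints.
CLIENT_ID = "EXAMPLE_PUBLIC_CLIENT_ID"
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
REDIRECT_URI = "http://localhost:8765/callback"


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_flow() -> dict:
    """Create per-attempt secrets and the URL to open in the browser."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    state = _b64url(secrets.token_bytes(16))
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    })
    # The verifier stays local; it is sent only in the later token request.
    return {"verifier": verifier, "state": state, "url": f"{AUTHORIZE_URL}?{query}"}


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, rejecting callbacks with a foreign state."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this flow")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed or code missing")
    return params["code"][0]
```

Because the client_id is public, the unguessable per-attempt verifier and the state check are what bind the localhost callback to the flow that started it.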