feat: Codex CLI Proxy (App-Server Architecture) — PROJECT-SPEC.md

scripts/codex-auth-check.sh

@@ -20,10 +20,10 @@ fi
 
 # ─── Extract access token ─────────────────────────────────────────────────────
 
-ACCESS_TOKEN=$(python3 -c "
-import json, sys
+ACCESS_TOKEN=$(AUTH_FILE="${AUTH_FILE}" python3 -c "
+import json, sys, os
 try:
-    data = json.load(open('${AUTH_FILE}'))
+    data = json.load(open(os.environ['AUTH_FILE']))
     token = data.get('accessToken') or data.get('access_token') or data.get('token')
     if not token:
         print('', end='')
@@ -43,10 +43,10 @@ fi
 
 # ─── Decode JWT exp claim ─────────────────────────────────────────────────────
 
-EXP=$(python3 -c "
-import base64, json, sys
+EXP=$(ACCESS_TOKEN="${ACCESS_TOKEN}" python3 -c "
+import base64, json, sys, os
 
-token = '${ACCESS_TOKEN}'
+token = os.environ['ACCESS_TOKEN']
 parts = token.split('.')
 if len(parts) != 3:
     print(-1)

src/client/app-server.ts

@@ -493,7 +493,17 @@ export class AppServerClient {
     }
     if (inflight.cleanupDone) return;
 
-    // If turnId not yet set, buffer the delta
+    // If turnId not yet set, try to resolve from delta params before buffering
+    if (!inflight.turnId) {
+      if (turnId) {
+        // Delta carries turnId — resolve it now and flush buffer
+        inflight.turnId = turnId;
+        this.flushDeltaBuffer(inflight);
+        // Fall through to emit current delta normally (turnId is now set)
+      }
+    }
+
+    // If turnId still not set after attempting resolution, buffer the delta
     if (!inflight.turnId) {
       // Check buffer limits
       inflight.deltaBufferSize += delta.length;
@@ -608,6 +618,7 @@ export class AppServerClient {
           message: 'Response too large',
           errorType: 'server_error',
         });
+        return;
       }
     }
   }
@@ -661,8 +672,9 @@ export class AppServerClient {
     if (!inflight.stream && inflight.gracePeriodTimer) {
       clearTimeout(inflight.gracePeriodTimer);
       inflight.gracePeriodTimer = null;
-      // Send the non-streaming response now
+      // Send the non-streaming response now, then release the slot and archive
       this.sendNonStreamingResponse(inflight);
+      this.triggerCleanup(inflight, { type: 'success' });
     }
   }
 

src/server/routes.ts

@@ -138,8 +138,14 @@ export function buildRouter(client: AppServerClient): Router {
   router.use(limiter);
 
   // ─── CORS ──────────────────────────────────────────────────────────────────
-  router.use((_req: Request, res: Response, next: NextFunction) => {
-    res.setHeader('Access-Control-Allow-Origin', '*');
+  // Restrict to localhost origins only — this proxy is local-only
+  router.use((req: Request, res: Response, next: NextFunction) => {
+    const origin = req.headers.origin;
+    if (origin && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+    } else {
+      res.setHeader('Access-Control-Allow-Origin', 'http://localhost');
+    }
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
     res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
     next();