fix(desktop): import Codex auth token

Author: Sun-sunshine06

apps/desktop/src/main/connection-ipc.ts

@@ -8,6 +8,7 @@ import {
 } from '@open-codesign/shared';
 import { ipcMain } from './electron-runtime';
 import { getApiKeyForProvider, getCachedConfig } from './onboarding-ipc';
+import { isKeylessProviderAllowed } from './provider-settings';
 
 // ---------------------------------------------------------------------------
 // Payload schemas (plain validation, no zod in main to keep bundle lean)
@@ -358,8 +359,17 @@ function resolveCredentialsForProvider(
   let apiKey: string;
   try {
     apiKey = getApiKeyForProvider(providerId);
-  } catch {
+  } catch (err) {
     // No stored key — provider may be keyless (IP-whitelisted proxy).
+    if (!isKeylessProviderAllowed(providerId, entry)) {
+      return {
+        ok: false,
+        code: 'IPC_BAD_INPUT',
+        message:
+          err instanceof Error ? err.message : `No API key stored for provider "${providerId}"`,
+        hint: 'Open Settings and import Codex again, or add an API key for this provider',
+      };
+    }
     apiKey = '';
   }
   return {
@@ -385,9 +395,7 @@ function resolveActiveCredentials(): ActiveProviderCredentials | ConnectionTestE
   return resolveCredentialsForProvider(active);
 }
 
-async function runProviderTest(
-  creds: ActiveProviderCredentials,
-): Promise<ConnectionTestResponse> {
+async function runProviderTest(creds: ActiveProviderCredentials): Promise<ConnectionTestResponse> {
   const { url } = buildEndpointForWire(creds.wire, creds.baseUrl);
   const headers = buildAuthHeadersForWire(creds.wire, creds.apiKey, creds.httpHeaders);
 
@@ -594,8 +602,15 @@ export function registerConnectionIpc(): void {
       let apiKey: string;
       try {
         apiKey = getApiKeyForProvider(raw);
-      } catch {
-        // No stored key — provider may be keyless (IP-whitelisted proxy).
+      } catch (err) {
+        if (!isKeylessProviderAllowed(raw, entry)) {
+          return {
+            ok: false,
+            code: 'IPC_BAD_INPUT',
+            message: err instanceof Error ? err.message : `No API key stored for provider "${raw}"`,
+            hint: 'Open Settings and import Codex again, or add an API key for this provider',
+          };
+        }
         apiKey = '';
       }
 

apps/desktop/src/main/imports/codex-config.test.ts

@@ -1,5 +1,8 @@
+import { mkdir, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
 import { describe, expect, it } from 'vitest';
-import { parseCodexConfig } from './codex-config';
+import { parseCodexConfig, readCodexConfig } from './codex-config';
 
 describe('parseCodexConfig', () => {
   it('returns empty providers on empty TOML', async () => {
@@ -46,6 +49,17 @@ wire_api = "responses"
     expect(out.providers[0]?.defaultModel).toBe('gpt-4o');
   });
 
+  it('marks Codex providers that require OpenAI auth', async () => {
+    const toml = `
+[model_providers.custom]
+base_url = "https://api.duckcoding.ai/v1"
+wire_api = "responses"
+requires_openai_auth = true
+`;
+    const out = await parseCodexConfig(toml);
+    expect(out.providers[0]?.requiresApiKey).toBe(true);
+  });
+
   it('uses provider-local model when a non-active provider declares one', async () => {
     const toml = `
 model = "deepseek-chat"
@@ -89,3 +103,31 @@ base_url = "https://proxy.anthropic.example.com"
     expect(out.providers[0]?.wire).toBe('anthropic');
   });
 });
+
+describe('readCodexConfig', () => {
+  it('reads OPENAI_API_KEY from Codex auth.json for providers requiring OpenAI auth', async () => {
+    const home = join(tmpdir(), `open-codesign-codex-${Date.now()}-${Math.random()}`);
+    const codexDir = join(home, '.codex');
+    await mkdir(codexDir, { recursive: true });
+    await writeFile(
+      join(codexDir, 'config.toml'),
+      `
+model_provider = "custom"
+model = "gpt-5.4"
+
+[model_providers.custom]
+base_url = "https://api.duckcoding.ai/v1"
+wire_api = "responses"
+requires_openai_auth = true
+`,
+      'utf8',
+    );
+    await writeFile(join(codexDir, 'auth.json'), '{"OPENAI_API_KEY":" sk-codex-auth "}', 'utf8');
+
+    const out = await readCodexConfig(home);
+
+    expect(out?.providers[0]?.id).toBe('codex-custom');
+    expect(out?.providers[0]?.requiresApiKey).toBe(true);
+    expect(out?.apiKeyMap['codex-custom']).toBe('sk-codex-auth');
+  });
+});

apps/desktop/src/main/imports/codex-config.ts

@@ -10,12 +10,18 @@ export function codexConfigPath(home: string = homedir()): string {
   return join(home, '.codex', 'config.toml');
 }
 
+export function codexAuthPath(home: string = homedir()): string {
+  return join(home, '.codex', 'auth.json');
+}
+
 export interface CodexImport {
   providers: ProviderEntry[];
   activeProvider: string | null;
   activeModel: string | null;
   /** Env-key lookups the caller should run to resolve keys. */
   envKeyMap: Record<string, string>; // providerId → envVarName
+  /** API keys resolved from Codex auth.json, keyed by imported provider id. */
+  apiKeyMap: Record<string, string>;
   warnings: string[];
 }
 
@@ -25,6 +31,7 @@ type CodexProviderBlock = {
   env_key?: string;
   model?: string;
   wire_api?: string;
+  requires_openai_auth?: boolean;
   http_headers?: Record<string, string>;
   query_params?: Record<string, string>;
 };
@@ -49,6 +56,7 @@ export async function parseCodexConfig(toml: string): Promise<CodexImport> {
       activeProvider: null,
       activeModel: null,
       envKeyMap: {},
+      apiKeyMap: {},
       warnings: [`Codex config.toml is not valid TOML: ${msg}`],
     };
   }
@@ -59,6 +67,7 @@ export async function parseCodexConfig(toml: string): Promise<CodexImport> {
       activeProvider: null,
       activeModel: null,
       envKeyMap: {},
+      apiKeyMap: {},
       warnings: ['Codex config.toml has unexpected top-level shape'],
     };
   }
@@ -109,6 +118,9 @@ export async function parseCodexConfig(toml: string): Promise<CodexImport> {
           entry.envKey = block.env_key;
           envKeyMap[entry.id] = block.env_key;
         }
+        if (block.requires_openai_auth === true) {
+          entry.requiresApiKey = true;
+        }
         if (block.http_headers !== undefined && typeof block.http_headers === 'object') {
           const map: Record<string, string> = {};
           for (const [k, v] of Object.entries(block.http_headers)) {
@@ -135,7 +147,34 @@ export async function parseCodexConfig(toml: string): Promise<CodexImport> {
     if (entry !== undefined) entry.defaultModel = activeModel;
   }
 
-  return { providers, activeProvider: activeProviderId, activeModel, envKeyMap, warnings };
+  return {
+    providers,
+    activeProvider: activeProviderId,
+    activeModel,
+    envKeyMap,
+    apiKeyMap: {},
+    warnings,
+  };
+}
+
+async function readCodexOpenAiApiKey(home: string = homedir()): Promise<string | null> {
+  let raw: string;
+  try {
+    raw = await readFile(codexAuthPath(home), 'utf8');
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
+    throw err;
+  }
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return null;
+  const record = parsed as Record<string, unknown>;
+  const rawKey = record['OPENAI_API_KEY'] ?? record['openai_api_key'] ?? record['apiKey'];
+  return typeof rawKey === 'string' && rawKey.trim().length > 0 ? rawKey.trim() : null;
 }
 
 export async function readCodexConfig(home: string = homedir()): Promise<CodexImport | null> {
@@ -147,5 +186,15 @@ export async function readCodexConfig(home: string = homedir()): Promise<CodexIm
     if ((err as NodeJS.ErrnoException).code === 'ENOENT') return null;
     throw err;
   }
-  return parseCodexConfig(raw);
+  const imported = await parseCodexConfig(raw);
+  const openAiApiKey = await readCodexOpenAiApiKey(home);
+  if (openAiApiKey === null) return imported;
+
+  const apiKeyMap: Record<string, string> = {};
+  for (const provider of imported.providers) {
+    if (provider.requiresApiKey === true) {
+      apiKeyMap[provider.id] = openAiApiKey;
+    }
+  }
+  return { ...imported, apiKeyMap };
 }

apps/desktop/src/main/index.ts

@@ -45,7 +45,7 @@ import {
 } from './onboarding-ipc';
 import { readPersisted as readPreferences, registerPreferencesIpc } from './preferences-ipc';
 import { preparePromptContext } from './prompt-context';
-import { isKeylessProviderAllowed, resolveActiveModel } from './provider-settings';
+import { resolveActiveModel } from './provider-settings';
 import { safeInitSnapshotsDb } from './snapshots-db';
 import { registerSnapshotsIpc, registerSnapshotsUnavailableIpc } from './snapshots-ipc';
 import { initStorageSettings } from './storage-settings';
@@ -447,7 +447,7 @@ function registerIpcHandlers(): void {
     } catch {
       apiKey = '';
     }
-    const allowKeyless = isKeylessProviderAllowed(active.model.provider);
+    const allowKeyless = active.allowKeyless;
     // Once we've snapped to the canonical active provider, the renderer-supplied
     // baseUrl can no longer be trusted — it may belong to a different (stale)
     // provider and would route the active provider's API key to the wrong host.
@@ -587,7 +587,7 @@ function registerIpcHandlers(): void {
     } catch {
       apiKey = '';
     }
-    const allowKeyless = isKeylessProviderAllowed(active.model.provider);
+    const allowKeyless = active.allowKeyless;
     // See codesign:v1:generate above — renderer baseUrl is ignored post-snap.
     const baseUrl = active.baseUrl ?? undefined;
     if (active.overridden) {
@@ -686,7 +686,7 @@ function registerIpcHandlers(): void {
     } catch {
       apiKey = '';
     }
-    const allowKeyless = isKeylessProviderAllowed(active.model.provider);
+    const allowKeyless = active.allowKeyless;
     const baseUrl = active.baseUrl ?? undefined;
     const promptContext = await preparePromptContext({
       attachments: payload.attachments,
@@ -762,7 +762,7 @@ function registerIpcHandlers(): void {
     } catch {
       apiKey = '';
     }
-    const allowKeyless = isKeylessProviderAllowed(active.model.provider);
+    const allowKeyless = active.allowKeyless;
     const baseUrl = active.baseUrl ?? undefined;
     return generateTitle({
       prompt,

apps/desktop/src/main/onboarding-ipc.test.ts

@@ -286,6 +286,7 @@ describe('config:v1:import-codex-config empty env handling', () => {
       activeProvider: 'codex-empty-env',
       activeModel: 'gpt-test',
       envKeyMap: { 'codex-empty-env': 'OPEN_CODESIGN_EMPTY_ENV_FOR_TEST' },
+      apiKeyMap: {},
       warnings: [],
     });
     process.env['OPEN_CODESIGN_EMPTY_ENV_FOR_TEST'] = '   ';
@@ -294,12 +295,51 @@ describe('config:v1:import-codex-config empty env handling', () => {
     expect(handler).toBeDefined();
     await expect(handler?.({} as unknown)).resolves.toMatchObject({
       provider: 'codex-empty-env',
-      hasKey: true,
+      hasKey: false,
     });
 
     expect(encryptSecret).not.toHaveBeenCalled();
     const written = vi.mocked(writeConfig).mock.calls.at(-1)?.[0];
     expect(written?.secrets['codex-empty-env']).toBeUndefined();
     process.env['OPEN_CODESIGN_EMPTY_ENV_FOR_TEST'] = undefined;
   });
+
+  it('encrypts Codex auth.json API keys for providers requiring OpenAI auth', async () => {
+    const { readCodexConfig } = await import('./imports/codex-config');
+    const { tryBuildSecretRef } = await import('./keychain');
+    const { writeConfig } = await import('./config');
+    vi.mocked(tryBuildSecretRef).mockClear();
+    vi.mocked(writeConfig).mockClear();
+    vi.mocked(readCodexConfig).mockResolvedValueOnce({
+      providers: [
+        {
+          id: 'codex-custom',
+          name: 'Codex (imported)',
+          builtin: false,
+          wire: 'openai-responses',
+          baseUrl: 'https://api.duckcoding.ai/v1',
+          defaultModel: 'gpt-5.4',
+          requiresApiKey: true,
+        },
+      ],
+      activeProvider: 'codex-custom',
+      activeModel: 'gpt-5.4',
+      envKeyMap: {},
+      apiKeyMap: { 'codex-custom': 'sk-codex-auth' },
+      warnings: [],
+    });
+
+    const handler = handlers.get('config:v1:import-codex-config');
+    expect(handler).toBeDefined();
+    await expect(handler?.({} as unknown)).resolves.toMatchObject({
+      provider: 'codex-custom',
+      hasKey: true,
+    });
+
+    expect(tryBuildSecretRef).toHaveBeenCalledWith('sk-codex-auth');
+    const written = vi.mocked(writeConfig).mock.calls.at(-1)?.[0];
+    expect(written?.secrets['codex-custom']).toEqual(
+      expect.objectContaining({ ciphertext: 'enc:sk-codex-auth' }),
+    );
+  });
 });

apps/desktop/src/main/onboarding-ipc.ts

@@ -106,7 +106,7 @@ function toState(cfg: Config | null): OnboardingState {
   }
   const active = cfg.activeProvider;
   const ref = cfg.secrets[active];
-  if (ref === undefined && !isKeylessProviderAllowed(active)) {
+  if (ref === undefined && !isKeylessProviderAllowed(active, cfg.providers[active])) {
     return {
       hasKey: false,
       provider: active,
@@ -696,13 +696,25 @@ async function runImportCodex(imported: CodexImport): Promise<OnboardingState> {
   }
   for (const entry of imported.providers) {
     nextProviders[entry.id] = entry;
+    const importedApiKey = imported.apiKeyMap[entry.id]?.trim();
     if (entry.envKey !== undefined) {
       const envValue = process.env[entry.envKey]?.trim();
       if (envValue !== undefined && envValue.length > 0) {
         const ref = tryBuildSecretRef(envValue);
         if (ref !== null) nextSecrets[entry.id] = ref;
+        continue;
       }
     }
+    const fallbackApiKey =
+      importedApiKey !== undefined && importedApiKey.length > 0
+        ? importedApiKey
+        : entry.requiresApiKey === true
+          ? process.env['OPENAI_API_KEY']?.trim()
+          : undefined;
+    if (fallbackApiKey !== undefined && fallbackApiKey.length > 0) {
+      const ref = tryBuildSecretRef(fallbackApiKey);
+      if (ref !== null) nextSecrets[entry.id] = ref;
+    }
   }
   const fallbackActive = imported.providers[0];
   if (fallbackActive === undefined) {