#!/usr/bin/env bash set -euo pipefail APP_PATH="/Applications/Codex.app" APP_ASAR="$APP_PATH/Contents/Resources/app.asar" CLI_PATH="$APP_PATH/Contents/Resources/codex" PORT="${CODEX_WEBUI_PORT:-5999}" TOKEN="" ORIGINS="" KEEP_TEMP=0 NO_OPEN=0 USER_DATA_DIR="" BRIDGE_PATH="$(cd "$(dirname "$0")" && pwd)/webui-bridge.js" AUTO_INSTALL_TOOLS="${AUTO_INSTALL_TOOLS:-1}" usage() { cat <<'USAGE' Usage: launch_codex_webui_unpacked.sh [options] [-- ] Options: --app Codex.app path --port webui port (default: 5999) --token pass --token for auth --origins pass --origins allowlist --bridge standalone webui-bridge.js path --user-data-dir chromium user data dir override --no-open don't open browser --keep-temp keep temp extracted app dir -h, --help USAGE } activate_homebrew_path() { if command -v brew >/dev/null 2>&1; then eval "$(brew shellenv)" >/dev/null 2>&1 || true return fi local brew_bin for brew_bin in /opt/homebrew/bin/brew /usr/local/bin/brew; do if [[ -x "$brew_bin" ]]; then eval "$("$brew_bin" shellenv)" >/dev/null 2>&1 || export PATH="$(dirname "$brew_bin"):$PATH" return fi done } ensure_homebrew() { activate_homebrew_path if command -v brew >/dev/null 2>&1; then return 0 fi if [[ "$AUTO_INSTALL_TOOLS" != "1" ]]; then echo "Missing Homebrew (set AUTO_INSTALL_TOOLS=1 to allow auto-install)." >&2 return 1 fi command -v curl >/dev/null 2>&1 || { echo "curl is required to install Homebrew automatically." >&2 return 1 } echo "Homebrew not found. Installing Homebrew..." if ! NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"; then return 1 fi activate_homebrew_path command -v brew >/dev/null 2>&1 || { echo "Homebrew install completed, but brew is still unavailable in PATH." >&2 return 1 } return 0 } ensure_brew_package() { local command_name="$1" local package_name="$2" if command -v "$command_name" >/dev/null 2>&1; then return fi ensure_homebrew || return 1 echo "Installing missing tool: $package_name" brew list "$package_name" >/dev/null 2>&1 || brew install "$package_name" || return 1 activate_homebrew_path command -v "$command_name" >/dev/null 2>&1 || { echo "Failed to install required tool: $command_name" >&2 return 1 } return 0 } install_node_with_nvm() { if [[ "$AUTO_INSTALL_TOOLS" != "1" ]]; then return 1 fi command -v curl >/dev/null 2>&1 || return 1 export NVM_DIR="${NVM_DIR:-$HOME/.nvm}" if [[ ! -s "$NVM_DIR/nvm.sh" ]]; then echo "Installing nvm (user-space) to bootstrap Node.js..." if ! curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash >/dev/null; then return 1 fi fi [[ -s "$NVM_DIR/nvm.sh" ]] || return 1 # shellcheck disable=SC1090 source "$NVM_DIR/nvm.sh" || return 1 nvm install --lts >/dev/null || return 1 nvm use --lts >/dev/null || return 1 command -v node >/dev/null 2>&1 && command -v npx >/dev/null 2>&1 } install_node_with_fnm() { if [[ "$AUTO_INSTALL_TOOLS" != "1" ]]; then return 1 fi command -v curl >/dev/null 2>&1 || return 1 command -v unzip >/dev/null 2>&1 || return 1 local fnm_dir="${FNM_DIR:-$HOME/.local/share/fnm}" local fnm_bin="$fnm_dir/fnm" if ! command -v fnm >/dev/null 2>&1; then echo "Installing fnm (user-space) to bootstrap Node.js..." local tag asset tmp_dir tag="$(curl -fsSL https://api.github.com/repos/Schniz/fnm/releases/latest | sed -n 's/.*"tag_name":[[:space:]]*"$[^"]*$".*/\1/p' | head -n 1)" [[ -n "$tag" ]] || return 1 case "$(uname -s)" in Darwin) asset="fnm-macos.zip" ;; Linux) case "$(uname -m)" in arm64|aarch64) asset="fnm-arm64.zip" ;; x86_64|amd64) asset="fnm-linux.zip" ;; *) return 1 ;; esac ;; *) return 1 ;; esac tmp_dir="$(mktemp -d)" if ! curl -fsSL "https://github.com/Schniz/fnm/releases/download/$tag/$asset" -o "$tmp_dir/fnm.zip"; then rm -rf "$tmp_dir" return 1 fi mkdir -p "$fnm_dir" if ! unzip -oq "$tmp_dir/fnm.zip" -d "$fnm_dir"; then rm -rf "$tmp_dir" return 1 fi chmod +x "$fnm_bin" >/dev/null 2>&1 || true rm -rf "$tmp_dir" fi if [[ -x "$fnm_bin" ]]; then export PATH="$fnm_dir:$PATH" fi command -v fnm >/dev/null 2>&1 || return 1 # shellcheck disable=SC2046 eval "$(fnm env --shell bash)" || return 1 fnm install --lts >/dev/null || return 1 fnm use lts-latest >/dev/null || return 1 command -v node >/dev/null 2>&1 && command -v npx >/dev/null 2>&1 } ensure_required_tools() { if ! command -v node >/dev/null 2>&1 || ! command -v npx >/dev/null 2>&1; then ensure_brew_package node node || install_node_with_nvm || install_node_with_fnm || { echo "Failed to install Node.js/npx automatically." >&2 exit 1 } fi command -v node >/dev/null 2>&1 || { echo "node is required" >&2; exit 1; } command -v npx >/dev/null 2>&1 || { echo "npx is required" >&2; exit 1; } } has_pattern() { local pattern="$1" local file="$2" if command -v rg >/dev/null 2>&1; then rg -q -- "$pattern" "$file" else grep -Eq -- "$pattern" "$file" fi } write_main_injection_chunk() { local dest="$1" cat > "$dest" <<'JS' /*__CODEX_WEBUI_RUNTIME_PATCH__*/ ;(() => { if (globalThis.__CODEX_WEBUI_RUNTIME_PATCHED__) return; globalThis.__CODEX_WEBUI_RUNTIME_PATCHED__ = true; function webUiParsePortArg(value, fallback) { const parsed = Number.parseInt(String(value ?? ""), 10); return Number.isFinite(parsed) && parsed >= 1 && parsed <= 65535 ? parsed : fallback; } function webUiParseCliOptions(argv = process.argv, env = process.env) { let enabled = false; let port = webUiParsePortArg(env.CODEX_WEBUI_PORT, 3210); let token = (env.CODEX_WEBUI_TOKEN ?? "").trim(); let origins = (env.CODEX_WEBUI_ORIGINS ?? "") .split(",") .map((x) => x.trim()) .filter(Boolean); for (let i = 0; i < argv.length; i += 1) { const arg = argv[i]; if (arg === "--webui") { enabled = true; continue; } if (arg === "--port" && i + 1 < argv.length) { port = webUiParsePortArg(argv[i + 1], port); i += 1; continue; } if (arg.startsWith("--port=")) { port = webUiParsePortArg(arg.slice("--port=".length), port); continue; } if (arg === "--token" && i + 1 < argv.length) { token = String(argv[i + 1] ?? "").trim(); i += 1; continue; } if (arg.startsWith("--token=")) { token = arg.slice("--token=".length).trim(); continue; } if (arg.startsWith("--origins=")) { origins = arg .slice("--origins=".length) .split(",") .map((x) => x.trim()) .filter(Boolean); continue; } } return { enabled, port, token, origins }; } const webUiOptions = webUiParseCliOptions(); if (!webUiOptions.enabled) return; const electron = require("electron"); const app = electron?.app; const BrowserWindow = electron?.BrowserWindow; if (!app || !BrowserWindow) { console.error("[webui] Electron app APIs unavailable."); return; } const http = require("node:http"); const fs = require("node:fs"); const path = require("node:path"); const crypto = require("node:crypto"); const { EventEmitter } = require("node:events"); let webUiAppIsQuitting = false; function webUiFormatError(err) { if (!err) return "Unknown error"; if (typeof err === "string") return err; if (typeof err.message === "string" && err.message.length > 0) return err.message; try { return JSON.stringify(err); } catch { return String(err); } } const webUiLogger = (() => { try { if (typeof Xt === "function") { const logger = Xt(); if (logger && typeof logger.info === "function" && typeof logger.warning === "function") { return logger; } } } catch {} return { info(message, data) { console.info(`[webui] ${message}`, data ?? ""); }, warning(message, data) { console.warn(`[webui] ${message}`, data ?? ""); }, }; })(); class WebUiSocket extends EventEmitter { constructor(socket) { super(); this.socket = socket; this.readyState = WebUiSocket.OPEN; this.closed = false; this.buffer = Buffer.alloc(0); socket.on("data", (chunk) => this.onData(chunk)); socket.on("error", (err) => { // Avoid unhandled EventEmitter "error" crashes on transient socket resets. this.emit("ws-error", err); this.finishClose(1006, String(err?.code ?? "socket-error")); }); socket.on("close", () => { this.finishClose(1006, ""); }); socket.on("end", () => { this.finishClose(1006, ""); }); } send(data, callback) { if (this.readyState !== WebUiSocket.OPEN) { if (typeof callback === "function") callback(new Error("Socket is not open")); return; } const payload = Buffer.isBuffer(data) ? data : Buffer.from(String(data)); const frame = WebUiSocket.buildFrame(0x1, payload); this.socket.write(frame, callback); } close(code = 1000, reason = "") { if (this.readyState === WebUiSocket.CLOSED || this.readyState === WebUiSocket.CLOSING) return; this.readyState = WebUiSocket.CLOSING; let payload; try { const reasonBuf = Buffer.from(String(reason)); payload = Buffer.allocUnsafe(2 + reasonBuf.length); payload.writeUInt16BE(code, 0); reasonBuf.copy(payload, 2); } catch { payload = Buffer.from([0x03, 0xe8]); } this.socket.write(WebUiSocket.buildFrame(0x8, payload), () => { this.socket.end(); }); } onData(chunk) { this.buffer = this.buffer.length === 0 ? chunk : Buffer.concat([this.buffer, chunk]); while (this.buffer.length >= 2) { const first = this.buffer[0]; const second = this.buffer[1]; const fin = (first & 0x80) !== 0; const opcode = first & 0x0f; const masked = (second & 0x80) !== 0; let payloadLen = second & 0x7f; let offset = 2; if (payloadLen === 126) { if (this.buffer.length < 4) return; payloadLen = this.buffer.readUInt16BE(2); offset = 4; } else if (payloadLen === 127) { if (this.buffer.length < 10) return; const high = this.buffer.readUInt32BE(2); const low = this.buffer.readUInt32BE(6); payloadLen = high * 2 ** 32 + low; if (!Number.isSafeInteger(payloadLen)) { this.close(1009, "Frame too large"); return; } offset = 10; } let mask; if (masked) { if (this.buffer.length < offset + 4) return; mask = this.buffer.subarray(offset, offset + 4); offset += 4; } if (this.buffer.length < offset + payloadLen) return; let payload = this.buffer.subarray(offset, offset + payloadLen); this.buffer = this.buffer.subarray(offset + payloadLen); if (masked && mask) { payload = Buffer.from(payload); for (let i = 0; i < payload.length; i += 1) { payload[i] ^= mask[i & 3]; } } if (!fin) { this.close(1003, "Fragmented frames are not supported"); return; } if (opcode === 0x1) { this.emit("message", payload); continue; } if (opcode === 0x8) { let code = 1000; let reason = ""; if (payload.length >= 2) { code = payload.readUInt16BE(0); reason = payload.subarray(2).toString(); } if (this.readyState === WebUiSocket.OPEN) { this.socket.write(WebUiSocket.buildFrame(0x8, payload), () => { this.socket.end(); }); } this.finishClose(code, reason); return; } if (opcode === 0x9) { this.socket.write(WebUiSocket.buildFrame(0xA, payload)); continue; } if (opcode === 0xA) { continue; } this.close(1003, "Unsupported opcode"); return; } } finishClose(code, reason) { if (this.closed) return; this.closed = true; this.readyState = WebUiSocket.CLOSED; this.emit("close", code, reason); } static buildFrame(opcode, payload) { const len = payload.length; let headerLen = 2; if (len >= 126 && len <= 65535) headerLen = 4; else if (len > 65535) headerLen = 10; const out = Buffer.allocUnsafe(headerLen + len); out[0] = 0x80 | (opcode & 0x0f); if (headerLen === 2) { out[1] = len; payload.copy(out, 2); } else if (headerLen === 4) { out[1] = 126; out.writeUInt16BE(len, 2); payload.copy(out, 4); } else { out[1] = 127; const high = Math.floor(len / 2 ** 32); const low = len >>> 0; out.writeUInt32BE(high, 2); out.writeUInt32BE(low, 6); payload.copy(out, 10); } return out; } } WebUiSocket.CONNECTING = 0; WebUiSocket.OPEN = 1; WebUiSocket.CLOSING = 2; WebUiSocket.CLOSED = 3; class WebUiSocketServer extends EventEmitter { handleUpgrade(req, socket, head, callback) { const upgrade = String(req.headers.upgrade ?? "").toLowerCase(); const key = req.headers["sec-websocket-key"]; if (upgrade !== "websocket" || typeof key !== "string" || key.length === 0) { socket.write("HTTP/1.1 400 Bad Request\r\n\r\n"); socket.destroy(); return; } const accept = crypto .createHash("sha1") .update(`${key}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`) .digest("base64"); const headers = [ "HTTP/1.1 101 Switching Protocols", "Upgrade: websocket", "Connection: Upgrade", `Sec-WebSocket-Accept: ${accept}`, ]; socket.write(`${headers.join("\r\n")}\r\n\r\n`); if (head && head.length > 0) socket.unshift(head); const ws = new WebUiSocket(socket); callback(ws, req); } close() { this.emit("close"); } } function webUiTokensEqual(a, b) { if (!a || !b) return false; try { const left = Buffer.from(a); const right = Buffer.from(b); return left.length === right.length && crypto.timingSafeEqual(left, right); } catch { return false; } } function webUiParseCookieHeader(value) { if (!value) return {}; return value .split(";") .map((part) => part.trim()) .filter(Boolean) .reduce((acc, segment) => { const idx = segment.indexOf("="); if (idx <= 0) return acc; const key = segment.slice(0, idx).trim(); const raw = segment.slice(idx + 1).trim(); try { acc[key] = decodeURIComponent(raw); } catch { acc[key] = raw; } return acc; }, {}); } function webUiExtractAuthToken(req, parsedUrl) { const auth = req.headers.authorization; if (typeof auth === "string" && auth.startsWith("Bearer ")) return auth.slice(7).trim(); const headerToken = req.headers["x-codex-webui-token"]; if (typeof headerToken === "string" && headerToken.trim()) return headerToken.trim(); const qpToken = parsedUrl.searchParams.get("token"); if (qpToken && qpToken.trim()) return qpToken.trim(); const cookieToken = webUiParseCookieHeader(req.headers.cookie ?? "").codex_webui_token; return typeof cookieToken === "string" ? cookieToken.trim() : ""; } function webUiResolveAssetPath(rootDir, requestPath) { let decoded; try { decoded = decodeURIComponent(requestPath); } catch { return null; } const rel = decoded === "/" ? "index.html" : decoded.replace(/^[/\\]+/, ""); const root = path.resolve(rootDir); const resolved = path.resolve(root, rel); return resolved === root || resolved.startsWith(`${root}${path.sep}`) ? resolved : null; } function webUiSetResponseSecurityHeaders(res) { res.setHeader("X-Content-Type-Options", "nosniff"); res.setHeader("X-Frame-Options", "DENY"); res.setHeader("Referrer-Policy", "no-referrer"); res.setHeader("Cross-Origin-Resource-Policy", "same-origin"); } function webUiInjectRuntimeScripts(html) { if (html.includes('/webui-bridge.js')) return html; const injection = "\n \n \n"; return html.includes("") ? html.replace("", `${injection}`) : `${injection}${html}`; } async function webUiInvokeElectronBridgeMethod(windowRef, method, args) { if (windowRef.isDestroyed() || windowRef.webContents.isDestroyed()) { throw new Error("WebUI bridge window is not available."); } const methodJson = JSON.stringify(method); const argsJson = JSON.stringify(args ?? []); const code = ` Promise.resolve().then(async () => { const bridge = window.electronBridge; if (!bridge || typeof bridge[${methodJson}] !== "function") { return null; } return await bridge[${methodJson}](...${argsJson}); }); `; return windowRef.webContents.executeJavaScript(code, true); } async function webUiDispatchMessageFromView(bridgeWindow, context, payload) { // Prefer the renderer bridge API; it is stable across minified builds. const bridged = await webUiInvokeElectronBridgeMethod(bridgeWindow, "sendMessageFromView", [ payload, ]); if (bridged !== null) return; // Fallback for older/newer app internals. if (context && typeof context.handleMessage === "function") { await context.handleMessage(bridgeWindow.webContents, payload); return; } throw new Error("No message dispatch handler available for WebUI bridge"); } async function waitForPrimaryWindow(timeoutMs = 30000) { const start = Date.now(); while (Date.now() - start < timeoutMs) { const win = BrowserWindow.getAllWindows().find((candidate) => candidate && !candidate.isDestroyed()); if (win && !win.isDestroyed()) return win; await new Promise((resolve) => setTimeout(resolve, 50)); } return null; } function webUiForceWindowHidden(win) { if (!win || win.isDestroyed()) return; const hideNow = () => { try { win.hide(); } catch {} }; hideNow(); if (!win.__codexWebUiShowPatched) { win.__codexWebUiShowPatched = true; if (typeof win.show === "function") { win.show = () => { hideNow(); }; } if (typeof win.showInactive === "function") { win.showInactive = () => { hideNow(); }; } } win.on("show", () => { setTimeout(hideNow, 0); }); } async function webUiStartBridgeRuntime({ bridgeWindow, context }) { const assetRoot = path.join(app.getAppPath(), "webview"); const host = "0.0.0.0"; const authRequired = !!webUiOptions.token; const token = authRequired && !webUiOptions.token ? crypto.randomBytes(24).toString("hex") : webUiOptions.token; const originAllowlist = new Set(webUiOptions.origins); const sockets = new Set(); let cachedIndexHtml = ""; const originAllowed = (origin, hostHeader) => { if (typeof origin !== "string") return false; if (originAllowlist.size > 0) return originAllowlist.has(origin); try { return origin.length === 0 ? true : new URL(origin).host === hostHeader; } catch { return false; } }; const broadcast = (packet) => { if (sockets.size === 0) return; let serialized; try { serialized = JSON.stringify(packet); } catch { return; } for (const ws of sockets) { if (ws.readyState !== WebUiSocket.OPEN) continue; ws.send(serialized, (err) => { if (err) { webUiLogger.warning("WebUI socket send failed", { message: webUiFormatError(err), }); } }); } }; const originalSend = bridgeWindow.webContents.send.bind(bridgeWindow.webContents); bridgeWindow.webContents.send = (channel, ...args) => { const payload = args.find( (value) => value && typeof value === "object" && !Array.isArray(value) && typeof value.type === "string", ); if (payload) { broadcast({ kind: "message-for-view", payload, }); } else if ( typeof channel === "string" && channel.startsWith("codex_desktop:worker:") && channel.endsWith(":for-view") ) { broadcast({ kind: "worker-message-for-view", workerId: channel.slice("codex_desktop:worker:".length, -":for-view".length), payload: args[0], }); } originalSend(channel, ...args); }; const server = http.createServer(async (req, res) => { const parsedUrl = new URL(req.url ?? "/", `http://${req.headers.host ?? "127.0.0.1"}`); webUiSetResponseSecurityHeaders(res); if (authRequired) { const provided = webUiExtractAuthToken(req, parsedUrl); if (!webUiTokensEqual(provided, token)) { res.statusCode = 401; res.setHeader("Content-Type", "text/plain; charset=utf-8"); res.end("Unauthorized"); return; } if (parsedUrl.searchParams.get("token")) { res.setHeader( "Set-Cookie", `codex_webui_token=${encodeURIComponent(token)}; Path=/; HttpOnly; SameSite=Lax`, ); } } if (parsedUrl.pathname === "/webui-config.js") { const config = JSON.stringify({ wsPath: "/ws", buildFlavor: process.env.BUILD_FLAVOR ?? "prod", sentryInitOptions: null, appSessionId: null, }); res.setHeader("Content-Type", "application/javascript; charset=utf-8"); res.setHeader("Cache-Control", "no-store"); res.end(`window.__CODEX_WEBUI_CONFIG__=${config};`); return; } let assetPath = webUiResolveAssetPath(assetRoot, parsedUrl.pathname); if (parsedUrl.pathname === "/" || parsedUrl.pathname === "/index.html") { assetPath = path.join(assetRoot, "index.html"); } if (assetPath) { try { const stat = await fs.promises.stat(assetPath); if (stat.isFile()) { if (path.basename(assetPath) === "index.html") { if (!cachedIndexHtml) { cachedIndexHtml = webUiInjectRuntimeScripts(await fs.promises.readFile(assetPath, "utf8")); } res.setHeader("Content-Type", "text/html; charset=utf-8"); res.setHeader("Cache-Control", "no-store"); res.end(cachedIndexHtml); return; } const ext = path.extname(assetPath).toLowerCase(); const mime = ext === ".html" ? "text/html" : ext === ".js" || ext === ".mjs" ? "application/javascript" : ext === ".css" ? "text/css" : ext === ".json" || ext === ".map" ? "application/json" : ext === ".svg" ? "image/svg+xml" : ext === ".png" ? "image/png" : ext === ".jpg" || ext === ".jpeg" ? "image/jpeg" : ext === ".gif" ? "image/gif" : ext === ".webp" ? "image/webp" : ext === ".ico" ? "image/x-icon" : ext === ".txt" ? "text/plain" : ext === ".wasm" ? "application/wasm" : "application/octet-stream"; res.setHeader( "Content-Type", mime.includes("charset") ? mime : `${mime}; charset=utf-8`, ); res.setHeader("Cache-Control", "no-store"); fs.createReadStream(assetPath) .on("error", (err) => { webUiLogger.warning("WebUI static stream failed", { message: webUiFormatError(err), }); if (!res.headersSent) { res.statusCode = 500; res.setHeader("Content-Type", "text/plain; charset=utf-8"); } res.end("Internal Server Error"); }) .pipe(res); return; } } catch { // fall through to SPA fallback } } if ( parsedUrl.pathname === "/api" || parsedUrl.pathname.startsWith("/api/") || parsedUrl.pathname === "/auth" || parsedUrl.pathname.startsWith("/auth/") || parsedUrl.pathname === "/ws" ) { res.statusCode = 404; res.setHeader("Content-Type", "text/plain; charset=utf-8"); res.end("Not Found"); return; } const indexPath = path.join(assetRoot, "index.html"); try { if (!cachedIndexHtml) { cachedIndexHtml = webUiInjectRuntimeScripts(await fs.promises.readFile(indexPath, "utf8")); } } catch { cachedIndexHtml = "

Web UI unavailable

"; } res.setHeader("Content-Type", "text/html; charset=utf-8"); res.setHeader("Cache-Control", "no-store"); res.end(cachedIndexHtml); }); const wss = new WebUiSocketServer(); server.on("upgrade", (req, socket, head) => { const parsedUrl = new URL(req.url ?? "/", `http://${req.headers.host ?? "127.0.0.1"}`); if (parsedUrl.pathname !== "/ws") { socket.write("HTTP/1.1 404 Not Found\r\n\r\n"); socket.destroy(); return; } if (!originAllowed(req.headers.origin ?? "", req.headers.host ?? "")) { socket.write("HTTP/1.1 403 Forbidden\r\n\r\n"); socket.destroy(); return; } if (authRequired && !webUiTokensEqual(webUiExtractAuthToken(req, parsedUrl), token)) { socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n"); socket.destroy(); return; } wss.handleUpgrade(req, socket, head, (ws) => { // Single active client policy: newer tab takes over and prior tabs are disconnected. for (const existing of sockets) { try { existing.send( JSON.stringify({ kind: "bridge-error", message: "Another tab took over this session", }), ); existing.close(1012, "Replaced by newer client tab"); } catch {} } sockets.add(ws); ws.on("close", () => { sockets.delete(ws); }); ws.on("ws-error", (err) => { webUiLogger.warning("WebUI socket error", { message: webUiFormatError(err), }); }); let bucketStart = Date.now(); let count = 0; const inboundLimit = 5000; ws.on("message", async (raw) => { const now = Date.now(); if (now - bucketStart > 60000) { bucketStart = now; count = 0; } count += 1; if (count > inboundLimit) { webUiLogger.warning("WebUI inbound rate limit exceeded", { count, limit: inboundLimit, }); ws.close(1008, "Rate limit exceeded"); return; } let packet; try { packet = JSON.parse(String(raw)); } catch { ws.send( JSON.stringify({ kind: "bridge-error", message: "Invalid payload", }), ); return; } try { if (packet?.kind === "message-from-view") { const payload = packet.payload; if (!payload || typeof payload.type !== "string") return; await webUiDispatchMessageFromView(bridgeWindow, context, payload); if (payload.type === "ready") { broadcast({ kind: "message-for-view", payload: { type: "ipc-broadcast", method: "client-status-changed", sourceClientId: null, version: 1, params: { status: "connected" }, }, }); } return; } if (packet?.kind === "worker-message-from-view") { if (typeof packet.workerId !== "string" || packet.workerId.length === 0) return; await webUiInvokeElectronBridgeMethod(bridgeWindow, "sendWorkerMessageFromView", [ packet.workerId, packet.payload, ]); return; } if (packet?.kind === "trigger-sentry-test") { await webUiInvokeElectronBridgeMethod(bridgeWindow, "triggerSentryTestError", []); return; } } catch (err) { webUiLogger.warning("WebUI bridge dispatch failed", { message: webUiFormatError(err), }); ws.send( JSON.stringify({ kind: "bridge-error", message: "Bridge dispatch failed", }), ); } }); }); }); await new Promise((resolve, reject) => { server.once("error", reject); server.listen(webUiOptions.port, host, () => { const address = server.address(); if (typeof address === "object" && address && "port" in address) { webUiOptions.port = address.port; } server.off("error", reject); resolve(); }); }); webUiLogger.info("WebUI bridge started", { host, port: webUiOptions.port, authRequired, originAllowlist: [...originAllowlist], }); if (authRequired) { webUiLogger.info("WebUI access token", { token }); } return { host, port: webUiOptions.port, token: authRequired ? token : "", dispose: async () => { wss.close(); for (const ws of sockets) { try { ws.close(1001, "Server shutting down"); } catch {} } sockets.clear(); await new Promise((resolve) => { server.close(() => resolve()); }); bridgeWindow.webContents.send = originalSend; }, }; } let webUiRuntime = null; let webUiBridgeWindow = null; let webUiStartPromise = null; async function webUiStart() { if (webUiStartPromise) return webUiStartPromise; webUiStartPromise = (async () => { const primaryWindow = await waitForPrimaryWindow(); if (!primaryWindow) throw new Error("Timed out waiting for primary window"); webUiBridgeWindow = primaryWindow; webUiForceWindowHidden(primaryWindow); const preventClose = (event) => { if (!webUiAppIsQuitting) { event.preventDefault(); webUiForceWindowHidden(primaryWindow); } }; primaryWindow.on("close", preventClose); primaryWindow.on("minimize", () => { webUiForceWindowHidden(primaryWindow); }); webUiRuntime = await webUiStartBridgeRuntime({ bridgeWindow: primaryWindow, context: null, }); return webUiRuntime; })(); return webUiStartPromise; } app.on("browser-window-created", (_event, win) => { if (!webUiOptions.enabled) return; if (win && !win.isDestroyed()) { webUiForceWindowHidden(win); win.once("ready-to-show", () => { webUiForceWindowHidden(win); }); setImmediate(() => { webUiForceWindowHidden(win); }); } }); app.whenReady().then(() => { webUiStart().catch((err) => { webUiLogger.warning("WebUI runtime start failed", { message: webUiFormatError(err), }); }); }); app.on("before-quit", () => { webUiAppIsQuitting = true; }); app.on("activate", () => { if (!webUiOptions.enabled) return; const win = webUiBridgeWindow ?? BrowserWindow.getAllWindows().find((candidate) => candidate && !candidate.isDestroyed()); if (win && !win.isDestroyed()) { webUiForceWindowHidden(win); } }); app.on("will-quit", () => { if (webUiRuntime && typeof webUiRuntime.dispose === "function") { webUiRuntime.dispose().catch((err) => { webUiLogger.warning("WebUI shutdown failed", { message: webUiFormatError(err), }); }); webUiRuntime = null; } }); })(); JS } apply_main_chunk() { local main_file="$1" local chunk_file="$2" node - "$main_file" "$chunk_file" <<'NODE' const fs = require("node:fs"); const mainFile = process.argv[2]; const chunkFile = process.argv[3]; const marker = "/*__CODEX_WEBUI_RUNTIME_PATCH__*/"; let source = fs.readFileSync(mainFile, "utf8"); if (source.includes(marker)) { process.exit(0); } const chunk = fs.readFileSync(chunkFile, "utf8"); const mapIndex = source.lastIndexOf("//# sourceMappingURL="); if (mapIndex >= 0) { source = `${source.slice(0, mapIndex)}\n${chunk}\n${source.slice(mapIndex)}`; } else { source = `${source}\n${chunk}\n`; } fs.writeFileSync(mainFile, source, "utf8"); NODE } patch_renderer_bundle() { local renderer_file="$1" node - "$renderer_file" <<'NODE' const fs = require("node:fs"); const rendererFile = process.argv[2]; let source = fs.readFileSync(rendererFile, "utf8"); if (/!Array\.isArray$[A-Za-z_$][\w$]*\.roots$/.test(source)) { process.exit(0); } // Older bundle shape (kept for compatibility). const find = "if(!v)return;const M=v.roots.map(A4),A=g.current;"; const replace = "if(!v||!Array.isArray(v.roots))return;const M=v.roots.map(A4),A=g.current;"; if (source.includes(find)) { source = source.replace(find, replace); fs.writeFileSync(rendererFile, source, "utf8"); process.exit(0); } // Newer bundle shape where minified variable names change between builds. const generic = /if$!([A-Za-z_$][\w$]*)$return;const ([A-Za-z_$][\w$]*)=\1\.roots\.map$([A-Za-z_$][\w$]*)$,([A-Za-z_$][\w$]*)=([A-Za-z_$][\w$]*)\.current;/; if (generic.test(source)) { source = source.replace( generic, "if(!$1||!Array.isArray($1.roots))return;const $2=$1.roots.map($3),$4=$5.current;" ); fs.writeFileSync(rendererFile, source, "utf8"); process.exit(0); } // Bundle shape with `const M=v.roots.map(A4),A=g.current;` and no preceding guard. const rootsMapOnly = /const ([A-Za-z_$][\w$]*)=([A-Za-z_$][\w$]*)\.roots\.map$([A-Za-z_$][\w$]*)$,([A-Za-z_$][\w$]*)=([A-Za-z_$][\w$]*)\.current;/; if (rootsMapOnly.test(source)) { source = source.replace( rootsMapOnly, "if(!$2||!Array.isArray($2.roots))return;const $1=$2.roots.map($3),$4=$5.current;" ); fs.writeFileSync(rendererFile, source, "utf8"); process.exit(0); } console.error("Renderer guard patch anchor not found."); process.exit(1); NODE } EXTRA_ARGS=() while (($#)); do case "$1" in --app) APP_PATH="${2:?missing value}"; APP_ASAR="$APP_PATH/Contents/Resources/app.asar"; CLI_PATH="$APP_PATH/Contents/Resources/codex"; shift 2 ;; --port) PORT="${2:?missing value}"; shift 2 ;; --token) TOKEN="${2:?missing value}"; shift 2 ;; --origins) ORIGINS="${2:?missing value}"; shift 2 ;; --bridge) BRIDGE_PATH="${2:?missing value}"; shift 2 ;; --user-data-dir) USER_DATA_DIR="${2:?missing value}"; shift 2 ;; --no-open) NO_OPEN=1; shift ;; --keep-temp) KEEP_TEMP=1; shift ;; -h|--help) usage; exit 0 ;; --) shift; EXTRA_ARGS+=("$@"); break ;; *) EXTRA_ARGS+=("$1"); shift ;; esac done [[ -f "$APP_ASAR" ]] || { echo "Missing app.asar: $APP_ASAR" >&2; exit 1; } [[ -x "$CLI_PATH" ]] || { echo "Missing codex binary: $CLI_PATH" >&2; exit 1; } [[ -f "$BRIDGE_PATH" ]] || { echo "Missing standalone bridge file: $BRIDGE_PATH" >&2; exit 1; } ensure_required_tools WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/codex-webui-unpacked.XXXXXX")" APP_DIR="$WORKDIR/app" if [[ -z "$USER_DATA_DIR" ]]; then USER_DATA_DIR="$WORKDIR/user-data" fi cleanup() { if [[ "$KEEP_TEMP" -eq 0 ]]; then rm -rf "$WORKDIR" else echo "Kept temp dir: $WORKDIR" fi } trap cleanup EXIT echo "Extracting app.asar to: $APP_DIR" npx -y @electron/asar extract "$APP_ASAR" "$APP_DIR" target_main_js_rel="$(sed -nE 's@.*(main-[A-Za-z0-9_-]+\.js).*@\1@p' "$APP_DIR/.vite/build/main.js" | head -n1 || true)" target_renderer_js_rel="$(sed -nE 's@.*assets/(index-[A-Za-z0-9_-]+\.js).*@\1@p' "$APP_DIR/webview/index.html" | head -n1 || true)" [[ -n "$target_main_js_rel" && -n "$target_renderer_js_rel" ]] || { echo "Failed resolving target bundle names" >&2; exit 1; } MAIN_CHUNK_FILE="$WORKDIR/main-webui.chunk.js" write_main_injection_chunk "$MAIN_CHUNK_FILE" apply_main_chunk "$APP_DIR/.vite/build/$target_main_js_rel" "$MAIN_CHUNK_FILE" patch_renderer_bundle "$APP_DIR/webview/assets/$target_renderer_js_rel" cp "$BRIDGE_PATH" "$APP_DIR/webview/webui-bridge.js" has_pattern '__CODEX_WEBUI_RUNTIME_PATCH__' "$APP_DIR/.vite/build/$target_main_js_rel" || { echo "Patched main missing runtime marker" >&2; exit 1; } has_pattern '!Array\.isArray$[[:alnum:]_$]+\.roots$' "$APP_DIR/webview/assets/$target_renderer_js_rel" || { echo "Patched renderer missing roots guard" >&2; exit 1; } has_pattern 'sendMessageFromView' "$APP_DIR/webview/webui-bridge.js" || { echo "Bridge file looks invalid" >&2; exit 1; } CMD=(npx -y electron "--user-data-dir=$USER_DATA_DIR" "$APP_DIR" --webui --port "$PORT") if [[ -n "$TOKEN" ]]; then CMD+=(--token "$TOKEN") fi if [[ -n "$ORIGINS" ]]; then CMD+=(--origins "$ORIGINS") fi if ((${#EXTRA_ARGS[@]})); then CMD+=("${EXTRA_ARGS[@]}") fi unset ELECTRON_RUN_AS_NODE export ELECTRON_FORCE_IS_PACKAGED=true export BUILD_FLAVOR=prod export NODE_ENV=production export CODEX_CLI_PATH="$CLI_PATH" export CUSTOM_CLI_PATH="$CLI_PATH" echo "App dir: $APP_DIR" echo "User data dir: $USER_DATA_DIR" printf 'Command:'; printf ' %q' "${CMD[@]}"; echo if [[ "$NO_OPEN" -eq 0 ]]; then ( if command -v curl >/dev/null 2>&1; then for _ in {1..120}; do if curl -fsS "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then open "http://127.0.0.1:${PORT}/" >/dev/null 2>&1 || true exit 0 fi sleep 0.25 done else sleep 1 open "http://127.0.0.1:${PORT}/" >/dev/null 2>&1 || true fi ) & fi exec "${CMD[@]}"