Fix dynamic chat models and Codex spark handling

Author: 0x4007

deno.json

@@ -1,7 +1,11 @@
 {
   "tasks": {
     "dev": "deno serve --watch --env --allow-env --allow-net --allow-read --unstable-kv serve.ts",
+    "dev:play": "deno task dev:local",
+    "dev:local": "sh -c 'if [ -z \"${CODEX_AUTH_JSON_B64:-}\" ]; then if [ -f \"$HOME/.codex/auth.json\" ]; then export CODEX_AUTH_JSON_B64=\"$(base64 < \"$HOME/.codex/auth.json\" | tr -d \"\\n\")\"; echo \"Loaded CODEX_AUTH_JSON_B64 from ~/.codex/auth.json\"; else echo \"No CODEX_AUTH_JSON_B64 and no ~/.codex/auth.json found. /v1/models will return 503 until auth is configured.\"; fi; fi; if [ -f .env ]; then source .env; fi; deno serve --watch --allow-env --allow-net --allow-read --unstable-kv serve.ts'",
     "ubq-ai": "deno run --env --allow-env --allow-net --allow-read scripts/ubq-ai.ts",
+    "admin:models": "sh -c 'BASE_URL=${BASE_URL:-http://localhost:8000}; if [ -z \"${DENO_DEPLOY_TOKEN:-}\" ]; then echo \"DENO_DEPLOY_TOKEN is required for admin endpoints.\" >&2; exit 1; fi; curl -sS -H \"Authorization: Bearer ${DENO_DEPLOY_TOKEN}\" ${BASE_URL}/admin/codex/models'",
+    "admin:models:spark": "sh -c 'BASE_URL=${BASE_URL:-http://localhost:8000}; if [ -z \"${DENO_DEPLOY_TOKEN:-}\" ]; then echo \"DENO_DEPLOY_TOKEN is required for admin endpoints.\" >&2; exit 1; fi; curl -sS -H \"Authorization: Bearer ${DENO_DEPLOY_TOKEN}\" ${BASE_URL}/admin/codex/models | jq -r \".data.models[]?.slug // empty | select(contains(\\\"-spark\\\"))\"'",
     "upload:auth": "deno run --env --allow-env --allow-net --allow-read scripts/upload-codex-auth.ts",
     "keys:create": "deno run --env --allow-env --allow-net --allow-read scripts/ubq-ai.ts admin keys create",
     "keys:list": "deno run --env --allow-env --allow-net --allow-read scripts/ubq-ai.ts admin keys list",

src/codex.ts

@@ -6,7 +6,7 @@ import type { CodexAuthState, ResponseInputItem } from "./types.ts";
 const CODEX_REFRESH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 const CODEX_REFRESH_TOKEN_URL = "https://auth.openai.com/oauth/token";
 const CODEX_ORIGINATOR = "codex_cli_rs";
-const CODEX_USER_AGENT = "codex_cli_rs/0.99.0 (ai.ubq.fi)";
+const CODEX_USER_AGENT = "codex_cli_rs/0.100.0 (ai.ubq.fi)";
 const CODEX_CLIENT_VERSION = (() => {
   const match = CODEX_USER_AGENT.match(/codex_cli_rs\/([0-9]+(?:\.[0-9]+){1,2})/);
   return match ? match[1] : null;
@@ -111,44 +111,106 @@ export const cacheCodexAuth = (auth: CodexAuthState): void => {
 };
 
 const loadAuthSeedFromEnv = (): CodexAuthState => {
-  if (!config.codexAuthJsonB64) {
+  if (config.isDeploy) {
+    if (!config.codexAuthJsonB64) {
+      throw new CodexError(
+        "Codex auth missing: CODEX_AUTH_JSON_B64 unset and no KV entry.",
+        "codex_auth_missing",
+        503,
+      );
+    }
+  }
+
+  if (config.codexAuthJsonB64) {
+    let decoded: string;
+    try {
+      decoded = decodeBase64ToString(config.codexAuthJsonB64);
+    } catch (error) {
+      throw new CodexError(
+        "Codex auth invalid: CODEX_AUTH_JSON_B64 is not valid base64.",
+        "codex_auth_invalid",
+        503,
+        error,
+      );
+    }
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(decoded) as unknown;
+    } catch (error) {
+      throw new CodexError(
+        "Codex auth invalid: CODEX_AUTH_JSON_B64 is not valid JSON.",
+        "codex_auth_invalid",
+        503,
+        error,
+      );
+    }
+    const tokenData = parseCodexAuthFromAuthJson(parsed);
+    if (!tokenData) {
+      throw new CodexError(
+        "Codex auth invalid: CODEX_AUTH_JSON_B64 does not look like a Codex auth.json.",
+        "codex_auth_invalid",
+        503,
+      );
+    }
+    return { ...tokenData, updated_at_ms: Date.now() };
+  }
+
+  if (config.isDeploy) {
     throw new CodexError(
       "Codex auth missing: CODEX_AUTH_JSON_B64 unset and no KV entry.",
       "codex_auth_missing",
       503,
     );
   }
-  let decoded: string;
-  try {
-    decoded = decodeBase64ToString(config.codexAuthJsonB64);
-  } catch (error) {
-    throw new CodexError(
-      "Codex auth invalid: CODEX_AUTH_JSON_B64 is not valid base64.",
-      "codex_auth_invalid",
-      503,
-      error,
-    );
+
+  return loadAuthSeedFromDisk();
+};
+
+const loadAuthSeedFromDisk = (): CodexAuthState => {
+  if (!config.isDeploy) {
+    const home = (Deno as unknown as { homeDir?: () => string | null }).homeDir?.() ?? Deno.env.get("HOME");
+    if (!home) {
+      throw new CodexError("Could not resolve home directory for ~/.codex/auth.json.", "codex_auth_invalid", 503);
+    }
+    try {
+      const raw = Deno.readTextFileSync(`${home}/.codex/auth.json`);
+      const parsed = JSON.parse(raw) as unknown;
+      const tokenData = parseCodexAuthFromAuthJson(parsed);
+      if (!tokenData) {
+        throw new CodexError(
+          "Codex auth invalid: ~/.codex/auth.json does not look like a Codex auth.json.",
+          "codex_auth_invalid",
+          503,
+        );
+      }
+      return { ...tokenData, updated_at_ms: Date.now() };
+    } catch (error) {
+      if (error instanceof CodexError) throw error;
+      throw new CodexError(
+        "Codex auth invalid: ~/.codex/auth.json is missing or unreadable.",
+        "codex_auth_invalid",
+        503,
+        error,
+      );
+    }
   }
-  let parsed: unknown;
-  try {
-    parsed = JSON.parse(decoded) as unknown;
-  } catch (error) {
-    throw new CodexError(
-      "Codex auth invalid: CODEX_AUTH_JSON_B64 is not valid JSON.",
-      "codex_auth_invalid",
-      503,
-      error,
-    );
+  throw new CodexError("Codex auth missing: CODEX_AUTH_JSON_B64 unset and no KV entry.", "codex_auth_missing", 503);
+};
+
+const getConfiguredCodexAuthSeed = (): CodexAuthState | null => {
+  if (!config.codexAuthJsonB64) {
+    return loadAuthSeedFromEnv(); // throws when unavailable in deploy or returns fallback in local
   }
-  const tokenData = parseCodexAuthFromAuthJson(parsed);
-  if (!tokenData) {
-    throw new CodexError(
-      "Codex auth invalid: CODEX_AUTH_JSON_B64 does not look like a Codex auth.json.",
-      "codex_auth_invalid",
-      503,
-    );
+  try {
+    return loadAuthSeedFromEnv();
+  } catch {
+    if (config.isDeploy) return null;
+    try {
+      return loadAuthSeedFromDisk();
+    } catch {
+      return null;
+    }
   }
-  return { ...tokenData, updated_at_ms: Date.now() };
 };
 
 const getAuthEntry = async (): Promise<{
@@ -158,18 +220,44 @@ const getAuthEntry = async (): Promise<{
 }> => {
   const kv = await kvPromise;
   if (!kv) {
-    const auth = cachedAuth ?? loadAuthSeedFromEnv();
+    const auth = cachedAuth ?? getConfiguredCodexAuthSeed();
+    if (!auth) {
+      throw new CodexError(
+        "Codex auth missing: CODEX_AUTH_JSON_B64 unset and no KV entry.",
+        "codex_auth_missing",
+        503,
+      );
+    }
     cachedAuth = auth;
     return { kv: null, entry: null, auth };
   }
 
   const entry = await kv.get<CodexAuthState>(CODEX_KV_KEY);
   if (entry.value) {
+    if (!config.isDeploy) {
+      try {
+        const localSeed = getConfiguredCodexAuthSeed();
+        if (localSeed) {
+          cachedAuth = localSeed;
+          await kv.set(CODEX_KV_KEY, localSeed);
+          return { kv, entry, auth: localSeed };
+        }
+      } catch {
+        // Keep working from persisted KV credentials when local seed loading fails.
+      }
+    }
     cachedAuth = entry.value;
     return { kv, entry, auth: entry.value };
   }
 
-  const seed = loadAuthSeedFromEnv();
+  const seed = getConfiguredCodexAuthSeed();
+  if (!seed) {
+    throw new CodexError(
+      "Codex auth missing: CODEX_AUTH_JSON_B64 unset and no KV entry.",
+      "codex_auth_missing",
+      503,
+    );
+  }
   await kv.set(CODEX_KV_KEY, seed);
   cachedAuth = seed;
   return { kv, entry: null, auth: seed };

src/handler.ts

@@ -27,7 +27,7 @@ import {
   requireAdminAuth,
 } from "./auth.ts";
 import { handleHealth, handleHealthAuth, handleHealthUpstream } from "./health.ts";
-import { corsHeaders, openaiError, withCors } from "./http.ts";
+import { corsHeaders, notFound, openaiError, withCors } from "./http.ts";
 import {
   getKernelUsageLimitSnapshot,
   incrementKernelOrgUsageLimit,
@@ -123,6 +123,10 @@ export default async function handler(req: Request): Promise<Response> {
     return withCors(await handleAdminCss());
   }
 
+  if (req.method === "GET" && path === "/favicon.ico") {
+    return withCors(await handleFavicon());
+  }
+
   if (req.method === "GET" && path === "/app.js") {
     return withCors(await handleAppJs());
   }
@@ -268,7 +272,7 @@ export default async function handler(req: Request): Promise<Response> {
   }
 
   if (!path.startsWith("/v1/")) {
-    return withCors(openaiError(404, "Not found", "not_found"));
+    return withCors(notFound());
   }
 
   if (req.method === "GET" && path === "/v1/auth") {

src/http.ts

@@ -56,6 +56,15 @@ export const openaiError = (
   });
 };
 
+export const notFound = (): Response =>
+  json(404, {
+    error: {
+      message: "Not found",
+      type: "not_found",
+      code: "not_found",
+    },
+  });
+
 export const getBearerToken = (req: Request): string | null => {
   const value = req.headers.get("Authorization");
   if (!value) return null;

static/chat.html

@@ -89,13 +89,7 @@
               <label data-field>
                 <span data-label>Reasoning effort</span>
                 <select id="reasoning-effort">
-                  <option value="">Default</option>
-                  <option value="none">none</option>
-                  <option value="minimal">minimal</option>
-                  <option value="low">low</option>
-                  <option value="medium">medium</option>
-                  <option value="high">high</option>
-                  <option value="xhigh">xhigh</option>
+                  <option value="">Loading models...</option>
                 </select>
               </label>
               <label data-field>