add Claude rewrite mode and broker #1

Merged: alphabetc1 merged 2 commits into main from codex/claude-mode-oauth-broker on Apr 1, 2026

@alphabetc1 (Owner)

No description provided.

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 918377155d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/admin/admin.go
})
return
}
writeJSON(w, http.StatusOK, token)

P1: Strip refresh token from broker token responses

Return payload for /claude/oauth/token currently serializes the full claudeoauth.Token, which includes refresh_token when the upstream refresh call rotates it. That leaks the long-lived credential to every admin-authenticated client (including the local Claude sidecar), undermining the broker’s goal of keeping refresh tokens centralized on the VPS. This handler should only expose short-lived access token data (for example access_token and expires_at) and never echo refresh tokens.

Useful? React with 👍 / 👎.
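
One way to apply the P1 suggestion above, as an added example that is not code from this pull request or repository: the handler copies the stored token into a response type that has no refresh-token field. The `Token` struct shape, `handleBrokerToken`, `brokerTokenResponse`, `brokerResponseBody` and the `Cache-Control` header are assumptions; only the `refresh_token`, `access_token` and `expires_at` names and the `/claude/oauth/token` path come from the review.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Token stands in for the broker's stored credential (assumed shape, not the real claudeoauth.Token).
type Token struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	ExpiresAt    time.Time `json:"expires_at"`
}

// brokerTokenResponse is an allowlist: a field added to Token later
// cannot reach clients unless it is deliberately added here as well.
type brokerTokenResponse struct {
	AccessToken string    `json:"access_token"`
	ExpiresAt   time.Time `json:"expires_at"`
}

// handleBrokerToken (hypothetical name) returns only short-lived token data.
func handleBrokerToken(current func() (Token, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok, err := current()
		if err != nil {
			http.Error(w, "token unavailable", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "no-store") // assumption: keep token responses out of caches
		json.NewEncoder(w).Encode(brokerTokenResponse{AccessToken: tok.AccessToken, ExpiresAt: tok.ExpiresAt})
	}
}

// brokerResponseBody serves one request for a constructed, freshly rotated token and returns the JSON body.
func brokerResponseBody() string {
	src := func() (Token, error) {
		return Token{"at-constructed", "rt-constructed", time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)}, nil
	}
	rec := httptest.NewRecorder()
	handleBrokerToken(src)(rec, httptest.NewRequest(http.MethodGet, "/claude/oauth/token", nil))
	return rec.Body.String()
}

func main() { fmt.Print(brokerResponseBody()) }
```

A regression test that asserts the response body never contains `refresh_token` keeps a later change to the token struct from reintroducing the leak.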

Comment thread internal/deploy/render.go
Comment on lines +356 to +357
"proxy_url": fmt.Sprintf("http://%s:%s@%s:%d", spec.Proxy.Username, spec.Proxy.Password, endpoint.Tunnel.LocalHost, endpoint.Tunnel.LocalPort),
"oauth_broker_url": fmt.Sprintf("http://%s:%d/claude/oauth/token", spec.ClaudeCode.AdminLocalHost, spec.ClaudeCode.AdminLocalPort),
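
Review bot: On the proxy_url line, spec.Proxy.Username and spec.Proxy.Password are placed into the userinfo part with plain %s, so a credential containing @, :, / or # produces a URL that parses with a different host or a truncated password. Build the value with url.URL and url.UserPassword(spec.Proxy.Username, spec.Proxy.Password) so the userinfo is percent-encoded, and set Host with net.JoinHostPort for both proxy_url and oauth_broker_url. Because proxy_url carries the proxy password in clear text, the rendered value should be handled as a secret wherever it is stored or logged.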

P2: Build Claude client URLs with host-port aware formatting

RenderClaudeClientConfig builds proxy_url and oauth_broker_url with raw "%s:%d" host formatting, which produces invalid URLs when users configure IPv6 loopback/bind hosts (for example ::1). In that case generated URLs like http://::1:19090/... fail claude-client config validation and prevent startup. Use URL builders plus net.JoinHostPort (or equivalent) so IPv6 hosts are bracketed correctly.

Useful? React with 👍 / 👎.

alphabetc1 force-pushed the codex/claude-mode-oauth-broker branch from bb36931 to 5573c88 on April 1, 2026 11:52
alphabetc1 merged commit 447ec68 into main on Apr 1, 2026
1 check passed
alphabetc1 deleted the codex/claude-mode-oauth-broker branch on April 1, 2026 12:33