Conversation

roomote bot commented Jan 15, 2026

Adds support for the OpenAI - ChatGPT Plus/Pro provider in the CLI using OAuth authentication instead of API keys.

Changes

  • Added openai-codex to supported providers list in CLI
  • Implemented OAuth authentication flow for OpenAI Codex with PKCE
  • Created credentials storage module for OpenAI Codex tokens
  • Added CLI commands:
    • roo-code auth openai-codex:login - Authenticate with OpenAI Codex
    • roo-code auth openai-codex:logout - Log out from OpenAI Codex
    • roo-code auth openai-codex:status - Show authentication status
  • Updated provider settings builder to handle openai-codex without API key
  • OAuth uses local callback server on port 1455 with automatic token refresh

Usage

# Authenticate with OpenAI Codex
roo-code auth openai-codex:login

# Run CLI with OpenAI Codex provider
roo-code -p openai-codex -m gpt-5.2-codex "Your task here"

# Check authentication status
roo-code auth openai-codex:status

# Logout
roo-code auth openai-codex:logout

Testing

  • All existing tests pass
  • Type checking passes
  • Linting passes


Important

Adds OAuth support for OpenAI Codex in CLI with new login, logout, and status commands, and updates provider settings for OAuth handling.

  • Behavior:
    • Adds openai-codex to supported providers in types.ts.
    • Implements OAuth flow for OpenAI Codex in openai-codex-oauth.ts using PKCE.
    • Uses local server on port 1455 for OAuth callback with automatic token refresh.
  • Commands:
    • Adds openai-codex:login, openai-codex:logout, and openai-codex:status commands in index.ts.
    • Implements openaiCodexLogin(), openaiCodexLogout(), and openaiCodexStatus() in respective files.
  • Storage:
    • Creates openai-codex-credentials.ts for storing and managing OpenAI Codex tokens.
    • Exports credential functions in storage/index.ts.
  • Provider Settings:
    • Updates provider.ts to handle openai-codex without API key.
  • Misc:
    • Updates auth/index.ts to export new OpenAI Codex command modules.

This description was created by Ellipsis for 6a4d54d.

- Add openai-codex to supported providers list
- Implement OAuth authentication flow for OpenAI Codex
- Create credentials storage for OpenAI Codex tokens
- Add CLI commands: auth openai-codex:login, auth openai-codex:logout, auth openai-codex:status
- Update provider settings to handle openai-codex without API key
- OAuth uses PKCE flow with local callback server on port 1455
roomote bot (PR author) commented Jan 15, 2026

Review complete. Found 2 issues in the OAuth implementation:

  • XSS vulnerability in OAuth error callback (line 334) - error parameter interpolated into HTML without escaping
  • Missing validation in refreshAccessToken (line 206) - unlike exchangeCodeForTokens, required response fields are not validated


Code under review (openai-codex-oauth.ts, OAuth error callback, line 334):

<html>
<head><title>Authentication Failed</title></head>
<body>
<h1>Authentication failed: ${error}</h1>
roomote bot (PR author) commented:
The OAuth error parameter is interpolated directly into HTML without escaping. An attacker could craft a malicious OAuth callback URL with an XSS payload in the error parameter (e.g., ?error=<script>alert(1)</script>). The error value should be HTML-escaped before embedding in the response.

Suggested change
<h1>Authentication failed: ${error}</h1>
<h1>Authentication failed: ${error.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</h1>


Code under review (openai-codex-oauth.ts, refreshAccessToken, line 206):

const data = await response.json()
const tokenResponse = data as TokenResponse

const expiresAt = Date.now() + tokenResponse.expires_in * 1000
roomote bot (PR author) commented:
Unlike exchangeCodeForTokens (lines 159-161), refreshAccessToken doesn't validate that required fields (access_token, expires_in) exist in the token response before using them. If the token endpoint returns a malformed response, expires_in * 1000 could result in NaN, and access_token could be undefined. Consider adding validation similar to exchangeCodeForTokens:

if (!tokenResponse.access_token || !tokenResponse.expires_in) {
    throw new Error("Invalid token refresh response: missing required fields")
}

