add codex oauth gateway experiment

codex-oauth-gateway-python/.gitignore

@@ -0,0 +1,4 @@
+__pycache__/
+*.pyc
+.venv/
+.tokens/

codex-oauth-gateway-python/README.md

@@ -0,0 +1,34 @@
+# codex-oauth-gateway-python
+
+This directory is an **isolated Python migration workspace** for `experiments/codex-oauth-gateway`.
+
+## Scope
+- Build a Python implementation of the gateway incrementally.
+- Keep `experiments/codex-oauth-gateway` unchanged during migration.
+
+## Current status (v0 scaffold)
+- Basic Python HTTP server with `GET /health` and `POST /responses`.
+- Model normalization and SSE final-event parsing helpers.
+- Structured gateway errors (`status` + `code`).
+- Minimal unit tests for normalization/response helpers.
+
+## Run locally
+```bash
+cd codex-oauth-gateway-python
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+PYTHONPATH=. python -m unittest discover -s tests
+python auth_cli.py
+python main.py
+```
+
+Then check:
+```bash
+curl -s http://127.0.0.1:8787/health
+```
+
+## Notes
+- This is migration work-in-progress and not feature-parity yet.
+- OAuth token refresh flow is now wired (refresh token grant).
+- OAuth tokens are stored at `~/.codex-oauth-gateway-python/openai.json` by default. Set `CODEX_GATEWAY_TOKEN_FILE` to override this path.

codex-oauth-gateway-python/auth_cli.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+import threading
+import webbrowser
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from urllib.parse import parse_qs, urlparse
+
+from gateway.auth import (
+    create_authorization_flow,
+    exchange_authorization_code,
+    parse_authorization_input,
+    save_tokens,
+)
+
+
+def _wait_for_callback(expected_state: str, timeout_seconds: int = 180) -> tuple[str | None, str | None]:
+    result = {"code": None, "state": None}
+    done = threading.Event()
+
+    class CallbackHandler(BaseHTTPRequestHandler):
+        def do_GET(self):  # noqa: N802
+            parsed = urlparse(self.path)
+            if parsed.path != "/auth/callback":
+                self.send_response(404)
+                self.end_headers()
+                return
+
+            query = parse_qs(parsed.query)
+            result["code"] = query.get("code", [None])[0]
+            result["state"] = query.get("state", [None])[0]
+            done.set()
+
+            self.send_response(200)
+            self.send_header("content-type", "text/plain; charset=utf-8")
+            self.end_headers()
+            self.wfile.write(b"OAuth callback received. You can return to terminal.")
+
+        def log_message(self, format, *args):  # noqa: A003
+            return
+
+    try:
+        server = ThreadingHTTPServer(("127.0.0.1", 1455), CallbackHandler)
+    except OSError:
+        return None, None
+    thread = threading.Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+    try:
+        done.wait(timeout_seconds)
+        return result["code"], result["state"]
+    finally:
+        server.shutdown()
+        server.server_close()
+        thread.join(timeout=1)
+
+
+def main() -> int:
+    flow = create_authorization_flow()
+    print("Open this URL in your browser and complete login (trying auto-open):\n")
+    print(flow.url)
+    try:
+        webbrowser.open(flow.url)
+    except Exception:
+        pass
+
+    print("\nWaiting for callback on http://localhost:1455/auth/callback ...")
+    code, state = _wait_for_callback(flow.state)
+
+    if not code:
+        print("No callback captured. Paste callback URL, 'code=...&state=...', or 'code#state':")
+        raw = input("> ")
+        code, state = parse_authorization_input(raw)
+
+    if not code:
+        print("No authorization code found.")
+        return 1
+    if state and state != flow.state:
+        print("State mismatch. Aborting.")
+        return 1
+
+    tokens = exchange_authorization_code(code, flow.verifier)
+    save_tokens(tokens)
+    print("OAuth tokens saved successfully.")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())