Fix Cloudflare 403s for openai-codex provider on server IPs

Add ChatGPT-Account-Id and originator headers when using chatgpt.com backend-api endpoint. Matches official codex-rs CLI behavior to prevent Cloudflare JavaScript challenges on non-residential IPs (VPS, Mac Mini, always-on servers). Applied in AIAgent.__init__ and _update_base_url_headers to cover both initial setup and credential rotation paths.
2026-04-25 00:51:20 +00:00 · 2026-04-08 19:58:38 -07:00 · 2026-04-08 19:58:38 -07:00 · 4d0846b640
commit 4d0846b640
parent 91eea7544f
1 changed files with 32 additions and 0 deletions
--- a/run_agent.py
+++ b/run_agent.py
@ -1077,6 +1077,23 @@ class AIAgent:
                    }
                elif "portal.qwen.ai" in effective_base.lower():
                    client_kwargs["default_headers"] = _qwen_portal_headers()
+                elif "chatgpt.com" in effective_base.lower():
+                    # Match official Codex CLI headers to avoid Cloudflare challenges.
+                    # The ChatGPT-Account-Id header is critical — without it,
+                    # server-hosted agents get 403 Cloudflare JS challenges.
+                    _codex_headers = {
+                        "User-Agent": "hermes-agent/1.0",
+                        "originator": "hermes-agent",
+                    }
+                    try:
+                        import base64 as _b64
+                        _jwt_payload = json.loads(_b64.b64decode(api_key.split(".")[1] + "=="))
+                        _acct_id = _jwt_payload.get("https://api.openai.com/auth", {}).get("chatgpt_account_id")
+                        if _acct_id:
+                            _codex_headers["ChatGPT-Account-Id"] = _acct_id
+                    except Exception:
+                        pass
+                    client_kwargs["default_headers"] = _codex_headers
            else:
                # No explicit creds — use the centralized provider router
                from agent.auxiliary_client import resolve_provider_client
@ -5312,6 +5329,21 @@ class AIAgent:
            self._client_kwargs["default_headers"] = {"User-Agent": "KimiCLI/1.30.0"}
        elif "portal.qwen.ai" in normalized:
            self._client_kwargs["default_headers"] = _qwen_portal_headers()
+        elif "chatgpt.com" in normalized:
+            _codex_headers = {
+                "User-Agent": "hermes-agent/1.0",
+                "originator": "hermes-agent",
+            }
+            try:
+                import base64 as _b64
+                _ak = self._client_kwargs.get("api_key", "")
+                _jwt_payload = json.loads(_b64.b64decode(_ak.split(".")[1] + "=="))
+                _acct_id = _jwt_payload.get("https://api.openai.com/auth", {}).get("chatgpt_account_id")
+                if _acct_id:
+                    _codex_headers["ChatGPT-Account-Id"] = _acct_id
+            except Exception:
+                pass
+            self._client_kwargs["default_headers"] = _codex_headers
        else:
            self._client_kwargs.pop("default_headers", None)