Token refresh updated internal array and .env file but not process.env,
so docker exec -e kept injecting the stale startup token. Now syncs
to process.env after refresh. Container kill on refresh is no longer
needed since docker exec picks up the latest token each turn.
When OAuth tokens rotate or refresh, all reviewer containers are
automatically removed. The next reviewer turn recreates them with
the latest token, preventing 401 auth failures.
Uses callback pattern to avoid circular dependencies:
- token-rotation.ts: onTokenRotated(cb)
- token-refresh.ts: onTokenRefreshed(cb)
- index.ts: registers recreateAllReviewerContainers as callback
Restores token-refresh.ts that was deleted in 35356dd. Now works
with multi-account token rotation:
- Refreshes tokens from ~/.claude/.credentials.json (account 0)
and ~/.claude-accounts/{n}/.credentials.json (account 1+)
- Updates token-rotation memory and .env on refresh
- Syncs credentials to session directories
- 5-min check interval, refreshes 30 min before expiry
- forceRefreshToken() export for 401 recovery
Delete token-refresh.ts and credentials.json sync. Auth is now
via CLAUDE_CODE_OAUTH_TOKEN in .env (1-year setup-token).
No more auto-refresh loop or credentials.json dependency.
When CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY is set in .env,
the credentials.json refresh loop is unnecessary. setup-token
generates a 1-year token, making auto-refresh redundant.
- Rewrite codex-runner to use `codex app-server` JSON-RPC instead of
`codex exec`. Supports streaming (item/agentMessage/delta), session
persistence (thread/start, thread/resume), and mid-turn message
injection (turn/steer with IPC polling during execution).
- Fix token refresh not syncing to per-group session directories,
causing 401 errors on running agents.
- Fix typing indicator staying on when codex returns null result
by always clearing typing on any streaming callback.
- Update README and CLAUDE.md to reflect dual-service architecture,
host process mode, and codex app-server integration.
- Add token-refresh module that auto-renews Claude OAuth tokens 30min before expiry
- Fix Codex session loss on service restart by resuming previous sessions
- Inject nanoclaw MCP server into Codex config.toml for send_message/schedule_task
- Sanitize ANTHROPIC_API_KEY and CLAUDE_CODE_OAUTH_TOKEN from Codex subprocess env