Refactor codebase

2026-02-03 04:50:52 +08:00 · 2025-08-22 01:31:12 +08:00
parent 2b1762be16
commit 8c555c4e69
109 changed files with 7319 additions and 5735 deletions
--- a/internal/auth/codex/errors.go
+++ b/internal/auth/codex/errors.go
@@ -6,14 +6,19 @@ import (
 	"net/http"
 )

-// OAuthError represents an OAuth-specific error
+// OAuthError represents an OAuth-specific error.
 type OAuthError struct {
-	Code        string `json:"error"`
+	// Code is the OAuth error code.
+	Code string `json:"error"`
+	// Description is a human-readable description of the error.
 	Description string `json:"error_description,omitempty"`
-	URI         string `json:"error_uri,omitempty"`
-	StatusCode  int    `json:"-"`
+	// URI is a URI identifying a human-readable web page with information about the error.
+	URI string `json:"error_uri,omitempty"`
+	// StatusCode is the HTTP status code associated with the error.
+	StatusCode int `json:"-"`
 }

+// Error returns a string representation of the OAuth error.
 func (e *OAuthError) Error() string {
 	if e.Description != "" {
 		return fmt.Sprintf("OAuth error %s: %s", e.Code, e.Description)
@@ -21,7 +26,7 @@ func (e *OAuthError) Error() string {
 	return fmt.Sprintf("OAuth error: %s", e.Code)
 }

-// NewOAuthError creates a new OAuth error
+// NewOAuthError creates a new OAuth error with the specified code, description, and status code.
 func NewOAuthError(code, description string, statusCode int) *OAuthError {
 	return &OAuthError{
 		Code:        code,
@@ -30,14 +35,19 @@ func NewOAuthError(code, description string, statusCode int) *OAuthError {
 	}
 }

-// AuthenticationError represents authentication-related errors
+// AuthenticationError represents authentication-related errors.
 type AuthenticationError struct {
-	Type    string `json:"type"`
+	// Type is the type of authentication error.
+	Type string `json:"type"`
+	// Message is a human-readable message describing the error.
 	Message string `json:"message"`
-	Code    int    `json:"code"`
-	Cause   error  `json:"-"`
+	// Code is the HTTP status code associated with the error.
+	Code int `json:"code"`
+	// Cause is the underlying error that caused this authentication error.
+	Cause error `json:"-"`
 }

+// Error returns a string representation of the authentication error.
 func (e *AuthenticationError) Error() string {
 	if e.Cause != nil {
 		return fmt.Sprintf("%s: %s (caused by: %v)", e.Type, e.Message, e.Cause)
@@ -45,44 +55,50 @@ func (e *AuthenticationError) Error() string {
 	return fmt.Sprintf("%s: %s", e.Type, e.Message)
 }

-// Common authentication error types
+// Common authentication error types.
 var (
-	ErrTokenExpired = &AuthenticationError{
-		Type:    "token_expired",
-		Message: "Access token has expired",
-		Code:    http.StatusUnauthorized,
-	}
+	// ErrTokenExpired = &AuthenticationError{
+	// 	Type:    "token_expired",
+	// 	Message: "Access token has expired",
+	// 	Code:    http.StatusUnauthorized,
+	// }

+	// ErrInvalidState represents an error for invalid OAuth state parameter.
 	ErrInvalidState = &AuthenticationError{
 		Type:    "invalid_state",
 		Message: "OAuth state parameter is invalid",
 		Code:    http.StatusBadRequest,
 	}

+	// ErrCodeExchangeFailed represents an error when exchanging authorization code for tokens fails.
 	ErrCodeExchangeFailed = &AuthenticationError{
 		Type:    "code_exchange_failed",
 		Message: "Failed to exchange authorization code for tokens",
 		Code:    http.StatusBadRequest,
 	}

+	// ErrServerStartFailed represents an error when starting the OAuth callback server fails.
 	ErrServerStartFailed = &AuthenticationError{
 		Type:    "server_start_failed",
 		Message: "Failed to start OAuth callback server",
 		Code:    http.StatusInternalServerError,
 	}

+	// ErrPortInUse represents an error when the OAuth callback port is already in use.
 	ErrPortInUse = &AuthenticationError{
 		Type:    "port_in_use",
 		Message: "OAuth callback port is already in use",
 		Code:    13, // Special exit code for port-in-use
 	}

+	// ErrCallbackTimeout represents an error when waiting for OAuth callback times out.
 	ErrCallbackTimeout = &AuthenticationError{
 		Type:    "callback_timeout",
 		Message: "Timeout waiting for OAuth callback",
 		Code:    http.StatusRequestTimeout,
 	}

+	// ErrBrowserOpenFailed represents an error when opening the browser for authentication fails.
 	ErrBrowserOpenFailed = &AuthenticationError{
 		Type:    "browser_open_failed",
 		Message: "Failed to open browser for authentication",
@@ -90,7 +106,7 @@ var (
 	}
 )

-// NewAuthenticationError creates a new authentication error with a cause
+// NewAuthenticationError creates a new authentication error with a cause based on a base error.
 func NewAuthenticationError(baseErr *AuthenticationError, cause error) *AuthenticationError {
 	return &AuthenticationError{
 		Type:    baseErr.Type,
@@ -100,21 +116,21 @@ func NewAuthenticationError(baseErr *AuthenticationError, cause error) *Authenti
 	}
 }

-// IsAuthenticationError checks if an error is an authentication error
+// IsAuthenticationError checks if an error is an authentication error.
 func IsAuthenticationError(err error) bool {
 	var authenticationError *AuthenticationError
 	ok := errors.As(err, &authenticationError)
 	return ok
 }

-// IsOAuthError checks if an error is an OAuth error
+// IsOAuthError checks if an error is an OAuth error.
 func IsOAuthError(err error) bool {
 	var oAuthError *OAuthError
 	ok := errors.As(err, &oAuthError)
 	return ok
 }

-// GetUserFriendlyMessage returns a user-friendly error message
+// GetUserFriendlyMessage returns a user-friendly error message based on the error type.
 func GetUserFriendlyMessage(err error) string {
 	switch {
 	case IsAuthenticationError(err):
--- a/internal/auth/codex/html_templates.go
+++ b/internal/auth/codex/html_templates.go
@@ -1,6 +1,8 @@
 package codex

-// LoginSuccessHtml is the template for the OAuth success page
+// LoginSuccessHTML is the HTML template for the page shown after a successful
+// OAuth2 authentication with Codex. It informs the user that the authentication
+// was successful and provides a countdown timer to automatically close the window.
 const LoginSuccessHtml = `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -202,7 +204,9 @@ const LoginSuccessHtml = `<!DOCTYPE html>
 </body>
 </html>`

-// SetupNoticeHtml is the template for the setup notice section
+// SetupNoticeHTML is the HTML template for the section that provides instructions
+// for additional setup. This is displayed on the success page when further actions
+// are required from the user.
 const SetupNoticeHtml = `
        <div class="setup-notice">
            <h3>Additional Setup Required</h3>
--- a/internal/auth/codex/jwt_parser.go
+++ b/internal/auth/codex/jwt_parser.go
@@ -8,7 +8,9 @@ import (
 	"time"
 )

-// JWTClaims represents the claims section of a JWT token
+// JWTClaims represents the claims section of a JSON Web Token (JWT).
+// It includes standard claims like issuer, subject, and expiration time, as well as
+// custom claims specific to OpenAI's authentication.
 type JWTClaims struct {
 	AtHash        string        `json:"at_hash"`
 	Aud           []string      `json:"aud"`
@@ -25,12 +27,18 @@ type JWTClaims struct {
 	Sid           string        `json:"sid"`
 	Sub           string        `json:"sub"`
 }
+
+// Organizations defines the structure for organization details within the JWT claims.
+// It holds information about the user's organization, such as ID, role, and title.
 type Organizations struct {
 	ID        string `json:"id"`
 	IsDefault bool   `json:"is_default"`
 	Role      string `json:"role"`
 	Title     string `json:"title"`
 }
+
+// CodexAuthInfo contains authentication-related details specific to Codex.
+// This includes ChatGPT account information, subscription status, and user/organization IDs.
 type CodexAuthInfo struct {
 	ChatgptAccountID               string          `json:"chatgpt_account_id"`
 	ChatgptPlanType                string          `json:"chatgpt_plan_type"`
@@ -43,8 +51,10 @@ type CodexAuthInfo struct {
 	UserID                         string          `json:"user_id"`
 }

-// ParseJWTToken parses a JWT token and extracts the claims without verification
-// This is used for extracting user information from ID tokens
+// ParseJWTToken parses a JWT token string and extracts its claims without performing
+// cryptographic signature verification. This is useful for introspecting the token's
+// contents to retrieve user information from an ID token after it has been validated
+// by the authentication server.
 func ParseJWTToken(token string) (*JWTClaims, error) {
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
@@ -65,7 +75,9 @@ func ParseJWTToken(token string) (*JWTClaims, error) {
 	return &claims, nil
 }

-// base64URLDecode decodes a base64 URL-encoded string with proper padding
+// base64URLDecode decodes a Base64 URL-encoded string, adding padding if necessary.
+// JWTs use a URL-safe Base64 alphabet and omit padding, so this function ensures
+// correct decoding by re-adding the padding before decoding.
 func base64URLDecode(data string) ([]byte, error) {
 	// Add padding if necessary
 	switch len(data) % 4 {
@@ -78,12 +90,13 @@ func base64URLDecode(data string) ([]byte, error) {
 	return base64.URLEncoding.DecodeString(data)
 }

-// GetUserEmail extracts the user email from JWT claims
+// GetUserEmail extracts the user's email address from the JWT claims.
 func (c *JWTClaims) GetUserEmail() string {
 	return c.Email
 }

-// GetAccountID extracts the user ID from JWT claims (subject)
+// GetAccountID extracts the user's account ID (subject) from the JWT claims.
+// It retrieves the unique identifier for the user's ChatGPT account.
 func (c *JWTClaims) GetAccountID() string {
 	return c.CodexAuthInfo.ChatgptAccountID
 }
--- a/internal/auth/codex/oauth_server.go
+++ b/internal/auth/codex/oauth_server.go
@@ -13,24 +13,45 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-// OAuthServer handles the local HTTP server for OAuth callbacks
+// OAuthServer handles the local HTTP server for OAuth callbacks.
+// It listens for the authorization code response from the OAuth provider
+// and captures the necessary parameters to complete the authentication flow.
 type OAuthServer struct {
-	server     *http.Server
-	port       int
+	// server is the underlying HTTP server instance
+	server *http.Server
+	// port is the port number on which the server listens
+	port int
+	// resultChan is a channel for sending OAuth results
 	resultChan chan *OAuthResult
-	errorChan  chan error
-	mu         sync.Mutex
-	running    bool
+	// errorChan is a channel for sending OAuth errors
+	errorChan chan error
+	// mu is a mutex for protecting server state
+	mu sync.Mutex
+	// running indicates whether the server is currently running
+	running bool
 }

-// OAuthResult contains the result of the OAuth callback
+// OAuthResult contains the result of the OAuth callback.
+// It holds either the authorization code and state for successful authentication
+// or an error message if the authentication failed.
 type OAuthResult struct {
-	Code  string
+	// Code is the authorization code received from the OAuth provider
+	Code string
+	// State is the state parameter used to prevent CSRF attacks
 	State string
+	// Error contains any error message if the OAuth flow failed
 	Error string
 }

-// NewOAuthServer creates a new OAuth callback server
+// NewOAuthServer creates a new OAuth callback server.
+// It initializes the server with the specified port and creates channels
+// for handling OAuth results and errors.
+//
+// Parameters:
+//   - port: The port number on which the server should listen
+//
+// Returns:
+//   - *OAuthServer: A new OAuthServer instance
 func NewOAuthServer(port int) *OAuthServer {
 	return &OAuthServer{
 		port:       port,
@@ -39,8 +60,13 @@ func NewOAuthServer(port int) *OAuthServer {
 	}
 }

-// Start starts the OAuth callback server
-func (s *OAuthServer) Start(ctx context.Context) error {
+// Start starts the OAuth callback server.
+// It sets up the HTTP handlers for the callback and success endpoints,
+// and begins listening on the specified port.
+//
+// Returns:
+//   - error: An error if the server fails to start
+func (s *OAuthServer) Start() error {
 	s.mu.Lock()
 	defer s.mu.Unlock()

@@ -79,7 +105,14 @@ func (s *OAuthServer) Start(ctx context.Context) error {
 	return nil
 }

-// Stop gracefully stops the OAuth callback server
+// Stop gracefully stops the OAuth callback server.
+// It performs a graceful shutdown of the HTTP server with a timeout.
+//
+// Parameters:
+//   - ctx: The context for controlling the shutdown process
+//
+// Returns:
+//   - error: An error if the server fails to stop gracefully
 func (s *OAuthServer) Stop(ctx context.Context) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -101,7 +134,16 @@ func (s *OAuthServer) Stop(ctx context.Context) error {
 	return err
 }

-// WaitForCallback waits for the OAuth callback with a timeout
+// WaitForCallback waits for the OAuth callback with a timeout.
+// It blocks until either an OAuth result is received, an error occurs,
+// or the specified timeout is reached.
+//
+// Parameters:
+//   - timeout: The maximum time to wait for the callback
+//
+// Returns:
+//   - *OAuthResult: The OAuth result if successful
+//   - error: An error if the callback times out or an error occurs
 func (s *OAuthServer) WaitForCallback(timeout time.Duration) (*OAuthResult, error) {
 	select {
 	case result := <-s.resultChan:
@@ -113,7 +155,13 @@ func (s *OAuthServer) WaitForCallback(timeout time.Duration) (*OAuthResult, erro
 	}
 }

-// handleCallback handles the OAuth callback endpoint
+// handleCallback handles the OAuth callback endpoint.
+// It extracts the authorization code and state from the callback URL,
+// validates the parameters, and sends the result to the waiting channel.
+//
+// Parameters:
+//   - w: The HTTP response writer
+//   - r: The HTTP request
 func (s *OAuthServer) handleCallback(w http.ResponseWriter, r *http.Request) {
 	log.Debug("Received OAuth callback")

@@ -171,7 +219,12 @@ func (s *OAuthServer) handleCallback(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/success", http.StatusFound)
 }

-// handleSuccess handles the success page endpoint
+// handleSuccess handles the success page endpoint.
+// It serves a user-friendly HTML page indicating that authentication was successful.
+//
+// Parameters:
+//   - w: The HTTP response writer
+//   - r: The HTTP request
 func (s *OAuthServer) handleSuccess(w http.ResponseWriter, r *http.Request) {
 	log.Debug("Serving success page")

@@ -195,7 +248,16 @@ func (s *OAuthServer) handleSuccess(w http.ResponseWriter, r *http.Request) {
 	}
 }

-// generateSuccessHTML creates the HTML content for the success page
+// generateSuccessHTML creates the HTML content for the success page.
+// It customizes the page based on whether additional setup is required
+// and includes a link to the platform.
+//
+// Parameters:
+//   - setupRequired: Whether additional setup is required after authentication
+//   - platformURL: The URL to the platform for additional setup
+//
+// Returns:
+//   - string: The HTML content for the success page
 func (s *OAuthServer) generateSuccessHTML(setupRequired bool, platformURL string) string {
 	html := LoginSuccessHtml

@@ -213,7 +275,11 @@ func (s *OAuthServer) generateSuccessHTML(setupRequired bool, platformURL string
 	return html
 }

-// sendResult sends the OAuth result to the waiting channel
+// sendResult sends the OAuth result to the waiting channel.
+// It ensures that the result is sent without blocking the handler.
+//
+// Parameters:
+//   - result: The OAuth result to send
 func (s *OAuthServer) sendResult(result *OAuthResult) {
 	select {
 	case s.resultChan <- result:
@@ -223,7 +289,11 @@ func (s *OAuthServer) sendResult(result *OAuthResult) {
 	}
 }

-// isPortAvailable checks if the specified port is available
+// isPortAvailable checks if the specified port is available.
+// It attempts to listen on the port to determine availability.
+//
+// Returns:
+//   - bool: True if the port is available, false otherwise
 func (s *OAuthServer) isPortAvailable() bool {
 	addr := fmt.Sprintf(":%d", s.port)
 	listener, err := net.Listen("tcp", addr)
@@ -236,7 +306,10 @@ func (s *OAuthServer) isPortAvailable() bool {
 	return true
 }

-// IsRunning returns whether the server is currently running
+// IsRunning returns whether the server is currently running.
+//
+// Returns:
+//   - bool: True if the server is running, false otherwise
 func (s *OAuthServer) IsRunning() bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()
--- a/internal/auth/codex/openai.go
+++ b/internal/auth/codex/openai.go
@@ -1,6 +1,7 @@
 package codex

-// PKCECodes holds PKCE verification codes for OAuth2 PKCE flow
+// PKCECodes holds the verification codes for the OAuth2 PKCE (Proof Key for Code Exchange) flow.
+// PKCE is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.
 type PKCECodes struct {
 	// CodeVerifier is the cryptographically random string used to correlate
 	// the authorization request to the token request
@@ -9,7 +10,8 @@ type PKCECodes struct {
 	CodeChallenge string `json:"code_challenge"`
 }

-// CodexTokenData holds OAuth token information from OpenAI
+// CodexTokenData holds the OAuth token information obtained from OpenAI.
+// It includes the ID token, access token, refresh token, and associated user details.
 type CodexTokenData struct {
 	// IDToken is the JWT ID token containing user claims
 	IDToken string `json:"id_token"`
@@ -25,7 +27,8 @@ type CodexTokenData struct {
 	Expire string `json:"expired"`
 }

-// CodexAuthBundle aggregates authentication data after OAuth flow completion
+// CodexAuthBundle aggregates all authentication-related data after the OAuth flow is complete.
+// This includes the API key, token data, and the timestamp of the last refresh.
 type CodexAuthBundle struct {
 	// APIKey is the OpenAI API key obtained from token exchange
 	APIKey string `json:"api_key"`
--- a/internal/auth/codex/openai_auth.go
+++ b/internal/auth/codex/openai_auth.go
@@ -1,3 +1,7 @@
+// Package codex provides authentication and token management for OpenAI's Codex API.
+// It handles the OAuth2 flow, including generating authorization URLs, exchanging
+// authorization codes for tokens, and refreshing expired tokens. The package also
+// defines data structures for storing and managing Codex authentication credentials.
 package codex

 import (
@@ -22,19 +26,24 @@ const (
 	redirectURI    = "http://localhost:1455/auth/callback"
 )

-// CodexAuth handles OpenAI OAuth2 authentication flow
+// CodexAuth handles the OpenAI OAuth2 authentication flow.
+// It manages the HTTP client and provides methods for generating authorization URLs,
+// exchanging authorization codes for tokens, and refreshing access tokens.
 type CodexAuth struct {
 	httpClient *http.Client
 }

-// NewCodexAuth creates a new OpenAI authentication service
+// NewCodexAuth creates a new CodexAuth service instance.
+// It initializes an HTTP client with proxy settings from the provided configuration.
 func NewCodexAuth(cfg *config.Config) *CodexAuth {
 	return &CodexAuth{
 		httpClient: util.SetProxy(cfg, &http.Client{}),
 	}
 }

-// GenerateAuthURL creates the OAuth authorization URL with PKCE
+// GenerateAuthURL creates the OAuth authorization URL with PKCE (Proof Key for Code Exchange).
+// It constructs the URL with the necessary parameters, including the client ID,
+// response type, redirect URI, scopes, and PKCE challenge.
 func (o *CodexAuth) GenerateAuthURL(state string, pkceCodes *PKCECodes) (string, error) {
 	if pkceCodes == nil {
 		return "", fmt.Errorf("PKCE codes are required")
@@ -57,7 +66,9 @@ func (o *CodexAuth) GenerateAuthURL(state string, pkceCodes *PKCECodes) (string,
 	return authURL, nil
 }

-// ExchangeCodeForTokens exchanges authorization code for access tokens
+// ExchangeCodeForTokens exchanges an authorization code for access and refresh tokens.
+// It performs an HTTP POST request to the OpenAI token endpoint with the provided
+// authorization code and PKCE verifier.
 func (o *CodexAuth) ExchangeCodeForTokens(ctx context.Context, code string, pkceCodes *PKCECodes) (*CodexAuthBundle, error) {
 	if pkceCodes == nil {
 		return nil, fmt.Errorf("PKCE codes are required for token exchange")
@@ -143,7 +154,9 @@ func (o *CodexAuth) ExchangeCodeForTokens(ctx context.Context, code string, pkce
 	return bundle, nil
 }

-// RefreshTokens refreshes the access token using the refresh token
+// RefreshTokens refreshes an access token using a refresh token.
+// This method is called when an access token has expired. It makes a request to the
+// token endpoint to obtain a new set of tokens.
 func (o *CodexAuth) RefreshTokens(ctx context.Context, refreshToken string) (*CodexTokenData, error) {
 	if refreshToken == "" {
 		return nil, fmt.Errorf("refresh token is required")
@@ -216,7 +229,8 @@ func (o *CodexAuth) RefreshTokens(ctx context.Context, refreshToken string) (*Co
 	}, nil
 }

-// CreateTokenStorage creates a new CodexTokenStorage from auth bundle and user info
+// CreateTokenStorage creates a new CodexTokenStorage from a CodexAuthBundle.
+// It populates the storage struct with token data, user information, and timestamps.
 func (o *CodexAuth) CreateTokenStorage(bundle *CodexAuthBundle) *CodexTokenStorage {
 	storage := &CodexTokenStorage{
 		IDToken:      bundle.TokenData.IDToken,
@@ -231,7 +245,9 @@ func (o *CodexAuth) CreateTokenStorage(bundle *CodexAuthBundle) *CodexTokenStora
 	return storage
 }

-// RefreshTokensWithRetry refreshes tokens with automatic retry logic
+// RefreshTokensWithRetry refreshes tokens with a built-in retry mechanism.
+// It attempts to refresh the tokens up to a specified maximum number of retries,
+// with an exponential backoff strategy to handle transient network errors.
 func (o *CodexAuth) RefreshTokensWithRetry(ctx context.Context, refreshToken string, maxRetries int) (*CodexTokenData, error) {
 	var lastErr error

@@ -257,7 +273,8 @@ func (o *CodexAuth) RefreshTokensWithRetry(ctx context.Context, refreshToken str
 	return nil, fmt.Errorf("token refresh failed after %d attempts: %w", maxRetries, lastErr)
 }

-// UpdateTokenStorage updates an existing token storage with new token data
+// UpdateTokenStorage updates an existing CodexTokenStorage with new token data.
+// This is typically called after a successful token refresh to persist the new credentials.
 func (o *CodexAuth) UpdateTokenStorage(storage *CodexTokenStorage, tokenData *CodexTokenData) {
 	storage.IDToken = tokenData.IDToken
 	storage.AccessToken = tokenData.AccessToken
--- a/internal/auth/codex/pkce.go
+++ b/internal/auth/codex/pkce.go
@@ -1,3 +1,6 @@
+// Package codex provides authentication and token management functionality
+// for OpenAI's Codex AI services. It handles OAuth2 PKCE (Proof Key for Code Exchange)
+// code generation for secure authentication flows.
 package codex

 import (
@@ -7,8 +10,10 @@ import (
 	"fmt"
 )

-// GeneratePKCECodes generates a PKCE code verifier and challenge pair
-// following RFC 7636 specifications for OAuth 2.0 PKCE extension
+// GeneratePKCECodes generates a new pair of PKCE (Proof Key for Code Exchange) codes.
+// It creates a cryptographically random code verifier and its corresponding
+// SHA256 code challenge, as specified in RFC 7636. This is a critical security
+// feature for the OAuth 2.0 authorization code flow.
 func GeneratePKCECodes() (*PKCECodes, error) {
 	// Generate code verifier: 43-128 characters, URL-safe
 	codeVerifier, err := generateCodeVerifier()
@@ -25,8 +30,10 @@ func GeneratePKCECodes() (*PKCECodes, error) {
 	}, nil
 }

-// generateCodeVerifier creates a cryptographically random string
-// of 128 characters using URL-safe base64 encoding
+// generateCodeVerifier creates a cryptographically secure random string to be used
+// as the code verifier in the PKCE flow. The verifier is a high-entropy string
+// that is later used to prove possession of the client that initiated the
+// authorization request.
 func generateCodeVerifier() (string, error) {
 	// Generate 96 random bytes (will result in 128 base64 characters)
 	bytes := make([]byte, 96)
@@ -39,8 +46,10 @@ func generateCodeVerifier() (string, error) {
 	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(bytes), nil
 }

-// generateCodeChallenge creates a SHA256 hash of the code verifier
-// and encodes it using URL-safe base64 encoding without padding
+// generateCodeChallenge creates a code challenge from a given code verifier.
+// The challenge is derived by taking the SHA256 hash of the verifier and then
+// Base64 URL-encoding the result. This is sent in the initial authorization
+// request and later verified against the verifier.
 func generateCodeChallenge(codeVerifier string) string {
 	hash := sha256.Sum256([]byte(codeVerifier))
 	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(hash[:])
--- a/internal/auth/codex/token.go
+++ b/internal/auth/codex/token.go
@@ -1,3 +1,6 @@
+// Package codex provides authentication and token management functionality
+// for OpenAI's Codex AI services. It handles OAuth2 token storage, serialization,
+// and retrieval for maintaining authenticated sessions with the Codex API.
 package codex

 import (
@@ -7,28 +10,37 @@ import (
 	"path"
 )

-// CodexTokenStorage extends the existing GeminiTokenStorage for OpenAI-specific data
-// It maintains compatibility with the existing auth system while adding OpenAI-specific fields
+// CodexTokenStorage stores OAuth2 token information for OpenAI Codex API authentication.
+// It maintains compatibility with the existing auth system while adding Codex-specific fields
+// for managing access tokens, refresh tokens, and user account information.
 type CodexTokenStorage struct {
-	// IDToken is the JWT ID token containing user claims
+	// IDToken is the JWT ID token containing user claims and identity information.
 	IDToken string `json:"id_token"`
-	// AccessToken is the OAuth2 access token for API access
+	// AccessToken is the OAuth2 access token used for authenticating API requests.
 	AccessToken string `json:"access_token"`
-	// RefreshToken is used to obtain new access tokens
+	// RefreshToken is used to obtain new access tokens when the current one expires.
 	RefreshToken string `json:"refresh_token"`
-	// AccountID is the OpenAI account identifier
+	// AccountID is the OpenAI account identifier associated with this token.
 	AccountID string `json:"account_id"`
-	// LastRefresh is the timestamp of the last token refresh
+	// LastRefresh is the timestamp of the last token refresh operation.
 	LastRefresh string `json:"last_refresh"`
-	// Email is the OpenAI account email
+	// Email is the OpenAI account email address associated with this token.
 	Email string `json:"email"`
-	// Type indicates the type (gemini, chatgpt, claude) of token storage.
+	// Type indicates the authentication provider type, always "codex" for this storage.
 	Type string `json:"type"`
-	// Expire is the timestamp of the token expire
+	// Expire is the timestamp when the current access token expires.
 	Expire string `json:"expired"`
 }

-// SaveTokenToFile serializes the token storage to a JSON file.
+// SaveTokenToFile serializes the Codex token storage to a JSON file.
+// This method creates the necessary directory structure and writes the token
+// data in JSON format to the specified file path for persistent storage.
+//
+// Parameters:
+//   - authFilePath: The full path where the token file should be saved
+//
+// Returns:
+//   - error: An error if the operation fails, nil otherwise
 func (ts *CodexTokenStorage) SaveTokenToFile(authFilePath string) error {
 	ts.Type = "codex"
 	if err := os.MkdirAll(path.Dir(authFilePath), 0700); err != nil {