Implemented fallback
This provider stays in the repo as the recovery path. It is no longer the preferred long-term UX target, but it still needs to be strict because fallback tools often get used in the messiest moments.
The current implementation expects a runtime command that supports:
codex-app-linux web --bind <ip> --port <port> --token-file <path>
The launcher does not bless a runtime by filename alone.
Instead, a runtime becomes manageable when:
- it starts with the expected CLI shape
- it writes valid runtime metadata
- the live process arguments match the launcher expectations
- the launcher captures and persists a process fingerprint for later reuse and stop checks
The provider is expected to write a JSON file at:
<token-file>.runtime
Expected fields:
pidbindportstartedAttokenFileauthDisabled
For the browser-shell provider, tokenFile is treated as required in practice because the launcher uses it as part of the ownership check.
After a healthy launch, the launcher writes a managed fingerprint file at:
${XDG_STATE_HOME:-$HOME/.local/state}/codex-ubuntu/runtime.fingerprint.json
That fingerprint is required for later reuse and stop behavior. A merely healthy loopback service without a matching launcher fingerprint is treated as unverified and will not be reused.
The current fingerprint includes:
pidAtCaptureprocStarttimeAtCapturecmdlineSha256procExe
The launcher currently checks:
http://<bind>:<port>/__webstrapper/healthz
The launcher will only stop the runtime when:
- runtime metadata is valid
/proc/<pid>/cmdlinestill matches the expected bind, port, and token file/proc/<pid>/statstill matches the captured process start time- the live process still matches the stored launcher fingerprint