login-bridge

Author: EstebanForge

CHANGELOG.md

@@ -10,6 +10,8 @@ All notable changes to Construct CLI will be documented in this file.
   - Enabled by default, configurable via `propagate_git_identity` in `config.toml`.
   - Safely injects values as `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, etc., without mounting potentially incompatible host git configs.
 - **Improved Shell Prompt**: Container hostname is now set to `sandbox` (was random ID) for a cleaner prompt experience: `construct@sandbox:/workspace$`.
+- **Headless Login Bridge**: New `construct sys login-bridge` command to enable local browser login callbacks for headless-unfriendly agents (Codex, OpenCode with OpenAI GPT or Google Gemini).
+  - Runs until interrupted and forwards `localhost` OAuth callbacks into the container.
 
 ## [0.7.0] - 2025-12-24
 
@@ -44,7 +46,7 @@ All notable changes to Construct CLI will be documented in this file.
   - Automatic permission fixing (0600) and matching `.pub`/`known_hosts` support.
   - Smart logic to skip selection if only one key is found.
 - **Config Restoration**: New `construct sys restore-config` command to immediately recover from configuration backups.
-- **Shell Productivity Enhancements**: 
+- **Shell Productivity Enhancements**:
   - Automatic management of `.bash_aliases` inside the container.
   - Standard aliases included: `ll`, `la`, `l`, and color-coded `ls`/`grep`.
   - Zsh-like navigation shortcuts: `..`, `...`, `....`.

cmd/construct/main.go

@@ -123,6 +123,7 @@ func main() {
 			fmt.Println("  doctor           # Check system health")
 			fmt.Println("  ssh-import       # Import SSH keys from host into The Construct (for when no SSH Agent is in use)")
 			fmt.Println("  restore-config   # Restore config from backup")
+			fmt.Println("  login-bridge     # Start a temporary localhost login callback bridge for headless-unfriendly agents")
 			os.Exit(1)
 		}
 		handleSysCommand(args[1:], cfg)
@@ -264,6 +265,8 @@ func handleSysCommand(args []string, cfg *config.Config) {
 		sys.SSHImport()
 	case "restore-config":
 		sys.RestoreConfig()
+	case "login-bridge":
+		sys.LoginBridge(args[1:])
 	default:
 		fmt.Printf("Unknown system command: %s\n", args[0])
 		fmt.Println("Run 'construct sys' for a list of available commands.")

internal/agent/runner.go

@@ -4,7 +4,10 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	stdruntime "runtime"
+	"sort"
+	"strconv"
 	"strings"
 
 	"github.com/EstebanForge/construct-cli/internal/clipboard"
@@ -16,6 +19,10 @@ import (
 	"github.com/EstebanForge/construct-cli/internal/ui"
 )
 
+const defaultLoginForwardPorts = "1455,8085"
+const loginForwardListenOffset = 10000
+const loginBridgeFlagFile = ".login_bridge"
+
 // RunWithArgs executes an agent inside the container with optional network override.
 func RunWithArgs(args []string, networkFlag string) {
 	cfg, _, err := config.Load()
@@ -307,11 +314,18 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 	}
 
 	var cmd *exec.Cmd
+	loginForward, loginPorts := shouldEnableLoginForward(args)
 
 	// Build the run command based on runtime
 	if containerRuntime == "docker" {
 		if _, err := exec.LookPath("docker-compose"); err == nil {
 			runArgs := append(composeArgs, "run", "--rm")
+			if loginForward {
+				for _, port := range loginPorts {
+					listenPort := port + loginForwardListenOffset
+					runArgs = append(runArgs, "-p", fmt.Sprintf("127.0.0.1:%d:%d", port, listenPort))
+				}
+			}
 			// Add host.docker.internal for Linux
 			if stdruntime.GOOS == "linux" {
 				runArgs = append(runArgs, "--add-host", "host.docker.internal:host-gateway")
@@ -328,6 +342,11 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 					break
 				}
 			}
+			if loginForward {
+				runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD=1")
+				runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD_PORTS="+formatPorts(loginPorts))
+				runArgs = append(runArgs, "-e", fmt.Sprintf("CONSTRUCT_LOGIN_FORWARD_LISTEN_OFFSET=%d", loginForwardListenOffset))
+			}
 			// Inject provider env vars
 			for _, envVar := range providerEnv {
 				runArgs = append(runArgs, "-e", envVar)
@@ -339,6 +358,12 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 			runArgs := []string{"compose"}
 			runArgs = append(runArgs, composeArgs...)
 			runArgs = append(runArgs, "run", "--rm")
+			if loginForward {
+				for _, port := range loginPorts {
+					listenPort := port + loginForwardListenOffset
+					runArgs = append(runArgs, "-p", fmt.Sprintf("127.0.0.1:%d:%d", port, listenPort))
+				}
+			}
 			// Add host.docker.internal for Linux
 			if stdruntime.GOOS == "linux" {
 				runArgs = append(runArgs, "--add-host", "host.docker.internal:host-gateway")
@@ -355,6 +380,11 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 					break
 				}
 			}
+			if loginForward {
+				runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD=1")
+				runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD_PORTS="+formatPorts(loginPorts))
+				runArgs = append(runArgs, "-e", fmt.Sprintf("CONSTRUCT_LOGIN_FORWARD_LISTEN_OFFSET=%d", loginForwardListenOffset))
+			}
 			// Inject provider env vars
 			for _, envVar := range providerEnv {
 				runArgs = append(runArgs, "-e", envVar)
@@ -365,6 +395,12 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 		}
 	} else if containerRuntime == "podman" {
 		runArgs := append(composeArgs, "run", "--rm")
+		if loginForward {
+			for _, port := range loginPorts {
+				listenPort := port + loginForwardListenOffset
+				runArgs = append(runArgs, "-p", fmt.Sprintf("127.0.0.1:%d:%d", port, listenPort))
+			}
+		}
 		// Add host.docker.internal for Linux
 		if stdruntime.GOOS == "linux" {
 			runArgs = append(runArgs, "--add-host", "host.docker.internal:host-gateway")
@@ -381,6 +417,11 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 				break
 			}
 		}
+		if loginForward {
+			runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD=1")
+			runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD_PORTS="+formatPorts(loginPorts))
+			runArgs = append(runArgs, "-e", fmt.Sprintf("CONSTRUCT_LOGIN_FORWARD_LISTEN_OFFSET=%d", loginForwardListenOffset))
+		}
 		// Inject provider env vars
 		for _, envVar := range providerEnv {
 			runArgs = append(runArgs, "-e", envVar)
@@ -392,6 +433,12 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 		runArgs := []string{"compose"}
 		runArgs = append(runArgs, composeArgs...)
 		runArgs = append(runArgs, "run", "--rm")
+		if loginForward {
+			for _, port := range loginPorts {
+				listenPort := port + loginForwardListenOffset
+				runArgs = append(runArgs, "-p", fmt.Sprintf("127.0.0.1:%d:%d", port, listenPort))
+			}
+		}
 		// Add host.docker.internal for Linux
 		if stdruntime.GOOS == "linux" {
 			runArgs = append(runArgs, "--add-host", "host.docker.internal:host-gateway")
@@ -408,6 +455,11 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 				break
 			}
 		}
+		if loginForward {
+			runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD=1")
+			runArgs = append(runArgs, "-e", "CONSTRUCT_LOGIN_FORWARD_PORTS="+formatPorts(loginPorts))
+			runArgs = append(runArgs, "-e", fmt.Sprintf("CONSTRUCT_LOGIN_FORWARD_LISTEN_OFFSET=%d", loginForwardListenOffset))
+		}
 		// Inject provider env vars
 		for _, envVar := range providerEnv {
 			runArgs = append(runArgs, "-e", envVar)
@@ -439,3 +491,71 @@ func runWithProviderEnv(args []string, cfg *config.Config, containerRuntime, con
 		os.Exit(1)
 	}
 }
+
+func shouldEnableLoginForward(args []string) (bool, []int) {
+	if ports, ok := readLoginBridgePorts(); ok {
+		return true, ports
+	}
+	for _, arg := range args {
+		if arg == "login" || arg == "auth" {
+			ports := parsePorts(defaultLoginForwardPorts)
+			if len(ports) == 0 {
+				return true, []int{1455}
+			}
+			return true, ports
+		}
+	}
+	return false, nil
+}
+
+func readLoginBridgePorts() ([]int, bool) {
+	path := filepath.Join(config.GetConfigDir(), loginBridgeFlagFile)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, false
+	}
+	raw := strings.TrimSpace(string(data))
+	ports := parsePorts(raw)
+	if len(ports) == 0 {
+		ports = parsePorts(defaultLoginForwardPorts)
+	}
+	if len(ports) == 0 {
+		return []int{1455}, true
+	}
+	return ports, true
+}
+
+func parsePorts(raw string) []int {
+	parts := strings.FieldsFunc(raw, func(r rune) bool {
+		return r == ',' || r == ' ' || r == '\t' || r == '\n'
+	})
+	seen := make(map[int]struct{})
+	ports := make([]int, 0, len(parts))
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+		port, err := strconv.Atoi(part)
+		if err != nil || port <= 0 {
+			continue
+		}
+		if _, exists := seen[port]; exists {
+			continue
+		}
+		seen[port] = struct{}{}
+		ports = append(ports, port)
+	}
+	sort.Ints(ports)
+	return ports
+}
+
+func formatPorts(ports []int) string {
+	if len(ports) == 0 {
+		return ""
+	}
+	parts := make([]string, 0, len(ports))
+	for _, port := range ports {
+		parts = append(parts, strconv.Itoa(port))
+	}
+	return strings.Join(parts, ",")
+}

internal/sys/login_bridge.go

@@ -0,0 +1,111 @@
+package sys
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/EstebanForge/construct-cli/internal/config"
+)
+
+const defaultLoginBridgePorts = "1455,8085"
+const loginBridgeFlagFile = ".login_bridge"
+
+// LoginBridge enables localhost login callback forwarding until interrupted.
+func LoginBridge(args []string) {
+	fs := flag.NewFlagSet("login-bridge", flag.ContinueOnError)
+	fs.SetOutput(os.Stdout)
+	ports := fs.String("ports", defaultLoginBridgePorts, "Comma-separated callback ports for login flows")
+
+	if err := fs.Parse(args); err != nil {
+		fmt.Println("Usage: construct sys login-bridge [--ports 1455,8085]")
+		return
+	}
+
+	normalized := normalizePortList(*ports)
+	if normalized == "" {
+		normalized = defaultLoginBridgePorts
+	}
+
+	if err := os.MkdirAll(config.GetConfigDir(), 0755); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: Failed to create config directory: %v\n", err)
+		return
+	}
+
+	flagPath := filepath.Join(config.GetConfigDir(), loginBridgeFlagFile)
+	if err := os.WriteFile(flagPath, []byte(fmt.Sprintf("%s\n", normalized)), 0644); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: Failed to enable login bridge: %v\n", err)
+		return
+	}
+	defer func() {
+		if err := os.Remove(flagPath); err != nil && !os.IsNotExist(err) {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to remove login bridge flag: %v\n", err)
+		}
+	}()
+
+	fmt.Printf("Login bridge active on localhost ports: %s\n", normalized)
+	fmt.Println("Run your agent login in another terminal window.")
+	fmt.Println("Press Enter to stop the bridge.")
+
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, os.Interrupt, syscall.SIGTERM)
+
+	inputChan := make(chan struct{}, 1)
+	go func() {
+		reader := bufio.NewReader(os.Stdin)
+		if _, err := reader.ReadString('\n'); err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to read input: %v\n", err)
+		}
+		inputChan <- struct{}{}
+	}()
+
+	select {
+	case <-signalChan:
+	case <-inputChan:
+	}
+
+	fmt.Println("Login bridge stopped.")
+}
+
+func normalizePortList(raw string) string {
+	ports := parsePorts(raw)
+	if len(ports) == 0 {
+		return ""
+	}
+	parts := make([]string, 0, len(ports))
+	for _, port := range ports {
+		parts = append(parts, fmt.Sprintf("%d", port))
+	}
+	return strings.Join(parts, ",")
+}
+
+func parsePorts(raw string) []int {
+	parts := strings.FieldsFunc(raw, func(r rune) bool {
+		return r == ',' || r == ' ' || r == '\t' || r == '\n'
+	})
+	seen := make(map[int]struct{})
+	ports := make([]int, 0, len(parts))
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+		port, err := strconv.Atoi(part)
+		if err != nil || port <= 0 {
+			continue
+		}
+		if _, exists := seen[port]; exists {
+			continue
+		}
+		seen[port] = struct{}{}
+		ports = append(ports, port)
+	}
+	sort.Ints(ports)
+	return ports
+}

internal/templates/entrypoint.sh

@@ -72,7 +72,7 @@ if [ ! -f "$MARKER_FILE" ]; then
         ninja gradle \
         fastmod shellcheck yamllint terraform awscli \
         node@24 python@3 oven-sh/bun/bun jq \
-        vite webpack tlrc || true
+        vite webpack tlrc socat || true
 
     # Install AI agents via Homebrew
     echo "Installing gemini-cli..."
@@ -213,6 +213,21 @@ patch_agent_code() {
 }
 patch_agent_code
 
+# Forward localhost login callbacks to the container when requested.
+if [ "$CONSTRUCT_LOGIN_FORWARD" = "1" ] && command -v socat >/dev/null; then
+    LOGIN_PORTS="${CONSTRUCT_LOGIN_FORWARD_PORTS:-1455}"
+    LISTEN_OFFSET="${CONSTRUCT_LOGIN_FORWARD_LISTEN_OFFSET:-10000}"
+    IFS=', ' read -r -a LOGIN_PORT_LIST <<< "$LOGIN_PORTS"
+    for LOGIN_PORT in "${LOGIN_PORT_LIST[@]}"; do
+        if [ -z "$LOGIN_PORT" ]; then
+            continue
+        fi
+        LISTEN_PORT=$((LOGIN_PORT + LISTEN_OFFSET))
+        socat "TCP-LISTEN:${LISTEN_PORT},fork,bind=0.0.0.0" "TCP:127.0.0.1:${LOGIN_PORT}" >/tmp/login-forward.log 2>&1 &
+        echo "✓ Started login callback forwarder on port ${LISTEN_PORT} -> ${LOGIN_PORT}"
+    done
+fi
+
 # Debug: Check if command exists before exec
 if [ $# -gt 0 ]; then
     if ! command -v "$1" &> /dev/null; then

internal/ui/help.go

@@ -40,6 +40,7 @@ Global Flags:
   construct sys doctor           # Check system health
   construct sys ssh-import       # Import SSH keys from host into The Construct (for when no SSH Agent is in use)
   construct sys restore-config   # Restore config from backup
+  construct sys login-bridge     # Start a temporary localhost login callback bridge for headless-unfriendly agents
 
 [network] Network Management:
   construct network allow api.anthropic.com  # Add domain to allowlist