WebSocket-First Codex Notifications, Cloudflared Tunnel QR/Auth, macOS TaskDock/CPU Cleanup, and OCI A1 Android Containers
Highlights
- Switched Codex realtime notifications to WebSocket-first with SSE fallback, then documented direct WS testing.
- Added Cloudflared tunnel startup to npx codexapp, including a QR code and explicit URL output, and tightened auth so tunnel hosts always require a password.
- Performed macOS ops work: rebuilt a broken TaskDock.app, identified Accessibility permission as the launch blocker, cleared a stuck port, and reduced background CPU by pruning stale processes and caches.
- Explored Android-in-container options on OCI A1: Waydroid/Incus constraints, rooted image availability, and ARM64-compatible Redroid on Docker.
WebSocket-First Realtime Transport
Codex web notifications now prefer WebSockets for long-lived, low-latency streaming, with automatic SSE fallback to preserve resilience. The workflow included build validation, Playwright screenshots, and direct WS testing guidance using wscat for quick sanity checks.
Cloudflared Tunnel UX + Auth Hardening
The CLI startup flow was extended to optionally launch cloudflared tunnel --url http://localhost:<port>, then print the public URL, password, and a terminal QR code for quick mobile access. After tunnel testing, localhost trust checks were corrected so tunnel domains never bypass authentication.
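One way to write the corrected trust check, as an added example that is not the project's own code. It assumes cloudflared runs on the same machine as the app, so tunnel requests arrive from a loopback socket address and must be told apart by their Host and proxy headers; the function names, port, and sample requests are hypothetical.

```javascript
// Added example (not codexapp's code): decide whether a request may skip the password.
// Assumption: cloudflared runs locally, so tunnel traffic has a loopback peer address.
const LOOPBACK_ADDRS = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
// Headers added by a proxy or tunnel; a direct local browser request carries none.
const PROXY_HEADERS = ["cf-connecting-ip", "cf-ray", "x-forwarded-for",
                       "x-forwarded-host", "forwarded"];

// Strip the port from a Host header value, keeping IPv6 brackets.
function hostnameOf(hostHeader) {
  const host = String(hostHeader || "").trim().toLowerCase();
  if (host.startsWith("[")) {
    const end = host.indexOf("]");
    return end === -1 ? "" : host.slice(0, end + 1);
  }
  return host.split(":")[0];
}

// Weak form: trusts the socket peer only, so tunnel traffic counts as local.
function isTrustedLocalWeak(req) {
  return LOOPBACK_ADDRS.has(req.socket.remoteAddress);
}

// Hardened form: loopback peer AND loopback Host AND no proxy headers.
function isTrustedLocal(req) {
  if (!LOOPBACK_ADDRS.has(req.socket.remoteAddress)) return false;
  if (!LOOPBACK_HOSTS.has(hostnameOf(req.headers.host))) return false;
  return !PROXY_HEADERS.some((name) => name in req.headers);
}

function requiresPassword(req) {
  return !isTrustedLocal(req);
}

// Constructed sample requests (Node lowercases header names in req.headers).
const localBrowser = { socket: { remoteAddress: "127.0.0.1" },
                       headers: { host: "localhost:3000" } };
const viaTunnel = { socket: { remoteAddress: "127.0.0.1" },
                    headers: { host: "example-tunnel.trycloudflare.com",
                               "cf-connecting-ip": "203.0.113.7",
                               "x-forwarded-for": "203.0.113.7" } };
// A remote client that sends "Host: localhost" through some other proxy.
const forgedHost = { socket: { remoteAddress: "127.0.0.1" },
                     headers: { host: "localhost", "x-forwarded-for": "203.0.113.7" } };

console.log({ weakTrustsTunnel: isTrustedLocalWeak(viaTunnel),
              tunnelNeedsPassword: requiresPassword(viaTunnel),
              localNeedsPassword: requiresPassword(localBrowser) });
```

The check fails closed: any request that is not provably a direct local one gets the password prompt, including hosts that merely start with "localhost".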
macOS Operational Fixes
A broken TaskDock bundle was rebuilt from Xcode and traced to missing Accessibility authorization (AX trust). Additional ops cleanups included:
- Killing a stale process on port 5173.
- Running a process cleanup pass for unused Node/Java processes.
- Clearing Xcode caches to reclaim disk space.
- Profiling Codex CPU hotspots and pruning extra standalone servers.
OCI A1 Android Containers: Reality Check
On Oracle A1 (ARM64), nested virtualization and binder support are missing, which blocks Incus VMs and Waydroid initialization. A best-effort install confirmed binder module absence. Docker-in-Incus works, but rooted Redroid images found were amd64-only. The practical path on ARM64 was Docker on host with an ARM64 Redroid image (non-rooted), while rooted variants remain unavailable on this architecture.
What’s Next
- If tunnel access is a primary workflow, consider making WebSocket readiness checks explicit in the CLI and surfacing a “tunnel ready” status.
- For Android-on-A1, track ARM64 rooted Redroid images or use a different host with binder/KVM support.