fix(audit): deep whole-repo hardening (20260228-073529)

index.ts

@@ -389,7 +389,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
                 validate: (input: string): string | undefined => {
                         const parsed = parseAuthorizationInput(input);
                         if (!parsed.code) {
-                                return "No authorization code found. Paste the full callback URL (e.g., http://localhost:1455/auth/callback?code=...)";
+                                return `No authorization code found. Paste the full callback URL (e.g., ${REDIRECT_URI}?code=...)`;
                         }
                         if (!parsed.state) {
                                 return "Missing OAuth state. Paste the full callback URL including both code and state parameters.";

lib/auth/auth.ts

@@ -8,7 +8,7 @@ import { safeParseOAuthTokenResponse } from "../schemas.js";
 export const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 export const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
 export const TOKEN_URL = "https://auth.openai.com/oauth/token";
-export const REDIRECT_URI = "http://localhost:1455/auth/callback";
+export const REDIRECT_URI = "http://127.0.0.1:1455/auth/callback";
 export const SCOPE = "openid profile email offline_access";
 
 /**
@@ -44,6 +44,10 @@ export function parseAuthorizationInput(input: string): ParsedAuthInput {
 		if (code || state) {
 			return { code, state };
 		}
+
+		// Input is a valid URL but does not contain OAuth parameters.
+		// Do not reinterpret URL fragments as "code#state" fallback syntax.
+		return {};
 	} catch {
 		// Invalid URL, try other parsing methods
 	}