v3.8.17

Fixed

• Codex Desktop remote-control pairing now works with the ChatGPT-subscription
  opt-in (#597). When [proxy] codex_chatgpt_proxy routes Codex through the
  proxy, chatgpt_base_url points every /backend-api/* call at lean-ctx —
  including Codex Desktop's remote-control pairing, which opens a WebSocket to
  chatgpt.com. The /backend-api handler only spoke HTTP/SSE (it even stripped the
  Upgrade/Connection headers), so the pairing handshake never completed and
  remote control stayed broken. The proxy now detects a WebSocket upgrade on
  /backend-api and tunnels it verbatim through to wss://chatgpt.com, replaying
  the client's auth plus the shared Cloudflare clearance and relaying every frame
  in both directions. Opening that wss:// socket needs a process-default rustls
  CryptoProvider; because the dependency tree pulls both aws-lc-rs (reqwest)
  and ring (lettre/ureq), tokio-tungstenite couldn't auto-pick one and the TLS
  handshake aborted — so the proxy now installs aws-lc-rs (reqwest's provider) at
  startup. Model-turn compression on /backend-api/codex/responses is unchanged,
  and the default native ChatGPT path (opt-in off) was never affected.
  Verified end-to-end against the live ChatGPT backend: the remote-control enroll
  • WebSocket now reach chatgpt.com identically whether Codex connects directly or
    through the proxy (the proxy is fully transparent).

Upgrade

lean-ctx update                 # recommended (auto-downloads + refreshes shell hooks)
cargo install lean-ctx          # or
npm update -g lean-ctx-bin      # or
brew upgrade lean-ctx

Note: After upgrading via cargo/npm/brew, run lean-ctx setup to refresh shell aliases. lean-ctx update does this automatically.

Full Changelog: v3.8.17...v3.8.17