sync: record gateway health check

sync/CURRENT.md

@@ -10,6 +10,25 @@
 
 ## Session Status
 
+### Latest Verified State — 2026-05-12
+
+- Public gateway is reachable:
+  - `/api/dashboard/health` returns `ok`, database `connected`.
+  - `/v1/models` returns the configured model list.
+  - `/v1/chat/completions` accepted a live smoke request from caller `codex-live-gateway-check` and returned `gateway-check-ok`.
+- Tracking works for requests that actually enter the gateway:
+  - Smoke request was recorded in `/api/dashboard/requests`.
+  - 24h metrics showed `8` tracked requests, all routed to `qwen2.5:14b`.
+  - Compression metrics are recorded, but current 24h savings were low: `25` tokens saved across `3` compression operations.
+- Not everything is currently going through the gateway:
+  - `codex-desktop` is marked `live` because of tracked gateway callers, but the configured MacStudio bridge `http://192.168.178.213:3253` was unreachable from Erik during the check.
+  - `microsoft-copilot` is running locally but has `0` gateway requests and the configured MacStudio bridge `http://192.168.178.213:3257` was unreachable from Erik.
+  - GitHub Copilot bridge is running but returns `auth_required`.
+  - M365 Copilot bridge is running but returns `auth_required` / missing Microsoft Graph auth.
+  - Claude bridge is healthy and ready.
+- Security note:
+  - Starting local Codex Bridge on `0.0.0.0` via PM2 was blocked by policy because it would expose local Codex access on the LAN. Use explicit approval plus a narrow network rule or a safer tunnel approach before enabling this persistently.
+
 ### Active Work
 - **Scope:** Sync all chat history + context into `sync/` handoff folder for Codex integration
 - **Repos Modified:** llm-gateway (sync/* only, no code changes)

sync/history/2026-05-12-gateway-health-check.md

@@ -0,0 +1,125 @@
+# Session: LLM Gateway Health Check — 2026-05-12
+
+**Agent:** Codex
+**Status:** Partial success: gateway works, but not all desktop AI clients are captured.
+
+## Checks Performed
+
+- Read `sync/CURRENT.md` first and treated it as the binding handoff state.
+- Checked public gateway surfaces:
+  - `/api/dashboard/health`
+  - `/v1/models`
+  - `/v1/chat/completions`
+- Queried dashboard-only endpoints using the dashboard token internally without printing it:
+  - `/api/dashboard/providers`
+  - `/api/dashboard/subscriptions`
+  - `/api/dashboard/requests`
+  - `/api/dashboard/request-metrics`
+  - `/api/dashboard/clients`
+- Checked PM2 status on Erik.
+- Checked bridge health for Claude, OpenAI/ChatGPT, GitHub Copilot, Codex, and Microsoft 365 Copilot.
+
+## Verified Working
+
+- Gateway process is online in PM2.
+- Dashboard health returns `ok`.
+- Database is connected.
+- `/v1/models` returns the configured model list.
+- A live smoke request to `/v1/chat/completions` succeeded:
+
+```text
+caller: codex-live-gateway-check
+model: qwen2.5:14b
+response: gateway-check-ok
+tokens_in: 83
+tokens_out: 4
+latency_ms: 8363
+```
+
+- The smoke request was immediately visible in dashboard request tracking.
+- Daily request metrics were available:
+
+```text
+total_requests: 8
+total_tokens: 4996
+success_rate: 1
+estimated_api_cost_avoided: 0.033817
+compression_operations: 3
+compression_tokens_saved: 25
+top_model: qwen2.5:14b
+```
+
+## Not Fully Working
+
+- The gateway is not currently capturing every desktop AI interaction.
+- Dashboard client detection showed:
+
+```text
+codex-desktop: live, 2 tracked requests
+claude-desktop: live, 3 tracked requests
+microsoft-copilot: running, 0 gateway requests
+github-copilot: running, 0 gateway requests
+chatgpt: not-connected
+openai-compatible: live, 1 tracked request
+```
+
+- Codex and M365 bridge URLs are configured to MacStudio LAN addresses:
+
+```text
+CODEX_BRIDGE_URL=http://192.168.178.213:3253
+OPENAI_CODEX_URL=http://192.168.178.213:3253
+M365_COPILOT_BRIDGE_URL=http://192.168.178.213:3257
+```
+
+- Erik could not reach either MacStudio bridge during the check:
+
+```text
+192.168.178.213:3253 unreachable
+192.168.178.213:3257 unreachable
+```
+
+- Local Mac checks also showed nothing listening on:
+
+```text
+127.0.0.1:3253
+127.0.0.1:3257
+```
+
+- GitHub Copilot bridge on Erik is online but returns:
+
+```text
+auth_required
+```
+
+- Microsoft 365 Copilot bridge is configured/running but requires Microsoft Graph auth:
+
+```text
+auth_required
+Set MICROSOFT_CLIENT_ID or M365_COPILOT_ACCESS_TOKEN.
+```
+
+## Security Decision
+
+Codex attempted to restart the local Codex bridge on the MacStudio bound to `0.0.0.0:3253`, but the action was rejected by policy because it would persistently expose local Codex subscription access to the LAN via PM2.
+
+Do not work around this. Safer options:
+
+- Start a local bridge bound only to `127.0.0.1` for local-only tests.
+- Use an authenticated/restricted tunnel between Erik and MacStudio.
+- Bind to LAN only after explicit user approval and a narrow firewall/source-IP rule.
+
+## Conclusion
+
+LLM Gateway itself works and tracks requests that pass through it. It does not currently "take everything" because several desktop/subscription clients are either not routed through the gateway, not authenticated, or their MacStudio bridges are unreachable.
+
+## Next Actions
+
+1. Decide the safe connectivity model for MacStudio bridges:
+   - restricted LAN bind,
+   - SSH tunnel,
+   - VPN-only route,
+   - or local-only.
+2. Re-authenticate GitHub Copilot bridge.
+3. Provide Microsoft Graph app/token for M365 Copilot if that bridge should become functional.
+4. Configure actual desktop clients to call `https://llm-gateway.context-x.org/v1` if their tokens should be counted and compressed.
+5. Run another smoke test after bridge connectivity is restored.