periodic commit

.codex/config.toml

@@ -209,6 +209,12 @@ approval_mode = "approve"
 [mcp_servers.playwright.tools.browser_click]
 approval_mode = "approve"
 
+[mcp_servers.playwright.tools.browser_type]
+approval_mode = "approve"
+
+[mcp_servers.playwright.tools.browser_tabs]
+approval_mode = "approve"
+
 [mcp_servers.oci-kb]
 command = "/Users/jetpac/.local/bin/ocikb-mcp-server"
 startup_timeout_sec = 30.0
@@ -290,6 +296,15 @@ approval_mode = "approve"
 [mcp_servers.devops_mcp.tools.get_shepherd_execution_target_state]
 approval_mode = "approve"
 
+[mcp_servers.devops_mcp.tools.get_tenancy_by_id]
+approval_mode = "approve"
+
+[mcp_servers.devops_mcp.tools.list_subscription_mappings]
+approval_mode = "approve"
+
+[mcp_servers.devops_mcp.tools.list_subscriptions]
+approval_mode = "approve"
+
 [mcp_servers.mcp_shepherd]
 command = "uvx"
 args = ["--default-index", "https://artifactory.oci.oraclecorp.com/api/pypi/global-release-pypi/simple/", "--from", "mcp-shepherd-server", "mcp-shepherd", "--transport", "stdio"]
@@ -352,6 +367,9 @@ approval_mode = "approve"
 [mcp_servers.mcp_shepherd.tools.shepherd_get_latest_static_analysis_for_execution_target]
 approval_mode = "approve"
 
+[mcp_servers.mcp_shepherd.tools.shepherd_get_release_phase_target_guardrails_metadata]
+approval_mode = "approve"
+
 [mcp_servers.grt]
 command = "/Users/jetpac/.codex/bin/grt-mcp"
 startup_timeout_sec = 30.0
@@ -450,6 +468,9 @@ approval_mode = "approve"
 [mcp_servers.central_confluence.tools.confluence_get_macro_hints]
 approval_mode = "approve"
 
+[mcp_servers.central_confluence.tools.confluence_search_user]
+approval_mode = "approve"
+
 [mcp_servers.notmuch]
 command = "node"
 args = ["/Users/jetpac/Documents/codex-tools/MCPs/notmuch/dist/index.js"]
@@ -537,7 +558,7 @@ BITBUCKET_ENABLE_READ_ONLY = "true"
 BITBUCKET_ENABLE_SAFE_WRITE = "true"
 BITBUCKET_URL = "https://bitbucket.oci.oraclecorp.com"
 MCP_PROJECT_DEFAULT = "ODAAS"
-MCP_PROJECT_LIST = "ODAAS"
+MCP_PROJECT_LIST = "ODAAS,CARE"
 
 [mcp_servers.oracle-bitbucket.tools.get_activities]
 approval_mode = "approve"
@@ -569,6 +590,9 @@ approval_mode = "approve"
 [mcp_servers.oracle-bitbucket.tools.search]
 approval_mode = "approve"
 
+[mcp_servers.oracle-bitbucket.tools.browse_repository]
+approval_mode = "approve"
+
 [mcp_servers.mcp-atlassian]
 command = "uvx"
 args = ["--python=3.11", "mcp-atlassian"]
@@ -892,6 +916,33 @@ trust_level = "trusted"
 [projects."/private/tmp/merge-marian/oci-desktop-service-shepherd"]
 trust_level = "trusted"
 
+[projects."/Users/jetpac/Documents/akidr/ips-repo-pkg-delivery"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/OSD/guardrails-skill"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/11.4.93"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/OSD/merino"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/codex"]
+trust_level = "trusted"
+
+[projects."/private/tmp/hjovno"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/codex/update-solarisx86-linux"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/Documents/codex/symphony"]
+trust_level = "trusted"
+
+[projects."/Users/jetpac/src/symphony"]
+trust_level = "trusted"
+
 [marketplaces.openai-bundled]
 last_updated = "2026-05-05T21:54:34Z"
 source_type = "local"
@@ -1003,3 +1054,39 @@ approval_mode = "approve"
 
 [mcp_servers.mcp_gateway.tools.jira__jira_get_issue_development_info]
 approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_flocks]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_releases]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_details]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_phase_target_guardrails_metadata]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__list_shepherd_execution_targets_for_flock]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_phase_execution_targets]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_target_blocker]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__list_shepherd_system_settings]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.devops__list_shepherd_system_setting_names]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.jirasd__jira_search]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.sks__search]
+approval_mode = "approve"
+
+[mcp_servers.mcp_gateway.tools.kcm__search]
+approval_mode = "approve"

.spacemacs

@@ -1077,6 +1077,7 @@ before packages are loaded."
                              "~/Documents/org/work/oracle.org"
                              "~/Documents/org/someday.org"
                              "~/Documents/org/calendar.org"
+                             "~/Documents/organice/telefon.org"
                              ))
 
 

.ssh/config.oci

@@ -8,7 +8,7 @@ Host bitbucket.oci.oraclecorp.com
 	HostkeyAlgorithms +ssh-rsa
 	PubkeyAcceptedAlgorithms +ssh-rsa
 
-Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com
+Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com scapen*
 	User pnyc
 	IdentityFile ~/.ssh/dabel.key
   RequestTTY yes
@@ -17,3 +17,35 @@ Host codex.webad1phx.solarisx86phx.oraclevcn.com
   User pnyc
   IdentityFile ~/.ssh/id_rsa
   IdentitiesOnly yes
+
+Host operator-access-token.svc.ad1.r2
+  User pnyc
+
+Host jenkins-java-test
+  HostName 100.106.196.24
+  User opc
+  IdentityFile ~/.ssh/id_rsa
+  IdentitiesOnly yes
+  WarnWeakCrypto no
+
+Host nginx-osd-dev
+  HostName 100.106.197.175
+  User opc
+  IdentityFile ~/.ssh/osd-dev-pnyc
+  IdentitiesOnly yes
+  WarnWeakCrypto no
+
+Host osd-calico-dev
+  HostName 100.106.197.237
+  User opc
+  IdentityFile ~/.ssh/id_ed25519
+  IdentitiesOnly yes
+  WarnWeakCrypto no
+
+Host pnyc-ws
+  HostName 100.106.196.59
+  User opc
+  IdentityFile ~/.ssh/id_pnyc-ws
+  IdentitiesOnly yes
+  WarnWeakCrypto no
+  ForwardAgent yes

.ssh/config.solaris

@@ -160,9 +160,15 @@ Host adam-test
 	HostName 100.106.212.188
 	User opc
 
-Host nori nori.commonsub.zsphx.oraclevcn.com
-	Hostname nori.commonsub.zsphx.oraclevcn.com
+# Host nori nori.commonsub.zsphx.oraclevcn.com
+# 	Hostname nori.commonsub.zsphx.oraclevcn.com
+# 	User opc
+
+Host nori sfzfs-nori.commonsub.zsphx.oraclevcn.com
+     Hostname sfzfs-nori.commonsub.zsphx.oraclevcn.com
      User opc
+     IdentityFile ~/.ssh/nori
+
 
 # Host operator-access-token.svc.ad1.r2  bastion*.oracleiaas.com
 # 	Include ~/.ssh/ssh_configs/config

bin/codex-wrapper.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env zsh
+
+export BITBUCKET_TOKEN=NzQ0MDE3NjEzNDE1Oh6PpMt8Rl+a569vzoPOfCRJ+Kwt
+"$HOME/bin/codex-devops-auth.sh" -a on-request -s danger-full-access "$@"
+

bin/load-yubikey-piv-ssh

@@ -0,0 +1,258 @@
+#!/bin/zsh
+# Load YubiKey PIV SSH keys into the macOS launchd-managed ssh-agent.
+# The default health check verifies the PIV AUTH key with ssh-add -T so
+# listed-but-stale PKCS#11 keys are reloaded instead of being trusted.
+set -u
+
+PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"
+PIV_KEY_PATTERN="${PIV_KEY_PATTERN:-PIV AUTH pubkey|SIGN pubkey|KEY MAN pubkey|CARD AUTH pubkey}"
+PIV_AUTH_PATTERN="${PIV_AUTH_PATTERN:-PIV AUTH pubkey}"
+VERIFY_MODE="auth"
+TMP_DIRS=()
+SCRIPT_NAME="${0:t}"
+
+usage() {
+  # Print the small CLI surface; normal operation intentionally has few knobs.
+  cat <<EOF
+Usage: ${SCRIPT_NAME} [--no-verify] [--help]
+
+Safely load YubiKey PIV keys into the macOS launchd ssh-agent.
+
+Options:
+  --no-verify  Only check whether PIV keys are listed in the agent.
+  --help       Show this help.
+
+Environment:
+  PKCS11_LIB     PKCS#11 provider path. Default: /usr/local/lib/opensc-pkcs11.so
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --no-verify)
+      VERIFY_MODE="none"
+      ;;
+    --help|-h)
+      usage
+      exit 0
+      ;;
+    *)
+      print -u2 -- "load-yubikey-piv-ssh: unknown option: $1"
+      usage >&2
+      exit 2
+      ;;
+  esac
+  shift
+done
+
+cleanup() {
+  # Remove temporary public-key files created for ssh-add -T verification.
+  local dir
+  for dir in "${TMP_DIRS[@]}"; do
+    [[ -n "${dir}" && -d "${dir}" ]] && rm -rf -- "${dir}"
+  done
+}
+trap cleanup EXIT INT TERM
+
+die() {
+  # Report a fatal script error with a stable prefix for shell output.
+  print -u2 -- "load-yubikey-piv-ssh: $*"
+  exit 1
+}
+
+note() {
+  # Emit status messages to stderr so stdout stays clean for callers.
+  print -u2 -- "load-yubikey-piv-ssh: $*"
+}
+
+agent_socket() {
+  # Return the launchd-published ssh-agent socket if it exists.
+  local sock
+  sock="$(launchctl getenv SSH_AUTH_SOCK 2>/dev/null || true)"
+  [[ -n "${sock}" && -S "${sock}" ]] || return 1
+  print -r -- "${sock}"
+}
+
+use_launchd_agent() {
+  # Force this shell to use Apple's launchd-managed agent socket and ignore
+  # stale SSH_AGENT_PID values from manually started agents.
+  local sock
+  sock="$(agent_socket)" || die "could not find launchd SSH_AUTH_SOCK"
+  export SSH_AUTH_SOCK="${sock}"
+  unset SSH_AGENT_PID
+}
+
+agent_has_piv_keys() {
+  # Check for any listed YubiKey PIV identities in the active agent.
+  ssh-add -l 2>/dev/null | egrep -q "${PIV_KEY_PATTERN}"
+}
+
+loaded_piv_public_keys() {
+  # Select loaded public keys for either health verification or no-verify mode.
+  local pattern
+  case "${VERIFY_MODE}" in
+    auth) pattern="${PIV_AUTH_PATTERN}" ;;
+    none) pattern="${PIV_KEY_PATTERN}" ;;
+    *) die "internal error: unknown verify mode: ${VERIFY_MODE}" ;;
+  esac
+
+  ssh-add -L 2>/dev/null | egrep "${pattern}" || true
+}
+
+verify_loaded_piv_keys() {
+  # Export the loaded PIV AUTH public key to a temp file and ask ssh-add to
+  # perform a local sign-and-verify operation through the agent.
+  [[ "${VERIFY_MODE}" == "none" ]] && return 0
+
+  local tmp key_file line count
+  local -a key_files
+
+  tmp="$(mktemp -d "${TMPDIR:-/tmp}/load-yubikey-piv-ssh.XXXXXX")" ||
+    die "failed to create temporary directory"
+  TMP_DIRS+=("${tmp}")
+
+  count=0
+  while IFS= read -r line; do
+    [[ -n "${line}" ]] || continue
+    count=$((count + 1))
+    key_file="${tmp}/piv-${count}.pub"
+    print -r -- "${line}" >| "${key_file}" ||
+      die "failed to write temporary public key"
+    chmod 600 "${key_file}" || die "failed to chmod temporary public key"
+    key_files+=("${key_file}")
+  done < <(loaded_piv_public_keys)
+
+  if [[ "${count}" -eq 0 ]]; then
+    note "no matching PIV AUTH public key found for verification"
+    return 1
+  fi
+
+  SSH_ASKPASS_REQUIRE=never ssh-add -T "${key_files[@]}" >/dev/null 2>&1
+}
+
+agent_has_healthy_piv_keys() {
+  # A healthy state requires both listed PIV keys and a successful sign test.
+  if ! agent_has_piv_keys; then
+    return 1
+  fi
+
+  if verify_loaded_piv_keys; then
+    return 0
+  fi
+
+  return 1
+}
+
+agent_responds() {
+  # Treat "no identities" as a working agent, but reject broken sockets.
+  ssh-add -l >/dev/null 2>&1
+  case "$?" in
+    0|1) return 0 ;;  # 1 means a reachable agent with no identities.
+    *) return 1 ;;
+  esac
+}
+
+restart_launchd_agent() {
+  # Restart only the launchd-managed ssh-agent. macOS may block kickstart under
+  # SIP, so fall back to terminating the exact PID reported by launchctl.
+  local pid
+  local i
+
+  note "restarting launchd ssh-agent"
+
+  if launchctl kickstart -k "gui/${UID}/com.openssh.ssh-agent" >/dev/null 2>&1; then
+    sleep 1
+    use_launchd_agent
+    return 0
+  fi
+
+  pid="$(launchctl print "gui/${UID}/com.openssh.ssh-agent" 2>/dev/null |
+    awk '/pid = / { print $3; exit }')"
+
+  if [[ -n "${pid}" ]]; then
+    note "launchctl kickstart failed; terminating launchd ssh-agent pid ${pid}"
+    kill -TERM "${pid}" >/dev/null 2>&1 ||
+      die "failed to terminate launchd ssh-agent pid ${pid}"
+
+    for i in {1..10}; do
+      kill -0 "${pid}" >/dev/null 2>&1 || break
+      sleep 0.2
+    done
+
+    if kill -0 "${pid}" >/dev/null 2>&1; then
+      note "launchd ssh-agent pid ${pid} did not exit after TERM; sending KILL"
+      kill -KILL "${pid}" >/dev/null 2>&1 ||
+        die "failed to kill launchd ssh-agent pid ${pid}"
+    fi
+  else
+    note "launchctl kickstart failed and no running launchd ssh-agent pid was found"
+  fi
+
+  use_launchd_agent
+
+  if ! agent_responds; then
+    die "failed to restart launchd ssh-agent"
+  fi
+}
+
+load_provider() {
+  # Load the OpenSC PKCS#11 provider and force PIN entry on the terminal.
+  SSH_ASKPASS_REQUIRE=never ssh-add -s "${PKCS11_LIB}"
+}
+
+verify_or_report_stale() {
+  # Treat listed PIV keys as healthy only after verification succeeds.
+  if agent_has_healthy_piv_keys; then
+    case "${VERIFY_MODE}" in
+      none) note "PIV keys are already loaded" ;;
+      auth) note "PIV AUTH key is already loaded and verified" ;;
+    esac
+    return 0
+  fi
+
+  if agent_has_piv_keys; then
+    note "PIV keys are listed but failed verification; treating agent as stale"
+  fi
+
+  return 1
+}
+
+[[ -r "${PKCS11_LIB}" ]] || die "PKCS#11 library is not readable: ${PKCS11_LIB}"
+
+use_launchd_agent
+
+if verify_or_report_stale; then
+  exit 0
+fi
+
+if agent_has_piv_keys; then
+  restart_launchd_agent
+elif ! agent_responds; then
+  restart_launchd_agent
+fi
+
+if load_provider && agent_has_healthy_piv_keys; then
+  case "${VERIFY_MODE}" in
+    none) note "PIV keys loaded" ;;
+    auth) note "PIV keys loaded and PIV AUTH key verified" ;;
+  esac
+  exit 0
+fi
+
+note "initial load failed; checking agent state"
+
+if verify_or_report_stale; then
+  exit 0
+fi
+
+restart_launchd_agent
+
+if load_provider && agent_has_healthy_piv_keys; then
+  case "${VERIFY_MODE}" in
+    none) note "PIV keys loaded after agent restart" ;;
+    auth) note "PIV keys loaded after agent restart and PIV AUTH key verified" ;;
+  esac
+  exit 0
+fi
+
+die "failed to load and verify PIV keys"