From 9919b5905712308fb56c3ad9f5b99f1346999e94 Mon Sep 17 00:00:00 2001 From: Petr Nyc Date: Mon, 1 Jun 2026 10:11:31 +0200 Subject: [PATCH] before SSO migration --- .codex/config.toml | 223 +++++++++++++++++---------------------- .spacemacs | 13 ++- .ssh/config.oci | 3 + .ssh/config.solaris | 2 +- .zshenv | 5 +- bin/codex-devops-auth.sh | 66 +++++++++++- bin/codex-wrapper.sh | 148 +++++++++++++++++++++++--- 7 files changed, 316 insertions(+), 144 deletions(-) diff --git a/.codex/config.toml b/.codex/config.toml index 86be3d8..bbbbe74 100644 --- a/.codex/config.toml +++ b/.codex/config.toml @@ -11,11 +11,8 @@ # #+end_src -# model = "oca/gpt-5.1-codex-mini" -# profile = "gpt-5-1-codex-mini" model = "gpt-5.5" -profile = "gpt-5-5" # web_search is deprecated @@ -31,9 +28,12 @@ personality = "pragmatic" model_reasoning_effort = "medium" +notify = ["/Users/jetpac/.codex/computer-use/Codex Computer Use.app/Contents/SharedSupport/SkyComputerUseClient.app/Contents/MacOS/SkyComputerUseClient", "turn-ended"] + [features] multi_agent = true goals = true +js_repl = false # remote_control = true [agents] @@ -43,6 +43,7 @@ max_depth = 2 [tui] alternate_screen = "always" status_line = ["model-with-reasoning", "current-dir", "git-branch", "run-state", "codex-version", "context-remaining"] +pet = "codex" [tui.model_availability_nux] "gpt-5.5" = 4 
@@ -65,125 +66,7 @@ stream_max_retries = 20 request_max_retries = 20 -[model_providers.oca-chat] -base_url = "https://code-internal.aiservice.us-chicago-1.oci.oraclecloud.com/20250206/app/litellm" -http_headers = { "client" = "codex-cli", "client-version" = "0" } -model = "gpt5" -name = "Oracle Code Assist Chat" -wire_api = "responses" -[profiles.grok-4] -model = "grok4" -model_provider = "oca-chat" -review_model = "grok4" - -[profiles.grok-4-fast-reasoning] -model = "grok4-fast-reasoning" -model_provider = "oca-chat" -review_model = "grok4-fast-reasoning" - -[profiles.grok-code-fast-1] -model = "grok-code-fast-1" -model_provider = "oca-chat" -review_model = "grok-code-fast-1" -[profiles.gpt-4-1] -model = "gpt-4.1" -model_provider = "oca-chat" -review_model = "gpt-4.1" -[profiles.gpt-5] -model = "gpt5" -model_provider = "oca-responses" -review_model = "gpt5" -[profiles.gpt-5-1] -model = "gpt-5.1" -model_provider = "oca-chat" -review_model = "gpt-5.1" -[profiles.gpt-5-2] -model = "gpt-5.2" -model_provider = "oca-responses" -review_model = "gpt-5.2" -[profiles.gpt-5-codex] -model = "gpt-5-codex" -model_provider = "oca-responses" -review_model = "gpt-5-codex" -personality = "pragmatic" -[profiles.gpt-5-1-codex-high] -model = "gpt-5.1-codex" -model_provider = "oca-responses" -review_model = "gpt-5.1-codex" -personality = "pragmatic" -model_reasoning_effort = "high" -[profiles.gpt-5-1-codex] -model = "gpt-5.1-codex" -model_provider = "oca-responses" -review_model = "gpt-5.1-codex" -personality = "pragmatic" -model_reasoning_effort = "medium" - -[profiles.gpt-5-1-codex-mini] -model = "gpt-5.1-codex-mini" -model_provider = "oca-responses" -review_model = "gpt-5.1-codex-mini" -personality = "pragmatic" - - -[profiles.gpt-5-2-codex-high] -model = "gpt-5.2-codex" -model_provider = "oca-responses" -review_model = "gpt-5.2-codex" -personality = "pragmatic" -model_reasoning_effort = "high" -[profiles.gpt-5-2-codex] -model = "gpt-5.2-codex" -model_provider = "oca-responses" 
-review_model = "gpt-5.2-codex" -personality = "pragmatic" -model_reasoning_effort = "medium" -[profiles.gpt-5-2-codex-mini] -model = "gpt-5.2-codex-mini" -model_provider = "oca-responses" -review_model = "gpt-5.2-codex-mini" -personality = "pragmatic" - - -[profiles.gpt-5-3-codex] -model = "gpt-5.3-codex" -model_provider = "oca-responses" -review_model = "gpt-5.3-codex" -personality = "pragmatic" -model_reasoning_effort = "high" - -[profiles.gpt-5-4] -model = "gpt-5.5" -model_provider = "oca-responses" -review_model = "gpt-5.4" -personality = "pragmatic" -model_reasoning_effort = "medium" -plan_mode_reasoning_effort = "high" - -[profiles.gpt-5-4-pro] -model = "gpt-5.4-pro" -model_provider = "oca-responses" -review_model = "gpt-5.4" -personality = "pragmatic" -# model_reasoning_effort = "high" - - - -[profiles.gpt-5-5] -model = "gpt-5.5" -model_provider = "oca-responses" -review_model = "gpt-5.5" -personality = "pragmatic" -model_reasoning_effort = "high" -plan_mode_reasoning_effort = "high" - -[profiles.gpt-5-5.features] -terminal_resize_reflow = true -memories = false -external_migration = false -goals = true -prevent_idle_sleep = false [profiles.gpt-5-5-pro] model = "gpt-5.5-pro" @@ -219,6 +102,12 @@ approval_mode = "approve" [mcp_servers.playwright.tools.browser_tabs] approval_mode = "approve" +[mcp_servers.playwright.tools.browser_run_code] +approval_mode = "approve" + +[mcp_servers.playwright.tools.browser_select_option] +approval_mode = "approve" + [mcp_servers.slack] command = "/Users/jetpac/.codex/bin/slack-mcp-wrapper" startup_timeout_sec = 60.0 
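Review bot: `[mcp_servers.playwright.tools.browser_run_code]` is added with `approval_mode = "approve"`, and by its name this tool executes code in the live browser session, unlike `browser_tabs` and `browser_select_option` next to it. Page content the agent reads is untrusted input, so an auto-approved code-execution tool is where an injected instruction would take effect without a confirmation step. I would leave this one tool out of the auto-approve list and add a comment such as `# browser_run_code runs script in the browser session; keep it behind a confirmation`. What the tool accepts is not visible in this hunk, so confirm against the Playwright MCP server's tool description.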
@@ -243,8 +132,11 @@ enabled_tools = [ [mcp_servers.slack.env] SLACK_MCP_ENABLE_WRITES = "true" # Slack write allowlist: @pnyc self-DM (D7PT0SXMK), @pzahradn DM (D9CF41WHG), -# Kavya Nair DM (D08G5NZAN2C), and C0A71SCTQRM for Codex Slack MCP setup instructions. -SLACK_MCP_WRITE_CHANNEL_ALLOWLIST = "D7PT0SXMK,D9CF41WHG,D08G5NZAN2C,C0A71SCTQRM" +# @jahorak DM (DFYAKGQFL), +# Kavya Nair DM (D08G5NZAN2C), Jacob Paul DM (D090RLVUCUV), +# Owen Roberts DM (DEPU4A2QM), C0A71SCTQRM for Codex Slack MCP setup instructions, +# and C05RJJ18EAF for corparch-core-srv replies. +SLACK_MCP_WRITE_CHANNEL_ALLOWLIST = "D7PT0SXMK,D9CF41WHG,DFYAKGQFL,D08G5NZAN2C,D090RLVUCUV,DEPU4A2QM,C0A71SCTQRM,C05RJJ18EAF" [mcp_servers.slack.tools.conversations_add_message] approval_mode = "approve" @@ -598,6 +490,12 @@ approval_mode = "approve" [mcp_servers.vm.tools.vm_list_machines] approval_mode = "approve" +[mcp_servers.vm.tools.vm_manage_disk] +approval_mode = "approve" + +[mcp_servers.vm.tools.vm_get_resources] +approval_mode = "approve" + [mcp_servers.vcap] command = "node" args = ["/Users/jetpac/Documents/codex-tools/MCPs/vcap-mcp/dist/index.js"] 
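Review bot: `SLACK_MCP_WRITE_CHANNEL_ALLOWLIST` grows from four to eight targets and now includes `C05RJJ18EAF`, which the comment describes as a channel for corparch-core-srv replies rather than a DM. With `SLACK_MCP_ENABLE_WRITES = "true"` and `conversations_add_message` on `approval_mode = "approve"` in the context lines, the agent can post to that shared channel without a per-message confirmation. Either keep the shared channel off the allowlist or drop the auto-approval for the write tool so a human confirms each post. The ID-to-name mapping lives only in the comment, so a line such as `# keep this comment and the allowlist value in the same order` would make drift easier to spot.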
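Review bot: `vm_manage_disk` is auto-approved in the same step as `vm_get_resources`, but by its name it changes machine state while `vm_get_resources` and the existing `vm_list_machines` only read it. A disk operation is hard to undo, so I would not give it `approval_mode = "approve"`; keep the read-only tools auto-approved and leave this one to the default confirmation. If the auto-approval is intentional, say why in a comment above the table, e.g. `# disk changes limited to scratch VMs by the MCP server`. That limit is an assumption that needs checking against the server, since nothing in this hunk shows it.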
@@ -610,6 +508,36 @@ VCAP_MCP_API_KEY = "b6e395b4-7e4b-4ba0-bdcd-a803c5dedbbb" VCAP_MCP_BASE_URL = "https://vcap.us.oracle.com/vcap" VCAP_MCP_ALLOW_MUTATIONS = "false" +[mcp_servers.vcap.tools.vcap_list_templates] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_request] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_list_networks] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_list_groups] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_list_machines] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_list_users] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_get_group] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_list_logs] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_get_machine] +approval_mode = "approve" + +[mcp_servers.vcap.tools.vcap_get_template] +approval_mode = "approve" + [mcp_servers.oracle-bitbucket] command = "node" args = ["/Users/jetpac/Documents/codex-tools/MCPs/bitbucket-mcp/build/index.js"] @@ -1045,8 +973,23 @@ trust_level = "trusted" [projects."/Users/jetpac/PycharmProjects/ips-trunk"] trust_level = "trusted" +[projects."/Users/jetpac/Documents/OSD/oci-desktop-service-console-plugin"] +trust_level = "trusted" + +[projects."/Users/jetpac/PycharmProjects/ips-trunk/solaris/ips/build"] +trust_level = "trusted" + +[projects."/private/tmp/shity"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/codex-tools/codex-src/codex"] +trust_level = "trusted" + +[projects."/Users/jetpac/.codex-sso"] +trust_level = "trusted" + [marketplaces.openai-bundled] -last_updated = "2026-05-05T21:54:34Z" +last_updated = "2026-05-28T10:46:49Z" source_type = "local" source = "/Users/jetpac/.codex/.tmp/bundled-marketplaces/openai-bundled" 
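Review bot: `vcap_request` is auto-approved alongside nine `vcap_list_*`/`vcap_get_*` tools, and unlike them its name suggests a generic request passthrough rather than a fixed read. `VCAP_MCP_ALLOW_MUTATIONS = "false"` in the context lines may limit it to reads, but that is enforced inside the MCP server and cannot be verified from this file. I would leave `vcap_request` out of the auto-approve set. The same `[mcp_servers.vcap.env]` table carries `VCAP_MCP_API_KEY` as a literal in a tracked dotfile. The key should be injected at start-up from the environment or a keychain, for example through a wrapper command like the one the Slack server is launched with, and the committed value rotated.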
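Review bot: `[projects."/private/tmp/shity"]` persists `trust_level = "trusted"` for a directory under `/private/tmp`, which is shared scratch space that any local process can write into and that is cleared periodically. Once the directory is gone, whatever recreates that path inherits the trust entry. I would remove this entry and note the rule in the file, e.g. `# never persist trust for paths under /tmp or /private/tmp`. The new `/Users/jetpac/.codex-sso` entry deserves a one-line comment on why a directory that looks like it holds SSO state is treated as a trusted project. What trust actually grants is not visible in this hunk.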
@@ -1064,9 +1007,22 @@ enabled = true [plugins."presentations@openai-primary-runtime"] enabled = true -[plugins."browser-use@openai-bundled"] +[plugins."browser@openai-bundled"] enabled = true +[desktop] +appearanceTheme = "system" +composerEnterBehavior = "cmdIfMultiline" +preventSleepWhileRunning = false +keepRemoteControlAwakeWhilePluggedIn = false + +[desktop.open-in-target-preferences] +global = "iterm2" + +[desktop.open-in-target-preferences.perPath] +"/Users/jetpac/Documents/codex-worktrees/mail" = "iterm2" +"/Users/jetpac/Documents/OSD/tigera-v1.40.9/tigera-operator-new" = "iterm2" + # [projects."/Users/jetpac/Documents/codex-tools/MCPs/ident-scm-mcp"] # trust_level = "trusted" @@ -1255,3 +1211,20 @@ approval_mode = "approve" [mcp_servers.mcp_gateway.tools.devops__get_region_build_status] approval_mode = "approve" + +[mcp_servers.node_repl] +args = [] +command = "/Applications/Codex.app/Contents/Resources/node_repl" +startup_timeout_sec = 120 + +[mcp_servers.node_repl.env] +NODE_REPL_NATIVE_PIPE_CONNECT_TIMEOUT_MS = "1000" +NODE_REPL_NODE_MODULE_DIRS = "" +NODE_REPL_NODE_PATH = "/Applications/Codex.app/Contents/Resources/node" +NODE_REPL_TRUSTED_CODE_PATHS = "/Users/jetpac/.codex" +CODEX_HOME = "/Users/jetpac/.codex" +NODE_REPL_TRUSTED_BROWSER_CLIENT_SHA256S = "496c7b3cb95b4bc20cff49b513150606e0da0000c92bf752206bee5a6c248423" +BROWSER_USE_AVAILABLE_BACKENDS = "iab" +BROWSER_USE_MARKETPLACE_NAME = "openai-bundled" +NODE_REPL_UNTRUSTED_ENV_ALLOWLIST = "BROWSER_USE_MARKETPLACE_NAME" +CODEX_CLI_PATH = "/Applications/Codex.app/Contents/Resources/codex" diff --git a/.spacemacs b/.spacemacs index e8ff1b1..03882db 100644 --- a/.spacemacs +++ b/.spacemacs @@ -1382,7 +1382,8 @@ This function is called at the very end of Spacemacs initialization." ("Solaris" . "tag:solaris") ("OCI" - . "tag:oci")) + . "tag:oci") + ) :filter "date:1/1/2026.. and (tag:important and tag:action)" :show-empty-searches 
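Review bot: In the new `[mcp_servers.node_repl.env]` table, `NODE_REPL_TRUSTED_CODE_PATHS` covers the whole of `/Users/jetpac/.codex`. That is the same tree that holds `.tmp/bundled-marketplaces` (the `[marketplaces.openai-bundled]` source path earlier in this file) and that an agent session can write to. The hunk does not show what the variable means, but if it relaxes restrictions for code under those paths, it should name the narrowest directory that needs it. The server also gets no `[mcp_servers.node_repl.tools.*]` approval entries, unlike the playwright, slack, vm and vcap servers in this diff, and `js_repl = false` is set under `[features]` in the same commit. A comment saying which REPL path is meant to be active would help. The block looks app-generated, so the change may belong in whatever regenerates it.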
@@ -1400,10 +1401,18 @@ This function is called at the very end of Spacemacs initialization." . "tag:announcement") ("Deployment Calendar events" . "tag:calendar") - ("SGD" . "tag:sgd")) + ("SGD" . "tag:sgd") + ) :filter "tag:osd and date:12/1/2025.. and (tag:unread or tag:important or tag:action)" :show-empty-searches nil) + (notmuch-hello-insert-searches + "Active dev projects needing focus" + ( + ("Linux images" . "tag:linux-images") + ("AK IPS delivery" . "tag:ak-ips or tag:akidr-ips") + ) + ) (notmuch-hello-insert-searches "Solaris Focused" (("Solaris" diff --git a/.ssh/config.oci b/.ssh/config.oci index 955f19f..00ef7a6 100644 --- a/.ssh/config.oci +++ b/.ssh/config.oci @@ -8,6 +8,9 @@ Host bitbucket.oci.oraclecorp.com HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa +Host github.com + IdentityFile ~/.ssh/github.com + Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com scapen* User pnyc IdentityFile ~/.ssh/dabel.key diff --git a/.ssh/config.solaris b/.ssh/config.solaris index 1925fa7..9827740 100644 --- a/.ssh/config.solaris +++ b/.ssh/config.solaris @@ -35,7 +35,7 @@ Host solaris-reviews.us.oracle.com User hg IdentityFile ~/.ssh/id_phabricator -Host hetzner +Host hetzner u444067.your-storagebox.de HostName u444067.your-storagebox.de User u444067 Port 23 diff --git a/.zshenv b/.zshenv index 9059b55..77756f7 100644 --- a/.zshenv +++ b/.zshenv @@ -2,7 +2,7 @@ set -o vi export LC_ALL=en_US.UTF-8 -export PATH=/Users/jetpac/.asdf/shims/:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jetpac/work/flutter/bin:$HOME/.rd/bin:$HOME/bin:$PATH:$HOME/.fzf/bin +export PATH=/Users/jetpac/.asdf/shims/:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jetpac/work/flutter/bin:$HOME/.rd/bin:$HOME/bin:$PATH:$HOME/.fzf/bin:$HOME/Documents/codex-tools/mcpgw-cli/ # homebrew config # output of brew shellenv 
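Review bot: The new `Host github.com` block in .ssh/config.oci sets `IdentityFile ~/.ssh/github.com` but not `IdentitiesOnly yes`, so ssh will still offer every key held by the running agent to github.com in addition to this one. The wrapper scripts in this commit manage dedicated ssh-agents (`SSH_AUTH_SOCK`, `DEDICATED_AGENT_PID`), presumably loaded with work keys, which makes the extra key offers more likely. Suggested addition under the `Host github.com` line: `IdentitiesOnly yes`, unless a `Host *` block outside this hunk already sets it.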
@@ -23,6 +23,9 @@ alias mc='SHELL=/bin/bash mc' alias config='/usr/bin/git --git-dir=$HOME/.cfg/ --work-tree=$HOME' alias -g N="2>&1 " alias pig='ping' + +alias ops='OCI_CLI_PROFILE=solarisx86-us-phoenix-1-apikey ops' + # export PATH=$HOME/.rd/bin # diff --git a/bin/codex-devops-auth.sh b/bin/codex-devops-auth.sh index 7ba4e86..0ec3990 100755 --- a/bin/codex-devops-auth.sh +++ b/bin/codex-devops-auth.sh @@ -17,6 +17,9 @@ OCI_PROFILE_SYNC_PYTHON="${OCI_PROFILE_SYNC_PYTHON:-python3}" OCI_SESSION_VALIDATE_TIMEOUT_SECONDS="${OCI_SESSION_VALIDATE_TIMEOUT_SECONDS:-2}" RESET_AGENT="${RESET_AGENT:-0}" CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_DEVOPS_AUTH_ENV_OUT:-}" +CODEX_DEVOPS_AUTH_CODEX_BIN="${CODEX_DEVOPS_AUTH_CODEX_BIN:-/opt/homebrew/bin/codex}" +CODEX_DEVOPS_AUTH_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_CODEX_PROFILE:-}" +CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE:-gpt-5-5}" DEDICATED_AGENT_PID="" DEDICATED_AGENT_SOCK="" PRESERVE_DEDICATED_AGENT="0" 
@@ -35,6 +38,59 @@ run_oci() { "${OCI_BIN}" --profile "${OCI_PROFILE_NAME}" "$@" } +codex_home() { + print -r -- "${CODEX_HOME:-${HOME}/.codex}" +} + +codex_profile_file_exists() { + local profile="$1" + [[ -r "$(codex_home)/${profile}.config.toml" ]] +} + +resolve_codex_profile() { + if [[ -n "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}" ]]; then + print -r -- "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}" + return 0 + fi + + if codex_profile_file_exists "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}"; then + print -r -- "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}" + fi + + return 0 +} + +args_include_codex_profile() { + local arg + + for arg in "$@"; do + case "${arg}" in + --profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*) + return 0 + ;; + esac + done + + return 1 +} + +codex_profile_flag() { + local version_output version major minor rest + + version_output="$("${CODEX_DEVOPS_AUTH_CODEX_BIN}" --version 2>/dev/null || true)" + version="${version_output##* }" + major="${version%%.*}" + rest="${version#*.}" + minor="${rest%%.*}" + + if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then + print -r -- "--profile-v2" + return 0 + fi + + print -r -- "--profile" +} + resolve_timeout_bin() { local candidate @@ -568,4 +624,12 @@ if [[ -n "${CODEX_DEVOPS_AUTH_ENV_OUT}" ]]; then exit 0 fi -/opt/homebrew/bin/codex "$@" +codex_args=() +if ! args_include_codex_profile "$@"; then + resolved_codex_profile="$(resolve_codex_profile)" + if [[ -n "${resolved_codex_profile}" ]]; then + codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}") + fi +fi +codex_args+=("$@") +"${CODEX_DEVOPS_AUTH_CODEX_BIN}" "${codex_args[@]}" diff --git a/bin/codex-wrapper.sh b/bin/codex-wrapper.sh index 4afff17..dba9f52 100755 --- a/bin/codex-wrapper.sh +++ b/bin/codex-wrapper.sh 
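Review bot: `codex_profile_flag` hard-codes the cutoff `-lt 134` without saying which Codex release changed the flag, and it silently falls back to `--profile` whenever `--version` fails or prints an unexpected format. Add a comment above the function such as `# codex 0.x below 0.134 gets --profile-v2; everything else, including unparseable version output, gets --profile`, and confirm the release fact, which is inferred here from the code alone. `resolve_codex_profile` also needs a line noting that an explicit `CODEX_DEVOPS_AUTH_CODEX_PROFILE` is passed through without the readable-file check applied to the default. The five helpers (`codex_home`, `codex_profile_file_exists`, `resolve_codex_profile`, `args_include_codex_profile`, `codex_profile_flag`) are added again, nearly verbatim, to bin/codex-wrapper.sh in this commit. Moving them into one sourced file would keep the two copies from drifting.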
@@ -7,6 +7,8 @@ MCPGW_SELECTED_SERVERS_FILE="${MCPGW_SELECTED_SERVERS_FILE:-${HOME}/.ora-gateway MCPGW_OP_TOKEN_FILE="${MCPGW_OP_TOKEN_FILE:-${HOME}/.ora-gateway/op-token}" CODEX_DEVOPS_AUTH_SCRIPT="${CODEX_DEVOPS_AUTH_SCRIPT:-${HOME}/bin/codex-devops-auth.sh}" CODEX_BIN="${CODEX_BIN:-/opt/homebrew/bin/codex}" +CODEX_WRAPPER_CODEX_PROFILE="${CODEX_WRAPPER_CODEX_PROFILE:-}" +CODEX_WRAPPER_DEFAULT_CODEX_PROFILE="${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE:-gpt-5-5}" CODEX_WRAPPER_AUTH_ENV_FILE="" CODEX_WRAPPER_DEDICATED_AGENT_PID="" CODEX_WRAPPER_DEDICATED_AGENT_SOCK="" @@ -59,6 +61,59 @@ is_truthy() { esac } +codex_home() { + print -r -- "${CODEX_HOME:-${HOME}/.codex}" +} + +codex_profile_file_exists() { + local profile="$1" + [[ -r "$(codex_home)/${profile}.config.toml" ]] +} + +resolve_codex_profile() { + if [[ -n "${CODEX_WRAPPER_CODEX_PROFILE}" ]]; then + print -r -- "${CODEX_WRAPPER_CODEX_PROFILE}" + return 0 + fi + + if codex_profile_file_exists "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}"; then + print -r -- "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}" + fi + + return 0 +} + +args_include_codex_profile() { + local arg + + for arg in "$@"; do + case "${arg}" in + --profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*) + return 0 + ;; + esac + done + + return 1 +} + +codex_profile_flag() { + local version_output version major minor rest + + version_output="$("${CODEX_BIN}" --version 2>/dev/null || true)" + version="${version_output##* }" + major="${version%%.*}" + rest="${version#*.}" + minor="${rest%%.*}" + + if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then + print -r -- "--profile-v2" + return 0 + fi + + print -r -- "--profile" +} + confluence_selected() { local selected_servers_file="${MCPGW_SELECTED_SERVERS_FILE}" 
@@ -103,13 +158,39 @@ run_mcpgw_required() { prepare_codex_auth() { if [[ ! -x "${CODEX_DEVOPS_AUTH_SCRIPT}" ]]; then - log "Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}" - exit 1 + log "Warning: Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}" + return 1 fi - CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")" + if ! CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"; then + log "Warning: could not create temporary Codex auth environment file." + return 1 + fi + + set +e CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_WRAPPER_AUTH_ENV_FILE}" "${CODEX_DEVOPS_AUTH_SCRIPT}" + local auth_rc=$? + set -e + + if [[ ${auth_rc} -ne 0 ]]; then + log "Warning: Codex DevOps auth helper failed with exit code ${auth_rc}; could not refresh OP token." + return 1 + fi + + if [[ ! -s "${CODEX_WRAPPER_AUTH_ENV_FILE}" ]]; then + log "Warning: Codex DevOps auth helper did not write an auth environment; could not refresh OP token." + return 1 + fi + + set +e source "${CODEX_WRAPPER_AUTH_ENV_FILE}" + local source_rc=$? + set -e + + if [[ ${source_rc} -ne 0 ]]; then + log "Warning: could not load Codex auth environment from ${CODEX_WRAPPER_AUTH_ENV_FILE}; could not refresh OP token." + return 1 + fi CODEX_WRAPPER_DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}" CODEX_WRAPPER_DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}" 
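Review bot: The new `return 1` paths after `mktemp` in `prepare_codex_auth` leave `${CODEX_WRAPPER_AUTH_ENV_FILE}` on disk. On the `source` failure path that file may already hold the auth environment, presumably including the `OP_TOKEN` that `write_gateway_op_token` expects afterwards. Unless a cleanup trap outside this hunk removes it, add `rm -f "${CODEX_WRAPPER_AUTH_ENV_FILE}"` before each of those returns. The `set +e` / `set -e` pairs re-enable errexit unconditionally, so a comment such as `# errexit is assumed on at entry; restored after capturing the helper's status` would record that assumption. The function's body continues past the end of the hunk.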
@@ -120,21 +201,44 @@ write_gateway_op_token() { local token_dir tmp if [[ -z "${OP_TOKEN:-}" ]]; then - log "Cannot write MCP Gateway OP token: OP_TOKEN is empty." - exit 1 + log "Warning: cannot write MCP Gateway OP token: OP_TOKEN is empty." + return 1 fi token_dir="$(dirname -- "${token_file}")" - mkdir -p "${token_dir}" - tmp="$(mktemp "${token_file}.XXXXXX")" - printf '%s\n' "${OP_TOKEN}" > "${tmp}" - chmod 600 "${tmp}" - mv -f "${tmp}" "${token_file}" + if ! mkdir -p "${token_dir}"; then + log "Warning: could not create MCP Gateway token directory: ${token_dir}" + return 1 + fi + + if ! tmp="$(mktemp "${token_file}.XXXXXX")"; then + log "Warning: could not create temporary MCP Gateway OP token file for ${token_file}." + return 1 + fi + + if ! printf '%s\n' "${OP_TOKEN}" > "${tmp}"; then + log "Warning: could not write temporary MCP Gateway OP token file: ${tmp}" + rm -f "${tmp}" >/dev/null 2>&1 || true + return 1 + fi + + if ! chmod 600 "${tmp}"; then + log "Warning: could not set permissions on temporary MCP Gateway OP token file: ${tmp}" + rm -f "${tmp}" >/dev/null 2>&1 || true + return 1 + fi + + if ! mv -f "${tmp}" "${token_file}"; then + log "Warning: could not install MCP Gateway OP token file: ${token_file}" + rm -f "${tmp}" >/dev/null 2>&1 || true + return 1 + fi + log "MCP Gateway auth preflight: wrote fresh operator token to ${token_file}." } refresh_gateway_auth() { - local mcpgw_bin + local mcpgw_bin op_token_refreshed=0 mcpgw_bin="$(command -v mcpgw 2>/dev/null || true)" if [[ -n "${mcpgw_bin}" ]]; then 
@@ -143,13 +247,21 @@ refresh_gateway_auth() { log "Warning: mcpgw not found on PATH; skipping MCP Gateway auth refresh." fi - prepare_codex_auth - write_gateway_op_token + if prepare_codex_auth && write_gateway_op_token; then + op_token_refreshed=1 + else + log "Warning: could not refresh OP token; continuing with existing MCP Gateway token state." + fi if [[ -z "${mcpgw_bin}" ]]; then return 0 fi + if [[ "${op_token_refreshed}" != "1" ]]; then + log "MCP Gateway auth preflight: skipping token-dependent checks because OP token refresh failed." + return 0 + fi + if should_refresh_confluence_cookies; then run_mcpgw_required "${mcpgw_bin}" refresh-cookies else @@ -172,4 +284,12 @@ if is_truthy "${CODEX_WRAPPER_DRY_RUN:-}"; then exit 0 fi -"${CODEX_BIN}" -a on-request -s danger-full-access "$@" +codex_args=() +if ! args_include_codex_profile "$@"; then + resolved_codex_profile="$(resolve_codex_profile)" + if [[ -n "${resolved_codex_profile}" ]]; then + codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}") + fi +fi +codex_args+=(-a on-request -s danger-full-access "$@") +"${CODEX_BIN}" "${codex_args[@]}"
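Review bot: `refresh_gateway_auth` now fails open: when `prepare_codex_auth` or `write_gateway_op_token` fails, whatever is already at `${MCPGW_OP_TOKEN_FILE}` is kept and Codex is still launched with `-s danger-full-access` (last hunk of this file). The failure is reported only through `log`, so a session can run on a stale or missing operator token without the user noticing. Consider making continue-on-failure opt-in through an environment variable, or at least reporting in the `else` branch whether the existing token file is present and how old it is. A comment above the `if prepare_codex_auth && write_gateway_op_token` line, e.g. `# auth refresh is best-effort: a failure keeps the previous token and does not block launch`, would make the policy explicit. The function continues outside the hunk.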