jetpac/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

before SSO migration

Browse Source
This commit is contained in:
Petr Nyc
2026-06-01 10:11:31 +02:00
parent bdc17cef59
commit 9919b59057
7 changed files with 316 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
bin/codex-devops-auth.sh
View File

@@ -17,6 +17,9 @@ OCI_PROFILE_SYNC_PYTHON="${OCI_PROFILE_SYNC_PYTHON:-python3}"
OCI_SESSION_VALIDATE_TIMEOUT_SECONDS="${OCI_SESSION_VALIDATE_TIMEOUT_SECONDS:-2}"
RESET_AGENT="${RESET_AGENT:-0}"
CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_DEVOPS_AUTH_ENV_OUT:-}"
CODEX_DEVOPS_AUTH_CODEX_BIN="${CODEX_DEVOPS_AUTH_CODEX_BIN:-/opt/homebrew/bin/codex}"
CODEX_DEVOPS_AUTH_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_CODEX_PROFILE:-}"
CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE:-gpt-5-5}"
DEDICATED_AGENT_PID=""
DEDICATED_AGENT_SOCK=""
PRESERVE_DEDICATED_AGENT="0"
@@ -35,6 +38,59 @@ run_oci() {
"${OCI_BIN}" --profile "${OCI_PROFILE_NAME}" "$@"
}
codex_home() {
print -r -- "${CODEX_HOME:-${HOME}/.codex}"
}
codex_profile_file_exists() {
local profile="$1"
[[ -r "$(codex_home)/${profile}.config.toml" ]]
}
resolve_codex_profile() {
if [[ -n "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}" ]]; then
print -r -- "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}"
return 0
fi
if codex_profile_file_exists "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}"; then
print -r -- "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}"
fi
return 0
}
args_include_codex_profile() {
local arg
for arg in "$@"; do
case "${arg}" in
--profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*)
return 0
;;
esac
done
return 1
}
codex_profile_flag() {
local version_output version major minor rest
version_output="$("${CODEX_DEVOPS_AUTH_CODEX_BIN}" --version 2>/dev/null || true)"
version="${version_output##* }"
major="${version%%.*}"
rest="${version#*.}"
minor="${rest%%.*}"
if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then
print -r -- "--profile-v2"
return 0
fi
print -r -- "--profile"
}
resolve_timeout_bin() {
local candidate
@@ -568,4 +624,12 @@ if [[ -n "${CODEX_DEVOPS_AUTH_ENV_OUT}" ]]; then
exit 0
fi
/opt/homebrew/bin/codex "$@"
codex_args=()
if ! args_include_codex_profile "$@"; then
resolved_codex_profile="$(resolve_codex_profile)"
if [[ -n "${resolved_codex_profile}" ]]; then
codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}")
fi
fi
codex_args+=("$@")
"${CODEX_DEVOPS_AUTH_CODEX_BIN}" "${codex_args[@]}"

148
bin/codex-wrapper.sh
View File

@@ -7,6 +7,8 @@ MCPGW_SELECTED_SERVERS_FILE="${MCPGW_SELECTED_SERVERS_FILE:-${HOME}/.ora-gateway
MCPGW_OP_TOKEN_FILE="${MCPGW_OP_TOKEN_FILE:-${HOME}/.ora-gateway/op-token}"
CODEX_DEVOPS_AUTH_SCRIPT="${CODEX_DEVOPS_AUTH_SCRIPT:-${HOME}/bin/codex-devops-auth.sh}"
CODEX_BIN="${CODEX_BIN:-/opt/homebrew/bin/codex}"
CODEX_WRAPPER_CODEX_PROFILE="${CODEX_WRAPPER_CODEX_PROFILE:-}"
CODEX_WRAPPER_DEFAULT_CODEX_PROFILE="${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE:-gpt-5-5}"
CODEX_WRAPPER_AUTH_ENV_FILE=""
CODEX_WRAPPER_DEDICATED_AGENT_PID=""
CODEX_WRAPPER_DEDICATED_AGENT_SOCK=""
@@ -59,6 +61,59 @@ is_truthy() {
esac
}
codex_home() {
print -r -- "${CODEX_HOME:-${HOME}/.codex}"
}
codex_profile_file_exists() {
local profile="$1"
[[ -r "$(codex_home)/${profile}.config.toml" ]]
}
resolve_codex_profile() {
if [[ -n "${CODEX_WRAPPER_CODEX_PROFILE}" ]]; then
print -r -- "${CODEX_WRAPPER_CODEX_PROFILE}"
return 0
fi
if codex_profile_file_exists "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}"; then
print -r -- "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}"
fi
return 0
}
args_include_codex_profile() {
local arg
for arg in "$@"; do
case "${arg}" in
--profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*)
return 0
;;
esac
done
return 1
}
codex_profile_flag() {
local version_output version major minor rest
version_output="$("${CODEX_BIN}" --version 2>/dev/null || true)"
version="${version_output##* }"
major="${version%%.*}"
rest="${version#*.}"
minor="${rest%%.*}"
if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then
print -r -- "--profile-v2"
return 0
fi
print -r -- "--profile"
}
confluence_selected() {
local selected_servers_file="${MCPGW_SELECTED_SERVERS_FILE}"
@@ -103,13 +158,39 @@ run_mcpgw_required() {
prepare_codex_auth() {
if [[ ! -x "${CODEX_DEVOPS_AUTH_SCRIPT}" ]]; then
log "Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}"
exit 1
log "Warning: Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}"
return 1
fi
CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"
if ! CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"; then
log "Warning: could not create temporary Codex auth environment file."
return 1
fi
set +e
CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_WRAPPER_AUTH_ENV_FILE}" "${CODEX_DEVOPS_AUTH_SCRIPT}"
local auth_rc=$?
set -e
if [[ ${auth_rc} -ne 0 ]]; then
log "Warning: Codex DevOps auth helper failed with exit code ${auth_rc}; could not refresh OP token."
return 1
fi
if [[ ! -s "${CODEX_WRAPPER_AUTH_ENV_FILE}" ]]; then
log "Warning: Codex DevOps auth helper did not write an auth environment; could not refresh OP token."
return 1
fi
set +e
source "${CODEX_WRAPPER_AUTH_ENV_FILE}"
local source_rc=$?
set -e
if [[ ${source_rc} -ne 0 ]]; then
log "Warning: could not load Codex auth environment from ${CODEX_WRAPPER_AUTH_ENV_FILE}; could not refresh OP token."
return 1
fi
CODEX_WRAPPER_DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
CODEX_WRAPPER_DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}"
@@ -120,21 +201,44 @@ write_gateway_op_token() {
local token_dir tmp
if [[ -z "${OP_TOKEN:-}" ]]; then
log "Cannot write MCP Gateway OP token: OP_TOKEN is empty."
exit 1
log "Warning: cannot write MCP Gateway OP token: OP_TOKEN is empty."
return 1
fi
token_dir="$(dirname -- "${token_file}")"
mkdir -p "${token_dir}"
tmp="$(mktemp "${token_file}.XXXXXX")"
printf '%s\n' "${OP_TOKEN}" > "${tmp}"
chmod 600 "${tmp}"
mv -f "${tmp}" "${token_file}"
if ! mkdir -p "${token_dir}"; then
log "Warning: could not create MCP Gateway token directory: ${token_dir}"
return 1
fi
if ! tmp="$(mktemp "${token_file}.XXXXXX")"; then
log "Warning: could not create temporary MCP Gateway OP token file for ${token_file}."
return 1
fi
if ! printf '%s\n' "${OP_TOKEN}" > "${tmp}"; then
log "Warning: could not write temporary MCP Gateway OP token file: ${tmp}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
if ! chmod 600 "${tmp}"; then
log "Warning: could not set permissions on temporary MCP Gateway OP token file: ${tmp}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
if ! mv -f "${tmp}" "${token_file}"; then
log "Warning: could not install MCP Gateway OP token file: ${token_file}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
log "MCP Gateway auth preflight: wrote fresh operator token to ${token_file}."
}
refresh_gateway_auth() {
local mcpgw_bin
local mcpgw_bin op_token_refreshed=0
mcpgw_bin="$(command -v mcpgw 2>/dev/null || true)"
if [[ -n "${mcpgw_bin}" ]]; then
@@ -143,13 +247,21 @@ refresh_gateway_auth() {
log "Warning: mcpgw not found on PATH; skipping MCP Gateway auth refresh."
fi
prepare_codex_auth
write_gateway_op_token
if prepare_codex_auth && write_gateway_op_token; then
op_token_refreshed=1
else
log "Warning: could not refresh OP token; continuing with existing MCP Gateway token state."
fi
if [[ -z "${mcpgw_bin}" ]]; then
return 0
fi
if [[ "${op_token_refreshed}" != "1" ]]; then
log "MCP Gateway auth preflight: skipping token-dependent checks because OP token refresh failed."
return 0
fi
if should_refresh_confluence_cookies; then
run_mcpgw_required "${mcpgw_bin}" refresh-cookies
else
@@ -172,4 +284,12 @@ if is_truthy "${CODEX_WRAPPER_DRY_RUN:-}"; then
exit 0
fi
"${CODEX_BIN}" -a on-request -s danger-full-access "$@"
codex_args=()
if ! args_include_codex_profile "$@"; then
resolved_codex_profile="$(resolve_codex_profile)"
if [[ -n "${resolved_codex_profile}" ]]; then
codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}")
fi
fi
codex_args+=(-a on-request -s danger-full-access "$@")
"${CODEX_BIN}" "${codex_args[@]}"