jetpac/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: jetpac:543f9b64ec6ad2aafab38b062e79adc5c757838d
Branches Tags
jetpac:main jetpac:osd-dev
...
compare: jetpac:9919b5905712308fb56c3ad9f5b99f1346999e94
Branches Tags
jetpac:main jetpac:osd-dev

5 Commits
543f9b64ec ... 9919b59057

Author SHA1 Message Date
Petr Nyc
9919b59057 before SSO migration 2026-06-01 10:14:13 +02:00
Petr Nyc
bdc17cef59 slack & vcap MCPs 2026-05-25 22:07:09 +02:00
Petr Nyc
8d7fd92dd3 codex improvements 2026-05-21 16:57:06 +02:00
Petr Nyc
804e9278b8 codex profile 2026-05-20 14:29:34 +02:00
Petr Nyc
d367547fab codex startup unification 2026-05-20 11:08:09 +02:00
8 changed files with 1114 additions and 193 deletions
Expand all files Collapse all files

492
.codex/config.toml
View File

@@ -11,11 +11,8 @@
# #+end_src # #+end_src
# model = "oca/gpt-5.1-codex-mini"
# profile = "gpt-5-1-codex-mini"
model = "gpt-5.5" model = "gpt-5.5"
profile = "gpt-5-5"
# web_search is deprecated # web_search is deprecated
@@ -31,9 +28,12 @@ personality = "pragmatic"
model_reasoning_effort = "medium" model_reasoning_effort = "medium"
notify = ["/Users/jetpac/.codex/computer-use/Codex Computer Use.app/Contents/SharedSupport/SkyComputerUseClient.app/Contents/MacOS/SkyComputerUseClient", "turn-ended"]
[features] [features]
multi_agent = true multi_agent = true
goals = true goals = true
js_repl = false
# remote_control = true # remote_control = true
[agents] [agents]
@@ -43,6 +43,7 @@ max_depth = 2
[tui] [tui]
alternate_screen = "always" alternate_screen = "always"
status_line = ["model-with-reasoning", "current-dir", "git-branch", "run-state", "codex-version", "context-remaining"] status_line = ["model-with-reasoning", "current-dir", "git-branch", "run-state", "codex-version", "context-remaining"]
pet = "codex"
[tui.model_availability_nux] [tui.model_availability_nux]
"gpt-5.5" = 4 "gpt-5.5" = 4
@@ -65,125 +66,7 @@ stream_max_retries = 20
request_max_retries = 20 request_max_retries = 20
[model_providers.oca-chat]
base_url = "https://code-internal.aiservice.us-chicago-1.oci.oraclecloud.com/20250206/app/litellm"
http_headers = { "client" = "codex-cli", "client-version" = "0" }
model = "gpt5"
name = "Oracle Code Assist Chat"
wire_api = "responses"
[profiles.grok-4]
model = "grok4"
model_provider = "oca-chat"
review_model = "grok4"
[profiles.grok-4-fast-reasoning]
model = "grok4-fast-reasoning"
model_provider = "oca-chat"
review_model = "grok4-fast-reasoning"
[profiles.grok-code-fast-1]
model = "grok-code-fast-1"
model_provider = "oca-chat"
review_model = "grok-code-fast-1"
[profiles.gpt-4-1]
model = "gpt-4.1"
model_provider = "oca-chat"
review_model = "gpt-4.1"
[profiles.gpt-5]
model = "gpt5"
model_provider = "oca-responses"
review_model = "gpt5"
[profiles.gpt-5-1]
model = "gpt-5.1"
model_provider = "oca-chat"
review_model = "gpt-5.1"
[profiles.gpt-5-2]
model = "gpt-5.2"
model_provider = "oca-responses"
review_model = "gpt-5.2"
[profiles.gpt-5-codex]
model = "gpt-5-codex"
model_provider = "oca-responses"
review_model = "gpt-5-codex"
personality = "pragmatic"
[profiles.gpt-5-1-codex-high]
model = "gpt-5.1-codex"
model_provider = "oca-responses"
review_model = "gpt-5.1-codex"
personality = "pragmatic"
model_reasoning_effort = "high"
[profiles.gpt-5-1-codex]
model = "gpt-5.1-codex"
model_provider = "oca-responses"
review_model = "gpt-5.1-codex"
personality = "pragmatic"
model_reasoning_effort = "medium"
[profiles.gpt-5-1-codex-mini]
model = "gpt-5.1-codex-mini"
model_provider = "oca-responses"
review_model = "gpt-5.1-codex-mini"
personality = "pragmatic"
[profiles.gpt-5-2-codex-high]
model = "gpt-5.2-codex"
model_provider = "oca-responses"
review_model = "gpt-5.2-codex"
personality = "pragmatic"
model_reasoning_effort = "high"
[profiles.gpt-5-2-codex]
model = "gpt-5.2-codex"
model_provider = "oca-responses"
review_model = "gpt-5.2-codex"
personality = "pragmatic"
model_reasoning_effort = "medium"
[profiles.gpt-5-2-codex-mini]
model = "gpt-5.2-codex-mini"
model_provider = "oca-responses"
review_model = "gpt-5.2-codex-mini"
personality = "pragmatic"
[profiles.gpt-5-3-codex]
model = "gpt-5.3-codex"
model_provider = "oca-responses"
review_model = "gpt-5.3-codex"
personality = "pragmatic"
model_reasoning_effort = "high"
[profiles.gpt-5-4]
model = "gpt-5.5"
model_provider = "oca-responses"
review_model = "gpt-5.4"
personality = "pragmatic"
model_reasoning_effort = "medium"
plan_mode_reasoning_effort = "high"
[profiles.gpt-5-4-pro]
model = "gpt-5.4-pro"
model_provider = "oca-responses"
review_model = "gpt-5.4"
personality = "pragmatic"
# model_reasoning_effort = "high"
[profiles.gpt-5-5]
model = "gpt-5.5"
model_provider = "oca-responses"
review_model = "gpt-5.5"
personality = "pragmatic"
model_reasoning_effort = "high"
plan_mode_reasoning_effort = "high"
[profiles.gpt-5-5.features]
terminal_resize_reflow = true
memories = false
external_migration = false
goals = true
prevent_idle_sleep = false
[profiles.gpt-5-5-pro] [profiles.gpt-5-5-pro]
model = "gpt-5.5-pro" model = "gpt-5.5-pro"
@@ -195,8 +78,12 @@ personality = "pragmatic"
[mcp_servers.playwright] [mcp_servers.playwright]
command = "/Users/jetpac/.codex/bin/playwright-mcp" command = "/Users/jetpac/.codex/bin/playwright-mcp"
args = ["--extension"]
startup_timeout_sec = 30.0 startup_timeout_sec = 30.0
[mcp_servers.playwright.env]
PLAYWRIGHT_MCP_EXTENSION_TOKEN = "-6NDHv8ampzL_lDb5uVCpvea_m_O4vht7ZeTq3n5baI"
[mcp_servers.playwright.tools.browser_navigate] [mcp_servers.playwright.tools.browser_navigate]
approval_mode = "approve" approval_mode = "approve"
@@ -215,95 +102,144 @@ approval_mode = "approve"
[mcp_servers.playwright.tools.browser_tabs] [mcp_servers.playwright.tools.browser_tabs]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.playwright.tools.browser_run_code]
approval_mode = "approve"
[mcp_servers.playwright.tools.browser_select_option]
approval_mode = "approve"
[mcp_servers.slack]
command = "/Users/jetpac/.codex/bin/slack-mcp-wrapper"
startup_timeout_sec = 60.0
tool_timeout_sec = 60.0
default_tools_approval_mode = "approve"
enabled_tools = [
"channels_list",
"channels_me",
"conversations_history",
"conversations_replies",
"conversations_search_messages",
"conversations_unreads",
"channel_unreads",
"usergroups_list",
"usergroups_me",
"users_search",
"conversations_add_message",
"reactions_add",
"reactions_remove",
]
[mcp_servers.slack.env]
SLACK_MCP_ENABLE_WRITES = "true"
# Slack write allowlist: @pnyc self-DM (D7PT0SXMK), @pzahradn DM (D9CF41WHG),
# @jahorak DM (DFYAKGQFL),
# Kavya Nair DM (D08G5NZAN2C), Jacob Paul DM (D090RLVUCUV),
# Owen Roberts DM (DEPU4A2QM), C0A71SCTQRM for Codex Slack MCP setup instructions,
# and C05RJJ18EAF for corparch-core-srv replies.
SLACK_MCP_WRITE_CHANNEL_ALLOWLIST = "D7PT0SXMK,D9CF41WHG,DFYAKGQFL,D08G5NZAN2C,D090RLVUCUV,DEPU4A2QM,C0A71SCTQRM,C05RJJ18EAF"
[mcp_servers.slack.tools.conversations_add_message]
approval_mode = "approve"
[mcp_servers.slack.tools.reactions_add]
approval_mode = "approve"
[mcp_servers.slack.tools.reactions_remove]
approval_mode = "approve"
[mcp_servers.oci-kb] [mcp_servers.oci-kb]
command = "/Users/jetpac/.local/bin/ocikb-mcp-server" command = "/Users/jetpac/.local/bin/ocikb-mcp-server"
startup_timeout_sec = 30.0 startup_timeout_sec = 30.0
[mcp_servers.oci-kb.env]
OCI_CONFIG_PROFILE = "MCP_GW_DEFAULT"
[mcp_servers.oci-kb.tools.getDocument] [mcp_servers.oci-kb.tools.getDocument]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.oci-kb.tools.search] [mcp_servers.oci-kb.tools.search]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.devops_mcp] # Disabled by KB-11: prefer mcp_gateway devops__ tools for refreshable DevOps access.
command = "/Users/jetpac/bin/devops-mcp-wrapper.sh" # [mcp_servers.devops_mcp]
env_vars = ["OP_TOKEN", "OPERATOR_ACCESS_TOKEN"] # command = "/Users/jetpac/bin/devops-mcp-wrapper.sh"
startup_timeout_sec = 180.0 # env_vars = ["OP_TOKEN", "OPERATOR_ACCESS_TOKEN"]
# startup_timeout_sec = 180.0
[mcp_servers.devops_mcp.tools.get_realms] # [mcp_servers.devops_mcp.tools.get_realms]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_regions] # [mcp_servers.devops_mcp.tools.get_regions]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_release_details] # [mcp_servers.devops_mcp.tools.get_release_details]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_runbook_projects] # [mcp_servers.devops_mcp.tools.get_runbook_projects]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_execution_target_errors] # [mcp_servers.devops_mcp.tools.get_shepherd_execution_target_errors]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_flocks] # [mcp_servers.devops_mcp.tools.get_shepherd_flocks]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_phase_execution_targets] # [mcp_servers.devops_mcp.tools.get_shepherd_phase_execution_targets]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_projects] # [mcp_servers.devops_mcp.tools.get_shepherd_projects]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_release_target_logs] # [mcp_servers.devops_mcp.tools.get_shepherd_release_target_logs]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_releases] # [mcp_servers.devops_mcp.tools.get_shepherd_releases]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_tenancy_by_name] # [mcp_servers.devops_mcp.tools.get_tenancy_by_name]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.list_shepherd_region_details] # [mcp_servers.devops_mcp.tools.list_shepherd_region_details]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.search_phonebook] # [mcp_servers.devops_mcp.tools.search_phonebook]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.search_runbooks] # [mcp_servers.devops_mcp.tools.search_runbooks]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_security_tasks_for_team] # [mcp_servers.devops_mcp.tools.get_security_tasks_for_team]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_security_findings_for_team] # [mcp_servers.devops_mcp.tools.get_security_findings_for_team]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_release_all_target_logs] # [mcp_servers.devops_mcp.tools.get_shepherd_release_all_target_logs]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_odo_application] # [mcp_servers.devops_mcp.tools.get_odo_application]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_active_odo_deployments] # [mcp_servers.devops_mcp.tools.get_active_odo_deployments]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_odo_deployments_by_time] # [mcp_servers.devops_mcp.tools.get_odo_deployments_by_time]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_app_release_versions_by_tenants] # [mcp_servers.devops_mcp.tools.get_app_release_versions_by_tenants]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_shepherd_execution_target_state] # [mcp_servers.devops_mcp.tools.get_shepherd_execution_target_state]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.get_tenancy_by_id] # [mcp_servers.devops_mcp.tools.get_tenancy_by_id]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.list_subscription_mappings] # [mcp_servers.devops_mcp.tools.list_subscription_mappings]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.devops_mcp.tools.list_subscriptions] # [mcp_servers.devops_mcp.tools.list_subscriptions]
approval_mode = "approve" # approval_mode = "approve"
[mcp_servers.mcp_shepherd] [mcp_servers.mcp_shepherd]
command = "uvx" command = "uvx"
@@ -370,6 +306,12 @@ approval_mode = "approve"
[mcp_servers.mcp_shepherd.tools.shepherd_get_release_phase_target_guardrails_metadata] [mcp_servers.mcp_shepherd.tools.shepherd_get_release_phase_target_guardrails_metadata]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.mcp_shepherd.tools.shepherd_get_execution_target]
approval_mode = "approve"
[mcp_servers.mcp_shepherd.tools.shepherd_get_release_target_errors]
approval_mode = "approve"
[mcp_servers.grt] [mcp_servers.grt]
command = "/Users/jetpac/.codex/bin/grt-mcp" command = "/Users/jetpac/.codex/bin/grt-mcp"
startup_timeout_sec = 30.0 startup_timeout_sec = 30.0
@@ -531,6 +473,7 @@ jenkins_list_nodes = { approval_mode = "approve" }
jenkins_search_console = { approval_mode = "approve" } jenkins_search_console = { approval_mode = "approve" }
jenkins_validate_jenkinsfile = { approval_mode = "approve" } jenkins_validate_jenkinsfile = { approval_mode = "approve" }
jenkins_watch_build = { approval_mode = "approve" } jenkins_watch_build = { approval_mode = "approve" }
jenkins_request = { approval_mode = "approve" }
[mcp_servers.vm] [mcp_servers.vm]
@@ -547,6 +490,54 @@ approval_mode = "approve"
[mcp_servers.vm.tools.vm_list_machines] [mcp_servers.vm.tools.vm_list_machines]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.vm.tools.vm_manage_disk]
approval_mode = "approve"
[mcp_servers.vm.tools.vm_get_resources]
approval_mode = "approve"
[mcp_servers.vcap]
command = "node"
args = ["/Users/jetpac/Documents/codex-tools/MCPs/vcap-mcp/dist/index.js"]
startup_timeout_sec = 30.0
tool_timeout_sec = 60.0
[mcp_servers.vcap.env]
VCAP_MCP_USERNAME = "petr.nyc"
VCAP_MCP_API_KEY = "b6e395b4-7e4b-4ba0-bdcd-a803c5dedbbb"
VCAP_MCP_BASE_URL = "https://vcap.us.oracle.com/vcap"
VCAP_MCP_ALLOW_MUTATIONS = "false"
[mcp_servers.vcap.tools.vcap_list_templates]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_request]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_list_networks]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_list_groups]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_list_machines]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_list_users]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_get_group]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_list_logs]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_get_machine]
approval_mode = "approve"
[mcp_servers.vcap.tools.vcap_get_template]
approval_mode = "approve"
[mcp_servers.oracle-bitbucket] [mcp_servers.oracle-bitbucket]
command = "node" command = "node"
args = ["/Users/jetpac/Documents/codex-tools/MCPs/bitbucket-mcp/build/index.js"] args = ["/Users/jetpac/Documents/codex-tools/MCPs/bitbucket-mcp/build/index.js"]
@@ -593,6 +584,9 @@ approval_mode = "approve"
[mcp_servers.oracle-bitbucket.tools.browse_repository] [mcp_servers.oracle-bitbucket.tools.browse_repository]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.oracle-bitbucket.tools.list_pull_requests_for_my_review]
approval_mode = "approve"
[mcp_servers.mcp-atlassian] [mcp_servers.mcp-atlassian]
command = "uvx" command = "uvx"
args = ["--python=3.11", "mcp-atlassian"] args = ["--python=3.11", "mcp-atlassian"]
@@ -943,8 +937,59 @@ trust_level = "trusted"
[projects."/Users/jetpac/src/symphony"] [projects."/Users/jetpac/src/symphony"]
trust_level = "trusted" trust_level = "trusted"
[projects."/Users/jetpac/src/symphony/kanboard-workspaces/KB-10/repo"]
trust_level = "trusted"
[projects."/private/tmp/kanban-jira"]
trust_level = "trusted"
[projects."/private/tmp/krava"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/bugdb"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/OSD/linux-images/desktop-image-builds"]
trust_level = "trusted"
[projects."/private/tmp/lll"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/OSD/oc21"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/codex-tui-watch"]
trust_level = "trusted"
[projects."/private/tmp/slack-mcp-planning"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/codex-tools/codex-auth-status"]
trust_level = "trusted"
[projects."/Users/jetpac/PycharmProjects"]
trust_level = "trusted"
[projects."/Users/jetpac/PycharmProjects/ips-trunk"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/OSD/oci-desktop-service-console-plugin"]
trust_level = "trusted"
[projects."/Users/jetpac/PycharmProjects/ips-trunk/solaris/ips/build"]
trust_level = "trusted"
[projects."/private/tmp/shity"]
trust_level = "trusted"
[projects."/Users/jetpac/Documents/codex-tools/codex-src/codex"]
trust_level = "trusted"
[projects."/Users/jetpac/.codex-sso"]
trust_level = "trusted"
[marketplaces.openai-bundled] [marketplaces.openai-bundled]
last_updated = "2026-05-05T21:54:34Z" last_updated = "2026-05-28T10:46:49Z"
source_type = "local" source_type = "local"
source = "/Users/jetpac/.codex/.tmp/bundled-marketplaces/openai-bundled" source = "/Users/jetpac/.codex/.tmp/bundled-marketplaces/openai-bundled"
@@ -962,9 +1007,22 @@ enabled = true
[plugins."presentations@openai-primary-runtime"] [plugins."presentations@openai-primary-runtime"]
enabled = true enabled = true
[plugins."browser-use@openai-bundled"] [plugins."browser@openai-bundled"]
enabled = true enabled = true
[desktop]
appearanceTheme = "system"
composerEnterBehavior = "cmdIfMultiline"
preventSleepWhileRunning = false
keepRemoteControlAwakeWhilePluggedIn = false
[desktop.open-in-target-preferences]
global = "iterm2"
[desktop.open-in-target-preferences.perPath]
"/Users/jetpac/Documents/codex-worktrees/mail" = "iterm2"
"/Users/jetpac/Documents/OSD/tigera-v1.40.9/tigera-operator-new" = "iterm2"
# [projects."/Users/jetpac/Documents/codex-tools/MCPs/ident-scm-mcp"] # [projects."/Users/jetpac/Documents/codex-tools/MCPs/ident-scm-mcp"]
# trust_level = "trusted" # trust_level = "trusted"
@@ -1090,3 +1148,83 @@ approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.kcm__search] [mcp_servers.mcp_gateway.tools.kcm__search]
approval_mode = "approve" approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.jira__jira_get_issue]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.buildservice__buildservice_get_commit]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.buildservice__buildservice_list_project_branches]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.jira__jira_search]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__list_shepherd_artifact_versions]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.bitbucket__list_pull_request_comments]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_tenancy_by_name]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_by_id]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_onsr_release_log]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_all_target_logs]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_execution_target_errors]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_target_logs]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_target_plan]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_import_defaults]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_phases]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_flock_acr_status]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__list_shepherd_imports_status]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_flock_config]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_shepherd_latest_static_analysis_for_execution_target]
approval_mode = "approve"
[mcp_servers.mcp_gateway.tools.devops__get_region_build_status]
approval_mode = "approve"
[mcp_servers.node_repl]
args = []
command = "/Applications/Codex.app/Contents/Resources/node_repl"
startup_timeout_sec = 120
[mcp_servers.node_repl.env]
NODE_REPL_NATIVE_PIPE_CONNECT_TIMEOUT_MS = "1000"
NODE_REPL_NODE_MODULE_DIRS = ""
NODE_REPL_NODE_PATH = "/Applications/Codex.app/Contents/Resources/node"
NODE_REPL_TRUSTED_CODE_PATHS = "/Users/jetpac/.codex"
CODEX_HOME = "/Users/jetpac/.codex"
NODE_REPL_TRUSTED_BROWSER_CLIENT_SHA256S = "496c7b3cb95b4bc20cff49b513150606e0da0000c92bf752206bee5a6c248423"
BROWSER_USE_AVAILABLE_BACKENDS = "iab"
BROWSER_USE_MARKETPLACE_NAME = "openai-bundled"
NODE_REPL_UNTRUSTED_ENV_ALLOWLIST = "BROWSER_USE_MARKETPLACE_NAME"
CODEX_CLI_PATH = "/Applications/Codex.app/Contents/Resources/codex"

13
.spacemacs
View File

@@ -1382,7 +1382,8 @@ This function is called at the very end of Spacemacs initialization."
("Solaris" ("Solaris"
. "tag:solaris") . "tag:solaris")
("OCI" ("OCI"
. "tag:oci")) . "tag:oci")
)
:filter :filter
"date:1/1/2026.. and (tag:important and tag:action)" "date:1/1/2026.. and (tag:important and tag:action)"
:show-empty-searches :show-empty-searches
@@ -1400,10 +1401,18 @@ This function is called at the very end of Spacemacs initialization."
. "tag:announcement") . "tag:announcement")
("Deployment Calendar events" ("Deployment Calendar events"
. "tag:calendar") . "tag:calendar")
("SGD" . "tag:sgd")) ("SGD" . "tag:sgd")
)
:filter :filter
"tag:osd and date:12/1/2025.. and (tag:unread or tag:important or tag:action)" "tag:osd and date:12/1/2025.. and (tag:unread or tag:important or tag:action)"
:show-empty-searches nil) :show-empty-searches nil)
(notmuch-hello-insert-searches
"Active dev projects needing focus"
(
("Linux images" . "tag:linux-images")
("AK IPS delivery" . "tag:ak-ips or tag:akidr-ips")
)
)
(notmuch-hello-insert-searches (notmuch-hello-insert-searches
"Solaris Focused" "Solaris Focused"
(("Solaris" (("Solaris"

3
.ssh/config.oci
View File

@@ -8,6 +8,9 @@ Host bitbucket.oci.oraclecorp.com
HostkeyAlgorithms +ssh-rsa HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa
Host github.com
IdentityFile ~/.ssh/github.com
Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com scapen* Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com scapen*
User pnyc User pnyc
IdentityFile ~/.ssh/dabel.key IdentityFile ~/.ssh/dabel.key

2
.ssh/config.solaris
View File

@@ -35,7 +35,7 @@ Host solaris-reviews.us.oracle.com
User hg User hg
IdentityFile ~/.ssh/id_phabricator IdentityFile ~/.ssh/id_phabricator
Host hetzner Host hetzner u444067.your-storagebox.de
HostName u444067.your-storagebox.de HostName u444067.your-storagebox.de
User u444067 User u444067
Port 23 Port 23

5
.zshenv
View File

@@ -2,7 +2,7 @@ set -o vi
export LC_ALL=en_US.UTF-8 export LC_ALL=en_US.UTF-8
export PATH=/Users/jetpac/.asdf/shims/:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jetpac/work/flutter/bin:$HOME/.rd/bin:$HOME/bin:$PATH:$HOME/.fzf/bin export PATH=/Users/jetpac/.asdf/shims/:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/jetpac/work/flutter/bin:$HOME/.rd/bin:$HOME/bin:$PATH:$HOME/.fzf/bin:$HOME/Documents/codex-tools/mcpgw-cli/
# homebrew config # homebrew config
# output of brew shellenv # output of brew shellenv
@@ -23,6 +23,9 @@ alias mc='SHELL=/bin/bash mc'
alias config='/usr/bin/git --git-dir=$HOME/.cfg/ --work-tree=$HOME' alias config='/usr/bin/git --git-dir=$HOME/.cfg/ --work-tree=$HOME'
alias -g N="2>&1 " alias -g N="2>&1 "
alias pig='ping' alias pig='ping'
alias ops='OCI_CLI_PROFILE=solarisx86-us-phoenix-1-apikey ops'
# export PATH=$HOME/.rd/bin # export PATH=$HOME/.rd/bin
# #

494
bin/codex-devops-auth.sh
View File

@@ -3,22 +3,33 @@
set -euo pipefail set -euo pipefail
PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}" PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"
YUBIKEY_PIN_FILE="${YUBIKEY_PIN_FILE:-/tmp/pass}"
TOKEN_HOST="${TOKEN_HOST:-operator-access-token.svc.ad1.r2}" TOKEN_HOST="${TOKEN_HOST:-operator-access-token.svc.ad1.r2}"
SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config.oci}" SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config.oci}"
OCI_BIN="${OCI_BIN:-/opt/homebrew/bin/oci}" OCI_BIN="${OCI_BIN:-/opt/homebrew/bin/oci}"
OCI_SESSION_REGION="${OCI_SESSION_REGION:-us-chicago-1}" OCI_SESSION_REGION="${OCI_SESSION_REGION:-us-chicago-1}"
OCI_PROFILE_NAME="${OCI_PROFILE_NAME:-DEFAULT}" OCI_PROFILE_NAME="${OCI_PROFILE_NAME:-MCP_GW_DEFAULT}"
OCI_CONFIG_FILE="${OCI_CONFIG_FILE:-${HOME}/.oci/config}"
OCI_PROFILE_SYNC_ENABLED="${OCI_PROFILE_SYNC_ENABLED:-1}"
OCI_PROFILE_SYNC_TARGETS="${OCI_PROFILE_SYNC_TARGETS:-DEFAULT}"
OCI_PROFILE_SYNC_KEYS="${OCI_PROFILE_SYNC_KEYS:-tenancy,region,security_token_file,key_file,fingerprint,pass_phrase,user}"
OCI_PROFILE_SYNC_PYTHON="${OCI_PROFILE_SYNC_PYTHON:-python3}"
OCI_SESSION_VALIDATE_TIMEOUT_SECONDS="${OCI_SESSION_VALIDATE_TIMEOUT_SECONDS:-2}" OCI_SESSION_VALIDATE_TIMEOUT_SECONDS="${OCI_SESSION_VALIDATE_TIMEOUT_SECONDS:-2}"
RESET_AGENT="${RESET_AGENT:-0}" RESET_AGENT="${RESET_AGENT:-0}"
CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_DEVOPS_AUTH_ENV_OUT:-}"
CODEX_DEVOPS_AUTH_CODEX_BIN="${CODEX_DEVOPS_AUTH_CODEX_BIN:-/opt/homebrew/bin/codex}"
CODEX_DEVOPS_AUTH_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_CODEX_PROFILE:-}"
CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE="${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE:-gpt-5-5}"
DEDICATED_AGENT_PID="" DEDICATED_AGENT_PID=""
DEDICATED_AGENT_SOCK="" DEDICATED_AGENT_SOCK=""
PRESERVE_DEDICATED_AGENT="0"
log() { log() {
print -u2 -- "$@" print -u2 -- "$@"
} }
cleanup() { cleanup() {
if [[ -n "${DEDICATED_AGENT_PID}" && -n "${DEDICATED_AGENT_SOCK}" ]]; then if [[ "${PRESERVE_DEDICATED_AGENT}" != "1" && -n "${DEDICATED_AGENT_PID}" && -n "${DEDICATED_AGENT_SOCK}" ]]; then
SSH_AGENT_PID="${DEDICATED_AGENT_PID}" SSH_AUTH_SOCK="${DEDICATED_AGENT_SOCK}" ssh-agent -k >/dev/null 2>&1 || true SSH_AGENT_PID="${DEDICATED_AGENT_PID}" SSH_AUTH_SOCK="${DEDICATED_AGENT_SOCK}" ssh-agent -k >/dev/null 2>&1 || true
fi fi
} }
@@ -27,6 +38,59 @@ run_oci() {
"${OCI_BIN}" --profile "${OCI_PROFILE_NAME}" "$@" "${OCI_BIN}" --profile "${OCI_PROFILE_NAME}" "$@"
} }
codex_home() {
print -r -- "${CODEX_HOME:-${HOME}/.codex}"
}
codex_profile_file_exists() {
local profile="$1"
[[ -r "$(codex_home)/${profile}.config.toml" ]]
}
resolve_codex_profile() {
if [[ -n "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}" ]]; then
print -r -- "${CODEX_DEVOPS_AUTH_CODEX_PROFILE}"
return 0
fi
if codex_profile_file_exists "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}"; then
print -r -- "${CODEX_DEVOPS_AUTH_DEFAULT_CODEX_PROFILE}"
fi
return 0
}
args_include_codex_profile() {
local arg
for arg in "$@"; do
case "${arg}" in
--profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*)
return 0
;;
esac
done
return 1
}
codex_profile_flag() {
local version_output version major minor rest
version_output="$("${CODEX_DEVOPS_AUTH_CODEX_BIN}" --version 2>/dev/null || true)"
version="${version_output##* }"
major="${version%%.*}"
rest="${version#*.}"
minor="${rest%%.*}"
if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then
print -r -- "--profile-v2"
return 0
fi
print -r -- "--profile"
}
resolve_timeout_bin() { resolve_timeout_bin() {
local candidate local candidate
@@ -112,6 +176,162 @@ ensure_oci_session() {
"${OCI_BIN}" session authenticate --region "${OCI_SESSION_REGION}" --profile-name "${OCI_PROFILE_NAME}" "${OCI_BIN}" session authenticate --region "${OCI_SESSION_REGION}" --profile-name "${OCI_PROFILE_NAME}"
} }
sync_oci_profiles() {
if [[ "${OCI_PROFILE_SYNC_ENABLED}" != "1" ]]; then
log "OCI profile sync disabled."
return 0
fi
if [[ -z "${OCI_PROFILE_SYNC_TARGETS}" ]]; then
log "OCI profile sync: no target profiles configured."
return 0
fi
if [[ ! -r "${OCI_CONFIG_FILE}" || ! -w "${OCI_CONFIG_FILE}" ]]; then
log "Warning: OCI config is not readable and writable; skipping profile sync: ${OCI_CONFIG_FILE}"
return 0
fi
if ! command -v "${OCI_PROFILE_SYNC_PYTHON}" >/dev/null 2>&1; then
log "Warning: ${OCI_PROFILE_SYNC_PYTHON} not found; skipping OCI profile sync."
return 0
fi
OCI_CONFIG_FILE_FOR_SYNC="${OCI_CONFIG_FILE}" \
OCI_PROFILE_SYNC_SOURCE="${OCI_PROFILE_NAME}" \
OCI_PROFILE_SYNC_TARGETS_FOR_SYNC="${OCI_PROFILE_SYNC_TARGETS}" \
OCI_PROFILE_SYNC_KEYS_FOR_SYNC="${OCI_PROFILE_SYNC_KEYS}" \
"${OCI_PROFILE_SYNC_PYTHON}" - <<'PY'
import os
from pathlib import Path
import re
import tempfile
config_path = Path(os.environ["OCI_CONFIG_FILE_FOR_SYNC"]).expanduser()
source = os.environ["OCI_PROFILE_SYNC_SOURCE"]
targets = [
target.strip()
for target in os.environ["OCI_PROFILE_SYNC_TARGETS_FOR_SYNC"].split(",")
if target.strip() and target.strip() != source
]
keys = [
key.strip()
for key in os.environ["OCI_PROFILE_SYNC_KEYS_FOR_SYNC"].split(",")
if key.strip()
]
if not targets or not keys:
raise SystemExit(0)
section_re = re.compile(r"^(\s*)\[([^\]]+)\](\s*(?:[#;].*)?)$")
key_re = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)(\s*=\s*)(.*?)(\s*(?:[#;].*)?)$")
lines = config_path.read_text(encoding="utf-8").splitlines(keepends=True)
line_sections = []
sections = {}
current = None
for index, line in enumerate(lines):
match = section_re.match(line.rstrip("\n"))
if match:
current = match.group(2).strip()
sections.setdefault(current, {"start": index, "end": None})
line_sections.append(current)
for index, section in enumerate(line_sections):
if section is not None:
sections[section]["end"] = index + 1
if source not in sections:
raise SystemExit(f"OCI profile sync source profile not found: {source}")
source_values = {}
source_start = int(sections[source]["start"])
source_end = int(sections[source]["end"] or len(lines))
for line in lines[source_start + 1 : source_end]:
match = key_re.match(line.rstrip("\n"))
if match and match.group(2).strip() in keys:
source_values[match.group(2).strip()] = match.group(4).rstrip()
if not source_values:
raise SystemExit(f"OCI profile sync source profile has no syncable keys: {source}")
changed = False
for target in targets:
if target not in sections:
insert_at = len(lines)
if lines and not lines[-1].endswith("\n"):
lines[-1] += "\n"
if lines and lines[-1].strip():
lines.append("\n")
insert_at += 1
lines.append(f"[{target}]\n")
sections[target] = {"start": insert_at, "end": insert_at + 1}
for known in sections:
if known != target and int(sections[known]["start"]) >= insert_at:
sections[known]["start"] = int(sections[known]["start"]) + 2
if sections[known]["end"] is not None:
sections[known]["end"] = int(sections[known]["end"]) + 2
changed = True
target_start = int(sections[target]["start"])
target_end = int(sections[target]["end"] or len(lines))
present: set[str] = set()
index = target_start + 1
while index < target_end:
raw = lines[index]
newline = "\n" if raw.endswith("\n") else ""
match = key_re.match(raw.rstrip("\n"))
if match:
key = match.group(2).strip()
if key in source_values:
present.add(key)
replacement = f"{match.group(1)}{key}{match.group(3)}{source_values[key]}{match.group(5)}{newline}"
if replacement != raw:
lines[index] = replacement
changed = True
index += 1
missing = [key for key in keys if key in source_values and key not in present]
if missing:
insert_at = target_end
additions = [f"{key} = {source_values[key]}\n" for key in missing]
lines[insert_at:insert_at] = additions
delta = len(additions)
sections[target]["end"] = target_end + delta
for known in sections:
if known != target and int(sections[known]["start"]) >= insert_at:
sections[known]["start"] = int(sections[known]["start"]) + delta
if sections[known]["end"] is not None:
sections[known]["end"] = int(sections[known]["end"]) + delta
changed = True
if changed:
content = "".join(lines)
mode = config_path.stat().st_mode & 0o777
with tempfile.NamedTemporaryFile(
"w",
encoding="utf-8",
dir=str(config_path.parent),
prefix=f".{config_path.name}.",
delete=False,
) as tmp:
tmp.write(content)
tmp_name = tmp.name
os.chmod(tmp_name, mode)
os.replace(tmp_name, config_path)
PY
local sync_rc=$?
if [[ ${sync_rc} -ne 0 ]]; then
log "OCI profile sync failed with exit code ${sync_rc}."
exit "${sync_rc}"
fi
log "OCI profile sync complete: ${OCI_PROFILE_NAME} -> ${OCI_PROFILE_SYNC_TARGETS}"
}
ensure_ssh_agent() { ensure_ssh_agent() {
log "Starting dedicated ssh-agent for Codex." log "Starting dedicated ssh-agent for Codex."
unset SSH_AUTH_SOCK SSH_AGENT_PID unset SSH_AUTH_SOCK SSH_AGENT_PID
@@ -120,9 +340,205 @@ ensure_ssh_agent() {
DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}" DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}"
} }
resolve_token_ssh_config_value() {
local key="$1"
ssh -G -F "${SSH_CONFIG_FILE}" "${TOKEN_HOST}" 2>/dev/null | awk -v key="${key}" '
$1 == key {
$1 = ""
sub(/^[[:space:]]+/, "")
print
exit
}
'
}
resolve_token_proxy_command() {
resolve_token_ssh_config_value proxycommand
}
resolve_token_proxy_jump() {
resolve_token_ssh_config_value proxyjump
}
resolve_token_ssh_user() {
resolve_token_ssh_config_value user
}
quiet_proxy_command() {
local proxy_command="$1"
proxy_command="${proxy_command// -vvv/}"
proxy_command="${proxy_command// -vv/}"
proxy_command="${proxy_command// -v/}"
print -r -- "${proxy_command}"
}
proxy_ssh_prefix() {
local ssh_bin="$1"
local prefix="${ssh_bin} -F ${(q)SSH_CONFIG_FILE} -o LogLevel=ERROR"
if [[ -n "${TOKEN_SSH_USER:-}" ]]; then
prefix+=" -l ${(q)TOKEN_SSH_USER}"
fi
print -r -- "${prefix}"
}
proxy_command_with_ssh_config() {
local proxy_command="$1"
local bastion_host
if [[ -z "${proxy_command}" || "${proxy_command}" == "none" ]]; then
return 1
fi
if [[ "${proxy_command}" == bash\ -c\ * && "${proxy_command}" == *" -W %h:%p "* ]]; then
bastion_host="${proxy_command#* -W %h:%p }"
bastion_host="${bastion_host%% *}"
bastion_host="${bastion_host%%\'*}"
bastion_host="${bastion_host%%\"*}"
if [[ -n "${bastion_host}" ]]; then
print -r -- "$(proxy_ssh_prefix ssh) -W %h:%p ${bastion_host}"
return 0
fi
fi
case "${proxy_command}" in
/usr/bin/ssh\ *)
print -r -- "$(proxy_ssh_prefix /usr/bin/ssh) ${proxy_command#/usr/bin/ssh }"
;;
ssh\ *)
print -r -- "$(proxy_ssh_prefix ssh) ${proxy_command#ssh }"
;;
*)
print -r -- "${proxy_command}"
;;
esac
}
proxy_jump_as_proxy_command() {
local proxy_jump="$1"
if [[ -z "${proxy_jump}" || "${proxy_jump}" == "none" ]]; then
return 1
fi
print -r -- "$(proxy_ssh_prefix ssh) -W %h:%p ${proxy_jump}"
}
build_token_ssh_args() {
TOKEN_SSH_ARGS=(-F "${SSH_CONFIG_FILE}" -o LogLevel=ERROR)
TOKEN_SSH_USER="$(resolve_token_ssh_user || true)"
local proxy_command proxy_jump configured_proxy_command
proxy_command="$(resolve_token_proxy_command || true)"
configured_proxy_command="$(proxy_command_with_ssh_config "${proxy_command}" || true)"
if [[ -z "${configured_proxy_command}" ]]; then
proxy_jump="$(resolve_token_proxy_jump || true)"
configured_proxy_command="$(proxy_jump_as_proxy_command "${proxy_jump}" || true)"
fi
if [[ -n "${configured_proxy_command}" ]]; then
TOKEN_SSH_ARGS+=(-o "ProxyCommand=${configured_proxy_command}")
fi
}
load_pkcs11_provider_with_expect() {
local expect_script="$1"
shift
if ! command -v expect >/dev/null 2>&1; then
return 127
fi
if ! PKCS11_LIB_FOR_EXPECT="${PKCS11_LIB}" expect -c "${expect_script}"; then
return 1
fi
return 0
}
load_pkcs11_provider_from_pin_file() {
YUBIKEY_PIN_FILE_FOR_EXPECT="${YUBIKEY_PIN_FILE}" load_pkcs11_provider_with_expect '
set timeout 30
set pkcs11_lib $env(PKCS11_LIB_FOR_EXPECT)
set pin_file $env(YUBIKEY_PIN_FILE_FOR_EXPECT)
set fh [open $pin_file r]
gets $fh pin
close $fh
spawn ssh-add -s $pkcs11_lib
expect {
-re {([Pp]assphrase|PIN|pin).*:} {
send -- "$pin\r"
exp_continue
}
eof {
catch wait result
exit [lindex $result 3]
}
timeout {
exit 124
}
}
' >/dev/null
}
load_pkcs11_provider_with_prompt() {
load_pkcs11_provider_with_expect '
set timeout 120
set pkcs11_lib $env(PKCS11_LIB_FOR_EXPECT)
send_user "YubiKey PIN: "
stty -echo
expect_user -re "(.*)\n"
stty echo
send_user "\n"
set pin $expect_out(1,string)
log_user 0
spawn ssh-add -s $pkcs11_lib
expect {
-re {([Pp]assphrase|PIN|pin).*:} {
send -- "$pin\r"
exp_continue
}
eof {
catch wait result
exit [lindex $result 3]
}
timeout {
exit 124
}
}
'
}
add_pkcs11_provider() { add_pkcs11_provider() {
log "Loading PKCS#11 provider: ${PKCS11_LIB}" log "Loading PKCS#11 provider: ${PKCS11_LIB}"
ssh-add -s "${PKCS11_LIB}" >/dev/null
if [[ -r "${YUBIKEY_PIN_FILE}" ]]; then
if ! load_pkcs11_provider_from_pin_file; then
log "Failed to load PKCS#11 provider using YubiKey PIN file ${YUBIKEY_PIN_FILE}."
return 1
fi
elif [[ -t 0 ]]; then
if ! load_pkcs11_provider_with_prompt; then
log "Failed to load PKCS#11 provider using prompted YubiKey PIN."
return 1
fi
else
log "YubiKey PIN file not readable at ${YUBIKEY_PIN_FILE}, and stdin is not a terminal."
return 1
fi
if ! ssh-add -l >/dev/null 2>&1; then
log "PKCS#11 provider loaded, but no SSH identities are visible to the dedicated agent."
return 1
fi
} }
prepare_agent() { prepare_agent() {
@@ -130,6 +546,55 @@ prepare_agent() {
add_pkcs11_provider add_pkcs11_provider
} }
refresh_operator_token() {
local operator_token
log "Refreshing OPERATOR_ACCESS_TOKEN from ${TOKEN_HOST} using ${SSH_CONFIG_FILE}"
TOKEN_SSH_ARGS=()
build_token_ssh_args
if ! operator_token="$(ssh "${TOKEN_SSH_ARGS[@]}" "${TOKEN_HOST}" "generate --mode jwt")"; then
log "Failed to refresh OPERATOR_ACCESS_TOKEN from ${TOKEN_HOST}."
return 1
fi
if [[ -z "${operator_token}" ]]; then
log "Token host ${TOKEN_HOST} returned an empty OPERATOR_ACCESS_TOKEN."
return 1
fi
export OPERATOR_ACCESS_TOKEN="${operator_token}"
export OP_TOKEN="${OPERATOR_ACCESS_TOKEN}"
log "Using fresh OP_TOKEN for Codex and DevOps MCP."
}
write_shell_export() {
local name="$1"
local value="$2"
printf 'export %s=%q\n' "${name}" "${value}"
}
write_auth_env() {
local env_out="$1"
local env_dir tmp
env_dir="$(dirname -- "${env_out}")"
mkdir -p "${env_dir}"
tmp="$(mktemp "${env_out}.XXXXXX")"
{
write_shell_export SSH_AUTH_SOCK "${DEDICATED_AGENT_SOCK}"
write_shell_export SSH_AGENT_PID "${DEDICATED_AGENT_PID}"
write_shell_export OPERATOR_ACCESS_TOKEN "${OPERATOR_ACCESS_TOKEN}"
write_shell_export OP_TOKEN "${OP_TOKEN}"
} > "${tmp}"
chmod 600 "${tmp}"
mv -f "${tmp}" "${env_out}"
}
if [[ ! -f "${SSH_CONFIG_FILE}" ]]; then if [[ ! -f "${SSH_CONFIG_FILE}" ]]; then
print -u2 "SSH config file not found: ${SSH_CONFIG_FILE}" print -u2 "SSH config file not found: ${SSH_CONFIG_FILE}"
exit 1 exit 1
@@ -146,12 +611,25 @@ trap cleanup EXIT INT TERM
ensure_oci_session ensure_oci_session
sync_oci_profiles
prepare_agent prepare_agent
log "Refreshing OPERATOR_ACCESS_TOKEN from ${TOKEN_HOST} using ${SSH_CONFIG_FILE}" refresh_operator_token
export OPERATOR_ACCESS_TOKEN="$(ssh -F "${SSH_CONFIG_FILE}" "${TOKEN_HOST}" "generate --mode jwt")"
export OP_TOKEN="${OPERATOR_ACCESS_TOKEN}"
log "Using fresh OP_TOKEN for Codex and DevOps MCP." if [[ -n "${CODEX_DEVOPS_AUTH_ENV_OUT}" ]]; then
write_auth_env "${CODEX_DEVOPS_AUTH_ENV_OUT}"
PRESERVE_DEDICATED_AGENT="1"
log "Wrote Codex auth environment to ${CODEX_DEVOPS_AUTH_ENV_OUT}."
exit 0
fi
/opt/homebrew/bin/codex "$@" codex_args=()
if ! args_include_codex_profile "$@"; then
resolved_codex_profile="$(resolve_codex_profile)"
if [[ -n "${resolved_codex_profile}" ]]; then
codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}")
fi
fi
codex_args+=("$@")
"${CODEX_DEVOPS_AUTH_CODEX_BIN}" "${codex_args[@]}"

294
bin/codex-wrapper.sh
View File

@@ -1,5 +1,295 @@
#!/usr/bin/env zsh #!/usr/bin/env zsh
export BITBUCKET_TOKEN=NzQ0MDE3NjEzNDE1Oh6PpMt8Rl+a569vzoPOfCRJ+Kwt set -euo pipefail
"$HOME/bin/codex-devops-auth.sh" -a on-request -s danger-full-access "$@"
CODEX_MCP_ENV_FILE="${CODEX_MCP_ENV_FILE:-${HOME}/.codex/mcp.env}"
MCPGW_SELECTED_SERVERS_FILE="${MCPGW_SELECTED_SERVERS_FILE:-${HOME}/.ora-gateway/selected-servers.json}"
MCPGW_OP_TOKEN_FILE="${MCPGW_OP_TOKEN_FILE:-${HOME}/.ora-gateway/op-token}"
CODEX_DEVOPS_AUTH_SCRIPT="${CODEX_DEVOPS_AUTH_SCRIPT:-${HOME}/bin/codex-devops-auth.sh}"
CODEX_BIN="${CODEX_BIN:-/opt/homebrew/bin/codex}"
CODEX_WRAPPER_CODEX_PROFILE="${CODEX_WRAPPER_CODEX_PROFILE:-}"
CODEX_WRAPPER_DEFAULT_CODEX_PROFILE="${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE:-gpt-5-5}"
CODEX_WRAPPER_AUTH_ENV_FILE=""
CODEX_WRAPPER_DEDICATED_AGENT_PID=""
CODEX_WRAPPER_DEDICATED_AGENT_SOCK=""
log() {
print -u2 -- "$@"
}
cleanup() {
if [[ -n "${CODEX_WRAPPER_DEDICATED_AGENT_PID}" && -n "${CODEX_WRAPPER_DEDICATED_AGENT_SOCK}" ]]; then
SSH_AGENT_PID="${CODEX_WRAPPER_DEDICATED_AGENT_PID}" SSH_AUTH_SOCK="${CODEX_WRAPPER_DEDICATED_AGENT_SOCK}" ssh-agent -k >/dev/null 2>&1 || true
fi
if [[ -n "${CODEX_WRAPPER_AUTH_ENV_FILE}" ]]; then
rm -f "${CODEX_WRAPPER_AUTH_ENV_FILE}" >/dev/null 2>&1 || true
fi
}
sanitize_mcpgw_output() {
local line clean redacted
while IFS= read -r line || [[ -n "${line}" ]]; do
clean="$(printf '%s\n' "${line}" | perl -pe 's/\e\]8;;.*?\a//g; s/\e\[[0-?]*[ -\/]*[@-~]//g')"
redacted="$(printf '%s\n' "${clean}" | sed -E \
-e 's#https?://[^[:space:]]+#[redacted URL]#g' \
-e 's#([Aa][Cc][Cc][Ee][Ss][Ss]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Ii][Dd]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Rr][Ee][Ff][Rr][Ee][Ss][Hh]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Ss][Ee][Cc][Uu][Rr][Ii][Tt][Yy]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Cc][Ll][Ii][Ee][Nn][Tt]_[Ss][Ee][Cc][Rr][Ee][Tt]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Pp][Uu][Bb][Ll][Ii][Cc]_[Kk][Ee][Yy]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Aa][Uu][Tt][Hh][Oo][Rr][Ii][Zz][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([^[:space:]]*/)?[.]oci/config#[redacted OCI config path]#g' \
-e 's#(Config written to: ).*#\1[redacted config path]#')"
log "${redacted}"
done
}
is_truthy() {
case "${1:-}" in
1|true|TRUE|yes|YES|on|ON)
return 0
;;
*)
return 1
;;
esac
}
codex_home() {
print -r -- "${CODEX_HOME:-${HOME}/.codex}"
}
codex_profile_file_exists() {
local profile="$1"
[[ -r "$(codex_home)/${profile}.config.toml" ]]
}
resolve_codex_profile() {
if [[ -n "${CODEX_WRAPPER_CODEX_PROFILE}" ]]; then
print -r -- "${CODEX_WRAPPER_CODEX_PROFILE}"
return 0
fi
if codex_profile_file_exists "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}"; then
print -r -- "${CODEX_WRAPPER_DEFAULT_CODEX_PROFILE}"
fi
return 0
}
args_include_codex_profile() {
local arg
for arg in "$@"; do
case "${arg}" in
--profile|-p|--profile=*|-p=*|--profile-v2|--profile-v2=*)
return 0
;;
esac
done
return 1
}
codex_profile_flag() {
local version_output version major minor rest
version_output="$("${CODEX_BIN}" --version 2>/dev/null || true)"
version="${version_output##* }"
major="${version%%.*}"
rest="${version#*.}"
minor="${rest%%.*}"
if [[ "${major}" == "0" && "${minor}" =~ '^[0-9]+$' && "${minor}" -lt 134 ]]; then
print -r -- "--profile-v2"
return 0
fi
print -r -- "--profile"
}
confluence_selected() {
local selected_servers_file="${MCPGW_SELECTED_SERVERS_FILE}"
if [[ -r "${selected_servers_file}" ]] && LC_ALL=C grep -Eiq '"(Confluence|CentralConfluence|central_confluence|central-confluence)"' "${selected_servers_file}"; then
return 0
fi
case ",${CODEX_MCP_SERVERS:-}," in
*,Confluence,*|*,confluence,*|*,CentralConfluence,*|*,central_confluence,*|*,central-confluence,*)
return 0
;;
esac
return 1
}
should_refresh_confluence_cookies() {
if is_truthy "${CODEX_MCP_REFRESH_COOKIES:-}" || \
is_truthy "${CODEX_MCP_REFRESH_CONFLUENCE_COOKIES:-}" || \
is_truthy "${MCPGW_REFRESH_COOKIES:-}" || \
is_truthy "${CODEX_MCP_CONFLUENCE_COOKIES_STALE:-}" || \
is_truthy "${MCPGW_CONFLUENCE_COOKIES_STALE:-}"; then
return 0
fi
confluence_selected
}
run_mcpgw_required() {
local mcpgw_bin="$1"
shift
log "MCP Gateway auth preflight: mcpgw $*"
"${mcpgw_bin}" "$@" 2>&1 | sanitize_mcpgw_output
local rc="${pipestatus[1]}"
if [[ ${rc} -ne 0 ]]; then
log "MCP Gateway auth preflight failed: mcpgw $* exited with ${rc}."
exit "${rc}"
fi
}
prepare_codex_auth() {
if [[ ! -x "${CODEX_DEVOPS_AUTH_SCRIPT}" ]]; then
log "Warning: Codex DevOps auth helper not found or not executable: ${CODEX_DEVOPS_AUTH_SCRIPT}"
return 1
fi
if ! CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"; then
log "Warning: could not create temporary Codex auth environment file."
return 1
fi
set +e
CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_WRAPPER_AUTH_ENV_FILE}" "${CODEX_DEVOPS_AUTH_SCRIPT}"
local auth_rc=$?
set -e
if [[ ${auth_rc} -ne 0 ]]; then
log "Warning: Codex DevOps auth helper failed with exit code ${auth_rc}; could not refresh OP token."
return 1
fi
if [[ ! -s "${CODEX_WRAPPER_AUTH_ENV_FILE}" ]]; then
log "Warning: Codex DevOps auth helper did not write an auth environment; could not refresh OP token."
return 1
fi
set +e
source "${CODEX_WRAPPER_AUTH_ENV_FILE}"
local source_rc=$?
set -e
if [[ ${source_rc} -ne 0 ]]; then
log "Warning: could not load Codex auth environment from ${CODEX_WRAPPER_AUTH_ENV_FILE}; could not refresh OP token."
return 1
fi
CODEX_WRAPPER_DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
CODEX_WRAPPER_DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}"
}
write_gateway_op_token() {
local token_file="${MCPGW_OP_TOKEN_FILE}"
local token_dir tmp
if [[ -z "${OP_TOKEN:-}" ]]; then
log "Warning: cannot write MCP Gateway OP token: OP_TOKEN is empty."
return 1
fi
token_dir="$(dirname -- "${token_file}")"
if ! mkdir -p "${token_dir}"; then
log "Warning: could not create MCP Gateway token directory: ${token_dir}"
return 1
fi
if ! tmp="$(mktemp "${token_file}.XXXXXX")"; then
log "Warning: could not create temporary MCP Gateway OP token file for ${token_file}."
return 1
fi
if ! printf '%s\n' "${OP_TOKEN}" > "${tmp}"; then
log "Warning: could not write temporary MCP Gateway OP token file: ${tmp}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
if ! chmod 600 "${tmp}"; then
log "Warning: could not set permissions on temporary MCP Gateway OP token file: ${tmp}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
if ! mv -f "${tmp}" "${token_file}"; then
log "Warning: could not install MCP Gateway OP token file: ${token_file}"
rm -f "${tmp}" >/dev/null 2>&1 || true
return 1
fi
log "MCP Gateway auth preflight: wrote fresh operator token to ${token_file}."
}
refresh_gateway_auth() {
local mcpgw_bin op_token_refreshed=0
mcpgw_bin="$(command -v mcpgw 2>/dev/null || true)"
if [[ -n "${mcpgw_bin}" ]]; then
run_mcpgw_required "${mcpgw_bin}" refresh
else
log "Warning: mcpgw not found on PATH; skipping MCP Gateway auth refresh."
fi
if prepare_codex_auth && write_gateway_op_token; then
op_token_refreshed=1
else
log "Warning: could not refresh OP token; continuing with existing MCP Gateway token state."
fi
if [[ -z "${mcpgw_bin}" ]]; then
return 0
fi
if [[ "${op_token_refreshed}" != "1" ]]; then
log "MCP Gateway auth preflight: skipping token-dependent checks because OP token refresh failed."
return 0
fi
if should_refresh_confluence_cookies; then
run_mcpgw_required "${mcpgw_bin}" refresh-cookies
else
log "MCP Gateway auth preflight: skipping mcpgw refresh-cookies; Confluence auth was not requested."
fi
run_mcpgw_required "${mcpgw_bin}" status
}
trap cleanup EXIT INT TERM
if [[ -r "${CODEX_MCP_ENV_FILE}" ]]; then
source "${CODEX_MCP_ENV_FILE}"
fi
refresh_gateway_auth
if is_truthy "${CODEX_WRAPPER_DRY_RUN:-}"; then
log "CODEX_WRAPPER_DRY_RUN is set; skipping Codex launch."
exit 0
fi
codex_args=()
if ! args_include_codex_profile "$@"; then
resolved_codex_profile="$(resolve_codex_profile)"
if [[ -n "${resolved_codex_profile}" ]]; then
codex_args+=("$(codex_profile_flag)" "${resolved_codex_profile}")
fi
fi
codex_args+=(-a on-request -s danger-full-access "$@")
"${CODEX_BIN}" "${codex_args[@]}"

4
bin/retag-email
View File

@@ -407,8 +407,8 @@ notmuch tag +solaris \
# seatch term to include in each search # seatch term to include in each search
# commented out for debugging # commented out for debugging
# ST='tag:new' ST='tag:new'
ST="date:1/1/2026.." # ST="date:1/1/2026.."
notmuch tag +osd \ notmuch tag +osd \
"$ST" AND "( "$ST" AND "(