#!/usr/bin/env zsh
# codex-wrapper.sh: refresh MCP Gateway / DevOps credentials, then launch Codex.
#
# Tunables, each overridable from the caller's environment:
#   CODEX_MCP_ENV_FILE           shell file sourced before the auth preflight
#   MCPGW_SELECTED_SERVERS_FILE  JSON listing the selected MCP servers
#   MCPGW_OP_TOKEN_FILE          where the operator token is written
#   CODEX_DEVOPS_AUTH_SCRIPT     helper that emits an env file for this wrapper
#   CODEX_BIN                    codex executable to launch
set -euo pipefail
# Fill in a default only where the caller left the variable unset or empty.
: "${CODEX_MCP_ENV_FILE:=${HOME}/.codex/mcp.env}"
: "${MCPGW_SELECTED_SERVERS_FILE:=${HOME}/.ora-gateway/selected-servers.json}"
: "${MCPGW_OP_TOKEN_FILE:=${HOME}/.ora-gateway/op-token}"
: "${CODEX_DEVOPS_AUTH_SCRIPT:=${HOME}/bin/codex-devops-auth.sh}"
: "${CODEX_BIN:=/opt/homebrew/bin/codex}"
# Runtime state owned by this wrapper (filled in by prepare_codex_auth,
# consumed by cleanup). Always start empty so cleanup is a no-op until set.
CODEX_WRAPPER_AUTH_ENV_FILE=""
CODEX_WRAPPER_DEDICATED_AGENT_PID=""
CODEX_WRAPPER_DEDICATED_AGENT_SOCK=""
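# Write a diagnostic line to stderr.
# -r: print the arguments verbatim. Without it zsh's print applies echo-style
#     escape processing (\e, \a, \0NNN, \xNN ...), so text that merely contains
#     a literal "\e]8;;" or "\033[" -- e.g. relayed mcpgw output whose raw ESC
#     bytes sanitize_mcpgw_output already removed -- would be turned back into
#     a live terminal control sequence at the moment it is logged.
# --: stop option parsing so a message beginning with "-" is not read as a flag.
log() {
  print -r -u2 -- "$@"
}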
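# Release what this wrapper created: the dedicated ssh-agent reported by the
# DevOps auth helper and the temporary env file that helper wrote.
# Registered for EXIT, INT and TERM, so it can run more than once (a signal
# trap followed by the EXIT trap). Each resource is cleared after it is
# handled so a second pass does nothing -- in particular it will not send
# ssh-agent -k at a PID that may by then belong to some other process.
cleanup() {
  if [[ -n "${CODEX_WRAPPER_DEDICATED_AGENT_PID}" && -n "${CODEX_WRAPPER_DEDICATED_AGENT_SOCK}" ]]; then
    # Address the dedicated agent explicitly; the user's own agent is untouched.
    SSH_AGENT_PID="${CODEX_WRAPPER_DEDICATED_AGENT_PID}" SSH_AUTH_SOCK="${CODEX_WRAPPER_DEDICATED_AGENT_SOCK}" ssh-agent -k >/dev/null 2>&1 || true
    CODEX_WRAPPER_DEDICATED_AGENT_PID=""
    CODEX_WRAPPER_DEDICATED_AGENT_SOCK=""
  fi
  if [[ -n "${CODEX_WRAPPER_AUTH_ENV_FILE}" ]]; then
    rm -f -- "${CODEX_WRAPPER_AUTH_ENV_FILE}" >/dev/null 2>&1 || true
    CODEX_WRAPPER_AUTH_ENV_FILE=""
  fi
}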
sanitize_mcpgw_output() {
local line clean redacted
while IFS= read -r line || [[ -n "${line}" ]]; do
clean="$(printf '%s\n' "${line}" | perl -pe 's/\e\]8;;.*?\a//g; s/\e\[[0-?]*[ -\/]*[@-~]//g')"
redacted="$(printf '%s\n' "${clean}" | sed -E \
-e 's#https?://[^[:space:]]+#[redacted URL]#g' \
-e 's#([Aa][Cc][Cc][Ee][Ss][Ss]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Ii][Dd]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Rr][Ee][Ff][Rr][Ee][Ss][Hh]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Ss][Ee][Cc][Uu][Rr][Ii][Tt][Yy]_[Tt][Oo][Kk][Ee][Nn]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Cc][Ll][Ii][Ee][Nn][Tt]_[Ss][Ee][Cc][Rr][Ee][Tt]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Pp][Uu][Bb][Ll][Ii][Cc]_[Kk][Ee][Yy]=)[^[:space:]]+#\1[redacted]#g' \
-e 's#([Aa][Uu][Tt][Hh][Oo][Rr][Ii][Zz][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:[[:space:]]*).*#\1[redacted]#g' \
-e 's#([^[:space:]]*/)?[.]oci/config#[redacted OCI config path]#g' \
-e 's#(Config written to: ).*#\1[redacted config path]#')"
log "${redacted}"
done
}
# Interpret a boolean-ish value taken from the environment.
# Exactly 1, true, TRUE, yes, YES, on and ON count as true; anything else --
# mixed case such as "True", "0", an empty or unset value -- is false.
# Returns 0 for true, 1 otherwise.
is_truthy() {
  local value="${1:-}"
  case "${value}" in
    (1|true|TRUE|yes|YES|on|ON) return 0 ;;
  esac
  return 1
}
# Report whether a Confluence server is selected, by either source:
#   - the gateway's selected-servers JSON contains a quoted string spelled
#     Confluence, CentralConfluence, central_confluence or central-confluence
#     (case-insensitive, substring match on the quoted name);
#   - the comma-separated CODEX_MCP_SERVERS list contains one of those exact
#     spellings or lower-case "confluence".
# Returns 0 when selected, 1 otherwise.
confluence_selected() {
  local servers_file="${MCPGW_SELECTED_SERVERS_FILE}"
  local name
  # grep -i already folds case, so one pattern covers every spelling above.
  if [[ -r "${servers_file}" ]] \
    && LC_ALL=C grep -Eiq '"(confluence|central[_-]?confluence)"' "${servers_file}"; then
    return 0
  fi
  for name in Confluence confluence CentralConfluence central_confluence central-confluence; do
    case ",${CODEX_MCP_SERVERS:-}," in
      (*",${name}",*) return 0 ;;
    esac
  done
  return 1
}
# Decide whether mcpgw refresh-cookies must run: yes if any of the explicit
# refresh/stale flags is truthy, otherwise only when a Confluence server is
# selected (see confluence_selected). Returns 0 to refresh, 1 to skip.
should_refresh_confluence_cookies() {
  local flag
  for flag in \
    "${CODEX_MCP_REFRESH_COOKIES:-}" \
    "${CODEX_MCP_REFRESH_CONFLUENCE_COOKIES:-}" \
    "${MCPGW_REFRESH_COOKIES:-}" \
    "${CODEX_MCP_CONFLUENCE_COOKIES_STALE:-}" \
    "${MCPGW_CONFLUENCE_COOKIES_STALE:-}"; do
    if is_truthy "${flag}"; then
      return 0
    fi
  done
  confluence_selected
}
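# Run one mcpgw subcommand as a mandatory preflight step, relaying its merged
# stdout/stderr through sanitize_mcpgw_output. Exits the wrapper with mcpgw's
# own status when it fails.
# Arguments: $1 path to mcpgw; the remaining arguments are passed to it verbatim.
run_mcpgw_required() {
  local mcpgw_bin="$1"
  shift
  local rc
  log "MCP Gateway auth preflight: mcpgw $*"
  # With set -e and pipefail active, a failing mcpgw would terminate the
  # script on the pipeline itself, before its status could be read and the
  # failure logged. Suspend errexit around this one command and inspect
  # pipestatus ourselves; pipestatus[1] (zsh, 1-based) is mcpgw's status,
  # not the sanitizer's.
  set +e
  "${mcpgw_bin}" "$@" 2>&1 | sanitize_mcpgw_output
  rc="${pipestatus[1]}"
  set -e
  if [[ "${rc}" -ne 0 ]]; then
    log "MCP Gateway auth preflight failed: mcpgw $* exited with ${rc}."
    exit "${rc}"
  fi
}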
# Run the DevOps auth helper and import whatever it writes to the env file.
# The env file path is stored in the global CODEX_WRAPPER_AUTH_ENV_FILE before
# the helper runs, so the EXIT trap (cleanup) removes it even if the helper
# fails part-way. After sourcing, SSH_AGENT_PID / SSH_AUTH_SOCK -- if the
# helper set them -- are recorded as the dedicated agent for cleanup to kill.
# Exits 1 when the helper is missing or not executable.
prepare_codex_auth() {
  local helper="${CODEX_DEVOPS_AUTH_SCRIPT}"
  [[ -x "${helper}" ]] || {
    log "Codex DevOps auth helper not found or not executable: ${helper}"
    exit 1
  }
  CODEX_WRAPPER_AUTH_ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/codex-devops-auth.XXXXXX")"
  # The helper learns its output path through CODEX_DEVOPS_AUTH_ENV_OUT.
  CODEX_DEVOPS_AUTH_ENV_OUT="${CODEX_WRAPPER_AUTH_ENV_FILE}" "${helper}"
  source "${CODEX_WRAPPER_AUTH_ENV_FILE}"
  CODEX_WRAPPER_DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
  CODEX_WRAPPER_DEDICATED_AGENT_SOCK="${SSH_AUTH_SOCK:-}"
}
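# Persist OP_TOKEN to MCPGW_OP_TOKEN_FILE (mode 0600) for the MCP Gateway.
# Exits 1 when OP_TOKEN is empty or the token cannot be written.
write_gateway_op_token() {
  local token_file="${MCPGW_OP_TOKEN_FILE}"
  local token_dir tmp
  if [[ -z "${OP_TOKEN:-}" ]]; then
    log "Cannot write MCP Gateway OP token: OP_TOKEN is empty."
    exit 1
  fi
  token_dir="$(dirname -- "${token_file}")"
  # Create any missing parent directory as 0700 regardless of the caller's
  # umask (it holds a credential); an existing directory keeps its mode.
  (umask 077 && mkdir -p -- "${token_dir}")
  # Stage into a sibling temp file and rename over the target so a reader
  # never sees a truncated token. mktemp creates the file 0600; the chmod
  # below keeps the mode explicit. On a failed write remove the temp file
  # here -- it is not registered with cleanup and would otherwise linger.
  tmp="$(mktemp "${token_file}.XXXXXX")"
  if ! printf '%s\n' "${OP_TOKEN}" > "${tmp}"; then
    rm -f -- "${tmp}"
    log "Cannot write MCP Gateway OP token: failed to write ${tmp}."
    exit 1
  fi
  chmod 600 "${tmp}"
  mv -f -- "${tmp}" "${token_file}"
  log "MCP Gateway auth preflight: wrote fresh operator token to ${token_file}."
}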
# Auth preflight, in order:
#   1. mcpgw refresh            (skipped with a warning if mcpgw is not on PATH)
#   2. prepare_codex_auth       (always)
#   3. write_gateway_op_token   (always)
#   4. mcpgw refresh-cookies    (only when should_refresh_confluence_cookies)
#   5. mcpgw status
# Steps 4-5 are skipped entirely when mcpgw is absent. Any failing mcpgw step
# terminates the wrapper via run_mcpgw_required.
refresh_gateway_auth() {
  local mcpgw_bin
  mcpgw_bin="$(command -v mcpgw 2>/dev/null || true)"
  if [[ -z "${mcpgw_bin}" ]]; then
    log "Warning: mcpgw not found on PATH; skipping MCP Gateway auth refresh."
  else
    run_mcpgw_required "${mcpgw_bin}" refresh
  fi
  prepare_codex_auth
  write_gateway_op_token
  [[ -n "${mcpgw_bin}" ]] || return 0
  if should_refresh_confluence_cookies; then
    run_mcpgw_required "${mcpgw_bin}" refresh-cookies
  else
    log "MCP Gateway auth preflight: skipping mcpgw refresh-cookies; Confluence auth was not requested."
  fi
  run_mcpgw_required "${mcpgw_bin}" status
}
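trap cleanup EXIT INT TERM
# Optional per-user environment, sourced after the defaults above so it may
# override them (CODEX_BIN, CODEX_MCP_SERVERS, the refresh flags, ...).
# It is executed as shell code in a process that goes on to handle OP_TOKEN
# and the ssh-agent, so a readable file that the current user does not own is
# refused outright rather than run or silently skipped.
if [[ -r "${CODEX_MCP_ENV_FILE}" ]]; then
  if [[ ! -O "${CODEX_MCP_ENV_FILE}" ]]; then
    log "Refusing to source ${CODEX_MCP_ENV_FILE}: not owned by the current user."
    exit 1
  fi
  source "${CODEX_MCP_ENV_FILE}"
fi
refresh_gateway_auth
if is_truthy "${CODEX_WRAPPER_DRY_RUN:-}"; then
  log "CODEX_WRAPPER_DRY_RUN is set; skipping Codex launch."
  exit 0
fi
# Run codex as a child, not via exec: the EXIT trap has to fire after codex
# returns to kill the dedicated ssh-agent and remove the auth env file codex
# relies on while it runs.
# -s danger-full-access requests, as its name says, the unsandboxed mode with
# -a on-request approvals; everything this user can reach is in scope for the
# agent, so use this wrapper only for workloads you would run by hand.
"${CODEX_BIN}" -a on-request -s danger-full-access "$@"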