@biaoo/tiangong-wiki 0.3.7 → 0.3.8

package/README.md

@@ -86,7 +86,7 @@ tiangong-wiki sync                                    # index Markdown pages
 
 That means commands still work best from inside a workspace, but they can also run from outside the workspace after setup, or target a specific workspace explicitly with `--env-file`.
 
-For automatic vault processing, new setup runs default to `WIKI_AGENT_AUTH_MODE=codex-login`, a dedicated Codex home under the current user's home directory, and `WIKI_AGENT_MODEL=gpt-5.5`. Before enabling that mode, run `CODEX_HOME="$HOME/.codex-tiangong-wiki" codex login` on macOS/Linux, or set `$env:CODEX_HOME = "$env:USERPROFILE\.codex-tiangong-wiki"` before `codex login` on Windows PowerShell.
+For automatic vault processing, new setup runs default to `WIKI_AGENT_AUTH_MODE=codex-login`, the current user's standard Codex home (`~/.codex`, or the user profile `.codex` directory on Windows), and `WIKI_AGENT_MODEL=gpt-5.5`. If you want an isolated Codex home, set `WIKI_AGENT_CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki` and first run `CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki codex login`.
 
 ```bash
 tiangong-wiki find --type concept --status active     # structured query

package/README.zh-CN.md

@@ -86,7 +86,7 @@ tiangong-wiki sync                                    # 索引 Markdown 文件
 
 这意味着命令仍然最适合在 workspace 内执行；但 setup 之后，即使在 workspace 外运行，也可以通过默认配置正常工作，或者通过 `--env-file` 显式指定目标工作区。
 
-如果启用自动 vault 处理，新的 setup 默认使用 `WIKI_AGENT_AUTH_MODE=codex-login`、当前用户 home 目录下的专用 Codex home 和 `WIKI_AGENT_MODEL=gpt-5.5`。启用前，macOS/Linux 执行 `CODEX_HOME="$HOME/.codex-tiangong-wiki" codex login`；Windows PowerShell 先设置 `$env:CODEX_HOME = "$env:USERPROFILE\.codex-tiangong-wiki"`，再执行 `codex login`。
+如果启用自动 vault 处理，新的 setup 默认使用 `WIKI_AGENT_AUTH_MODE=codex-login`、当前用户标准 Codex home（Linux/macOS 为 `~/.codex`，Windows 为用户目录下的 `.codex`）和 `WIKI_AGENT_MODEL=gpt-5.5`。如果需要隔离目录，可手动设置 `WIKI_AGENT_CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki`，并先执行 `CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki codex login`。
 
 ```bash
 tiangong-wiki find --type concept --status active     # 结构化查询

package/assets/config.example.env

@@ -11,12 +11,11 @@ EMBEDDING_MODEL=text-embedding-3-small
 EMBEDDING_DIMENSIONS=1536
 
 WIKI_AGENT_ENABLED=false
-# For local Codex login auth, run on macOS/Linux:
-# CODEX_HOME="$HOME/.codex-tiangong-wiki" codex login
-# On Windows PowerShell:
-# $env:CODEX_HOME = "$env:USERPROFILE\.codex-tiangong-wiki"; codex login
+# For local Codex login auth, run `codex login` once as the same user.
 WIKI_AGENT_AUTH_MODE=codex-login
-# Optional. Leave unset to use the current user's default: <home>/.codex-tiangong-wiki
+# Optional. Leave unset to use the current user's standard Codex home: <home>/.codex
+# For an isolated directory, set this to an absolute path and first run:
+# CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki codex login
 # WIKI_AGENT_CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki
 #
 # To use an API key instead of Codex login:

package/dist/commands/check-config.js

@@ -1,4 +1,5 @@
 import path from "node:path";
+import { inspectWikiAgentCodexLogin } from "../core/agent-auth.js";
 import { loadRuntimeConfig } from "../core/runtime.js";
 import { EmbeddingClient } from "../core/embedding.js";
 import { getWikiAgentStatus } from "../core/vault-processing.js";
@@ -20,6 +21,17 @@ export function registerCheckConfigCommand(program) {
         if (wikiAgent.enabled && wikiAgent.missing.length > 0) {
             throw new AppError(`WIKI_AGENT_ENABLED=true but missing required settings: ${wikiAgent.missing.join(", ")}`, "config");
         }
+        const agentCodexLogin = inspectWikiAgentCodexLogin(wikiAgent);
+        if (!agentCodexLogin.ready) {
+            throw new AppError([
+                agentCodexLogin.summary,
+                agentCodexLogin.recommendation,
+            ].filter(Boolean).join(" "), "config");
+        }
+        const safeWikiAgent = {
+            ...wikiAgent,
+            apiKey: wikiAgent.apiKey ? "<redacted>" : null,
+        };
         const templateChecks = Object.keys(config.templates).map((pageType) => {
             const templatePath = resolveTemplateFilePath(config, paths.wikiRoot, pageType);
             return {
@@ -44,7 +56,8 @@ export function registerCheckConfigCommand(program) {
             templatesPath: paths.templatesPath,
             configVersion: config.configVersion,
             embeddingConfigured: embeddingClient !== null,
-            agentProcessing: wikiAgent,
+            agentProcessing: safeWikiAgent,
+            agentCodexLogin,
             probe,
             templateChecks,
         };
@@ -70,6 +83,8 @@ export function registerCheckConfigCommand(program) {
                 agentBatchSize: wikiAgent.batchSize,
                 agentWorkflowTimeoutSeconds: wikiAgent.workflowTimeoutSeconds,
                 agentMissing: wikiAgent.missing.join(", "),
+                agentCodexLoginReady: agentCodexLogin.checked ? agentCodexLogin.ready : "",
+                agentCodexLoginAuthJson: agentCodexLogin.authJsonPath ?? "",
                 probe,
             }),
             "",

package/dist/core/agent-auth.js

@@ -0,0 +1,101 @@
+import { statSync } from "node:fs";
+import path from "node:path";
+function inspectPathKind(targetPath) {
+    try {
+        const stats = statSync(targetPath);
+        if (stats.isDirectory()) {
+            return { kind: "directory" };
+        }
+        if (stats.isFile()) {
+            return { kind: "file" };
+        }
+        return { kind: "other" };
+    }
+    catch (error) {
+        const code = error.code;
+        if (code === "ENOENT" || code === "ENOTDIR") {
+            return { kind: "missing" };
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        return { kind: "inaccessible", errorMessage: message };
+    }
+}
+function codexLoginRecommendation(codexHome) {
+    return `Run \`CODEX_HOME=${codexHome} codex login\` before starting automatic vault processing.`;
+}
+export function inspectWikiAgentCodexLogin(settings) {
+    if (!settings.enabled || settings.authMode !== "codex-login") {
+        return {
+            checked: false,
+            ready: true,
+            codexHome: settings.codexHome,
+            authJsonPath: null,
+            summary: "Codex login auth is not enabled.",
+        };
+    }
+    if (!settings.codexHome) {
+        return {
+            checked: true,
+            ready: false,
+            codexHome: null,
+            authJsonPath: null,
+            summary: "WIKI_AGENT_CODEX_HOME is not configured for codex-login auth.",
+            recommendation: "Set WIKI_AGENT_CODEX_HOME or rerun `tiangong-wiki setup`.",
+        };
+    }
+    const codexHome = settings.codexHome;
+    const authJsonPath = path.join(codexHome, "auth.json");
+    const home = inspectPathKind(codexHome);
+    if (home.kind === "missing") {
+        return {
+            checked: true,
+            ready: false,
+            codexHome,
+            authJsonPath,
+            summary: `WIKI_AGENT_CODEX_HOME does not exist: ${codexHome}`,
+            recommendation: codexLoginRecommendation(codexHome),
+        };
+    }
+    if (home.kind !== "directory") {
+        return {
+            checked: true,
+            ready: false,
+            codexHome,
+            authJsonPath,
+            summary: home.kind === "inaccessible"
+                ? `WIKI_AGENT_CODEX_HOME cannot be inspected: ${codexHome} (${home.errorMessage})`
+                : `WIKI_AGENT_CODEX_HOME is not a directory: ${codexHome}`,
+            recommendation: codexLoginRecommendation(codexHome),
+        };
+    }
+    const authJson = inspectPathKind(authJsonPath);
+    if (authJson.kind === "missing") {
+        return {
+            checked: true,
+            ready: false,
+            codexHome,
+            authJsonPath,
+            summary: `Codex login auth.json was not found under WIKI_AGENT_CODEX_HOME: ${authJsonPath}`,
+            recommendation: codexLoginRecommendation(codexHome),
+        };
+    }
+    if (authJson.kind !== "file") {
+        return {
+            checked: true,
+            ready: false,
+            codexHome,
+            authJsonPath,
+            summary: authJson.kind === "inaccessible"
+                ? `Codex login auth.json cannot be inspected: ${authJsonPath} (${authJson.errorMessage})`
+                : `Codex login auth.json is not a file: ${authJsonPath}`,
+            recommendation: codexLoginRecommendation(codexHome),
+        };
+    }
+    return {
+        checked: true,
+        ready: true,
+        codexHome,
+        authJsonPath,
+        summary: `Codex login auth is available at ${codexHome}.`,
+    };
+}

package/dist/core/codex-workflow.js

@@ -1,5 +1,4 @@
 import path from "node:path";
-import { mkdirSync } from "node:fs";
 import childProcess from "node:child_process";
 import { syncBuiltinESMExports } from "node:module";
 import { readWorkflowResult } from "./workflow-result.js";
@@ -54,9 +53,6 @@ async function loadCodexSdk() {
 }
 function normalizeEnv(input) {
     const agentSettings = resolveAgentSettings(input.env);
-    if (agentSettings.authMode === "codex-login" && agentSettings.codexHome) {
-        mkdirSync(agentSettings.codexHome, { recursive: true });
-    }
     const normalized = {};
     for (const [key, value] of Object.entries({
         ...process.env,

package/dist/core/onboarding.js

@@ -2,6 +2,7 @@ import { accessSync, constants, readFileSync } from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { confirm, input, password, select } from "@inquirer/prompts";
+import { inspectWikiAgentCodexLogin } from "./agent-auth.js";
 import { DEFAULT_WIKI_ENV_FILE, getCliEnvironmentInfo, parseEnvFile, serializeEnvEntries } from "./cli-env.js";
 import { resolveTemplateFilePath, loadConfig } from "./config.js";
 import { DEFAULT_EMBEDDING_DIMENSIONS, EmbeddingClient } from "./embedding.js";
@@ -496,7 +497,7 @@ async function collectAgentSettings(driver, ctx, defaults) {
             {
                 value: "codex-login",
                 label: "codex-login",
-                description: "Use a local Codex ChatGPT login stored under WIKI_AGENT_CODEX_HOME.",
+                description: "Use the current user's Codex login by default (~/.codex); set WIKI_AGENT_CODEX_HOME for isolation.",
             },
             {
                 value: "api-key",
@@ -792,6 +793,11 @@ export async function runSetupWizard(env = process.env, options = {}) {
             `- Example: cd ${JSON.stringify(workspaceRoot)} && tiangong-wiki init`,
             "- Run `tiangong-wiki doctor` to validate the generated configuration.",
             "- Run `tiangong-wiki init` to create index.db and perform the first sync.",
+            ...(values.agentEnabled && values.agentAuthMode === "codex-login" && values.agentCodexHome
+                ? [
+                    `- Codex login auth uses ${values.agentCodexHome}; if needed, run \`CODEX_HOME=${values.agentCodexHome} codex login\` before starting the daemon.`,
+                ]
+                : []),
             ...(values.vaultSource === "synology"
                 ? ["- Protect `.wiki.env` carefully because it now stores Synology credentials."]
                 : []),
@@ -969,6 +975,13 @@ function inspectAgent(checks, env) {
             collectDoctorCheck(checks, "error", "agent", `Automatic vault processing is enabled but missing: ${settings.missing.join(", ")}`, "Set the missing WIKI_AGENT_* values in `.wiki.env` or rerun `tiangong-wiki setup`.");
             return;
         }
+        if (settings.authMode === "codex-login") {
+            const codexLogin = inspectWikiAgentCodexLogin(settings);
+            if (!codexLogin.ready) {
+                collectDoctorCheck(checks, "error", "agent", codexLogin.summary, codexLogin.recommendation);
+                return;
+            }
+        }
         collectDoctorCheck(checks, "ok", "agent", settings.authMode === "codex-login"
             ? `Automatic vault processing is enabled with model ${settings.model} via Codex login at ${settings.codexHome}.`
             : `Automatic vault processing is enabled with model ${settings.model} via API key auth.`);

package/dist/core/paths.js

@@ -88,7 +88,7 @@ function normalizeOptionalAbsolutePath(label, rawValue) {
     return path.resolve(value);
 }
 export function defaultWikiAgentCodexHome() {
-    return path.join(os.homedir(), ".codex-tiangong-wiki");
+    return path.join(os.homedir(), ".codex");
 }
 export function parseVaultHashMode(raw) {
     const value = (raw ?? "content").trim().toLowerCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@biaoo/tiangong-wiki",
-  "version": "0.3.7",
+  "version": "0.3.8",
   "description": "Local-first wiki index and query engine for Markdown knowledge pages (Tiangong Wiki).",
   "type": "module",
   "publishConfig": {

package/references/troubleshooting.md

@@ -85,7 +85,7 @@ The agent uses [Codex SDK](https://www.npmjs.com/package/@openai/codex-sdk) to p
 | --- | --- | --- |
 | `WIKI_AGENT_ENABLED` | No | Enable agentic workflow (`true` / `false`, default: `false`) |
 | `WIKI_AGENT_AUTH_MODE` | No | Auth mode: `api-key` or `codex-login`. Runtime default is `api-key` for backwards compatibility; `tiangong-wiki setup` defaults new agent configs to `codex-login` |
-| `WIKI_AGENT_CODEX_HOME` | No | Dedicated Codex home directory. Leave unset to use the current user's default `${HOME}/.codex-tiangong-wiki`; if set in `.wiki.env`, use a real absolute path because shell variables are not expanded there |
+| `WIKI_AGENT_CODEX_HOME` | No | Codex home directory. Leave unset to use the current user's standard `${HOME}/.codex` (or the user profile `.codex` directory on Windows); if set in `.wiki.env`, use a real absolute path because shell variables are not expanded there |
 | `WIKI_AGENT_BASE_URL` | No | LLM API base URL for `api-key` mode (e.g. `https://api.openai.com/v1`). When set, overrides global Codex config |
 | `WIKI_AGENT_API_KEY` | In `api-key` mode | API key for the LLM provider |
 | `WIKI_AGENT_MODEL` | No | Model name (default: `gpt-5.5`; e.g. `Qwen/Qwen3.5-397B-A17B-GPTQ-Int4`) |
@@ -95,6 +95,8 @@ The agent uses [Codex SDK](https://www.npmjs.com/package/@openai/codex-sdk) to p
 
 `tiangong-wiki setup` now prompts for `WIKI_AGENT_SANDBOX_MODE` when automatic vault processing is enabled. The default is `danger-full-access`, and the setup wizard highlights that this mode grants full runtime access.
 
+When `WIKI_AGENT_ENABLED=true` and `WIKI_AGENT_AUTH_MODE=codex-login`, `tiangong-wiki doctor` and `tiangong-wiki check-config` verify that `WIKI_AGENT_CODEX_HOME` exists and contains `auth.json`. They report the path and remediation command, but never print token or auth file contents.
+
 Queue items that fail workflow execution are auto-retried up to 3 times. After that they remain in `error` until you manually retry them from the dashboard / queue tooling, or a later vault sync requeues the file because the source changed.
 
 ---
@@ -148,7 +150,23 @@ If the agent workflow fails with `bwrap`, `unshare`, `uid_map`, or similar sandb
 
 ### Codex login (recommended local setup)
 
-Create and log in to a dedicated Codex home for the wiki service:
+By default, use the current user's standard Codex home:
+
+macOS/Linux:
+
+```bash
+codex login
+codex login status
+```
+
+Windows PowerShell:
+
+```powershell
+codex login
+codex login status
+```
+
+For an isolated Codex home, set `WIKI_AGENT_CODEX_HOME` to an absolute path and log in there first:
 
 macOS/Linux:
 
@@ -172,7 +190,7 @@ Then configure the wiki agent:
 ```env
 WIKI_AGENT_ENABLED=true
 WIKI_AGENT_AUTH_MODE=codex-login
-# Optional. Leave unset to use the current user's default dedicated Codex home.
+# Optional. Leave unset to use the current user's standard ~/.codex.
 # WIKI_AGENT_CODEX_HOME=/absolute/path/to/.codex-tiangong-wiki
 WIKI_AGENT_MODEL=gpt-5.5
 ```