@companyhelm/cli 0.0.7 → 0.0.9

package/RUNTIME_IMAGE_VERSION

@@ -1 +1 @@
-0.0.8
+0.0.9

package/dist/cli.js

@@ -4,6 +4,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const commander_1 = require("commander");
+const global_options_js_1 = require("./commands/global-options.js");
 const register_commands_js_1 = require("./commands/register-commands.js");
 function getVersion() {
     try {
@@ -20,7 +21,11 @@ program
     .name("companyhelm")
     .description("Run coding agents in fully isolated Docker sandboxes, locally.")
     .version(getVersion());
+(0, global_options_js_1.addGlobalOptions)(program);
 (0, register_commands_js_1.registerCommands)(program);
+program.hook("preAction", (_thisCommand, actionCommand) => {
+    (0, global_options_js_1.applyGlobalOptionEnvironment)(actionCommand);
+});
 function formatCliError(error) {
     if (error instanceof commander_1.CommanderError) {
         return {

package/dist/commands/global-options.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_PATH_OPTION_DESCRIPTION = void 0;
+exports.addGlobalOptions = addGlobalOptions;
+exports.applyGlobalOptionEnvironment = applyGlobalOptionEnvironment;
+const config_js_1 = require("../config.js");
+exports.CONFIG_PATH_OPTION_DESCRIPTION = `Config directory override (defaults to $${config_js_1.CONFIG_PATH_ENV} or ${config_js_1.DEFAULT_CONFIG_DIRECTORY}).`;
+function addGlobalOptions(program) {
+    return program.option("--config-path <path>", exports.CONFIG_PATH_OPTION_DESCRIPTION);
+}
+function applyGlobalOptionEnvironment(command) {
+    const options = command.optsWithGlobals();
+    if (typeof options.configPath !== "string") {
+        return;
+    }
+    const configPath = options.configPath.trim();
+    if (configPath.length > 0) {
+        process.env[config_js_1.CONFIG_PATH_ENV] = configPath;
+    }
+}

package/dist/commands/root.js

@@ -73,6 +73,7 @@ const db_js_1 = require("../state/db.js");
 const schema_js_1 = require("../state/schema.js");
 const daemon_js_1 = require("../utils/daemon.js");
 const logger_js_1 = require("../utils/logger.js");
+const path_js_1 = require("../utils/path.js");
 const workspace_agents_js_1 = require("../service/workspace_agents.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
 const COMMAND_CHANNEL_OPEN_TIMEOUT_MS = 5000;
@@ -1467,10 +1468,11 @@ async function hasConfiguredSdks(cfg) {
         client.close();
     }
 }
-async function clearSdkModels(cfg, sdkName) {
+async function countSdkModels(cfg, sdkName) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
-        await db.delete(schema_js_1.llmModels).where((0, drizzle_orm_1.eq)(schema_js_1.llmModels.sdkName, sdkName));
+        const models = await db.select({ name: schema_js_1.llmModels.name }).from(schema_js_1.llmModels).where((0, drizzle_orm_1.eq)(schema_js_1.llmModels.sdkName, sdkName)).all();
+        return models.length;
     }
     finally {
         client.close();
@@ -1483,9 +1485,12 @@ async function refreshCodexModelsForRegistration(cfg, logger) {
         logger.info(`Refreshed Codex models from container app-server (${modelCount} models).`);
     }
     catch (error) {
-        logger.warn(`Failed to refresh Codex models from container app-server: ${toErrorMessage(error)}. ` +
-            "Registering runner with an empty Codex model list.");
-        await clearSdkModels(cfg, "codex");
+        const cachedModelCount = await countSdkModels(cfg, "codex");
+        const failureMessage = (0, refresh_models_js_1.formatSdkModelRefreshFailure)("codex", error);
+        if (cachedModelCount === 0) {
+            throw new Error(`${failureMessage} Runner startup aborted because no cached Codex models are available; refusing to register zero models.`);
+        }
+        logger.warn(`${failureMessage} Using ${cachedModelCount} cached Codex model(s) from local state instead of registering zero models.`);
     }
 }
 async function resolveThreadAuthMode(cfg) {
@@ -2181,13 +2186,15 @@ function isInternalDaemonChildProcess() {
 function resolveEffectiveDaemonLogPath(cfg) {
     const envPath = process.env[daemon_js_1.DAEMON_LOG_PATH_ENV];
     if (envPath && envPath.trim().length > 0) {
-        return envPath;
+        return (0, path_js_1.expandHome)(envPath);
     }
     return (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
 }
 async function runDetachedDaemonProcess(options) {
     const cfg = buildRootConfig(options);
-    const logPath = (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
+    const logPath = options.logPath && options.logPath.trim().length > 0
+        ? (0, path_js_1.expandHome)(options.logPath)
+        : (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
     (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(logPath), { recursive: true });
     const logFd = (0, node_fs_1.openSync)(logPath, "a");
     try {

package/dist/commands/runner/common.js

@@ -1,13 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.addRunnerStartOptions = addRunnerStartOptions;
+const global_options_js_1 = require("../global-options.js");
 function addRunnerStartOptions(command) {
     return command
-        .option("--config-path <path>", "Config directory override (defaults to ~/.config/companyhelm).")
+        .option("--config-path <path>", global_options_js_1.CONFIG_PATH_OPTION_DESCRIPTION)
         .option("--server-url <url>", "CompanyHelm gRPC API URL override.")
         .option("--agent-api-url <url>", "Agent gRPC API URL for companyhelm-agent in runtime containers (localhost is rewritten to http://host.docker.internal).")
         .option("--secret <secret>", "Bearer secret used as gRPC Authorization header.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
+        .option("--log-path <path>", "Daemon log file override.")
         .option("--use-host-docker-runtime", "Mount host Docker socket into runtime containers instead of creating DinD sidecars.")
         .option("--host-docker-path <path>", "Host Docker endpoint when --use-host-docker-runtime is enabled (unix:///<socket-path> or tcp://localhost:<port>).")
         .option("--thread-git-skills-directory <path>", "Container path where thread git skill repositories are cloned before linking into ~/.codex/skills.")

package/dist/commands/runner/stop.js

@@ -48,7 +48,7 @@ function registerRunnerStopCommand(runnerCommand) {
     runnerCommand
         .command("stop")
         .description("Stop the local CompanyHelm runner daemon.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .action(async (options) => {
         await runRunnerStopCommand(options);
     });

package/dist/commands/sdk/codex/auth.js

@@ -0,0 +1,200 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultUseDedicatedCodexAuthDependencies = exports.defaultSetCodexHostAuthDependencies = void 0;
+exports.isErrnoException = isErrnoException;
+exports.buildDockerMissingError = buildDockerMissingError;
+exports.ensureDockerAvailable = ensureDockerAvailable;
+exports.listCodexStartupAuthOptions = listCodexStartupAuthOptions;
+exports.setCodexHostAuthInDb = setCodexHostAuthInDb;
+exports.setCodexDedicatedAuthInDb = setCodexDedicatedAuthInDb;
+exports.runSetCodexHostAuth = runSetCodexHostAuth;
+exports.runDedicatedCodexAuth = runDedicatedCodexAuth;
+exports.runUseDedicatedCodexAuth = runUseDedicatedCodexAuth;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const drizzle_orm_1 = require("drizzle-orm");
+const host_js_1 = require("../../../service/host.js");
+const db_js_1 = require("../../../state/db.js");
+const schema_js_1 = require("../../../state/schema.js");
+const path_js_1 = require("../../../utils/path.js");
+exports.defaultSetCodexHostAuthDependencies = {
+    getHostInfoFn: host_js_1.getHostInfo,
+    initDbFn: db_js_1.initDb,
+};
+exports.defaultUseDedicatedCodexAuthDependencies = {
+    initDbFn: db_js_1.initDb,
+    logInfo: console.log,
+    logSuccess: console.log,
+    spawnCommand: node_child_process_1.spawn,
+    spawnSyncCommand: node_child_process_1.spawnSync,
+};
+function isErrnoException(error) {
+    return error instanceof Error && "code" in error;
+}
+function buildDockerMissingError() {
+    return new Error("Docker is not installed or not available on PATH. Install Docker and retry.");
+}
+function ensureDockerAvailable(spawnSyncCommand) {
+    const result = spawnSyncCommand("docker", ["--version"], { stdio: "ignore" });
+    if (isErrnoException(result.error) && result.error.code === "ENOENT") {
+        throw buildDockerMissingError();
+    }
+}
+function listCodexStartupAuthOptions(cfg, getHostInfoFn = host_js_1.getHostInfo) {
+    const options = [
+        {
+            value: "dedicated",
+            label: "Dedicated",
+            hint: "recommended -- runs Codex login inside a container",
+        },
+    ];
+    const hostInfo = getHostInfoFn(cfg.codex.codex_auth_path);
+    if (hostInfo.codexAuthExists) {
+        options.push({
+            value: "host",
+            label: "Host",
+            hint: `reuse existing credentials from ${cfg.codex.codex_auth_path}`,
+        });
+    }
+    return options;
+}
+async function setCodexHostAuthInDb(db) {
+    const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
+    if (existingSdk) {
+        await db
+            .update(schema_js_1.agentSdks)
+            .set({ authentication: "host" })
+            .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
+        return;
+    }
+    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "host" });
+}
+async function setCodexDedicatedAuthInDb(db) {
+    const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
+    if (existingSdk) {
+        await db
+            .update(schema_js_1.agentSdks)
+            .set({ authentication: "dedicated" })
+            .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
+        return;
+    }
+    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "dedicated" });
+}
+async function runSetCodexHostAuth(cfg, overrides = {}) {
+    const deps = { ...exports.defaultSetCodexHostAuthDependencies, ...overrides };
+    const authPath = (0, path_js_1.expandHome)(cfg.codex.codex_auth_path);
+    const hostInfo = deps.getHostInfoFn(cfg.codex.codex_auth_path);
+    if (!hostInfo.codexAuthExists) {
+        throw new Error(`Codex host auth file not found at ${authPath}.`);
+    }
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        await setCodexHostAuthInDb(db);
+    }
+    finally {
+        client.close();
+    }
+    return authPath;
+}
+async function runDedicatedCodexAuth(cfg, db, deps) {
+    ensureDockerAvailable(deps.spawnSyncCommand);
+    const port = cfg.codex.codex_auth_port;
+    const socatPort = port + 1;
+    const containerName = `companyhelm-codex-auth-${Date.now()}`;
+    deps.logInfo("Starting Codex login inside a container...");
+    deps.logInfo("A browser URL will appear -- open it to complete authentication.");
+    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
+    if (!(0, node_fs_1.existsSync)(configDir)) {
+        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
+    }
+    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
+    let authCopied = false;
+    await new Promise((resolve, reject) => {
+        let settled = false;
+        let poll;
+        const rejectOnce = (error) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (poll) {
+                clearInterval(poll);
+            }
+            deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
+            reject(error);
+        };
+        const resolveOnce = () => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (poll) {
+                clearInterval(poll);
+            }
+            resolve();
+        };
+        const child = deps.spawnCommand("docker", [
+            "run",
+            "-it",
+            "--name",
+            containerName,
+            "-p",
+            `${port}:${socatPort}`,
+            "--entrypoint",
+            "bash",
+            cfg.runtime_image,
+            "-c",
+            `source "$NVM_DIR/nvm.sh"; socat TCP-LISTEN:${socatPort},fork,bind=0.0.0.0,reuseaddr TCP:127.0.0.1:${port} 2>/dev/null & codex`,
+        ], { stdio: "inherit" });
+        child.on("error", (error) => {
+            if (isErrnoException(error) && error.code === "ENOENT") {
+                rejectOnce(buildDockerMissingError());
+                return;
+            }
+            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
+        });
+        poll = setInterval(() => {
+            if (settled) {
+                return;
+            }
+            const check = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `test -f ${cfg.codex.codex_auth_path}`], {
+                stdio: "ignore",
+            });
+            if (check.status === 0) {
+                const resolveResult = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `echo ${cfg.codex.codex_auth_path}`], {
+                    encoding: "utf-8",
+                });
+                const containerAuthAbsPath = resolveResult.stdout.trim();
+                const cpResult = deps.spawnSyncCommand("docker", ["cp", `${containerName}:${containerAuthAbsPath}`, destPath], {
+                    stdio: "ignore",
+                });
+                if (cpResult.status !== 0) {
+                    rejectOnce(new Error("Failed to extract auth file from container."));
+                    return;
+                }
+                authCopied = true;
+                deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
+                resolveOnce();
+            }
+        }, 1000);
+        child.on("exit", () => {
+            if (!authCopied) {
+                rejectOnce(new Error("Codex login failed or was cancelled."));
+            }
+        });
+    });
+    await setCodexDedicatedAuthInDb(db);
+    deps.logSuccess(`Codex auth saved to ${destPath}`);
+    return destPath;
+}
+async function runUseDedicatedCodexAuth(cfg, overrides = {}) {
+    const deps = { ...exports.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        return await runDedicatedCodexAuth(cfg, db, deps);
+    }
+    finally {
+        client.close();
+    }
+}

package/dist/commands/sdk/codex/register-codex-sdk-commands.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCodexSdkCommands = registerCodexSdkCommands;
+const use_dedicated_auth_js_1 = require("./use-dedicated-auth.js");
+const use_host_auth_js_1 = require("./use-host-auth.js");
+function registerCodexSdkCommands(sdkCommand) {
+    const codexCommand = sdkCommand
+        .command("codex")
+        .description("Manage Codex SDK authentication.");
+    (0, use_host_auth_js_1.registerSdkCodexUseHostAuthCommand)(codexCommand);
+    (0, use_dedicated_auth_js_1.registerSdkCodexUseDedicatedAuthCommand)(codexCommand);
+}

package/dist/commands/sdk/codex/use-dedicated-auth.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSdkCodexUseDedicatedAuthCommand = runSdkCodexUseDedicatedAuthCommand;
+exports.registerSdkCodexUseDedicatedAuthCommand = registerSdkCodexUseDedicatedAuthCommand;
+const config_js_1 = require("../../../config.js");
+const auth_js_1 = require("./auth.js");
+async function runSdkCodexUseDedicatedAuthCommand(cfg = config_js_1.config.parse({}), overrides = {}) {
+    const deps = { ...auth_js_1.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    await (0, auth_js_1.runUseDedicatedCodexAuth)(cfg, deps);
+}
+function registerSdkCodexUseDedicatedAuthCommand(codexCommand) {
+    codexCommand
+        .command("use-dedicated-auth")
+        .description("Configure the Codex SDK to use dedicated authentication.")
+        .action(async () => {
+        await runSdkCodexUseDedicatedAuthCommand();
+    });
+}

package/dist/commands/sdk/codex/use-host-auth.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSdkCodexUseHostAuthCommand = runSdkCodexUseHostAuthCommand;
+exports.registerSdkCodexUseHostAuthCommand = registerSdkCodexUseHostAuthCommand;
+const config_js_1 = require("../../../config.js");
+const auth_js_1 = require("./auth.js");
+async function runSdkCodexUseHostAuthCommand(cfg = config_js_1.config.parse({}), overrides = {}) {
+    const deps = { ...auth_js_1.defaultSetCodexHostAuthDependencies, ...overrides };
+    const authPath = await (0, auth_js_1.runSetCodexHostAuth)(cfg, deps);
+    console.log(`Codex SDK configured with host authentication using ${authPath}.`);
+}
+function registerSdkCodexUseHostAuthCommand(codexCommand) {
+    codexCommand
+        .command("use-host-auth")
+        .description("Configure the Codex SDK to use host authentication.")
+        .action(async () => {
+        await runSdkCodexUseHostAuthCommand();
+    });
+}

package/dist/commands/sdk/refresh-models.js

@@ -4,7 +4,14 @@ exports.runSdkRefreshModelsCommand = runSdkRefreshModelsCommand;
 exports.registerSdkRefreshModelsCommand = registerSdkRefreshModelsCommand;
 const refresh_models_js_1 = require("../../service/sdk/refresh_models.js");
 async function runSdkRefreshModelsCommand(options) {
-    const results = await (0, refresh_models_js_1.refreshSdkModels)({ sdk: options.sdk });
+    let results;
+    try {
+        results = await (0, refresh_models_js_1.refreshSdkModels)({ sdk: options.sdk });
+    }
+    catch (error) {
+        const sdkName = options.sdk ?? "configured";
+        throw new Error((0, refresh_models_js_1.formatSdkModelRefreshFailure)(sdkName, error));
+    }
     for (const result of results) {
         console.log(`Refreshed ${result.modelCount} models for SDK '${result.sdk}'.`);
     }

package/dist/commands/sdk/register-sdk-commands.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerSdkCommands = registerSdkCommands;
+const register_codex_sdk_commands_js_1 = require("./codex/register-codex-sdk-commands.js");
 const list_js_1 = require("./list.js");
 const refresh_models_js_1 = require("./refresh-models.js");
 function registerSdkCommands(program) {
@@ -9,4 +10,5 @@ function registerSdkCommands(program) {
         .description("Manage configured SDKs and their model capabilities.");
     (0, list_js_1.registerSdkListCommand)(sdkCommand);
     (0, refresh_models_js_1.registerSdkRefreshModelsCommand)(sdkCommand);
+    (0, register_codex_sdk_commands_js_1.registerCodexSdkCommands)(sdkCommand);
 }

package/dist/commands/startup.js

@@ -37,42 +37,27 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startup = startup;
-const node_fs_1 = require("node:fs");
-const node_path_1 = require("node:path");
 const node_child_process_1 = require("node:child_process");
 const p = __importStar(require("@clack/prompts"));
 const figlet_1 = __importDefault(require("figlet"));
 const config_js_1 = require("../config.js");
 const db_js_1 = require("../state/db.js");
 const schema_js_1 = require("../state/schema.js");
-const host_js_1 = require("../service/host.js");
 const refresh_models_js_1 = require("../service/sdk/refresh_models.js");
-const path_js_1 = require("../utils/path.js");
+const auth_js_1 = require("./sdk/codex/auth.js");
 function banner() {
     console.log();
     console.log(figlet_1.default.textSync("CompanyHelm", { font: "Small" }));
     console.log();
 }
-function isErrnoException(error) {
-    return error instanceof Error && "code" in error;
-}
-function buildDockerMissingError() {
-    return new Error("Docker is not installed or not available on PATH. Install Docker and retry.");
-}
 const defaultStartupDependencies = {
-    getHostInfoFn: host_js_1.getHostInfo,
+    getHostInfoFn: auth_js_1.defaultSetCodexHostAuthDependencies.getHostInfoFn,
     initDbFn: db_js_1.initDb,
     promptApi: p,
     refreshSdkModelsFn: refresh_models_js_1.refreshSdkModels,
     spawnCommand: node_child_process_1.spawn,
     spawnSyncCommand: node_child_process_1.spawnSync,
 };
-function ensureDockerAvailable(spawnSyncCommand) {
-    const result = spawnSyncCommand("docker", ["--version"], { stdio: "ignore" });
-    if (isErrnoException(result.error) && result.error.code === "ENOENT") {
-        throw buildDockerMissingError();
-    }
-}
 function restoreInteractiveTerminalState() {
     try {
         if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
@@ -96,7 +81,7 @@ function exitStartup(code) {
     process.exit(code);
 }
 async function refreshCodexModelsInStartup(deps) {
-    ensureDockerAvailable(deps.spawnSyncCommand);
+    (0, auth_js_1.ensureDockerAvailable)(deps.spawnSyncCommand);
     const spinner = deps.promptApi.spinner();
     const seenStatusMessages = new Set();
     spinner.start("Preparing Codex runtime image and refreshing model catalog via app-server");
@@ -113,96 +98,6 @@ async function refreshCodexModelsInStartup(deps) {
     const count = results[0]?.modelCount ?? 0;
     spinner.stop(`Codex model catalog refreshed (${count} models).`);
 }
-async function dedicatedAuth(cfg, db, deps) {
-    ensureDockerAvailable(deps.spawnSyncCommand);
-    const port = cfg.codex.codex_auth_port;
-    const socatPort = port + 1;
-    const containerName = `companyhelm-codex-auth-${Date.now()}`;
-    deps.promptApi.log.info("Starting Codex login inside a container...");
-    deps.promptApi.log.info("A browser URL will appear -- open it to complete authentication.");
-    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
-    if (!(0, node_fs_1.existsSync)(configDir)) {
-        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
-    }
-    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
-    let authCopied = false;
-    await new Promise((resolve, reject) => {
-        let settled = false;
-        let poll;
-        const rejectOnce = (error) => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-            reject(error);
-        };
-        const resolveOnce = () => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            resolve();
-        };
-        const child = deps.spawnCommand("docker", [
-            "run",
-            "-it",
-            "--name",
-            containerName,
-            "-p",
-            `${port}:${socatPort}`,
-            "--entrypoint",
-            "bash",
-            cfg.runtime_image,
-            "-c",
-            `source "$NVM_DIR/nvm.sh"; socat TCP-LISTEN:${socatPort},fork,bind=0.0.0.0,reuseaddr TCP:127.0.0.1:${port} 2>/dev/null & codex`,
-        ], { stdio: "inherit" });
-        child.on("error", (error) => {
-            if (isErrnoException(error) && error.code === "ENOENT") {
-                rejectOnce(buildDockerMissingError());
-                return;
-            }
-            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
-        });
-        poll = setInterval(() => {
-            if (settled) {
-                return;
-            }
-            const check = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `test -f ${cfg.codex.codex_auth_path}`], {
-                stdio: "ignore",
-            });
-            if (check.status === 0) {
-                const resolveResult = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `echo ${cfg.codex.codex_auth_path}`], {
-                    encoding: "utf-8",
-                });
-                const containerAuthAbsPath = resolveResult.stdout.trim();
-                const cpResult = deps.spawnSyncCommand("docker", ["cp", `${containerName}:${containerAuthAbsPath}`, destPath], {
-                    stdio: "ignore",
-                });
-                if (cpResult.status !== 0) {
-                    rejectOnce(new Error("Failed to extract auth file from container."));
-                    return;
-                }
-                authCopied = true;
-                deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-                resolveOnce();
-            }
-        }, 1000);
-        child.on("exit", () => {
-            if (!authCopied) {
-                rejectOnce(new Error("Codex login failed or was cancelled."));
-            }
-        });
-    });
-    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "dedicated" });
-    deps.promptApi.log.success(`Codex auth saved to ${destPath}`);
-}
 async function selectStartupAuthMode(options, deps) {
     if (options.length === 1) {
         return options[0].value;
@@ -230,30 +125,21 @@ async function startup(cfg = config_js_1.config.parse({}), overrides = {}) {
         return;
     }
     deps.promptApi.intro("No agent SDK configured. Let's set up Codex authentication.");
-    const hostInfo = deps.getHostInfoFn(cfg.codex.codex_auth_path);
-    const options = [
-        {
-            value: "dedicated",
-            label: "Dedicated",
-            hint: "recommended -- runs Codex login inside a container",
-        },
-    ];
-    if (hostInfo.codexAuthExists) {
-        options.push({
-            value: "host",
-            label: "Host",
-            hint: `reuse existing credentials from ${cfg.codex.codex_auth_path}`,
-        });
-    }
+    const options = (0, auth_js_1.listCodexStartupAuthOptions)(cfg, deps.getHostInfoFn);
     try {
         const authMode = await selectStartupAuthMode(options, deps);
         if (authMode === "host") {
-            await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "host" });
+            await (0, auth_js_1.setCodexHostAuthInDb)(db);
             await refreshCodexModelsInStartup(deps);
             deps.promptApi.outro("Codex SDK configured with host authentication.");
             return;
         }
-        await dedicatedAuth(cfg, db, deps);
+        await (0, auth_js_1.runDedicatedCodexAuth)(cfg, db, {
+            logInfo: deps.promptApi.log.info,
+            logSuccess: deps.promptApi.log.success,
+            spawnCommand: deps.spawnCommand,
+            spawnSyncCommand: deps.spawnSyncCommand,
+        });
         await refreshCodexModelsInStartup(deps);
         deps.promptApi.outro("Codex login successful!");
     }

package/dist/commands/status.js

@@ -10,7 +10,7 @@ function registerStatusCommand(program) {
     program
         .command("status")
         .description("Show whether the local CompanyHelm daemon is running.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .action(async (options) => {
         const cfg = config_js_1.config.parse({
             state_db_path: options.stateDbPath,

package/dist/config.js

@@ -1,9 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.config = exports.codexConfig = void 0;
+exports.config = exports.codexConfig = exports.DEFAULT_CONFIG_DIRECTORY = exports.CONFIG_PATH_ENV = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const zod_1 = require("zod");
+const path_js_1 = require("./utils/path.js");
+exports.CONFIG_PATH_ENV = "COMPANYHELM_CONFIG_PATH";
+exports.DEFAULT_CONFIG_DIRECTORY = "~/.config/companyhelm";
 const DEFAULT_RUNTIME_IMAGE_REPOSITORY = "companyhelm/runner";
 const FALLBACK_RUNTIME_IMAGE_VERSION = "latest";
 function loadRuntimeImageVersion() {
@@ -19,6 +22,19 @@ function loadRuntimeImageVersion() {
     return FALLBACK_RUNTIME_IMAGE_VERSION;
 }
 const DEFAULT_RUNTIME_IMAGE = `${DEFAULT_RUNTIME_IMAGE_REPOSITORY}:${loadRuntimeImageVersion()}`;
+function resolveConfigRelativePath(configDirectory, pathValue) {
+    if ((0, node_path_1.isAbsolute)((0, path_js_1.expandHome)(pathValue))) {
+        return pathValue;
+    }
+    return (0, node_path_1.join)(configDirectory, pathValue);
+}
+function resolveConfigDirectoryDefault() {
+    const envValue = process.env[exports.CONFIG_PATH_ENV]?.trim();
+    if (envValue && envValue.length > 0) {
+        return envValue;
+    }
+    return exports.DEFAULT_CONFIG_DIRECTORY;
+}
 exports.codexConfig = zod_1.z.object({
     codex_auth_file_path: zod_1.z.string()
         .describe("The path to the Codex authentication file on the host, relative to config_directory.")
@@ -36,13 +52,13 @@ exports.codexConfig = zod_1.z.object({
 exports.config = zod_1.z.object({
     config_directory: zod_1.z.string()
         .describe("The directory where the config files are stored.")
-        .default("~/.config/companyhelm"),
+        .default(resolveConfigDirectoryDefault),
     workspaces_directory: zod_1.z.string()
         .describe("The directory where thread workspaces are stored, relative to config_directory when not absolute.")
         .default("workspaces"),
     state_db_path: zod_1.z.string()
-        .describe("The path to the state database.")
-        .default("~/.local/share/companyhelm/state.db"),
+        .describe("The path to the state database, relative to the config directory.")
+        .default("state.db"),
     companyhelm_api_url: zod_1.z.string()
         .describe("CompanyHelm control plane gRPC endpoint URL.")
         .default("https://api.companyhelm.com:50051"),
@@ -83,4 +99,7 @@ exports.config = zod_1.z.object({
         .describe("Default git author email used when runtime repositories are missing user.email.")
         .default("agent@companyhelm.com"),
     codex: exports.codexConfig.default(() => exports.codexConfig.parse({})),
-});
+}).transform((value) => ({
+    ...value,
+    state_db_path: resolveConfigRelativePath(value.config_directory, value.state_db_path),
+}));

package/dist/service/docker/app_server_container.js

@@ -56,12 +56,46 @@ class AppServerContainerService {
         this.child = null;
         this.containerName = null;
         this.running = false;
+        this.recentStderrLines = [];
+        this.lastExitCode = null;
+        this.lastExitSignal = null;
         this.docker = options?.docker ?? new dockerode_1.default();
         this.imageStatusReporter = options?.imageStatusReporter;
     }
     reportImageStatus(message) {
         this.imageStatusReporter?.(message);
     }
+    recordStderr(chunk) {
+        const lines = chunk
+            .split(/\r?\n/)
+            .map((line) => line.trim())
+            .filter((line) => line.length > 0);
+        if (lines.length === 0) {
+            return;
+        }
+        this.recentStderrLines.push(...lines);
+        if (this.recentStderrLines.length > 8) {
+            this.recentStderrLines.splice(0, this.recentStderrLines.length - 8);
+        }
+    }
+    buildContainerStoppedErrorMessage() {
+        const details = [];
+        if (this.containerName) {
+            details.push(`container ${this.containerName}`);
+        }
+        if (this.lastExitCode !== null) {
+            details.push(`exit code ${this.lastExitCode}`);
+        }
+        else if (this.lastExitSignal) {
+            details.push(`signal ${this.lastExitSignal}`);
+        }
+        if (this.recentStderrLines.length > 0) {
+            details.push(`stderr: ${this.recentStderrLines.join(" | ")}`);
+        }
+        return details.length > 0
+            ? `App server container is not running (${details.join(", ")})`
+            : "App server container is not running";
+    }
     static isImageNotFound(error) {
         if (typeof error !== "object" || error === null) {
             return false;
@@ -159,6 +193,9 @@ class AppServerContainerService {
         if (this.running) {
             throw new Error("App server container is already running");
         }
+        this.recentStderrLines = [];
+        this.lastExitCode = null;
+        this.lastExitSignal = null;
         const cfg = config_js_1.config.parse({});
         await this.ensureImageAvailable(cfg.runtime_image);
         const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
@@ -218,15 +255,27 @@ class AppServerContainerService {
             this.messageQueue.push({ type: "stdout", payload: chunk });
         });
         child.stderr.on("data", (chunk) => {
-            this.messageQueue.push({ type: "stderr", payload: chunk.toString("utf8") });
+            const payload = chunk.toString("utf8");
+            this.recordStderr(payload);
+            this.messageQueue.push({ type: "stderr", payload });
         });
         child.on("error", (err) => {
+            this.recordStderr(err.message);
             this.messageQueue.push({ type: "error", reason: `docker process error: ${err.message}` });
             this.running = false;
             this.messageQueue.close();
         });
-        child.on("exit", () => {
+        child.on("exit", (code, signal) => {
+            const wasRunning = this.running;
+            this.lastExitCode = code;
+            this.lastExitSignal = signal;
             this.running = false;
+            if (wasRunning) {
+                this.messageQueue.push({
+                    type: "error",
+                    reason: this.buildContainerStoppedErrorMessage(),
+                });
+            }
             this.messageQueue.close();
         });
         this.child = child;
@@ -253,7 +302,7 @@ class AppServerContainerService {
     }
     async sendRaw(payload) {
         if (!this.running || !this.child || !this.child.stdin) {
-            throw new Error("App server container is not running");
+            throw new Error(this.buildContainerStoppedErrorMessage());
         }
         this.child.stdin.write(payload);
     }

package/dist/service/sdk/refresh_models.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatSdkModelRefreshFailure = formatSdkModelRefreshFailure;
 exports.refreshSdkModels = refreshSdkModels;
 const drizzle_orm_1 = require("drizzle-orm");
 const config_js_1 = require("../../config.js");
@@ -7,6 +8,13 @@ const db_js_1 = require("../../state/db.js");
 const schema_js_1 = require("../../state/schema.js");
 const app_server_js_1 = require("../app_server.js");
 const app_server_container_js_1 = require("../docker/app_server_container.js");
+function toErrorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+function formatSdkModelRefreshFailure(sdk, error) {
+    return (`Failed to refresh ${sdk} models from the local Codex app-server: ${toErrorMessage(error)}. ` +
+        "Verify the runner image can start Codex app-server with valid auth, then retry.");
+}
 async function fetchCodexModelsFromAppServer(clientName, logger, imageStatusReporter) {
     const transport = new app_server_container_js_1.AppServerContainerService({ imageStatusReporter });
     const appServer = new app_server_js_1.AppServerService(transport, clientName, logger);

package/dist/templates/app_server_bootstrap.sh.j2

@@ -6,6 +6,12 @@ AGENT_UID={{ agent_uid }}
 AGENT_GID={{ agent_gid }}
 CODEX_AUTH_PATH={{ codex_auth_path }}
 APP_SERVER_COMMAND={{ app_server_command }}
+EXISTING_UID_USER=""
+
+if getent passwd "$AGENT_UID" >/dev/null 2>&1; then
+  EXISTING_UID_USER="$(getent passwd "$AGENT_UID" | cut -d: -f1)"
+  AGENT_USER="$EXISTING_UID_USER"
+fi
 
 AGENT_GROUP="$AGENT_USER"
 if getent group "$AGENT_GID" >/dev/null 2>&1; then
@@ -19,7 +25,7 @@ else
 fi
 
 if id -u "$AGENT_USER" >/dev/null 2>&1; then
-  usermod -u "$AGENT_UID" -g "$AGENT_GROUP" -d "$AGENT_HOME" "$AGENT_USER" || true
+  usermod -u "$AGENT_UID" -g "$AGENT_GROUP" -d "$AGENT_HOME" -s /bin/bash "$AGENT_USER" || true
 else
   useradd -m -d "$AGENT_HOME" -u "$AGENT_UID" -g "$AGENT_GROUP" -s /bin/bash "$AGENT_USER"
 fi

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@companyhelm/cli",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "description": "Run coding agents in fully isolated Docker sandboxes, locally.",
   "license": "Apache-2.0",
   "repository": {