agent-relay 1.2.3 → 1.3.1

package/.trajectories/completed/2026-01/traj_y7aiwijyfmmv.json

@@ -0,0 +1,49 @@
+{
+  "id": "traj_y7aiwijyfmmv",
+  "version": 1,
+  "task": {
+    "title": "Fix CLI hanging - add auth check endpoint"
+  },
+  "status": "completed",
+  "startedAt": "2026-01-07T10:19:49.851Z",
+  "agents": [
+    {
+      "name": "khaliqgant",
+      "role": "lead",
+      "joinedAt": "2026-01-07T10:19:49.852Z"
+    }
+  ],
+  "chapters": [
+    {
+      "id": "chap_brksv0oi98s5",
+      "title": "Work",
+      "agentName": "default",
+      "startedAt": "2026-01-07T10:19:49.908Z",
+      "events": [
+        {
+          "ts": 1767781189908,
+          "type": "decision",
+          "content": "Add /auth/cli/openai/check endpoint to workspace daemon: Add /auth/cli/openai/check endpoint to workspace daemon",
+          "raw": {
+            "question": "Add /auth/cli/openai/check endpoint to workspace daemon",
+            "chosen": "Add /auth/cli/openai/check endpoint to workspace daemon",
+            "alternatives": [],
+            "reasoning": "CLI was hanging because it polls this endpoint to detect auth completion, but it didn't exist. Added check for ~/.codex/auth.json credentials file."
+          },
+          "significance": "high"
+        }
+      ],
+      "endedAt": "2026-01-07T10:19:49.966Z"
+    }
+  ],
+  "commits": [],
+  "filesChanged": [],
+  "projectId": "/Users/khaliqgant/Projects/agent-workforce/relay",
+  "tags": [],
+  "completedAt": "2026-01-07T10:19:49.966Z",
+  "retrospective": {
+    "summary": "Added missing /auth/cli/openai/check endpoint to workspace daemon server.ts. CLI polls this to detect when Codex OAuth completes.",
+    "approach": "Standard approach",
+    "confidence": 0.9
+  }
+}

package/.trajectories/completed/2026-01/traj_y7aiwijyfmmv.md

@@ -0,0 +1,31 @@
+# Trajectory: Fix CLI hanging - add auth check endpoint
+
+> **Status:** ✅ Completed
+> **Confidence:** 90%
+> **Started:** January 7, 2026 at 11:19 AM
+> **Completed:** January 7, 2026 at 11:19 AM
+
+---
+
+## Summary
+
+Added missing /auth/cli/openai/check endpoint to workspace daemon server.ts. CLI polls this to detect when Codex OAuth completes.
+
+**Approach:** Standard approach
+
+---
+
+## Key Decisions
+
+### Add /auth/cli/openai/check endpoint to workspace daemon
+- **Chose:** Add /auth/cli/openai/check endpoint to workspace daemon
+- **Reasoning:** CLI was hanging because it polls this endpoint to detect auth completion, but it didn't exist. Added check for ~/.codex/auth.json credentials file.
+
+---
+
+## Chapters
+
+### 1. Work
+*Agent: default*
+
+- Add /auth/cli/openai/check endpoint to workspace daemon: Add /auth/cli/openai/check endpoint to workspace daemon

package/.trajectories/consolidate-settings-panel.md

@@ -0,0 +1,24 @@
+# Trajectory: Consolidate settings panel and create PR
+
+> **Status:** ✅ Completed
+> **Confidence:** 90%
+> **Started:** January 6, 2026 at 12:40 PM
+> **Completed:** January 6, 2026 at 12:41 PM
+
+---
+
+## Summary
+
+Settings panel consolidation PR exists as #78. Pushed additional commit (7429eb7) with types.ts. GitHub auth working via git-credential-relay helper.
+
+**Approach:** Standard approach
+
+---
+
+## Chapters
+
+### 1. Initial work
+*Agent: Fullstack*
+
+- PR may already exist from previous session, branch was pushed successfully: PR may already exist from previous session, branch was pushed successfully
+

package/.trajectories/gh-cli-user-token.md

@@ -0,0 +1,26 @@
+# Trajectory: Investigate gh CLI auth solution for agents
+
+> **Status:** ✅ Completed
+> **Confidence:** 85%
+> **Started:** January 6, 2026 at 12:44 PM
+> **Completed:** January 6, 2026 at 01:10 PM
+
+---
+
+## Summary
+
+Created PR #79 to fix gh CLI auth. Updates git.ts to use user login connection (GITHUB_USER) for userToken. Also created ~/.local/bin/gh-relay wrapper that uses userToken with GH_TOKEN env var.
+
+**Approach:** Standard approach
+
+---
+
+## Chapters
+
+### 1. Initial work
+*Agent: Fullstack*
+
+- API currently returns same token for both 'token' and 'userToken' - both are GitHub App installation tokens (ghs_*): API currently returns same token for both 'token' and 'userToken' - both are GitHub App installation tokens (ghs_*)
+- Issue identified: getGithubUserOAuthToken returns installation token (ghs_*) instead of user OAuth token (gho_*). gh CLI needs user OAuth token for full API access.: Issue identified: getGithubUserOAuthToken returns installation token (ghs_*) instead of user OAuth token (gho_*). gh CLI needs user OAuth token for full API access.
+- API still returns same token - code change not deployed yet. Need to verify user has login connection (users.nangoConnectionId) and that GITHUB_USER integration returns gho_* OAuth token: API still returns same token - code change not deployed yet. Need to verify user has login connection (users.nangoConnectionId) and that GITHUB_USER integration returns gho_* OAuth token
+

package/.trajectories/index.json

@@ -1,6 +1,6 @@
 {
   "version": 1,
-  "lastUpdated": "2026-01-05T21:29:51.202Z",
+  "lastUpdated": "2026-01-07T14:19:04.152Z",
   "trajectories": {
     "traj_ozd98si6a7ns": {
       "title": "Fix thinking indicator showing on all messages",
@@ -309,6 +309,160 @@
       "startedAt": "2026-01-05T20:14:01.563Z",
       "completedAt": "2026-01-05T20:14:01.617Z",
       "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_hhxte7w4gjjx.json"
+    },
+    "traj_fhx9irlckht6": {
+      "title": "Spec and plan: Auto workspace access + Human-to-human messaging",
+      "status": "completed",
+      "startedAt": "2026-01-05T23:10:52.953Z",
+      "completedAt": "2026-01-05T23:15:32.933Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_fhx9irlckht6.json"
+    },
+    "traj_avqeghu6pz5a": {
+      "title": "Fix gh CLI authentication in workspace containers",
+      "status": "completed",
+      "startedAt": "2026-01-05T23:14:00.755Z",
+      "completedAt": "2026-01-05T23:44:34.432Z",
+      "path": "/workspace/relay/.trajectories/completed/2026-01/traj_avqeghu6pz5a.json"
+    },
+    "traj_hfmki2jr9d4r": {
+      "title": "Implement auto workspace access + mobile UI fixes",
+      "status": "completed",
+      "startedAt": "2026-01-05T23:45:03.470Z",
+      "completedAt": "2026-01-06T00:03:49.311Z",
+      "path": "/workspace/relay/.trajectories/completed/2026-01/traj_hfmki2jr9d4r.json"
+    },
+    "traj_5ammh5qtvklq": {
+      "title": "Evaluate Fly.io Sprites and implement workspace resilience",
+      "status": "completed",
+      "startedAt": "2026-01-06T06:24:17.361Z",
+      "completedAt": "2026-01-06T06:25:03.223Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_5ammh5qtvklq.json"
+    },
+    "traj_ui9b4tqxoa7j": {
+      "title": "Fix agent token fetch with improved error handling",
+      "status": "completed",
+      "startedAt": "2026-01-06T08:24:36.222Z",
+      "completedAt": "2026-01-06T08:25:20.777Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_ui9b4tqxoa7j.json"
+    },
+    "traj_xy9vifpqet80": {
+      "title": "Extract BaseWrapper from PtyWrapper and TmuxWrapper",
+      "status": "completed",
+      "startedAt": "2026-01-06T12:27:13.004Z",
+      "completedAt": "2026-01-06T12:58:24.003Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_xy9vifpqet80.json"
+    },
+    "traj_78ffm31jn3uk": {
+      "title": "Fix agent token fetch and seamless gh CLI",
+      "status": "completed",
+      "startedAt": "2026-01-06T16:24:13.901Z",
+      "completedAt": "2026-01-06T16:24:50.235Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_78ffm31jn3uk.json"
+    },
+    "traj_v9dkdoxylyid": {
+      "title": "Implement first-class user messaging with channels and DMs",
+      "status": "completed",
+      "startedAt": "2026-01-06T17:11:57.504Z",
+      "completedAt": "2026-01-06T17:12:56.919Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_v9dkdoxylyid.json"
+    },
+    "traj_ub8csuv3lcv4": {
+      "title": "Fix WebSocket disconnections for workspace instances",
+      "status": "completed",
+      "startedAt": "2026-01-06T18:13:23.603Z",
+      "completedAt": "2026-01-06T18:16:51.462Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_ub8csuv3lcv4.json"
+    },
+    "traj_fqduidx3xbtp": {
+      "title": "Implement dynamic repo management for workspaces",
+      "status": "completed",
+      "startedAt": "2026-01-07T05:44:47.138Z",
+      "completedAt": "2026-01-07T06:07:35.433Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_fqduidx3xbtp.json"
+    },
+    "traj_multi_server_arch": {
+      "title": "Multi-server architecture document",
+      "status": "completed",
+      "startedAt": "2026-01-07T06:00:00.000Z",
+      "completedAt": "2026-01-07T06:30:00.000Z",
+      "path": "/home/user/relay/.trajectories/completed/2026-01/traj_multi_server_arch.md"
+    },
+    "traj_6mieijqyvaag": {
+      "title": "Fix xterm interactive terminal for provider auth setup",
+      "status": "completed",
+      "startedAt": "2026-01-07T08:27:00.428Z",
+      "completedAt": "2026-01-07T08:28:17.323Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_6mieijqyvaag.json"
+    },
+    "traj_0zacdjl1g4ht": {
+      "title": "Interactive terminal for provider auth setup",
+      "status": "completed",
+      "startedAt": "2026-01-07T10:06:42.869Z",
+      "completedAt": "2026-01-07T10:07:24.422Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_0zacdjl1g4ht.json"
+    },
+    "traj_lq450ly148uw": {
+      "title": "Dashboard UI fixes, billing improvements, and settings alignment",
+      "status": "completed",
+      "startedAt": "2026-01-07T10:07:46.226Z",
+      "completedAt": "2026-01-07T10:07:58.979Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_lq450ly148uw.json"
+    },
+    "traj_uc29tlso8i9s": {
+      "title": "Production-ready SSH tunneling for Codex OAuth with security hardening",
+      "status": "completed",
+      "startedAt": "2026-01-07T10:08:04.299Z",
+      "completedAt": "2026-01-07T10:09:10.870Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_uc29tlso8i9s.json"
+    },
+    "traj_dcsp9s8y01ra": {
+      "title": "Dashboard UI fixes, billing improvements, and settings alignment",
+      "status": "completed",
+      "startedAt": "2026-01-07T10:09:36.428Z",
+      "completedAt": "2026-01-07T10:09:38.308Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_dcsp9s8y01ra.json"
+    },
+    "traj_y7aiwijyfmmv": {
+      "title": "Fix CLI hanging - add auth check endpoint",
+      "status": "completed",
+      "startedAt": "2026-01-07T10:19:49.851Z",
+      "completedAt": "2026-01-07T10:19:49.966Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_y7aiwijyfmmv.json"
+    },
+    "traj_psd9ob0j2ru3": {
+      "title": "Clarify codex rule file location and spawn behavior",
+      "status": "completed",
+      "startedAt": "2026-01-07T12:37:16.374Z",
+      "completedAt": "2026-01-07T12:40:48.197Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_psd9ob0j2ru3.json"
+    },
+    "traj_33iuy72sezbk": {
+      "title": "Ensure Codex config applies without OPENAI_TOKEN",
+      "status": "completed",
+      "startedAt": "2026-01-07T12:53:31.624Z",
+      "completedAt": "2026-01-07T12:53:45.247Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_33iuy72sezbk.json"
+    },
+    "traj_94gnp3k30goq": {
+      "title": "Fix intra-workspace messaging delivery and sidebar/notification visibility",
+      "status": "completed",
+      "startedAt": "2026-01-07T14:03:47.655Z",
+      "completedAt": "2026-01-07T14:11:00.042Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_94gnp3k30goq.json"
+    },
+    "traj_03zupyv1s7b9": {
+      "title": "Fix intra-workspace messaging delivery and sidebar/notification visibility",
+      "status": "completed",
+      "startedAt": "2026-01-07T14:15:50.956Z",
+      "completedAt": "2026-01-07T14:16:39.455Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_03zupyv1s7b9.json"
+    },
+    "traj_hf81ey93uz6t": {
+      "title": "Add sidebar section break between agents and human users",
+      "status": "completed",
+      "startedAt": "2026-01-07T14:18:40.736Z",
+      "completedAt": "2026-01-07T14:19:04.139Z",
+      "path": "/Users/khaliqgant/Projects/agent-workforce/relay/.trajectories/completed/2026-01/traj_hf81ey93uz6t.json"
     }
   }
 }

package/deploy/workspace/codex.config.toml

@@ -0,0 +1,15 @@
+# Codex CLI Configuration for Agent Relay Containers
+# This file is copied to ~/.codex/config.toml in container environments
+# Reference: https://developers.openai.com/codex/config-reference/
+
+# Disable auto-updates in containers to prevent permission errors
+# Updates are managed via Dockerfile (pinned versions)
+check_for_updates = false
+
+# Additional configuration options can be added here as needed
+# Examples (uncomment and adjust as needed):
+# [model]
+# default_model = "o1"
+#
+# [editor]
+# default_editor = "vim"

package/deploy/workspace/entrypoint.sh

@@ -6,8 +6,71 @@ log() {
   echo "[workspace] $*"
 }
 
-# Drop to workspace user if running as root
+# Fix volume permissions and drop to workspace user if running as root
 if [[ "$(id -u)" == "0" ]]; then
+  # Fix /data and /workspace permissions before dropping privileges
+  # Fresh Fly.io volumes are root-owned, need to chown for workspace user
+  log "Fixing volume permissions..."
+  chown -R workspace:workspace /data /workspace 2>/dev/null || true
+
+  # ============================================================================
+  # SSH Server Setup (for CLI tunneling - Codex OAuth callback forwarding)
+  # When ENABLE_SSH=true, start SSH server on port 2222 for secure tunneling
+  # ============================================================================
+  if [[ "${ENABLE_SSH:-false}" == "true" ]]; then
+    log "Starting SSH server on port 2222..."
+
+    # Set SSH password for workspace user
+    SSH_PASS="${SSH_PASSWORD:-devpassword}"
+    echo "workspace:${SSH_PASS}" | chpasswd
+
+    # Configure SSH server for tunneling
+    # - Allow password auth (for CLI simplicity)
+    # - Listen on port 2222 (non-privileged)
+    # - Allow TCP forwarding (for port tunneling)
+    cat > /etc/ssh/sshd_config.d/workspace.conf <<SSHEOF
+Port 2222
+PasswordAuthentication yes
+PermitRootLogin no
+AllowUsers workspace
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+SSHEOF
+
+    # Start SSH server in background
+    /usr/sbin/sshd -e
+    log "SSH server started (port 2222, user: workspace)"
+  fi
+
+  # ============================================================================
+  # Persist workspace environment for SSH sessions (must be done as root)
+  # SSH sessions don't inherit the container's runtime environment, so we write
+  # critical variables to /etc/profile.d/ which gets sourced by login shells
+  # ============================================================================
+  if [[ -n "${CLOUD_API_URL:-}" || -n "${WORKSPACE_ID:-}" ]]; then
+    log "Persisting workspace environment for SSH sessions"
+    # Compute HOME path for the env file
+    _DATA_DIR="${AGENT_RELAY_DATA_DIR:-/data}"
+    if [[ -n "${WORKSPACE_OWNER_USER_ID:-}" ]]; then
+      _USER_HOME="${_DATA_DIR}/users/${WORKSPACE_OWNER_USER_ID}"
+    else
+      _USER_HOME="/home/workspace"
+    fi
+    cat > /etc/profile.d/workspace-env.sh <<ENVEOF
+# Workspace environment variables (auto-generated by entrypoint.sh)
+export WORKSPACE_ID="${WORKSPACE_ID:-}"
+export WORKSPACE_OWNER_USER_ID="${WORKSPACE_OWNER_USER_ID:-}"
+export CLOUD_API_URL="${CLOUD_API_URL:-}"
+export WORKSPACE_TOKEN="${WORKSPACE_TOKEN:-}"
+export WORKSPACE_DIR="${WORKSPACE_DIR:-/workspace}"
+export HOME="${_USER_HOME}"
+export AGENT_RELAY_USER_ID="${WORKSPACE_OWNER_USER_ID:-}"
+export AGENT_RELAY_DATA_DIR="${_DATA_DIR}"
+ENVEOF
+    chmod 644 /etc/profile.d/workspace-env.sh
+  fi
+
   log "Dropping privileges to workspace user..."
   exec gosu workspace "$0" "$@"
 fi
@@ -16,6 +79,41 @@ PORT="${AGENT_RELAY_DASHBOARD_PORT:-${PORT:-3888}}"
 export AGENT_RELAY_DASHBOARD_PORT="${PORT}"
 export PORT="${PORT}"
 
+# Disable auto-updates for AI CLIs in container environments
+# Prevents permission errors when CLIs try to self-update with npm/pip
+export DISABLE_AUTOUPDATER=1
+# Belt-and-suspenders flags to block Codex/OpenAI update checks
+export CODEX_CHECK_FOR_UPDATES=false
+export CODEX_DISABLE_AUTOUPDATE=1
+export OPENAI_CLI_NO_UPDATE=1
+export NO_UPDATE_NOTIFIER=1
+export NPM_CONFIG_UPDATE_NOTIFIER=false
+log "Auto-updates disabled for AI CLIs (container environment)"
+
+# ============================================================================
+# Per-user credential storage setup
+# Create user-specific HOME on persistent volume (/data)
+# This enables multi-user workspaces where each user has their own credentials
+# ============================================================================
+DATA_DIR="${AGENT_RELAY_DATA_DIR:-/data}"
+if [[ -n "${WORKSPACE_OWNER_USER_ID:-}" ]]; then
+  USER_HOME="${DATA_DIR}/users/${WORKSPACE_OWNER_USER_ID}"
+  log "Setting up per-user HOME at ${USER_HOME}"
+  mkdir -p "${USER_HOME}"
+  mkdir -p "${USER_HOME}/.claude"
+  mkdir -p "${USER_HOME}/.codex"
+  mkdir -p "${USER_HOME}/.config/gcloud"
+  mkdir -p "${USER_HOME}/.config/gh"
+  export HOME="${USER_HOME}"
+  # Ensure user-local bin is on PATH for per-user shims/wrappers
+  export PATH="${HOME}/.local/bin:${PATH}"
+  export XDG_CONFIG_HOME="${USER_HOME}/.config"
+  export AGENT_RELAY_USER_ID="${WORKSPACE_OWNER_USER_ID}"
+  log "HOME set to ${HOME} (user: ${WORKSPACE_OWNER_USER_ID})"
+else
+  log "No WORKSPACE_OWNER_USER_ID set, using default HOME: ${HOME}"
+fi
+
 WORKSPACE_DIR="${WORKSPACE_DIR:-/workspace}"
 REPO_LIST="${REPOSITORIES:-}"
 
@@ -67,9 +165,38 @@ fi
 GHEOF
   chmod +x "/tmp/gh-token-helper.sh"
 
-  # gh CLI will use GH_TOKEN if set; we export a function to refresh it
-  # For now, set it once at startup (will be refreshed by the credential helper for git operations)
-  # Retry a few times in case the cloud API isn't ready yet
+  # Create gh wrapper that auto-refreshes token on each invocation
+  # This ensures gh always has a valid token without agents needing to do anything
+  GH_REAL=$(which gh 2>/dev/null || echo "/usr/bin/gh")
+  if [[ -x "${GH_REAL}" ]]; then
+    cat > "/tmp/gh-wrapper" <<GHWRAPPER
+#!/usr/bin/env bash
+# Auto-refreshing gh wrapper - fetches fresh token on each invocation
+export GH_TOKEN=\$(/tmp/gh-token-helper.sh 2>/dev/null)
+if [[ -z "\${GH_TOKEN}" ]]; then
+  echo "gh-wrapper: Failed to fetch GitHub token" >&2
+  echo "gh-wrapper: Check CLOUD_API_URL, WORKSPACE_ID, and WORKSPACE_TOKEN are set" >&2
+  exit 1
+fi
+exec "${GH_REAL}" "\$@"
+GHWRAPPER
+    chmod +x "/tmp/gh-wrapper"
+
+    # Create symlink or copy to override the real gh
+    # We use /usr/local/bin which comes before /usr/bin in PATH
+    if [[ -w "/usr/local/bin" ]]; then
+      cp "/tmp/gh-wrapper" "/usr/local/bin/gh"
+      log "Installed auto-refreshing gh wrapper to /usr/local/bin/gh"
+    else
+      # If we can't write to /usr/local/bin, add /tmp to PATH
+      export PATH="/tmp:${PATH}"
+      mv "/tmp/gh-wrapper" "/tmp/gh"
+      log "Added auto-refreshing gh wrapper to PATH"
+    fi
+  fi
+
+  # Also set GH_TOKEN at startup for any tools that read it directly
+  # (The wrapper handles runtime refresh, this is just for initialization)
   export GH_TOKEN=""
   for attempt in 1 2 3; do
     GH_TOKEN=$(/tmp/gh-token-helper.sh 2>/dev/null || echo "")
@@ -81,7 +208,7 @@ GHEOF
   if [[ -n "${GH_TOKEN}" ]]; then
     log "GitHub CLI configured with fresh token"
   else
-    log "WARN: Could not fetch GitHub token for gh CLI"
+    log "WARN: Could not fetch initial GitHub token for gh CLI"
   fi
 
 # Fallback: Use static GITHUB_TOKEN if provided (legacy mode)
@@ -261,11 +388,44 @@ RELAYEOF
 fi
 log "Claude Code configuration complete"
 
-# Codex CLI expects ~/.codex/auth.json
+# Codex CLI settings (always install config to disable auto-updates)
+mkdir -p "${HOME}/.codex"
+if [[ -f "/app/deploy/workspace/codex.config.toml" ]]; then
+  cp "/app/deploy/workspace/codex.config.toml" "${HOME}/.codex/config.toml"
+  chmod 600 "${HOME}/.codex/config.toml"
+  log "Codex configuration applied from codex.config.toml"
+else
+  # Fallback: create minimal config (should not happen in production)
+  log "WARN: codex.config.toml not found, creating minimal config"
+  cat > "${HOME}/.codex/config.toml" <<CODEXCONFIGEOF
+check_for_updates = false
+CODEXCONFIGEOF
+  chmod 600 "${HOME}/.codex/config.toml"
+fi
+# Also create JSON config for Codex (some versions read config.json instead of config.toml)
+cat > "${HOME}/.codex/config.json" <<'CODEXJSON'
+{
+  "check_for_updates": false
+}
+CODEXJSON
+chmod 600 "${HOME}/.codex/config.json"
+
+# NPM wrapper to block Codex self-updates (no-op when Codex tries npm install -g @openai/codex)
+mkdir -p "${HOME}/.local/bin"
+cat > "${HOME}/.local/bin/npm" <<'NPMWRAPPER'
+#!/usr/bin/env bash
+if [[ "$1" == "install" && "$2" == "-g" && "$3" == @openai/codex* ]]; then
+  echo "npm wrapper: skipping Codex self-update (auto-update disabled)" >&2
+  exit 0
+fi
+exec /usr/local/bin/npm "$@"
+NPMWRAPPER
+chmod +x "${HOME}/.local/bin/npm"
+
+# Codex CLI expects ~/.codex/auth.json for credentials
 # Format: { tokens: { access_token: "...", refresh_token: "...", ... } }
 if [[ -n "${OPENAI_TOKEN:-}" ]]; then
   log "Configuring Codex credentials..."
-  mkdir -p "${HOME}/.codex"
   cat > "${HOME}/.codex/auth.json" <<EOF
 {
   "tokens": {

package/deploy/workspace/git-credential-relay

@@ -86,6 +86,7 @@ fi
 
 if [[ -z "$response" ]]; then
   echo "git-credential-relay: Failed to fetch token from gateway" >&2
+  echo "git-credential-relay: Check that CLOUD_API_URL is accessible: ${CLOUD_API_URL}" >&2
   exit 1
 fi
 
@@ -94,12 +95,26 @@ token=$(echo "$response" | jq -r '.token // empty')
 username=$(echo "$response" | jq -r '.username // "x-access-token"')
 
 if [[ -z "$token" ]]; then
-  # Check if there's an error message
+  # Check if there's an error message with details
   error=$(echo "$response" | jq -r '.error // empty')
+  code=$(echo "$response" | jq -r '.code // empty')
+  hint=$(echo "$response" | jq -r '.hint // empty')
+  details=$(echo "$response" | jq -r '.details // empty')
+
   if [[ -n "$error" ]]; then
-    echo "git-credential-relay: $error" >&2
+    echo "git-credential-relay: ERROR: $error" >&2
+    if [[ -n "$code" ]]; then
+      echo "git-credential-relay: Code: $code" >&2
+    fi
+    if [[ -n "$hint" ]]; then
+      echo "git-credential-relay: Hint: $hint" >&2
+    fi
+    if [[ -n "$details" ]]; then
+      echo "git-credential-relay: Details: $details" >&2
+    fi
   else
     echo "git-credential-relay: No token in response" >&2
+    debug "Raw response: $response"
   fi
   exit 1
 fi

package/dist/bridge/spawner.d.ts

@@ -128,6 +128,13 @@ export declare class AgentSpawner {
      * Get raw output from a worker
      */
     getWorkerRawOutput(name: string): string | null;
+    /**
+     * Send input to a worker's PTY (for interactive terminal support)
+     * @param name - Worker name
+     * @param data - Input data to send (keystrokes, text, etc.)
+     * @returns true if input was sent, false if worker not found
+     */
+    sendWorkerInput(name: string, data: string): boolean;
     /**
      * Wait for an agent to appear in the registry (agents.json)
      */