bosun 0.33.3 → 0.33.4

package/agent-pool.mjs

@@ -239,8 +239,8 @@ async function withSanitizedOpenAiEnv(fn) {
  * provider settings via `config` and maps the API key via `env`.
  * Otherwise strips OPENAI_BASE_URL so the SDK uses its default auth.
  */
-function buildCodexSdkOptions() {
-  const { env: resolvedEnv } = resolveCodexProfileRuntime(process.env);
+function buildCodexSdkOptions(envInput = process.env) {
+  const { env: resolvedEnv } = resolveCodexProfileRuntime(envInput);
   const baseUrl = resolvedEnv.OPENAI_BASE_URL || "";
   const isAzure = baseUrl.includes(".openai.azure.com");
   const env = { ...resolvedEnv };
@@ -544,7 +544,13 @@ export function getAvailableSdks() {
  * @returns {Promise<{ success: boolean, output: string, items: Array, error: string|null, sdk: string }>}
  */
 async function launchCodexThread(prompt, cwd, timeoutMs, extra = {}) {
-  const { onEvent, abortController: externalAC, onThreadReady = null, taskKey: steerKey = null } = extra;
+  const {
+    onEvent,
+    abortController: externalAC,
+    onThreadReady = null,
+    taskKey: steerKey = null,
+    envOverrides = null,
+  } = extra;
 
   let reportedThreadId = null;
   const emitThreadReady = (threadId) => {
@@ -583,7 +589,16 @@ async function launchCodexThread(prompt, cwd, timeoutMs, extra = {}) {
 
   // Pass feature overrides via --config so sub-agent and memory features are
   // available even if ~/.codex/config.toml hasn't been patched yet.
-  const codexOpts = buildCodexSdkOptions();
+  const codexRuntimeEnv =
+    envOverrides && typeof envOverrides === "object"
+      ? { ...process.env, ...envOverrides }
+      : process.env;
+  const codexOpts = buildCodexSdkOptions(codexRuntimeEnv);
+  const modelOverride = String(extra?.model || "").trim();
+  if (modelOverride) {
+    codexOpts.env = { ...(codexOpts.env || {}), CODEX_MODEL: modelOverride };
+    codexOpts.config = { ...(codexOpts.config || {}), model: modelOverride };
+  }
   codexOpts.config = {
     ...(codexOpts.config || {}),
     features: {
@@ -1947,7 +1962,7 @@ function isPoisonedCodexResumeError(errorValue) {
  * @returns {Promise<{ success: boolean, output: string, items: Array, error: string|null, sdk: string, threadId: string|null }>}
  */
 async function resumeCodexThread(threadId, prompt, cwd, timeoutMs, extra = {}) {
-  const { onEvent, abortController: externalAC } = extra;
+  const { onEvent, abortController: externalAC, envOverrides = null } = extra;
 
   let CodexClass;
   try {
@@ -1965,7 +1980,17 @@ async function resumeCodexThread(threadId, prompt, cwd, timeoutMs, extra = {}) {
     };
   }
 
-  const codex = new CodexClass(buildCodexSdkOptions());
+  const codexRuntimeEnv =
+    envOverrides && typeof envOverrides === "object"
+      ? { ...process.env, ...envOverrides }
+      : process.env;
+  const codexOpts = buildCodexSdkOptions(codexRuntimeEnv);
+  const modelOverride = String(extra?.model || "").trim();
+  if (modelOverride) {
+    codexOpts.env = { ...(codexOpts.env || {}), CODEX_MODEL: modelOverride };
+    codexOpts.config = { ...(codexOpts.config || {}), model: modelOverride };
+  }
+  const codex = new CodexClass(codexOpts);
 
   let thread;
   try {

package/agent-work-analyzer.mjs

@@ -13,14 +13,12 @@
  */
 
 import { readFile, writeFile, appendFile, stat, watch, mkdir } from "fs/promises";
-import { createReadStream, existsSync, mkdirSync } from "fs";
+import { createReadStream, existsSync } from "fs";
 import { createInterface } from "readline";
 import { resolve, dirname } from "path";
-import { fileURLToPath } from "url";
+import { resolveRepoRoot } from "./repo-root.mjs";
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const repoRoot = resolve(__dirname, "../..");
+const repoRoot = resolveRepoRoot({ cwd: process.cwd() });
 
 // ── Configuration ───────────────────────────────────────────────────────────
 const AGENT_WORK_STREAM = resolve(
@@ -45,6 +43,13 @@ const TOOL_LOOP_WINDOW_MS = 60 * 1000; // 1 minute
 const STUCK_DETECTION_THRESHOLD_MS = Number(
   process.env.AGENT_STUCK_THRESHOLD_MS || String(5 * 60 * 1000),
 ); // 5 minutes
+const STUCK_SWEEP_INTERVAL_MS = Number(
+  process.env.AGENT_STUCK_SWEEP_INTERVAL_MS || "30000",
+); // 30 seconds
+const INITIAL_REPLAY_MAX_SESSION_AGE_MS = Number(
+  process.env.AGENT_INITIAL_REPLAY_MAX_SESSION_AGE_MS ||
+    String(Math.max(STUCK_DETECTION_THRESHOLD_MS * 3, 15 * 60 * 1000)),
+); // Trim stale sessions after startup replay
 
 const COST_ANOMALY_THRESHOLD_USD = Number(
   process.env.AGENT_COST_ANOMALY_THRESHOLD || "1.0",
@@ -63,6 +68,7 @@ const ALERT_COOLDOWN_MS = 5 * 60 * 1000; // 5 minutes between same alert
 
 let filePosition = 0;
 let isRunning = false;
+let stuckSweepTimer = null;
 
 /**
  * Start the analyzer loop
@@ -89,6 +95,7 @@ export async function startAnalyzer() {
   // Initial read of existing log
   if (existsSync(AGENT_WORK_STREAM)) {
     filePosition = await processLogFile(filePosition);
+    pruneStaleSessionsAfterReplay();
   } else {
     // Ensure the stream file exists so the watcher doesn't throw
     try {
@@ -98,6 +105,8 @@ export async function startAnalyzer() {
     }
   }
 
+  startStuckSweep();
+
   // Watch for changes — retry loop handles the case where the file
   // is deleted and recreated (e.g. log rotation).
   console.log(`[agent-work-analyzer] Watching: ${AGENT_WORK_STREAM}`);
@@ -130,6 +139,10 @@ export async function startAnalyzer() {
  */
 export function stopAnalyzer() {
   isRunning = false;
+  if (stuckSweepTimer) {
+    clearInterval(stuckSweepTimer);
+    stuckSweepTimer = null;
+  }
   console.log("[agent-work-analyzer] Stopped");
 }
 
@@ -182,7 +195,10 @@ async function processLogFile(startPosition) {
  * @param {Object} event - Parsed JSONL event
  */
 async function analyzeEvent(event) {
-  const { attempt_id, event_type, timestamp, data } = event;
+  const { attempt_id, event_type, timestamp } = event;
+  const parsedTs = Date.parse(timestamp);
+  const eventTime = Number.isFinite(parsedTs) ? parsedTs : Date.now();
+  const eventIso = new Date(eventTime).toISOString();
 
   // Initialize session state if needed
   if (!activeSessions.has(attempt_id)) {
@@ -190,15 +206,15 @@ async function analyzeEvent(event) {
       attempt_id,
       errors: [],
       toolCalls: [],
-      lastActivity: timestamp,
-      startedAt: timestamp,
+      lastActivity: eventIso,
+      startedAt: eventIso,
       taskId: event.task_id,
       executor: event.executor,
     });
   }
 
   const session = activeSessions.get(attempt_id);
-  session.lastActivity = timestamp;
+  session.lastActivity = eventIso;
 
   // Route to specific analyzers
   switch (event_type) {
@@ -217,8 +233,7 @@ async function analyzeEvent(event) {
       break;
   }
 
-  // Continuous checks
-  await checkStuckAgent(session, event);
+  // Stuck checks are timer-driven to avoid replay-triggered false positives.
 }
 
 // ── Pattern Analyzers ───────────────────────────────────────────────────────
@@ -376,9 +391,10 @@ async function analyzeSessionEnd(session, event) {
 /**
  * Check if agent appears stuck (no activity for X minutes)
  */
-async function checkStuckAgent(session, event) {
+async function checkStuckAgent(session, nowMs = Date.now()) {
   const lastActivityTime = new Date(session.lastActivity).getTime();
-  const timeSinceActivity = Date.now() - lastActivityTime;
+  if (!Number.isFinite(lastActivityTime)) return;
+  const timeSinceActivity = nowMs - lastActivityTime;
 
   if (timeSinceActivity > STUCK_DETECTION_THRESHOLD_MS) {
     await emitAlert({
@@ -394,6 +410,35 @@ async function checkStuckAgent(session, event) {
   }
 }
 
+function pruneStaleSessionsAfterReplay() {
+  const now = Date.now();
+  for (const [attemptId, session] of activeSessions.entries()) {
+    const lastActivityTime = new Date(session.lastActivity).getTime();
+    if (
+      !Number.isFinite(lastActivityTime) ||
+      now - lastActivityTime > INITIAL_REPLAY_MAX_SESSION_AGE_MS
+    ) {
+      activeSessions.delete(attemptId);
+    }
+  }
+}
+
+async function runStuckSweep() {
+  if (!isRunning) return;
+  const now = Date.now();
+  for (const session of activeSessions.values()) {
+    await checkStuckAgent(session, now);
+  }
+}
+
+function startStuckSweep() {
+  if (stuckSweepTimer) return;
+  stuckSweepTimer = setInterval(() => {
+    void runStuckSweep();
+  }, STUCK_SWEEP_INTERVAL_MS);
+  stuckSweepTimer.unref?.();
+}
+
 // ── Alert System ────────────────────────────────────────────────────────────
 
 /**

package/codex-config.mjs

@@ -24,7 +24,7 @@
  */
 
 import { existsSync, readFileSync, writeFileSync, mkdirSync, statSync } from "node:fs";
-import { resolve, dirname, parse } from "node:path";
+import { resolve, dirname, parse, isAbsolute } from "node:path";
 import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
 import { resolveCodexProfileRuntime } from "./codex-model-profiles.mjs";
@@ -145,7 +145,6 @@ const RECOMMENDED_FEATURES = {
   skill_mcp_dependency_install: { default: true, envVar: null,                           comment: "Auto-install MCP skill deps" },
 
   // Experimental (disabled by default unless explicitly enabled)
-  apps:                   { default: true, envVar: "CODEX_FEATURES_APPS",               comment: "ChatGPT Apps integration" },
 };
 
 const CRITICAL_ALWAYS_ON_FEATURES = new Set([
@@ -474,11 +473,12 @@ function parseTomlArrayLiteral(raw) {
     .split(",")
     .map((item) => item.trim())
     .filter(Boolean)
-    .map((item) => item.replace(/^"(.*)"$/, "$1"));
+    .map((item) => item.replace(/^"(.*)"$/, "$1"))
+    .map((item) => item.replace(/\\(["\\])/g, "$1"));
 }
 
 function formatTomlArray(values) {
-  return `[${values.map((value) => `"${String(value).replace(/"/g, '\\"')}"`).join(", ")}]`;
+  return `[${values.map((value) => `"${String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`).join(", ")}]`;
 }
 
 function normalizeWritableRoots(input, { repoRoot, additionalRoots, validateExistence = false } = {}) {
@@ -489,7 +489,7 @@ function normalizeWritableRoots(input, { repoRoot, additionalRoots, validateExis
     // Reject bare relative paths like ".git" — they resolve relative to CWD
     // at Codex launch time and cause "writable root does not exist" errors
     // (e.g. /home/user/.codex/.git). Only accept absolute paths.
-    if (!trimmed.startsWith("/")) return;
+    if (!isAbsolute(trimmed)) return;
     // When validateExistence is true, skip paths that don't exist on disk.
     // This prevents the sandbox from failing to start with phantom roots.
     if (validateExistence && !existsSync(trimmed)) return;
@@ -499,7 +499,7 @@ function normalizeWritableRoots(input, { repoRoot, additionalRoots, validateExis
   // present even if validateExistence is true — they're the intended CWD.
   const addPrimaryRoot = (value) => {
     const trimmed = String(value || "").trim();
-    if (!trimmed || !trimmed.startsWith("/")) return;
+    if (!trimmed || !isAbsolute(trimmed)) return;
     roots.add(trimmed);
   };
   if (Array.isArray(input)) {
@@ -516,7 +516,7 @@ function normalizeWritableRoots(input, { repoRoot, additionalRoots, validateExis
   const addRepoRootPaths = (repo) => {
     if (!repo) return;
     const r = String(repo).trim();
-    if (!r || !r.startsWith("/")) return;
+    if (!r || !isAbsolute(r)) return;
     // Repo root and parent are always added (they're primary working dirs)
     addPrimaryRoot(r);
     const gitDir = resolve(r, ".git");
@@ -598,13 +598,13 @@ export function ensureGitAncestor(dir) {
  * @returns {string[]} Merged writable roots
  */
 export function buildTaskWritableRoots({ worktreePath, repoRoot, existingRoots = [] } = {}) {
-  const roots = new Set(existingRoots.filter(r => r && r.startsWith("/") && existsSync(r)));
+  const roots = new Set(existingRoots.filter(r => r && isAbsolute(r) && existsSync(r)));
   const addIfExists = (p) => {
-    if (p && p.startsWith("/") && existsSync(p)) roots.add(p);
+    if (p && isAbsolute(p) && existsSync(p)) roots.add(p);
   };
   // Add path even if it doesn't exist yet (will be created by the task)
   const addRoot = (p) => {
-    if (p && p.startsWith("/")) roots.add(p);
+    if (p && isAbsolute(p)) roots.add(p);
   };
 
   if (worktreePath) {
@@ -634,6 +634,32 @@ export function hasSandboxWorkspaceWrite(toml) {
   return /^\[sandbox_workspace_write\]/m.test(toml);
 }
 
+export function buildSandboxWorkspaceWrite(options = {}) {
+  const {
+    writableRoots = [],
+    repoRoot,
+    additionalRoots,
+    networkAccess = true,
+    excludeTmpdirEnvVar = false,
+    excludeSlashTmp = false,
+  } = options;
+
+  const desiredRoots = normalizeWritableRoots(writableRoots, { repoRoot, additionalRoots, validateExistence: true });
+  if (desiredRoots.length === 0) {
+    return "";
+  }
+  return [
+    "",
+    "# ── Workspace-write sandbox defaults (added by bosun) ──",
+    "[sandbox_workspace_write]",
+    `network_access = ${networkAccess}`,
+    `exclude_tmpdir_env_var = ${excludeTmpdirEnvVar}`,
+    `exclude_slash_tmp = ${excludeSlashTmp}`,
+    `writable_roots = ${formatTomlArray(desiredRoots)}`,
+    "",
+  ].join("\n");
+}
+
 export function ensureSandboxWorkspaceWrite(toml, options = {}) {
   const {
     writableRoots = [],
@@ -1211,300 +1237,9 @@ export function ensureCodexConfig({
     profileProvidersAdded: [],
     timeoutsFixed: [],
     retriesAdded: [],
-    noChanges: false,
+    noChanges: true,
   };
 
-  let toml = readCodexConfig();
-
-  // If config.toml doesn't exist at all, create a minimal one
-  if (!toml) {
-    result.created = true;
-    toml = [
-      "# Codex CLI configuration",
-      "# Generated by bosun setup wizard",
-      "#",
-      "# See: codex --help or https://github.com/openai/codex for details.",
-      "",
-      "",
-    ].join("\n");
-  }
-
-  // ── 1. Vibe-Kanban MCP server ────────────────────────────
-  // When VK is not the active kanban backend, remove the MCP section
-  // so the Codex CLI doesn't try to spawn it.
-
-  if (skipVk) {
-    if (hasVibeKanbanMcp(toml)) {
-      toml = removeVibeKanbanMcp(toml);
-      result.vkRemoved = true;
-    }
-  } else if (!hasVibeKanbanMcp(toml)) {
-    toml += buildVibeKanbanBlock({ vkBaseUrl });
-    result.vkAdded = true;
-  } else {
-    // MCP section exists — ensure env vars are up to date
-    if (!hasVibeKanbanEnv(toml)) {
-      // Has the server but no env section — append env block
-      const envBlock = [
-        "",
-        "[mcp_servers.vibe_kanban.env]",
-        "# Ensure MCP always targets the correct VK API endpoint.",
-        `VK_BASE_URL = "${vkBaseUrl}"`,
-        `VK_ENDPOINT_URL = "${vkBaseUrl}"`,
-        "",
-      ].join("\n");
-
-      // Insert after [mcp_servers.vibe_kanban] section content, before next section
-      const vkHeader = "[mcp_servers.vibe_kanban]";
-      const vkIdx = toml.indexOf(vkHeader);
-      const afterVk = vkIdx + vkHeader.length;
-      const nextSectionAfterVk = toml.indexOf("\n[", afterVk);
-
-      if (nextSectionAfterVk === -1) {
-        toml += envBlock;
-      } else {
-        toml =
-          toml.substring(0, nextSectionAfterVk) +
-          "\n" +
-          envBlock +
-          toml.substring(nextSectionAfterVk);
-      }
-      result.vkEnvUpdated = true;
-    } else {
-      // Both server and env exist — ensure values match
-      const envVars = {
-        VK_BASE_URL: vkBaseUrl,
-        VK_ENDPOINT_URL: vkBaseUrl,
-      };
-      const before = toml;
-      toml = updateVibeKanbanEnv(toml, envVars);
-      if (toml !== before) {
-        result.vkEnvUpdated = true;
-      }
-    }
-  }
-
-  // ── 1b. Ensure agent SDK selection block ──────────────────
-
-  // Resolve which SDK should be primary:
-  //   1. Explicit primarySdk parameter
-  //   2. PRIMARY_AGENT env var (e.g. "copilot-sdk" → "copilot")
-  //   3. Default: "codex"
-  const resolvedPrimary = (() => {
-    if (primarySdk && ["codex", "copilot", "claude"].includes(primarySdk)) {
-      return primarySdk;
-    }
-    const envPrimary = (env.PRIMARY_AGENT || "").trim().toLowerCase().replace(/-sdk$/, "");
-    if (["codex", "copilot", "claude"].includes(envPrimary)) return envPrimary;
-    return "codex";
-  })();
-
-  if (!hasAgentSdkConfig(toml)) {
-    toml += buildAgentSdkBlock({ primary: resolvedPrimary });
-    result.agentSdkAdded = true;
-  }
-
-  // ── 1c. Ensure feature flags (sub-agents, memory, etc.) ──
-
-  {
-    const { toml: updated, added } = ensureFeatureFlags(toml, env);
-    if (added.length > 0) {
-      toml = updated;
-      result.featuresAdded = added;
-    }
-  }
-
-  // ── 1d. Ensure agent thread limits ──────────────────────
-
-  {
-    const desired = resolveAgentMaxThreads(env);
-    const ensured = ensureAgentMaxThreads(toml, {
-      maxThreads: desired.value,
-      overwrite: desired.explicit,
-    });
-    if (ensured.changed) {
-      toml = ensured.toml;
-      result.agentMaxThreads = {
-        from: ensured.existing,
-        to: ensured.applied,
-        explicit: desired.explicit,
-      };
-    } else if (ensured.skipped && desired.explicit) {
-      result.agentMaxThreadsSkipped = desired.raw;
-    }
-  }
-
-  // ── 1e. Ensure sandbox permissions ────────────────────────
-
-  {
-    const envPerms = env.CODEX_SANDBOX_PERMISSIONS || "";
-    const ensured = ensureTopLevelSandboxPermissions(toml, envPerms);
-    if (ensured.changed) {
-      toml = ensured.toml;
-      result.sandboxAdded = true;
-    }
-  }
-
-  // ── 1f. Ensure sandbox workspace-write defaults ───────────
-
-  {
-    // Determine primary repo root — prefer workspace agent root
-    const primaryRepoRoot = env.BOSUN_AGENT_REPO_ROOT || env.REPO_ROOT || "";
-    const additionalRoots = [];
-    // If agent repo root differs from REPO_ROOT, include both
-    if (env.BOSUN_AGENT_REPO_ROOT && env.REPO_ROOT &&
-        env.BOSUN_AGENT_REPO_ROOT !== env.REPO_ROOT) {
-      additionalRoots.push(env.REPO_ROOT);
-    }
-    // Enumerate ALL workspace repo paths so every repo's .git/.cache is writable
-    try {
-      // Inline workspace config read (sync) — avoids async import in sync function
-      const configDirGuess = env.BOSUN_DIR || resolve(homedir(), "bosun");
-      const bosunConfigPath = resolve(configDirGuess, "bosun.config.json");
-      if (existsSync(bosunConfigPath)) {
-        const bosunCfg = JSON.parse(readFileSync(bosunConfigPath, "utf8"));
-        const wsDir = resolve(configDirGuess, "workspaces");
-        const allWs = Array.isArray(bosunCfg.workspaces) ? bosunCfg.workspaces : [];
-        for (const ws of allWs) {
-          const wsPath = resolve(wsDir, ws.id || ws.name || "");
-          for (const repo of ws.repos || []) {
-            const repoPath = resolve(wsPath, repo.name);
-            if (repoPath && !additionalRoots.includes(repoPath) &&
-                repoPath !== primaryRepoRoot) {
-              additionalRoots.push(repoPath);
-            }
-          }
-        }
-      }
-    } catch { /* workspace config read failed — skip */ }
-    const ensured = ensureSandboxWorkspaceWrite(toml, {
-      writableRoots: env.CODEX_SANDBOX_WRITABLE_ROOTS || "",
-      repoRoot: primaryRepoRoot,
-      additionalRoots,
-    });
-    if (ensured.changed) {
-      toml = ensured.toml;
-      result.sandboxWorkspaceAdded = ensured.added;
-      result.sandboxWorkspaceUpdated = !ensured.added;
-      result.sandboxWorkspaceRootsAdded = ensured.rootsAdded || [];
-    }
-
-    // Prune any writable_roots that no longer exist on disk
-    const pruned = pruneStaleSandboxRoots(toml);
-    if (pruned.changed) {
-      toml = pruned.toml;
-      result.sandboxWorkspaceUpdated = true;
-      result.sandboxStaleRootsRemoved = pruned.removed;
-    }
-  }
-
-  // ── 1g. Ensure shell environment policy ───────────────────
-
-  if (!hasShellEnvPolicy(toml)) {
-    const policy = env.CODEX_SHELL_ENV_POLICY || "all";
-    toml += buildShellEnvPolicy(policy);
-    result.shellEnvAdded = true;
-  }
-
-  // ── 1f. Ensure common MCP servers ───────────────────────────
-
-  {
-    const missing = [];
-    if (!hasContext7Mcp(toml)) missing.push("context7");
-    if (!hasNamedMcpServer(toml, "sequential-thinking")) {
-      missing.push("sequential-thinking");
-    }
-    if (!hasNamedMcpServer(toml, "playwright")) missing.push("playwright");
-    if (!hasMicrosoftDocsMcp(toml)) missing.push("microsoft-docs");
-
-    if (missing.length > 0) {
-      if (missing.length >= 4) {
-        toml += buildCommonMcpBlocks();
-      } else {
-        if (missing.includes("context7")) {
-          toml += [
-            "",
-            "[mcp_servers.context7]",
-            'command = "npx"',
-            'args = ["-y", "@upstash/context7-mcp"]',
-            "",
-          ].join("\n");
-        }
-        if (missing.includes("sequential-thinking")) {
-          toml += [
-            "",
-            "[mcp_servers.sequential-thinking]",
-            'command = "npx"',
-            'args = ["-y", "@modelcontextprotocol/server-sequential-thinking"]',
-            "",
-          ].join("\n");
-        }
-        if (missing.includes("playwright")) {
-          toml += [
-            "",
-            "[mcp_servers.playwright]",
-            'command = "npx"',
-            'args = ["-y", "@playwright/mcp@latest"]',
-            "",
-          ].join("\n");
-        }
-        if (missing.includes("microsoft-docs")) {
-          toml += [
-            "",
-            "[mcp_servers.microsoft-docs]",
-            'url = "https://learn.microsoft.com/api/mcp"',
-            "",
-          ].join("\n");
-        }
-      }
-      result.commonMcpAdded = true;
-    }
-  }
-
-  // ── 2. Audit and fix stream timeouts ──────────────────────
-
-  {
-    const ensured = ensureModelProviderSectionsFromEnv(toml, env);
-    toml = ensured.toml;
-    result.profileProvidersAdded = ensured.added;
-  }
-
-  const timeouts = auditStreamTimeouts(toml);
-  for (const t of timeouts) {
-    if (t.needsUpdate) {
-      toml = setStreamTimeout(toml, t.provider, t.recommended);
-      result.timeoutsFixed.push({
-        provider: t.provider,
-        from: t.currentValue,
-        to: t.recommended,
-      });
-    }
-  }
-
-  // ── 3. Ensure retry settings ──────────────────────────────
-
-  for (const t of timeouts) {
-    const before = toml;
-    toml = ensureRetrySettings(toml, t.provider);
-    if (toml !== before) {
-      result.retriesAdded.push(t.provider);
-    }
-  }
-
-  // ── Check if anything changed ─────────────────────────────
-
-  const original = readCodexConfig();
-  if (toml === original && !result.created) {
-    result.noChanges = true;
-    return result;
-  }
-
-  // ── Write ─────────────────────────────────────────────────
-
-  if (!dryRun) {
-    writeCodexConfig(toml);
-  }
-
   return result;
 }
 

package/config-doctor.mjs

@@ -578,7 +578,7 @@ export function runConfigDoctor(options = {}) {
   }
 
   // ── Codex config.toml feature flag / sub-agent checks ──────────────────────
-  const codexConfigToml = join(homedir(), ".codex", "config.toml");
+  const codexConfigToml = join(repoRoot, ".codex", "config.toml");
   if (existsSync(codexConfigToml)) {
     const toml = readFileSync(codexConfigToml, "utf-8");
     if (!/^\[features\]/m.test(toml)) {
@@ -592,14 +592,14 @@ export function runConfigDoctor(options = {}) {
         issues.warnings.push({
           code: "CODEX_NO_CHILD_AGENTS",
           message: "child_agents_md not enabled — Codex cannot spawn sub-agents or discover CODEX.md.",
-          fix: 'Add child_agents_md = true under [features] in ~/.codex/config.toml',
+          fix: 'Add child_agents_md = true under [features] in .codex/config.toml',
         });
       }
       if (!/memory_tool\s*=\s*true/i.test(toml)) {
         issues.warnings.push({
           code: "CODEX_NO_MEMORY",
           message: "memory_tool not enabled — Codex has no persistent memory across sessions.",
-          fix: 'Add memory_tool = true under [features] in ~/.codex/config.toml',
+          fix: 'Add memory_tool = true under [features] in .codex/config.toml',
         });
       }
     }
@@ -613,13 +613,6 @@ export function runConfigDoctor(options = {}) {
         fix: "Run bosun --setup to auto-configure sandbox permissions",
       });
     }
-    if (!/^\[sandbox_workspace_write\]/m.test(toml)) {
-      issues.warnings.push({
-        code: "CODEX_NO_SANDBOX_WORKSPACE",
-        message: "No [sandbox_workspace_write] section in Codex config — workspace-write roots may be missing.",
-        fix: "Run bosun --setup to add workspace-write defaults (writable_roots, network_access).",
-      });
-    }
     if (
       isUserNamespaceDisabled() &&
       /use_linux_sandbox_bwrap\s*=\s*true/i.test(toml)
@@ -627,14 +620,14 @@ export function runConfigDoctor(options = {}) {
       issues.warnings.push({
         code: "CODEX_BWRAP_DISABLED",
         message: "Bubblewrap sandbox is enabled but unprivileged user namespaces appear disabled.",
-        fix: "Set CODEX_FEATURES_BWRAP=false and re-run bosun --setup (or edit ~/.codex/config.toml [features]).",
+        fix: "Set CODEX_FEATURES_BWRAP=false and re-run bosun --setup (or edit .codex/config.toml [features]).",
       });
     }
   } else {
     issues.warnings.push({
       code: "CODEX_CONFIG_MISSING",
-      message: "~/.codex/config.toml not found — Codex CLI may not be configured.",
-      fix: "Run bosun --setup or 'codex --setup' to create initial config",
+      message: "repo-level .codex/config.toml not found — Codex CLI may not be configured for this workspace.",
+      fix: "Run bosun --setup to create initial config",
     });
   }