bosun 0.41.7 → 0.41.9

package/server/ui-server.mjs

@@ -80,6 +80,7 @@ import {
   scaffoldAgentProfiles,
   getBosunHomeDir,
   syncAutoDiscoveredLibraryEntries,
+  resolveAgentProfileLibraryMetadata,
 } from "../infra/library-manager.mjs";
 import {
   listCatalog,
@@ -319,6 +320,17 @@ function unblockInternalTask(taskId, options = {}) {
   }
 }
 
+function resetExecutorTaskThrottleState(taskId, options = {}) {
+  const executor = uiDeps.getInternalExecutor?.() || null;
+  const fn = executor?.resetTaskThrottleState;
+  if (typeof fn !== "function") return false;
+  try {
+    return fn.call(executor, taskId, options) === true;
+  } catch {
+    return false;
+  }
+}
+
 const __dirname = resolve(fileURLToPath(new URL(".", import.meta.url)));
 const repoRoot = resolveRepoRoot();
 const uiRootPreferred = resolve(__dirname, "..", "ui");
@@ -729,10 +741,44 @@ function isVoiceAgentProfileEntry(entry, profile) {
 }
 
 function resolveAgentProfileType(entry, profile) {
-  const explicit = String(profile?.agentType || "").trim().toLowerCase();
-  if (explicit === "voice" || explicit === "task" || explicit === "chat") return explicit;
-  if (isVoiceAgentProfileEntry(entry, profile)) return "voice";
-  return "task";
+  return resolveAgentProfileLibraryMetadata(entry, profile).agentType;
+}
+
+function resolveAgentProfileLibraryView(entry, profile, storageScope) {
+  const metadata = resolveAgentProfileLibraryMetadata(entry, profile);
+  return {
+    ...entry,
+    storageScope,
+    ...metadata,
+  };
+}
+
+function listManualAgentProfiles(workspaceContext) {
+  const resolved = listLibraryEntriesAcrossRoots(workspaceContext, { type: "agent" });
+  const profiles = [];
+  for (const { entry, rootInfo } of resolved.entries) {
+    const profile = getEntryContent(rootInfo.rootDir, entry);
+    const metadata = resolveAgentProfileLibraryMetadata(entry, profile);
+    if (metadata.agentCategory !== "interactive" || metadata.showInChatDropdown !== true) continue;
+    const sectionLabel = metadata.interactiveLabel
+      || (metadata.interactiveMode ? metadata.interactiveMode.charAt(0).toUpperCase() + metadata.interactiveMode.slice(1) : "Manual");
+    profiles.push({
+      id: entry.id,
+      name: entry.name || entry.id,
+      description: entry.description || "",
+      storageScope: rootInfo.scope,
+      model: String(profile?.model || "").trim() || null,
+      sdk: String(profile?.sdk || "").trim() || null,
+      sectionLabel,
+      ...metadata,
+    });
+  }
+  profiles.sort((a, b) => {
+    const sectionCmp = String(a.sectionLabel || "").localeCompare(String(b.sectionLabel || ""));
+    if (sectionCmp !== 0) return sectionCmp;
+    return String(a.name || a.id).localeCompare(String(b.name || b.id));
+  });
+  return profiles;
 }
 
 function resolveVoiceLibraryRoot(callContext = {}) {
@@ -4072,6 +4118,13 @@ const workflowEngineListenerCleanup = new WeakMap();
 let workflowWsSeq = 0;
 let uiInstanceLockPath = "";
 let uiInstanceLockHeld = false;
+
+// ── Unified setup state (entrypoint integration) ────────────────────────────
+// When running via entrypoint.mjs, `_setupMode` starts true and flips to false
+// once the wizard completes.  In standalone ui-server mode, it's always false.
+let _setupMode = false;
+/** @type {(() => void)|null} */
+let _setupOnComplete = null;
 let _sessionTokenLastTouchedAt = 0;
 let _localRequestAddressCache = {
   loadedAt: 0,
@@ -4134,19 +4187,39 @@ async function resolveExecPrimaryPrompt() {
 
 /**
  * Resolve the bosun config directory. Falls back through:
- *   1. uiDeps.configDir (injected at server start)
- *   2. BOSUN_DIR env var
- *   3. ~/bosun (standard default)
+ *   1. uiDeps.configDir (explicitly injected at server start)
+ *   2. BOSUN_CONFIG_PATH parent directory
+ *   3. repo-local config when REPO_ROOT explicitly points at a managed repo
+ *   4. BOSUN_HOME/BOSUN_DIR/test sandbox/default home dir
  * Ensures the directory exists.
  */
 function resolveUiConfigDir() {
   const sandbox = ensureTestRuntimeSandbox();
+  if (uiDeps.configDir) {
+    const injectedDir = resolve(String(uiDeps.configDir));
+    try { mkdirSync(injectedDir, { recursive: true }); } catch { /* ok */ }
+    return injectedDir;
+  }
   if (process.env.BOSUN_CONFIG_PATH) {
     const fromConfigPath = dirname(resolve(process.env.BOSUN_CONFIG_PATH));
     try { mkdirSync(fromConfigPath, { recursive: true }); } catch { /* ok */ }
-    if (!uiDeps.configDir) uiDeps.configDir = fromConfigPath;
     return fromConfigPath;
   }
+  if (String(process.env.REPO_ROOT || "").trim()) {
+    const repoLocalConfigDirCandidates = [
+      resolve(repoRoot, ".bosun"),
+      repoRoot,
+    ];
+    for (const candidate of repoLocalConfigDirCandidates) {
+      try {
+        if (!existsSync(resolve(candidate, "bosun.config.json"))) continue;
+        mkdirSync(candidate, { recursive: true });
+        return candidate;
+      } catch {
+        // Fall through to the next candidate.
+      }
+    }
+  }
   const isWslInteropRuntime = Boolean(
     process.env.WSL_DISTRO_NAME
     || process.env.WSL_INTEROP
@@ -4176,8 +4249,6 @@ function resolveUiConfigDir() {
     || resolve(baseDir, "bosun");
   if (dir) {
     try { mkdirSync(dir, { recursive: true }); } catch { /* ok */ }
-    // Cache it so subsequent calls don't re-resolve
-    if (!uiDeps.configDir) uiDeps.configDir = dir;
   }
   return dir;
 }
@@ -8379,10 +8450,49 @@ function getExpectedDesktopApiKey() {
   return fromEnv;
 }
 
+/**
+ * Check whether the request carries a valid user-configured API key.
+ * Set via BOSUN_API_KEY env var — intended for external clients (Electron app
+ * connecting to a remote/Docker instance, CLI tools, third-party integrations).
+ * Unlike the desktop API key (auto-generated per install), this is a
+ * user-chosen secret that can be set in .env, docker-compose.yml, etc.
+ */
+function checkApiKey(req) {
+  const expected = String(process.env.BOSUN_API_KEY || "").trim();
+  if (!expected || expected.length < 8) return false;
+  const authHeader = req.headers.authorization || "";
+  // Accept as Bearer token
+  if (authHeader.startsWith("Bearer ")) {
+    const provided = authHeader.slice(7).trim();
+    if (!provided) return false;
+    try {
+      const a = Buffer.from(provided);
+      const b = Buffer.from(expected);
+      if (a.length !== b.length) return false;
+      return timingSafeEqual(a, b);
+    } catch { return false; }
+  }
+  // Accept as X-API-Key header
+  const apiKeyHeader = String(req.headers["x-api-key"] || "").trim();
+  if (apiKeyHeader) {
+    try {
+      const a = Buffer.from(apiKeyHeader);
+      const b = Buffer.from(expected);
+      if (a.length !== b.length) return false;
+      return timingSafeEqual(a, b);
+    } catch { return false; }
+  }
+  return false;
+}
+
 async function requireAuth(req) {
   if (isAllowUnsafe()) return { ok: true, source: "unsafe", issueSessionCookie: false };
+  // User-configured API key (BOSUN_API_KEY env) — external clients, Docker
+  // Issue a session cookie so the browser can authenticate WebSocket upgrades
+  // (the WS constructor doesn't support custom headers).
+  if (checkApiKey(req)) return { ok: true, source: "api-key", issueSessionCookie: true };
   // Desktop Electron API key — non-expiring, set via BOSUN_DESKTOP_API_KEY env
-  if (checkDesktopApiKey(req)) return { ok: true, source: "desktop-api-key", issueSessionCookie: false };
+  if (checkDesktopApiKey(req)) return { ok: true, source: "desktop-api-key", issueSessionCookie: true };
   // Session token (browser access)
   if (checkSessionToken(req)) return { ok: true, source: "session", issueSessionCookie: false };
   // Telegram initData HMAC
@@ -8406,6 +8516,19 @@ async function requireAuth(req) {
 
 function resolveWsAuthSource(req, url) {
   if (isAllowUnsafe()) return "unsafe";
+  // User-configured API key (BOSUN_API_KEY) — check Bearer header and query param
+  if (checkApiKey(req)) return "api-key";
+  const qApiKey = url.searchParams.get("apiKey") || "";
+  if (qApiKey) {
+    const expected = String(process.env.BOSUN_API_KEY || "").trim();
+    if (expected && expected.length >= 8) {
+      try {
+        const a = Buffer.from(qApiKey);
+        const b = Buffer.from(expected);
+        if (a.length === b.length && timingSafeEqual(a, b)) return "api-key";
+      } catch { /* ignore */ }
+    }
+  }
   // Desktop Electron API key (query param: desktopKey=...)
   const desktopKey = getExpectedDesktopApiKey();
   if (desktopKey) {
@@ -12898,7 +13021,14 @@ async function handleApi(req, res, url) {
         : undefined;
       const metadataPatch = buildTaskMetadataPatch(body || {});
       const requestedStatus = normalizeTaskStatusKey(body?.status);
-      const clearsBlockedState = requestedStatus === "todo";
+      const currentLooksBlocked =
+        normalizeTaskStatusKey(previousTask?.status) === "blocked" ||
+        Boolean(previousTask?.blockedReason) ||
+        Boolean(previousTask?.cooldownUntil) ||
+        Boolean(previousTask?.meta?.autoRecovery) ||
+        Boolean(previousTask?.meta?.worktreeFailure?.blockedReason);
+      const clearsBlockedState =
+        currentLooksBlocked && Boolean(requestedStatus) && requestedStatus !== "blocked";
       const nextMeta = (Object.keys(metadataPatch.meta).length > 0 || clearsBlockedState)
         ? buildTaskMetaPatch(previousTask?.meta, metadataPatch.meta, { clearBlockedState: clearsBlockedState })
         : null;
@@ -12932,6 +13062,9 @@ async function handleApi(req, res, url) {
           ? await adapter.updateTask(taskId, patch)
           : await adapter.updateTaskStatus(taskId, patch.status);
       const updated = withTaskMetadataTopLevel(updatedRaw);
+      if (clearsBlockedState) {
+        resetExecutorTaskThrottleState(taskId);
+      }
       const nextStatus = updated?.status || patch.status || null;
       const lifecycleAction = inferLifecycleAction(
         previousTask?.status || null,
@@ -13039,7 +13172,14 @@ async function handleApi(req, res, url) {
         : undefined;
       const metadataPatch = buildTaskMetadataPatch(body || {});
       const requestedStatus = normalizeTaskStatusKey(body?.status);
-      const clearsBlockedState = requestedStatus === "todo";
+      const currentLooksBlocked =
+        normalizeTaskStatusKey(previousTask?.status) === "blocked" ||
+        Boolean(previousTask?.blockedReason) ||
+        Boolean(previousTask?.cooldownUntil) ||
+        Boolean(previousTask?.meta?.autoRecovery) ||
+        Boolean(previousTask?.meta?.worktreeFailure?.blockedReason);
+      const clearsBlockedState =
+        currentLooksBlocked && Boolean(requestedStatus) && requestedStatus !== "blocked";
       const nextMeta = (Object.keys(metadataPatch.meta).length > 0 || clearsBlockedState)
         ? buildTaskMetaPatch(previousTask?.meta, metadataPatch.meta, { clearBlockedState: clearsBlockedState })
         : null;
@@ -13073,6 +13213,9 @@ async function handleApi(req, res, url) {
           ? await adapter.updateTask(taskId, patch)
           : await adapter.updateTaskStatus(taskId, patch.status);
       const updated = withTaskMetadataTopLevel(updatedRaw);
+      if (clearsBlockedState) {
+        resetExecutorTaskThrottleState(taskId);
+      }
       const nextStatus = updated?.status || patch.status || null;
       const lifecycleAction = inferLifecycleAction(
         previousTask?.status || null,
@@ -13491,16 +13634,14 @@ async function handleApi(req, res, url) {
         search: search || undefined,
       });
       let data = resolved.entries.map(({ entry, rootInfo }) => {
-        const base = {
-          ...entry,
-          storageScope: rootInfo.scope,
-        };
-        if (entry?.type !== "agent") return base;
+        if (entry?.type !== "agent") {
+          return {
+            ...entry,
+            storageScope: rootInfo.scope,
+          };
+        }
         const profile = getEntryContent(rootInfo.rootDir, entry);
-        return {
-          ...base,
-          agentType: resolveAgentProfileType(entry, profile),
-        };
+        return resolveAgentProfileLibraryView(entry, profile, rootInfo.scope);
       });
       if (type === "agent" && (agentTypeRaw === "voice" || agentTypeRaw === "task" || agentTypeRaw === "chat")) {
         data = data.filter((entry) => {
@@ -16836,6 +16977,7 @@ async function handleApi(req, res, url) {
         status: "todo",
         source: "manual-retry",
       });
+      resetExecutorTaskThrottleState(taskId);
       if (!nextTask) {
         if (typeof adapter.updateTask === "function") {
           await adapter.updateTask(taskId, {
@@ -16900,6 +17042,7 @@ async function handleApi(req, res, url) {
         status: targetStatus,
         source: "api.tasks.unblock",
       });
+      resetExecutorTaskThrottleState(taskId);
       if (!updatedTask) {
         const nextMeta = task?.meta && typeof task.meta === "object"
           ? Object.fromEntries(Object.entries(task.meta).filter(([key]) => key !== "autoRecovery"))
@@ -17079,10 +17222,13 @@ async function handleApi(req, res, url) {
 
   if (path === "/api/agents/available" && req.method === "GET") {
     try {
+      const workspaceContext = resolveWorkspaceContextFromRequest(url, { allowAll: false })
+        || { workspaceDir: repoRoot, workspaceRoot: repoRoot };
       const agents = getAvailableAgents();
       const active = getPrimaryAgentSelection();
       const mode = getAgentMode();
-      jsonResponse(res, 200, { ok: true, agents, active, mode });
+      const manualAgents = listManualAgentProfiles(workspaceContext);
+      jsonResponse(res, 200, { ok: true, agents, active, mode, manualAgents });
     } catch (err) {
       jsonResponse(res, 500, { ok: false, error: err.message });
     }
@@ -19255,6 +19401,21 @@ export async function startTelegramUiServer(options = {}) {
   const taskStoreModule = await ensureTaskStoreApi();
   const sandbox = ensureTestRuntimeSandbox();
 
+  // ── Setup mode integration (entrypoint.mjs) ───────────────────────────
+  if (options.setupMode) {
+    _setupMode = true;
+    _setupOnComplete = () => {
+      _setupMode = false;
+      console.log("[telegram-ui] setup complete — portal mode active");
+      // Notify entrypoint to start monitor
+      try {
+        import("../entrypoint.mjs").then((m) => {
+          if (typeof m.markSetupComplete === "function") m.markSetupComplete();
+        }).catch(() => {});
+      } catch { /* not running via entrypoint */ }
+    };
+  }
+
   const rawPort = options.port ?? getDefaultPort();
   const configuredPort = Number(rawPort);
   const isTestRun =
@@ -19427,6 +19588,18 @@ export async function startTelegramUiServer(options = {}) {
       return;
     }
 
+    // Docker / load-balancer health check — no auth required
+    if (url.pathname === "/healthz") {
+      try {
+        const { getHealthStatus } = await import("../infra/health-status.mjs");
+        jsonResponse(res, 200, getHealthStatus());
+      } catch {
+        // Fallback if health module unavailable
+        jsonResponse(res, 200, { status: "ok", server: "bosun" });
+      }
+      return;
+    }
+
     // GitHub OAuth callback — public (no session auth required)
     // Accept both /github/callback (registered in GitHub App settings) and
     // /api/github/callback (documented API path) so either works.
@@ -19445,6 +19618,16 @@ export async function startTelegramUiServer(options = {}) {
       return;
     }
 
+    // Setup wizard API routes — handled before the general /api/ catch-all
+    // so the setup wizard works whether running standalone or unified with portal.
+    if (url.pathname.startsWith("/api/setup/")) {
+      const { handleSetupApi } = await import("./setup-web-server.mjs");
+      const handled = await handleSetupApi(req, res, url, {
+        onComplete: _setupOnComplete || undefined,
+      });
+      if (handled) return;
+    }
+
     if (url.pathname.startsWith("/api/")) {
       await handleApi(req, res, url);
       return;
@@ -19463,6 +19646,15 @@ export async function startTelegramUiServer(options = {}) {
       return;
     }
 
+    // ── Setup wizard page ──────────────────────────────────────────────────
+    // When in setup mode, redirect / → /setup so the user lands on the wizard.
+    // When setup is complete, /setup still works for re-configuration access.
+    if (_setupMode && url.pathname === "/") {
+      res.writeHead(302, { Location: "/setup" });
+      res.end();
+      return;
+    }
+
     // /demo and /ui/demo are convenience aliases for /demo.html (the self-contained mock UI demo)
     if (url.pathname === "/demo" || url.pathname === "/ui/demo") {
       const qs = url.search || "";
@@ -20111,6 +20303,9 @@ export function stopTelegramUiServer() {
   if (!uiServer) return;
   stopTunnel();
   stopWsHeartbeat();
+  // Clear injected configDir so it does not leak between server lifecycles
+  // (tests start/stop servers repeatedly with different config directories).
+  delete uiDeps.configDir;
   for (const socket of wsClients) {
     try {
       stopLogStream(socket);

package/shell/claude-shell.mjs

@@ -437,9 +437,22 @@ async function saveState() {
 }
 
 function extractTaskHeading(msg) {
-  // Prompt first line is "# TASKID — Task Title" (from _buildTaskPrompt).
+  // Prompt first line is "# Task: Task Title" (or legacy "# TASKID — Task Title").
   // Return just the task title portion, or a short fallback.
   const firstLine = msg.split(/\r?\n/)[0].replace(/^#+\s*/, '').trim();
+  if (!firstLine) return 'Execute Task';
+  const lowerLine = firstLine.toLowerCase();
+  if (lowerLine.startsWith('task')) {
+    let index = 4;
+    while (index < firstLine.length && /\s/.test(firstLine[index])) index += 1;
+    const separator = firstLine[index];
+    if (separator === ':' || separator === '-' || separator === '\u2014') {
+      index += 1;
+      while (index < firstLine.length && /\s/.test(firstLine[index])) index += 1;
+      const heading = firstLine.slice(index).trim();
+      if (heading) return heading;
+    }
+  }
   const dashIdx = firstLine.indexOf(' \u2014 ');
   const heading = dashIdx !== -1 ? firstLine.slice(dashIdx + 3).trim() : firstLine;
   return heading || 'Execute Task';

package/shell/codex-model-profiles.mjs

@@ -9,6 +9,33 @@ function clean(value) {
   return String(value ?? "").trim();
 }
 
+function isAzureOpenAIBaseUrl(value) {
+  try {
+    const parsed = value instanceof URL ? value : new URL(String(value || ""));
+    const host = String(parsed.hostname || "").toLowerCase();
+    return host === "openai.azure.com" || host.endsWith(".openai.azure.com");
+  } catch {
+    return false;
+  }
+}
+
+function normalizeAzureOpenAIBaseUrl(value) {
+  const raw = clean(value);
+  if (!raw) return "";
+  try {
+    const parsed = new URL(raw);
+    if (!isAzureOpenAIBaseUrl(parsed)) {
+      return raw;
+    }
+    parsed.pathname = "/openai/v1";
+    parsed.search = "";
+    parsed.hash = "";
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    return raw;
+  }
+}
+
 function normalizeProfileName(value, fallback = DEFAULT_ACTIVE_PROFILE) {
   const raw = clean(value).toLowerCase();
   if (!raw) return fallback;
@@ -19,20 +46,6 @@ function profilePrefix(name) {
   return `CODEX_MODEL_PROFILE_${name.toUpperCase()}_`;
 }
 
-function inferGlobalProvider(env) {
-  const baseUrl = clean(env.OPENAI_BASE_URL).toLowerCase();
-  if ((() => {
-        try {
-          const parsed = new URL(baseUrl);
-          const host = String(parsed.hostname || "").toLowerCase();
-          return host === "openai.azure.com" || host.endsWith(".openai.azure.com");
-        } catch {
-          return false;
-        }
-      })()) return "azure";
-  return "openai";
-}
-
 function normalizeProvider(value, fallback) {
   const raw = clean(value).toLowerCase();
   if (!raw) return fallback;
@@ -48,6 +61,17 @@ function normalizeProvider(value, fallback) {
   return fallback;
 }
 
+function hasEnvValue(env, key) {
+  return Boolean(key && clean(env?.[key]));
+}
+
+function inferProviderKindFromSection(name, section, fallback = "openai") {
+  if (isAzureOpenAIBaseUrl(section?.baseUrl)) return "azure";
+  const normalized = normalizeProvider(name, "");
+  if (normalized) return normalized;
+  return fallback;
+}
+
 function readProfileField(env, profileName, field) {
   return clean(env[`${profilePrefix(profileName)}${field}`]);
 }
@@ -75,17 +99,99 @@ function profileRecord(env, profileName, globalProvider) {
   };
 }
 
-function readCodexConfigTopLevelModel() {
+function readCodexConfigRuntimeDefaults() {
   try {
     const configPath = resolve(homedir(), ".codex", "config.toml");
-    if (!existsSync(configPath)) return "";
+    if (!existsSync(configPath)) {
+      return { model: "", modelProvider: "", providers: {} };
+    }
     const content = readFileSync(configPath, "utf8");
     const head = content.split(/\n\[/)[0] || "";
-    const match = head.match(/^\s*model\s*=\s*"([^"]+)"/m);
-    return match ? match[1].trim() : "";
+    const modelMatch = head.match(/^\s*model\s*=\s*"([^"]+)"/m);
+    const modelProviderMatch = head.match(/^\s*model_provider\s*=\s*"([^"]+)"/m);
+    const providers = {};
+    const providerSectionRegex = /^\[model_providers\.([^\]]+)\]\s*([\s\S]*?)(?=^\[[^\]]+\]|\Z)/gm;
+    for (const match of content.matchAll(providerSectionRegex)) {
+      const [, rawName = "", body = ""] = match;
+      const name = clean(rawName);
+      if (!name) continue;
+      const baseUrlMatch = body.match(/^\s*base_url\s*=\s*"([^"]+)"/m);
+      const envKeyMatch = body.match(/^\s*env_key\s*=\s*"([^"]+)"/m);
+      providers[name] = {
+        name,
+        baseUrl: clean(baseUrlMatch?.[1]),
+        envKey: clean(envKeyMatch?.[1]),
+      };
+    }
+    return {
+      model: clean(modelMatch?.[1]),
+      modelProvider: clean(modelProviderMatch?.[1]),
+      providers,
+    };
   } catch {
-    return "";
+    return { model: "", modelProvider: "", providers: {} };
+  }
+}
+
+function readCodexConfigTopLevelModel() {
+  return readCodexConfigRuntimeDefaults().model;
+}
+
+function selectConfigProviderForRuntime(configDefaults, env, preferredProvider = "") {
+  const providers = configDefaults?.providers || {};
+  const preferred = clean(preferredProvider).toLowerCase();
+  const entries = Object.values(providers).map((section) => ({
+    ...section,
+    provider: inferProviderKindFromSection(section.name, section, preferred || "openai"),
+  }));
+  const matchingEntries = preferred
+    ? entries.filter((section) => section.provider === preferred)
+    : entries;
+  const envBackedEntries = matchingEntries.filter(
+    (section) => !section.envKey || hasEnvValue(env, section.envKey),
+  );
+  const preferredNames = preferred === "azure"
+    ? ["azure"]
+    : preferred === "openai"
+      ? ["openai"]
+      : [];
+  const findNamed = (sections) => preferredNames
+    .map((name) => sections.find((section) => section.name === name))
+    .find(Boolean);
+
+  const configuredName = clean(configDefaults?.modelProvider);
+  if (configuredName) {
+    const configuredSection = providers[configuredName];
+    if (configuredSection) {
+      const configured = {
+        ...configuredSection,
+        provider: inferProviderKindFromSection(
+          configuredSection.name,
+          configuredSection,
+          preferred || "openai",
+        ),
+      };
+      const preferredMatches = !preferred || configured.provider === preferred;
+      if (preferredMatches && (!configured.envKey || hasEnvValue(env, configured.envKey))) {
+        return configured;
+      }
+    }
   }
+
+  return (
+    findNamed(envBackedEntries) ||
+    envBackedEntries[0] ||
+    findNamed(matchingEntries) ||
+    matchingEntries[0] ||
+    null
+  );
+}
+
+function inferGlobalProvider(env, configDefaults = null) {
+  const baseUrl = clean(env.OPENAI_BASE_URL).toLowerCase();
+  if (isAzureOpenAIBaseUrl(baseUrl)) return "azure";
+  const configured = selectConfigProviderForRuntime(configDefaults, env);
+  return configured?.provider || "openai";
 }
 
 /**
@@ -96,6 +202,7 @@ function readCodexConfigTopLevelModel() {
  */
 export function resolveCodexProfileRuntime(envInput = process.env) {
   const sourceEnv = { ...envInput };
+  const configDefaults = readCodexConfigRuntimeDefaults();
   const activeProfile = normalizeProfileName(
     sourceEnv.CODEX_MODEL_PROFILE,
     DEFAULT_ACTIVE_PROFILE,
@@ -105,7 +212,7 @@ export function resolveCodexProfileRuntime(envInput = process.env) {
     DEFAULT_SUBAGENT_PROFILE,
   );
 
-  const globalProvider = inferGlobalProvider(sourceEnv);
+  const globalProvider = inferGlobalProvider(sourceEnv, configDefaults);
   const active = profileRecord(sourceEnv, activeProfile, globalProvider);
   const sub = profileRecord(sourceEnv, subagentProfile, globalProvider);
 
@@ -116,24 +223,54 @@ export function resolveCodexProfileRuntime(envInput = process.env) {
   if (active.model) {
     env.CODEX_MODEL = active.model;
   }
-  if (active.baseUrl) {
-    env.OPENAI_BASE_URL = active.baseUrl;
-  }
 
   const profileApiKey = active.apiKey;
   const resolvedProvider = active.provider || globalProvider;
+  const configProvider = selectConfigProviderForRuntime(
+    configDefaults,
+    sourceEnv,
+    resolvedProvider,
+  );
+  const runtimeBaseUrl =
+    clean(active.baseUrl) ||
+    clean(env.OPENAI_BASE_URL) ||
+    clean(configProvider?.baseUrl);
+  if (runtimeBaseUrl) {
+    const normalizedBaseUrl =
+      resolvedProvider === "azure"
+        ? normalizeAzureOpenAIBaseUrl(runtimeBaseUrl)
+        : runtimeBaseUrl;
+    env.OPENAI_BASE_URL = normalizedBaseUrl;
+    active.baseUrl = normalizedBaseUrl;
+  }
+
+  if (!profileApiKey && configProvider?.envKey && hasEnvValue(sourceEnv, configProvider.envKey)) {
+    const configuredApiKey = clean(sourceEnv[configProvider.envKey]);
+    if (resolvedProvider === "azure") {
+      env.AZURE_OPENAI_API_KEY = configuredApiKey;
+      if (!env.OPENAI_API_KEY) {
+        env.OPENAI_API_KEY = configuredApiKey;
+      }
+    } else {
+      env.OPENAI_API_KEY = configuredApiKey;
+    }
+  }
 
   // Azure deployments often differ from default model names.
   // If the env is using Azure and the model is still the default,
   // prefer the top-level ~/.codex/config.toml model when present.
-  const activeModelExplicit =
-    Boolean(readProfileField(sourceEnv, activeProfile, "MODEL")) ||
-    Boolean(clean(sourceEnv.CODEX_MODEL));
-  if (
+  const activeProfileModelExplicit = Boolean(
+    readProfileField(sourceEnv, activeProfile, "MODEL"),
+  );
+  const runtimeModelExplicit = Boolean(clean(sourceEnv.CODEX_MODEL));
+  const activeModelValue = clean(env.CODEX_MODEL);
+  const shouldPreferAzureConfigModel =
     resolvedProvider === "azure" &&
     configModel &&
-    (!activeModelExplicit || clean(env.CODEX_MODEL) === "gpt-5.3-codex")
-  ) {
+    !activeProfileModelExplicit &&
+    !runtimeModelExplicit &&
+    !activeModelValue;
+  if (shouldPreferAzureConfigModel) {
     env.CODEX_MODEL = configModel;
     active.model = configModel;
   }