kojee-mcp 0.5.0 → 0.5.3

package/dist/{chunk-LCFCCWMM.js → chunk-YEC7IHIG.js}

@@ -1,17 +1,21 @@
 import {
-  MCP_SESSION_ID,
-  createDPoPProof,
-  startEventStream
-} from "./chunk-QB22PD6T.js";
+  deriveDiscoveryKey,
+  findClaudeAncestorPid
+} from "./chunk-BJMASMKX.js";
 import {
   buildCatchUpNote,
   buildMonitorSpawn,
   buildReplyRecipe
-} from "./chunk-E26AHU6J.js";
+} from "./chunk-C6GZ2L2W.js";
 import {
-  deriveDiscoveryKey,
-  findClaudeAncestorPid
-} from "./chunk-BJMASMKX.js";
+  MCP_SESSION_ID,
+  createDPoPProof,
+  startEventStream
+} from "./chunk-WBMX4CHB.js";
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
 
 // src/index.ts
 import fs3 from "fs";
@@ -47,9 +51,8 @@ async function loadKeystore(keystorePath = DEFAULT_PATH, expectedBrokerUrl) {
 }
 async function saveKeystore(privateKey, publicJwk, kid, brokerUrl, keystorePath = DEFAULT_PATH) {
   const dir = path.dirname(keystorePath);
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true, mode: 448 });
-  }
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  secureDir(dir);
   const privateJwk = await exportJWK(privateKey);
   const data = {
     private_key_jwk: privateJwk,
@@ -61,6 +64,7 @@ async function saveKeystore(privateKey, publicJwk, kid, brokerUrl, keystorePath
   fs.writeFileSync(keystorePath, JSON.stringify(data, null, 2), {
     mode: 384
   });
+  secureFile(keystorePath);
 }
 async function generateES256KeyPair() {
   const { privateKey, publicKey } = await generateKeyPair("ES256");
@@ -230,7 +234,7 @@ function formatDenied(governance) {
     isError: true
   };
 }
-function translateHttpError(status, errorCode, _trigger) {
+function translateHttpError(status, errorCode, trigger) {
   if (status === 401) {
     if (errorCode === "use_dpop_nonce") {
       return null;
@@ -248,8 +252,9 @@ function translateHttpError(status, errorCode, _trigger) {
     );
   }
   if (status === 403 && errorCode === "step_up_required") {
+    const reason = trigger ? ` (reason: ${trigger})` : "";
     return makeError(
-      "Device re-authorization required. The user has been notified but has not yet approved. Try again later."
+      `Device re-authorization required${reason}. This action can't proceed until the user re-authorizes this device in the Kojee dashboard.`
     );
   }
   if (status === 429) {
@@ -366,8 +371,6 @@ function makeError(text) {
 }
 
 // src/gateway-client.ts
-var STEP_UP_POLL_INTERVAL_MS = 5e3;
-var STEP_UP_MAX_TIMEOUT_MS = 3e5;
 var GatewayClient = class {
   constructor(brokerUrl, token, privateKey, kid, sessionId) {
     this.brokerUrl = brokerUrl;
@@ -407,8 +410,10 @@ var GatewayClient = class {
     return hash.slice(0, 16);
   }
   /**
-   * Send a JSON-RPC 2.0 request to the gateway, handling DPoP auth,
-   * nonce retry, and step-up retry transparently.
+   * Send a JSON-RPC 2.0 request to the gateway, handling DPoP auth and
+   * nonce retry transparently. A 403 `step_up_required` (deprecated feature,
+   * owner ruling 2026-06-10) is no longer polled — it surfaces immediately as
+   * a structured tool error via translateHttpError.
    *
    * `signal` (ROUND-3 MAJOR A) is a REAL AbortSignal threaded into the
    * underlying `fetch` option — NOT placed inside `params`/`arguments`. A
@@ -451,9 +456,6 @@ var GatewayClient = class {
     }
     if (response.status === 403) {
       const body = await this.tryParseErrorBody(response);
-      if (body?.error === "step_up_required") {
-        return this.handleStepUp(rpcRequest, body.trigger, signal);
-      }
       const translated = translateHttpError(403, body?.error, body?.trigger);
       if (translated) return translated;
     }
@@ -497,53 +499,6 @@ var GatewayClient = class {
       ...signal ? { signal } : {}
     });
   }
-  /**
-   * Handle step-up retry: poll with backoff until user approves
-   * or timeout is reached.
-   */
-  async handleStepUp(rpcRequest, trigger, signal) {
-    console.error(
-      `[gateway] Device re-authorization required (${trigger ?? "unknown"}). Waiting for user approval...`
-    );
-    const deadline = Date.now() + STEP_UP_MAX_TIMEOUT_MS;
-    while (Date.now() < deadline) {
-      await sleep(STEP_UP_POLL_INTERVAL_MS);
-      let response;
-      try {
-        response = await this.sendHttpRequest(rpcRequest, signal);
-      } catch {
-        continue;
-      }
-      this.trackNonce(response);
-      if (response.status === 403) {
-        const body2 = await this.tryParseErrorBody(response);
-        if (body2?.error === "step_up_required") {
-          console.error("[gateway] Still waiting for step-up approval...");
-          continue;
-        }
-      }
-      if (response.ok) {
-        const rpcResponse = await response.json();
-        if (rpcResponse.error) {
-          return translateJsonRpcError(rpcResponse.error);
-        }
-        const result = rpcResponse.result;
-        return result ?? { content: [{ type: "text", text: "No result" }] };
-      }
-      const body = await this.tryParseErrorBody(response);
-      const translated = translateHttpError(response.status, body?.error);
-      if (translated) return translated;
-    }
-    return {
-      content: [
-        {
-          type: "text",
-          text: "Device re-authorization was not approved within 5 minutes. Try again later."
-        }
-      ],
-      isError: true
-    };
-  }
   trackNonce(response) {
     const nonce = response.headers.get("DPoP-Nonce");
     if (nonce) {
@@ -558,9 +513,6 @@ var GatewayClient = class {
     }
   }
 };
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
 
 // src/tool-registry.ts
 var ToolRegistry = class {
@@ -711,27 +663,32 @@ async function startMcpServer(server) {
 import psList from "ps-list";
 async function detectRuntime(env = process.env) {
   if (env["KOJEE_RUNTIME"] === "claude-code") return "claude-code";
+  if (env["KOJEE_RUNTIME"] === "codex") return "codex";
   if (env["CLAUDE_CODE_SESSION_ID"]) return "claude-code";
-  if (await parentProcessLooksLikeClaude()) return "claude-code";
+  const ancestor = await detectRuntimeFromAncestry();
+  if (ancestor) return ancestor;
   return "unknown";
 }
-async function parentProcessLooksLikeClaude() {
+async function detectRuntimeFromAncestry() {
   try {
     const processes = await psList();
     const byPid = new Map(processes.map((p) => [p.pid, p]));
     let pid = process.ppid;
     for (let depth = 0; depth < 5 && pid && pid > 1; depth++) {
       const row = byPid.get(pid);
-      if (!row) return false;
+      if (!row) return null;
       const haystack = `${row.name} ${row.cmd ?? ""}`;
       if (/(^|\/|\\)claude(\.app|\.exe)?(\/|$|\s|\\)/i.test(haystack) || /Claude Helper/i.test(haystack)) {
-        return true;
+        return "claude-code";
+      }
+      if (/(^|\/|\\)codex(\.exe)?(\/|$|\s|\\)/i.test(haystack)) {
+        return "codex";
       }
       pid = row.ppid;
     }
   } catch {
   }
-  return false;
+  return null;
 }
 
 // src/adapters/claude-code.ts
@@ -770,6 +727,18 @@ var claudeCodeAdapter = {
   }
 };
 
+// src/adapters/codex.ts
+var codexAdapter = {
+  runtime: "codex",
+  supportsChannels: false,
+  // Codex has NO Claude-style channel injection
+  formatTandemEvent() {
+    throw new Error(
+      "codexAdapter.formatTandemEvent() is unreachable \u2014 Codex has no channel injection; server.ts gates this on supportsChannels. Codex receives events via the webhook sink + a model-chosen bounded tandem_listen."
+    );
+  }
+};
+
 // src/adapters/unknown.ts
 var unknownAdapter = {
   runtime: "unknown",
@@ -792,6 +761,7 @@ function isDPoPEnrollmentError(err) {
 async function selectAdapter() {
   const runtime = await detectRuntime();
   if (runtime === "claude-code") return claudeCodeAdapter;
+  if (runtime === "codex") return codexAdapter;
   return unknownAdapter;
 }
 async function listTandemIds(gateway) {
@@ -812,6 +782,9 @@ async function listTandemIds(gateway) {
     return null;
   }
 }
+function needsWebhookEventStream() {
+  return (process.env["KOJEE_WEBHOOK_URL"] ?? "").trim().length > 0;
+}
 async function startProxy(config) {
   const keystorePath = config.keystorePath || DEFAULT_KEYSTORE_PATH;
   const adapter = await selectAdapter();
@@ -836,15 +809,35 @@ async function startProxy(config) {
       writeDiscoveryByKey,
       cleanupDiscoveryByKey,
       sweepStaleDiscovery
-    } = await import("./session-discovery-QE5TTAPS.js");
-    const { startEventLog, sweepStaleEventLogs } = await import("./event-log-R6VW6GAF.js");
+    } = await import("./session-discovery-FNMJGFPM.js");
+    const { startEventLog, sweepStaleEventLogs } = await import("./event-log-RSTM4PLL.js");
     const { resubscribeMemberships } = await import("./resubscribe-SLZNA76S.js");
+    const { resolveWebhookConfig } = await import("./webhook-config-5TLLX7RA.js");
+    const { createWebhookSink } = await import("./webhook-sink-7OYZBWXA.js");
     sweepStaleDiscovery();
     sweepStaleEventLogs();
     const ccPid = await findClaudeAncestorPid();
     const projectDir = process.env["CLAUDE_PROJECT_DIR"];
     const discoveryKey = deriveDiscoveryKey(projectDir, ccPid);
     const eventLog = startEventLog({ key: discoveryKey });
+    const webhookResolution = resolveWebhookConfig();
+    if (webhookResolution.error) {
+      console.error(`[kojee-mcp] webhook sink ERROR: ${webhookResolution.error}`);
+      void eventLog.appendStatus(`status=webhook error="${webhookResolution.error}"`).catch(() => {
+      });
+    }
+    const webhookSink = webhookResolution.enabled && webhookResolution.config ? createWebhookSink(webhookResolution.config, {
+      // Route delivery/failure observability to the STATUS sink.
+      log: (line) => {
+        void eventLog.appendStatus(`status=webhook ${line}`).catch(() => {
+        });
+      }
+    }) : null;
+    if (webhookSink) {
+      console.error(`[kojee-mcp] webhook sink ENABLED (${webhookSink.configSummary()})`);
+      void eventLog.appendStatus(`status=webhook enabled ${webhookSink.configSummary()}`).catch(() => {
+      });
+    }
     server = createMcpServer(registry, adapter, tandemMembershipCount, eventLog.path);
     const queue = new EventQueue();
     let streamHandle = null;
@@ -875,7 +868,12 @@ async function startProxy(config) {
       port: hookServer.port,
       startedAt: (/* @__PURE__ */ new Date()).toISOString(),
       brokerUrl: config.url,
-      eventLogPath: eventLog.path
+      eventLogPath: eventLog.path,
+      // Stamp the auth mode so `kojee-mcp doctor` renders the pairing check
+      // honestly: a token-mode box has no ~/.kojee/config.json by design and
+      // must not hard-fail on "paired config: MISSING". Defaults to "paired"
+      // for back-compat with callers that don't set it.
+      authMode: config.authMode ?? "paired"
     });
     const cleanupDiscoveryFile = () => cleanupDiscoveryByKey(discoveryKey);
     process.on("exit", () => cleanupDiscoveryFile());
@@ -896,6 +894,9 @@ async function startProxy(config) {
       server,
       queue,
       eventLog,
+      // Generic webhook sink (null unless KOJEE_WEBHOOK_URL + _SECRET are set).
+      // Wired LAST in the fan-out, fire-and-forget — can't delay a wake.
+      ...webhookSink ? { webhookSink } : {},
       // Resubscribe-on-start (P0 #2): touch all memberships + write a
       // `status=subscribed n=<count>` line on every (re)connect, so a backend
       // restart / scope reset self-heals and the log is never ambiguously
@@ -923,6 +924,7 @@ async function startProxy(config) {
     const cancelStream = streamHandle;
     process.stdin.on("end", () => {
       cancelStream();
+      void webhookSink?.stop();
       cleanupDiscoveryFile();
       eventLog.cleanup();
       hookServer.stop().finally(() => {
@@ -930,6 +932,62 @@ async function startProxy(config) {
         process.exit(0);
       });
     });
+  } else if (needsWebhookEventStream()) {
+    const { startEventLog, sweepStaleEventLogs } = await import("./event-log-RSTM4PLL.js");
+    const { resolveWebhookConfig } = await import("./webhook-config-5TLLX7RA.js");
+    const { createWebhookSink } = await import("./webhook-sink-7OYZBWXA.js");
+    const { resubscribeMemberships } = await import("./resubscribe-SLZNA76S.js");
+    sweepStaleEventLogs();
+    const ccPid = await findClaudeAncestorPid();
+    const projectDir = process.env["CLAUDE_PROJECT_DIR"];
+    const discoveryKey = deriveDiscoveryKey(projectDir, ccPid);
+    const eventLog = startEventLog({ key: discoveryKey });
+    const webhookResolution = resolveWebhookConfig();
+    if (webhookResolution.error) {
+      console.error(`[kojee-mcp] webhook sink ERROR: ${webhookResolution.error}`);
+      void eventLog.appendStatus(`status=webhook error="${webhookResolution.error}"`).catch(() => {
+      });
+    }
+    const webhookSink = webhookResolution.enabled && webhookResolution.config ? createWebhookSink(webhookResolution.config, {
+      log: (line) => {
+        void eventLog.appendStatus(`status=webhook ${line}`).catch(() => {
+        });
+      }
+    }) : null;
+    if (webhookSink) {
+      console.error(`[kojee-mcp] webhook sink ENABLED (${webhookSink.configSummary()})`);
+      void eventLog.appendStatus(`status=webhook enabled ${webhookSink.configSummary()}`).catch(() => {
+      });
+    }
+    server = createMcpServer(registry, adapter, tandemMembershipCount);
+    process.on("exit", () => eventLog.cleanup());
+    const streamHandle = await startEventStream({
+      brokerUrl: config.url,
+      token: config.token,
+      gateway,
+      adapter,
+      server,
+      eventLog,
+      ...webhookSink ? { webhookSink } : {},
+      onConnected: /* @__PURE__ */ (() => {
+        const debounceState = { lastRunAt: 0 };
+        return async () => {
+          await resubscribeMemberships({
+            gateway,
+            eventLog,
+            listTandems: async () => await listTandemIds(gateway) ?? [],
+            debounceState
+          });
+        };
+      })()
+    });
+    process.stdin.on("end", () => {
+      streamHandle();
+      void webhookSink?.stop();
+      eventLog.cleanup();
+      console.error("[kojee-mcp] stdin closed, exiting");
+      process.exit(0);
+    });
   } else {
     server = createMcpServer(registry, adapter, tandemMembershipCount);
     process.stdin.on("end", () => {

package/dist/{chunk-GBOTBYEP.js → chunk-YH27B6SW.js}

@@ -1,3 +1,8 @@
+import {
+  secureDir,
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
 // src/auth/paired-config.ts
 import fs from "fs";
 import os from "os";
@@ -16,15 +21,9 @@ function loadPairedConfig(filePath = pairedConfigPath()) {
 function savePairedConfig(filePath, config) {
   const dir = path.dirname(filePath);
   fs.mkdirSync(dir, { recursive: true, mode: 448 });
-  try {
-    fs.chmodSync(dir, 448);
-  } catch {
-  }
+  secureDir(dir);
   fs.writeFileSync(filePath, JSON.stringify(config, null, 2), { mode: 384 });
-  try {
-    fs.chmodSync(filePath, 384);
-  } catch {
-  }
+  secureFile(filePath);
 }
 
 export {

package/dist/chunk-ZW4SW7LJ.js

@@ -0,0 +1,225 @@
+import {
+  kojeeHomeDir
+} from "./chunk-SQL56SEB.js";
+import {
+  secureFile
+} from "./chunk-BLEGIR35.js";
+
+// src/wizard/codex-config.ts
+import fs from "fs";
+import path from "path";
+function defaultCodexConfigPath() {
+  return path.join(kojeeHomeDir(), ".codex", "config.toml");
+}
+function defaultCodexHooksPath() {
+  return path.join(kojeeHomeDir(), ".codex", "hooks.json");
+}
+var CODEX_STOP_HOOK_COMMAND = "npx -y kojee-mcp hook --type=codex-stop";
+function buildCodexMcpServerTable(opts) {
+  return [
+    "[mcp_servers.kojee]",
+    'command = "npx"',
+    'args = ["-y", "kojee-mcp"]',
+    "",
+    "[mcp_servers.kojee.env]",
+    'KOJEE_RUNTIME = "codex"',
+    `KOJEE_WEBHOOK_URL = "${escapeTomlString(opts.webhookUrl)}"`,
+    `KOJEE_WEBHOOK_SECRET = "${escapeTomlString(opts.webhookSecret)}"`
+  ].join("\n");
+}
+function buildCodexStopHookBlock() {
+  return [
+    "[[hooks.Stop]]",
+    "[[hooks.Stop.hooks]]",
+    'type = "command"',
+    `command = "${escapeTomlString(CODEX_STOP_HOOK_COMMAND)}"`
+  ].join("\n");
+}
+function escapeTomlString(s) {
+  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}
+var KOJEE_TABLE_HEADER = "[mcp_servers.kojee]";
+var KOJEE_ENV_TABLE_HEADER = "[mcp_servers.kojee.env]";
+function writeCodexConfig(inputs) {
+  const configPath = inputs.configPath ?? defaultCodexConfigPath();
+  const hooksPath = inputs.hooksPath ?? defaultCodexHooksPath();
+  let toml = "";
+  try {
+    toml = fs.readFileSync(configPath, "utf8");
+  } catch {
+  }
+  toml = upsertKojeeTomlTables(toml, inputs.webhookUrl, inputs.webhookSecret);
+  writeFile600(configPath, toml);
+  const hooks = readJson(hooksPath);
+  hooks.hooks ??= {};
+  hooks.hooks.Stop ??= [];
+  const already = hooks.hooks.Stop.some(
+    (e) => e.hooks?.some((h) => h.command === CODEX_STOP_HOOK_COMMAND)
+  );
+  if (!already) {
+    hooks.hooks.Stop.push({
+      hooks: [{ type: "command", command: CODEX_STOP_HOOK_COMMAND }]
+    });
+  }
+  writeFile600(hooksPath, JSON.stringify(hooks, null, 2));
+}
+function removeCodexConfig(opts = {}) {
+  const configPath = opts.configPath ?? defaultCodexConfigPath();
+  const hooksPath = opts.hooksPath ?? defaultCodexHooksPath();
+  const result = { mcpServer: false, stopHook: false };
+  try {
+    const toml = fs.readFileSync(configPath, "utf8");
+    const stripped = stripKojeeTomlTables(toml);
+    if (stripped !== toml) {
+      result.mcpServer = true;
+      writeFile600(configPath, stripped);
+    }
+  } catch {
+  }
+  try {
+    const hooks = readJson(hooksPath);
+    const stop = hooks.hooks?.Stop;
+    if (stop && stop.length > 0) {
+      const before = stop.length;
+      hooks.hooks.Stop = stop.filter(
+        (e) => !e.hooks?.some((h) => h.command.startsWith("npx -y kojee-mcp hook"))
+      );
+      if (hooks.hooks.Stop.length !== before) {
+        result.stopHook = true;
+        writeFile600(hooksPath, JSON.stringify(hooks, null, 2));
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+function upsertKojeeTomlTables(existing, webhookUrl, webhookSecret) {
+  const parsed = extractKojeeBlock(existing);
+  if (!parsed) {
+    const block = buildCodexMcpServerTable({ webhookUrl, webhookSecret });
+    const base2 = existing.replace(/\s*$/, "");
+    return base2.length === 0 ? block + "\n" : base2 + "\n\n" + block + "\n";
+  }
+  const tableKeys = upsertKeyLines(parsed.tableKeys, [
+    ["command", '"npx"'],
+    ["args", '["-y", "kojee-mcp"]']
+  ]);
+  const envKeys = upsertKeyLines(parsed.envKeys, [
+    ["KOJEE_RUNTIME", '"codex"'],
+    ["KOJEE_WEBHOOK_URL", `"${escapeTomlString(webhookUrl)}"`],
+    ["KOJEE_WEBHOOK_SECRET", `"${escapeTomlString(webhookSecret)}"`]
+  ]);
+  const merged = [
+    KOJEE_TABLE_HEADER,
+    ...tableKeys.map(([k, v]) => `${k} = ${v}`),
+    "",
+    KOJEE_ENV_TABLE_HEADER,
+    ...envKeys.map(([k, v]) => `${k} = ${v}`)
+  ].join("\n");
+  const base = parsed.rest.replace(/\s*$/, "");
+  return base.length === 0 ? merged + "\n" : base + "\n\n" + merged + "\n";
+}
+function upsertKeyLines(existing, owned) {
+  const ownedKeys = new Set(owned.map(([k]) => k));
+  const preserved = existing.filter(([k]) => !ownedKeys.has(k));
+  return [...preserved, ...owned];
+}
+function extractKojeeBlock(toml) {
+  const lines = toml.split("\n");
+  const rest = [];
+  const tableKv = /* @__PURE__ */ new Map();
+  const envKv = /* @__PURE__ */ new Map();
+  let found = false;
+  let section = "other";
+  for (const line of lines) {
+    const header = line.trim();
+    const isTableHeader = /^\[\[?[^\]]+\]\]?$/.test(header);
+    if (isTableHeader) {
+      if (header === KOJEE_TABLE_HEADER) {
+        found = true;
+        section = "table";
+        continue;
+      }
+      if (header === KOJEE_ENV_TABLE_HEADER) {
+        found = true;
+        section = "env";
+        continue;
+      }
+      if (header.startsWith("[mcp_servers.kojee.")) {
+        section = "other";
+        rest.push(line);
+        continue;
+      }
+      section = "other";
+      rest.push(line);
+      continue;
+    }
+    if (section === "table" || section === "env") {
+      const kv = parseTomlKeyValue(line);
+      if (kv) {
+        (section === "table" ? tableKv : envKv).set(kv[0], kv[1]);
+        continue;
+      }
+      if (header.length > 0) rest.push(line);
+      continue;
+    }
+    rest.push(line);
+  }
+  if (!found) return null;
+  return {
+    tableKeys: [...tableKv.entries()],
+    envKeys: [...envKv.entries()],
+    rest: rest.join("\n")
+  };
+}
+function parseTomlKeyValue(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith("#")) return null;
+  const eq = trimmed.indexOf("=");
+  if (eq <= 0) return null;
+  const key = trimmed.slice(0, eq).trim();
+  const value = trimmed.slice(eq + 1).trim();
+  if (!/^[A-Za-z0-9_.-]+$/.test(key)) return null;
+  return [key, value];
+}
+function stripKojeeTomlTables(toml) {
+  const lines = toml.split("\n");
+  const out = [];
+  let inKojee = false;
+  for (const line of lines) {
+    const header = line.trim();
+    const isTableHeader = /^\[\[?[^\]]+\]\]?$/.test(header);
+    if (isTableHeader) {
+      const isKojee = header === KOJEE_TABLE_HEADER || header === KOJEE_ENV_TABLE_HEADER || header.startsWith("[mcp_servers.kojee.") || header.startsWith("[mcp_servers.kojee]");
+      if (isKojee) {
+        inKojee = true;
+        continue;
+      }
+      inKojee = false;
+    }
+    if (inKojee) continue;
+    out.push(line);
+  }
+  return out.join("\n").replace(/\n{3,}/g, "\n\n");
+}
+function readJson(p) {
+  try {
+    return JSON.parse(fs.readFileSync(p, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeFile600(p, content) {
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, content, { mode: 384 });
+  secureFile(p);
+}
+
+export {
+  defaultCodexConfigPath,
+  defaultCodexHooksPath,
+  buildCodexMcpServerTable,
+  buildCodexStopHookBlock,
+  writeCodexConfig,
+  removeCodexConfig
+};