skalpel 3.1.10 → 3.2.0

package/INSTALL.md

@@ -134,3 +134,26 @@ A small set of bundling questions are recorded here for the build phase. Each wi
 - `SPEC.md` — Skalpel TUI design dockets: §01 (the daemon non-supervisor stance), §03 Journey 1 (first-launch fresh-authentication flow that this document's first-run flow corresponds to), §05 (privacy stance referenced in the install-time telemetry open question).
 - `../../design-dockets/cross-surface-contract.md` — Cross-surface contract: the Auth handoff section (machine-client identity, the `npx skalpel` install wizard arriving in the same transaction as the daemon), the ownership matrix's Post-signup install row.
 - `../../Skalpel_Infrastructure/INFRASTRUCTURE.md` — CLI Distribution section (npm, GitHub Releases, Sigstore signing, the `cli/latest` auto-update endpoint, emergency-release fallback path).
+
+## Codex setup (macOS)
+
+During `npm install -g skalpel` on macOS you will see a **one-time Touch ID / password prompt** from the system. This prompt is the macOS keychain asking you to trust the daemon's local intercept CA in your **login keychain**. The trust is needed because Codex CLI is Rust and validates TLS against the OS keychain — without the trust, `codex` would reject the daemon's MITM leaf certs and skalpel would never see Codex traffic.
+
+**Scope of trust:**
+
+- Per-user (your `login.keychain-db`), not system-wide.
+- Trusts only the daemon-minted local CA labelled `Skalpel Local Intercept CA`.
+- Used exclusively for `chatgpt.com` / `api.openai.com` traffic the daemon intercepts; every other host is blind-tunnelled untouched.
+
+**If you missed the prompt** or declined it, run `skalpel login` or invoke `codex` once — the postinstall step writes a deferred-install sentinel and the next entry point retries the keychain install.
+
+**To revoke trust:**
+
+1. Open **Keychain Access**.
+2. Select the `login` keychain.
+3. Search for `Skalpel Local Intercept CA`.
+4. Right-click → Delete.
+
+After deletion, Codex traffic falls back to bare TLS (daemon won't see it). Re-install the CA via `skalpel login` if you change your mind.
+
+**Linux / Windows status:** the trust-store install path is **not yet shipped** on Linux or Windows. Codex MITM works on macOS only in this release. On other platforms the postinstall step skips the keychain step with a printed notice; the user can configure trust manually if they need Codex visibility.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skalpel",
-  "version": "3.1.10",
+  "version": "3.2.0",
   "description": "Skalpel — local proxy and TUI for coding agents (skalpel + skalpeld bundle).",
   "license": "Apache-2.0",
   "homepage": "https://skalpel.ai",
@@ -31,7 +31,7 @@
     "preinstall": "node postinstall/preinstall.js",
     "postinstall": "node postinstall/index.js",
     "preuninstall": "node postinstall/uninstall.js",
-    "test": "echo 'no top-level tests; run make test or npm run test:rc-edit' && exit 0",
+    "test": "node postinstall/lib/run-tests.js",
     "test:rc-edit": "node postinstall/lib/rc-edit.test.js",
     "test:postinstall": "node --test postinstall/index.test.js",
     "test:preinstall": "node --test postinstall/preinstall.test.js"
@@ -57,10 +57,10 @@
     "x64"
   ],
   "optionalDependencies": {
-    "@skalpelai/skalpel-darwin-arm64": "3.1.10",
-    "@skalpelai/skalpel-darwin-x64": "3.1.10",
-    "@skalpelai/skalpel-linux-arm64": "3.1.10",
-    "@skalpelai/skalpel-linux-x64": "3.1.10",
-    "@skalpelai/skalpel-win32-x64": "3.1.10"
+    "@skalpelai/skalpel-darwin-arm64": "3.2.0",
+    "@skalpelai/skalpel-darwin-x64": "3.2.0",
+    "@skalpelai/skalpel-linux-arm64": "3.2.0",
+    "@skalpelai/skalpel-linux-x64": "3.2.0",
+    "@skalpelai/skalpel-win32-x64": "3.2.0"
   }
 }

package/postinstall/index.js

@@ -27,6 +27,7 @@ const signIn = require('./lib/sign-in');
 const serviceRegister = require('./lib/service-register');
 const envInject = require('./lib/env-inject');
 const launch = require('./lib/launch');
+const caInstall = require('./lib/ca-install');
 
 function printStyledSuccess() {
   if (!process.stdout.isTTY) return;
@@ -93,7 +94,35 @@ function helpText() {
   ].join('\n');
 }
 
-function main(argv) {
+async function runCAInstallStep(opts) {
+  // Resolve CA path by spawning the just-installed `skalpel ca-path`.
+  // (The Go binary is on PATH by the time postinstall runs; see
+  // npm-bin/skalpel.js for the resolver.)
+  const cp = require('child_process');
+  let caPath = '';
+  try {
+    const out = cp.spawnSync('skalpel', ['ca-path'], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 5_000,
+    });
+    if (out.status === 0) {
+      caPath = String(out.stdout || '').trim();
+    }
+  } catch (_) {
+    // ignored — fall through to deferred-no-ca branch
+  }
+  if (!caPath) {
+    log.warn('ca-install: could not resolve `skalpel ca-path`; deferring keychain trust to first login');
+    return { ok: false, reason: 'no-binary' };
+  }
+  if (opts.dryRun) {
+    log.info(`ca-install: dry-run; would install ${caPath} into login keychain`);
+    return { ok: true, skipped: true, reason: 'dry-run' };
+  }
+  return caInstall.installMacOSCA(caPath);
+}
+
+async function main(argv) {
   const opts = parseArgs(argv);
   if (opts.help) {
     process.stdout.write(`${helpText()}\n`);
@@ -118,7 +147,7 @@ function main(argv) {
     return 0;
   }
 
-  const total = 5;
+  const total = 6;
   const mode = opts.dryRun ? 'dry-run' : 'live';
   log.info(`postinstall wizard starting (${mode} install) on ${process.platform}`);
 
@@ -155,12 +184,28 @@ function main(argv) {
       allWarnings.push(...sr.warnings);
     }
 
-    log.step(4, total, 'env-inject', 'managed-block edit per shell');
+    log.step(4, total, 'ca-install', `keychain trust on ${process.platform}`);
+    // ca-install is NON-CRITICAL: a declined Touch ID prompt must NOT
+    // fail postinstall. The deferred-install sentinel ensures first
+    // `skalpel login` / `codex` invocation retries the trust. On
+    // non-darwin we log + skip; Linux/Windows trust-store install is
+    // deferred to a later bundle.
+    try {
+      const caRes = await runCAInstallStep(opts);
+      if (caRes && !caRes.ok && caRes.reason) {
+        allWarnings.push(`ca-install: ${caRes.reason}`);
+      }
+    } catch (err) {
+      log.warn(`ca-install: ${err.message}; continuing`);
+      allWarnings.push(`ca-install: ${err.message}`);
+    }
+
+    log.step(5, total, 'env-inject', 'managed-block edit per shell');
     // env-inject is critical: missing managed block means agents
     // never see the proxy URL. Errors propagate.
     envInject.run({ dryRun: opts.dryRun });
 
-    log.step(5, total, 'launch', 'next-step hint');
+    log.step(6, total, 'launch', 'next-step hint');
     launch.run({ dryRun: opts.dryRun });
   } catch (err) {
     critical = err;
@@ -187,7 +232,14 @@ function main(argv) {
 }
 
 if (require.main === module) {
-  process.exit(main(process.argv));
+  Promise.resolve(main(process.argv)).then(
+    (code) => process.exit(code || 0),
+    (err) => {
+      log.error(`postinstall crashed: ${err && err.stack ? err.stack : err}`);
+      // Wizard contract: exit 0 even on crash so npm install never aborts.
+      process.exit(0);
+    }
+  );
 }
 
 module.exports = { main, parseArgs };

package/postinstall/lib/ca-install.js

@@ -0,0 +1,188 @@
+'use strict';
+
+// macOS keychain CA install for the daemon's MITM CA.
+//
+// Codex CLI is Rust and consults the OS keychain (Security Framework on
+// macOS) for trust. To make `skalpel codex-exec` work end-to-end on a
+// fresh `npm install -g skalpel`, the postinstall flow trusts the
+// daemon's local CA in the user's login keychain. This module owns that
+// step.
+//
+// Contract:
+//   installMacOSCA(caPath, opts) returns
+//     { ok: true }                                — installed (or already trusted)
+//     { ok: true, skipped: true, reason: '...' } — non-darwin or idempotent skip
+//     { ok: false, reason: '...' }                — user declined / timeout /
+//                                                   deferred (CA not yet on disk)
+//
+// Failure is NEVER fatal to postinstall. The user falls back to a
+// printed-instruction path and the next `skalpel codex-exec` /
+// `skalpel login` retries via the Go-side `internal/cainstall`
+// RetrySentinel helper.
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const childProcess = require('child_process');
+
+const KEYCHAIN_LABEL = 'Skalpel Local Intercept CA';
+const DEFAULT_TIMEOUT_MS = 60_000;
+const SENTINEL_BASENAME = '.ca-install-pending';
+
+// loginKeychainPath returns the path to the user's login keychain on
+// macOS. macOS Catalina+ uses .keychain-db.
+function loginKeychainPath(homedir) {
+  return path.join(homedir, 'Library', 'Keychains', 'login.keychain-db');
+}
+
+function logMsg(stream, msg) {
+  if (stream && typeof stream.write === 'function') {
+    stream.write(`${msg}\n`);
+  }
+}
+
+// installMacOSCA installs the daemon's MITM CA into the user's login
+// keychain, prompting the user for Touch ID / password. Idempotent —
+// re-running after a successful install is a no-op.
+//
+// opts:
+//   spawn:         optional injected child_process.spawn for tests
+//   stderr:        optional Writable for status messages (defaults to process.stderr)
+//   homedir:       optional homedir for tests (defaults to os.homedir())
+//   timeoutMs:     optional timeout override (defaults to 60s)
+//   sentinelDir:   optional dir where the deferred-install sentinel is written
+//                  when caPath does not exist (defaults to dirname(caPath))
+async function installMacOSCA(caPath, opts) {
+  const o = opts || {};
+  const spawn = o.spawn || childProcess.spawn;
+  const stderr = o.stderr || process.stderr;
+  const homedir = o.homedir || os.homedir();
+  const timeoutMs = o.timeoutMs || DEFAULT_TIMEOUT_MS;
+  const platform = o.platform || process.platform;
+
+  if (platform !== 'darwin') {
+    logMsg(
+      stderr,
+      `Skalpel: Codex MITM CA install skipped on ${platform}; Linux/Windows ` +
+        `trust-store install not yet implemented. Codex will fall back to bare ` +
+        `TLS — daemon won't see Codex traffic until trust is configured manually.`
+    );
+    return { ok: true, skipped: true, reason: 'platform' };
+  }
+
+  if (!fs.existsSync(caPath)) {
+    // Daemon hasn't generated the CA yet. Drop a sentinel and let the
+    // Go-side retry path pick it up on next `skalpel login` /
+    // `skalpel codex-exec`.
+    const sentinelDir = o.sentinelDir || path.dirname(caPath);
+    const sentinelPath = path.join(sentinelDir, SENTINEL_BASENAME);
+    try {
+      fs.mkdirSync(sentinelDir, { recursive: true });
+      fs.writeFileSync(sentinelPath, '');
+    } catch (err) {
+      logMsg(stderr, `Skalpel: could not write ca-install sentinel at ${sentinelPath}: ${err.message}`);
+    }
+    logMsg(
+      stderr,
+      'Skalpel: daemon CA not yet generated — will install on first `skalpel login` or `codex` invocation.'
+    );
+    return { ok: false, reason: 'deferred-no-ca', sentinelPath };
+  }
+
+  const loginKC = loginKeychainPath(homedir);
+
+  // Idempotency: probe first via `security find-certificate -c <label>
+  // <keychain>`. Exit 0 → already trusted; nothing to do.
+  if (await findCertificate(spawn, loginKC, timeoutMs)) {
+    return { ok: true, skipped: true, reason: 'already-installed' };
+  }
+
+  return await runAddTrustedCert(spawn, stderr, caPath, loginKC, timeoutMs);
+}
+
+// findCertificate runs `security find-certificate -c <label> <kc>` and
+// resolves to true iff the certificate is already trusted in the user's
+// login keychain.
+function findCertificate(spawn, loginKC, timeoutMs) {
+  return new Promise((resolve) => {
+    const child = spawn('security', ['find-certificate', '-c', KEYCHAIN_LABEL, loginKC], {
+      stdio: ['ignore', 'ignore', 'ignore'],
+    });
+    let settled = false;
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      try { child.kill('SIGTERM'); } catch (_) { /* noop */ }
+      resolve(false);
+    }, timeoutMs);
+    child.on('error', () => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve(false);
+    });
+    child.on('exit', (code) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve(code === 0);
+    });
+  });
+}
+
+// runAddTrustedCert spawns the install command, branching on its
+// outcome:
+//   exit 0  → installed
+//   exit !=0 within timeout → user declined or system rejected
+//   timeout → kill child and report timeout
+function runAddTrustedCert(spawn, stderr, caPath, loginKC, timeoutMs) {
+  return new Promise((resolve) => {
+    const child = spawn(
+      'security',
+      ['add-trusted-cert', '-r', 'trustRoot', '-k', loginKC, caPath],
+      { stdio: ['ignore', 'pipe', 'pipe'] }
+    );
+    let settled = false;
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      try { child.kill('SIGTERM'); } catch (_) { /* noop */ }
+      logMsg(stderr, 'Skalpel: user did not respond to keychain prompt within 60s — skipped.');
+      resolve({ ok: false, reason: 'timeout' });
+    }, timeoutMs);
+
+    child.on('error', (err) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      logMsg(stderr, `Skalpel: keychain install failed to start: ${err.message}`);
+      resolve({ ok: false, reason: 'spawn-error', error: err.message });
+    });
+
+    child.on('exit', (code) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      if (code === 0) {
+        logMsg(stderr, 'Skalpel: daemon CA trusted in login keychain.');
+        resolve({ ok: true });
+        return;
+      }
+      logMsg(
+        stderr,
+        'Skalpel: Codex MITM CA not trusted. Codex traffic will bypass skalpel until ' +
+          'you re-run the prompt (next `skalpel login` or `codex` invocation) or ' +
+          'manually trust ~/.skalpel/mitm-ca.pem.'
+      );
+      resolve({ ok: false, reason: 'declined-or-failed', exitCode: code });
+    });
+  });
+}
+
+module.exports = {
+  installMacOSCA,
+  KEYCHAIN_LABEL,
+  SENTINEL_BASENAME,
+  // Exported for tests:
+  loginKeychainPath,
+};

package/postinstall/lib/ca-install.test.js

@@ -0,0 +1,228 @@
+#!/usr/bin/env node
+// ca-install tests.
+//
+// Stdlib only: assert + fs + os + path + events. No mocha / no jest.
+// Matches the testing style of rc-edit.test.js. spawn is injected so
+// the tests never touch the real `security` binary or the user's
+// login keychain.
+//
+// Test cases (the promise.txt names each one explicitly):
+//   - non-darwin                — platform != 'darwin' short-circuits
+//   - already-installed         — find-certificate returns 0 → skip
+//   - success                   — add-trusted-cert exits 0
+//   - declined                  — add-trusted-cert exits non-zero
+//   - timeout                   — add-trusted-cert never exits; killed
+//   - deferred                  — CA file missing → sentinel written
+
+'use strict';
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { EventEmitter } = require('events');
+const assert = require('assert');
+
+const ca = require('./ca-install');
+
+let pass = 0;
+let fail = 0;
+
+function test(name, fn) {
+  return Promise.resolve()
+    .then(fn)
+    .then(() => {
+      process.stdout.write(`  PASS ${name}\n`);
+      pass += 1;
+    })
+    .catch((err) => {
+      process.stderr.write(`  FAIL ${name}\n    ${err && err.stack ? err.stack : err}\n`);
+      fail += 1;
+    });
+}
+
+// fakeChild implements the subset of ChildProcess that installMacOSCA
+// consumes: an event emitter with `kill()`. Plug into makeSpawn().
+function fakeChild() {
+  const ee = new EventEmitter();
+  ee.killed = false;
+  ee.kill = function () { ee.killed = true; };
+  return ee;
+}
+
+// makeSpawn returns a fake spawn that scripts each successive
+// invocation. Each script entry is either:
+//   { cmd: 'find-certificate', exit: 0|N }
+//   { cmd: 'add-trusted-cert', exit: 0|N, async?: true (delay exit), error?: Error }
+// If `async` is set, the child does NOT emit `exit` — the caller is
+// responsible for triggering the timeout path.
+function makeSpawn(script) {
+  const calls = [];
+  let i = 0;
+  function spawn(bin, args) {
+    const verb = args[0];
+    const step = script[i] || {};
+    i += 1;
+    calls.push({ bin, args, verb });
+    const child = fakeChild();
+    if (step.error) {
+      process.nextTick(() => child.emit('error', step.error));
+      return child;
+    }
+    if (step.async) {
+      // never emits exit — caller's setTimeout drives the timeout
+      return child;
+    }
+    const exitCode = typeof step.exit === 'number' ? step.exit : 0;
+    process.nextTick(() => child.emit('exit', exitCode));
+    return child;
+  }
+  spawn.calls = calls;
+  return spawn;
+}
+
+function captureStderr() {
+  const buf = [];
+  return {
+    write(s) { buf.push(s); },
+    text() { return buf.join(''); },
+  };
+}
+
+function tmpdir() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'ca-install-test-'));
+}
+
+async function run() {
+  process.stdout.write('ca-install tests:\n');
+
+  await test('non-darwin skip', async () => {
+    const stderr = captureStderr();
+    const spawn = makeSpawn([]);
+    const result = await ca.installMacOSCA('/anything', {
+      spawn,
+      stderr,
+      platform: 'linux',
+    });
+    assert.strictEqual(result.ok, true);
+    assert.strictEqual(result.skipped, true);
+    assert.strictEqual(result.reason, 'platform');
+    assert.strictEqual(spawn.calls.length, 0, 'must not invoke security on non-darwin');
+    assert.ok(/linux/.test(stderr.text()), 'should mention current platform');
+  });
+
+  await test('already-installed idempotency', async () => {
+    const stderr = captureStderr();
+    const dir = tmpdir();
+    const caPath = path.join(dir, 'mitm-ca.pem');
+    fs.writeFileSync(caPath, 'dummy');
+    // find-certificate exits 0 → already trusted; no add-trusted-cert call.
+    const spawn = makeSpawn([{ cmd: 'find-certificate', exit: 0 }]);
+    const result = await ca.installMacOSCA(caPath, {
+      spawn,
+      stderr,
+      platform: 'darwin',
+      homedir: dir,
+    });
+    assert.strictEqual(result.ok, true);
+    assert.strictEqual(result.skipped, true);
+    assert.strictEqual(result.reason, 'already-installed');
+    assert.strictEqual(spawn.calls.length, 1);
+    assert.strictEqual(spawn.calls[0].verb, 'find-certificate');
+  });
+
+  await test('success path', async () => {
+    const stderr = captureStderr();
+    const dir = tmpdir();
+    const caPath = path.join(dir, 'mitm-ca.pem');
+    fs.writeFileSync(caPath, 'dummy');
+    const spawn = makeSpawn([
+      { cmd: 'find-certificate', exit: 1 },
+      { cmd: 'add-trusted-cert', exit: 0 },
+    ]);
+    const result = await ca.installMacOSCA(caPath, {
+      spawn,
+      stderr,
+      platform: 'darwin',
+      homedir: dir,
+    });
+    assert.strictEqual(result.ok, true);
+    assert.strictEqual(result.skipped, undefined);
+    assert.strictEqual(spawn.calls.length, 2);
+    assert.strictEqual(spawn.calls[1].verb, 'add-trusted-cert');
+    assert.deepStrictEqual(
+      spawn.calls[1].args.slice(0, 4),
+      ['add-trusted-cert', '-r', 'trustRoot', '-k']
+    );
+  });
+
+  await test('declined path', async () => {
+    const stderr = captureStderr();
+    const dir = tmpdir();
+    const caPath = path.join(dir, 'mitm-ca.pem');
+    fs.writeFileSync(caPath, 'dummy');
+    const spawn = makeSpawn([
+      { cmd: 'find-certificate', exit: 1 },
+      { cmd: 'add-trusted-cert', exit: 128 },
+    ]);
+    const result = await ca.installMacOSCA(caPath, {
+      spawn,
+      stderr,
+      platform: 'darwin',
+      homedir: dir,
+    });
+    assert.strictEqual(result.ok, false);
+    assert.strictEqual(result.reason, 'declined-or-failed');
+    assert.strictEqual(result.exitCode, 128);
+    assert.ok(/CA not trusted|bypass skalpel/.test(stderr.text()), 'should warn user');
+  });
+
+  await test('timeout path', async () => {
+    const stderr = captureStderr();
+    const dir = tmpdir();
+    const caPath = path.join(dir, 'mitm-ca.pem');
+    fs.writeFileSync(caPath, 'dummy');
+    const spawn = makeSpawn([
+      { cmd: 'find-certificate', exit: 1 },
+      { cmd: 'add-trusted-cert', async: true }, // never exits
+    ]);
+    const result = await ca.installMacOSCA(caPath, {
+      spawn,
+      stderr,
+      platform: 'darwin',
+      homedir: dir,
+      timeoutMs: 30, // small so test is fast
+    });
+    assert.strictEqual(result.ok, false);
+    assert.strictEqual(result.reason, 'timeout');
+    assert.ok(/did not respond|skipped/.test(stderr.text()), 'should explain skip');
+  });
+
+  await test('deferred (no CA file yet) writes sentinel', async () => {
+    const stderr = captureStderr();
+    const dir = tmpdir();
+    const caPath = path.join(dir, 'mitm-ca.pem');
+    // Do NOT create caPath — simulate daemon hasn't booted yet.
+    const spawn = makeSpawn([]);
+    const result = await ca.installMacOSCA(caPath, {
+      spawn,
+      stderr,
+      platform: 'darwin',
+      homedir: dir,
+      sentinelDir: dir,
+    });
+    assert.strictEqual(result.ok, false);
+    assert.strictEqual(result.reason, 'deferred-no-ca');
+    assert.strictEqual(spawn.calls.length, 0, 'no security spawn on deferred path');
+    const sentinel = path.join(dir, ca.SENTINEL_BASENAME);
+    assert.ok(fs.existsSync(sentinel), `sentinel should exist at ${sentinel}`);
+  });
+
+  process.stdout.write(`\n  pass=${pass} fail=${fail}\n`);
+  return fail === 0 ? 0 : 1;
+}
+
+if (require.main === module) {
+  run().then((code) => process.exit(code));
+}
+
+module.exports = { run };

package/postinstall/lib/integrations.js

@@ -1,5 +1,10 @@
 'use strict';
 
+// envBlockValues defines the five vars the managed rc-block exports so
+// agents see the daemon's loopback proxy. Under the MITM Codex regime
+// (Option A) the Codex wrapper no longer needs SKALPEL_CODEX_* base-URL
+// vars — `skalpel codex-exec` sets HTTPS_PROXY at exec time and the
+// daemon TLS-terminates chatgpt.com:443 directly.
 function envBlockValues(port) {
   const p = String(port || 7878);
   const root = `http://127.0.0.1:${p}`;
@@ -9,8 +14,6 @@ function envBlockValues(port) {
     OPENAI_BASE_URL: `${root}/v1`,
     OPENAI_API_BASE: `${root}/v1`,
     SKALPEL_PROXY_URL: root,
-    SKALPEL_CODEX_OPENAI_BASE_URL: `${root}/v1`,
-    SKALPEL_CODEX_CHATGPT_BASE_URL: `${root}/backend-api`,
   };
 }
 
@@ -28,7 +31,7 @@ if [ -z "\${SKALPEL_NO_AGENT_WRAP:-}" ] && ! alias claude >/dev/null 2>&1 && com
       # exec'ing the real claude binary.
       command skalpel claude-exec "$@"
     else
-      ANTHROPIC_API_URL= ANTHROPIC_BASE_URL= OPENAI_BASE_URL= OPENAI_API_BASE= SKALPEL_PROXY_URL= SKALPEL_CODEX_OPENAI_BASE_URL= SKALPEL_CODEX_CHATGPT_BASE_URL= command claude "$@"
+      ANTHROPIC_API_URL= ANTHROPIC_BASE_URL= OPENAI_BASE_URL= OPENAI_API_BASE= SKALPEL_PROXY_URL= command claude "$@"
     fi
   }
 fi`,
@@ -40,7 +43,7 @@ if not set -q SKALPEL_NO_AGENT_WRAP; and not functions -q claude; and command -q
         if skalpel status 1>&2
             command skalpel claude-exec $argv
         else
-            env -u ANTHROPIC_API_URL -u ANTHROPIC_BASE_URL -u OPENAI_BASE_URL -u OPENAI_API_BASE -u SKALPEL_PROXY_URL -u SKALPEL_CODEX_OPENAI_BASE_URL -u SKALPEL_CODEX_CHATGPT_BASE_URL command claude $argv
+            env -u ANTHROPIC_API_URL -u ANTHROPIC_BASE_URL -u OPENAI_BASE_URL -u OPENAI_API_BASE -u SKALPEL_PROXY_URL command claude $argv
         end
     end
 end`,
@@ -60,15 +63,11 @@ if (-not $env:SKALPEL_NO_AGENT_WRAP -and $_skalpelOrigClaude -and $_skalpelStatu
             $_savedOpenAiBase = $env:OPENAI_BASE_URL
             $_savedOpenAiApiBase = $env:OPENAI_API_BASE
             $_savedSkalpelProxy = $env:SKALPEL_PROXY_URL
-            $_savedCodexOpenAi = $env:SKALPEL_CODEX_OPENAI_BASE_URL
-            $_savedCodexChatGPT = $env:SKALPEL_CODEX_CHATGPT_BASE_URL
             $env:ANTHROPIC_API_URL = ''
             $env:ANTHROPIC_BASE_URL = ''
             $env:OPENAI_BASE_URL = ''
             $env:OPENAI_API_BASE = ''
             $env:SKALPEL_PROXY_URL = ''
-            $env:SKALPEL_CODEX_OPENAI_BASE_URL = ''
-            $env:SKALPEL_CODEX_CHATGPT_BASE_URL = ''
             try { & $script:_skalpelOrigClaude.Source @args }
             finally {
                 $env:ANTHROPIC_API_URL = $_savedAnthropicApi
@@ -76,8 +75,6 @@ if (-not $env:SKALPEL_NO_AGENT_WRAP -and $_skalpelOrigClaude -and $_skalpelStatu
                 $env:OPENAI_BASE_URL = $_savedOpenAiBase
                 $env:OPENAI_API_BASE = $_savedOpenAiApiBase
                 $env:SKALPEL_PROXY_URL = $_savedSkalpelProxy
-                $env:SKALPEL_CODEX_OPENAI_BASE_URL = $_savedCodexOpenAi
-                $env:SKALPEL_CODEX_CHATGPT_BASE_URL = $_savedCodexChatGPT
             }
         }
     }
@@ -85,54 +82,59 @@ if (-not $env:SKALPEL_NO_AGENT_WRAP -and $_skalpelOrigClaude -and $_skalpelStatu
   },
 };
 
+// Codex integration — MITM Option A.
+//
+// Under the prior base-URL regime the wrapper sniffed Codex's auth_mode
+// out of ~/.codex/auth.json and injected `codex -c openai_base_url ...`
+// or `codex -c chatgpt_base_url ...`. That bypassed the daemon's TLS
+// pipeline for chatgpt.com and made attribution impossible.
+//
+// The MITM regime drops all base-URL knobs. Each wrapper now simply
+// delegates to `skalpel codex-exec`, which sets HTTPS_PROXY at exec
+// time so Codex CLI CONNECTs to chatgpt.com:443 through the daemon and
+// the daemon TLS-terminates with a leaf minted from its local CA. The
+// trust chain is installed into the OS keychain by
+// postinstall/lib/ca-install.js (macOS today; Linux/Windows deferred).
+//
+// Fail-open contract: if `skalpel status` reports the daemon down, the
+// wrapper falls through to bare `codex` so the user is never blocked
+// from running Codex by a skalpel outage.
 const codex = {
   name: 'codex',
   wrappers: {
     posix: `
-# Codex CLI/App integration. Config overrides are native Codex -c knobs.
+# Codex CLI integration — MITM regime (skalpel codex-exec).
 # Set SKALPEL_NO_AGENT_WRAP=1 to disable.
 if [ -z "\${SKALPEL_NO_AGENT_WRAP:-}" ] && ! alias codex >/dev/null 2>&1 && command -v codex >/dev/null 2>&1 && command -v skalpel >/dev/null 2>&1; then
   codex() {
     if skalpel status >&2; then
-      _skalpel_codex_home="\${CODEX_HOME:-$HOME/.codex}"
-      _skalpel_codex_auth_mode="$(awk -F'"' '/"auth_mode"/ { print $4; exit }' "\${_skalpel_codex_home}/auth.json" 2>/dev/null)"
-      case "\${_skalpel_codex_auth_mode}" in
-        apikey|api_key|api)
-          command codex -c "openai_base_url='\${SKALPEL_CODEX_OPENAI_BASE_URL}'" "$@"
-          ;;
-        *)
-          command codex -c "chatgpt_base_url='\${SKALPEL_CODEX_CHATGPT_BASE_URL}'" "$@"
-          ;;
-      esac
+      command skalpel codex-exec "$@"
     else
-      command codex "$@"
+      # Fail-open: daemon down. Clear every proxy var the rc-block set —
+      # Codex respects OPENAI_BASE_URL / OPENAI_API_BASE and would
+      # otherwise dial the dead loopback URL. Mirrors the claude
+      # wrapper's fail-open above.
+      ANTHROPIC_API_URL= ANTHROPIC_BASE_URL= OPENAI_BASE_URL= OPENAI_API_BASE= SKALPEL_PROXY_URL= SKALPEL_CODEX_OPENAI_BASE_URL= SKALPEL_CODEX_CHATGPT_BASE_URL= command codex "$@"
     fi
   }
 fi`,
     fish: `
-# Codex CLI/App integration. Config overrides are native Codex -c knobs.
+# Codex CLI integration — MITM regime (skalpel codex-exec).
 # Set SKALPEL_NO_AGENT_WRAP=1 to disable.
 if not set -q SKALPEL_NO_AGENT_WRAP; and not functions -q codex; and command -q codex; and command -q skalpel
     function codex
         if skalpel status 1>&2
-            set -l _skalpel_codex_home "$HOME/.codex"
-            if set -q CODEX_HOME
-                set _skalpel_codex_home "$CODEX_HOME"
-            end
-            set -l _skalpel_codex_auth_mode (awk -F'"' '/"auth_mode"/ { print $4; exit }' "$_skalpel_codex_home/auth.json" 2>/dev/null)
-            switch "$_skalpel_codex_auth_mode"
-                case apikey api_key api
-                    command codex -c "openai_base_url='$SKALPEL_CODEX_OPENAI_BASE_URL'" $argv
-                case '*'
-                    command codex -c "chatgpt_base_url='$SKALPEL_CODEX_CHATGPT_BASE_URL'" $argv
-            end
+            command skalpel codex-exec $argv
         else
-            command codex $argv
+            # Fail-open: daemon down. Clear every proxy var the rc-block set
+            # — Codex respects OPENAI_BASE_URL / OPENAI_API_BASE and would
+            # otherwise dial the dead loopback URL.
+            env -u ANTHROPIC_API_URL -u ANTHROPIC_BASE_URL -u OPENAI_BASE_URL -u OPENAI_API_BASE -u SKALPEL_PROXY_URL -u SKALPEL_CODEX_OPENAI_BASE_URL -u SKALPEL_CODEX_CHATGPT_BASE_URL command codex $argv
         end
     end
 end`,
     powershell: `
-# Codex CLI/App integration. Config overrides are native Codex -c knobs.
+# Codex CLI integration — MITM regime (skalpel codex-exec).
 # Set $env:SKALPEL_NO_AGENT_WRAP=1 to disable.
 $_skalpelOrigCodex = Get-Command codex -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
 $_skalpelStatusBin = Get-Command skalpel -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
@@ -140,21 +142,35 @@ if (-not $env:SKALPEL_NO_AGENT_WRAP -and $_skalpelOrigCodex -and $_skalpelStatus
     function global:codex {
         & $script:_skalpelStatusBin.Source status | Out-Host
         if ($LASTEXITCODE -eq 0) {
-            $_skalpelCodexHome = if ($env:CODEX_HOME) { $env:CODEX_HOME } else { Join-Path $HOME '.codex' }
-            $_skalpelCodexAuthMode = ''
-            try {
-                $_skalpelCodexAuthPath = Join-Path $_skalpelCodexHome 'auth.json'
-                if (Test-Path $_skalpelCodexAuthPath) {
-                    $_skalpelCodexAuthMode = (Get-Content -Raw $_skalpelCodexAuthPath | ConvertFrom-Json).auth_mode
-                }
-            } catch {}
-            if ($_skalpelCodexAuthMode -in @('apikey', 'api_key', 'api')) {
-                & $script:_skalpelOrigCodex.Source -c "openai_base_url='$env:SKALPEL_CODEX_OPENAI_BASE_URL'" @args
-            } else {
-                & $script:_skalpelOrigCodex.Source -c "chatgpt_base_url='$env:SKALPEL_CODEX_CHATGPT_BASE_URL'" @args
-            }
+            & $script:_skalpelStatusBin.Source codex-exec @args
         } else {
-            & $script:_skalpelOrigCodex.Source @args
+            # Fail-open: daemon down. Save + clear every proxy var the
+            # rc-block set so Codex doesn't dial the dead loopback URL,
+            # then restore them so the parent shell is unaffected.
+            $_savedAnthropicApi = $env:ANTHROPIC_API_URL
+            $_savedAnthropicBase = $env:ANTHROPIC_BASE_URL
+            $_savedOpenAiBase = $env:OPENAI_BASE_URL
+            $_savedOpenAiApiBase = $env:OPENAI_API_BASE
+            $_savedSkalpelProxy = $env:SKALPEL_PROXY_URL
+            $_savedCodexOpenAi = $env:SKALPEL_CODEX_OPENAI_BASE_URL
+            $_savedCodexChatGPT = $env:SKALPEL_CODEX_CHATGPT_BASE_URL
+            $env:ANTHROPIC_API_URL = ''
+            $env:ANTHROPIC_BASE_URL = ''
+            $env:OPENAI_BASE_URL = ''
+            $env:OPENAI_API_BASE = ''
+            $env:SKALPEL_PROXY_URL = ''
+            $env:SKALPEL_CODEX_OPENAI_BASE_URL = ''
+            $env:SKALPEL_CODEX_CHATGPT_BASE_URL = ''
+            try { & $script:_skalpelOrigCodex.Source @args }
+            finally {
+                $env:ANTHROPIC_API_URL = $_savedAnthropicApi
+                $env:ANTHROPIC_BASE_URL = $_savedAnthropicBase
+                $env:OPENAI_BASE_URL = $_savedOpenAiBase
+                $env:OPENAI_API_BASE = $_savedOpenAiApiBase
+                $env:SKALPEL_PROXY_URL = $_savedSkalpelProxy
+                $env:SKALPEL_CODEX_OPENAI_BASE_URL = $_savedCodexOpenAi
+                $env:SKALPEL_CODEX_CHATGPT_BASE_URL = $_savedCodexChatGPT
+            }
         }
     }
 }`,

package/postinstall/lib/rc-edit.test.js

@@ -188,13 +188,18 @@ function run() {
   });
 
   test('TestRcEdit_Body_Has_Codex_Wrapper', () => {
+    // Codex MITM regime (Option A): wrapper delegates to
+    // `skalpel codex-exec`, which sets HTTPS_PROXY at exec time. The
+    // prior `auth_mode` / `openai_base_url` / `chatgpt_base_url`
+    // sniffing is gone — the daemon TLS-terminates chatgpt.com:443
+    // directly and Codex CLI's native upstream resolver does the rest.
     const env = rc.envBlockValues(7878);
     const block = rc.buildBlock('bash', env);
     assert.ok(block.includes('codex()'), 'missing codex wrapper');
-    assert.ok(block.includes('openai_base_url'), 'missing Codex OpenAI base config');
-    assert.ok(block.includes('chatgpt_base_url'), 'missing Codex ChatGPT base config');
-    assert.ok(block.includes('auth_mode'), 'missing Codex auth-mode routing');
-    assert.ok(block.includes('http://127.0.0.1:7878/backend-api'), 'missing Codex ChatGPT backend base');
+    assert.ok(block.includes('skalpel codex-exec'), 'codex wrapper should delegate to skalpel codex-exec');
+    assert.ok(!block.includes('openai_base_url'), 'codex wrapper should not pin openai_base_url (MITM regime drops base-URL knobs)');
+    assert.ok(!block.includes('chatgpt_base_url'), 'codex wrapper should not pin chatgpt_base_url (MITM regime drops base-URL knobs)');
+    assert.ok(!block.includes('auth_mode'), 'codex wrapper should not sniff auth_mode (MITM regime is auth-mode-agnostic)');
     assert.ok(!block.includes('network.proxy_url'), 'Codex wrapper should not generic-proxy metadata routes');
   });
 

package/postinstall/lib/run-tests.js

@@ -0,0 +1,59 @@
+#!/usr/bin/env node
+// Tiny test driver for postinstall/lib/*.test.js
+//
+// Why: each *.test.js is a self-contained module exporting `run()` that
+// returns 0|1 (rc-edit pattern). This driver lets `npm test` run them
+// all or filter to a single one — required so the promise's two probes
+// (`npm test` AND `npm test -- ca-install.test.js`) both work.
+//
+// Filter argument is the test file's basename, e.g. `ca-install.test.js`
+// or `rc-edit.test.js`. Anything not matching a known test is ignored.
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const HERE = __dirname;
+
+function discoverTests() {
+  return fs
+    .readdirSync(HERE)
+    .filter((f) => f.endsWith('.test.js'))
+    .sort();
+}
+
+function filterFromArgv(argv) {
+  // npm test -- ca-install.test.js → process.argv = [node, run-tests.js, 'ca-install.test.js']
+  return argv.slice(2).filter((a) => a && !a.startsWith('-'));
+}
+
+async function main() {
+  const filters = filterFromArgv(process.argv);
+  const all = discoverTests();
+  const selected = filters.length
+    ? all.filter((f) => filters.includes(f))
+    : all;
+  if (selected.length === 0) {
+    process.stderr.write(`no tests matched filter(s): ${filters.join(', ')}\n`);
+    process.stderr.write(`available: ${all.join(', ')}\n`);
+    process.exit(1);
+  }
+  let total = 0;
+  for (const f of selected) {
+    process.stdout.write(`\n== ${f} ==\n`);
+    const mod = require(path.join(HERE, f));
+    if (typeof mod.run !== 'function') {
+      process.stderr.write(`  ${f}: module does not export run(); skipping\n`);
+      continue;
+    }
+    const code = await mod.run();
+    total += code || 0;
+  }
+  process.exit(total === 0 ? 0 : 1);
+}
+
+main().catch((err) => {
+  process.stderr.write(`run-tests crashed: ${err.stack || err}\n`);
+  process.exit(1);
+});