sneakoscope 1.18.11 → 1.18.12

package/README.md

@@ -16,7 +16,7 @@ Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-C
 
 ## Current Release
 
-SKS **1.18.11** adds the Real Worker Backend Router and Warp/tmux right-lane physical proof closure: native CLI workers now route fake, process, codex-exec, and tmux backends through explicit child-execution reports, real Codex proof separates native worker processes from Codex child process overlap and model-authored patch envelopes, and tmux lane proof checks right-side pane coordinates plus lane content instead of accepting manifest-only evidence.
+SKS **1.18.12** adds Codex config EPERM self-heal, doctor real-fix proof, MAD launch preflight, and official Fast mode closure: doctor now proves `.codex/config.toml` is readable by a spawned child, project-local config is split away from ignored provider/profile/telemetry keys, MAD blocks tmux launch before unreadable config can crash Codex, and Codex children receive `-c service_tier=fast` with process-report evidence.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
@@ -700,7 +700,7 @@ npm run release:check
 npm run publish:dry
 ```
 
-`release:check` runs the 1.18.11 route-truth closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Warp/tmux right-lane physical UI proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, Codex 0.134 runner truth, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, tmux lane proof, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke and real Codex parallel worker proof are optional unless their `SKS_REQUIRE_REAL_*` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
+`release:check` runs the 1.18.12 route-truth closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Warp/tmux right-lane physical UI proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, Codex 0.134 runner truth, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, tmux lane proof, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke and real Codex parallel worker proof are optional unless their `SKS_REQUIRE_REAL_*` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
 
 Version bumps are manual. Run `sks versioning bump` only when preparing release metadata; SKS will not create `.git/hooks/pre-commit` or auto-bump during ordinary commits.
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.18.11"
+version = "1.18.12"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.18.11"
+version = "1.18.12"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.18.11"),
+        Some("--version") => println!("sks-rs 1.18.12"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.18.11",
-  "source_digest": "d004681e2602ecbdc874d004fbaea06decb2fceda7cae54121f35eeb176d9f37",
-  "source_file_count": 1616,
-  "built_at_source_time": 1779978966188
+  "package_version": "1.18.12",
+  "source_digest": "2cb365dedaaf3adf494af387fa19195a82c8dabc0e4436c4f8921120ab3627e7",
+  "source_file_count": 1630,
+  "built_at_source_time": 1779984628787
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.18.11';
+const FAST_PACKAGE_VERSION = '1.18.12';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--agent' && args[1] === 'worker') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.18.11",
-  "package_version": "1.18.11",
+  "version": "1.18.12",
+  "package_version": "1.18.12",
   "typescript": true,
   "mjs_runtime_files": 0,
-  "compiled_file_count": 932,
-  "compiled_js_count": 466,
-  "compiled_dts_count": 466,
-  "source_digest": "d004681e2602ecbdc874d004fbaea06decb2fceda7cae54121f35eeb176d9f37",
-  "source_file_count": 1616,
-  "source_files_hash": "8a3b749a48f8693f57f3dfaf93354e4224feb1e0e88730df901d0b6f8f30c10a",
-  "source_list_hash": "8a3b749a48f8693f57f3dfaf93354e4224feb1e0e88730df901d0b6f8f30c10a",
+  "compiled_file_count": 942,
+  "compiled_js_count": 471,
+  "compiled_dts_count": 471,
+  "source_digest": "2cb365dedaaf3adf494af387fa19195a82c8dabc0e4436c4f8921120ab3627e7",
+  "source_file_count": 1630,
+  "source_files_hash": "b777fa1c9f49a7269df34a856ac0c22d77537df0ce51e63efd02852e49309b8b",
+  "source_list_hash": "b777fa1c9f49a7269df34a856ac0c22d77537df0ce51e63efd02852e49309b8b",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -396,6 +396,14 @@
     "core/codex/appshots-operator-policy.js",
     "core/codex/codex-0-134-compat.d.ts",
     "core/codex/codex-0-134-compat.js",
+    "core/codex/codex-cli-syntax-builder.d.ts",
+    "core/codex/codex-cli-syntax-builder.js",
+    "core/codex/codex-config-eperm-repair.d.ts",
+    "core/codex/codex-config-eperm-repair.js",
+    "core/codex/codex-config-readability.d.ts",
+    "core/codex/codex-config-readability.js",
+    "core/codex/codex-project-config-policy.d.ts",
+    "core/codex/codex-project-config-policy.js",
     "core/codex/codex-web-search-adapter.d.ts",
     "core/codex/codex-web-search-adapter.js",
     "core/codex/managed-proxy-env.d.ts",
@@ -751,6 +759,8 @@
     "core/ppt-review/slide-issue-extraction.js",
     "core/ppt.d.ts",
     "core/ppt.js",
+    "core/preflight/parallel-preflight-engine.d.ts",
+    "core/preflight/parallel-preflight-engine.js",
     "core/prompt-context-builder.d.ts",
     "core/prompt-context-builder.js",
     "core/proof-field.d.ts",

package/dist/commands/doctor.js

@@ -7,8 +7,10 @@ import { codexAppIntegrationStatus } from '../core/codex-app.js';
 import { codexLbMetrics, readCodexLbCircuit } from '../core/codex-lb-circuit.js';
 import { ensureGlobalCodexSkillsDuringInstall } from '../cli/install-helpers.js';
 import { normalizeInstallScope } from '../core/init.js';
+import { inspectCodexConfigReadability } from '../core/codex/codex-config-readability.js';
+import { repairCodexConfigEperm } from '../core/codex/codex-config-eperm-repair.js';
 export async function run(_command, args = []) {
-    let repair = null;
+    let setupRepair = null;
     if (flag(args, '--fix')) {
         const { setupCommand } = await import('../core/commands/basic-cli.js');
         const installScope = installScopeFromArgs(args);
@@ -16,7 +18,7 @@ export async function run(_command, args = []) {
         if (flag(args, '--local-only'))
             setupArgs.push('--local-only');
         await setupCommand(setupArgs);
-        repair = {
+        setupRepair = {
             install_scope: installScope,
             global_skills: installScope === 'global' && !flag(args, '--local-only')
                 ? await ensureGlobalCodexSkillsDuringInstall({ force: true })
@@ -24,6 +26,8 @@ export async function run(_command, args = []) {
         };
     }
     const root = await projectRoot();
+    const configRepair = flag(args, '--fix') ? await repairCodexConfigEperm(root, { fix: true }) : null;
+    const codexConfig = configRepair?.after || await inspectCodexConfigReadability(root);
     const codex = await getCodexInfo().catch(() => ({ bin: null, version: null, available: false }));
     const rust = await rustInfo().catch((err) => ({
         available: false,
@@ -35,18 +39,26 @@ export async function run(_command, args = []) {
     const codexApp = await codexAppIntegrationStatus({ codex }).catch((err) => ({ ok: false, error: err.message }));
     const codexLb = codexLbMetrics(await readCodexLbCircuit(root).catch(() => ({})));
     const pkgBytes = await dirSize(root).catch(() => 0);
+    const readyBlockers = [
+        ...(!codex.bin ? ['codex_cli_missing'] : []),
+        ...(!codexConfig.ok ? ['codex_config_unreadable', ...(codexConfig.blockers || [])] : []),
+        ...(!codexApp.ok ? ['codex_app_setup_incomplete'] : []),
+        ...(!codexLb.ok ? [`codex_lb_${codexLb.circuit?.state || 'blocked'}`] : [])
+    ];
     const result = {
         schema: 'sks.doctor-status.v1',
-        ok: Boolean(codex.bin) && codexApp.ok && codexLb.ok,
+        ok: Boolean(codex.bin) && codexConfig.ok && codexApp.ok && codexLb.ok,
         root,
         node: { ok: Number(process.versions.node.split('.')[0]) >= 20, version: process.version },
         codex,
+        codex_config: codexConfig,
         rust,
         codex_app: codexApp,
         codex_lb: codexLb,
+        ready: { ok: readyBlockers.length === 0, blockers: readyBlockers },
         sneakoscope: { ok: await exists(`${root}/.sneakoscope`) },
         package: { bytes: pkgBytes, human: formatBytes(pkgBytes) },
-        repair
+        repair: { setup: setupRepair, codex_config: configRepair }
     };
     if (flag(args, '--json')) {
         printJson(result);
@@ -58,10 +70,16 @@ export async function run(_command, args = []) {
     console.log(`Root:      ${root}`);
     console.log(`Node:      ${result.node.ok ? 'ok' : 'fail'} ${result.node.version}`);
     console.log(`Codex:     ${codex.bin ? 'ok' : 'missing'} ${codex.version || ''}`);
+    console.log(`Codex cfg: ${codexConfig.ok ? 'ok' : `blocked ${(codexConfig.blockers || []).join(', ') || 'unknown'}`}`);
     console.log(`Rust acc.: ${rust.mode || (rust.available ? 'rust_accelerated' : 'js_fallback')} ${rust.version || rust.status || ''}`);
     console.log(`Codex App: ${codexApp.ok ? 'ok' : 'needs setup'}`);
     console.log(`codex-lb:  ${codexLb.ok ? 'ok' : `blocked ${codexLb.circuit?.state || 'unknown'}`}`);
     console.log(`Ready:     ${result.ok ? 'yes' : 'no'}`);
+    if (!codexConfig.ok && codexConfig.operator_actions?.length) {
+        console.log('Config action:');
+        for (const action of codexConfig.operator_actions)
+            console.log(`- ${action}`);
+    }
     if (!result.ok)
         process.exitCode = 1;
 }

package/dist/commands/mad-sks.d.ts

@@ -49,5 +49,78 @@ export declare function run(_command: any, args?: any): Promise<void | {
     mode: string;
     mission_id: any;
     codex_lb_cleanup: any;
+} | {
+    schema: string;
+    generated_at: string;
+    root: string;
+    ok: boolean;
+    readonly: {
+        schema: string;
+        generated_at: string;
+        started_at: string;
+        ok: boolean;
+        results: {
+            id: string;
+            ok: boolean;
+            status: "fulfilled" | "rejected";
+            value: any;
+            error: string | null;
+        }[];
+        blockers: any[];
+        operator_actions: any[];
+    };
+    repair: {
+        schema: string;
+        generated_at: string;
+        root: string;
+        config_path: string;
+        ok: boolean;
+        fix: boolean;
+        before: import("../core/codex/codex-config-readability.js").CodexConfigReadabilityReport;
+        policy: {
+            schema: string;
+            generated_at: string;
+            root: string;
+            config_path: string;
+            codex_home: string;
+            ok: boolean;
+            status: string;
+            changed: boolean;
+            moved_keys: never[];
+            moved_tables: never[];
+            actions: never[];
+            blockers: never[];
+        } | {
+            schema: string;
+            generated_at: string;
+            root: string;
+            config_path: string;
+            codex_home: string;
+            ok: boolean;
+            changed: boolean;
+            applied: boolean;
+            backup_path: string | null;
+            user_config_path: string | null;
+            profile_config_path: string | null;
+            profile_name: any;
+            moved_keys: string[];
+            moved_tables: string[];
+            deprecated_approval_policy_fixed: boolean;
+            actions: string[];
+            blockers: never[];
+        };
+        repair_actions: any[];
+        after: import("../core/codex/codex-config-readability.js").CodexConfigReadabilityReport;
+        blockers: string[];
+        operator_actions: string[];
+    } | null;
+    fast_tier_proof: {
+        schema: string;
+        ok: boolean;
+        service_tier: any;
+        codex_args: string[];
+    };
+    blockers: any[];
+    operator_actions: any[];
 }>;
 //# sourceMappingURL=mad-sks.d.ts.map

package/dist/core/agents/agent-runner-codex-exec.d.ts

@@ -1,6 +1,6 @@
 export declare function buildCodexExecAgentArgs(agent: any, prompt: string, opts?: any): {
     resultFile: any;
-    args: any[];
+    args: string[];
 };
 export declare function runCodexExecAgent(agent: any, slice: any, opts?: any): Promise<{
     status: string;

package/dist/core/agents/agent-runner-codex-exec.js

@@ -3,30 +3,31 @@ import { packageRoot, readJson, runProcess, writeJsonAtomic } from '../fsx.js';
 import { managedProxyEnvForChild } from '../codex/managed-proxy-env.js';
 import { agentWorkerEnv, validateAgentWorkerResult } from './agent-worker-pipeline.js';
 import { fastModeEnv, resolveFastModePolicy } from './fast-mode-policy.js';
+import { buildCodexExecArgs } from '../codex/codex-cli-syntax-builder.js';
 export function buildCodexExecAgentArgs(agent, prompt, opts = {}) {
     const resultFile = opts.resultFile || defaultCodexResultFile(agent, opts);
     const sandbox = opts.workspaceWrite ? 'workspace-write' : 'read-only';
-    const args = [
-        'exec',
-        '--json',
-        '--output-schema',
-        opts.schemaFile || path.join(packageRoot(), 'schemas/codex/agent-result.schema.json'),
-        '--output-last-message',
-        resultFile,
-        '--ephemeral',
-    ];
-    if (opts.skipGitRepoCheck !== false)
-        args.push('--skip-git-repo-check');
-    if (opts.profile)
-        args.push('--profile', String(opts.profile));
-    else
-        args.push('--ignore-user-config');
-    args.push('--ignore-rules', '--sandbox', sandbox, prompt);
+    const args = buildCodexExecArgs({
+        json: true,
+        outputSchema: opts.schemaFile || path.join(packageRoot(), 'schemas/codex/agent-result.schema.json'),
+        outputLastMessage: resultFile,
+        ephemeral: true,
+        skipGitRepoCheck: opts.skipGitRepoCheck !== false,
+        profile: opts.profile ? String(opts.profile) : null,
+        ignoreUserConfig: !opts.profile,
+        ignoreRules: true,
+        sandbox,
+        serviceTier: opts.serviceTier || (opts.fastMode === false ? 'standard' : 'fast'),
+        prompt
+    });
     return {
         resultFile,
         args
     };
 }
+function codexArgsIncludeServiceTier(args, serviceTier) {
+    return args.includes('-c') && args.includes(`service_tier=${serviceTier}`);
+}
 function defaultCodexResultFile(agent, opts = {}) {
     const root = opts.agentRoot || opts.cwd || process.cwd();
     const artifactDir = agent.session_artifact_dir || path.join('sessions', agent.id || agent.session_id || 'agent');
@@ -46,7 +47,7 @@ export async function runCodexExecAgent(agent, slice, opts = {}) {
             result_file: command.resultFile,
             service_tier: fastPolicy.service_tier,
             fast_mode: fastPolicy.fast_mode,
-            service_tier_passed_to_codex: false,
+            service_tier_passed_to_codex: codexArgsIncludeServiceTier(command.args, fastPolicy.service_tier),
             output_schema_used: command.args.includes('--output-schema'),
             output_last_message_path: command.resultFile,
             agent_worker_env_injected: false,
@@ -74,7 +75,7 @@ export async function runCodexExecAgent(agent, slice, opts = {}) {
         result_file: command.resultFile,
         service_tier: fastPolicy.service_tier,
         fast_mode: fastPolicy.fast_mode,
-        service_tier_passed_to_codex: false,
+        service_tier_passed_to_codex: codexArgsIncludeServiceTier(command.args, fastPolicy.service_tier),
         output_schema_used: command.args.includes('--output-schema'),
         output_last_message_path: command.resultFile,
         agent_worker_env_injected: Object.keys(workerEnv).length > 0,

package/dist/core/agents/codex-exec-worker-adapter.d.ts

@@ -31,6 +31,7 @@ export declare function runCodexExecWorkerAdapter(input: {
             output_schema_file: string | null;
             fast_mode: boolean;
             service_tier: "standard" | "fast";
+            service_tier_passed_to_codex: boolean;
             managed_proxy_env_keys: any;
             recursion_guard_env: boolean;
             dry_run: boolean;
@@ -96,6 +97,7 @@ export declare function runCodexExecWorkerAdapter(input: {
         output_schema_file: string | null;
         fast_mode: boolean;
         service_tier: "standard" | "fast";
+        service_tier_passed_to_codex: boolean;
         managed_proxy_env_keys: any;
         recursion_guard_env: boolean;
         dry_run: boolean;

package/dist/core/agents/codex-exec-worker-adapter.js

@@ -60,6 +60,7 @@ export async function runCodexExecWorkerAdapter(input) {
         output_schema_file: input.outputSchemaFile || null,
         fast_mode: input.fastModePolicy.fast_mode,
         service_tier: input.fastModePolicy.service_tier,
+        service_tier_passed_to_codex: command.args.includes('-c') && command.args.includes(`service_tier=${input.fastModePolicy.service_tier}`),
         managed_proxy_env_keys: rawReport?.managed_proxy_env_keys || [],
         recursion_guard_env: rawReport?.recursion_guard_env === true,
         dry_run: rawReport?.dry_run !== false,

package/dist/core/auto-review.js

@@ -110,7 +110,7 @@ export async function enableMadHighProfile(opts = {}) {
         config_path: configPath,
         profile_config_path: path.join(path.dirname(configPath), `${MAD_HIGH_PROFILE}.config.toml`),
         profile_name: MAD_HIGH_PROFILE,
-        launch_args: ['--profile', MAD_HIGH_PROFILE, '--sandbox', 'danger-full-access', '--ask-for-approval', 'never'],
+        launch_args: ['--profile', MAD_HIGH_PROFILE, '--sandbox', 'danger-full-access', '--ask-for-approval', 'never', '-c', 'service_tier=fast'],
         sandbox_mode: 'danger-full-access',
         approval_policy: 'never',
         approvals_reviewer: AUTO_REVIEW_REVIEWER,

package/dist/core/codex/codex-cli-syntax-builder.d.ts

@@ -0,0 +1,20 @@
+export type CodexSandboxMode = 'read-only' | 'workspace-write' | 'danger-full-access';
+export type CodexServiceTier = 'fast' | 'standard' | 'default' | 'flex' | 'auto';
+export type BuildCodexExecArgsOptions = {
+    json?: boolean;
+    outputSchema?: string | null;
+    outputLastMessage?: string | null;
+    ephemeral?: boolean;
+    skipGitRepoCheck?: boolean;
+    profile?: string | null;
+    ignoreUserConfig?: boolean;
+    ignoreRules?: boolean;
+    sandbox?: CodexSandboxMode;
+    serviceTier?: CodexServiceTier | null;
+    fullAuto?: boolean;
+    danger?: boolean;
+    allowDanger?: boolean;
+    prompt: string;
+};
+export declare function buildCodexExecArgs(opts: BuildCodexExecArgsOptions): string[];
+//# sourceMappingURL=codex-cli-syntax-builder.d.ts.map

package/dist/core/codex/codex-cli-syntax-builder.js

@@ -0,0 +1,39 @@
+export function buildCodexExecArgs(opts) {
+    if (opts.fullAuto && opts.danger) {
+        throw new Error('codex exec cannot combine full auto and danger modes');
+    }
+    if (opts.danger && !opts.allowDanger) {
+        throw new Error('codex exec danger mode requires explicit allowDanger=true');
+    }
+    if (opts.profile && opts.ignoreUserConfig) {
+        throw new Error('codex exec cannot combine --profile with --ignore-user-config');
+    }
+    const args = ['exec'];
+    if (opts.json)
+        args.push('--json');
+    if (opts.outputSchema)
+        args.push('--output-schema', opts.outputSchema);
+    if (opts.outputLastMessage)
+        args.push('--output-last-message', opts.outputLastMessage);
+    if (opts.ephemeral)
+        args.push('--ephemeral');
+    if (opts.skipGitRepoCheck)
+        args.push('--skip-git-repo-check');
+    if (opts.profile)
+        args.push('--profile', opts.profile);
+    else if (opts.ignoreUserConfig)
+        args.push('--ignore-user-config');
+    if (opts.ignoreRules)
+        args.push('--ignore-rules');
+    if (opts.fullAuto)
+        args.push('--full-auto');
+    if (opts.danger)
+        args.push('--dangerously-bypass-approvals-and-sandbox');
+    else if (opts.sandbox)
+        args.push('--sandbox', opts.sandbox);
+    if (opts.serviceTier)
+        args.push('-c', `service_tier=${opts.serviceTier}`);
+    args.push(opts.prompt);
+    return args;
+}
+//# sourceMappingURL=codex-cli-syntax-builder.js.map

package/dist/core/codex/codex-config-eperm-repair.d.ts

@@ -0,0 +1,47 @@
+export declare const CODEX_CONFIG_EPERM_REPAIR_SCHEMA = "sks.codex-config-eperm-repair.v1";
+export declare function repairCodexConfigEperm(rootInput?: string, opts?: any): Promise<{
+    schema: string;
+    generated_at: string;
+    root: string;
+    config_path: string;
+    ok: boolean;
+    fix: boolean;
+    before: import("./codex-config-readability.js").CodexConfigReadabilityReport;
+    policy: {
+        schema: string;
+        generated_at: string;
+        root: string;
+        config_path: string;
+        codex_home: string;
+        ok: boolean;
+        status: string;
+        changed: boolean;
+        moved_keys: never[];
+        moved_tables: never[];
+        actions: never[];
+        blockers: never[];
+    } | {
+        schema: string;
+        generated_at: string;
+        root: string;
+        config_path: string;
+        codex_home: string;
+        ok: boolean;
+        changed: boolean;
+        applied: boolean;
+        backup_path: string | null;
+        user_config_path: string | null;
+        profile_config_path: string | null;
+        profile_name: any;
+        moved_keys: string[];
+        moved_tables: string[];
+        deprecated_approval_policy_fixed: boolean;
+        actions: string[];
+        blockers: never[];
+    };
+    repair_actions: any[];
+    after: import("./codex-config-readability.js").CodexConfigReadabilityReport;
+    blockers: string[];
+    operator_actions: string[];
+}>;
+//# sourceMappingURL=codex-config-eperm-repair.d.ts.map

package/dist/core/codex/codex-config-eperm-repair.js

@@ -0,0 +1,60 @@
+import path from 'node:path';
+import { nowIso, runProcess, writeJsonAtomic } from '../fsx.js';
+import { inspectCodexConfigReadability } from './codex-config-readability.js';
+import { splitCodexProjectConfigPolicy } from './codex-project-config-policy.js';
+export const CODEX_CONFIG_EPERM_REPAIR_SCHEMA = 'sks.codex-config-eperm-repair.v1';
+export async function repairCodexConfigEperm(rootInput = process.cwd(), opts = {}) {
+    const root = path.resolve(rootInput || process.cwd());
+    const reportPath = opts.reportPath || path.join(root, '.sneakoscope', 'reports', 'codex-config-eperm-repair.json');
+    const configPath = path.resolve(opts.configPath || path.join(root, '.codex', 'config.toml'));
+    const before = await inspectCodexConfigReadability(root, { ...opts, configPath, writeReport: false });
+    const policy = await splitCodexProjectConfigPolicy(root, { ...opts, configPath, apply: opts.fix === true, writeReport: false });
+    const repairActions = opts.fix === true ? await runScopedRepairs(configPath, before.blockers) : [];
+    const after = await inspectCodexConfigReadability(root, { ...opts, configPath, writeReport: false });
+    const blockers = [...new Set([...(policy.blockers || []), ...after.blockers])];
+    const report = {
+        schema: CODEX_CONFIG_EPERM_REPAIR_SCHEMA,
+        generated_at: nowIso(),
+        root,
+        config_path: configPath,
+        ok: after.ok && blockers.length === 0,
+        fix: opts.fix === true,
+        before,
+        policy,
+        repair_actions: repairActions,
+        after,
+        blockers,
+        operator_actions: after.operator_actions || []
+    };
+    if (opts.writeReport !== false)
+        await writeJsonAtomic(reportPath, { ...report, report_path: reportPath });
+    return report;
+}
+async function runScopedRepairs(configPath, blockers) {
+    const actions = [];
+    const has = (blocker) => blockers.includes(blocker);
+    if (has('EACCES') || has('EPERM') || has('parent_traverse_denied')) {
+        actions.push(await repairCommand('chmod_config_user_readwrite', 'chmod', ['u+rw', configPath]));
+        actions.push(await repairCommand('chmod_codex_dir_user_traverse', 'chmod', ['u+rwx', path.dirname(configPath)]));
+    }
+    if (process.platform === 'darwin' && has('quarantine')) {
+        actions.push(await repairCommand('remove_quarantine_xattr', 'xattr', ['-d', 'com.apple.quarantine', configPath], [0, 1]));
+    }
+    if (process.platform === 'darwin' && has('flags_locked')) {
+        actions.push(await repairCommand('remove_user_immutable_flag', 'chflags', ['nouchg', configPath], [0, 1]));
+    }
+    return actions;
+}
+async function repairCommand(name, command, args, allowExitCodes = [0]) {
+    const result = await runProcess(command, args, { timeoutMs: 5000, maxOutputBytes: 64 * 1024 });
+    return {
+        name,
+        command: [command, ...args],
+        ok: allowExitCodes.includes(Number(result.code)),
+        exit_code: result.code,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        timed_out: result.timedOut
+    };
+}
+//# sourceMappingURL=codex-config-eperm-repair.js.map

package/dist/core/codex/codex-config-readability.d.ts

@@ -0,0 +1,22 @@
+export declare const CODEX_CONFIG_READABILITY_SCHEMA = "sks.codex-config-readability.v1";
+export type CodexConfigCheck = {
+    name: string;
+    ok: boolean;
+    status?: string;
+    detail?: any;
+    error?: any;
+};
+export type CodexConfigReadabilityReport = {
+    schema: typeof CODEX_CONFIG_READABILITY_SCHEMA;
+    generated_at: string;
+    root: string;
+    config_dir: string;
+    config_path: string;
+    ok: boolean;
+    checks: CodexConfigCheck[];
+    blockers: string[];
+    operator_actions: string[];
+    report_path?: string;
+};
+export declare function inspectCodexConfigReadability(rootInput?: string, opts?: any): Promise<CodexConfigReadabilityReport>;
+//# sourceMappingURL=codex-config-readability.d.ts.map