sneakoscope 1.18.13 → 1.18.14

package/README.md

@@ -16,7 +16,7 @@ Set up this agent project with Sneakoscope Codex. Use [[mandarange/Sneakoscope-C
 
 ## Current Release
 
-SKS **1.18.13** is the Zellij-only interactive runtime release: actual Codex CLI config-load truth, fake Codex EPERM fixtures, doctor readiness matrix proof, `sks mad repair-config`, safer project-local config splitting, Codex 0.135 compatibility gates, and official Fast mode CLI override proof are wired into release checks. Doctor now refuses Ready yes without Codex config-load evidence, MAD blocks launch before unreadable config can crash Codex, and interactive MAD/lane UI requires Zellij with no removed-runtime fallback.
+SKS **1.18.14** is the Zellij-only interactive runtime release: actual Codex CLI config-load truth, fake Codex EPERM fixtures, doctor readiness matrix proof, `sks mad repair-config`, safer project-local config splitting, Codex 0.135 compatibility gates, and official Fast mode CLI override proof are wired into release checks. Doctor now refuses Ready yes without Codex config-load evidence, MAD blocks launch before unreadable config can crash Codex, and interactive MAD/lane UI requires Zellij with no removed-runtime fallback.
 
 ```bash
 sks mad-sks plan --target-root <path> --json
@@ -699,7 +699,7 @@ npm run release:check
 npm run publish:dry
 ```
 
-`release:check` runs the 1.18.13 Zellij-only closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Zellij layout/pane/screen proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, Codex 0.134/0.135 runner truth, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke, real Codex parallel worker proof, and real Zellij proof are optional unless their `SKS_REQUIRE_REAL_*` or `SKS_REQUIRE_ZELLIJ=1` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
+`release:check` runs the 1.18.14 Zellij-only closure DAG, writes a source digest stamp under `.sneakoscope/reports/`, then refreshes release readiness so publish commands can verify the same stamp. The DAG preserves the 1.18 baseline gates and adds patch swarm runtime truth, transaction journaling, serial conflict rebase, strict strategy-to-patch proof, rollback command proof, Native CLI Session Swarm 5/10/20-process proof, Real Worker Backend Router proof, Codex child overlap proof, model-authored patch-envelope separation, Zellij layout/pane/screen proof, no-subagent-scaling proof, Fast mode default/worker/Codex/MAD propagation proof, Appshots attachment provenance, MCP runtime overlap evidence, Codex 0.134/0.135 runner truth, task graph expansion, schema-bound follow-up work, actual Agent/Team/Research/QA route blackboxes, scheduler proof hardening, Source Intelligence propagation, and Goal mode propagation checks. Broader live gates remain explicit scripts such as `release:real-check`; real Codex patch smoke, real Codex parallel worker proof, and real Zellij proof are optional unless their `SKS_REQUIRE_REAL_*` or `SKS_REQUIRE_ZELLIJ=1` environment variables are set. Generate the human-readable registry with `sks features inventory --write-docs`. Plain `npm publish` uses the `latest` dist-tag. npm's `prepublishOnly` verifies the fresh release stamp instead of rerunning the full gate, and `prepack` only rebuilds `dist`; publish no longer repeats the expensive release suite during packaging. `npm run publish:dry` remains the explicit dry-run helper.
 
 Version bumps are manual. Run `sks versioning bump` only when preparing release metadata; SKS will not create `.git/hooks/pre-commit` or auto-bump during ordinary commits.
 

package/crates/sks-core/Cargo.lock

@@ -76,7 +76,7 @@ dependencies = [
 
 [[package]]
 name = "sks-core"
-version = "1.18.13"
+version = "1.18.14"
 dependencies = [
  "serde_json",
 ]

package/crates/sks-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sks-core"
-version = "1.18.13"
+version = "1.18.14"
 edition = "2021"
 
 [dependencies]

package/crates/sks-core/src/main.rs

@@ -4,7 +4,7 @@ use std::io::{self, Read, Seek, SeekFrom};
 fn main() {
     let mut args = std::env::args().skip(1);
     match args.next().as_deref() {
-        Some("--version") => println!("sks-rs 1.18.13"),
+        Some("--version") => println!("sks-rs 1.18.14"),
         Some("compact-info") => {
             let mut input = String::new();
             let _ = io::stdin().read_to_string(&mut input);

package/dist/.sks-build-stamp.json

@@ -1,8 +1,8 @@
 {
   "schema": "sks.dist-build-stamp.v1",
   "package_name": "sneakoscope",
-  "package_version": "1.18.13",
-  "source_digest": "6474b08fceec48bfd4915e09945f17e3ac1ccb4c9e01918d6a533f1a3d6bb30e",
-  "source_file_count": 1677,
-  "built_at_source_time": 1780041475580
+  "package_version": "1.18.14",
+  "source_digest": "b13a96880fa5b57ba4b3649ac5bedbcca941d871f92f9a4bf396ab20fd9c8b4b",
+  "source_file_count": 1679,
+  "built_at_source_time": 1780051095178
 }

package/dist/bin/sks.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const FAST_PACKAGE_VERSION = '1.18.13';
+const FAST_PACKAGE_VERSION = '1.18.14';
 const args = process.argv.slice(2);
 try {
     if (args[0] === '--agent' && args[1] === 'worker') {

package/dist/build-manifest.json

@@ -1,16 +1,16 @@
 {
   "schema": "sks.dist-build.v2",
-  "version": "1.18.13",
-  "package_version": "1.18.13",
+  "version": "1.18.14",
+  "package_version": "1.18.14",
   "typescript": true,
-  "mjs_runtime_files": 0,
+  "mjs_runtime_files": 1,
   "compiled_file_count": 972,
   "compiled_js_count": 486,
   "compiled_dts_count": 486,
-  "source_digest": "6474b08fceec48bfd4915e09945f17e3ac1ccb4c9e01918d6a533f1a3d6bb30e",
-  "source_file_count": 1677,
-  "source_files_hash": "fb8f5ab51d8a8c9809fa26ee6688932a083f83741916a19c2b331dad0d4b69e7",
-  "source_list_hash": "fb8f5ab51d8a8c9809fa26ee6688932a083f83741916a19c2b331dad0d4b69e7",
+  "source_digest": "b13a96880fa5b57ba4b3649ac5bedbcca941d871f92f9a4bf396ab20fd9c8b4b",
+  "source_file_count": 1679,
+  "source_files_hash": "737317372a19030a70f432942ce650900c05270a2a1d1c49281d135a1b15e66c",
+  "source_list_hash": "737317372a19030a70f432942ce650900c05270a2a1d1c49281d135a1b15e66c",
   "src_mjs_runtime_files": 0,
   "dist_stamp_schema": "sks.dist-build-stamp.v1",
   "files": [
@@ -985,6 +985,7 @@
     "core/zellij/zellij-pane-proof.js",
     "core/zellij/zellij-screen-proof.d.ts",
     "core/zellij/zellij-screen-proof.js",
+    "scripts/codex-config-load-probe.mjs",
     "scripts/release-parallel-check.d.ts",
     "scripts/release-parallel-check.js",
     "vendor/openai-codex/latest/hooks/permission-request.command.input.schema.json",

package/dist/commands/mad-sks.d.ts

@@ -113,6 +113,7 @@ export declare function run(_command: any, args?: any): Promise<void | {
             };
             blockers: string[];
         };
+        structure_repairs: any[];
         repair_actions: any[];
         after: import("../core/codex/codex-config-readability.js").CodexConfigReadabilityReport;
         tcc_risk: boolean;

package/dist/core/codex/codex-config-eperm-repair.d.ts

@@ -49,6 +49,7 @@ export declare function repairCodexConfigEperm(rootInput?: string, opts?: any):
         };
         blockers: string[];
     };
+    structure_repairs: any[];
     repair_actions: any[];
     after: import("./codex-config-readability.js").CodexConfigReadabilityReport;
     tcc_risk: boolean;

package/dist/core/codex/codex-config-eperm-repair.js

@@ -1,15 +1,29 @@
 import fsp from 'node:fs/promises';
+import os from 'node:os';
 import path from 'node:path';
 import { nowIso, readText, runProcess, writeJsonAtomic, writeTextAtomic } from '../fsx.js';
 import { inspectCodexConfigReadability } from './codex-config-readability.js';
-import { splitCodexProjectConfigPolicy } from './codex-project-config-policy.js';
+import { repairCodexConfigStructure, splitCodexProjectConfigPolicy } from './codex-project-config-policy.js';
 export const CODEX_CONFIG_EPERM_REPAIR_SCHEMA = 'sks.codex-config-eperm-repair.v1';
 export async function repairCodexConfigEperm(rootInput = process.cwd(), opts = {}) {
     const root = path.resolve(rootInput || process.cwd());
     const reportPath = opts.reportPath || path.join(root, '.sneakoscope', 'reports', 'codex-config-eperm-repair.json');
     const configPath = path.resolve(opts.configPath || path.join(root, '.codex', 'config.toml'));
+    const codexHome = path.resolve(opts.codexHome || process.env.CODEX_HOME || path.join(process.env.HOME || os.homedir(), '.codex'));
+    const codexHomeConfigPath = path.join(codexHome, 'config.toml');
     const before = await inspectCodexConfigReadability(root, { ...opts, configPath, writeReport: false });
-    const policy = await splitCodexProjectConfigPolicy(root, { ...opts, configPath, apply: opts.fix === true, writeReport: false });
+    // Structural recovery FIRST: hoist machine-local keys that a prior buggy move
+    // absorbed into a table back to the root, on both the project config and the
+    // global CODEX_HOME config (the file Codex actually loads). Runs before the
+    // splitter so recovered keys can then be migrated cleanly.
+    const structureRepairs = [];
+    if (opts.fix === true) {
+        structureRepairs.push({ scope: 'project', ...(await repairCodexConfigStructure(configPath, { apply: true })) });
+        if (path.resolve(codexHomeConfigPath) !== path.resolve(configPath)) {
+            structureRepairs.push({ scope: 'codex_home', ...(await repairCodexConfigStructure(codexHomeConfigPath, { apply: true })) });
+        }
+    }
+    const policy = await splitCodexProjectConfigPolicy(root, { ...opts, configPath, codexHome, apply: opts.fix === true, writeReport: false });
     const repairActions = opts.fix === true ? await runScopedRepairs(configPath, before.blockers) : [];
     const after = await inspectCodexConfigReadability(root, { ...opts, configPath, writeReport: false });
     const blockers = [...new Set([...(policy.blockers || []), ...after.blockers])];
@@ -25,6 +39,7 @@ export async function repairCodexConfigEperm(rootInput = process.cwd(), opts = {
         fix: opts.fix === true,
         before,
         policy,
+        structure_repairs: structureRepairs,
         repair_actions: repairActions,
         after,
         tcc_risk: tccRisk(root),
@@ -32,6 +47,9 @@ export async function repairCodexConfigEperm(rootInput = process.cwd(), opts = {
         blockers,
         operator_actions: [
             ...(after.operator_actions || []),
+            ...structureRepairs
+                .filter((repair) => repair.applied && repair.hoisted_keys?.length)
+                .map((repair) => `Recovered misplaced machine-local keys (${repair.hoisted_keys.join(', ')}) back to the top of ${repair.scope === 'codex_home' ? 'CODEX_HOME' : 'project'} config; backup at ${repair.backup_path}.`),
             ...(tccProbable ? ['macOS probable TCC block: grant Full Disk Access and Files and Folders permissions to Warp/Terminal/iTerm, Codex app, and the Codex CLI launch context, then rerun `sks mad repair-config --apply`.'] : [])
         ]
     };

package/dist/core/codex/codex-config-readability.js

@@ -175,6 +175,8 @@ function operatorActions(blockers) {
     const actions = new Set();
     if (blockers.some((item) => /^missing_/.test(item)))
         actions.add('Run `sks doctor --fix` to regenerate the managed Codex project config, then rerun the preflight.');
+    if (blockers.includes('codex_cli_config_toml_parse_error'))
+        actions.add('Run `sks doctor --fix` (or `sks mad repair-config --apply`) to hoist misplaced machine-local keys back to the top of the Codex config and restore a loadable config.toml.');
     if (blockers.includes('codex_cli_config_eperm'))
         actions.add('Run `sks mad repair-config --apply`; if it still fails on macOS, grant Full Disk Access/Files and Folders access to the launching terminal, Warp, iTerm, Terminal, Codex app, or Codex CLI context.');
     if (blockers.includes('EPERM') || blockers.includes('tcc_possible'))
@@ -194,6 +196,24 @@ function operatorActions(blockers) {
 function errorDetail(err) {
     return { name: err?.name || 'Error', code: err?.code || '', message: err?.message || String(err) };
 }
+function resolveCodexConfigLoadProbe() {
+    // Prefer the packaged copy under dist/scripts (shipped via the `dist` files
+    // allowlist); fall back to the repo-root scripts/ copy for local development.
+    const candidates = [
+        path.join(packageRoot(), 'dist', 'scripts', 'codex-config-load-probe.mjs'),
+        path.join(packageRoot(), 'scripts', 'codex-config-load-probe.mjs')
+    ];
+    for (const candidate of candidates) {
+        try {
+            if (fs.existsSync(candidate))
+                return candidate;
+        }
+        catch {
+            // ignore and try the next candidate
+        }
+    }
+    return null;
+}
 async function codexCliConfigLoadCheck(root, configPath, opts = {}) {
     if (!opts.codexProbe && !opts.actualCodex && !opts.codexBin) {
         return {
@@ -203,7 +223,17 @@ async function codexCliConfigLoadCheck(root, configPath, opts = {}) {
             detail: { integration_optional: true, blockers: [] }
         };
     }
-    const script = path.join(packageRoot(), 'scripts', 'codex-config-load-probe.mjs');
+    const script = resolveCodexConfigLoadProbe();
+    if (!script) {
+        // The probe ships in dist/scripts; if it is genuinely absent (packaging gap),
+        // do not block MAD preflight on an unverifiable check — degrade gracefully.
+        return {
+            name: 'actual_codex_cli_config_load',
+            ok: true,
+            status: 'integration_optional_probe_missing',
+            detail: { integration_optional: true, blockers: [] }
+        };
+    }
     const args = [script, '--root', root, '--config', configPath, '--json'];
     if (opts.actualCodex !== false)
         args.push('--actual-codex');

package/dist/core/codex/codex-project-config-policy.d.ts

@@ -41,4 +41,27 @@ export declare function splitCodexProjectConfigPolicy(rootInput?: string, opts?:
     };
     blockers: string[];
 }>;
+export declare function repairCodexConfigStructure(configPathInput: string, opts?: any): Promise<{
+    config_path: string;
+    ok: boolean;
+    status: string;
+    changed: boolean;
+    applied: boolean;
+    hoisted_keys: never[];
+    backup_path: null;
+    parse_smoke?: never;
+} | {
+    config_path: string;
+    ok: boolean;
+    status: string;
+    changed: boolean;
+    applied: boolean;
+    hoisted_keys: string[];
+    backup_path: string | null;
+    parse_smoke: {
+        ok: boolean;
+        unterminated_multiline_string: boolean;
+        invalid_table_header: string | null;
+    };
+}>;
 //# sourceMappingURL=codex-project-config-policy.d.ts.map

package/dist/core/codex/codex-project-config-policy.js

@@ -32,6 +32,30 @@ export async function splitCodexProjectConfigPolicy(rootInput = process.cwd(), o
     const configPath = path.resolve(opts.configPath || path.join(root, '.codex', 'config.toml'));
     const codexHome = path.resolve(opts.codexHome || process.env.CODEX_HOME || path.join(process.env.HOME || os.homedir(), '.codex'));
     const reportPath = opts.reportPath || path.join(root, '.sneakoscope', 'reports', 'codex-project-config-policy.json');
+    const codexHomeConfigPath = path.join(codexHome, 'config.toml');
+    // Guard: never split the global Codex home config against itself. When `sks`
+    // runs from (or near) the home directory the project config can resolve to the
+    // same file as the move target. Splitting it would strip machine-local keys and
+    // re-append them, corrupting the file. Treat this as a no-op.
+    if (await isSameFile(configPath, codexHomeConfigPath)) {
+        const report = {
+            schema: CODEX_PROJECT_CONFIG_POLICY_SCHEMA,
+            generated_at: nowIso(),
+            root,
+            config_path: configPath,
+            codex_home: codexHome,
+            ok: true,
+            status: 'project_config_is_codex_home_noop',
+            changed: false,
+            moved_keys: [],
+            moved_tables: [],
+            actions: [],
+            blockers: []
+        };
+        if (opts.writeReport !== false)
+            await writeJsonAtomic(reportPath, { ...report, report_path: reportPath });
+        return report;
+    }
     const original = await readText(configPath, null);
     if (original === null) {
         const report = {
@@ -70,16 +94,12 @@ export async function splitCodexProjectConfigPolicy(rootInput = process.cwd(), o
     }
     if (opts.apply && split.machine_text.trim()) {
         await ensureDir(codexHome);
-        userConfigPath = path.join(codexHome, 'config.toml');
+        userConfigPath = codexHomeConfigPath;
         const currentUser = await readText(userConfigPath, '');
         const dedupedUser = removeConfigIds(String(currentUser || ''), configIds(split.machine_text));
-        const movedBlock = [
-            '',
-            `# SKS moved machine-local Codex config from ${path.relative(root, configPath) || configPath} at ${nowIso()}`,
-            split.machine_text.trim(),
-            ''
-        ].join('\n');
-        await writeTextAtomic(userConfigPath, `${dedupedUser.replace(/\s+$/, '')}${movedBlock}`.replace(/^\n+/, ''));
+        const commentLine = `# SKS moved machine-local Codex config from ${path.relative(root, configPath) || configPath} at ${nowIso()}`;
+        const mergedUser = mergeMachineLocalIntoUserConfig(dedupedUser, split.machine_text.trim(), commentLine);
+        await writeTextAtomic(userConfigPath, mergedUser);
         actions.push('machine_local_keys_moved_to_codex_home_config');
     }
     if (profileName)
@@ -113,6 +133,116 @@ export async function splitCodexProjectConfigPolicy(rootInput = process.cwd(), o
         await writeJsonAtomic(reportPath, { ...report, report_path: reportPath });
     return report;
 }
+// Recovery pass for already-corrupted configs. The pre-fix mover appended
+// machine-local top-level keys after the last [table], so TOML absorbed them
+// into that table (e.g. `notify`/`model_provider` landing inside
+// `[mcp_servers.*.env]`, which Codex rejects with
+// `invalid type: sequence, expected a string`). The splitter cannot recover this
+// because it now sees those lines as table members, not top-level keys. This pass
+// hoists them back above the first table so Codex can load the config again.
+export async function repairCodexConfigStructure(configPathInput, opts = {}) {
+    const configPath = path.resolve(configPathInput);
+    const original = await readText(configPath, null);
+    if (original === null) {
+        return { config_path: configPath, ok: true, status: 'config_missing', changed: false, applied: false, hoisted_keys: [], backup_path: null };
+    }
+    const hoist = hoistMisplacedMachineLocalKeys(String(original));
+    let backupPath = null;
+    if (opts.apply && hoist.changed) {
+        backupPath = `${configPath}.struct-bak-${Date.now().toString(36)}`;
+        await ensureDir(path.dirname(configPath));
+        await fsp.copyFile(configPath, backupPath);
+        await writeTextAtomic(configPath, hoist.text);
+    }
+    const parseSmoke = tomlRewriteSmoke(hoist.text);
+    return {
+        config_path: configPath,
+        ok: parseSmoke.ok,
+        status: hoist.changed ? (opts.apply ? 'structure_repaired' : 'structure_repair_available') : 'structure_ok',
+        changed: hoist.changed,
+        applied: opts.apply === true && hoist.changed,
+        hoisted_keys: hoist.hoisted_keys,
+        backup_path: backupPath,
+        parse_smoke: parseSmoke
+    };
+}
+function hoistMisplacedMachineLocalKeys(text) {
+    const blocks = tomlBlocks(text);
+    const preamble = [];
+    const tables = [];
+    const hoisted = [];
+    const hoistedKeys = [];
+    for (const block of blocks) {
+        if (!block.table) {
+            preamble.push(block.text);
+            continue;
+        }
+        const lines = block.text.split('\n');
+        const header = lines[0];
+        // `mcp_servers.*` / `*.env` tables never legitimately contain machine-local
+        // Codex root keys; treat keys found there (or anything after an absorbed
+        // SKS-moved comment) as misplaced.
+        const corruptionProne = /^mcp_servers(\.|$)/.test(block.table) || /\.env$/.test(block.table) || block.table === 'env';
+        const kept = [header];
+        let sawMovedComment = false;
+        let i = 1;
+        while (i < lines.length) {
+            const line = lines[i];
+            if (/^\s*#\s*SKS moved machine-local Codex config/i.test(line)) {
+                sawMovedComment = true;
+                i += 1;
+                continue;
+            }
+            const key = topLevelKey(line);
+            const isMachineKey = Boolean(key) && MACHINE_LOCAL_TOP_LEVEL_KEYS.has(key);
+            if (isMachineKey && (corruptionProne || sawMovedComment)) {
+                const span = captureAssignmentSpan(lines, i);
+                for (const spanned of span.lines)
+                    hoisted.push(spanned);
+                hoistedKeys.push(key);
+                i = span.next;
+                continue;
+            }
+            kept.push(line);
+            i += 1;
+        }
+        tables.push(kept.join('\n'));
+    }
+    if (!hoisted.length)
+        return { changed: false, text, hoisted_keys: [] };
+    const head = [preamble.join('\n').trim(), hoisted.join('\n').trim()].filter(Boolean).join('\n');
+    const sections = [head, ...tables.map((table) => table.trim())].filter(Boolean);
+    return { changed: true, text: normalizeProjectText(sections.join('\n\n')), hoisted_keys: [...new Set(hoistedKeys)] };
+}
+// Capture a TOML assignment that may span multiple lines (multiline arrays
+// `[ ... ]` or triple-quoted strings) so hoisting never splits a value.
+function captureAssignmentSpan(lines, start) {
+    const first = lines[start] ?? '';
+    const collected = [first];
+    let next = start + 1;
+    let triple = updateMultilineState(first, null);
+    let bracketDepth = bracketDelta(first);
+    while ((triple || bracketDepth > 0) && next < lines.length) {
+        const line = lines[next] ?? '';
+        collected.push(line);
+        triple = updateMultilineState(line, triple);
+        bracketDepth += bracketDelta(line);
+        next += 1;
+    }
+    return { lines: collected, next };
+}
+function bracketDelta(line) {
+    const noComment = stripCommentOutsideQuotes(String(line));
+    const noStrings = noComment.replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, '');
+    let delta = 0;
+    for (const ch of noStrings) {
+        if (ch === '[')
+            delta += 1;
+        else if (ch === ']')
+            delta -= 1;
+    }
+    return delta;
+}
 function splitProjectToml(text) {
     const blocks = tomlBlocks(text);
     const kept = [];
@@ -269,6 +399,59 @@ function configIds(text) {
     }
     return ids;
 }
+async function isSameFile(a, b) {
+    const ra = path.resolve(a);
+    const rb = path.resolve(b);
+    if (ra === rb)
+        return true;
+    try {
+        const [realA, realB] = await Promise.all([fsp.realpath(ra), fsp.realpath(rb)]);
+        return realA === realB;
+    }
+    catch {
+        return false;
+    }
+}
+// Merge machine-local Codex config into the user (CODEX_HOME) config while
+// preserving TOML structure: bare top-level keys must appear before any
+// `[table]` header, otherwise they are parsed as members of the preceding
+// table. Appending moved keys blindly at end-of-file corrupted configs
+// (e.g. `notify`/`model_provider` landing inside `[mcp_servers.*.env]`).
+function mergeMachineLocalIntoUserConfig(userText, machineText, commentLine) {
+    const preamble = [];
+    const tables = [];
+    collectTomlSections(userText, preamble, tables);
+    const movedPreamble = [];
+    const movedTables = [];
+    collectTomlSections(machineText, movedPreamble, movedTables);
+    const head = [];
+    const existingHead = preamble.join('\n').trim();
+    if (existingHead)
+        head.push(existingHead);
+    const movedHead = movedPreamble.join('\n').trim();
+    if (commentLine && (movedHead || movedTables.length))
+        head.push(commentLine);
+    if (movedHead)
+        head.push(movedHead);
+    const sections = [];
+    const headText = head.join('\n').trim();
+    if (headText)
+        sections.push(headText);
+    for (const table of [...tables, ...movedTables]) {
+        const trimmed = table.trim();
+        if (trimmed)
+            sections.push(trimmed);
+    }
+    return normalizeProjectText(sections.join('\n\n'));
+}
+function collectTomlSections(text, preamble, tables) {
+    for (const block of tomlBlocks(text)) {
+        if (block.table)
+            tables.push(block.text);
+        else
+            preamble.push(block.text);
+    }
+}
 function removeConfigIds(text, ids) {
     const kept = [];
     for (const block of tomlBlocks(text)) {

package/dist/core/commands/mad-sks-command.d.ts

@@ -113,6 +113,7 @@ export declare function madHighCommand(args?: any, deps?: any): Promise<void | {
             };
             blockers: string[];
         };
+        structure_repairs: any[];
         repair_actions: any[];
         after: import("../codex/codex-config-readability.js").CodexConfigReadabilityReport;
         tcc_risk: boolean;

package/dist/core/fsx.d.ts

@@ -1,4 +1,4 @@
-export declare const PACKAGE_VERSION = "1.18.13";
+export declare const PACKAGE_VERSION = "1.18.14";
 export declare const DEFAULT_PROCESS_TAIL_BYTES: number;
 export declare const DEFAULT_PROCESS_TIMEOUT_MS: number;
 export interface RunProcessOptions {

package/dist/core/fsx.js

@@ -5,7 +5,7 @@ import os from 'node:os';
 import crypto from 'node:crypto';
 import { spawn } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
-export const PACKAGE_VERSION = '1.18.13';
+export const PACKAGE_VERSION = '1.18.14';
 export const DEFAULT_PROCESS_TAIL_BYTES = 256 * 1024;
 export const DEFAULT_PROCESS_TIMEOUT_MS = 30 * 60 * 1000;
 export function nowIso() {

package/dist/core/preflight/parallel-preflight-engine.d.ts

@@ -87,6 +87,7 @@ export declare function runCodexLaunchPreflight(rootInput?: string, opts?: any):
             };
             blockers: string[];
         };
+        structure_repairs: any[];
         repair_actions: any[];
         after: import("../codex/codex-config-readability.js").CodexConfigReadabilityReport;
         tcc_risk: boolean;

package/dist/core/version.d.ts

@@ -1,2 +1,2 @@
-export declare const PACKAGE_VERSION = "1.18.13";
+export declare const PACKAGE_VERSION = "1.18.14";
 //# sourceMappingURL=version.d.ts.map

package/dist/core/version.js

@@ -1,2 +1,2 @@
-export const PACKAGE_VERSION = '1.18.13';
+export const PACKAGE_VERSION = '1.18.14';
 //# sourceMappingURL=version.js.map

package/dist/scripts/codex-config-load-probe.mjs

@@ -0,0 +1,245 @@
+#!/usr/bin/env node
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { spawnSync } from 'node:child_process';
+
+const args = process.argv.slice(2);
+const root = path.resolve(readOption('--root', process.cwd()));
+const configPath = path.resolve(readOption('--config', path.join(root, '.codex', 'config.toml')));
+const json = args.includes('--json');
+const actualRequested = args.includes('--actual-codex')
+  || process.env.SKS_TEST_REAL_CODEX_CONFIG_LOAD === '1'
+  || Boolean(readOption('--codex-bin', ''));
+const actualRequired = args.includes('--require-actual-codex')
+  || process.env.SKS_REQUIRE_REAL_CODEX_CONFIG_LOAD === '1';
+const codexBin = readOption('--codex-bin', process.env.SKS_CODEX_CONFIG_PROBE_BIN || 'codex');
+const outputLastMessage = path.resolve(readOption(
+  '--output-last-message',
+  path.join(root, '.sneakoscope', 'reports', 'codex-config-load-probe-output.json')
+));
+
+const report = {
+  schema: 'sks.codex-config-load-probe.v2',
+  generated_at: new Date().toISOString(),
+  root,
+  config_path: configPath,
+  ok: false,
+  checks: [],
+  blockers: [],
+  warnings: [],
+  integration_optional: !actualRequired,
+  actual_codex_requested: actualRequested,
+  actual_codex_required: actualRequired
+};
+
+await check('node_read', async () => {
+  const text = await fs.readFile(configPath, 'utf8');
+  return { bytes: Buffer.byteLength(text) };
+});
+
+const child = spawnSync(process.execPath, ['-e', 'require("fs").readFileSync(process.argv[1], "utf8")', configPath], {
+  cwd: root,
+  encoding: 'utf8'
+});
+pushCheck({
+  name: 'spawned_node_child_read',
+  ok: child.status === 0,
+  exit_code: child.status,
+  stdout_tail: tail(child.stdout),
+  stderr_tail: tail(child.stderr),
+  signals: classifyText(`${child.stderr}\n${child.stdout}`)
+});
+
+if (actualRequested) {
+  await fs.mkdir(path.dirname(outputLastMessage), { recursive: true }).catch(() => {});
+  await fs.rm(outputLastMessage, { force: true }).catch(() => {});
+  const codexArgs = [
+    'exec',
+    '--skip-git-repo-check',
+    '--sandbox',
+    'read-only',
+    '--ignore-rules',
+    '--output-last-message',
+    outputLastMessage,
+    'Reply exactly SKS_CONFIG_LOAD_PROBE_OK.'
+  ];
+  const command = commandForCodex(codexBin, codexArgs);
+  const result = spawnSync(command.command, command.args, {
+    cwd: root,
+    env: probeEnv(process.env),
+    encoding: 'utf8',
+    timeout: Number(process.env.SKS_CODEX_CONFIG_LOAD_TIMEOUT_MS || 20000),
+    maxBuffer: 1024 * 1024
+  });
+  const outputLastText = await readTextIfExists(outputLastMessage);
+  const observedText = `${result.stderr || ''}\n${result.stdout || ''}\n${outputLastText || ''}`;
+  const probeOkObserved = /SKS_CONFIG_LOAD_PROBE_OK/.test(observedText);
+  const signals = classifyText(observedText, { configLoaded: probeOkObserved });
+  const configFailure = signals.blockers.length > 0;
+  const unavailable = result.error?.code === 'ENOENT';
+  const timeoutAfterProbeOk = result.error?.code === 'ETIMEDOUT' && probeOkObserved;
+  const executionError = Boolean(result.error) && !timeoutAfterProbeOk;
+  const nonConfigFailure = (result.status !== 0 || executionError) && !configFailure && !unavailable;
+  const passed = (result.status === 0 && !executionError) || (probeOkObserved && !configFailure);
+  pushCheck({
+    name: 'actual_codex_cli_config_load',
+    ok: passed,
+    status: passed
+      ? timeoutAfterProbeOk
+        ? 'passed_after_probe_ok_timeout'
+        : 'passed'
+      : unavailable
+        ? 'integration_optional_unavailable'
+        : configFailure
+          ? 'failed_config_load'
+          : 'non_config_failure_after_config_load',
+    integration_optional: !actualRequired && (unavailable || nonConfigFailure),
+    exit_code: result.status,
+    signal: result.signal,
+    error: result.error ? { code: result.error.code, message: result.error.message } : null,
+    command: {
+      executable: redact(codexBin),
+      args: codexArgs.map(redact)
+    },
+    env_keys: Object.keys(probeEnv(process.env)).sort(),
+    stdout_tail: tail(result.stdout),
+    stderr_tail: tail(result.stderr),
+    output_last_message: outputLastMessage,
+    output_last_message_tail: tail(outputLastText),
+    probe_ok_observed: probeOkObserved,
+    signals
+  });
+} else {
+  pushCheck({
+    name: 'actual_codex_cli_config_load',
+    ok: true,
+    status: 'integration_optional_not_requested',
+    integration_optional: true,
+    command: { executable: redact(codexBin), args: [] },
+    signals: { blockers: [], flags: {} }
+  });
+}
+
+report.ok = report.checks.every((check) => {
+  if (check.ok) return true;
+  return check.integration_optional === true && !actualRequired;
+}) && report.blockers.length === 0;
+
+if (json) console.log(JSON.stringify(report, null, 2));
+else {
+  console.log(report.ok
+    ? `Codex config load probe ok: ${configPath}`
+    : `Codex config load probe failed: ${report.blockers.join(', ')}`);
+}
+if (!report.ok) process.exitCode = 1;
+
+async function check(name, fn) {
+  try {
+    pushCheck({ name, ok: true, detail: await fn(), signals: { blockers: [], flags: {} } });
+  } catch (err) {
+    const signals = classifyText(`${err?.code || ''}\n${err?.message || String(err)}`);
+    pushCheck({
+      name,
+      ok: false,
+      error: { code: err?.code || '', message: err?.message || String(err) },
+      signals
+    });
+  }
+}
+
+function pushCheck(check) {
+  report.checks.push(check);
+  for (const warning of check.signals?.warnings || []) {
+    if (!report.warnings.includes(warning)) report.warnings.push(warning);
+  }
+  if (check.ok) return;
+  for (const blocker of check.signals?.blockers || classifyText(`${check.stderr_tail || ''}\n${check.error?.message || ''}`).blockers) {
+    if (!report.blockers.includes(blocker)) report.blockers.push(blocker);
+  }
+  if (!check.integration_optional && check.name === 'actual_codex_cli_config_load' && !check.signals?.blockers?.length) {
+    if (!report.blockers.includes('codex_cli_config_load_unverified')) report.blockers.push('codex_cli_config_load_unverified');
+  }
+}
+
+function classifyText(textInput, opts = {}) {
+  const text = String(textInput || '');
+  const flags = {
+    error_loading_config_toml: /Error loading config\.toml/i.test(text),
+    operation_not_permitted: /Operation not permitted|os error 1|EPERM/i.test(text),
+    permission_denied: /Permission denied|EACCES/i.test(text),
+    toml_parse: /TOML parse|toml.*parse|parse.*toml|invalid.*toml|duplicate key/i.test(text),
+    // serde/toml deserialize failures from a structurally-broken config, e.g.
+    // `invalid type: sequence, expected a string` when `notify` was absorbed into
+    // an env table. These carry no literal "toml" token so the patterns above miss them.
+    toml_type_error: /invalid type:|invalid value:|expected (a |an )?(string|sequence|array|table|map|integer|boolean|float)|missing field|unknown field|unknown variant/i.test(text),
+    untrusted_project: /untrusted project/i.test(text),
+    ignored_project_local_config_key: /ignored project-local config key|ignored.*project.*config/i.test(text)
+  };
+  const blockers = [];
+  const warnings = [];
+  if (flags.operation_not_permitted || (flags.error_loading_config_toml && /os error 1/i.test(text))) blockers.push('codex_cli_config_eperm');
+  else if (flags.permission_denied) blockers.push('codex_cli_config_permission_denied');
+  // A config-load failure that is not a permission problem is a parse/structure error.
+  const tomlLoadFailure = flags.toml_parse
+    || (!opts.configLoaded && flags.toml_type_error)
+    || (!opts.configLoaded && flags.error_loading_config_toml && !flags.operation_not_permitted && !flags.permission_denied);
+  if (tomlLoadFailure) blockers.push('codex_cli_config_toml_parse_error');
+  if (flags.untrusted_project) blockers.push('codex_cli_untrusted_project');
+  if (flags.ignored_project_local_config_key) {
+    if (opts.configLoaded) warnings.push('codex_cli_ignored_project_local_config_key');
+    else blockers.push('codex_cli_ignored_project_local_config_key');
+  }
+  return { blockers: [...new Set(blockers)], warnings: [...new Set(warnings)], flags };
+}
+
+function commandForCodex(bin, codexArgs) {
+  if (/\.mjs$/i.test(String(bin))) return { command: process.execPath, args: [bin, ...codexArgs] };
+  return { command: bin, args: codexArgs };
+}
+
+function probeEnv(env) {
+  const keys = [
+    'CODEX_HOME',
+    'SKS_FAST_MODE',
+    'SKS_SERVICE_TIER',
+    'PATH',
+    'HOME',
+    'WARP_SESSION_ID',
+    'TMUX'
+  ];
+  const out = {};
+  for (const key of keys) {
+    if (env[key] !== undefined) out[key] = env[key];
+  }
+  for (const [key, value] of Object.entries(env)) {
+    if (/^(CODEX_LB|SKS_CODEX_LB)_/.test(key)) out[key] = value;
+    if (/^SKS_FAKE_CODEX_CONFIG_/.test(key)) out[key] = value;
+  }
+  return out;
+}
+
+function redact(value) {
+  return String(value || '')
+    .replace(/sk-[A-Za-z0-9_-]{8,}/g, '[REDACTED_OPENAI_KEY]')
+    .replace(/github_pat_[A-Za-z0-9_]+/g, '[REDACTED_GITHUB_PAT]')
+    .replace(/(CODEX_LB_API_KEY=)[^\s]+/g, '$1[REDACTED]')
+    .replace(/(OPENAI_API_KEY=)[^\s]+/g, '$1[REDACTED]');
+}
+
+function tail(value, limit = 4000) {
+  const text = redact(String(value || ''));
+  return text.length <= limit ? text : text.slice(-limit);
+}
+
+async function readTextIfExists(file) {
+  try {
+    return await fs.readFile(file, 'utf8');
+  } catch {
+    return '';
+  }
+}
+
+function readOption(name, fallback) {
+  const index = args.indexOf(name);
+  return index >= 0 && args[index + 1] ? args[index + 1] : fallback;
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sneakoscope",
   "displayName": "ㅅㅋㅅ",
-  "version": "1.18.13",
+  "version": "1.18.14",
   "description": "Sneakoscope Codex: fast proof-first Codex trust layer with image-based Voxel TriWiki.",
   "type": "module",
   "homepage": "https://github.com/mandarange/Sneakoscope-Codex#readme",