chore: codex

Author: towry

conf/llm/docs/coding-rules.md

@@ -26,7 +26,8 @@
 - **Reuse:** Prefer existing utilities/components via explicit interfaces—do not break abstraction boundaries.
 - **Precedent:** Follow prior implementations for new features unless told otherwise.
 - **Structured Plan:** For each step, specify target files and exact required changes.
-- **Boundaries:** Keep business logic isolated from UI. Place demo/mock code at the top layer. Don't modify production code just for debugging.
+- **Boundaries:** Keep business logic isolated from UI. Place demo/mock code at the top layer. Don't modify production code just for debugging. 
+- **Separation of concerns:** Bad: Use other layer's implement details in current layer that current layer should not know or care about. Good: current layer use it's own knowledge based implement details, dependant layers can depends on that to derive implement details.
 - **Abstraction:** Only use explicitly exposed abstractions from the immediate downstream layer—avoid private APIs, even for reuse.
 - **Fail Fast:** Let bugs surface; do not mask errors with `try-catch` or optional chaining.
 - **Comment Intent:** Use `FIXME`, `TODO`, and `NOTE` to flag issues, explain logic, document changes, and note trade-offs.
@@ -35,6 +36,7 @@
 - **Avoid introduce implement complexity:** No backward compatibility layers, feature flags, or toggles unless explicitly requested.
 - **No external data based design:** Avoid designs relying on external data, for example, use external api data to determine program logic or control flow, it will broke when external data changes.
 - **Avoid outdated dependency:** Use the latest stable version of dependencies unless there is a specific reason to use an older version. This is important to avoid big refactor later.
+- **No Weak Test:**: Disallow tests that are meaningless to implemented code, or that do not effectively validate the intended functionality. Bad: Test to verify "id should not start with number", the test simply construct a string without number and assert with that, does not involve any implemented code.
 
 When editing code: (1) state your assumptions, (2) create/run minimal tests if possible, (3) generate diffs ready for review, (4) follow repository style.
 

nix/hm/ai/codex/default.nix

@@ -6,7 +6,11 @@
 }:
 let
   proxyConfig = import ../../../lib/proxy.nix { inherit lib pkgs; };
+  mcp = import ../../../modules/ai/mcp.nix { inherit pkgs lib config; };
   codex_home = "${config.xdg.configHome}/codex";
+  codexMcpToml = builtins.readFile (
+    (pkgs.formats.toml { }).generate "codex-mcp.toml" { mcp_servers = mcp.clients.codex; }
+  );
   # codex_config_file = "${codex_home}/config.toml";
   # like commands in other agents
   # prompts_dir = "${codex_home}/prompts";
@@ -30,15 +34,34 @@ in
       source = ./instructions;
       recursive = true;
     };
+    "codex/skills" = {
+      source = ../../../../conf/claude-local-marketplace/skills;
+      recursive = true;
+    };
     # toml
-    "codex/config.toml".text = ''
-      model = "gpt-5"
-      model_provider = "litellm"
+    "codex/config-generated.toml".text = ''
+      model = "gpt-5.2-medium"
+      model_provider = "packy"
       approval_policy = "untrusted"
-      model_reasoning_effort = "low"
+      model_reasoning_effort = "medium"
       # the AGENTS.md contains instructions for using codex mcp, do not use it
       # experimental_instructions_file = "${config.xdg.configHome}/AGENTS.md"
-      sandbox_mode = "read-only"
+      project_doc_fallback_filenames = ["CLAUDE.md"]
+      sandbox_mode = "workspace-write"
+
+      [features]
+      tui2 = true
+      skills = true
+      unified_exec = true
+      apply_patch_freeform = true
+      view_image_tool = false
+      ghost_commit = false
+
+      [model_providers.packy]
+      name = "packy"
+      wire_api = "responses"
+      base_url = "https://www.packyapi.com/v1"
+      env_key = "PACKYCODE_CODEX_API_KEY"
 
       [model_providers.litellm]
       name = "litellm"
@@ -104,31 +127,17 @@ in
       hide_agent_reasoning = true
       model_verbosity = "low"
 
-      [profiles.sage_slow]
-      model = "glm-4.6"
-      model_provider = "zhipuai-coding-plan"
-      sandbox_mode = "read-only"
-      experimental_instructions_file = "${codex_home}/instructions/sage-role.md"
-      approval_policy = "never"
-      model_reasoning_effort = "medium"
-      model_reasoning_summary = "concise"
-      hide_agent_reasoning = true
-      model_verbosity = "low"
-
-      [profiles.sage]
-      model = "kimi-k2-turbo-preview"
-      model_provider = "moonshot"
-      sandbox_mode = "read-only"
-      experimental_instructions_file = "${codex_home}/instructions/sage-role.md"
-      approval_policy = "never"
-      model_reasoning_effort = "low"
-      model_reasoning_summary = "concise"
-      hide_agent_reasoning = true
-      model_verbosity = "medium"
-
       [tui]
       # notifications = [ "agent-turn-complete", "approval-requested" ]
       notifications = true
+      animations = false
+      scroll_events_per_tick = 3
+      scroll_wheel_lines = 3
+      scroll_mode = "auto"
+
+      [sandbox_workspace_write]
+      network_access = true
+      writable_roots = ["${config.home.homeDirectory}/workspace/work"]
 
       [shell_environment_policy]
       inherit = "core"
@@ -140,26 +149,18 @@ in
       set = { HTTP_PROXY = "${proxyConfig.proxies.http}", HTTPS_PROXY = "${proxyConfig.proxies.https}" }
 
       ## MCP
-      [mcp_servers.chromedev]
-      command = "bunx"
-      args = ["chrome-devtools-mcp@latest", "--browser-url=http://127.0.0.1:9222"]
-
-      # [mcp_servers.context7]
-      # command = "bunx"
-      # args = ["@upstash/context7-mcp"]
-
-      # [mcp_servers.mermaid]
-      # command = "bunx"
-      # args = ["@devstefancho/mermaid-mcp"]
-
-      # [mcp_servers.sequentialthinking]
-      # command = "bunx"
-      # args = ["@modelcontextprotocol/server-sequential-thinking"]
-
-      # [mcp_servers.github]
-      # command = "github-mcp-server"
-      # args = ["stdio", "--dynamic-toolsets"]
-      # env = { GITHUB_PERSONAL_ACCESS_TOKEN = "${pkgs.nix-priv.keys.github.accessToken}" }
+      ${codexMcpToml}
+    '';
+  };
+
+  home.activation = {
+    setupCodexConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+      CODEX_HOME="${codex_home}"
+
+      cp -f ${codex_home}/config-generated.toml "${codex_home}/config.toml"
+      chmod u+w "${codex_home}/config.toml"
+
+      cat ${../../../../conf/llm/docs/coding-rules.md} > ${codex_home}/AGENTS.md
     '';
   };
 }

nix/hm/ai/codex/instructions/sage-role.md

@@ -10,7 +10,7 @@
     ./legacy.nix
     ./claude
     ./codex
-    ./forge
+    # ./forge
     # ./windsurf
     # ./cline
     ./droid

nix/hm/ai/default.nix

@@ -10,6 +10,67 @@
   ...
 }:
 {
+  # codex (openai/codex) config format:
+  # - STDIO servers: { command, args?, env?, env_vars?, cwd?, ... }
+  # - Streamable HTTP servers: { url, bearer_token_env_var?, http_headers?, env_http_headers?, ... }
+  codex =
+    serverAttrs:
+    let
+      passthru =
+        lib.optionalAttrs (serverAttrs ? enabled) { inherit (serverAttrs) enabled; }
+        // lib.optionalAttrs (serverAttrs ? startup_timeout_sec) {
+          inherit (serverAttrs) startup_timeout_sec;
+        }
+        // lib.optionalAttrs (serverAttrs ? tool_timeout_sec) {
+          inherit (serverAttrs) tool_timeout_sec;
+        }
+        // lib.optionalAttrs (serverAttrs ? enabled_tools) { inherit (serverAttrs) enabled_tools; }
+        // lib.optionalAttrs (serverAttrs ? disabled_tools) { inherit (serverAttrs) disabled_tools; }
+        // lib.optionalAttrs (serverAttrs ? cwd) { inherit (serverAttrs) cwd; };
+
+      mkStdio =
+        base:
+        base
+        // lib.optionalAttrs (serverAttrs ? environment && serverAttrs.environment != { }) {
+          env = serverAttrs.environment;
+        }
+        // lib.optionalAttrs (serverAttrs ? env_vars && serverAttrs.env_vars != [ ]) {
+          inherit (serverAttrs) env_vars;
+        }
+        // passthru;
+    in
+    if serverAttrs.type == "local" then
+      mkStdio {
+        inherit (serverAttrs) command;
+        args = serverAttrs.args or [ ];
+      }
+    else if serverAttrs.type == "sse" then
+      mkStdio {
+        command = "bunx";
+        args = [
+          "mcp-remote"
+          serverAttrs.url
+          "--allow-http"
+          "--header"
+          "Authorization: ${serverAttrs.headers.Authorization}"
+        ];
+      }
+    else
+      {
+        inherit (serverAttrs) url;
+      }
+      // lib.optionalAttrs (serverAttrs ? bearer_token_env_var) {
+        inherit (serverAttrs) bearer_token_env_var;
+      }
+      // lib.optionalAttrs (serverAttrs ? http_headers) { inherit (serverAttrs) http_headers; }
+      // lib.optionalAttrs (serverAttrs ? env_http_headers) {
+        inherit (serverAttrs) env_http_headers;
+      }
+      // lib.optionalAttrs (serverAttrs ? headers && serverAttrs.headers != { }) {
+        http_headers = serverAttrs.headers;
+      }
+      // passthru;
+
   opencode =
     let
       typeMap = {

nix/lib/mcp-clients.nix

@@ -181,6 +181,16 @@ rec {
   };
 
   clients = {
+    codex = mapWithClientMk clientMk.codex (
+      pick mcpServers [
+        "chromedev"
+        "context7"
+        "mermaid"
+        "github"
+        "exa"
+        "mastergo"
+      ]
+    );
     opencode = mapWithClientMk clientMk.opencode (
       pick mcpServers [
         "kg"