From ab6be896bdff98bea92ccbe579759028b266ab18 Mon Sep 17 00:00:00 2001
From: delta-cloud-208e <delta-cloud-208e@device.local>
Date: Tue, 10 Mar 2026 17:54:43 +0000
Subject: [PATCH] =?UTF-8?q?fix(codex):=20patch=20all=20users,=20not=20just?=
 =?UTF-8?q?=20root=20=E2=80=94=20add=20--all=20flag=20and=20fix=20macOS=20?=
 =?UTF-8?q?UID=20threshold?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Install script now runs patcher with --all to patch every user's ~/.codex/config.toml
- Fix list_users() UID threshold: macOS starts at 500, Linux at 1000
- Fix file ownership: chown config files to the actual user after patching

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 codex/codex_patcher.py  | 13 ++++++++++---
 codex/ucodex_install.sh |  2 +-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/codex/codex_patcher.py b/codex/codex_patcher.py
index 8a683d4..061e874 100755
--- a/codex/codex_patcher.py
+++ b/codex/codex_patcher.py
@@ -664,7 +664,8 @@ def list_users():
             home = pw.pw_dir
             if not os.path.isdir(home):
                 continue
-            if pw.pw_uid < 1000 and pw.pw_uid != 0:
+            min_uid = 500 if IS_MACOS else 1000
+            if pw.pw_uid < min_uid and pw.pw_uid != 0:
                 continue
             if pw.pw_shell in ("/usr/sbin/nologin", "/bin/false"):
                 continue
@@ -674,7 +675,7 @@ def list_users():
     return users
 
 
-def patch_user(user_home, config):
+def patch_user(user_home, config, uid=None, gid=None):
     """Patch a single user's ~/.codex/ config."""
     codex_dir = os.path.join(user_home, ".codex")
     os.makedirs(codex_dir, exist_ok=True)
@@ -693,6 +694,12 @@ def patch_user(user_home, config):
     with open(config_path, "w", encoding="utf-8") as f:
         f.write(new_content)
 
+    # Fix ownership so files belong to the user, not root
+    if uid is not None and gid is not None:
+        for path in [codex_dir, config_path, catalog_path]:
+            if os.path.exists(path):
+                os.chown(path, uid, gid)
+
     return True
 
 
@@ -741,7 +748,7 @@ def main():
                 if user.pw_dir == os.path.expanduser("~"):
                     continue
                 try:
-                    patch_user(user.pw_dir, config)
+                    patch_user(user.pw_dir, config, uid=user.pw_uid, gid=user.pw_gid)
                     print(f"  Patched {user.pw_name}: {user.pw_dir}/.codex/config.toml")
                 except Exception as e:
                     print(f"  {RED}Failed {user.pw_name}: {e}{RESET}")
diff --git a/codex/ucodex_install.sh b/codex/ucodex_install.sh
index 55ce348..f2926a0 100755
--- a/codex/ucodex_install.sh
+++ b/codex/ucodex_install.sh
@@ -179,7 +179,7 @@ curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_patcher.py"
 curl -fsSL -H "Authorization: token ${GITEA_TOKEN}" "$REPO_RAW/codex_config.json" -o "$INSTALL_DIR/codex_config.json"
 
 info "Applying patches..."
-python3 "$INSTALL_DIR/codex_patcher.py" --apply --config "$INSTALL_DIR/codex_config.json"
+python3 "$INSTALL_DIR/codex_patcher.py" --apply --all --config "$INSTALL_DIR/codex_config.json"
 log "Patches applied"
 
 # ---- Step 3: Set env vars system-wide ----