#!/usr/bin/env bash
#
# Spec: plans/2026-06-24-codex-mcp-keychain-reprompt-report.md
#
# Self-contained, NON-INTERACTIVE proof of the Codex MCP keychain partition-list
# fix (lever 2). It NEVER touches your real login keychain or the real
# "Codex MCP Credentials" item, and it does NOT require a real Codex.app update.
#
# WHAT IT PROVES (headless, deterministic):
#   The fix runs `security set-generic-password-partition-list` to add the
#   code-signing team(s) to a keychain item's PARTITION LIST. A keychain item's
#   silent-read access is gated by that partition list. We create a dedicated
#   test item whose partition list does NOT include the target team
#   ("teamid:2DC432GLL2"), confirm the team is ABSENT (the "broken" / would-
#   re-prompt precondition), run the SAME command the helper runs, and confirm
#   the team is now PRESENT (the "fixed" state). The partition list is read back
#   verbatim via `security dump-keychain -a`, so the before/after transition is
#   fully observable without any GUI.
#
# WHY NOT "silent read" headlessly:
#   The post-fix payoff is that a same-team-signed codex binary reads the secret
#   with NO GUI prompt. Demonstrating that requires a binary that is actually in
#   the team partition; /usr/bin/security is not, and the authorization is a GUI
#   event. That on-device confirmation is the manual procedure in the QA doc.
#   This script proves the load-bearing state change the helper performs.
#
# Everything happens inside a DEDICATED test keychain with a KNOWN password,
# created unlocked and deleted on exit (even on failure, via trap), so macOS
# never pops a GUI dialog and your real keychains are untouched.
#
# Usage:  bash codex-keychain-partition-repro.sh
# Exit:   0 = PASS, 1 = FAIL, 2 = not macOS.

set -u

if [[ "$(uname -s)" != "Darwin" ]]; then
  echo "SKIP: this repro only runs on macOS (darwin). Detected: $(uname -s)" >&2
  exit 2
fi

# Dedicated, throwaway keychain. The name is fixed on purpose so that a
# leftover from an aborted run is reclaimed by the pre-run cleanup; the
# password is per-run. The password is only ever handed to security(1) on
# argv (-p/-k), where a process listing can see it for the duration of each
# call — tolerable here solely because it guards this synthetic keychain,
# and not a pattern to copy into a helper that touches the real item.
readonly KEYCHAIN_NAME="linzumi-qa.keychain"
readonly KEYCHAIN_PW="linzumi-qa-$$"
# Synthetic item: same service name shape as the real one, with a TEST suffix
# so it can never be confused with the real "Codex MCP Credentials" item.
readonly SERVICE="Codex MCP Credentials TEST"
readonly ACCOUNT="testacct"
readonly SECRET="testsecret-$$"
# The official OpenAI Codex team id is the partition we add (the same default
# the helper applies). The synthetic item proves the partition-list mechanism;
# the team id value is not verified against a real signature in this test.
readonly TARGET_TEAM="2DC432GLL2"
# BEFORE: a partition list WITHOUT the target team. AFTER: target team + apple.
readonly BEFORE_PARTITION="apple:"
readonly AFTER_PARTITION="teamid:${TARGET_TEAM},apple:"

#######################################
# Remove the dedicated test keychain.
# Best-effort by design: it runs both before setup (to reclaim a stale
# leftover) and from the EXIT trap, so "no such keychain" is not an error
# and must never alter the script's exit status.
# Globals:  KEYCHAIN_NAME (read)
# Returns:  always 0
#######################################
cleanup() {
  local -r kc=$KEYCHAIN_NAME
  security delete-keychain "$kc" >/dev/null 2>&1 || :
}
# Fires on every exit path, including the explicit "exit 1" FAIL branches,
# so the synthetic keychain never outlives the run.
trap cleanup EXIT

#######################################
# Read the partition-list "description:" line (under the partition_id
# authorization) for the test item from a keychain dump.
# Globals:  KEYCHAIN_NAME (read)
# Outputs:  the description text with the "description:" prefix and its
#           surrounding whitespace stripped; nothing when the keychain cannot
#           be dumped or has no partition_id entry.
# Returns:  status of the final sed (0), so callers must inspect the output.
#######################################
read_partition_description() {
  local -r anchor='authorizations (1): partition_id'
  # NOTE(review): assumes the description line follows the anchor within two
  # lines and that the whole partition list fits on that single line — confirm
  # against a real `security dump-keychain -a` on the target macOS version.
  security dump-keychain -a "$KEYCHAIN_NAME" 2>/dev/null \
    | grep -A2 "$anchor" \
    | grep -m1 'description:' \
    | sed 's/^[[:space:]]*description:[[:space:]]*//'
}

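#######################################
# Print the run banner.
# Globals:  KEYCHAIN_NAME, SERVICE, TARGET_TEAM (read)
#######################################
print_banner() {
  echo "== Codex MCP keychain partition-list repro (synthetic, non-interactive) =="
  echo "test keychain: $KEYCHAIN_NAME"
  echo "service:       $SERVICE"
  echo "target team:   teamid:$TARGET_TEAM"
  echo
}

#######################################
# Unlock the test keychain with its known password. Best-effort: the
# keychain is created unlocked and has no auto-relock, so this is belt and
# braces against a GUI unlock prompt rather than a step that can fail the run.
# Globals:  KEYCHAIN_NAME, KEYCHAIN_PW (read)
#######################################
unlock_test_keychain() {
  security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_NAME" || true
}

#######################################
# Replace the test item's partition list — the SAME command the helper runs.
# Globals:   KEYCHAIN_NAME, KEYCHAIN_PW, SERVICE, ACCOUNT (read)
# Arguments: $1 - partition list, e.g. "teamid:XXXXXXXXXX,apple:"
# Returns:   security(1)'s status; its output is discarded
#######################################
set_partition_list() {
  local -r partitions=$1
  unlock_test_keychain
  # -k supplies the keychain password so no unlock dialog is raised. It is on
  # argv (visible to ps for the call's lifetime); acceptable only because it
  # guards this throwaway keychain.
  security set-generic-password-partition-list \
    -S "$partitions" \
    -s "$SERVICE" -a "$ACCOUNT" -k "$KEYCHAIN_PW" "$KEYCHAIN_NAME" \
    >/dev/null 2>&1
}

#######################################
# Does a partition-list description name the target team?
# Globals:   TARGET_TEAM (read)
# Arguments: $1 - description text as returned by read_partition_description
# Returns:   0 if "teamid:$TARGET_TEAM" occurs in it, 1 otherwise
#######################################
has_target_team() {
  # Plain substring match. This script writes the list itself, so a longer id
  # that merely shares the prefix cannot occur in the synthetic item.
  [[ "$1" == *"teamid:${TARGET_TEAM}"* ]]
}

#######################################
# Create + unlock the dedicated test keychain and seed it with one item whose
# partition list EXCLUDES the target team (the would-re-prompt precondition).
# Globals:  KEYCHAIN_NAME, KEYCHAIN_PW, SERVICE, ACCOUNT, SECRET,
#           BEFORE_PARTITION (read)
# Outputs:  progress to stdout, the failing step to stderr
# Returns:  0 on success, 1 if any security(1) step fails
#######################################
setup_test_keychain() {
  # Clean slate in case a prior aborted run left the keychain behind.
  cleanup

  echo "[setup] create + unlock dedicated test keychain"
  if ! security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_NAME"; then
    echo "FAIL: could not create test keychain" >&2
    return 1
  fi
  # No timeout and no lock-on-sleep, so no GUI unlock prompt can appear
  # during the run.
  security set-keychain-settings "$KEYCHAIN_NAME" || true
  unlock_test_keychain

  echo "[setup] add a test item (permissive ACL) then set a partition list that"
  echo "        EXCLUDES the target team (the would-re-prompt precondition)"
  # -A: any application may read the item without an ACL prompt, so the
  # partition list set next is the only remaining gate — the mechanism under
  # test. Never use -A on a real credential item.
  if ! security add-generic-password \
        -a "$ACCOUNT" -s "$SERVICE" -w "$SECRET" -A "$KEYCHAIN_NAME"; then
    echo "FAIL: could not add test item" >&2
    return 1
  fi
  if ! set_partition_list "$BEFORE_PARTITION"; then
    echo "FAIL: could not set the BEFORE partition list" >&2
    return 1
  fi
}

#######################################
# Verify the precondition: the partition list is readable and does NOT
# contain the target team.
# Outputs:  the observed list to stdout, the unmet condition to stderr
# Returns:  0 if the precondition holds, 1 otherwise
#######################################
check_before() {
  local desc
  echo
  echo "== BEFORE: target team must be ABSENT from the partition list =="
  desc="$(read_partition_description)"
  echo "partition list (before): ${desc:-<none>}"
  if [[ -z "$desc" ]]; then
    # An unreadable list is not evidence of absence: the oracle itself failed,
    # so it must not count as the "broken" precondition being met.
    echo "BEFORE precondition NOT met: could not read the partition list." >&2
    return 1
  fi
  if has_target_team "$desc"; then
    echo "BEFORE precondition NOT met: target team already present." >&2
    return 1
  fi
  echo "ok: target team is absent before the fix (a same-team codex would re-prompt)."
}

#######################################
# Apply the fix: add the target team to the partition list.
# Globals:  AFTER_PARTITION, SERVICE, ACCOUNT, KEYCHAIN_NAME (read)
# Returns:  0 on success, 1 if the security(1) call fails
#######################################
apply_fix() {
  echo
  echo "== APPLY FIX: the exact command the helper runs =="
  # The keychain password is redacted from this trace line on purpose.
  echo "running: security set-generic-password-partition-list -S \"$AFTER_PARTITION\" -s \"$SERVICE\" -a \"$ACCOUNT\" -k <pw> $KEYCHAIN_NAME"
  if ! set_partition_list "$AFTER_PARTITION"; then
    echo "FAIL: set-generic-password-partition-list failed" >&2
    return 1
  fi
  echo "partition list applied."
}

#######################################
# Verify the postcondition: the partition list now contains the target team.
# Outputs:  the observed list to stdout, the failure to stderr
# Returns:  0 if the team is present, 1 otherwise
#######################################
check_after() {
  local desc
  echo
  echo "== AFTER: target team must now be PRESENT in the partition list =="
  desc="$(read_partition_description)"
  echo "partition list (after):  ${desc:-<none>}"
  if has_target_team "$desc"; then
    echo "ok: target team is present after the fix (same-team codex builds read silently)."
    return 0
  fi
  echo "AFTER FAILED: target team is still absent." >&2
  return 1
}

#######################################
# Entry point: setup, BEFORE check, fix, AFTER check, verdict.
# A failed BEFORE check does not stop the run — the fix is still applied and
# the AFTER state still reported — but it forces a FAIL verdict.
# Returns (via exit): 0 = PASS, 1 = FAIL (the trap removes the keychain)
#######################################
main() {
  local before_ok=0 after_ok=0

  print_banner
  setup_test_keychain || exit 1
  check_before && before_ok=1
  apply_fix || exit 1
  check_after && after_ok=1

  echo
  echo "============================== VERDICT =============================="
  echo "BEFORE (team absent): $before_ok"
  echo "AFTER  (team present): $after_ok"

  if (( before_ok == 1 && after_ok == 1 )); then
    echo "RESULT: PASS (partition list flipped from team-absent to team-present)"
    exit 0
  fi

  echo "RESULT: FAIL"
  exit 1
}
main "$@"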
