diff --git a/install.sh b/install.sh
index b80a411..d5e0b62 100755
--- a/install.sh
+++ b/install.sh
@@ -1104,10 +1104,26 @@ collect_security_config() {
 # Parameter source-of-truth: single mapping for CFN Console, CFN CLI, Terraform
 # ============================================================================
 # ⚠ KEEP THESE THREE ARRAYS IN SYNC — same order, same count
-PARAM_CFN_NAMES=(EnvironmentName PackName ProfileName InstanceType ModelMode BedrockRegion LokiWatermark EnableBedrockForm EnableSecurityHub EnableGuardDuty EnableInspector EnableAccessAnalyzer EnableConfigRecorder ExistingVpcId ExistingSubnetId RepoBranch)
-PARAM_TF_NAMES=(environment_name pack_name profile_name instance_type model_mode bedrock_region loki_watermark enable_bedrock_form enable_security_hub enable_guardduty enable_inspector enable_access_analyzer enable_config_recorder existing_vpc_id existing_subnet_id repo_branch)
+PARAM_CFN_NAMES=(EnvironmentName PackName ProfileName InstanceType DefaultModel ModelMode BedrockRegion LokiWatermark EnableBedrockForm EnableSecurityHub EnableGuardDuty EnableInspector EnableAccessAnalyzer EnableConfigRecorder ExistingVpcId ExistingSubnetId RepoBranch)
+PARAM_TF_NAMES=(environment_name pack_name profile_name instance_type default_model model_mode bedrock_region loki_watermark enable_bedrock_form enable_security_hub enable_guardduty enable_inspector enable_access_analyzer enable_config_recorder existing_vpc_id existing_subnet_id repo_branch)
 PARAM_VALUES=() # populated by build_deploy_params()
+# Per-pack default model (passed to CFN DefaultModel / bootstrap.sh --model).
+# Packs that use AWS Bedrock get Bedrock model IDs; packs that use provider
+# APIs (OpenAI, etc.) get provider-native model IDs. Without this mapping
+# every pack inherits the template's Bedrock default, which breaks codex-cli
+# (OpenAI rejects Bedrock ids with HTTP 400).
+pack_default_model() {
+ case "$1" in
+ codex-cli) echo "gpt-5.4" ;;
+ openclaw|claude-code|kiro-cli) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ nemoclaw) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ hermes) echo "NousResearch/Hermes-3-Llama-3.1-8B" ;;
+ pi|ironclaw) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ *) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ esac
+}
+
 # Populate PARAM_VALUES from user config (call after collect_config)
 build_deploy_params() {
 PARAM_VALUES=(
@@ -1115,6 +1131,7 @@ build_deploy_params() {
 "$PACK_NAME"
 "$PROFILE_NAME"
 "$INSTANCE_TYPE"
+ "${DEFAULT_MODEL:-$(pack_default_model "$PACK_NAME")}"
 "bedrock"
 "$DEPLOY_REGION"
 "$LOKI_WATERMARK"
diff --git a/packs/codex-cli/install.sh b/packs/codex-cli/install.sh
index 0ac404e..885b586 100755
--- a/packs/codex-cli/install.sh
+++ b/packs/codex-cli/install.sh
@@ -78,6 +78,19 @@ done
 REGION="${PACK_ARG_REGION}"
 MODEL="${PACK_ARG_MODEL}"
+# ── Guard against Bedrock model IDs leaking in via CFN's DefaultModel ────────────────────────────────────
+# install.sh / CFN template ship with a Bedrock-style DefaultModel
+# (e.g. us.anthropic.claude-opus-4-6-v1) that's great for openclaw/claude-code
+# but poison for codex-cli — OpenAI's API rejects it with HTTP 400.
+# If the caller hands us a Bedrock-style ID, fall back to the pack default
+# instead of writing a broken config.
+CODEX_DEFAULT_MODEL="gpt-5.4"
+if [[ "${MODEL}" =~ ^(us\.|eu\.|ap\.|anthropic\.|amazon\.|meta\.|mistral\.|cohere\.|ai21\.) ]]; then
+ warn "ignoring Bedrock-style model id '${MODEL}' — Codex CLI talks to OpenAI, not Bedrock"
+ warn "falling back to ${CODEX_DEFAULT_MODEL} (override with: bash install.sh --model )"
+ MODEL="${CODEX_DEFAULT_MODEL}"
+fi
+
 pack_banner "codex-cli"
 log "region=${REGION} model=${MODEL} sandbox=danger-full-access approval=never"
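Review bot: The `*)` arm of `pack_default_model` returns the Bedrock id for any pack name it does not recognise, so a future provider-API pack (or a mistyped name) silently inherits a Bedrock model, which is the failure this mapping was added to prevent. A comment on that arm such as `# unknown pack: assumes Bedrock; add an explicit arm for every provider-API pack` would make the assumption visible. The codex-cli default `gpt-5.4` is also duplicated as `CODEX_DEFAULT_MODEL` in packs/codex-cli/install.sh, so the two values can drift apart; a cross-reference comment in both places would help. The `openclaw|claude-code|kiro-cli`, `nemoclaw` and `pi|ironclaw` arms return the same string as `*)` and could be merged into one arm.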
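Review bot: `DEFAULT_MODEL` in the added `"${DEFAULT_MODEL:-$(pack_default_model "$PACK_NAME")}"` entry is forwarded as a deployment parameter with no check on its contents. The comment in the first hunk says the value reaches CFN `DefaultModel` and `bootstrap.sh --model`; how those consume it is not visible here, so it would be prudent to constrain it before `build_deploy_params` runs, for example `[[ "${DEFAULT_MODEL:-}" =~ ^[A-Za-z0-9._:/-]*$ ]] || { echo "invalid DEFAULT_MODEL" >&2; exit 1; }`. The following entry, which lines up with `ModelMode` in the name arrays, remains the literal `"bedrock"` even when the pack default is an OpenAI id; please confirm that is intended for codex-cli. build_deploy_params continues outside the hunk.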
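Review bot: The prefix list in the added `if [[ "${MODEL}" =~ ^(us\.|eu\.|ap\.|…) ]]` guard does not cover every Bedrock-style id: `ap\.` does not match the `apac.` inference-profile prefix, and `global.` profiles and `arn:aws:bedrock:` ARNs are not listed, so those would still be written into the Codex config. Extending the alternation, e.g. `^(arn:aws:bedrock:|us\.|eu\.|apac\.|global\.|anthropic\.|amazon\.|meta\.|mistral\.|cohere\.|ai21\.)`, closes the gaps I can see. An empty `MODEL` also passes through unchanged; if `PACK_ARG_MODEL` can be empty (its default is outside the hunk), `[[ -z "${MODEL}" ]] && MODEL="${CODEX_DEFAULT_MODEL}"` would cover that case. The script continues outside the hunk.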