From 28181da839fc1146061160ae9a4c016d8853d45c Mon Sep 17 00:00:00 2001
From: Roy Osherove <575051+royosherove@users.noreply.github.com>
Date: Thu, 16 Apr 2026 22:30:24 +0000
Subject: [PATCH] codex-cli: pass correct default model per pack (hotfix v0.5.95)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: codex-cli installed by 'curl | install.lowkey.run' received the CFN template's Bedrock DefaultModel ('us.anthropic.claude-opus-4-6-v1') because install.sh never overrode DefaultModel per-pack. OpenAI's API rejects Bedrock IDs with HTTP 400: {"type":"error","status":400,"error":{ "message":"The 'us.anthropic.claude-opus-4-6-v1' model is not supported when using Codex with a ChatGPT account."}} Two-layer fix: 1. install.sh: add DefaultModel to PARAM_CFN_NAMES/PARAM_TF_NAMES and populate from new pack_default_model() dispatch: codex-cli → gpt-5.4 openclaw/claude-code/kiro-cli/nemoclaw/pi/ironclaw → Claude Opus (Bedrock) hermes → Hermes-3-Llama-3.1-8B User override via env DEFAULT_MODEL still honored. 2. packs/codex-cli/install.sh: defense-in-depth guard that rejects any model id starting with a Bedrock provider prefix (us./eu./ap./ anthropic./amazon./meta./mistral./cohere./ai21.) and falls back to gpt-5.4 with a warning. This catches the case where users upgrade only the pack or run the pack directly against a stale CFN template. Both layers tested: - pack contracts 177/0 - registry sync clean - codex-cli pack test 28/0 - manual: bash packs/codex-cli/install.sh --model 'us.anthropic.claude-opus-4-6-v1' correctly warns and writes model='gpt-5.4' to config.toml
---
 install.sh | 21 +++++++++++++++++++--
 packs/codex-cli/install.sh | 13 +++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/install.sh b/install.sh
index b80a411..d5e0b62 100755
--- a/install.sh
+++ b/install.sh
@@ -1104,10 +1104,26 @@ collect_security_config() {
 # Parameter source-of-truth: single mapping for CFN Console, CFN CLI, Terraform
 # ============================================================================
 # ⚠ KEEP THESE THREE ARRAYS IN SYNC — same order, same count
-PARAM_CFN_NAMES=(EnvironmentName PackName ProfileName InstanceType ModelMode BedrockRegion LokiWatermark EnableBedrockForm EnableSecurityHub EnableGuardDuty EnableInspector EnableAccessAnalyzer EnableConfigRecorder ExistingVpcId ExistingSubnetId RepoBranch)
-PARAM_TF_NAMES=(environment_name pack_name profile_name instance_type model_mode bedrock_region loki_watermark enable_bedrock_form enable_security_hub enable_guardduty enable_inspector enable_access_analyzer enable_config_recorder existing_vpc_id existing_subnet_id repo_branch)
+PARAM_CFN_NAMES=(EnvironmentName PackName ProfileName InstanceType DefaultModel ModelMode BedrockRegion LokiWatermark EnableBedrockForm EnableSecurityHub EnableGuardDuty EnableInspector EnableAccessAnalyzer EnableConfigRecorder ExistingVpcId ExistingSubnetId RepoBranch)
+PARAM_TF_NAMES=(environment_name pack_name profile_name instance_type default_model model_mode bedrock_region loki_watermark enable_bedrock_form enable_security_hub enable_guardduty enable_inspector enable_access_analyzer enable_config_recorder existing_vpc_id existing_subnet_id repo_branch)
 PARAM_VALUES=() # populated by build_deploy_params()
+# Per-pack default model (passed to CFN DefaultModel / bootstrap.sh --model).
+# Packs that use AWS Bedrock get Bedrock model IDs; packs that use provider
+# APIs (OpenAI, etc.) get provider-native model IDs. Without this mapping
+# every pack inherits the template's Bedrock default, which breaks codex-cli
+# (OpenAI rejects Bedrock ids with HTTP 400).
+pack_default_model() {
+ case "$1" in
+ codex-cli) echo "gpt-5.4" ;;
+ openclaw|claude-code|kiro-cli) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ nemoclaw) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ hermes) echo "NousResearch/Hermes-3-Llama-3.1-8B" ;;
+ pi|ironclaw) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ *) echo "us.anthropic.claude-opus-4-6-v1" ;;
+ esac
+}
+
 # Populate PARAM_VALUES from user config (call after collect_config)
 build_deploy_params() {
 PARAM_VALUES=(
@@ -1115,6 +1131,7 @@ build_deploy_params() {
 "$PACK_NAME"
 "$PROFILE_NAME"
 "$INSTANCE_TYPE"
+ "${DEFAULT_MODEL:-$(pack_default_model "$PACK_NAME")}"
 "bedrock"
 "$DEPLOY_REGION"
 "$LOKI_WATERMARK"
diff --git a/packs/codex-cli/install.sh b/packs/codex-cli/install.sh
index 0ac404e..885b586 100755
--- a/packs/codex-cli/install.sh
+++ b/packs/codex-cli/install.sh
@@ -78,6 +78,19 @@ done
 REGION="${PACK_ARG_REGION}"
 MODEL="${PACK_ARG_MODEL}"
+# ── Guard against Bedrock model IDs leaking in via CFN's DefaultModel ────────────────────────────────────
+# install.sh / CFN template ship with a Bedrock-style DefaultModel
+# (e.g. us.anthropic.claude-opus-4-6-v1) that's great for openclaw/claude-code
+# but poison for codex-cli — OpenAI's API rejects it with HTTP 400.
+# If the caller hands us a Bedrock-style ID, fall back to the pack default
+# instead of writing a broken config.
+CODEX_DEFAULT_MODEL="gpt-5.4"
+if [[ "${MODEL}" =~ ^(us\.|eu\.|ap\.|anthropic\.|amazon\.|meta\.|mistral\.|cohere\.|ai21\.) ]]; then
+ warn "ignoring Bedrock-style model id '${MODEL}' — Codex CLI talks to OpenAI, not Bedrock"
+ warn "falling back to ${CODEX_DEFAULT_MODEL} (override with: bash install.sh --model )"
+ MODEL="${CODEX_DEFAULT_MODEL}"
+fi
+
 pack_banner "codex-cli"
 log "region=${REGION} model=${MODEL} sandbox=danger-full-access approval=never"
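Review bot: In `pack_default_model`, the `*)` arm hands any unrecognised pack name the Bedrock id, so a future pack that talks to a provider API would silently inherit the same wrong default this commit fixes. The `openclaw|claude-code|kiro-cli`, `nemoclaw` and `pi|ironclaw` arms only repeat that default. I would keep just the exceptions (`codex-cli`, `hermes`) plus the `*)` arm, hold the Bedrock id in one `readonly` variable, and comment the fallback, e.g. `# unknown packs get the Bedrock default; add an arm for any pack that does not use Bedrock`. The literal `gpt-5.4` is also defined a second time as `CODEX_DEFAULT_MODEL` in packs/codex-cli/install.sh, so the two files can drift on the next model bump.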
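Review bot: `DEFAULT_MODEL` is read from the environment and placed into `PARAM_VALUES` without any check, and the comment added in the previous hunk says this value is passed on to the CFN `DefaultModel` parameter and to `bootstrap.sh --model`. How those consumers quote it is not visible here, so I would constrain it before the array assignment, for example `[[ "${DEFAULT_MODEL:-}" =~ ^[A-Za-z0-9._:/-]*$ ]] || { echo "invalid DEFAULT_MODEL" >&2; exit 1; }`. The next element is still the hard-coded `"bedrock"` (ModelMode, by array order), so codex-cli and hermes now deploy a non-Bedrock model id under Bedrock mode; it is worth confirming the template accepts that combination. `build_deploy_params` continues past the end of the hunk.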
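Review bot: The guard's prefix list is a denylist that is already incomplete: `ap\.` does not match Bedrock's `apac.` inference-profile prefix, and `global.` profiles and `arn:aws:bedrock:` ARNs are not covered, so those ids would still be written to config.toml and fail at the OpenAI API. Extending the pattern, e.g. `^((us|eu|ap|apac|global|anthropic|amazon|meta|mistral|cohere|ai21)\.|arn:aws:bedrock:)`, closes the known gaps, but checking `MODEL` against the ids this pack is known to work with would fail closed as the Bedrock catalogue grows. An empty `MODEL` also passes the guard; whether a default is applied earlier in the script is not visible from this hunk.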