fix: address remaining runtime truthfulness review

src/auto-reply/reply/commands-system-prompt.test.ts

@@ -165,4 +165,38 @@ describe("resolveCommandsSystemPromptBundle", () => {
       }),
     );
   });
+
+  it("uses the resolved session key and forwards full-access block reasons", async () => {
+    const { resolveCommandsSystemPromptBundle } = await import("./commands-system-prompt.js");
+    const sandboxRuntime = await import("../../agents/sandbox.js");
+    const systemPromptRuntime = await import("../../agents/system-prompt.js");
+
+    vi.mocked(sandboxRuntime.resolveSandboxRuntimeStatus).mockImplementation(({ sessionKey }) => {
+      expect(sessionKey).toBe("agent:target:default");
+      return { sandboxed: true, mode: "workspace-write" } as never;
+    });
+
+    const params = makeParams();
+    params.sessionKey = "agent:target:default";
+    params.ctx.SessionKey = "agent:source:default";
+    params.elevated = {
+      enabled: true,
+      allowed: false,
+      failures: [],
+    };
+
+    await resolveCommandsSystemPromptBundle(params);
+
+    expect(vi.mocked(systemPromptRuntime.buildAgentSystemPrompt)).toHaveBeenCalledWith(
+      expect.objectContaining({
+        sandboxInfo: expect.objectContaining({
+          enabled: true,
+          elevated: expect.objectContaining({
+            fullAccessAvailable: false,
+            fullAccessBlockedReason: "host-policy",
+          }),
+        }),
+      }),
+    );
+  });
 });

src/auto-reply/reply/commands-system-prompt.ts

@@ -112,7 +112,7 @@ export async function resolveCommandsSystemPromptBundle(
     },
   });
   const fullAccessState = resolveEmbeddedFullAccessState({
-    sandboxEnabled: true,
+    sandboxEnabled: sandboxRuntime.sandboxed,
     execElevated: {
       enabled: params.elevated.enabled,
       allowed: params.elevated.allowed,

src/commands/openai-codex-oauth.test.ts

@@ -141,6 +141,31 @@ describe("loginOpenAICodexOAuth", () => {
     );
   });
 
+  it("normalizes slash-terminated authorize paths too", async () => {
+    const creds = {
+      provider: "openai-codex" as const,
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: Date.now() + 60_000,
+      email: "user@example.com",
+    };
+    mocks.loginOpenAICodex.mockImplementation(
+      async (opts: { onAuth: (event: { url: string }) => Promise<void> }) => {
+        await opts.onAuth({
+          url: "https://auth.openai.com/oauth/authorize/?state=abc",
+        });
+        return creds;
+      },
+    );
+
+    const openUrl = vi.fn(async () => {});
+    await runCodexOAuth({ isRemote: false, openUrl });
+
+    expect(openUrl).toHaveBeenCalledWith(
+      "https://auth.openai.com/oauth/authorize/?state=abc&scope=openid+profile+email+offline_access+model.request+api.responses.write",
+    );
+  });
+
   it("reports oauth errors and rethrows", async () => {
     mocks.loginOpenAICodex.mockRejectedValue(new Error("oauth failed"));
 

src/plugins/provider-openai-codex-oauth.ts

@@ -26,7 +26,10 @@ function normalizeOpenAICodexAuthorizeUrl(rawUrl: string): string {
   }
   try {
     const url = new URL(trimmed);
-    if (!/(?:^|\.)openai\.com$/i.test(url.hostname) || !/\/oauth\/authorize$/i.test(url.pathname)) {
+    if (
+      !/(?:^|\.)openai\.com$/i.test(url.hostname) ||
+      !/\/oauth\/authorize\/?$/i.test(url.pathname)
+    ) {
       return rawUrl;
     }