update secrets

hosts/nb/users/codex-cli.nix

@@ -5,7 +5,7 @@ let
   npmPrefix = "${home}/.npm-global";
   node = pkgs.nodejs; # or pkgs.nodejs_20
 in {
-  home-manager.users.dominik = { lib, pkgs, ... }: {
+  home-manager.users.dominik = { config, lib, pkgs, ... }: {
     home.packages = with pkgs; [
       node
       gnutar     # provides `tar`
@@ -13,6 +13,12 @@ in {
       unzip  
       python314  # useful for codex model use
       jq         # useful for JSON processing
+      (pkgs.writeShellScriptBin "codex" ''
+        #!/usr/bin/env bash
+        export TMPDIR="''${TMPDIR:-$HOME/.cache/codex-tmp}"
+        export XDG_RUNTIME_DIR="''${XDG_RUNTIME_DIR:-$HOME/.cache/xdg-runtime}"
+        exec ${npmPrefix}/bin/codex "$@"
+      '')
     ];
 
     # Ensure ~/.npmrc with a user prefix (no sudo needed)
@@ -34,12 +40,17 @@ in {
       NPM_CONFIG_PREFIX = npmPrefix;
     };
 
+    home.activation.ensureCodexDirs = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+      install -d -m 700 "${config.home.homeDirectory}/.cache/codex-tmp"
+      install -d -m 700 "${config.home.homeDirectory}/.cache/xdg-runtime"
+    '';
+
     # Auto-install @openai/codex if it's not already there
     # (idempotent on each `home-manager switch`)
     home.activation.installCodexCli = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
       export PATH=${node}/bin:${pkgs.gnutar}/bin:${pkgs.gzip}/bin:${pkgs.unzip}/bin:${pkgs.curl}/bin:$PATH
       mkdir -p ${npmPrefix}
-      if ! command -v codex >/dev/null 2>&1; then
+      if [ ! -x "${npmPrefix}/bin/codex" ]; then
         echo "Installing @openai/codex globally..."
         # --global uses prefix from ~/.npmrc; PATH has node for postinstall
         ${node}/bin/npm install -g @openai/codex