#!/usr/bin/env bash
set -euo pipefail

usage() {
  cat <<'EOF'
Usage:
  codex_guarded.sh [--cwd DIR] [--sandbox MODE] [--approval POLICY] [--] [codex args...]

Defaults:
  --approval never
  --sandbox read-only
  --cwd current working directory

Description:
  Launch Codex with deterministic non-interactive safety defaults.
EOF
}

CWD="$(pwd)"
SANDBOX="read-only"
APPROVAL="never"
FORWARD_ARGS=()

while [[ $# -gt 0 ]]; do
  case "$1" in
    --cwd)
      CWD="$2"
      shift 2
      ;;
    --sandbox)
      SANDBOX="$2"
      shift 2
      ;;
    --approval)
      APPROVAL="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    --)
      shift
      FORWARD_ARGS+=("$@")
      break
      ;;
    *)
      FORWARD_ARGS+=("$1")
      shift
      ;;
  esac
done

if [[ ${#FORWARD_ARGS[@]} -gt 0 ]]; then
  exec codex -a "$APPROVAL" -s "$SANDBOX" -C "$CWD" "${FORWARD_ARGS[@]}"
else
  exec codex -a "$APPROVAL" -s "$SANDBOX" -C "$CWD"
fi