feat(ai): add modular codex CLI home-manager configuration

Add comprehensive Codex CLI configuration following the same patterns
as claude and opencode configurations:

- modules/home/codex.nix: Custom module for skills and prompts options
  (not in upstream home-manager)
- home/ai/repl/codex/: Modular configuration split into:
  - default.nix: Entry point with package and enable
  - settings.nix: Core settings (model, sandbox, profiles)
  - mcp-servers.nix: MCP server configurations
  - custom-instructions.nix: Global rules (git, security, docs)
  - skills.nix: Reusable knowledge modules
  - prompts.nix: Custom prompts for common workflows
- Export claude-code and codex modules in modules/default.nix

Author: DivitMittal

home/ai/repl/codex/custom-instructions.nix

@@ -0,0 +1,95 @@
+_: {
+  programs.codex.custom-instructions = ''
+    ## External File Loading
+
+    CRITICAL: When you encounter a file reference (e.g., @rules/general.md), use your Read tool to load it on a need-to-know basis. They're relevant to the SPECIFIC task at hand.
+
+    Instructions:
+
+    - Do NOT preemptively load all references - use lazy loading based on actual need
+    - When loaded, treat content as mandatory instructions that override defaults
+    - Follow references recursively when needed
+
+    ## Git Workflow Rules
+
+    ### Commits
+    - Use Conventional Commits format: `type(scope): description`
+    - Keep commits atomic (one logical change per commit)
+    - Write imperative mood ("add feature" not "added feature")
+    - Reference issues when applicable: `fixes #123`
+
+    ### Branches
+    - `main` is protected - never force push
+    - Feature branches: `feat/description`
+    - Fix branches: `fix/issue-number` or `fix/description`
+    - Keep branches short-lived
+
+    ### Before Committing
+    - Run `nix fmt` on changed Nix files
+    - Run `nix flake check` for Nix projects
+    - Review diff before staging
+
+    ## Security Rules
+
+    ### Secrets
+    - NEVER commit secrets, API keys, passwords, or tokens
+    - Use agenix/ragenix for encrypted secrets
+    - Check `.env` files are in `.gitignore`
+    - Audit file permissions for sensitive data
+
+    ### Code
+    - Validate all external input
+    - Use parameterized queries (no string interpolation for commands)
+    - Prefer allowlists over denylists
+    - Log security events but never log secrets
+
+    ### Nix Specific
+    - Use `lib.escapeShellArg` for shell arguments
+    - Avoid `builtins.fetchurl` without hash
+    - Review systemd service sandboxing options
+    - Check firewall rules for exposed services
+
+    ## Documentation Rules
+
+    ### Comments
+    - Explain "why" not "what"
+    - Document non-obvious behavior
+    - Keep comments up-to-date with code
+    - Use `## Section` comments to organize long files
+
+    ### README
+    - Include: purpose, installation, usage, configuration
+    - Keep examples working and tested
+    - Document environment requirements
+
+    ### Nix Modules
+    - Add `description` to all `mkOption`
+    - Document module dependencies
+    - Include usage examples in comments
+
+    ## Code Quality Rules
+
+    ### General
+    - Prefer pure functions over side effects
+    - Keep functions small and focused
+    - Avoid deep nesting (max 3-4 levels)
+    - Use early returns to reduce indentation
+
+    ### Error Handling
+    - Handle errors explicitly
+    - Provide helpful error messages
+    - Fail fast and loud in development
+    - Never silently swallow errors
+
+    ### Nix Specific
+    - Use `lib.mkMerge` for complex conditional configs
+    - Prefer `lib.optionalAttrs` over `if-then-else {}`
+    - Use `lib.filterAttrs` to remove null/empty values
+    - Avoid `with` - use explicit `lib.` prefix
+
+    ### Type Safety
+    - Never use `as any` or `@ts-ignore` (TypeScript)
+    - Define proper types for all function parameters
+    - Use `lib.types.*` for Nix module options
+  '';
+}

home/ai/repl/codex/default.nix

@@ -0,0 +1,21 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = lib.custom.scanPaths ./.;
+
+  home.packages = lib.attrsets.attrValues {
+    inherit (pkgs.ai) ccusage-codex;
+  };
+
+  programs.codex = let
+    # package = pkgs.ai.codex;
+    package = pkgs.writeShellScriptBin "codex" ''
+      exec ${pkgs.pnpm}/bin/pnpm dlx @openai/codex "$@"
+    '';
+  in {
+    enable = true;
+    inherit package;
+  };
+}

home/ai/repl/codex/mcp-servers.nix

@@ -0,0 +1,25 @@
+{pkgs, ...}: let
+  pnpmCommand = "${pkgs.pnpm}/bin/pnpm";
+in {
+  programs.codex.settings.mcp_servers = {
+    sequential-thinking = {
+      type = "stdio";
+      command = pnpmCommand;
+      args = ["dlx" "@modelcontextprotocol/server-sequential-thinking"];
+    };
+    deepwiki = {
+      type = "http";
+      url = "https://mcp.deepwiki.com/mcp";
+    };
+    octocode = {
+      type = "stdio";
+      command = pnpmCommand;
+      args = ["dlx" "octocode-mcp@latest"];
+    };
+    exa = {
+      type = "stdio";
+      command = pnpmCommand;
+      args = ["dlx" "exa-mcp-server"];
+    };
+  };
+}

home/ai/repl/codex/prompts.nix

@@ -0,0 +1,218 @@
+_: {
+  programs.codex.prompts = {
+    ## Git workflows
+    commit = ''
+      ---
+      description: Create git commit(s) with proper message(s)
+      argument-hint: [files-or-scope]
+      ---
+      ## Context
+
+      - Current git status: !`git status`
+      - Current git diff: !`git diff HEAD`
+      - Recent commits: !`git log --oneline -5`
+
+      ## Task
+
+      Analyze the changes and create commit(s) based on the context:
+
+      1. **Multiple commits when**:
+         - Changes span multiple logical concerns (e.g., feature + refactor + docs)
+         - Changes affect unrelated components or modules
+         - User explicitly requests multiple commits or groups of changes
+
+      2. **Single commit when**:
+         - All changes relate to a single logical unit of work
+         - User specifies a single context or scope
+         - Changes form one cohesive story
+
+      3. **Context-limited commits**:
+         - If instructed to commit specific files/paths, ONLY stage and commit those files
+         - Respect explicit scope boundaries provided by the user
+         - Do NOT include unrelated staged or unstaged changes
+
+      Each commit message MUST follow Conventional Commits syntax: `type(scope): description`
+    '';
+
+    pr = ''
+      ---
+      description: Create a pull request with description
+      argument-hint: [title]
+      ---
+      ## Context
+
+      - Current branch: !`git branch --show-current`
+      - Default branch: !`gh repo view --json defaultBranchRef -q .defaultBranchRef.name 2>/dev/null || echo "main"`
+      - Commits not in main: !`git log main..HEAD --oneline 2>/dev/null || git log origin/main..HEAD --oneline 2>/dev/null`
+      - Changed files: !`git diff main..HEAD --stat 2>/dev/null || git diff origin/main..HEAD --stat 2>/dev/null`
+
+      ## Task
+
+      Create a pull request:
+      1. Check if PR already exists for this branch (skip if so, show URL)
+      2. Push current branch to origin if not already pushed: `git push -u origin HEAD`
+      3. Create PR with title from $ARGUMENTS or infer from commits/branch name
+      4. Use this description template:
+
+      ```
+      ## Summary
+      <brief description of changes>
+
+      ## Changes
+      - <bullet points of key changes>
+
+      ## Testing
+      <how to test, or "N/A" if not applicable>
+      ```
+    '';
+
+    changelog = ''
+      ---
+      description: Update CHANGELOG.md with new entry
+      argument-hint: [version]
+      ---
+      ## Context
+
+      - Recent commits: !`git log --oneline -20`
+      - Current changelog: !`head -50 CHANGELOG.md 2>/dev/null || echo "No CHANGELOG.md found"`
+
+      ## Task
+
+      Update CHANGELOG.md following Keep a Changelog format:
+      1. Group changes by type (Added, Changed, Fixed, Removed)
+      2. Reference relevant commits/PRs
+      3. Use the provided version or determine appropriate version bump
+    '';
+
+    fix-issue = ''
+      ---
+      description: Fix a GitHub issue
+      argument-hint: <issue-number>
+      ---
+      ## Context
+
+      - Issue details: !`gh issue view $ARGUMENTS 2>/dev/null || echo "Could not fetch issue"`
+
+      ## Task
+
+      1. Understand the issue from the description and comments
+      2. Create a branch named fix/$ARGUMENTS or feature/$ARGUMENTS
+      3. Implement the fix following project conventions
+      4. Test the changes if applicable
+      5. Commit with message referencing the issue (e.g., "fix: description (closes #$ARGUMENTS)")
+    '';
+
+    ## Code quality
+    review = ''
+      ---
+      description: Review code for issues
+      argument-hint: [file-or-path]
+      ---
+      ## Context
+
+      - Files to review: $ARGUMENTS or staged changes
+      - Diff: !`git diff --cached --stat 2>/dev/null || git diff HEAD --stat`
+
+      ## Task
+
+      Review the code for:
+      1. **Bugs**: Logic errors, edge cases, null checks
+      2. **Security**: Input validation, secrets, injection
+      3. **Performance**: Unnecessary work, memory leaks
+      4. **Style**: Naming, complexity, documentation
+
+      Output format:
+      - 🔴 Critical (must fix)
+      - 🟡 Warning (should fix)
+      - 🟢 Suggestion (nice to have)
+    '';
+
+    refactor = ''
+      ---
+      description: Refactor code while preserving behavior
+      argument-hint: <file-or-symbol>
+      ---
+      ## Task
+
+      Refactor $ARGUMENTS to improve:
+      - Maintainability
+      - Remove duplication
+      - Simplify complex logic
+      - Improve naming
+
+      Rules:
+      - Preserve existing behavior exactly
+      - Make small, incremental changes
+      - Keep changes reviewable
+    '';
+
+    ## Documentation
+    explain = ''
+      ---
+      description: Explain code in detail
+      argument-hint: <file-or-symbol>
+      ---
+      Read and explain $ARGUMENTS:
+      1. Purpose and responsibility
+      2. How it works (high-level flow)
+      3. Key dependencies and interactions
+      4. Important edge cases or gotchas
+    '';
+
+    doc = ''
+      ---
+      description: Generate or improve documentation
+      argument-hint: <file-or-symbol>
+      ---
+      ## Task
+
+      Document $ARGUMENTS:
+      - Add/update inline comments for complex logic
+      - Add/update function/module documentation
+      - Follow existing documentation style in codebase
+
+      For Nix:
+      - Add `description` to mkOption
+      - Add comments for non-obvious configuration
+    '';
+
+    ## Quick actions
+    test = ''
+      ---
+      description: Run project tests
+      ---
+      Detect and run tests:
+      - Nix: `nix flake check`
+      - Node: `npm test`
+      - Python: `pytest`
+      - Rust: `cargo test`
+
+      Report results and any failures.
+    '';
+
+    build = ''
+      ---
+      description: Build the project
+      ---
+      Detect and build:
+      - Nix flake: `nix build`
+      - Nix darwin: `darwin-rebuild build --flake .`
+      - Node: `npm run build`
+      - Rust: `cargo build`
+
+      Report success or errors.
+    '';
+
+    clean = ''
+      ---
+      description: Clean build artifacts and caches
+      ---
+      Clean up:
+      1. Git ignored files (with confirmation)
+      2. Nix result symlinks
+      3. Build caches (node_modules/.cache, __pycache__, target/)
+
+      Ask before deleting anything significant.
+    '';
+  };
+}