[codex] Add Flash 3.1 Lite mobile harness for Telegram

[JamesFincher]

Summary

This PR turns Codex Relay into a stronger phone-first mobile harness for a local Mac Codex install, with the Gemini layer centered on the Flash 3.1 Lite model (gemini-3.1-flash-lite-preview).

The headline path is now: install the relay once, then send /gemini key YOUR_GEMINI_API_KEY from Telegram. The relay saves the key privately, enables Gemini natural command routing and reply polish, reloads the running process immediately, and best-effort deletes the Telegram message containing the key. No Mac-side editor, restart, or manual .env edit is required after the first LaunchAgent install.

What changed

• Added Telegram-side Gemini setup:

  • /gemini key ... accepts a Gemini API key from Telegram.
  • Bare Gemini API keys in private Telegram messages are also recognized by the built-in control path before Codex sees them.
  • /gemini on, /gemini off, and /gemini clear manage the feature later.
  • The status text shows the configured Flash 3.1 Lite model, max output tokens, natural-command state, polish state, and setup hint.

• Made startup/runtime config support zero-intervention mobile enablement:

  • scripts/configure.py now writes Gemini defaults during install.
  • scripts/install_launch_agent.sh now copies the repo path into runtime config and seeds Gemini defaults into the LaunchAgent runtime .env while preserving explicit user choices.
  • Runtime updates persist to the private LaunchAgent .env, and to the repo .env when available, so /gemini key ... survives restarts.
  • Gemini defaults now include enabled=true, natural commands=true, polish=true, model=gemini-3.1-flash-lite-preview, max output tokens=4096, timeout, and error notices.

• Expanded the Telegram mobile harness:

  • Pending request queue while a Codex thread is busy.
  • /queue, /forget, /forgetphotos, and Gemini-planned queue edits.
  • /activity for running jobs, pending work, terminals, and recent safe history.
  • /think to change Codex thinking mode per Telegram thread.
  • PTY-backed /terminal sessions for explicit terminal work from Telegram.
  • /file for sending safe local files back to Telegram.
  • /recover plus scripts/recover.sh for local self-repair checks.
  • Telegram photo albums and queued image attachments.

• Improved mobile reliability and operator feedback:

  • Non-fatal Telegram long-poll timeout handling.
  • More useful job progress snapshots.
  • More complete /status, /health, doctor, and local status UI output.
  • Doctor now respects a configured CODEX_BIN path.
  • Existing TLS/CA fallback handling remains included so Telegram token verification is less brittle on macOS and managed networks.

• Updated docs:

  • README and PHONE_REMOTE.md now document the Flash 3.1 Lite mobile harness path.
  • The installer finish text now tells users they can enable Gemini from Telegram with /gemini key YOUR_GEMINI_API_KEY.
  • .env.example includes the new runtime, queue, terminal, file transfer, polling, image, thinking-mode, and Gemini defaults.

Why

The previous Gemini setup still assumed the user could edit local config or restart from the Mac. That breaks the actual phone-first use case: someone installs the LaunchAgent, leaves the Mac alone, and wants to enable the natural-language mobile harness later from Telegram.

This PR makes the Gemini token submission and feature enablement part of the Telegram control surface itself. The slash-command layer still works without Gemini; Flash 3.1 Lite only adds natural-language planning and phone-readable answer polish on top of the same relay actions.

Security and privacy notes

• The Gemini key is written only to private env files using 0600 permissions.
• The key is loaded into the running relay immediately, so a restart is not needed.
• The relay attempts to delete the Telegram message that contained the key.
• Secret-looking prompts, .env content, API tokens, private keys, and similar values bypass Gemini planning/polish guards.
• /file blocks obvious secret/runtime paths by default.
• No .env, bot token, runtime state, private logs, screenshots, or transcripts are committed.

Validation

• python3 -m py_compile codex_relay.py scripts/configure.py
• PYTHONPATH=. python3 scripts/smoke_test.py
• zsh -n scripts/install.sh scripts/install_launch_agent.sh scripts/doctor.sh scripts/recover.sh scripts/status.sh scripts/status_ui.sh scripts/update.sh
• git diff --check
• python3 codex_relay.py --check-config

The local check-config path reported Telegram and Gemini configured without printing secret values, and confirmed the Flash 3.1 Lite model plus natural commands and polish enabled.

[dicnunz]

Parking this until the core Mission Control install path has more real-user feedback. The Gemini/queue/terminal/file-transfer scope is useful, but it widens the product before the current lane/approval/Relay core has enough installs.