Try to fix workers and workspace

README.md

@@ -200,9 +200,10 @@ curl -H "Authorization: Bearer $SPOON_AGENT_WORKER_INTERNAL_TOKEN" \
   http://spoon-agent-worker:3921/health
 ```
 
-For the first production run, use an API-key based AI provider profile. Stored
-OpenCode/Codex `auth.json` profiles are supported in settings, but worker-side
-auth-file injection is still a follow-up before they can execute jobs.
+API-key based AI provider profiles run through OpenCode. Codex ChatGPT login
+profiles run through the Codex CLI: Spoon writes the encrypted `auth.json` into
+the isolated job workspace as `CODEX_HOME/.codex/auth.json` before execution.
+Treat that saved auth file like a password and only use it on trusted workers.
 
 </details>
 
@@ -294,7 +295,8 @@ The mobile app currently supports:
 - thread list/detail, message composer, resolve/cancel actions, and workspace
   review links
 - GitHub integration status and repository listing
-- AI provider profile management, including Codex/OpenCode auth JSON
+- AI provider profile management, including Codex auth JSON and API-key
+  providers
 - read-only workspace review for job status, messages, diffs, events,
   artifacts, and draft PR links
 
@@ -466,11 +468,12 @@ not call Infisical.
 - GitHub drift refresh, commit cache, PR cache, and sync-run history
 - Effective drift and ignored upstream change records
 - Global Threads page and Spoon-scoped Threads tab
-- OpenCode-oriented agent worker and browser workspace foundation
+- OpenCode/Codex-oriented agent worker and browser workspace foundation
 - Monaco editor with optional Vim mode
 - Diff viewer, command panel, worker logs, and artifacts
 - Encrypted Spoon secrets and bulk `.env` import
-- Encrypted AI provider profiles, including Codex/OpenCode auth support
+- Encrypted AI provider profiles, including Codex auth JSON and API-key
+  provider support
 - Authentik, GitHub, and password auth through Convex Auth
 - Self-hosted Convex/Postgres deployment model