# 2026-05-10 run pitfall: env parsing and Chrome CDP Origin During a follow-up run using the low-token Codex OAuth skill, two reusable pitfalls appeared before the flow reached OpenAI signup: ## 1. Do not blindly `source` the env file `~/.hermes/env/codex_oauth_onboarding.env` may contain unquoted paths with spaces, e.g. Chrome app paths. Plain shell `source` can fail with an error like: ```text ...codex_oauth_onboarding.env: line 7: Chrome.app/Contents/MacOS/Google: No such file or directory ``` For validation/probe scripts, parse `KEY=VALUE` safely in Python instead of shell sourcing, or require quoting before shell use. Minimal safe parser pattern: ```python from pathlib import Path import re, shlex env = {} for line in Path.home().joinpath('.hermes/env/codex_oauth_onboarding.env').read_text().splitlines(): line = line.strip() if not line or line.startswith('#') or '=' not in line: continue if line.startswith('export '): line = line[7:].strip() k, v = line.split('=', 1) k, v = k.strip(), v.strip() if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', k): continue try: if v and v[0] in '"\'': v = shlex.split(v)[0] except Exception: pass env[k] = v.strip('"\'') ``` ## 2. Chrome CDP WebSocket Origin rejection When using Python `websocket-client` against an existing Chrome remote debugging port, Chrome can reject the handshake: ```text websocket._exceptions.WebSocketBadStatusException: Handshake status 403 Forbidden Rejected an incoming WebSocket connection from the http://127.0.0.1:9224 origin. Use --remote-allow-origins=http://127.0.0.1:9224 or --remote-allow-origins=* ``` Preferred prevention: launch automation Chrome with: ```bash --remote-allow-origins=* ``` If the Chrome instance is already running, try a matching Origin when connecting: ```python import websocket ws = websocket.create_connection(ws_url, timeout=10, origin='http://127.0.0.1:9224') ``` Do this before concluding Dashboard CDP is unavailable.