fix: prevent .env inline comments from being parsed as JWT tokens

Docker Compose env_file doesn't strip inline comments, so
"CODEX_JWT_TOKEN= # comment" was treated as a real token, creating
ghost accounts on every restart.

- Move .env.example comments to separate lines
- Validate JWT format in config.ts (must start with "eyJ")

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -1,4 +1,14 @@
-CODEX_JWT_TOKEN=       # Optional: paste ChatGPT JWT (skip OAuth login)
-CODEX_PLATFORM=linux   # linux for Docker, darwin for macOS, win32 for Windows
-CODEX_ARCH=x64         # x64 for Docker/Intel, arm64 for Apple Silicon
+# Codex Proxy Configuration
+# Copy this file to .env and edit values as needed:  cp .env.example .env
+
+# Optional: paste ChatGPT JWT to skip OAuth login (leave empty to use OAuth)
+CODEX_JWT_TOKEN=
+
+# Platform: linux for Docker, darwin for macOS, win32 for Windows
+CODEX_PLATFORM=linux
+
+# Architecture: x64 for Docker/Intel, arm64 for Apple Silicon
+CODEX_ARCH=x64
+
+# Server port
 PORT=8080

src/config.ts

@@ -77,8 +77,11 @@ function loadYaml(filePath: string): unknown {
 }
 
 function applyEnvOverrides(raw: Record<string, unknown>): Record<string, unknown> {
-  if (process.env.CODEX_JWT_TOKEN) {
-    (raw.auth as Record<string, unknown>).jwt_token = process.env.CODEX_JWT_TOKEN;
+  const jwtEnv = process.env.CODEX_JWT_TOKEN?.trim();
+  if (jwtEnv && jwtEnv.startsWith("eyJ")) {
+    (raw.auth as Record<string, unknown>).jwt_token = jwtEnv;
+  } else if (jwtEnv) {
+    console.warn("[Config] CODEX_JWT_TOKEN ignored: not a valid JWT (must start with 'eyJ')");
   }
   if (process.env.CODEX_PLATFORM) {
     (raw.client as Record<string, unknown>).platform = process.env.CODEX_PLATFORM;