refactor(egress): use provisioned_env instead of sentinel for Codex token (PRD 0030)

Add `provisioned_env: dict[str, str]` to `AgentProvisionPlan`. When
`forward_host_credentials=True`, `agent_provision_plan` reads the host
Codex access token at prepare time and stores it under
`CODEX_HOST_CREDENTIAL_TOKEN_REF`. Both backends merge `provisioned_env`
over `os.environ` before calling `egress_resolve_token_values`, so the
token slot resolves like any other manifest-declared token ref.

Removes `egress_resolve_token_values_with_provider` and the sentinel
`continue` skip from `egress_resolve_token_values`. The function is now
fully generic — it neither knows nor cares about provider identity.

bot_bottle/agent_provider.py

@@ -12,7 +12,7 @@ from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Literal
 
-from .codex_auth import write_codex_dummy_auth_file
+from .codex_auth import codex_host_access_token, write_codex_dummy_auth_file
 from .egress import CODEX_HOST_CREDENTIAL_TOKEN_REF, EgressRoute
 
 
@@ -92,6 +92,7 @@ class AgentProvisionPlan:
     verify: tuple[AgentProvisionCommand, ...] = ()
     egress_routes: tuple[EgressRoute, ...] = ()
     hidden_env_names: frozenset[str] = field(default_factory=frozenset)
+    provisioned_env: dict[str, str] = field(default_factory=dict)
 
 
 _REPO_ROOT = Path(__file__).resolve().parent.parent
@@ -139,6 +140,7 @@ def agent_provision_plan(
     runtime = runtime_for(template)
     resolved_guest_env = dict(guest_env or {})
     env_vars: dict[str, str] = {}
+    provisioned_env: dict[str, str] = {}
     dirs: list[AgentProvisionDir] = []
     files: list[AgentProvisionFile] = []
     pre_copy: list[AgentProvisionCommand] = []
@@ -169,8 +171,12 @@ def agent_provision_plan(
                 tls_passthrough=True,
             ))
         if forward_host_credentials:
+            _host_env = host_env or dict(os.environ)
+            provisioned_env[CODEX_HOST_CREDENTIAL_TOKEN_REF] = codex_host_access_token(
+                _host_env,
+            )
             auth_file = state_dir / "codex-auth.json"
-            write_codex_dummy_auth_file(auth_file, host_env or dict(os.environ))
+            write_codex_dummy_auth_file(auth_file, _host_env)
             files.append(AgentProvisionFile(auth_file, f"{auth_dir}/auth.json"))
             pre_copy.append(AgentProvisionCommand((
                 "find", auth_dir,
@@ -220,6 +226,7 @@ def agent_provision_plan(
         verify=tuple(verify),
         egress_routes=tuple(egress_routes),
         hidden_env_names=hidden_env_names,
+        provisioned_env=provisioned_env,
     )
 
 

bot_bottle/backend/docker/launch.py

@@ -42,7 +42,7 @@ from contextlib import ExitStack, contextmanager
 from pathlib import Path
 from typing import Callable, Generator
 
-from ...egress import egress_resolve_token_values_with_provider
+from ...egress import egress_resolve_token_values
 from ...log import info
 from . import network as network_mod
 from . import util as docker_mod
@@ -176,11 +176,9 @@ def launch(
         # Step 7: compose up. Token values + the OAuth placeholder
         # flow through subprocess env; the compose file holds only
         # bare names for the secret-carrying entries.
-        bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
-        token_values = egress_resolve_token_values_with_provider(
-            plan.egress_plan.token_env_map,
-            bottle.agent_provider.forward_host_credentials,
-            dict(os.environ),
+        effective_env = {**dict(os.environ), **plan.agent_provision.provisioned_env}
+        token_values = egress_resolve_token_values(
+            plan.egress_plan.token_env_map, effective_env,
         )
         compose_env: dict[str, str] = {
             **os.environ,

bot_bottle/backend/smolmachines/launch.py

@@ -28,7 +28,7 @@ from typing import Callable, Generator
 
 from ...egress import (
     EGRESS_ROUTES_IN_CONTAINER,
-    egress_resolve_token_values_with_provider,
+    egress_resolve_token_values,
 )
 from ...pipelock import (
     PIPELOCK_CA_CERT_IN_CONTAINER,
@@ -423,12 +423,8 @@ def _resolve_token_env(
     """Resolve the egress token env-var values from the host's
     environ so they reach the bundle's process env via docker's
     `-e NAME` inheritance. Empty when no routes declare auth."""
-    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
-    return egress_resolve_token_values_with_provider(
-        plan.egress_plan.token_env_map,
-        bottle.agent_provider.forward_host_credentials,
-        host_env,
-    )
+    effective_env = {**host_env, **plan.agent_provision.provisioned_env}
+    return egress_resolve_token_values(plan.egress_plan.token_env_map, effective_env)
 
 
 def _ensure_smolmachine(image_ref: str, *, dockerfile: str = "") -> Path:

bot_bottle/egress.py

@@ -29,7 +29,6 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import TYPE_CHECKING
 
-from .codex_auth import codex_host_access_token
 from .log import die
 
 if TYPE_CHECKING:
@@ -342,8 +341,6 @@ def egress_resolve_token_values(
     a sealed mapping without touching `os.environ`."""
     out: dict[str, str] = {}
     for token_env, token_ref in token_env_map.items():
-        if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
-            continue
         value = host_env.get(token_ref)
         if value is None:
             die(
@@ -361,31 +358,6 @@ def egress_resolve_token_values(
     return out
 
 
-def egress_resolve_token_values_with_provider(
-    token_env_map: dict[str, str],
-    forward_host_credentials: bool,
-    host_env: dict[str, str],
-) -> dict[str, str]:
-    """Resolve all egress token env-var values, including the optional
-    Codex host credential slot.
-
-    Combines `egress_resolve_token_values` (manifest-declared token refs)
-    with the `forward_host_credentials` path (Codex ChatGPT bearer).
-    Returns an empty dict when `token_env_map` is empty.
-
-    Pure function: `host_env` is passed in so tests can use a sealed
-    mapping without touching `os.environ`."""
-    if not token_env_map:
-        return {}
-    token_values = egress_resolve_token_values(token_env_map, host_env)
-    if forward_host_credentials:
-        access_token = codex_host_access_token(host_env)
-        for token_env, token_ref in token_env_map.items():
-            if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
-                token_values[token_env] = access_token
-    return token_values
-
-
 class Egress(ABC):
     """The per-bottle egress proxy. Encapsulates the host-side prepare
     (route lift + routes.yaml render + token-env-map derivation); the
@@ -429,7 +401,6 @@ __all__ = [
     "egress_manifest_routes",
     "egress_render_routes",
     "egress_resolve_token_values",
-    "egress_resolve_token_values_with_provider",
     "egress_routes_for_bottle",
     "egress_token_env_map",
 ]