refactor(egress): use provisioned_env instead of sentinel for Codex token (PRD 0030)

Add `provisioned_env: dict[str, str]` to `AgentProvisionPlan`. When
`forward_host_credentials=True`, `agent_provision_plan` reads the host
Codex access token at prepare time and stores it under
`CODEX_HOST_CREDENTIAL_TOKEN_REF`. Both backends merge `provisioned_env`
over `os.environ` before calling `egress_resolve_token_values`, so the
token slot resolves like any other manifest-declared token ref.

Removes `egress_resolve_token_values_with_provider` and the sentinel
`continue` skip from `egress_resolve_token_values`. The function is now
fully generic — it neither knows nor cares about provider identity.
2026-06-02 04:53:23 +00:00
parent 8c2b59ca94
commit 0e29bcc829
6 changed files with 49 additions and 107 deletions
-29
@@ -29,7 +29,6 @@ from dataclasses import dataclass
from pathlib import Path
from typing import TYPE_CHECKING
from .codex_auth import codex_host_access_token
from .log import die
if TYPE_CHECKING:
@@ -342,8 +341,6 @@ def egress_resolve_token_values(
a sealed mapping without touching `os.environ`."""
out: dict[str, str] = {}
for token_env, token_ref in token_env_map.items():
if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
continue
value = host_env.get(token_ref)
if value is None:
die(
@@ -361,31 +358,6 @@ def egress_resolve_token_values(
return out
def egress_resolve_token_values_with_provider(
token_env_map: dict[str, str],
forward_host_credentials: bool,
host_env: dict[str, str],
) -> dict[str, str]:
"""Resolve all egress token env-var values, including the optional
Codex host credential slot.
Combines `egress_resolve_token_values` (manifest-declared token refs)
with the `forward_host_credentials` path (Codex ChatGPT bearer).
Returns an empty dict when `token_env_map` is empty.
Pure function: `host_env` is passed in so tests can use a sealed
mapping without touching `os.environ`."""
if not token_env_map:
return {}
token_values = egress_resolve_token_values(token_env_map, host_env)
if forward_host_credentials:
access_token = codex_host_access_token(host_env)
for token_env, token_ref in token_env_map.items():
if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
token_values[token_env] = access_token
return token_values
class Egress(ABC):
"""The per-bottle egress proxy. Encapsulates the host-side prepare
(route lift + routes.yaml render + token-env-map derivation); the
@@ -429,7 +401,6 @@ __all__ = [
"egress_manifest_routes",
"egress_render_routes",
"egress_resolve_token_values",
"egress_resolve_token_values_with_provider",
"egress_routes_for_bottle",
"egress_token_env_map",
]
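Review bot: With the sentinel `continue` removed from `egress_resolve_token_values`, an entry whose ref is `CODEX_HOST_CREDENTIAL_TOKEN_REF` is now looked up in `host_env` like any other ref, so the result depends on every caller having merged `provisioned_env` over the host environment before the call. Those call sites are not in this file section, so that cannot be confirmed from here. If the map can still carry that ref when `forward_host_credentials` is false, the lookup would presumably either reach `die(...)` or return whatever the host environment holds under that key. The docstring should state the precondition, for example `host_env must already include AgentProvisionPlan.provisioned_env; no token ref is special-cased here.`, and a unit test with the ref present and absent in a sealed mapping would pin both outcomes. The function body starts and ends outside the visible hunks.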