didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

fix(codex): trust launch home directory
test / unit (pull_request) Successful in 30s
Details
test / integration (pull_request) Successful in 49s
Details

Browse Source
This commit is contained in:
didericis (codex)
2026-06-01 17:16:00 -04:00
parent 3942b51184
commit 1d2dfeefa4
4 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bot_bottle/backend/docker/provision/provider_auth.py
+8 -3
View File
@@ -9,6 +9,7 @@ import subprocess
from ..bottle_plan import DockerBottlePlan
_CODEX_HOME_PROJECT = "/home/node"
_CODEX_WORKSPACE = "/home/node/workspace"
@@ -16,9 +17,10 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
"""Prepare Codex home state inside a Docker bottle.
Every Codex bottle gets a minimal config.toml that trusts the
in-container workspace path. When host credentials are forwarded,
auth.json contains no real access or refresh token values; it only
nudges Codex into the same user/device auth branch as the host.
in-container launch directory and workspace path. When host
credentials are forwarded, auth.json contains no real access or
refresh token values; it only nudges Codex into the same user/device
auth branch as the host.
"""
if plan.agent_provider_template != "codex":
return
@@ -42,6 +44,9 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
)
config_path = f"{auth_dir}/config.toml"
config = (
f'[projects."{_CODEX_HOME_PROJECT}"]\n'
'trust_level = "trusted"\n'
"\n"
f'[projects."{_CODEX_WORKSPACE}"]\n'
'trust_level = "trusted"\n'
)
bot_bottle/backend/smolmachines/provision/provider_auth.py
+8 -3
View File
@@ -11,6 +11,7 @@ from ..bottle_plan import SmolmachinesBottlePlan
_DEFAULT_GUEST_HOME = "/home/node"
_CODEX_HOME_PROJECT = "/home/node"
_CODEX_WORKSPACE = "/home/node/workspace"
@@ -18,9 +19,10 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
"""Prepare Codex home state inside the smolmachine.
Every Codex bottle gets a minimal config.toml that trusts the
in-guest workspace path. When host credentials are forwarded, the
real host access token remains in the egress bundle env; auth.json
only selects Codex's user/device auth code path.
in-guest launch directory and workspace path. When host credentials
are forwarded, the real host access token remains in the egress
bundle env; auth.json only selects Codex's user/device auth code
path.
"""
if plan.agent_provider_template != "codex":
return
@@ -70,6 +72,9 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
config_path = f"{auth_dir}/config.toml"
config = (
f'[projects."{_CODEX_HOME_PROJECT}"]\n'
'trust_level = "trusted"\n'
"\n"
f'[projects."{_CODEX_WORKSPACE}"]\n'
'trust_level = "trusted"\n'
)
tests/unit/test_docker_provision_provider_auth.py
+1
View File
@@ -90,6 +90,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
a for a in argvs
if a[:6] == ["docker", "exec", "-u", "0", "bot-bottle-demo-abc12", "sh"]
)
self.assertIn('[projects."/home/node"]', trust_config[-1])
self.assertIn('[projects."/home/node/workspace"]', trust_config[-1])
self.assertIn('trust_level = "trusted"', trust_config[-1])
self.assertIn(
tests/unit/test_smolmachines_provision.py
+1
View File
@@ -228,6 +228,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
a for a in argv_seen
if a[:2] == ["sh", "-c"] and "config.toml" in a[2]
)
self.assertIn('[projects."/home/node"]', trust_config[2])
self.assertIn('[projects."/home/node/workspace"]', trust_config[2])
self.assertIn('trust_level = "trusted"', trust_config[2])
self.assertIn(