diff --git a/bot_bottle/backend/docker/provision/provider_auth.py b/bot_bottle/backend/docker/provision/provider_auth.py index 7d0478c..eed6010 100644 --- a/bot_bottle/backend/docker/provision/provider_auth.py +++ b/bot_bottle/backend/docker/provision/provider_auth.py @@ -9,6 +9,7 @@ import subprocess from ..bottle_plan import DockerBottlePlan +_CODEX_HOME_PROJECT = "/home/node" _CODEX_WORKSPACE = "/home/node/workspace" @@ -16,9 +17,10 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None: """Prepare Codex home state inside a Docker bottle. Every Codex bottle gets a minimal config.toml that trusts the - in-container workspace path. When host credentials are forwarded, - auth.json contains no real access or refresh token values; it only - nudges Codex into the same user/device auth branch as the host. + in-container launch directory and workspace path. When host + credentials are forwarded, auth.json contains no real access or + refresh token values; it only nudges Codex into the same user/device + auth branch as the host. """ if plan.agent_provider_template != "codex": return @@ -42,6 +44,9 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None: ) config_path = f"{auth_dir}/config.toml" config = ( + f'[projects."{_CODEX_HOME_PROJECT}"]\n' + 'trust_level = "trusted"\n' + "\n" f'[projects."{_CODEX_WORKSPACE}"]\n' 'trust_level = "trusted"\n' ) diff --git a/bot_bottle/backend/smolmachines/provision/provider_auth.py b/bot_bottle/backend/smolmachines/provision/provider_auth.py index 1d50b5d..7357a32 100644 --- a/bot_bottle/backend/smolmachines/provision/provider_auth.py +++ b/bot_bottle/backend/smolmachines/provision/provider_auth.py @@ -11,6 +11,7 @@ from ..bottle_plan import SmolmachinesBottlePlan _DEFAULT_GUEST_HOME = "/home/node" +_CODEX_HOME_PROJECT = "/home/node" _CODEX_WORKSPACE = "/home/node/workspace" 
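Review bot: The new `[projects."/home/node"]` table in `config` marks the whole home directory as a trusted Codex project, a wider scope than the workspace entry beside it. `config_path` is built from `auth_dir`, and if that directory sits under `/home/node` (not visible in this hunk) the trusted project now contains Codex's own `config.toml` and `auth.json`. If the only goal is to skip the trust prompt at the launch directory, say so next to `_CODEX_HOME_PROJECT`, for example `# Launch cwd only; isolation comes from the bottle, not from Codex project trust.`, or launch Codex in `_CODEX_WORKSPACE` so the home entry is not needed. The same table is added to the smolmachines `provision_provider_auth`, so this applies there too; the function body continues outside the hunk.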
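Review bot: `_CODEX_HOME_PROJECT = "/home/node"` repeats the literal already held by `_DEFAULT_GUEST_HOME` on the line above, so the trusted path and the guest home can drift apart when one of them is edited. Deriving it keeps the two tied: `_CODEX_HOME_PROJECT = _DEFAULT_GUEST_HOME`. The name `_DEFAULT_GUEST_HOME` suggests the guest home may be overridden elsewhere in the file, which this hunk does not show. If it can be, the trust entry should follow the effective home rather than the default, otherwise the launch directory would not match the trusted path.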
@@ -18,9 +19,10 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None: """Prepare Codex home state inside the smolmachine. Every Codex bottle gets a minimal config.toml that trusts the - in-guest workspace path. When host credentials are forwarded, the - real host access token remains in the egress bundle env; auth.json - only selects Codex's user/device auth code path. + in-guest launch directory and workspace path. When host credentials + are forwarded, the real host access token remains in the egress + bundle env; auth.json only selects Codex's user/device auth code + path. """ if plan.agent_provider_template != "codex": return @@ -70,6 +72,9 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None: config_path = f"{auth_dir}/config.toml" config = ( + f'[projects."{_CODEX_HOME_PROJECT}"]\n' + 'trust_level = "trusted"\n' + "\n" f'[projects."{_CODEX_WORKSPACE}"]\n' 'trust_level = "trusted"\n' ) diff --git a/tests/unit/test_docker_provision_provider_auth.py b/tests/unit/test_docker_provision_provider_auth.py index 4541b1b..2924b40 100644 --- a/tests/unit/test_docker_provision_provider_auth.py +++ b/tests/unit/test_docker_provision_provider_auth.py @@ -90,6 +90,7 @@ class TestProvisionProviderAuth(unittest.TestCase): a for a in argvs if a[:6] == ["docker", "exec", "-u", "0", "bot-bottle-demo-abc12", "sh"] ) + self.assertIn('[projects."/home/node"]', trust_config[-1]) self.assertIn('[projects."/home/node/workspace"]', trust_config[-1]) self.assertIn('trust_level = "trusted"', trust_config[-1]) self.assertIn( diff --git a/tests/unit/test_smolmachines_provision.py b/tests/unit/test_smolmachines_provision.py index 5aa780f..14a0451 100644 --- a/tests/unit/test_smolmachines_provision.py +++ b/tests/unit/test_smolmachines_provision.py 
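Review bot: The added `self.assertIn('[projects."/home/node"]', trust_config[-1])` in the Docker test proves the table header is written but not that the table carries its own `trust_level`. The existing `trust_level = "trusted"` assertion is already satisfied by the workspace table alone, so a regression that drops the line from the home table would pass. Assuming the config text appears once and verbatim in the command, `self.assertEqual(trust_config[-1].count('trust_level = "trusted"'), 2)` would pin both entries. The same gap exists in `tests/unit/test_smolmachines_provision.py`, where the check would use `trust_config[2]`. The test method starts and ends outside the hunk.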
@@ -228,6 +228,7 @@ class TestProvisionProviderAuth(unittest.TestCase): a for a in argv_seen if a[:2] == ["sh", "-c"] and "config.toml" in a[2] ) + self.assertIn('[projects."/home/node"]', trust_config[2]) self.assertIn('[projects."/home/node/workspace"]', trust_config[2]) self.assertIn('trust_level = "trusted"', trust_config[2]) self.assertIn(