refactor(codex): derive trusted paths from guest home

bot_bottle/backend/docker/provision/provider_auth.py

@@ -9,22 +9,22 @@ import subprocess
 from ..bottle_plan import DockerBottlePlan
 
 
-_CODEX_HOME_PROJECT = "/home/node"
+_DEFAULT_GUEST_HOME = "/home/node"
-_CODEX_WORKSPACE = "/home/node/workspace"
 
 
 def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
     """Prepare Codex home state inside a Docker bottle.
 
     Every Codex bottle gets a minimal config.toml that trusts the
-    in-container launch directory and workspace path. When host
+    in-container launch directory. When host credentials are forwarded,
-    credentials are forwarded, auth.json contains no real access or
+    auth.json contains no real access or refresh token values; it only
-    refresh token values; it only nudges Codex into the same user/device
+    nudges Codex into the same user/device auth branch as the host.
-    auth branch as the host.
     """
     if plan.agent_provider_template != "codex":
         return
-    container_home = os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node")
+    container_home = os.environ.get(
+        "BOT_BOTTLE_CONTAINER_HOME", _DEFAULT_GUEST_HOME,
+    )
     auth_dir = f"{container_home}/.codex"
 
     subprocess.run(
@@ -44,10 +44,7 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
     )
     config_path = f"{auth_dir}/config.toml"
     config = (
-        f'[projects."{_CODEX_HOME_PROJECT}"]\n'
+        f'[projects."{container_home}"]\n'
-        'trust_level = "trusted"\n'
-        "\n"
-        f'[projects."{_CODEX_WORKSPACE}"]\n'
         'trust_level = "trusted"\n'
     )
     subprocess.run(

bot_bottle/backend/smolmachines/provision/provider_auth.py

@@ -11,18 +11,15 @@ from ..bottle_plan import SmolmachinesBottlePlan
 
 
 _DEFAULT_GUEST_HOME = "/home/node"
-_CODEX_HOME_PROJECT = "/home/node"
-_CODEX_WORKSPACE = "/home/node/workspace"
 
 
 def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
     """Prepare Codex home state inside the smolmachine.
 
     Every Codex bottle gets a minimal config.toml that trusts the
-    in-guest launch directory and workspace path. When host credentials
+    in-guest launch directory. When host credentials are forwarded,
-    are forwarded, the real host access token remains in the egress
+    the real host access token remains in the egress bundle env;
-    bundle env; auth.json only selects Codex's user/device auth code
+    auth.json only selects Codex's user/device auth code path.
-    path.
     """
     if plan.agent_provider_template != "codex":
         return
@@ -72,10 +69,7 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
 
     config_path = f"{auth_dir}/config.toml"
     config = (
-        f'[projects."{_CODEX_HOME_PROJECT}"]\n'
+        f'[projects."{guest_home}"]\n'
-        'trust_level = "trusted"\n'
-        "\n"
-        f'[projects."{_CODEX_WORKSPACE}"]\n'
         'trust_level = "trusted"\n'
     )
     result = _smolvm.machine_exec(

tests/unit/test_docker_provision_provider_auth.py

@@ -75,7 +75,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
             )
         self.assertEqual(0, run.call_count)
 
-    def test_codex_provider_trusts_workspace_without_auth_file(self):
+    def test_codex_provider_trusts_launch_dir_without_auth_file(self):
         with patch.object(_provider_auth.subprocess, "run") as run:
             _provider_auth.provision_provider_auth(
                 _plan(), "bot-bottle-demo-abc12",
@@ -91,7 +91,6 @@ class TestProvisionProviderAuth(unittest.TestCase):
             if a[:6] == ["docker", "exec", "-u", "0", "bot-bottle-demo-abc12", "sh"]
         )
         self.assertIn('[projects."/home/node"]', trust_config[-1])
-        self.assertIn('[projects."/home/node/workspace"]', trust_config[-1])
         self.assertIn('trust_level = "trusted"', trust_config[-1])
         self.assertIn(
             ["docker", "exec", "-u", "0", "bot-bottle-demo-abc12",

tests/unit/test_smolmachines_provision.py

@@ -213,7 +213,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
         self.assertEqual(0, cp.call_count)
         self.assertEqual(0, ex.call_count)
 
-    def test_codex_provider_trusts_workspace_without_auth_file(self):
+    def test_codex_provider_trusts_launch_dir_without_auth_file(self):
         cp_p, ex_p = self._patch()
         with cp_p as cp, ex_p as ex:
             ex.return_value = SmolvmRunResult(0, "", "")
@@ -229,7 +229,6 @@ class TestProvisionProviderAuth(unittest.TestCase):
             if a[:2] == ["sh", "-c"] and "config.toml" in a[2]
         )
         self.assertIn('[projects."/home/node"]', trust_config[2])
-        self.assertIn('[projects."/home/node/workspace"]', trust_config[2])
         self.assertIn('trust_level = "trusted"', trust_config[2])
         self.assertIn(
             ["chown", "node:node", "/home/node/.codex/config.toml"],