refactor(egress): deduplicate token resolution across backends (PRD 0030)

Extract egress_resolve_token_values_with_provider into bot_bottle/egress.py. Both docker and smolmachines launch paths now call the shared function instead of duplicating the forward_host_credentials / CODEX_HOST_CREDENTIAL_TOKEN_REF resolution block. Also fixes the host_env: object annotation on smolmachines._resolve_token_env to the correct dict[str, str]. Closes #118.
2026-06-02 04:22:43 +00:00
parent 6682357fbb
commit 75f0f9d907
4 changed files with 104 additions and 35 deletions
@@ -42,11 +42,7 @@ from contextlib import ExitStack, contextmanager
 from pathlib import Path
 from typing import Callable, Generator

-from ...codex_auth import codex_host_access_token
-from ...egress import (
-    CODEX_HOST_CREDENTIAL_TOKEN_REF,
-    egress_resolve_token_values,
-)
+from ...egress import egress_resolve_token_values_with_provider
 from ...log import info
 from . import network as network_mod
 from . import util as docker_mod
@@ -180,18 +176,12 @@ def launch(
        # Step 7: compose up. Token values + the OAuth placeholder
        # flow through subprocess env; the compose file holds only
        # bare names for the secret-carrying entries.
-        token_values: dict[str, str] = {}
-        if plan.egress_plan.routes:
-            token_values = egress_resolve_token_values(
-                plan.egress_plan.token_env_map, dict(os.environ),
-            )
-            if plan.spec.manifest.bottle_for(
-                plan.spec.agent_name,
-            ).agent_provider.forward_host_credentials:
-                access_token = codex_host_access_token(dict(os.environ))
-                for token_env, token_ref in plan.egress_plan.token_env_map.items():
-                    if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
-                        token_values[token_env] = access_token
+        bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+        token_values = egress_resolve_token_values_with_provider(
+            plan.egress_plan.token_env_map,
+            bottle.agent_provider.forward_host_credentials,
+            dict(os.environ),
+        )
        compose_env: dict[str, str] = {
            **os.environ,
            **plan.forwarded_env,
@@ -26,11 +26,9 @@ from contextlib import ExitStack, contextmanager
 from pathlib import Path
 from typing import Callable, Generator

-from ...codex_auth import codex_host_access_token
 from ...egress import (
-    CODEX_HOST_CREDENTIAL_TOKEN_REF,
    EGRESS_ROUTES_IN_CONTAINER,
-    egress_resolve_token_values,
+    egress_resolve_token_values_with_provider,
 )
 from ...pipelock import (
    PIPELOCK_CA_CERT_IN_CONTAINER,
@@ -146,7 +144,7 @@ def launch(
        # spec's ports_to_publish list expands depending on which
        # daemons the agent needs to reach from the smolvm guest.
        bundle_spec = _bundle_launch_spec(plan, network, loopback_ip)
-        token_env = _resolve_token_env(plan, os.environ)
+        token_env = _resolve_token_env(plan, dict(os.environ))
        _bundle.ensure_bundle_image(bundle_spec.image)
        _bundle.start_bundle(bundle_spec, env={**os.environ, **token_env})
        stack.callback(_bundle.stop_bundle, plan.slug)
@@ -420,24 +418,17 @@ def _bundle_launch_spec(


 def _resolve_token_env(
-    plan: SmolmachinesBottlePlan, host_env: object
+    plan: SmolmachinesBottlePlan, host_env: dict[str, str],
 ) -> dict[str, str]:
    """Resolve the egress token env-var values from the host's
    environ so they reach the bundle's process env via docker's
    `-e NAME` inheritance. Empty when no routes declare auth."""
-    ep = plan.egress_plan
-    if not ep.routes:
-        return {}
-    env = dict(host_env)
-    token_values = egress_resolve_token_values(ep.token_env_map, env)
-    if plan.spec.manifest.bottle_for(
-        plan.spec.agent_name,
-    ).agent_provider.forward_host_credentials:
-        access_token = codex_host_access_token(env)
-        for token_env, token_ref in ep.token_env_map.items():
-            if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
-                token_values[token_env] = access_token
-    return token_values
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    return egress_resolve_token_values_with_provider(
+        plan.egress_plan.token_env_map,
+        bottle.agent_provider.forward_host_credentials,
+        host_env,
+    )


 def _ensure_smolmachine(image_ref: str, *, dockerfile: str = "") -> Path: