refactor(egress): deduplicate token resolution across backends (PRD 0030)

Extract egress_resolve_token_values_with_provider into bot_bottle/egress.py. Both docker and smolmachines launch paths now call the shared function instead of duplicating the forward_host_credentials / CODEX_HOST_CREDENTIAL_TOKEN_REF resolution block. Also fixes the host_env: object annotation on smolmachines._resolve_token_env to the correct dict[str, str]. Closes #118.
2026-06-02 04:22:43 +00:00
parent 6682357fbb
commit 75f0f9d907
4 changed files with 104 additions and 35 deletions
@@ -29,6 +29,7 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import TYPE_CHECKING

+from .codex_auth import codex_host_access_token
 from .log import die

 if TYPE_CHECKING:
@@ -360,6 +361,31 @@ def egress_resolve_token_values(
    return out


+def egress_resolve_token_values_with_provider(
+    token_env_map: dict[str, str],
+    forward_host_credentials: bool,
+    host_env: dict[str, str],
+) -> dict[str, str]:
+    """Resolve all egress token env-var values, including the optional
+    Codex host credential slot.
+
+    Combines `egress_resolve_token_values` (manifest-declared token refs)
+    with the `forward_host_credentials` path (Codex ChatGPT bearer).
+    Returns an empty dict when `token_env_map` is empty.
+
+    Pure function: `host_env` is passed in so tests can use a sealed
+    mapping without touching `os.environ`."""
+    if not token_env_map:
+        return {}
+    token_values = egress_resolve_token_values(token_env_map, host_env)
+    if forward_host_credentials:
+        access_token = codex_host_access_token(host_env)
+        for token_env, token_ref in token_env_map.items():
+            if token_ref == CODEX_HOST_CREDENTIAL_TOKEN_REF:
+                token_values[token_env] = access_token
+    return token_values
+
+
 class Egress(ABC):
    """The per-bottle egress proxy. Encapsulates the host-side prepare
    (route lift + routes.yaml render + token-env-map derivation); the
@@ -403,6 +429,7 @@ __all__ = [
    "egress_manifest_routes",
    "egress_render_routes",
    "egress_resolve_token_values",
+    "egress_resolve_token_values_with_provider",
    "egress_routes_for_bottle",
    "egress_token_env_map",
 ]