diff --git a/bot_bottle/manifest.py b/bot_bottle/manifest.py
index 38d3386..5ae00a6 100644
--- a/bot_bottle/manifest.py
+++ b/bot_bottle/manifest.py
@@ -175,33 +175,15 @@ class GitEntry:
 # token-not-Bearer quirk (go-gitea/gitea#16734).
 EGRESS_AUTH_SCHEMES = ("Bearer", "token")
 
-# Optional per-route role markers. A role signals "this route plays
-# a specific named part in the bottle's auth flow"; the launch step
-# acts on the marker.
-#
-# codex_auth: placeholder marker for Codex egress-held auth flows.
-# Accepted on Codex routes for forward-compatibility;
-# the provisioner does not act on it today.
-#
-# Routes without a `role` are pure proxy entries: egress
-# enforces path_allowlist + injects auth on its own, but nothing
-# special happens on the agent side.
-#
-# Note: the former `claude_code_oauth` role has been removed. Claude
-# OAuth is now provisioner-owned via `agent_provider.auth_token`; the
-# provisioner injects the api.anthropic.com route automatically.
-EGRESS_ROLES = frozenset({
-    "codex_auth",
-})
-
-# Singleton roles may appear on at most one route per bottle.
-EGRESS_SINGLETON_ROLES = frozenset({
-    "codex_auth",
-})
-
-PROVIDER_EGRESS_ROLES = {
+# Per-route role markers. Both former roles (claude_code_oauth,
+# codex_auth) have been removed — provider auth is now provisioner-owned
+# via agent_provider.auth_token / forward_host_credentials. The field
+# and validation plumbing remain for future roles.
+EGRESS_ROLES: frozenset[str] = frozenset()
+EGRESS_SINGLETON_ROLES: frozenset[str] = frozenset()
+PROVIDER_EGRESS_ROLES: dict[str, frozenset[str]] = {
     "claude": frozenset(),
-    "codex": frozenset({"codex_auth"}),
+    "codex": frozenset(),
 }
 
 
diff --git a/tests/unit/test_manifest_egress.py b/tests/unit/test_manifest_egress.py
index 1a03d0b..1dba6a5 100644
--- a/tests/unit/test_manifest_egress.py
+++ b/tests/unit/test_manifest_egress.py
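Review bot: The three now-empty tables `EGRESS_ROLES`, `EGRESS_SINGLETON_ROLES` and `PROVIDER_EGRESS_ROLES` are no longer tied to each other, so a future role added to one table but not the others would only surface, if at all, when a manifest is validated at load time. Since the new comment keeps them explicitly as plumbing for future roles, a module-level invariant check right after the dict, `assert EGRESS_SINGLETON_ROLES <= EGRESS_ROLES` and `assert all(r <= EGRESS_ROLES for r in PROVIDER_EGRESS_ROLES.values())`, enforces the relationship cheaply and documents it for the next person who re-adds a role. The removed comment's statement that a route without a `role` is a pure proxy entry (egress enforces path_allowlist and injects auth on its own, nothing happens agent-side) is the one operational fact the rewritten comment drops; if it still holds, keeping that sentence in the new block preserves the security-relevant reading of a role-less route.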
@@ -203,35 +203,12 @@ class TestRole(unittest.TestCase):
 b = _bottle([{"host": "x.example"}])
 self.assertEqual((), b.egress.routes[0].Role)
 
- def test_string_normalizes_to_tuple(self):
- b = _provider_bottle("codex", [{
- "host": "api.openai.com",
- "role": "codex_auth",
- "auth": {"scheme": "Bearer", "token_ref": "T"},
- }])
- self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
-
- def test_list_supported(self):
- b = _provider_bottle("codex", [{
- "host": "api.openai.com",
- "role": ["codex_auth"],
- "auth": {"scheme": "Bearer", "token_ref": "T"},
- }])
- self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
-
- def test_unknown_role_rejected(self):
- # The role enum is locked down — typos shouldn't silently
- # become no-op markers.
- with self.assertRaises(ManifestError):
- _bottle([{"host": "x.example", "role": "totally-made-up"}])
-
- def test_claude_code_oauth_role_rejected(self):
- # claude_code_oauth was removed; provisioner injects the route
- # automatically via agent_provider.auth_token.
- with self.assertRaises(ManifestError):
- _bottle([{"host": "api.anthropic.com",
- "role": "claude_code_oauth",
- "auth": {"scheme": "Bearer", "token_ref": "T"}}])
+ def test_any_role_rejected(self):
+ # All former roles removed; the field is reserved for future use.
+ for role in ("claude_code_oauth", "codex_auth", "totally-made-up"):
+ with self.subTest(role=role):
+ with self.assertRaises(ManifestError):
+ _bottle([{"host": "x.example", "role": role}])
 
 def test_non_string_role_rejected(self):
 with self.assertRaises(ManifestError):
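Review bot: `test_any_role_rejected` only goes through `_bottle`, i.e. the default provider, whereas the removed cases also exercised `_provider_bottle("codex", ...)`; now that `PROVIDER_EGRESS_ROLES["codex"]` is empty, nothing checks that the codex-provider path rejects the old `codex_auth` marker as well. A sibling case in the same loop, `_provider_bottle("codex", [{"host": "x.example", "role": role}])` under its own `subTest`, would cover the per-provider branch of the validator with no new fixtures. Whether `_provider_bottle` needs an `auth` block on the route before role validation is reached is not visible here, so the exact fixture shape is an assumption to confirm against the helper. The enclosing `TestRole` class continues past this hunk; the same coverage gap applies to the `test_list_with_non_string_item_rejected` change in the next hunk, where the codex-provider rejection test was deleted.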
@@ -239,24 +216,7 @@ class TestRole(unittest.TestCase):
 
 def test_list_with_non_string_item_rejected(self):
 with self.assertRaises(ManifestError):
- _bottle([{"host": "x.example",
- "role": ["codex_auth", 42]}])
-
- def test_codex_auth_role_allowed_for_codex_provider(self):
- b = _provider_bottle("codex", [{
- "host": "api.openai.com",
- "role": "codex_auth",
- "auth": {"scheme": "Bearer", "token_ref": "OPENAI_TOKEN"},
- }])
- self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
-
- def test_codex_role_rejected_for_default_claude_provider(self):
- with self.assertRaises(ManifestError):
- _bottle([{
- "host": "api.openai.com",
- "role": "codex_auth",
- "auth": {"scheme": "Bearer", "token_ref": "T"},
- }])
+ _bottle([{"host": "x.example", "role": ["x", 42]}])
 
 
 class TestPipelockPolicy(unittest.TestCase):