refactor(manifest): remove codex_auth egress role
Both provider-owned roles are now gone. Provider auth routes are provisioner-owned (claude: auth_token, codex: forward_host_credentials); the role field and validation plumbing stay for future use but EGRESS_ROLES is empty. Any manifest declaring a role now fails at parse time. Assisted-by: Claude Code
+8
-26
@@ -175,33 +175,15 @@ class GitEntry:
|
|||||||
# token-not-Bearer quirk (go-gitea/gitea#16734).
|
# token-not-Bearer quirk (go-gitea/gitea#16734).
|
||||||
EGRESS_AUTH_SCHEMES = ("Bearer", "token")
|
EGRESS_AUTH_SCHEMES = ("Bearer", "token")
|
||||||
|
|
||||||
# Optional per-route role markers. A role signals "this route plays
|
# Per-route role markers. Both former roles (claude_code_oauth,
|
||||||
# a specific named part in the bottle's auth flow"; the launch step
|
# codex_auth) have been removed — provider auth is now provisioner-owned
|
||||||
# acts on the marker.
|
# via agent_provider.auth_token / forward_host_credentials. The field
|
||||||
#
|
# and validation plumbing remain for future roles.
|
||||||
# codex_auth: placeholder marker for Codex egress-held auth flows.
|
EGRESS_ROLES: frozenset[str] = frozenset()
|
||||||
# Accepted on Codex routes for forward-compatibility;
|
EGRESS_SINGLETON_ROLES: frozenset[str] = frozenset()
|
||||||
# the provisioner does not act on it today.
|
PROVIDER_EGRESS_ROLES: dict[str, frozenset[str]] = {
|
||||||
#
|
|
||||||
# Routes without a `role` are pure proxy entries: egress
|
|
||||||
# enforces path_allowlist + injects auth on its own, but nothing
|
|
||||||
# special happens on the agent side.
|
|
||||||
#
|
|
||||||
# Note: the former `claude_code_oauth` role has been removed. Claude
|
|
||||||
# OAuth is now provisioner-owned via `agent_provider.auth_token`; the
|
|
||||||
# provisioner injects the api.anthropic.com route automatically.
|
|
||||||
EGRESS_ROLES = frozenset({
|
|
||||||
"codex_auth",
|
|
||||||
})
|
|
||||||
|
|
||||||
# Singleton roles may appear on at most one route per bottle.
|
|
||||||
EGRESS_SINGLETON_ROLES = frozenset({
|
|
||||||
"codex_auth",
|
|
||||||
})
|
|
||||||
|
|
||||||
PROVIDER_EGRESS_ROLES = {
|
|
||||||
"claude": frozenset(),
|
"claude": frozenset(),
|
||||||
"codex": frozenset({"codex_auth"}),
|
"codex": frozenset(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
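Review bot: The rewritten comment above `EGRESS_ROLES` drops the one sentence of the old text that said what a route without a role means — that egress enforces `path_allowlist` and injects auth on its own, with nothing special happening on the agent side — and since every role is now rejected at parse time, that is the only mode a manifest can express, so the comment should keep it: `# Routes without a role are pure proxy entries: egress enforces path_allowlist and injects auth; nothing special happens agent-side.` The three constants are now independent empty literals with no stated invariant that `EGRESS_SINGLETON_ROLES` and each value of `PROVIDER_EGRESS_ROLES` stay subsets of `EGRESS_ROLES`; whether the parser enforces that is not visible from this hunk, and a one-line comment or a module-level check such as `assert EGRESS_SINGLETON_ROLES <= EGRESS_ROLES` would stop a future role from being added to the per-provider map without being added to the global set. The `class GitEntry` named in the hunk header ends before these lines; the constants themselves are module-level.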
@@ -203,35 +203,12 @@ class TestRole(unittest.TestCase):
|
|||||||
b = _bottle([{"host": "x.example"}])
|
b = _bottle([{"host": "x.example"}])
|
||||||
self.assertEqual((), b.egress.routes[0].Role)
|
self.assertEqual((), b.egress.routes[0].Role)
|
||||||
|
|
||||||
def test_string_normalizes_to_tuple(self):
|
def test_any_role_rejected(self):
|
||||||
b = _provider_bottle("codex", [{
|
# All former roles removed; the field is reserved for future use.
|
||||||
"host": "api.openai.com",
|
for role in ("claude_code_oauth", "codex_auth", "totally-made-up"):
|
||||||
"role": "codex_auth",
|
with self.subTest(role=role):
|
||||||
"auth": {"scheme": "Bearer", "token_ref": "T"},
|
with self.assertRaises(ManifestError):
|
||||||
}])
|
_bottle([{"host": "x.example", "role": role}])
|
||||||
self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
|
|
||||||
|
|
||||||
def test_list_supported(self):
|
|
||||||
b = _provider_bottle("codex", [{
|
|
||||||
"host": "api.openai.com",
|
|
||||||
"role": ["codex_auth"],
|
|
||||||
"auth": {"scheme": "Bearer", "token_ref": "T"},
|
|
||||||
}])
|
|
||||||
self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
|
|
||||||
|
|
||||||
def test_unknown_role_rejected(self):
|
|
||||||
# The role enum is locked down — typos shouldn't silently
|
|
||||||
# become no-op markers.
|
|
||||||
with self.assertRaises(ManifestError):
|
|
||||||
_bottle([{"host": "x.example", "role": "totally-made-up"}])
|
|
||||||
|
|
||||||
def test_claude_code_oauth_role_rejected(self):
|
|
||||||
# claude_code_oauth was removed; provisioner injects the route
|
|
||||||
# automatically via agent_provider.auth_token.
|
|
||||||
with self.assertRaises(ManifestError):
|
|
||||||
_bottle([{"host": "api.anthropic.com",
|
|
||||||
"role": "claude_code_oauth",
|
|
||||||
"auth": {"scheme": "Bearer", "token_ref": "T"}}])
|
|
||||||
|
|
||||||
def test_non_string_role_rejected(self):
|
def test_non_string_role_rejected(self):
|
||||||
with self.assertRaises(ManifestError):
|
with self.assertRaises(ManifestError):
|
||||||
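Review bot: `test_any_role_rejected` drives only the default-provider path through `_bottle`, while the tests it replaces were the only coverage of the codex branch via `_provider_bottle("codex", ...)`, whose `PROVIDER_EGRESS_ROLES["codex"]` entry is now empty; if the parser consults the per-provider set before the global one, that branch is untested after this commit. Add a second assertion inside the same subTest, assuming `_provider_bottle` is still defined in the file: `with self.assertRaises(ManifestError): _provider_bottle("codex", [{"host": "api.openai.com", "role": role, "auth": {"scheme": "Bearer", "token_ref": "T"}}])`. The list form is also no longer covered for the former roles (`test_list_supported` is removed); a `"role": [role]` case in the same loop would keep the list path fail-closed too.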
@@ -239,24 +216,7 @@ class TestRole(unittest.TestCase):
|
|||||||
|
|
||||||
def test_list_with_non_string_item_rejected(self):
|
def test_list_with_non_string_item_rejected(self):
|
||||||
with self.assertRaises(ManifestError):
|
with self.assertRaises(ManifestError):
|
||||||
_bottle([{"host": "x.example",
|
_bottle([{"host": "x.example", "role": ["x", 42]}])
|
||||||
"role": ["codex_auth", 42]}])
|
|
||||||
|
|
||||||
def test_codex_auth_role_allowed_for_codex_provider(self):
|
|
||||||
b = _provider_bottle("codex", [{
|
|
||||||
"host": "api.openai.com",
|
|
||||||
"role": "codex_auth",
|
|
||||||
"auth": {"scheme": "Bearer", "token_ref": "OPENAI_TOKEN"},
|
|
||||||
}])
|
|
||||||
self.assertEqual(("codex_auth",), b.egress.routes[0].Role)
|
|
||||||
|
|
||||||
def test_codex_role_rejected_for_default_claude_provider(self):
|
|
||||||
with self.assertRaises(ManifestError):
|
|
||||||
_bottle([{
|
|
||||||
"host": "api.openai.com",
|
|
||||||
"role": "codex_auth",
|
|
||||||
"auth": {"scheme": "Bearer", "token_ref": "T"},
|
|
||||||
}])
|
|
||||||
|
|
||||||
|
|
||||||
class TestPipelockPolicy(unittest.TestCase):
|
class TestPipelockPolicy(unittest.TestCase):
|
||||||
|
|||||||
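Review bot: With `EGRESS_ROLES` empty, `test_list_with_non_string_item_rejected` no longer isolates the non-string check: `"x"` in `["x", 42]` is itself an unknown role, so the `ManifestError` may be raised by the membership check rather than by the `42`, depending on the validation order in the parser, which is not visible here. A comment should make that explicit: `# NOTE: "x" is also an unknown role, so this only proves the list is rejected, not which check fired; keep type validation before membership in the parser.` If `ManifestError` carries a message, asserting on it would pin the intended check. The `TestPipelockPolicy` class that follows continues outside the hunk.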