didericis/bot-bottle
1
0
Fork 0
Code Issues 5 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(codex): provision dummy user auth state

Browse Source
This commit is contained in:
didericis (codex)
2026-05-29 03:46:15 -04:00
parent 55117c5ff4
commit 91d6f5d8d2
15 changed files with 406 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+9 -7
View File
@@ -369,13 +369,15 @@ egress:
```
Run `codex login --device-auth` on the host before launch. The
launcher reads only `tokens.access_token` from the host's
`~/.codex/auth.json`, verifies it is fresh ChatGPT auth, and passes it
to the sidecar's `EGRESS_TOKEN_N` env slot. The agent container does
not receive `auth.json`, refresh tokens, access-token env vars, or
`OPENAI_API_KEY`. The effective egress table automatically adds or
upgrades `api.openai.com` and `chatgpt.com` to authenticated routes
when `forward_host_credentials` is true.
launcher reads `tokens.access_token` from the host's
`~/.codex/auth.json`, verifies it is fresh user/device auth, and passes
it to the sidecar's `EGRESS_TOKEN_N` env slot. The agent container gets
a dummy `~/.codex/auth.json` that preserves the host auth-mode shape
but replaces credential values with placeholders, so Codex chooses the
user/device auth path without receiving real access tokens, refresh
tokens, or `OPENAI_API_KEY`. The effective egress table automatically
adds or upgrades `api.openai.com` and `chatgpt.com` to authenticated
routes when `forward_host_credentials` is true.
The built-in Codex template uses `Dockerfile.codex`; set
`agent_provider.dockerfile` to build the agent from a custom Dockerfile