fix(codex): provision dummy user auth state
This commit is contained in:
@@ -21,10 +21,11 @@ routes that declare an egress-owned token. Bare `api.openai.com` or
|
||||
`chatgpt.com` routes therefore forward Codex requests without the
|
||||
ChatGPT bearer token.
|
||||
|
||||
Copying `~/.codex/auth.json` into the agent would solve auth but would
|
||||
also put access and refresh material inside the agent sandbox. That cuts
|
||||
against bot-bottle's credential minimization model: provider credentials
|
||||
should live in the sidecar boundary when possible, not in the agent.
|
||||
Copying the host `~/.codex/auth.json` into the agent would solve auth
|
||||
mode detection but would also put access and refresh material inside the
|
||||
agent sandbox. That cuts against bot-bottle's credential minimization
|
||||
model: provider credentials should live in the sidecar boundary when
|
||||
possible, not in the agent.
|
||||
|
||||
## Goals / Success Criteria
|
||||
|
||||
@@ -33,11 +34,14 @@ should live in the sidecar boundary when possible, not in the agent.
|
||||
- Host credential forwarding happens only when the bottle declares
|
||||
`agent_provider.forward_host_credentials: true`.
|
||||
- The agent container does not receive `OPENAI_API_KEY`,
|
||||
`CODEX_ACCESS_TOKEN`, `tokens.access_token`, `tokens.refresh_token`,
|
||||
or `auth.json`.
|
||||
`CODEX_ACCESS_TOKEN`, or real `tokens.access_token` /
|
||||
`tokens.refresh_token` values.
|
||||
- The agent container receives only a dummy Codex `auth.json` that
|
||||
preserves the host auth-mode shape and replaces credential values
|
||||
with placeholders.
|
||||
- Egress route files remain non-secret: they contain only host/path/auth
|
||||
slot metadata, never token values.
|
||||
- Missing, non-ChatGPT, malformed, or expired host Codex auth fails
|
||||
- Missing, API-key, malformed, or expired host Codex auth fails
|
||||
launch with a clear operator-facing message.
|
||||
- Existing Claude OAuth placeholder behavior remains unchanged.
|
||||
|
||||
@@ -46,7 +50,7 @@ should live in the sidecar boundary when possible, not in the agent.
|
||||
- Refreshing Codex tokens in the sidecar. The first cut reads the host's
|
||||
current access token at launch; operators can restart after host Codex
|
||||
refreshes auth.
|
||||
- Copying host `~/.codex/auth.json` into the agent.
|
||||
- Copying host `~/.codex/auth.json` credentials into the agent.
|
||||
- Allowing arbitrary host credential forwarding. This PRD covers Codex
|
||||
ChatGPT/device-login credentials only.
|
||||
- Hot-applying new authenticated Codex routes to an existing running
|
||||
@@ -62,9 +66,11 @@ should live in the sidecar boundary when possible, not in the agent.
|
||||
- Support the flag for `agent_provider.template: codex`.
|
||||
- Read host Codex auth from `$CODEX_HOME/auth.json` when `CODEX_HOME` is
|
||||
set, otherwise from `~/.codex/auth.json`.
|
||||
- Extract only `tokens.access_token`.
|
||||
- Validate that `auth_mode` is `chatgpt` and the access token is present,
|
||||
JWT-shaped, and not expired.
|
||||
- Extract only `tokens.access_token` for egress injection.
|
||||
- Generate a dummy agent-side `auth.json` from the host auth file's
|
||||
mode and key shape, without copying real token values.
|
||||
- Validate that host auth is not API-key mode and the access token is
|
||||
present, JWT-shaped, and not expired.
|
||||
- Add or upgrade `api.openai.com` and `chatgpt.com` egress routes to
|
||||
inject that access token via a shared `EGRESS_TOKEN_N` sidecar env
|
||||
slot.
|
||||
@@ -100,7 +106,7 @@ At prepare/launch time, when the flag is enabled for Codex:
|
||||
1. Resolve the host Codex home directory from `$CODEX_HOME`, falling
|
||||
back to `~/.codex`.
|
||||
2. Parse `auth.json`.
|
||||
3. Require `auth_mode == "chatgpt"`.
|
||||
3. Require user/device auth mode rather than API-key auth.
|
||||
4. Require a non-empty `tokens.access_token`.
|
||||
5. Parse the JWT payload enough to require an `exp` claim in the future.
|
||||
6. Return only the access token value to the launch path.
|
||||
@@ -141,6 +147,7 @@ environment for that `EGRESS_TOKEN_N` slot. It must not be written to
|
||||
flowchart LR
|
||||
H["Host ~/.codex/auth.json"] --> L["bot-bottle launch"]
|
||||
L -->|access token only| S["egress sidecar env"]
|
||||
L -->|dummy auth.json only| A
|
||||
A["Codex agent"] -->|HTTPS via proxy, auth stripped| E["egress"]
|
||||
E -->|Bearer injected from env| C["api.openai.com / chatgpt.com"]
|
||||
```
|
||||
@@ -156,9 +163,12 @@ flowchart LR
|
||||
4. **Effective egress route.** Add/upgrade the Codex API routes when the
|
||||
flag is enabled, and add tests for bare route upgrade,
|
||||
missing-route insertion, and authenticated-route conflict.
|
||||
5. **Launch wiring.** Pass the host access token into the egress sidecar
|
||||
5. **Agent auth marker.** Provision a dummy Codex `auth.json` into the
|
||||
agent home so Codex selects the host's user/device auth branch while
|
||||
real credentials stay in egress.
|
||||
6. **Launch wiring.** Pass the host access token into the egress sidecar
|
||||
env for Docker and smolmachines without exposing it to the agent.
|
||||
6. **Docs and tests.** Update README examples and run the unit suite.
|
||||
7. **Docs and tests.** Update README examples and run the unit suite.
|
||||
|
||||
## Open questions
|
||||
|
||||
|
||||
Reference in New Issue
Block a user