diff --git a/bot_bottle/agent_provider.py b/bot_bottle/agent_provider.py
index cd271dc..6ae8f50 100644
--- a/bot_bottle/agent_provider.py
+++ b/bot_bottle/agent_provider.py
@@ -154,9 +154,13 @@ def agent_provision_plan(
 dirs.append(AgentProvisionDir(auth_dir))
 config_path = f"{auth_dir}/config.toml"
 config_file = state_dir / "codex-config.toml"
+ workspace = f"{guest_home}/workspace"
 config_file.write_text(
 f'[projects."{guest_home}"]\n'
 'trust_level = "trusted"\n'
+ "\n"
+ f'[projects."{workspace}"]\n'
+ 'trust_level = "trusted"\n'
 )
 config_file.chmod(0o600)
 files.append(AgentProvisionFile(config_file, config_path))
diff --git a/bot_bottle/egress.py b/bot_bottle/egress.py
index db58920..000d5e1 100644
--- a/bot_bottle/egress.py
+++ b/bot_bottle/egress.py
@@ -201,6 +201,8 @@ def egress_routes_for_bottle(
 def _find_or_alloc_token_env(routes: list[EgressRoute], token_ref: str) -> str:
 """Return the existing token_env slot for `token_ref`, or allocate the next one."""
+ if not token_ref:
+ return ""
 for route in routes:
 if route.token_ref == token_ref and route.token_env:
 return route.token_env
@@ -239,7 +241,11 @@ def _merge_provider_route(
 f"ref). Remove the manifest route's auth block or disable the "
 f"feature that adds this provider route."
 )
- token_env = _find_or_alloc_token_env(routes, pr.token_ref)
+ token_env = (
+ _find_or_alloc_token_env(routes, pr.token_ref)
+ if pr.auth_scheme and pr.token_ref
+ else ""
+ )
 routes[idx] = EgressRoute(
 host=route.host,
 path_allowlist=route.path_allowlist,
@@ -250,7 +256,11 @@ def _merge_provider_route(
 tls_passthrough=pr.tls_passthrough,
 )
 return routes
- token_env = _find_or_alloc_token_env(routes, pr.token_ref)
+ token_env = (
+ _find_or_alloc_token_env(routes, pr.token_ref)
+ if pr.auth_scheme and pr.token_ref
+ else ""
+ )
 routes.append(EgressRoute(
 host=pr.host,
 auth_scheme=pr.auth_scheme,
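Review bot: In `agent_provision_plan` (bot_bottle/agent_provider.py), the new `[projects."{workspace}"]` table marks as trusted the directory that presumably receives repository content, and nothing in the hunk records why that is acceptable. If Codex relaxes approval prompts or honours project-local settings for trusted projects, the bottle's own isolation becomes the only boundary, so a comment above the assignment such as `# workspace holds repo content; trusted only because the bottle sandbox is the enforcement boundary` would make the decision reviewable. `guest_home` and `workspace` are also interpolated into a quoted TOML key without escaping, so a `"` or backslash in the path would yield a malformed or different table name; validating or escaping the path before `write_text` closes that. The function body starts and ends outside the hunk.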
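Review bot: The docstring of `_find_or_alloc_token_env` in bot_bottle/egress.py still promises an existing slot or a fresh allocation, but the added guard returns an empty string when `token_ref` is empty. Callers cannot tell from the contract that an empty result means "no slot", so I would append one sentence to the docstring: `Returns "" when token_ref is empty, meaning the route gets no token slot.` The allocation half of the function lies outside the hunk.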
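Review bot: The guard `if pr.auth_scheme and pr.token_ref` in both `_merge_provider_route` hunks treats a provider route that sets only one of the two fields exactly like a route with no auth, so a half-configured route silently ends up without a token slot. For an egress policy that is a quiet downgrade: depending on how the `EgressRoute(...)` call just below copies `auth_scheme` and `token_ref` (not fully visible here), the route may carry a scheme with no credential behind it, and the changed condition in `egress_token_env_map` now skips such routes instead of reporting them. I would reject the mismatch up front with the error type this function already raises for conflicting auth, starting from `if bool(pr.auth_scheme) != bool(pr.token_ref):` and naming `pr.host` in the message. The same five-line conditional is written twice; a single small helper or one assignment shared by both paths would keep the two branches from drifting apart.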
@@ -273,7 +283,7 @@ def egress_token_env_map(
 silently picking one."""
 out: dict[str, str] = {}
 for r in routes:
- if not r.token_env:
+ if not (r.auth_scheme and r.token_ref and r.token_env):
 continue
 existing = out.get(r.token_env)
 if existing is not None and existing != r.token_ref:
diff --git a/tests/unit/test_agent_provider.py b/tests/unit/test_agent_provider.py
index 8d4f4b6..b0f5714 100644
--- a/tests/unit/test_agent_provider.py
+++ b/tests/unit/test_agent_provider.py
@@ -31,6 +31,7 @@ class TestAgentProviderRuntime(unittest.TestCase):
 dockerfile="/tmp/Dockerfile.codex",
 state_dir=Path(tmp),
 )
+ config = (Path(tmp) / "codex-config.toml").read_text()
 self.assertEqual("codex", plan.template)
 self.assertEqual("codex", plan.command)
 self.assertEqual("read_prompt_file", plan.prompt_mode)
@@ -45,6 +46,9 @@ class TestAgentProviderRuntime(unittest.TestCase):
 ("/home/node/.codex/config.toml",),
 tuple(f.guest_path for f in plan.files),
 )
+ self.assertIn('[projects."/home/node"]', config)
+ self.assertIn('[projects."/home/node/workspace"]', config)
+ self.assertEqual(2, config.count('trust_level = "trusted"'))
 def test_codex_forward_host_credentials_adds_auth_and_verify(self):
 with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
diff --git a/tests/unit/test_egress.py b/tests/unit/test_egress.py
index 24ad532..7d7107c 100644
--- a/tests/unit/test_egress.py
+++ b/tests/unit/test_egress.py
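Review bot: The three new assertions in `TestAgentProviderRuntime` (second hunk of tests/unit/test_agent_provider.py) match substrings only, so they would still pass if the generated file were not valid TOML or if a `trust_level` line landed under the wrong table. Parsing the text pins the real structure, e.g. `self.assertEqual({"/home/node", "/home/node/workspace"}, set(tomllib.loads(config)["projects"]))`, assuming the project targets Python 3.11+ where `tomllib` is in the standard library. Because this file decides which paths are trusted, asserting its mode is cheap as well: `self.assertEqual(0o600, (Path(tmp) / "codex-config.toml").stat().st_mode & 0o777)`. The test method begins outside the hunk.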
@@ -145,6 +145,28 @@ class TestProviderRouteMerge(unittest.TestCase):
 self.assertEqual("EGRESS_TOKEN_0", routes[0].token_env)
 self.assertEqual("TOK", routes[0].token_ref)
+ def test_unauthenticated_provider_route_appends_without_token_slot(self):
+ b = _bottle([])
+ pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
+ routes = egress_routes_for_bottle(b, (pr,))
+ self.assertEqual(1, len(routes))
+ self.assertEqual("api.openai.com", routes[0].host)
+ self.assertEqual("", routes[0].auth_scheme)
+ self.assertEqual("", routes[0].token_env)
+ self.assertEqual("", routes[0].token_ref)
+ self.assertEqual({}, egress_token_env_map(routes))
+
+ def test_unauthenticated_provider_route_upgrades_bare_without_token_slot(self):
+ b = _bottle([{"host": "api.openai.com"}])
+ pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
+ routes = egress_routes_for_bottle(b, (pr,))
+ self.assertEqual(1, len(routes))
+ self.assertEqual("", routes[0].auth_scheme)
+ self.assertEqual("", routes[0].token_env)
+ self.assertEqual("", routes[0].token_ref)
+ self.assertTrue(routes[0].tls_passthrough)
+ self.assertEqual({}, egress_token_env_map(routes))
+
 def test_two_provider_routes_with_same_token_ref_share_slot(self):
 b = _bottle([])
 routes = egress_routes_for_bottle(b, (
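Review bot: Both new tests in `TestProviderRouteMerge` build a provider route with neither `auth_scheme` nor `token_ref`, so the inputs that the new conditionals in `_merge_provider_route` and `egress_token_env_map` actually distinguish are never exercised. A route with `auth_scheme` set and no `token_ref`, and one with `token_ref` set and no `auth_scheme`, should each get a test that pins whether the outcome is an error or an unauthenticated route. Without them a later refactor can change how a half-configured credential is handled and the suite stays green.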