feat(manifest): add agent_provider.auth_token for Claude OAuth via egress

Operators can now declare: agent_provider: template: claude auth_token: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN and the provisioner injects a provider-owned api.anthropic.com egress route (Bearer, tls_passthrough) rather than requiring a manually declared route with the former claude_code_oauth role. Changes: - Add auth_token field to AgentProvider; validate claude-only. - Remove claude_code_oauth from EGRESS_ROLES / PROVIDER_EGRESS_ROLES. Manifests that declare the role now fail at parse time with "unknown role" — the provisioner owns the route. - agent_provision_plan: replace manifest_egress_routes/has_provider_auth with auth_token; Claude branch injects the api.anthropic.com route, placeholder env, and nonessential-traffic flags when auth_token is set. - Add hidden_env_names: frozenset[str] to AgentProvisionPlan; Claude branch populates it with CLAUDE_CODE_OAUTH_TOKEN. - Remove auth_role from AgentProviderRuntime and placeholder_env_for(). - print_util.visible_agent_env_names: accept hidden_env_names from the plan instead of dispatching on agent_provider_template. - Both backends: drop manifest_egress_routes call, pass auth_token. - PRD 0029 rescoped to cover both Codex and Claude provider auth. Assisted-by: Claude Code
2026-06-02 01:24:18 +00:00
parent 952dcd7eec
commit de9bd7eb83
11 changed files with 136 additions and 113 deletions
@@ -33,7 +33,6 @@ class AgentProviderRuntime:
    command: str
    image: str
    dockerfile: str
-    auth_role: str
    prompt_mode: PromptMode
    bypass_args: tuple[str, ...]
    resume_args: tuple[str, ...]
@@ -73,6 +72,11 @@ class AgentProvisionPlan:
    pass to `Egress.prepare` and `PipelockProxy.prepare`. This keeps
    provider logic out of the egress and pipelock modules — they merge
    provider routes generically without knowing the provider type.
+
+    `hidden_env_names` is the set of env var names the provider injected
+    as non-secret placeholders. `print_util.visible_agent_env_names` uses
+    this to suppress them from the preflight summary so operators don't
+    mistake them for real credentials.
    """

    template: str
@@ -87,6 +91,7 @@ class AgentProvisionPlan:
    pre_copy: tuple[AgentProvisionCommand, ...] = ()
    verify: tuple[AgentProvisionCommand, ...] = ()
    egress_routes: tuple[EgressRoute, ...] = ()
+    hidden_env_names: frozenset[str] = field(default_factory=frozenset)


 _REPO_ROOT = Path(__file__).resolve().parent.parent
@@ -98,7 +103,6 @@ _RUNTIMES = {
        command="claude",
        image="bot-bottle-claude:latest",
        dockerfile=str(_REPO_ROOT / "Dockerfile.claude"),
-        auth_role="claude_code_oauth",
        prompt_mode="append_file",
        bypass_args=("--dangerously-skip-permissions",),
        resume_args=("--continue",),
@@ -109,7 +113,6 @@ _RUNTIMES = {
        command="codex",
        image="bot-bottle-codex:latest",
        dockerfile=str(_REPO_ROOT / "Dockerfile.codex"),
-        auth_role="",
        prompt_mode="read_prompt_file",
        bypass_args=("--dangerously-bypass-approvals-and-sandbox",),
        resume_args=("resume", "--last"),
@@ -122,13 +125,6 @@ def runtime_for(template: str) -> AgentProviderRuntime:
    return _RUNTIMES[template]


-def placeholder_env_for(template: str) -> str:
-    """Return the provider auth placeholder env var name, or empty string."""
-    if template == PROVIDER_CLAUDE:
-        return "CLAUDE_CODE_OAUTH_TOKEN"
-    return ""
-
-
 def agent_provision_plan(
    *,
    template: str,
@@ -136,14 +132,11 @@ def agent_provision_plan(
    state_dir: Path,
    guest_home: str = "/home/node",
    guest_env: dict[str, str] | None = None,
+    auth_token: str = "",
    forward_host_credentials: bool = False,
-    manifest_egress_routes: tuple[EgressRoute, ...] = (),
    host_env: dict[str, str] | None = None,
 ) -> AgentProvisionPlan:
    runtime = runtime_for(template)
-    has_provider_auth = bool(runtime.auth_role) and any(
-        runtime.auth_role in r.roles for r in manifest_egress_routes
-    )
    resolved_guest_env = dict(guest_env or {})
    env_vars: dict[str, str] = {}
    dirs: list[AgentProvisionDir] = []
@@ -151,6 +144,7 @@ def agent_provision_plan(
    pre_copy: list[AgentProvisionCommand] = []
    verify: list[AgentProvisionCommand] = []
    egress_routes: list[EgressRoute] = []
+    hidden_env_names: frozenset[str] = frozenset()

    if template == PROVIDER_CODEX:
        env_vars["CODEX_CA_CERTIFICATE"] = "/etc/ssl/certs/ca-certificates.crt"
@@ -199,10 +193,17 @@ def agent_provision_plan(
                "codex host credentials: dummy auth was copied into the "
                "guest, but Codex did not accept it"
            )))
-    if template == PROVIDER_CLAUDE and has_provider_auth:
+    if template == PROVIDER_CLAUDE and auth_token:
+        egress_routes.append(EgressRoute(
+            host="api.anthropic.com",
+            auth_scheme="Bearer",
+            token_ref=auth_token,
+            tls_passthrough=True,
+        ))
        env_vars["CLAUDE_CODE_OAUTH_TOKEN"] = "egress-placeholder"
        env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"] = "1"
        env_vars["DISABLE_ERROR_REPORTING"] = "1"
+        hidden_env_names = frozenset({"CLAUDE_CODE_OAUTH_TOKEN"})

    return AgentProvisionPlan(
        template=template,
@@ -217,6 +218,7 @@ def agent_provision_plan(
        pre_copy=tuple(pre_copy),
        verify=tuple(verify),
        egress_routes=tuple(egress_routes),
+        hidden_env_names=hidden_env_names,
    )


@@ -89,7 +89,7 @@ class DockerBottlePlan(BottlePlan):
                | set(self.forwarded_env.keys())
                | set(self.agent_provision.guest_env.keys())
            ),
-            agent_provider_template=self.agent_provider_template,
+            hidden_env_names=self.agent_provision.hidden_env_names,
        )

        print(file=sys.stderr)
@@ -16,7 +16,7 @@ from dataclasses import replace
 from pathlib import Path

 from ...agent_provider import agent_provision_plan, runtime_for
-from ...egress import Egress, egress_manifest_routes
+from ...egress import Egress
 from ...env import ResolvedEnv, resolve_env
 from ...git_gate import GitGate
 from ...log import die
@@ -178,7 +178,7 @@ def resolve_plan(
        state_dir=agent_dir,
        guest_home=os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node"),
        forward_host_credentials=provider.forward_host_credentials,
-        manifest_egress_routes=egress_manifest_routes(bottle),
+        auth_token=provider.auth_token,
        host_env=dict(os.environ),
    )
    guest_env = dict(agent_provision.guest_env)
@@ -9,7 +9,6 @@ from __future__ import annotations

 from typing import Sequence

-from ..agent_provider import placeholder_env_for
 from ..log import info


@@ -30,16 +29,13 @@ def print_multi(label: str, values: Sequence[str]) -> None:


 def visible_agent_env_names(
-    env_names: Sequence[str], *, agent_provider_template: str,
+    env_names: Sequence[str], *, hidden_env_names: frozenset[str],
 ) -> list[str]:
    """Env names worth showing in launch summaries.

-    Provider auth placeholders (currently `CLAUDE_CODE_OAUTH_TOKEN`)
-    are implementation details: they are non-secret dummy values that
-    satisfy the provider CLI while egress injects the real upstream
-    Authorization header. Showing them in preflight makes the operator
-    think a real key is entering the agent, so hide only the active
-    provider-owned placeholder.
+    Provider-injected placeholder env vars are implementation details:
+    they are non-secret dummy values that satisfy provider CLIs while
+    egress injects the real Authorization header. The plan's
+    `hidden_env_names` carries exactly which names to suppress.
    """
-    hidden = {placeholder_env_for(agent_provider_template)}
-    return sorted({name for name in env_names if name and name not in hidden})
+    return sorted({name for name in env_names if name and name not in hidden_env_names})
@@ -125,7 +125,7 @@ class SmolmachinesBottlePlan(BottlePlan):
                set(bottle.env.keys())
                | set(self.agent_provision.guest_env.keys())
            ),
-            agent_provider_template=self.agent_provider_template,
+            hidden_env_names=self.agent_provision.hidden_env_names,
        )
        upstreams = [
            f"{g.Name} → {g.Upstream}" for g in bottle.git
@@ -16,7 +16,6 @@ from dataclasses import replace
 from pathlib import Path

 from ...agent_provider import agent_provision_plan, runtime_for
-from ...egress import egress_manifest_routes
 from ...backend import BottleSpec
 from ...backend.docker.bottle_state import (
    BottleMetadata,
@@ -134,7 +133,7 @@ def resolve_plan(
        guest_home=os.environ.get("BOT_BOTTLE_GUEST_HOME", "/home/node"),
        guest_env=guest_env,
        forward_host_credentials=provider.forward_host_credentials,
-        manifest_egress_routes=egress_manifest_routes(bottle),
+        auth_token=provider.auth_token,
        host_env=dict(os.environ),
    )
    merged_guest_env = dict(agent_provision.guest_env)
@@ -179,40 +179,28 @@ EGRESS_AUTH_SCHEMES = ("Bearer", "token")
 # a specific named part in the bottle's auth flow"; the launch step
 # acts on the marker.
 #
-#   claude_code_oauth: this route auth-injects on the agent's
-#                      claude-code OAuth flow. Triggers prepare.py
-#                      to ship a placeholder CLAUDE_CODE_OAUTH_TOKEN
-#                      to the agent (so claude-code starts) and
-#                      disable nonessential-traffic / error-reporting
-#                      env vars. Host doesn't matter to the placeholder
-#                      logic — declare the role on whichever route
-#                      injects the OAuth header.
-#
-#   codex_auth: placeholder marker reserved for follow-up Codex
-#               credential-injection work. It is still accepted so
-#               existing manifests and future egress-held auth flows
-#               have a stable role name, but it no longer triggers an
-#               OPENAI_API_KEY placeholder. Codex bottles should prefer
-#               device/ChatGPT login state today.
+#   codex_auth: placeholder marker for Codex egress-held auth flows.
+#               Accepted on Codex routes for forward-compatibility;
+#               the provisioner does not act on it today.
 #
 # Routes without a `role` are pure proxy entries: egress
 # enforces path_allowlist + injects auth on its own, but nothing
 # special happens on the agent side.
+#
+# Note: the former `claude_code_oauth` role has been removed. Claude
+# OAuth is now provisioner-owned via `agent_provider.auth_token`; the
+# provisioner injects the api.anthropic.com route automatically.
 EGRESS_ROLES = frozenset({
-    "claude_code_oauth",
    "codex_auth",
 })

-# Singleton roles may appear on at most one route per bottle. Some
-# roles drive a single provider auth path; two routes claiming one
-# marker would leave "which one is canonical?" ambiguous.
+# Singleton roles may appear on at most one route per bottle.
 EGRESS_SINGLETON_ROLES = frozenset({
-    "claude_code_oauth",
    "codex_auth",
 })

 PROVIDER_EGRESS_ROLES = {
-    "claude": frozenset({"claude_code_oauth"}),
+    "claude": frozenset(),
    "codex": frozenset({"codex_auth"}),
 }

@@ -224,20 +212,30 @@ class AgentProvider:
    `template` selects a built-in launch/runtime contract. `dockerfile`
    optionally points at a custom agent-image Dockerfile while leaving
    bot-bottle's sidecar infrastructure intact.
+
+    `auth_token` names the host env var that holds the provider's OAuth
+    token (Claude only). The provisioner injects a provider-owned egress
+    route for api.anthropic.com that re-injects this token as the Bearer
+    header, and sets a placeholder CLAUDE_CODE_OAUTH_TOKEN in the agent
+    so the Claude Code CLI starts.
+
+    `forward_host_credentials` forwards the host Codex auth token into
+    the egress sidecar (Codex only).
    """

    template: str = "claude"
    dockerfile: str = ""
+    auth_token: str = ""
    forward_host_credentials: bool = False

    @classmethod
    def from_dict(cls, bottle_name: str, raw: object) -> "AgentProvider":
        d = _as_json_object(raw, f"bottle '{bottle_name}' agent_provider")
        for k in d:
-            if k not in {"template", "dockerfile", "forward_host_credentials"}:
+            if k not in {"template", "dockerfile", "auth_token", "forward_host_credentials"}:
                raise ManifestError(
                    f"bottle '{bottle_name}' agent_provider has unknown key {k!r}; "
-                    f"allowed: template, dockerfile, forward_host_credentials"
+                    f"allowed: template, dockerfile, auth_token, forward_host_credentials"
                )
        template = d.get("template", "claude")
        if not isinstance(template, str) or not template:
@@ -256,6 +254,17 @@ class AgentProvider:
                f"bottle '{bottle_name}' agent_provider.dockerfile must be a "
                f"string (was {type(dockerfile).__name__})"
            )
+        auth_token = d.get("auth_token", "")
+        if not isinstance(auth_token, str):
+            raise ManifestError(
+                f"bottle '{bottle_name}' agent_provider.auth_token must be a "
+                f"string (was {type(auth_token).__name__})"
+            )
+        if auth_token and template != "claude":
+            raise ManifestError(
+                f"bottle '{bottle_name}' agent_provider.auth_token is only "
+                f"supported for template 'claude'"
+            )
        forward_host_credentials = d.get("forward_host_credentials", False)
        if not isinstance(forward_host_credentials, bool):
            raise ManifestError(
@@ -270,6 +279,7 @@ class AgentProvider:
        return cls(
            template=template,
            dockerfile=dockerfile,
+            auth_token=auth_token,
            forward_host_credentials=forward_host_credentials,
        )

@@ -428,10 +438,7 @@ class EgressRoute:
    manifest's `auth` block is omitted both fields are empty strings —
    no Authorization is written, no token forwarded.

-    `Role` is an optional tuple of named markers (see
-    EGRESS_ROLES). The launch step reads these and triggers
-    associated side effects (e.g. the `claude_code_oauth` marker
-    causes prepare.py to set a placeholder OAuth env on the agent).
+    `Role` is an optional tuple of named markers (see EGRESS_ROLES).

    Validation rules (enforced in `from_dict`):
      - `host` required, non-empty.