feat(manifest): add agent_provider.auth_token for Claude OAuth via egress
Operators can now declare:
agent_provider:
template: claude
auth_token: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
and the provisioner injects a provider-owned api.anthropic.com egress
route (Bearer, tls_passthrough) rather than requiring a manually
declared route with the former claude_code_oauth role.
Changes:
- Add auth_token field to AgentProvider; validate claude-only.
- Remove claude_code_oauth from EGRESS_ROLES / PROVIDER_EGRESS_ROLES.
Manifests that declare the role now fail at parse time with "unknown
role" — the provisioner owns the route.
- agent_provision_plan: replace manifest_egress_routes/has_provider_auth
with auth_token; Claude branch injects the api.anthropic.com route,
placeholder env, and nonessential-traffic flags when auth_token is set.
- Add hidden_env_names: frozenset[str] to AgentProvisionPlan; Claude
branch populates it with CLAUDE_CODE_OAUTH_TOKEN.
- Remove auth_role from AgentProviderRuntime and placeholder_env_for().
- print_util.visible_agent_env_names: accept hidden_env_names from the
plan instead of dispatching on agent_provider_template.
- Both backends: drop manifest_egress_routes call, pass auth_token.
- PRD 0029 rescoped to cover both Codex and Claude provider auth.
Assisted-by: Claude Code
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
# PRD 0029: Codex host credentials through egress
|
||||
# PRD 0029: Provider auth credentials through egress
|
||||
|
||||
- **Status:** Draft
|
||||
- **Author:** didericis-codex
|
||||
@@ -7,9 +7,12 @@
|
||||
|
||||
## Summary
|
||||
|
||||
Allow Codex bottles to use a host-authorized ChatGPT/device-login
|
||||
access token by forwarding it only into the egress sidecar, gated by an
|
||||
explicit `agent_provider.forward_host_credentials` manifest flag.
|
||||
Allow provider bottles to inject host credentials into the egress
|
||||
sidecar without exposing them to the agent. Codex uses
|
||||
`agent_provider.forward_host_credentials` for ChatGPT/device-login
|
||||
access tokens. Claude uses `agent_provider.auth_token` to name the host
|
||||
env var holding its OAuth token, which egress injects on
|
||||
`api.anthropic.com` requests.
|
||||
|
||||
## Problem
|
||||
|
||||
@@ -51,8 +54,8 @@ possible, not in the agent.
|
||||
current access token at launch; operators can restart after host Codex
|
||||
refreshes auth.
|
||||
- Copying host `~/.codex/auth.json` credentials into the agent.
|
||||
- Allowing arbitrary host credential forwarding. This PRD covers Codex
|
||||
ChatGPT/device-login credentials only.
|
||||
- Allowing arbitrary host credential forwarding beyond the two providers
|
||||
covered here (Codex ChatGPT/device-login and Claude OAuth).
|
||||
- Hot-applying new authenticated Codex routes to an existing running
|
||||
sidecar. The current hot-apply path cannot safely populate new token
|
||||
env slots in an already-running container.
|
||||
@@ -64,6 +67,15 @@ possible, not in the agent.
|
||||
- Add `agent_provider.forward_host_credentials` to the bottle manifest
|
||||
schema, defaulting to `false`.
|
||||
- Support the flag for `agent_provider.template: codex`.
|
||||
- Add `agent_provider.auth_token` to the bottle manifest schema.
|
||||
- Support the field for `agent_provider.template: claude`: the named
|
||||
host env var is forwarded only into the egress sidecar as the Bearer
|
||||
token for `api.anthropic.com`, and a placeholder
|
||||
`CLAUDE_CODE_OAUTH_TOKEN` is set in the agent so the Claude Code CLI
|
||||
starts without a real credential.
|
||||
- Remove the `claude_code_oauth` egress route role, which previously
|
||||
required operators to declare the OAuth route manually. The provisioner
|
||||
now injects it from `auth_token`.
|
||||
- Read host Codex auth from `$CODEX_HOME/auth.json` when `CODEX_HOME` is
|
||||
set, otherwise from `~/.codex/auth.json`.
|
||||
- Extract only `tokens.access_token` for egress injection.
|
||||
|
||||
Reference in New Issue
Block a user