didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

PRD 0029: Codex host credentials through egress #110

Merged
didericis merged 25 commits from codex/prd-codex-host-credentials into main 2026-06-01 23:16:25 -04:00
Conversation 18 Commits 25 Files Changed 32
+18 -6
4 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit a5d83bdcdc - Show all commits
bot_bottle/backend/docker/provision/provider_auth.py
+8 -3
View File
@@ -9,6 +9,7 @@ import subprocess
from ..bottle_plan import DockerBottlePlan
_CODEX_HOME_PROJECT = "/home/node"
_CODEX_WORKSPACE = "/home/node/workspace"
@@ -16,9 +17,10 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
"""Prepare Codex home state inside a Docker bottle.
Every Codex bottle gets a minimal config.toml that trusts the
in-container workspace path. When host credentials are forwarded,
auth.json contains no real access or refresh token values; it only
nudges Codex into the same user/device auth branch as the host.
in-container launch directory and workspace path. When host
credentials are forwarded, auth.json contains no real access or
refresh token values; it only nudges Codex into the same user/device
auth branch as the host.
"""
if plan.agent_provider_template != "codex":
return
@@ -42,6 +44,9 @@ def provision_provider_auth(plan: DockerBottlePlan, target: str) -> None:
)
config_path = f"{auth_dir}/config.toml"
config = (
f'[projects."{_CODEX_HOME_PROJECT}"]\n'
'trust_level = "trusted"\n'
"\n"
f'[projects."{_CODEX_WORKSPACE}"]\n'
'trust_level = "trusted"\n'
)
bot_bottle/backend/smolmachines/provision/provider_auth.py
+8 -3
View File
@@ -11,6 +11,7 @@ from ..bottle_plan import SmolmachinesBottlePlan
_DEFAULT_GUEST_HOME = "/home/node"
_CODEX_HOME_PROJECT = "/home/node"
_CODEX_WORKSPACE = "/home/node/workspace"
@@ -18,9 +19,10 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
"""Prepare Codex home state inside the smolmachine.
Every Codex bottle gets a minimal config.toml that trusts the
in-guest workspace path. When host credentials are forwarded, the
real host access token remains in the egress bundle env; auth.json
only selects Codex's user/device auth code path.
in-guest launch directory and workspace path. When host credentials
are forwarded, the real host access token remains in the egress
bundle env; auth.json only selects Codex's user/device auth code
path.
"""
if plan.agent_provider_template != "codex":
return
@@ -70,6 +72,9 @@ def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
config_path = f"{auth_dir}/config.toml"
config = (
f'[projects."{_CODEX_HOME_PROJECT}"]\n'
'trust_level = "trusted"\n'
"\n"
f'[projects."{_CODEX_WORKSPACE}"]\n'
'trust_level = "trusted"\n'
)
tests/unit/test_docker_provision_provider_auth.py
+1
View File
@@ -90,6 +90,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
a for a in argvs
if a[:6] == ["docker", "exec", "-u", "0", "bot-bottle-demo-abc12", "sh"]
)
self.assertIn('[projects."/home/node"]', trust_config[-1])
self.assertIn('[projects."/home/node/workspace"]', trust_config[-1])
self.assertIn('trust_level = "trusted"', trust_config[-1])
self.assertIn(
tests/unit/test_smolmachines_provision.py
+1
View File
@@ -228,6 +228,7 @@ class TestProvisionProviderAuth(unittest.TestCase):
a for a in argv_seen
if a[:2] == ["sh", "-c"] and "config.toml" in a[2]
)
self.assertIn('[projects."/home/node"]', trust_config[2])
self.assertIn('[projects."/home/node/workspace"]', trust_config[2])
self.assertIn('trust_level = "trusted"', trust_config[2])
self.assertIn(