PRD 0036: Codex Auth Redaction Policy #132

Merged
didericis merged 3 commits from prd-0036-codex-auth-redaction into main 2026-06-02 04:14:31 -04:00
Collaborator

Closes #129.

Parent hotspot review: #117.

PRD: https://gitea.dideric.is/didericis/bot-bottle/src/commit/a79ef61b629bfec4c25e2109b032b6b9e8173f55/docs/prds/0036-codex-auth-redaction-policy.md

Summary

Implements the Codex auth redaction PRD. Dummy guest auth is now synthesized from explicit top-level and token-block policy instead of recursively preserving unknown auth fields.

Implementation

  • Preserves only auth_mode, nulls API keys, and synthesizes tokens.
  • Replaces access/id tokens with dummy JWTs aligned to the host access-token expiry.
  • Preserves only the non-secret selected account id in token blocks.
  • Redacts unknown scalar fields to placeholders and collapses unknown objects/lists to empty containers.
  • Adds hostile future-field fixture coverage for top-level auth fields, token-block fields, JWT custom claims, and OpenAI auth claims.

Verification

  • python3 -m unittest tests.unit.test_codex_auth
  • python3 -m py_compile bot_bottle/codex_auth.py
  • git diff --check
  • python3 -m unittest discover -s tests/unit

Changes (3 commits)

  • docs(prd): add codex auth redaction policy
  • fix(codex): harden auth redaction
  • complete(prd): mark PRD 0036 active
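The redaction policy described in the Implementation list, as an added Python example (not the project's own bot_bottle/codex_auth.py): auth_mode is preserved, API keys are nulled, access and id tokens become unsigned dummy JWTs whose exp is read from the host access token, only the account id survives inside the token block, and every unknown field is replaced by a placeholder or an empty container rather than copied. The field names OPENAI_API_KEY, access_token, id_token, refresh_token and account_id, the REDACTED placeholder text and the one-hour fallback expiry are assumptions; the PR itself names only auth_mode, API keys, tokens and the selected account id.

```python
import base64
import json
import time

# Assumed names: the PR names only auth_mode, API keys, tokens and the account id.
API_KEY_FIELDS = {"OPENAI_API_KEY"}
TOKEN_FIELDS = {"access_token", "id_token"}
ACCOUNT_ID_FIELD = "account_id"
PLACEHOLDER = "REDACTED"

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_expiry(token, default):
    """Read the unverified exp claim of a JWT; fall back if it is not one."""
    try:
        return int(json.loads(b64url_decode(token.split(".")[1]))["exp"])
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return default

def dummy_jwt(exp):
    """Unsigned placeholder JWT carrying only the aligned expiry (alg none)."""
    parts = ({"alg": "none", "typ": "JWT"}, {"sub": "guest", "exp": exp})
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in parts) + "."

def redact_unknown(value):
    """Unknown scalar -> placeholder; unknown object/list -> empty container."""
    return {} if isinstance(value, dict) else [] if isinstance(value, list) else PLACEHOLDER

def redact_tokens(tokens, exp):
    """Token block: dummy JWTs, the non-secret account id, nothing else."""
    return {
        key: dummy_jwt(exp) if key in TOKEN_FIELDS
        else value if key == ACCOUNT_ID_FIELD
        else redact_unknown(value)  # refresh_token and future fields land here
        for key, value in tokens.items()
    }

def redact_auth(auth, now=None):
    """Synthesize guest auth: explicit per-field policy, never a recursive copy."""
    exp = jwt_expiry((auth.get("tokens") or {}).get("access_token"),
                     (now or int(time.time())) + 3600)  # one-hour fallback assumed
    policy = {"auth_mode": lambda v: v,                         # preserved as-is
              "tokens": lambda v: redact_tokens(v or {}, exp)}  # synthesized
    policy.update({k: lambda v: None for k in API_KEY_FIELDS})  # nulled
    return {k: policy.get(k, redact_unknown)(v) for k, v in auth.items()}
```

Because unknown keys fall through to redact_unknown, a future field that carries a secret is dropped by default instead of leaking into the guest copy.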
didericis added 1 commit 2026-06-02 04:09:25 -04:00
docs(prd): add codex auth redaction policy
test / unit (pull_request) Successful in 35s
test / integration (pull_request) Successful in 42s
2247d730cd
didericis force-pushed prd-0036-codex-auth-redaction from 1c5d8adb55 to 2247d730cd 2026-06-02 04:09:25 -04:00
didericis added 2 commits 2026-06-02 04:10:47 -04:00
complete(prd): mark PRD 0036 active
test / unit (pull_request) Successful in 32s
test / integration (pull_request) Successful in 44s
test / unit (push) Successful in 31s
test / integration (push) Successful in 45s
a79ef61b62
didericis approved these changes 2026-06-02 04:11:56 -04:00
didericis merged commit a79ef61b62 into main 2026-06-02 04:14:31 -04:00
didericis deleted branch prd-0036-codex-auth-redaction 2026-06-02 04:14:31 -04:00