From 4c0eb149854fa36ae1aab2ac796791c689613ea1 Mon Sep 17 00:00:00 2001
From: Eva
Date: Sat, 11 Apr 2026 04:11:08 +0700
Subject: [PATCH] fix: address remaining runtime truthfulness review
---
 .../reply/commands-system-prompt.test.ts | 34 +++++++++++++++++++
 .../reply/commands-system-prompt.ts | 2 +-
 src/commands/openai-codex-oauth.test.ts | 25 ++++++++++++++
 src/plugins/provider-openai-codex-oauth.ts | 5 ++-
 4 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/src/auto-reply/reply/commands-system-prompt.test.ts b/src/auto-reply/reply/commands-system-prompt.test.ts
index d5207ef99b0..ba8509c4626 100644
--- a/src/auto-reply/reply/commands-system-prompt.test.ts
+++ b/src/auto-reply/reply/commands-system-prompt.test.ts
@@ -165,4 +165,38 @@ describe("resolveCommandsSystemPromptBundle", () => {
 }),
 );
 });
+
+ it("uses the resolved session key and forwards full-access block reasons", async () => {
+ const { resolveCommandsSystemPromptBundle } = await import("./commands-system-prompt.js");
+ const sandboxRuntime = await import("../../agents/sandbox.js");
+ const systemPromptRuntime = await import("../../agents/system-prompt.js");
+
+ vi.mocked(sandboxRuntime.resolveSandboxRuntimeStatus).mockImplementation(({ sessionKey }) => {
+ expect(sessionKey).toBe("agent:target:default");
+ return { sandboxed: true, mode: "workspace-write" } as never;
+ });
+
+ const params = makeParams();
+ params.sessionKey = "agent:target:default";
+ params.ctx.SessionKey = "agent:source:default";
+ params.elevated = {
+ enabled: true,
+ allowed: false,
+ failures: [],
+ };
+
+ await resolveCommandsSystemPromptBundle(params);
+
+ expect(vi.mocked(systemPromptRuntime.buildAgentSystemPrompt)).toHaveBeenCalledWith(
+ expect.objectContaining({
+ sandboxInfo: expect.objectContaining({
+ enabled: true,
+ elevated: expect.objectContaining({
+ fullAccessAvailable: false,
+ fullAccessBlockedReason: "host-policy",
+ }),
+ }),
+ }),
+ );
+ });
 });
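Review bot: This test would also pass against the old hard-coded `sandboxEnabled: true`, because the mock returns `sandboxed: true`, so the one-line fix in commands-system-prompt.ts is not pinned by anything visible here. A companion case whose mock returns `sandboxed: false`, asserting what `sandboxInfo` then carries, would catch a regression to the literal. Separately, the `expect(sessionKey)` inside `mockImplementation` throws from within the code under test; asserting after the call with `expect(vi.mocked(sandboxRuntime.resolveSandboxRuntimeStatus)).toHaveBeenCalledWith(expect.objectContaining({ sessionKey: "agent:target:default" }))` fails more legibly and cannot be hidden by a catch in the implementation.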
diff --git a/src/auto-reply/reply/commands-system-prompt.ts b/src/auto-reply/reply/commands-system-prompt.ts
index 22773d48aef..a9bd5f9e4d6 100644
--- a/src/auto-reply/reply/commands-system-prompt.ts
+++ b/src/auto-reply/reply/commands-system-prompt.ts
@@ -112,7 +112,7 @@ export async function resolveCommandsSystemPromptBundle(
 },
 });
 const fullAccessState = resolveEmbeddedFullAccessState({
- sandboxEnabled: true,
+ sandboxEnabled: sandboxRuntime.sandboxed,
 execElevated: {
 enabled: params.elevated.enabled,
 allowed: params.elevated.allowed,
diff --git a/src/commands/openai-codex-oauth.test.ts b/src/commands/openai-codex-oauth.test.ts
index 14ec07ff1ae..09f7308fc82 100644
--- a/src/commands/openai-codex-oauth.test.ts
+++ b/src/commands/openai-codex-oauth.test.ts
@@ -141,6 +141,31 @@ describe("loginOpenAICodexOAuth", () => {
 );
 });
+ it("normalizes slash-terminated authorize paths too", async () => {
+ const creds = {
+ provider: "openai-codex" as const,
+ access: "access-token",
+ refresh: "refresh-token",
+ expires: Date.now() + 60_000,
+ email: "user@example.com",
+ };
+ mocks.loginOpenAICodex.mockImplementation(
+ async (opts: { onAuth: (event: { url: string }) => Promise }) => {
+ await opts.onAuth({
+ url: "https://auth.openai.com/oauth/authorize/?state=abc",
+ });
+ return creds;
+ },
+ );
+
+ const openUrl = vi.fn(async () => {});
+ await runCodexOAuth({ isRemote: false, openUrl });
+
+ expect(openUrl).toHaveBeenCalledWith(
+ "https://auth.openai.com/oauth/authorize/?state=abc&scope=openid+profile+email+offline_access+model.request+api.responses.write",
+ );
+ });
+
 it("reports oauth errors and rethrows", async () => {
 mocks.loginOpenAICodex.mockRejectedValue(new Error("oauth failed"));
diff --git a/src/plugins/provider-openai-codex-oauth.ts b/src/plugins/provider-openai-codex-oauth.ts
index 99731ea0231..6dd459acfd6 100644
--- a/src/plugins/provider-openai-codex-oauth.ts
+++ b/src/plugins/provider-openai-codex-oauth.ts
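Review bot: The new `sandboxEnabled: sandboxRuntime.sandboxed` carries no comment saying why the literal was wrong, even though this value shapes what the system prompt tells the agent about its own confinement. I would add above it `// Use the resolved runtime status: the prompt must not claim a sandbox that is not active.` so a later edit does not put the constant back. `sandboxRuntime` is assigned above the hunk; if its `sandboxed` field can be undefined there, `sandboxRuntime.sandboxed === true` would keep the argument a plain boolean. The function body continues outside the hunk.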
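Review bot: Only the accepting side of the relaxed path pattern is tested here; nothing in this hunk pins which URLs must still be left untouched. A companion case that feeds a path continuing past the slash (constructed example: `https://auth.openai.com/oauth/authorize/extra?state=abc`) and asserts `openUrl` receives it unchanged would stop the `\/?$` relaxation from widening unnoticed. Tests above the hunk may already cover rejection of other hosts or paths, but they are not visible here.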
@@ -26,7 +26,10 @@ function normalizeOpenAICodexAuthorizeUrl(rawUrl: string): string {
 }
 try {
 const url = new URL(trimmed);
- if (!/(?:^|\.)openai\.com$/i.test(url.hostname) || !/\/oauth\/authorize$/i.test(url.pathname)) {
+ if (
+ !/(?:^|\.)openai\.com$/i.test(url.hostname) ||
+ !/\/oauth\/authorize\/?$/i.test(url.pathname)
+ ) {
 return rawUrl;
 }
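Review bot: The path test `/\/oauth\/authorize\/?$/i` is anchored only at the end and the guard never looks at `url.protocol`, so any pathname that merely ends in `/oauth/authorize` or `/oauth/authorize/` on an openai.com host is rewritten, whatever the scheme. A match gets scopes appended before the URL is handed to the opener, as the expectation in openai-codex-oauth.test.ts shows. If no prefixed path is expected, an exact comparison would be tighter: `url.protocol !== "https:" || url.pathname.replace(/\/$/, "") !== "/oauth/authorize"`. Whether prefixed or mixed-case paths must be supported is not visible here, so treat this as a question to confirm. The function body starts and ends outside the hunk.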