Files
openclaw/extensions/codex/src/app-server/auth-binding.ts
Peter Steinberger 96f0983a85 fix(onboarding): skip setup for configured gateways and require inference first (#102883)
* fix(crestodian): keep onboarding RPCs restart-safe

* fix(profiles): isolate approval state migrations

* fix(crestodian): bypass configured gateway setup

* test(crestodian): type onboarding mocks

* fix(onboarding): require inference before Crestodian

* fix(onboarding): enforce verified inference handoff

* fix(macos): reset setup on gateway endpoint edits

* chore(i18n): refresh native source inventory

* fix(gateway): keep socket on request cancellation

* test(packaging): require workspace templates

* fix(onboarding): bind setup to verified inference

* fix(onboarding): align inference gate contracts

* fix(crestodian): classify concurrent policy rejection

* test(crestodian): expect registry restoration

* fix(onboarding): bind setup to configured gateways

* fix(codex): preserve startup phase deadlines

* test(crestodian): match fail-closed policy ordering

* test(onboarding): assert bound gateway handoff

* fix(codex): bind runtime resolution to spawn cwd

* test(crestodian): assert policy rejection order

* fix(cli): preserve gateway routing across restarts

* fix(macos): fail closed during gateway edits

* test(macos): cover gateway route generation races

* chore: keep release notes out of onboarding PR

* fix(ci): refresh onboarding generated checks

* style(swift): align gateway channel formatting

* fix(ci): refresh plugin SDK surface budgets

* fix(ci): resync native string inventory

* refactor(swift): split gateway channel support

* test(doctor): isolate plugin compatibility registry

* test(macos): isolate gateway onboarding fixtures

* test(macos): assert gateway lease health ordering

* fix(codex): reconcile computer-use startup changes
2026-07-11 10:25:14 -07:00

79 lines
2.6 KiB
TypeScript

import {
fingerprintResolvedAuthProfileCredential,
type AgentHarnessAuthBindingFingerprintParams,
} from "openclaw/plugin-sdk/agent-harness-runtime";
import {
resolveApiKeyForProfile,
type AuthProfileCredential,
type AuthProfileStore,
} from "openclaw/plugin-sdk/agent-runtime";
export type CodexAppServerPreparedAuthBinding = {
authProfileStore: AuthProfileStore;
fingerprint: string;
};
function withMaterializedCredential(params: {
store: AuthProfileStore;
profileId: string;
credential: AuthProfileCredential;
value: string;
}): AuthProfileStore {
const store = structuredClone(params.store);
if (params.credential.type === "api_key") {
const { keyRef: _keyRef, ...credential } = params.credential;
store.profiles[params.profileId] = { ...credential, key: params.value };
} else if (params.credential.type === "token") {
const { tokenRef: _tokenRef, ...credential } = params.credential;
store.profiles[params.profileId] = { ...credential, token: params.value };
}
return store;
}
/** Resolves one forwarded profile once so attestation and execution share exact material. */
export async function prepareCodexAppServerAuthBinding(
params: AgentHarnessAuthBindingFingerprintParams,
): Promise<CodexAppServerPreparedAuthBinding | undefined> {
const credential = params.authProfileStore.profiles[params.authProfileId];
if (!credential || credential.type === "oauth") {
return undefined;
}
const resolved = await resolveApiKeyForProfile({
cfg: params.config,
store: params.authProfileStore,
profileId: params.authProfileId,
agentDir: params.agentDir,
});
if (!resolved?.apiKey) {
throw new Error(`Codex could not resolve auth profile "${params.authProfileId}".`);
}
const fingerprint = fingerprintResolvedAuthProfileCredential({
profileId: params.authProfileId,
credential,
resolvedAuth: {
apiKey: resolved.apiKey,
profileId: params.authProfileId,
source: `profile:${params.authProfileId}`,
mode: credential.type === "api_key" ? "api-key" : "token",
},
});
if (!fingerprint) {
throw new Error(`Codex could not attest auth profile "${params.authProfileId}".`);
}
return {
fingerprint,
authProfileStore: withMaterializedCredential({
store: params.authProfileStore,
profileId: params.authProfileId,
credential,
value: resolved.apiKey,
}),
};
}
export async function fingerprintCodexAppServerAuthBinding(
params: AgentHarnessAuthBindingFingerprintParams,
): Promise<string | undefined> {
return (await prepareCodexAppServerAuthBinding(params))?.fingerprint;
}