cloud-codex runtime + LiteLLM-shared auth surface (ADR-014)#370
Merged
Conversation
…pt.com

Multi-runtime ≠ multi-auth-surface. Codex CLI's runtime distinction (sandbox, tool use, sessions) is independent from where its HTTPS calls go. Point codex CLI at LiteLLM instead of chatgpt.com so:

- single auth surface across openclaw and codex runtimes
- one rotator, one cluster-bound auth.json (already established by PR #365)
- per-agent codex login --device-auth no longer needed
- per-agent /state/.codex/auth.json no longer needed
- shared quota pool across all agents
- LiteLLM observability captures all model traffic regardless of runtime

What changes:

- Boot script seeds ~/.codex/config.toml with model_provider=litellm, base_url pointing at LiteLLM service, wire_api=responses (matches the chatgpt/ bridge's Responses-API shape), env_key=LITELLM_API_KEY.
- LITELLM_API_KEY exported from a k8s Secret (cloud-codex-<name>-litellm-key, optional so the pod can boot before the key exists; warning logged if missing).
- Drops the "wait for /state/.codex/auth.json" gate — no longer needed since codex CLI no longer holds its own auth.

Operator setup (per agent):

1. POST /api/registry/install (cloud-codex/<name>)
2. Mint AgentInstallation runtime token → secret cloud-codex-<name>-token
3. Mint LiteLLM virtual key → secret cloud-codex-<name>-litellm-key
4. helm upgrade — pod boots, no device-auth needed

The cloud-codex pod's PVC still holds /state/.commonly/tokens/<name>.json (commonly agent run loop's CAP token); only the codex auth.json went away.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
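The boot-script behaviour the commit describes (seed config.toml pointing codex CLI at LiteLLM, reference the key only by environment variable name, warn rather than crash when the optional Secret is absent) can be expressed as a small POSIX shell script. This is an added example, not the PR's boot script: the config keys model_provider, base_url, wire_api and env_key are the ones the commit names, while the `[model_providers.litellm]` table layout and the `name` field follow Codex CLI's provider config format, and the LiteLLM service URL is a placeholder. The last function is a defender's check that the literal key value never lands in the config file on the PVC, which is the property that makes the per-agent auth.json unnecessary.

```shell
#!/bin/sh
# Added example (not the PR's boot script). Seeds a codex CLI config that routes
# all model traffic to LiteLLM and never writes the LiteLLM key to disk: the
# config names the key's env var (env_key); the value only exists in the pod
# environment, injected from the k8s Secret.
# Assumed: [model_providers.<id>] table layout per Codex CLI config format;
# the default base URL below is a placeholder for the in-cluster LiteLLM service.

seed_codex_config() {
  # $1 = codex home dir (e.g. ~/.codex), $2 = LiteLLM base URL
  codex_home=$1
  base_url=$2
  cfg="$codex_home/config.toml"
  mkdir -p "$codex_home"
  # Idempotent: a config that already routes to LiteLLM is left alone.
  if [ -f "$cfg" ] && grep -q '^model_provider = "litellm"' "$cfg"; then
    return 0
  fi
  # Create the file 0600 in a subshell so the umask change does not leak out.
  (
    umask 077
    cat > "$cfg" <<EOF
model_provider = "litellm"

[model_providers.litellm]
name = "LiteLLM"
base_url = "$base_url"
env_key = "LITELLM_API_KEY"
wire_api = "responses"
EOF
  )
}

check_litellm_key() {
  # The Secret is optional so the pod can boot before the key is minted:
  # warn and return non-zero, do not abort the boot.
  if [ -z "${LITELLM_API_KEY:-}" ]; then
    echo "WARN: LITELLM_API_KEY is not set; codex CLI will fail auth until the litellm-key Secret exists" >&2
    return 1
  fi
  return 0
}

config_leaks_key() {
  # Returns 0 (true) if the literal key value is present in the config file.
  # Expected to be false: the file should carry only the env var name.
  [ -n "${LITELLM_API_KEY:-}" ] && grep -qF -- "$LITELLM_API_KEY" "$1"
}

# Stand-alone usage: sh seed.sh --seed (writes to $CODEX_HOME or ~/.codex).
if [ "${1:-}" = "--seed" ]; then
  seed_codex_config "${CODEX_HOME:-$HOME/.codex}" "${LITELLM_BASE_URL:-http://litellm:4000/v1}"
  check_litellm_key || true
fi
```

Because the config only carries `env_key`, rotating the LiteLLM virtual key is a Secret update plus a pod restart; nothing on the PVC has to change, and a snapshot of the PVC reveals no credential.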
… quick-rules

ADR-014 captures the runtime ≠ auth-surface separation: cloud-codex agents run codex CLI in-cluster but proxy through LiteLLM, which is the single ChatGPT-OAuth holder for the cluster. Pod-side device-auth via the new codex-cli sidecar resolves the server-side IP-binding constraint that killed laptop-uploaded tokens.

CLAUDE.md Agent Runtime quick-rules: 2 bullets (cloud-codex registration + "never device-auth elsewhere") so future sessions land in the right mental model without needing the ADR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 15, 2026
Summary

- cloud-codex k8s runtime (per-agent Deployment + PVC) running codex CLI in-cluster; first agent: Cody.
- ~/.codex/config.toml (model_provider = litellm) — same OAuth chain as openclaw moltbot.
- codex-cli sidecar + chatgpt-auth PVC so operators device-auth from inside the cluster (resolves cluster-IP-bound OAuth).

Test plan

- auth-N.json (nested codex CLI shape) — accounts 1 + 2 in rotation
- … strategy.type: Recreate)
- … commonly-skills)

🤖 Generated with Claude Code