[codex] Use AgentAssertion downstream behind use_agent_identity #17980

Open
adrian-openai wants to merge 1 commit into dev/adrian/codex/agent-task-state-prewarm from dev/adrian/codex/agent-identity-use-assertion-split
adrian-openai commented Apr 15, 2026

Summary

This is the AgentAssertion downstream slice for feature-gated agent identity support, replacing the oversized AgentAssertion slice from PR #17807.

It isolates downstream AgentAssertion wiring on top of PR3.1 (dev/adrian/codex/agent-task-state-prewarm) without re-carrying the earlier agent registration, task registration, or task-state history.

Stack

What Changed

  • add AgentAssertion envelope generation in codex-core
  • route downstream HTTP and websocket auth through AgentAssertion when an agent task is present
  • add targeted client and assertion tests for the new auth path
  • extend CoreAuthProvider so non-bearer authorization schemes can be passed through cleanly

Why

The original PR had drifted ancestry and showed a much larger diff than the semantic change actually required. Restacking it onto PR3.1 keeps the reviewable surface down to the downstream assertion slice.

Validation

  • just fmt
  • cargo test -p codex-api core_auth_provider
  • cargo test -p codex-core --lib authorization_header_for_task
  • cargo test -p codex-core --lib client::tests::responses_http_uses_agent_assertion_when_agent_task_is_present
  • cargo test -p codex-core websocket_agent_task_bypasses_cached_bearer_prewarm

efrazer-oai left a comment

I had Codex go find all the places that are still hardcoded to use Bearer, as discussed on Slack; here are the results:

As it stands, we have successfully migrated the shared Responses HTTP, Responses websocket, compact, and ChatGPT-backend realtime-call paths.

But there are still several other backend surfaces that build Authorization: Bearer ... directly or go through helpers that only understand bearer tokens. Those still need to migrate if we want this change to be exhaustive.

Shared backend client paths that still need the new auth shape:

  • codex-rs/backend-client/src/client.rs
    • /wham/usage
    • /wham/tasks/list
    • /wham/tasks/{id}
    • /wham/tasks/{id}/turns/{turn_id}/sibling_turns
    • /wham/config/requirements
    • POST /wham/tasks

Current callers of that shared client include:

  • codex-rs/cloud-requirements/src/lib.rs
  • codex-rs/app-server/src/codex_message_processor.rs
  • codex-rs/cloud-tasks-client/src/http.rs

Direct backend callers that still attach bearer auth themselves:

  • codex-rs/codex-api/src/files.rs
    • /files
    • /files/{id}/uploaded
  • codex-rs/core/src/mcp_openai_file.rs
  • codex-rs/models-manager/src/manager.rs
    • /codex/models
  • codex-rs/codex-mcp/src/mcp/mod.rs
    • .../wham/apps
  • codex-rs/chatgpt/src/chatgpt_client.rs
    • shared GET helper used by:
      • codex-rs/chatgpt/src/get_task.rs
      • connector directory loading paths
  • codex-rs/core/src/connectors.rs
    • connector directory requests
  • codex-rs/core/src/plugins/remote.rs
    • /plugins/list
    • /plugins/featured
    • /plugins/{id}/enable
    • /plugins/{id}/uninstall
  • codex-rs/core-skills/src/remote.rs
    • /hazelnuts
    • /hazelnuts/{skill_id}/export
  • codex-rs/analytics/src/client.rs
    • /codex/analytics-events/events
  • codex-rs/core/src/arc_monitor.rs
    • /codex/safety/arc
  • codex-rs/app-server/src/transport/remote_control/enroll.rs
    • /wham/remote/control/server/enroll
  • codex-rs/app-server/src/transport/remote_control/websocket.rs
    • websocket handshake for /wham/remote/control/server
  • codex-rs/cloud-tasks/src/util.rs
  • codex-rs/cloud-tasks/src/env_detect.rs
    • /wham/environments
    • /wham/environments/by-repo/...

One backend hit I found that does not look like part of this auth migration is:

  • codex-rs/core/src/plugins/startup_sync.rs
    • backup archive fetch at /backend-api/plugins/export/curated

So the main point is: this PR fixes the shared model path, but it does not yet migrate all of the places where we talk to codex-backend.

adrian-openai force-pushed the dev/adrian/codex/agent-identity-use-assertion-split branch from ed316a9 to d1373d4 on April 15, 2026 23:53
adrian-openai changed the base branch from dev/adrian/codex/agent-identity-register-task to dev/adrian/codex/agent-task-state-prewarm on April 15, 2026 23:53
adrian-openai force-pushed the dev/adrian/codex/agent-identity-use-assertion-split branch from d1373d4 to dfd9aa0 on April 16, 2026 00:15
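
An added illustration of the gap the review describes (not code from this PR or from codex-rs): a bearer-only helper beside a provider that returns the whole Authorization value, plus a check that lists recorded requests still sending Bearer. All type and function names, the `AgentAssertion <payload>` header layout and the `/responses` path are assumptions; the other two paths come from the review's list.

```rust
// Added illustration. All names are hypothetical, not the codex-rs API, and the
// `AgentAssertion <payload>` header layout is an assumption; the payload is opaque.
struct AuthContext {
    use_agent_identity: bool,        // feature gate
    agent_assertion: Option<String>, // Some(..) when an agent task is present
    bearer_token: Option<String>,
}

/// Bearer-only helper: a caller that goes through this can never send an assertion.
fn bearer_only_header(token: &str) -> String {
    format!("Bearer {token}")
}

/// Scheme-aware provider: returns the whole `Authorization` value, scheme included.
fn authorization_header(ctx: &AuthContext) -> Option<String> {
    match (&ctx.agent_assertion, ctx.use_agent_identity) {
        (Some(a), true) => Some(format!("AgentAssertion {a}")),
        _ => ctx.bearer_token.as_deref().map(bearer_only_header),
    }
}

/// Authorization scheme of a header value (the text before the first space).
fn scheme(header: &str) -> &str {
    header.split_once(' ').map_or(header, |(s, _)| s)
}

/// Given recorded (path, Authorization) pairs from a run where an agent task was
/// active, return the paths that still sent a bearer credential.
fn unmigrated<'a>(recorded: &[(&'a str, String)]) -> Vec<&'a str> {
    recorded.iter().filter(|(_, h)| scheme(h).eq_ignore_ascii_case("Bearer"))
        .map(|(p, _)| *p).collect()
}

/// Constructed sample: one request through the provider, two through the
/// bearer-only helper.
fn sample_recording() -> Vec<(&'static str, String)> {
    let ctx = AuthContext {
        use_agent_identity: true,
        agent_assertion: Some("opaque-assertion".into()),
        bearer_token: Some("cached-token".into()),
    };
    vec![
        ("/responses", authorization_header(&ctx).unwrap()), // constructed path
        ("/wham/usage", bearer_only_header("cached-token")),
        ("/codex/models", bearer_only_header("cached-token")),
    ]
}

fn main() { println!("still bearer: {:?}", unmigrated(&sample_recording())); }
```

Run against headers captured by a recording transport in an integration test, the same check turns the review's manual list into an assertion that fails whenever a new bearer-only caller appears.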