Load cloud requirements for agent identity #19708
shijie-oai wants to merge 3 commits into dev/efrazer/agent-identity-jwt-verify from
4f7f8ca to 202fc0d
|
|
||
| pub async fn initialize_runtime( | ||
| &self, | ||
| _chatgpt_base_url: Option<String>, |
| return Ok(None); | ||
| } | ||
| let Some(plan_type) = auth.account_plan_type() else { | ||
| let Some(auth) = self.auth_manager.auth_snapshot().await else { |
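Review bot: on the two let-else lines (`auth_snapshot()` and `account_plan_type()`), if both else arms end in the `return Ok(None);` shown above them, a missing auth snapshot or a missing plan type is indistinguishable from "no requirements apply", and the session starts without workspace-managed requirements. Consider returning an error, or at least logging, when the plan type cannot be read, and add a comment saying which of the two arms is an intentional skip.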
The reason to use auth_snapshot is so that we are not getting a task identity, because it is not necessary for us to use the existing auth state to validate and apply the cloud requirements. Previously, an auth() failure would fail open even if the agent identity is tied to an enterprise or a business-like plan.
f929847 to 0e04e40
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f929847f00
| auth.initialize_runtime() | ||
| .await |
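Review bot: the result of `auth.initialize_runtime().await` needs explicit error handling at this call site, and the lines shown do not say what happens when it fails. Because the call now runs ahead of the requirements request, map a failure to a load error rather than to `Ok(None)`, so a registration problem cannot be read as "this workspace has no requirements".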
Budget cloud fetch timeout for AgentIdentity setup
BackendRequirementsFetcher::fetch_requirements now performs auth.initialize_runtime() before the requirements request. Startup still applies a 15s overall timeout to self.fetch() (cloud-requirements/src/lib.rs), but agent task registration itself allows up to 30s (agent-identity/src/lib.rs). A registration that would succeed in 15–30s now deterministically times out and fails cloud requirements loading for eligible workspaces.
0e04e40 to be8ae40
| let Some(auth) = self.auth_manager.auth().await else { | ||
| return Ok(None); | ||
| }; | ||
| if matches!(auth, CodexAuth::AgentIdentity(_)) { |
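Review bot: the `if matches!(auth, CodexAuth::AgentIdentity(_))` branch needs a regression test, since it decides whether an Agent Identity session loads requirements at all. A test that builds an Agent Identity auth and asserts the loader gets past this point instead of returning `Ok(None)` would pin the intended behaviour; the `else { return Ok(None); }` arm just above deserves a comment on why a missing auth is treated as a skip.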
For agent identities - we would like to fetch cloud requirements as expected.
| signed_agent_identity_jwt_with_plan_type(record, json!(record.plan_type)) | ||
| } | ||
|
|
||
| fn signed_agent_identity_jwt_with_plan_type( |
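Review bot: the second argument at the `signed_agent_identity_jwt_with_plan_type(record, json!(record.plan_type))` call is an untyped JSON value, so the helper will sign a token carrying whatever plan claim the caller passes. If that is deliberate, for example to exercise raw alias strings, say so in a doc comment on the helper and keep it confined to test code.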
Let's just make signed_agent_identity_jwt accept PlanType instead of helper below, otherwise lgtm
da21113 to 849b6c8
Why
Agent Identity sessions can represent Business and Enterprise ChatGPT workspaces, but cloud requirements were skipped before fetch. That meant workspace-managed requirements were not loaded for Agent Identity even when the JWT carried the same account identity and plan information that normal ChatGPT token auth exposes.
This PR now sits on top of the Agent Identity stack through #19764. Because #19763 moved task registration into Agent Identity auth loading, cloud requirements no longer needs a separate runtime-initialization step before building the backend client.
What changed
- CodexAuth::AgentIdentity in the cloud requirements loader.
- AgentAssertion headers.
- plan_type as the auth-layer plan type, then convert it through a shared auth::PlanType -> account::PlanType mapping.
- education plan string and add coverage for raw Agent Identity plan aliases such as hc and education.
Testing
cargo test -p codex-agent-identity -p codex-login -p codex-cloud-requirements -p codex-protocol
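
The fail-open path described in "Why" and in the auth_snapshot comment, as an added Rust example that is not code from this PR or its repository. `Session`, `Decision`, `decide_before` and `decide_after` are hypothetical stand-ins; `auth()` and `snapshot()` only model the behaviour the review comment describes, and the `Fail` outcome for a missing plan type is a stricter choice made here, not something the page shows.

```rust
// Added illustration: simplified stand-ins, not the project's real types.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Plan { Business, Enterprise, Other }

#[derive(Debug, PartialEq)]
enum Auth { ApiKey, ChatGpt(Option<Plan>), AgentIdentity(Option<Plan>) }

#[derive(Debug, PartialEq)]
enum Decision { Skip, Fetch, Fail(&'static str) }

struct Session { stored: Option<Auth>, registration_ok: bool }

impl Session {
    // Models auth(): Agent Identity additionally needs task registration to succeed.
    fn auth(&self) -> Option<&Auth> {
        match &self.stored {
            Some(Auth::AgentIdentity(_)) if !self.registration_ok => None,
            other => other.as_ref(),
        }
    }
    // Models auth_snapshot(): reads stored auth state, no registration involved.
    fn snapshot(&self) -> Option<&Auth> { self.stored.as_ref() }
}

// Assumption: only Business and Enterprise carry workspace-managed requirements.
fn managed(p: Plan) -> bool { matches!(p, Plan::Business | Plan::Enterprise) }

// Before: Agent Identity never fetches, and a failed auth() reads as "nothing to load".
fn decide_before(s: &Session) -> Decision {
    let Some(auth) = s.auth() else { return Decision::Skip };
    match auth {
        Auth::ChatGpt(Some(p)) if managed(*p) => Decision::Fetch,
        _ => Decision::Skip,
    }
}

// After: decide from the snapshot and treat Agent Identity like ChatGPT token auth.
fn decide_after(s: &Session) -> Decision {
    match s.snapshot() {
        None | Some(Auth::ApiKey) => Decision::Skip,
        Some(Auth::ChatGpt(plan)) | Some(Auth::AgentIdentity(plan)) => match plan {
            Some(p) if managed(*p) => Decision::Fetch,
            Some(_) => Decision::Skip,
            // Stricter than the page shows: an unreadable plan is an error, not an exemption.
            None => Decision::Fail("plan type missing"),
        },
    }
}

fn main() {
    let s = Session { stored: Some(Auth::AgentIdentity(Some(Plan::Enterprise))), registration_ok: false };
    println!("before: {:?}, after: {:?}", decide_before(&s), decide_after(&s));
}
```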