Commit Graph

1 Commits

  • app-server: add codex-device-key crate (#18429)
    ## Why
    
    Device-key storage and signing are local security-sensitive operations
    with platform-specific behavior. Keeping the core API in
    `codex-device-key` keeps app-server focused on routing and business
    logic instead of owning key-management details.
    
    The crate keeps the signing surface intentionally narrow: callers can
    create a bound key, fetch its public key, or sign one of the structured
    payloads accepted by the crate. It does not expose a generic
    arbitrary-byte signing API.
    
    Key IDs cross into platform-specific labels, tags, and metadata paths,
    so externally supplied IDs are constrained to the same auditable
    namespace created by the crate: `dk_` followed by unpadded base64url for
    32 bytes. Remote-control target paths are also tied to each signed
    payload shape so connection proofs cannot be reused for enrollment
    endpoints, or vice versa.
    
    ## What changed
    
    - Added the `codex-device-key` workspace crate.
    - Added account/client-bound key creation with stable `dk_` key IDs.
    - Added strict `key_id` validation before public-key lookup or signing
    reaches a provider.
    - Added public-key lookup and structured signing APIs.
    - Split remote-control client endpoint allowlists by connection vs
    enrollment payload shape.
    - Added validation for key bindings, accepted payload fields, token
    expiration, and payload/key binding mismatches.
    - Added flow-oriented docs on the validation helpers that gate provider
    signing.
    - Added protection policy and protection-class types without wiring a
    platform provider yet.
    - Added an unsupported default provider so platforms without an
    implementation fail explicitly instead of silently falling back to
    software-backed keys.
    - Updated Cargo and Bazel lock metadata for the new crate and
    non-platform-specific dependencies.
    
    ## Stack
    
    This is stacked on #18428.
    
    ## Validation
    
    - `cargo test -p codex-device-key`
    - Added unit coverage for strict `key_id` validation before provider
    use.
    - Added unit coverage that rejects remote-control paths from the wrong
    signed payload shape.
    - `just bazel-lock-update`
    - `just bazel-lock-check`