Commit Graph

2 Commits

  • app-server: persist device key bindings in sqlite (#19206)
    ## Why
    
    Device-key providers should only own platform key material. The
    account/client binding used to authorize a signing payload is app-server
    state, and keeping that state in provider-specific metadata makes the
    same check harder to audit and harder to share across platform
    implementations.
    
    Persisting the binding in the shared state database gives the device-key
    crate a platform-neutral source of truth before it asks a provider to
    sign. It also lets app-server move potentially blocking key operations
    off the main message processor path, which matters once providers may
    wait for OS authentication prompts.
    
    ## What changed
    
    - Add a `device_key_bindings` state migration plus `StateRuntime`
    helpers keyed by `key_id`.
    - Add an async `DeviceKeyBindingStore` abstraction to `codex-device-key`
    and use it from `DeviceKeyStore::create` and `DeviceKeyStore::sign`.
    - Keep provider calls behind async store methods and run the synchronous
    provider work through `spawn_blocking`.
    - Wire app-server device-key RPC handling to the SQLite-backed binding
    store and spawn response/error delivery tasks for device-key requests.
    - Run the turn-start tracing test on the existing larger current-thread
    test harness after the larger async surface made the default test stack
    too small locally.
    
    ## Validation
    
    - `cargo test -p codex-device-key`
    - `cargo test -p codex-state device_key`
    - `cargo test -p codex-state`
    - `cargo test -p codex-app-server device_key`
    - `cargo test -p codex-app-server
    message_processor::tracing_tests::turn_start_jsonrpc_span_parents_core_turn_spans`
    - `cargo test -p codex-app-server`
    - `just fix -p codex-device-key`
    - `just fix -p codex-state`
    - `just fix -p codex-app-server`
    - `just bazel-lock-update`
    - `just bazel-lock-check`
    - `git diff --check`
  • app-server: add codex-device-key crate (#18429)
    ## Why
    
    Device-key storage and signing are local security-sensitive operations
    with platform-specific behavior. Keeping the core API in
    `codex-device-key` keeps app-server focused on routing and business
    logic instead of owning key-management details.
    
    The crate keeps the signing surface intentionally narrow: callers can
    create a bound key, fetch its public key, or sign one of the structured
    payloads accepted by the crate. It does not expose a generic
    arbitrary-byte signing API.
    
    Key IDs cross into platform-specific labels, tags, and metadata paths,
    so externally supplied IDs are constrained to the same auditable
    namespace created by the crate: `dk_` followed by unpadded base64url for
    32 bytes. Remote-control target paths are also tied to each signed
    payload shape so connection proofs cannot be reused for enrollment
    endpoints, or vice versa.
    
    ## What changed
    
    - Added the `codex-device-key` workspace crate.
    - Added account/client-bound key creation with stable `dk_` key IDs.
    - Added strict `key_id` validation before public-key lookup or signing
    reaches a provider.
    - Added public-key lookup and structured signing APIs.
    - Split remote-control client endpoint allowlists by connection vs
    enrollment payload shape.
    - Added validation for key bindings, accepted payload fields, token
    expiration, and payload/key binding mismatches.
    - Added flow-oriented docs on the validation helpers that gate provider
    signing.
    - Added protection policy and protection-class types without wiring a
    platform provider yet.
    - Added an unsupported default provider so platforms without an
    implementation fail explicitly instead of silently falling back to
    software-backed keys.
    - Updated Cargo and Bazel lock metadata for the new crate and
    non-platform-specific dependencies.
    
    ## Stack
    
    This is stacked on #18428.
    
    ## Validation
    
    - `cargo test -p codex-device-key`
    - Added unit coverage for strict `key_id` validation before provider
    use.
    - Added unit coverage that rejects remote-control paths from the wrong
    signed payload shape.
    - `just bazel-lock-update`
    - `just bazel-lock-check`