Commit Graph

6 Commits

  • Load cloud requirements for agent identity (#19708)
    ## Why
    
    Agent Identity sessions can represent Business and Enterprise ChatGPT
    workspaces, but cloud requirements were skipped before fetch. That meant
    workspace-managed requirements were not loaded for Agent Identity even
    when the JWT carried the same account identity and plan information that
    normal ChatGPT token auth exposes.
    
    This PR now sits on top of the Agent Identity stack through
    [#19764](https://github.com/openai/codex/pull/19764). Because
    [#19763](https://github.com/openai/codex/pull/19763) moved task
    registration into Agent Identity auth loading, cloud requirements no
    longer needs a separate runtime-initialization step before building the
    backend client.
    
    ## What changed
    
    - Stop skipping `CodexAuth::AgentIdentity` in the cloud requirements
    loader.
    - Share the cloud requirements eligibility check between startup load
    and background cache refresh.
    - Rely on eagerly loaded Agent Identity auth so backend requests can
    attach task-scoped `AgentAssertion` headers.
    - Decode Agent Identity JWT `plan_type` as the auth-layer plan type,
    then convert it through a shared `auth::PlanType` -> `account::PlanType`
    mapping.
    - Add the missing serde alias for the `education` plan string and add
    coverage for raw Agent Identity plan aliases such as `hc` and
    `education`.
    
    ## Testing
    
    - `cargo test -p codex-agent-identity -p codex-login -p
    codex-cloud-requirements -p codex-protocol`
  • feat: split memories part 2 (#19860)
    Keep extracting memories out of core and moving the write trigger in the
    app-server
    This is temporary and it should move at the client level as a follow-up
    This makes core fully independant from `codex-memories-write`
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • feat: load AgentIdentity from JWT login/env (#18904)
    ## Summary
    
    This PR lets programmatic AgentIdentity users provide one token through
    either stdin login or environment auth.
    
    `codex login --with-agent-identity` reads an Agent Identity JWT from
    stdin, validates that it has the required claims, and stores that token
    as the `agent_identity` value in `auth.json`. The file format is
    token-only; the decoded account and key fields are runtime state, not
    hand-authored auth.json fields.
    
    The Agent Identity JWT claim shape and decoder live in
    `codex-agent-identity`; `codex-login` only owns env/storage precedence
    and conversion into `CodexAuth::AgentIdentity`.
    
    When env auth is enabled, `CODEX_AGENT_IDENTITY` can provide the same
    JWT without writing auth state to disk. `CODEX_API_KEY` still wins if
    both env vars are set.
    
    Reference old stack: https://github.com/openai/codex/pull/17387/changes
    Reference JWT/env stack: https://github.com/openai/codex/pull/18176
    
    ## Stack
    
    1. https://github.com/openai/codex/pull/18757: full revert
    2. https://github.com/openai/codex/pull/18871: isolated Agent Identity
    crate
    3. https://github.com/openai/codex/pull/18785: explicit AgentIdentity
    auth mode and startup task allocation
    4. https://github.com/openai/codex/pull/18811: migrate Codex backend
    auth callsites through AuthProvider
    5. This PR: accept AgentIdentity JWTs through login/env
    
    ## Testing
    
    Tests: targeted login and Agent Identity crate tests, CLI checks, scoped
    formatter/linter cleanup, and CI.
    
    ---------
    
    Co-authored-by: Shijie Rao <shijie.rao@openai.com>
  • feat: add explicit AgentIdentity auth mode (#18785)
    ## Summary
    
    This PR adds `CodexAuth::AgentIdentity` as an explicit auth mode.
    
    An AgentIdentity auth record is a standalone `auth.json` mode. When
    `AuthManager::auth().await` loads that mode, it registers one
    process-scoped task and stores it in runtime-only state on the auth
    value. Header creation stays synchronous after that because the task is
    initialized before callers receive the auth object.
    
    This PR also removes the old feature flag path. AgentIdentity is
    selected by explicit auth mode, not by a hidden flag or lazy mutation of
    ChatGPT auth records.
    
    Reference old stack: https://github.com/openai/codex/pull/17387/changes
    
    ## Design Decisions
    
    - AgentIdentity is a real auth enum variant because it can be the only
    credential in `auth.json`.
    - The process task is ephemeral runtime state. It is not serialized and
    is not stored in rollout/session data.
    - Account/user metadata needed by existing Codex backend checks lives on
    the AgentIdentity record for now.
    - `is_chatgpt_auth()` remains token-specific.
    - `uses_codex_backend()` is the broader predicate for ChatGPT-token auth
    and AgentIdentity auth.
    
    ## Stack
    
    1. https://github.com/openai/codex/pull/18757: full revert
    2. https://github.com/openai/codex/pull/18871: isolated Agent Identity
    crate
    3. This PR: explicit AgentIdentity auth mode and startup task allocation
    4. https://github.com/openai/codex/pull/18811: migrate Codex backend
    auth callsites through AuthProvider
    5. https://github.com/openai/codex/pull/18904: accept AgentIdentity JWTs
    and load `CODEX_AGENT_IDENTITY`
    
    ## Testing
    
    Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
  • refactor: add agent identity crate (#18871)
    ## Summary
    
    This PR adds `codex-agent-identity` as an isolated crate for Agent
    Identity business logic.
    
    The crate owns:
    - AgentAssertion construction.
    - Agent task registration.
    - private-key assertion signing.
    - bounded blocking HTTP for task registration.
    
    It does not wire AgentIdentity into `auth.json`, `AuthManager`, rollout
    state, or request callsites. That integration happens in later PRs.
    
    Reference old stack: https://github.com/openai/codex/pull/17387/changes
    
    ## Stack
    
    1. https://github.com/openai/codex/pull/18757: full revert
    2. This PR: isolated Agent Identity crate
    3. https://github.com/openai/codex/pull/18785: explicit AgentIdentity
    auth mode and startup task allocation
    4. https://github.com/openai/codex/pull/18811: migrate Codex backend
    auth callsites through AuthProvider
    5. https://github.com/openai/codex/pull/18904: accept AgentIdentity JWTs
    and load `CODEX_AGENT_IDENTITY`
    
    ## Testing
    
    Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.