codexappgateway

package
v0.50.4

This package is not in the latest version of its module.
Published: May 16, 2026 License: MIT Imports: 27 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MintCapToken

func MintCapToken(secret []byte, turnID, workspaceID, exeID string, ttl time.Duration) (string, error)

MintCapToken produces a capability token consumed by codex-exec-gateway's VerifyCapabilityToken. Format and HMAC are kept identical (HS256 over "headerB64.payloadB64", base64url-no-pad) — see internal/codexexecgateway/auth.go for the verifier.

Per the 2026-05-10 refinement, each minted token authorises exactly one exe_id (one bridge connection per executor per turn). The verifier still accepts multi-id payloads for forward compatibility.
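As an added example, not the package's own code (its verifier lives in internal/codexexecgateway/auth.go, which is not reproduced here), the following Go mint/verify pair implements the format described above: HS256 over "headerB64.payloadB64" with base64url-no-pad, one exe_id per minted token, and a verifier that checks the MAC in constant time before decoding claims and still accepts multi-id payloads. The claim names (turn_id, workspace_id, exe_ids, exp) and the function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
	"time"
)

// capClaims is an assumed payload shape (the page does not name the claims); exe_ids is a list so legacy multi-id payloads still verify.
type capClaims struct {
	TurnID      string   `json:"turn_id"`
	WorkspaceID string   `json:"workspace_id"`
	ExeIDs      []string `json:"exe_ids"`
	Exp         int64    `json:"exp"`
}

// hs256 returns base64url-no-pad(HMAC-SHA256(secret, input)), the JWS compact signature.
func hs256(secret []byte, input string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// mintCapToken issues a token authorising exactly one exe_id, valid for ttl from now.
func mintCapToken(secret []byte, turnID, workspaceID, exeID string, ttl time.Duration, now time.Time) string {
	payload, _ := json.Marshal(capClaims{turnID, workspaceID, []string{exeID}, now.Add(ttl).Unix()})
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	input := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	return input + "." + hs256(secret, input)
}

// verifyCapToken checks the MAC in constant time before decoding any claim, then expiry and that exeID is among the authorised ids.
func verifyCapToken(secret []byte, token, exeID string, now time.Time) (c capClaims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(hs256(secret, p[0]+"."+p[1]))) {
		return c, errors.New("malformed token or bad signature")
	}
	if json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(p[1]))).Decode(&c) != nil {
		return capClaims{}, errors.New("undecodable payload")
	}
	if now.Unix() >= c.Exp || !slices.Contains(c.ExeIDs, exeID) {
		return capClaims{}, errors.New("token expired or exe_id not authorised by it")
	}
	return c, nil
}
```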

Types

type ExecGatewayClient

type ExecGatewayClient struct {
	// contains filtered or unexported fields
}

ExecGatewayClient calls codex-exec-gateway's internal HTTP API.

Auth model: each request carries an `Authorization: Bearer <internal-shared-secret>`. Both gateway pods read the same secret out of the shared k8s Secret; see deploy/helm/agentserver/templates/codex-exec-gateway-secrets.yaml.

func NewExecGatewayClient

func NewExecGatewayClient(baseURL, bearer string) *ExecGatewayClient

NewExecGatewayClient constructs a client. baseURL is the http(s) base (e.g. "http://release-codex-exec-gateway:6060"); bearer is the shared-secret used for the `/api/exec-gateway` routes.

func (*ExecGatewayClient) Connected

func (c *ExecGatewayClient) Connected(ctx context.Context, workspaceID string) ([]execmodel.ConnectedExecutor, error)

Connected returns the intersection of (workspace's bound executors) ∩ (currently-connected executors at the gateway). May be empty.

type ModelserverClient added in v0.50.3

type ModelserverClient struct {
	// contains filtered or unexported fields
}

ModelserverClient fetches per-workspace ModelServer OAuth access tokens from agentserver's internal API. The endpoint (`GET /internal/workspaces/{id}/modelserver-token`) auto-refreshes expired tokens via the workspace's stored refresh token.

Tokens are short-lived (~1h depending on the upstream OAuth provider). The gateway fetches one at spawn time and injects it as the spawned codex's CODEX_API_KEY (or whatever ModelProviderEnvKey resolves to); if the codex subprocess outlives the token, LLM calls start returning 401. Operators can `POST /admin/sessions/restart` to force a respawn with a fresh token. Auto-refresh inside the running subprocess is a follow-up.

func NewModelserverClient added in v0.50.3

func NewModelserverClient(baseURL string) *ModelserverClient

func (*ModelserverClient) FetchToken added in v0.50.3

func (c *ModelserverClient) FetchToken(ctx context.Context, workspaceID string) (string, error)

FetchToken returns the workspace's current ModelServer access token. Returns ("", nil) when the workspace has no ModelServer connection yet — callers should fall back to a static key (or fail-soft).

type S3Config

type S3Config struct {
	Endpoint        string
	Region          string
	Bucket          string
	AccessKeyID     string
	SecretAccessKey string
	PathStyle       bool
}

S3Config matches the shape used by internal/ccbroker/workspace/s3store.go; dedup into a shared storage package is a known follow-up. Until then, keep validation here in sync with ccbroker's.

type ServeConfig

type ServeConfig struct {
	InboundHMACSecret         []byte
	S3                        S3Config
	TmpRoot                   string
	IdleShutdown              time.Duration
	ExecGatewayWSURL          string
	ExecGatewayInternalURL    string
	ExecGatewayInternalSecret string
	CapTokenHMACSecret        []byte
	CapTokenTTL               time.Duration
	LogLevel                  slog.Level

	// Model provider config — written verbatim into each per-thread
	// config.toml. The codex subprocess reads ModelProviderEnvKey from its
	// own env (forwarded from CodexAPIKey here) to authenticate to the
	// LLM gateway (typically llmproxy in-cluster).
	ModelProvider        string
	Model                string
	ModelProviderBaseURL string
	ModelProviderEnvKey  string
	ModelProviderWireAPI string
	CodexAPIKey          string

	// ProjectTrustedPaths is the list of paths marked `trust_level = "trusted"`
	// in config.toml. Without at least one, codex refuses to run shell-side
	// operations on the project root.
	ProjectTrustedPaths []string

	// AgentserverInternalURL is the http base for codex token verification
	// (e.g. "http://release-agentserver.namespace.svc:8080"). Required when
	// the gateway uses RemoteVerifier (production default).
	AgentserverInternalURL string

	// AgentserverInternalSecret matches the agentserver's INTERNAL_API_SECRET
	// env. Sent in every verify request as X-Internal-Secret.
	AgentserverInternalSecret string
}

func LoadServeConfigFromEnv

func LoadServeConfigFromEnv() (ServeConfig, error)

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the codex-app-gateway HTTP/WS server.

func NewServer

func NewServer(cfg ServeConfig, codexBin, selfBin string, logger *slog.Logger) (*Server, error)

NewServer wires up the production server. selfBin is the absolute path to the codex-app-gateway binary itself, used as the `command =` for each per-executor `[mcp_servers.exe_*]` entry (codex spawns it as the env-mcp child).

func (*Server) Routes

func (s *Server) Routes() http.Handler

Routes builds the chi router. Public for tests.

Two paths serve the same handler for the inbound TUI ws upgrade:

  • "/" — required by upstream codex's --remote URL parser, which only accepts ws[s]://host:port and connects to "/" (no path component).
  • "/codex-app/ws" — kept for direct in-cluster testing (curl, kubectl port-forward) and path-based ingress setups.

func (*Server) Run

func (s *Server) Run(ctx context.Context, listenAddr string) error

Run serves HTTP until ctx is done.

Directories

Path Synopsis
Package auth handles inbound caller authentication for codex-app-gateway.
Package codexhome owns per-thread CODEX_HOME tmpdirs: creation, destruction, and the rendering of the config.toml fragment we plant inside each one before spawning `codex app-server`.
Package supervisor spawns and tracks per-thread `codex app-server` subprocesses inside the codex-app-gateway pod.
