Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MintCapToken ¶
MintCapToken produces a workspace-scoped capability token consumed by codex-exec-gateway's VerifyCapabilityToken. Format and HMAC are kept identical (HS256 over "headerB64.payloadB64", base64url-no-pad) — see internal/codexexecgateway/auth.go for the verifier.
Per the 2026-05-16 fixed-tools redesign, one token covers any executor in the workspace; /bridge enforces workspace ownership at request time via the workspace_executors table.
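The mint/verify pair below is an added example, not the project's MintCapToken or VerifyCapabilityToken. It follows only what this page states about the format (HS256 over "headerB64.payloadB64", base64url without padding, one token per workspace); the claim names (`sub` for the workspace ID, `iat`, `exp`), the 32-byte minimum secret length and the injected `now` are assumptions made for the example. The verifier pins the algorithm before touching the MAC, compares the MAC with `hmac.Equal`, and only then reads claims, so an `alg=none` header or a swapped payload is rejected before any of its contents are trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// capClaims is an assumed claim layout for illustration; the page does not
// show the real payload fields. "sub" carries the workspace ID the token is
// scoped to, matching the "one token covers any executor in the workspace" rule.
type capClaims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// b64 is base64url without padding, as the page states for both halves and the MAC.
var b64 = base64.RawURLEncoding

func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// mintCapToken signs "headerB64.payloadB64" with HS256 and appends the
// base64url MAC. now is injected so expiry can be tested deterministically.
func mintCapToken(secret []byte, workspaceID string, ttl time.Duration, now time.Time) (string, error) {
	if len(secret) < 32 { // assumed floor for the example; the page gives no minimum
		return "", errors.New("capability HMAC secret must be at least 32 bytes")
	}
	if workspaceID == "" || ttl <= 0 {
		return "", errors.New("workspaceID and a positive ttl are required")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(capClaims{Sub: workspaceID, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(hs256(secret, signingInput)), nil
}

// verifyCapToken is the matching check. Order matters: pin the algorithm,
// verify the MAC in constant time, and only then read claims from the payload.
func verifyCapToken(secret []byte, token, wantWorkspace string, now time.Time) (capClaims, error) {
	var c capClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected or missing alg; only HS256 is accepted")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return c, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	if c.Sub != wantWorkspace {
		return c, fmt.Errorf("token scoped to workspace %q, not %q", c.Sub, wantWorkspace)
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret-0123456789abcdef") // constructed; use a random secret in practice
	tok, err := mintCapToken(secret, "ws-demo", 15*time.Minute, time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := verifyCapToken(secret, tok, "ws-demo", time.Now())
	fmt.Println(claims, err)
}
```

The workspace check at the end is the part /bridge still has to complement at request time: a valid token proves the caller holds a token for some workspace, and the workspace_executors lookup is what ties that workspace to the executor being addressed.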
Types ¶
type ExecGatewayClient ¶
type ExecGatewayClient struct {
// contains filtered or unexported fields
}
ExecGatewayClient calls codex-exec-gateway's internal HTTP API.
Auth model: each request carries an `Authorization: Bearer <internal-shared-secret>`. Both gateway pods read the same secret out of the shared k8s Secret; see deploy/helm/agentserver/templates/codex-exec-gateway-secrets.yaml.
func NewExecGatewayClient ¶
func NewExecGatewayClient(baseURL, bearer string) *ExecGatewayClient
NewExecGatewayClient constructs a client. baseURL is the http(s) base (e.g. "http://release-codex-exec-gateway:6060"); bearer is the shared secret presented on the `/api/exec-gateway` routes.
func (*ExecGatewayClient) Connected ¶
func (c *ExecGatewayClient) Connected(ctx context.Context, workspaceID string) ([]execmodel.ConnectedExecutor, error)
Connected returns the intersection of (workspace's bound executors) ∩ (currently-connected executors at the gateway). May be empty.
type S3Config ¶
type S3Config struct {
Endpoint string
Region string
Bucket string
AccessKeyID string
SecretAccessKey string
PathStyle bool
}
S3Config matches the shape used by internal/ccbroker/workspace/s3store.go; dedup into a shared storage package is a known follow-up. Until then, keep validation here in sync with ccbroker's.
type ServeConfig ¶
type ServeConfig struct {
InboundHMACSecret []byte
S3 S3Config
TmpRoot string
IdleShutdown time.Duration
ExecGatewayWSURL string
ExecGatewayInternalURL string
ExecGatewayInternalSecret string
CapTokenHMACSecret []byte
CapTokenTTL time.Duration
LogLevel slog.Level
// Model provider config — written verbatim into each per-thread
// config.toml. The codex subprocess reads ModelProviderEnvKey from its
// own env (forwarded from CodexAPIKey here) to authenticate to the
// LLM gateway (typically llmproxy in-cluster).
ModelProvider string
Model string
ModelProviderBaseURL string
ModelProviderEnvKey string
ModelProviderWireAPI string
CodexAPIKey string
// ProjectTrustedPaths is the list of paths marked `trust_level = "trusted"`
// in config.toml. Without at least one, codex refuses to run shell-side
// operations on the project root.
ProjectTrustedPaths []string
// AgentserverInternalURL is the http base for codex token verification
// (e.g. "http://release-agentserver.namespace.svc:8080"). Required when
// the gateway uses RemoteVerifier (production default).
AgentserverInternalURL string
// AgentserverInternalSecret matches the agentserver's INTERNAL_API_SECRET
// env. Sent in every verify request as X-Internal-Secret.
AgentserverInternalSecret string
// ListenAddr is the gateway's HTTP listen address (e.g. ":8086"). Used
// to derive the loopback URL env-mcp uses for /internal/connected.
// Set by main.go before NewServer; tests may leave it empty (codexhome
// then emits no AppGatewayInternalURL and env-mcp won't be able to
// list environments, which is fine for tests that don't exercise
// list_environments).
ListenAddr string
// OperationLog endpoint + auth. When OperationLogURL is empty,
// oplogClient is nil and Submit calls are no-ops.
OperationLogURL string
OperationLogSecret string // X-Internal-Secret header value
OperationLogChan int // bounded channel capacity, default 1024
}
func LoadServeConfigFromEnv ¶
func LoadServeConfigFromEnv() (ServeConfig, error)
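The OperationLog fields above describe a sink that must never stall a request: when OperationLogURL is empty the client is nil and Submit is a no-op, and otherwise records go through a bounded channel (default 1024). The following is an added example of that contract, not the oplog package's own code; the record shape, the injected `send` callback (standing in for the POST to OperationLogURL with X-Internal-Secret), the drop counter and the `Stats` method are assumptions made for the example. The point it shows is the non-blocking `select` with a `default` arm: a full queue drops and counts the record instead of blocking the caller, and Close drains what is already queued.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// opRecord is an assumed record shape; the page only says "per-call operation records".
type opRecord struct {
	Workspace string
	Op        string
	At        time.Time
}

// oplogClient follows the page's contract: nil when OperationLogURL is empty
// (Submit becomes a no-op), otherwise a bounded channel drained by one
// background sender. send is injected so the example runs offline; in
// production it would POST to OperationLogURL with X-Internal-Secret set.
type oplogClient struct {
	ch      chan opRecord
	sent    atomic.Uint64
	dropped atomic.Uint64
	mu      sync.RWMutex
	closed  bool
	done    chan struct{}
}

func newOplogClient(url string, capacity int, send func(opRecord) error) *oplogClient {
	if url == "" {
		return nil
	}
	if capacity <= 0 {
		capacity = 1024 // default stated on the page
	}
	c := &oplogClient{ch: make(chan opRecord, capacity), done: make(chan struct{})}
	go func() {
		defer close(c.done)
		for r := range c.ch { // exits once Close closes ch and the backlog drains
			if err := send(r); err == nil {
				c.sent.Add(1)
			} else {
				c.dropped.Add(1)
			}
		}
	}()
	return c
}

// Submit never blocks the request path: a nil receiver is a no-op, and a full
// queue drops the record and counts it rather than stalling the caller.
func (c *oplogClient) Submit(r opRecord) bool {
	if c == nil {
		return false
	}
	c.mu.RLock()
	defer c.mu.RUnlock()
	if c.closed {
		return false
	}
	select {
	case c.ch <- r:
		return true
	default:
		c.dropped.Add(1)
		return false
	}
}

// Close stops accepting records, lets the sender drain the backlog, and returns.
func (c *oplogClient) Close() {
	if c == nil {
		return
	}
	c.mu.Lock()
	if c.closed {
		c.mu.Unlock()
		return
	}
	c.closed = true
	close(c.ch)
	c.mu.Unlock()
	<-c.done
}

// Stats reports delivered and dropped counts; safe on a nil client.
func (c *oplogClient) Stats() (sent, dropped uint64) {
	if c == nil {
		return 0, 0
	}
	return c.sent.Load(), c.dropped.Load()
}

func main() {
	c := newOplogClient("http://agentserver:8080/internal/operations", 8, func(r opRecord) error {
		fmt.Printf("POST /internal/operations op=%s ws=%s\n", r.Op, r.Workspace) // stand-in for the real POST
		return nil
	})
	c.Submit(opRecord{Workspace: "ws-demo", Op: "thread.start", At: time.Now()})
	c.Close()
	sent, dropped := c.Stats()
	fmt.Println("sent", sent, "dropped", dropped)
}
```

Drops are the price of never blocking; exporting the dropped counter (as a metric, or at least in the shutdown log) is what tells an operator that the audit trail has gaps rather than silently losing records.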
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is the codex-app-gateway HTTP/WS server.
func NewServer ¶
NewServer wires up the production server. selfBin is the absolute path to the codex-app-gateway binary itself, used as the `command =` for each per-executor `[mcp_servers.exe_*]` entry (codex spawns it as the env-mcp child).
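As an added example of the config.toml fragment the ServeConfig model-provider fields and NewServer's selfBin feed into (this is not the codexhome package's renderer), the function below writes the provider table, one trusted project entry per path, and one `[mcp_servers.exe_*]` entry per executor with `command =` set to selfBin. The page confirms only `trust_level = "trusted"`, the `[mcp_servers.exe_*]` table names and `command =`; the remaining key names (`model`, `model_provider`, `[model_providers.<id>]` with `name`/`base_url`/`env_key`/`wire_api`, `[projects."<path>"]`, `args = ["env-mcp"]`) and the executor ID list are assumptions made for the example. The security-relevant detail is that CodexAPIKey is accepted as input and deliberately never written: the file only names the env var (ModelProviderEnvKey), and paths and IDs are TOML-escaped so a crafted workspace path cannot break out of its quoted key.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// renderInput is the subset of ServeConfig this example reads, plus the
// per-executor IDs NewServer turns into [mcp_servers.exe_*] entries.
// CodexAPIKey is carried only to demonstrate that it must not be rendered:
// codex reads it from its own env under ModelProviderEnvKey.
type renderInput struct {
	Model                string
	ModelProvider        string
	ModelProviderBaseURL string
	ModelProviderEnvKey  string
	ModelProviderWireAPI string
	CodexAPIKey          string
	ProjectTrustedPaths  []string
	SelfBin              string   // absolute path of the gateway binary, the env-mcp command
	ExecutorIDs          []string // assumed input; the page does not show how executors are listed
}

var bareKey = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// tomlString renders a TOML basic string, escaping the characters that would
// otherwise let a path or ID terminate the quoted value early.
func tomlString(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		switch {
		case r == '"' || r == '\\':
			b.WriteByte('\\')
			b.WriteRune(r)
		case r < 0x20 || r == 0x7f:
			fmt.Fprintf(&b, `\u%04X`, r)
		default:
			b.WriteRune(r)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// tomlKey emits a bare key when TOML allows one and a quoted key otherwise.
func tomlKey(s string) string {
	if bareKey.MatchString(s) {
		return s
	}
	return tomlString(s)
}

func renderConfigTOML(in renderInput) (string, error) {
	if len(in.ProjectTrustedPaths) == 0 {
		return "", fmt.Errorf("at least one trusted project path is required")
	}
	if in.ModelProviderEnvKey == "" {
		return "", fmt.Errorf("ModelProviderEnvKey is required; the key travels via env, never via this file")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "model = %s\n", tomlString(in.Model))
	fmt.Fprintf(&b, "model_provider = %s\n\n", tomlString(in.ModelProvider))
	fmt.Fprintf(&b, "[model_providers.%s]\n", tomlKey(in.ModelProvider))
	fmt.Fprintf(&b, "name = %s\n", tomlString(in.ModelProvider))
	fmt.Fprintf(&b, "base_url = %s\n", tomlString(in.ModelProviderBaseURL))
	fmt.Fprintf(&b, "env_key = %s\n", tomlString(in.ModelProviderEnvKey))
	fmt.Fprintf(&b, "wire_api = %s\n\n", tomlString(in.ModelProviderWireAPI))
	for _, p := range in.ProjectTrustedPaths {
		fmt.Fprintf(&b, "[projects.%s]\ntrust_level = \"trusted\"\n\n", tomlString(p))
	}
	for _, id := range in.ExecutorIDs {
		fmt.Fprintf(&b, "[mcp_servers.%s]\n", tomlKey("exe_"+id))
		fmt.Fprintf(&b, "command = %s\n", tomlString(in.SelfBin))
		fmt.Fprintf(&b, "args = [\"env-mcp\"]\n\n")
	}
	return b.String(), nil
}

func main() {
	out, err := renderConfigTOML(renderInput{ // constructed sample input
		Model: "gpt-5", ModelProvider: "llmproxy",
		ModelProviderBaseURL: "http://llmproxy:8080/v1", ModelProviderEnvKey: "LLMPROXY_API_KEY",
		ModelProviderWireAPI: "responses", CodexAPIKey: "not-rendered",
		ProjectTrustedPaths: []string{"/tmp/thread-1/workspace"},
		SelfBin:             "/usr/local/bin/codex-app-gateway", ExecutorIDs: []string{"alpha"},
	})
	fmt.Println(out, err)
}
```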
func (*Server) Close ¶ added in v0.60.14
func (s *Server) Close()
Close releases per-server resources. Must be called on shutdown.
func (*Server) Routes ¶
Routes builds the chi router. Public for tests.
Two paths serve the same handler for the inbound TUI ws upgrade:
- "/" — required by upstream codex's --remote URL parser, which only accepts ws[s]://host:port and connects to "/" (no path component).
- "/codex-app/ws" — kept for direct in-cluster testing (curl, kubectl port-forward) and path-based ingress setups.
type WorkspaceTokenClient ¶ added in v0.52.0
type WorkspaceTokenClient struct {
// contains filtered or unexported fields
}
WorkspaceTokenClient fetches the workspace's persistent proxy token from agentserver. Mirrors the cc-broker pattern: a long-lived token scoped to a workspace, injected into spawned subprocesses as their LLM credential. llmproxy validates the token per request and swaps it for a fresh modelserver JWT bound to the workspace's OAuth grant — so OAuth refreshes server-side surface to the pod transparently without needing a respawn.
func NewWorkspaceTokenClient ¶ added in v0.52.0
func NewWorkspaceTokenClient(baseURL, secret string) *WorkspaceTokenClient
NewWorkspaceTokenClient constructs a client against agentserver's `POST /internal/workspace-token` endpoint. secret must match the agentserver pod's INTERNAL_API_SECRET (sent as X-Internal-Secret).
func (*WorkspaceTokenClient) GetOrCreate ¶ added in v0.52.0
GetOrCreate returns the workspace's persistent proxy token. The endpoint auto-creates one on first call.
Source Files ¶
Directories ¶
| Path | Synopsis |
|---|---|
| approvalfilter | Package approvalfilter synthesizes auto-accept responses for codex app-server's server-to-client approval/elicitation requests. |
| auth | Package auth handles inbound caller authentication for codex-app-gateway. |
| broker | Package broker is a thin REST→ws codex v2 JSON-RPC adapter inside CXG. |
| codexhome | Package codexhome owns per-thread CODEX_HOME tmpdirs: creation, destruction, and the rendering of the config.toml fragment we plant inside each one before spawning `codex app-server`. |
| envmcp | Package envmcp implements the `codex-app-gateway env-mcp` subcommand: a stateless MCP server that codex spawns as a child process. |
| oplog | Package oplog publishes per-call operation records from codex-app-gateway to agentserver's /internal/operations POST endpoint. |
| supervisor | Package supervisor spawns and tracks per-thread `codex app-server` subprocesses inside the codex-app-gateway pod. |