codex

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 11, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package codex implements the Codex credential and agent provider.

The Codex provider manages OpenAI credentials for running the Codex CLI in containers. It implements both CredentialProvider and AgentProvider interfaces.

Authentication

Codex supports OpenAI API key authentication:

  • API keys are validated against the /v1/models endpoint
  • Keys must start with "sk-" prefix
  • The real API key is never exposed to containers
  • Proxy injection adds Authorization headers at network layer

Credential Provider

The credential provider configures:

  • Proxy headers for api.openai.com with Bearer token
  • Container env with OPENAI_API_KEY placeholder (passes format validation)
  • No container mounts needed (uses staging directory approach)

Agent Provider

The agent provider handles:

  • Container preparation with staging directory
  • CLI registration for `moat codex` commands
  • Doctor diagnostics for Codex configuration

Placeholder Tokens

The container receives placeholder values that pass format validation:

OPENAI_API_KEY=sk-moat-proxy-injected-placeholder-...

This allows the Codex CLI to start without prompting for credentials, while the real API key is injected by the proxy at the network layer.

Index

Constants

View Source
const CodexInitMountPath = "/moat/codex-init"

CodexInitMountPath is where the staging directory is mounted in containers.

View Source
const OpenAIAPIKeyPlaceholder = "sk-moat-proxy-injected-placeholder-0000000000000000000000000000000000000000"

OpenAIAPIKeyPlaceholder is a placeholder that looks like a valid OpenAI API key. Some tools validate the API key format locally before making requests. Using a valid-looking placeholder bypasses these checks while still allowing the proxy to inject the real key at the network layer.

View Source
const ProxyInjectedPlaceholder = "moat-proxy-injected"

ProxyInjectedPlaceholder is a generic placeholder value for credentials that will be injected by the Moat proxy at runtime.

Variables

This section is empty.

Functions

func DefaultDependencies

func DefaultDependencies() []string

DefaultDependencies returns the default dependencies for running Codex CLI.

func GenerateMCPConfig

func GenerateMCPConfig(cfg *config.Config, grants []string) ([]byte, error)

GenerateMCPConfig generates MCP server configuration for Codex. Returns nil if no MCP servers are configured.

func HasCredential

func HasCredential() bool

HasCredential checks if an OpenAI credential exists in the store.

func NetworkHosts

func NetworkHosts() []string

NetworkHosts returns the list of hosts that Codex needs network access to. These should be added to the network allow list for containers running Codex.

func PopulateStagingDir

func PopulateStagingDir(cred *provider.Credential, stagingDir string) error

PopulateStagingDir populates the Codex staging directory with auth configuration.

Files added:

  • auth.json (placeholder API key - real auth is via proxy)

SECURITY: The real token is NEVER written to the container filesystem. Authentication is handled by the TLS-intercepting proxy at the network layer.

func WriteCodexConfig

func WriteCodexConfig(stagingDir string) error

WriteCodexConfig writes a minimal ~/.codex/config.toml to the staging directory. This provides default settings for the Codex CLI.

func WriteMCPConfig

func WriteMCPConfig(workspaceDir string, mcpJSON []byte) error

WriteMCPConfig writes the MCP configuration to the workspace.

Types

type DoctorSection

type DoctorSection struct{}

DoctorSection implements doctor.Section for Codex configuration.

func (*DoctorSection) Name

func (d *DoctorSection) Name() string

Name returns the section name.

func (*DoctorSection) Print

func (d *DoctorSection) Print(w io.Writer) error

Print outputs Codex diagnostic information.

type Grant

type Grant struct {
	// contains filtered or unexported fields
}

Grant handles the OpenAI API key grant process. It checks for an existing key in the environment, validates it, and stores it in the credential store.

func NewGrant

func NewGrant() *Grant

NewGrant creates a new Grant instance.

func (*Grant) Execute

func (g *Grant) Execute(ctx context.Context) (*provider.Credential, error)

Execute performs the grant process. It checks for OPENAI_API_KEY in the environment first, then prompts the user if not found. Returns a provider.Credential that can be used for proxy configuration.

type MCPConfig

type MCPConfig struct {
	MCPServers map[string]MCPServer `json:"mcpServers"`
}

MCPConfig represents the MCP configuration structure for Codex.

type MCPServer

type MCPServer struct {
	Command string            `json:"command"`
	Args    []string          `json:"args,omitempty"`
	Env     map[string]string `json:"env,omitempty"`
	Cwd     string            `json:"cwd,omitempty"`
}

MCPServer represents a single MCP server configuration.

type Provider

type Provider struct{}

Provider implements provider.CredentialProvider and provider.AgentProvider for OpenAI Codex CLI credentials.

func (*Provider) Cleanup

func (p *Provider) Cleanup(cleanupPath string)

Cleanup cleans up OpenAI resources.

func (*Provider) ConfigureProxy

func (p *Provider) ConfigureProxy(proxy provider.ProxyConfigurer, cred *provider.Credential)

ConfigureProxy sets up proxy headers for OpenAI API. The proxy intercepts requests to api.openai.com and injects the Authorization header with the real API key.

func (*Provider) ContainerEnv

func (p *Provider) ContainerEnv(cred *provider.Credential) []string

ContainerEnv returns environment variables for OpenAI. Sets OPENAI_API_KEY with a placeholder that looks like a valid API key. This tells Codex CLI it's authenticated (skips login prompts) and bypasses local format validation. The real token is injected by the proxy at the network layer.

func (*Provider) ContainerMounts

func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)

ContainerMounts returns mounts needed for OpenAI/Codex. This method returns empty because Codex setup uses the staging directory approach instead of direct mounts. The staging directory is populated by PrepareContainer and copied to the container at startup by moat-init.

func (*Provider) Grant

func (p *Provider) Grant(ctx context.Context) (*provider.Credential, error)

Grant acquires OpenAI credentials interactively or from environment.

func (*Provider) ImpliedDependencies

func (p *Provider) ImpliedDependencies() []string

ImpliedDependencies returns dependencies implied by the Codex provider. Codex doesn't imply any specific tool dependencies.

func (*Provider) Name

func (p *Provider) Name() string

Name returns the provider identifier.

func (*Provider) PrepareContainer

func (p *Provider) PrepareContainer(ctx context.Context, opts provider.PrepareOpts) (*provider.ContainerConfig, error)

PrepareContainer sets up staging directories and config files for Codex CLI. It creates a staging directory with auth.json and config.toml files that will be copied to ~/.codex at container startup by moat-init.

func (*Provider) RegisterCLI

func (p *Provider) RegisterCLI(root *cobra.Command)

RegisterCLI registers Codex-related CLI commands. This adds the `moat codex` command group with subcommands.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL