Skip to content

Commit 8b9b154

Browse files
Remove legacy Codex token env references
1 parent c0a5df6 commit 8b9b154

7 files changed

Lines changed: 13 additions & 28 deletions

File tree

AGENTS.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,8 +26,7 @@ Do not bake credentials into the image or Compose files.
2626
- Docker Hub auth belongs in local Docker credential storage via `docker login`.
2727
- The wrapper bearer token belongs in `data/secrets/proxy_api_key`.
2828
- Codex/ChatGPT auth belongs in the dedicated bind-mounted `data/codex-home`.
29-
- Do not use or add `OPENAI_API_KEY`, `CODEX_API_KEY`, or
30-
`CODEX_ACCESS_TOKEN` for this project.
29+
- Do not use or add `OPENAI_API_KEY` for this project.
3130

3231
Codex login is completed inside the running container so credentials are written
3332
to the mounted `/root/.codex` backed by `data/codex-home`:

README.md

Lines changed: 7 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,10 @@ that login is allowed by the applicable OpenAI product terms and policies. This
1919
repository does not grant permission to power third-party integrations with a
2020
ChatGPT subscription.
2121

22-
The service deliberately refuses startup when API-key environment variables are
23-
present:
22+
The service deliberately refuses startup when `OPENAI_API_KEY` is present:
2423

2524
```text
2625
OPENAI_API_KEY
27-
CODEX_API_KEY
28-
CODEX_ACCESS_TOKEN
2926
```
3027

3128
Codex authentication belongs only in the dedicated bind-mounted
@@ -170,9 +167,9 @@ Check readiness:
170167
curl -sS http://127.0.0.1:8320/healthz
171168
```
172169

173-
`/healthz` returns 200 only after the container sees the pinned Codex CLI, a
174-
dedicated ChatGPT login, and no API-key mode. It is normal for the container to
175-
report unhealthy before device login is complete.
170+
`/healthz` returns 200 only after the container sees the pinned Codex CLI and a
171+
dedicated ChatGPT login. It is normal for the container to report unhealthy
172+
before device login is complete.
176173

177174
## API Examples
178175

@@ -292,8 +289,8 @@ docker compose -f docker-compose.image.yml up -d
292289
```
293290

294291
Docker registry authentication belongs in local Docker credential storage via
295-
`docker login`. Do not put Docker Hub passwords, ChatGPT/Codex credentials,
296-
OpenAI API keys, or Codex access tokens in Compose files.
292+
`docker login`. Do not put Docker Hub passwords, ChatGPT/Codex credentials, or
293+
OpenAI API keys in Compose files.
297294

298295
Codex authentication still lives only in the mounted `data/codex-home`
299296
directory and must be completed inside the running container.
@@ -371,8 +368,7 @@ docker compose restart
371368
- `502` or `/healthz` returning `503`: check
372369
`docker exec -it codex-cli-provider codex login status`, then re-run device
373370
login if needed.
374-
- Accidental API-key detection: unset `OPENAI_API_KEY`, `CODEX_API_KEY`, and
375-
`CODEX_ACCESS_TOKEN` before starting.
371+
- Accidental API-key detection: unset `OPENAI_API_KEY` before starting.
376372
- Sandbox failure: this configuration intentionally uses Codex
377373
`danger-full-access` inside Docker. Do not add `privileged`, `SYS_ADMIN`,
378374
unconfined seccomp/AppArmor, host networking, or host home mounts.

docs/discovery.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -61,8 +61,7 @@ The official repository README says each archive contains a single platform-name
6161
- Browser login can fail in headless environments; OpenAI docs recommend device-code auth first.
6262
- File-backed ChatGPT sessions refresh tokens automatically during use, so the dedicated `CODEX_HOME` must be writable if token refresh is required.
6363
- Official docs describe copying `auth.json` for headless/CI workflows, but this project must not copy a normal user `~/.codex`; any login flow must use a dedicated project auth home.
64-
- `CODEX_API_KEY` is supported by `codex exec`; this project must refuse API-key mode.
65-
- `CODEX_ACCESS_TOKEN` is documented for trusted automation but must not be used by this adapter.
64+
- This project uses only device-based ChatGPT login in the dedicated project auth home.
6665

6766
## Tool And Persistence Controls
6867

scripts/check_compose_security.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
from typing import Any
88

99

10-
FORBIDDEN_ENV = {"OPENAI_API_KEY", "CODEX_API_KEY", "CODEX_ACCESS_TOKEN"}
10+
FORBIDDEN_ENV = {"OPENAI_API_KEY"}
1111

1212

1313
def fail(message: str) -> None:
@@ -118,7 +118,7 @@ def main() -> None:
118118
env = service.get("environment") or {}
119119
env_names = set(env if isinstance(env, dict) else [])
120120
if FORBIDDEN_ENV.intersection(env_names):
121-
fail("API-key environment variables must not be set in compose")
121+
fail("OPENAI_API_KEY must not be set in compose")
122122

123123
tmpfs = {str(item).split(":", 1)[0] for item in as_list(service.get("tmpfs"))}
124124
if "/tmp" not in tmpfs:

src/codex_runner.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@
1515
DEFAULT_WORK_DIR = "/workspace"
1616
STDERR_LIMIT = 64_000
1717
STDOUT_LIMIT = 256_000
18-
FORBIDDEN_ENV_VARS = ("OPENAI_API_KEY", "CODEX_API_KEY", "CODEX_ACCESS_TOKEN")
18+
FORBIDDEN_ENV_VARS = ("OPENAI_API_KEY",)
1919
FORBIDDEN_EVENT_FRAGMENTS = (
2020
"exec_command",
2121
"shell",
@@ -59,7 +59,7 @@ def from_env(cls, default_model: str | None, request_timeout_seconds: int) -> "R
5959
def fail_if_api_key_environment() -> None:
6060
present = [name for name in FORBIDDEN_ENV_VARS if os.environ.get(name)]
6161
if present:
62-
raise RuntimeError("API-key or access-token environment variables are not allowed")
62+
raise RuntimeError("OPENAI_API_KEY is not allowed")
6363

6464

6565
def build_child_env(codex_home: str, child_home: str) -> dict[str, str]:

src/server.py

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,6 @@
1717
from fastapi.responses import FileResponse, JSONResponse, RedirectResponse, Response, StreamingResponse
1818

1919
from src.codex_runner import (
20-
FORBIDDEN_ENV_VARS,
2120
LocalCodexRunner,
2221
RunnerError,
2322
build_child_env,

tests/test_server.py

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -573,14 +573,6 @@ def test_api_key_environment_causes_startup_refusal(monkeypatch):
573573
AppSettings.from_env()
574574

575575

576-
@pytest.mark.parametrize("name", ["CODEX_API_KEY", "CODEX_ACCESS_TOKEN"])
577-
def test_other_api_key_environments_cause_startup_refusal(monkeypatch, name):
578-
monkeypatch.delenv("OPENAI_API_KEY", raising=False)
579-
monkeypatch.setenv(name, "not-allowed")
580-
with pytest.raises(RuntimeError):
581-
AppSettings.from_env()
582-
583-
584576
def test_weak_proxy_secret_causes_startup_refusal(monkeypatch):
585577
monkeypatch.delenv("OPENAI_API_KEY", raising=False)
586578
monkeypatch.setenv("PROXY_API_KEY", "change-me")

0 commit comments

Comments
 (0)