|
| 1 | +# AGENTS.md |
| 2 | + |
| 3 | +Project notes for future Codex/agent sessions. |
| 4 | + |
| 5 | +## Published Images |
| 6 | + |
| 7 | +Public users should build locally by default: |
| 8 | + |
| 9 | +```bash |
| 10 | +docker compose up --build -d |
| 11 | +``` |
| 12 | + |
| 13 | +Use the image-only Compose file only when pulling a published image. Do not use |
| 14 | +`latest`; tags should include the image name and version, for example |
| 15 | +`codex-cli-provider-0.1.2`. |
| 16 | + |
| 17 | +```bash |
| 18 | +CODEX_CLI_PROVIDER_IMAGE=registry.example.com/your-org/codex-cli-provider:codex-cli-provider-0.1.2 \ |
| 19 | + docker compose -f docker-compose.image.yml up -d |
| 20 | +``` |
| 21 | + |
| 22 | +## Auth Boundaries |
| 23 | + |
| 24 | +Do not bake credentials into the image or Compose files. |
| 25 | + |
| 26 | +- Docker Hub auth belongs in local Docker credential storage via `docker login`. |
| 27 | +- The wrapper bearer token belongs in `data/secrets/proxy_api_key`. |
| 28 | +- Codex/ChatGPT auth belongs in the dedicated bind-mounted `data/codex-home`. |
| 29 | +- Do not use or add `OPENAI_API_KEY`, `CODEX_API_KEY`, or |
| 30 | + `CODEX_ACCESS_TOKEN` for this project. |
| 31 | + |
| 32 | +Codex login is completed inside the running container so credentials are written |
| 33 | +to the mounted `/root/.codex` backed by `data/codex-home`: |
| 34 | + |
| 35 | +```bash |
| 36 | +docker exec -it codex-cli-provider \ |
| 37 | + codex login --device-auth \ |
| 38 | + -c forced_login_method='"chatgpt"' \ |
| 39 | + -c cli_auth_credentials_store='"file"' |
| 40 | +``` |
| 41 | + |
| 42 | +## Local Development |
| 43 | + |
| 44 | +Use the default Compose file when building locally: |
| 45 | + |
| 46 | +```bash |
| 47 | +docker compose up --build -d |
| 48 | +``` |
| 49 | + |
| 50 | +Use `docker-compose.image.yml` only when pulling a published image. |
| 51 | + |
| 52 | +## Verification |
| 53 | + |
| 54 | +Before handing off changes, run: |
| 55 | + |
| 56 | +```bash |
| 57 | +python3 scripts/check_repo_hygiene.py |
| 58 | +python3 scripts/check_compose_security.py |
| 59 | +COMPOSE_FILE=docker-compose.image.yml CODEX_CLI_PROVIDER_IMAGE=registry.example.com/your-org/codex-cli-provider:codex-cli-provider-0.1.2 python3 scripts/check_compose_security.py |
| 60 | +PYTHONPATH=. .venv/bin/pytest -q |
| 61 | +``` |
| 62 | + |
| 63 | +The test suite expects the repo root on `PYTHONPATH`, matching the container's |
| 64 | +`PYTHONPATH=/app` setting. |
| 65 | + |
| 66 | +## Security Notes |
| 67 | + |
| 68 | +The Dockerfile currently copies only `requirements.txt` and `src/`. Keep it that |
| 69 | +way unless there is a specific reason to widen the build context. `.dockerignore` |
| 70 | +excludes `.env`, `data/`, Codex auth files, virtualenvs, logs, and other local |
| 71 | +state that must not be published in images. |
0 commit comments