feat(codex): Codex agent-provider payload v2 — app-server on capability seams, vault-only auth#2757
Merged
…ty seams, vault-only auth

Rewrite the Codex provider onto the host's capability seams. Codex runs as a real agent provider via `codex app-server` — planning, MCP tools, server-side history, session resume — not as an MCP tool under Claude.

- Host provider (src/providers/codex.ts, codex-agents-md.ts): registers on the provider-container seam, composes AGENTS.md from the real config row, mounts a per-group ~/.codex state dir, vault-only auth stub (no credential in-container).
- Container runtime (codex.ts, codex-app-server.ts): app-server transport, turn lifecycle, racing-follow-up fix (clear the active turn on completion).
- Provider-owned per-exchange archiving (exchange-archive.ts) via onExchangeComplete.
- Codex CLI pinned to 0.138.0 in the Dockerfile (ARG + global install), guarded by a structural dockerfile test.
- macOS first-spawn fix: pre-create the auth-stub mountpoint.

The /add-codex skill is dropped from this branch — trunk is its canonical home. The authored-skills canonical store is deferred to a future provider-seam PR (its stale host-contribution assertion is removed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 15, 2026
What this does
Replaces the old Codex payload with v2: Codex as a full agent provider on the host's capability seams, authenticated vault-only through OneCLI. This branch carries only the Codex-specific files; the OpenCode payload on this branch is untouched.
Surface area
- Host — `src/providers/codex.ts`, `src/providers/codex-agents-md.ts` (+ tests): seam registration, AGENTS.md composition from the DB row, per-group `~/.codex` mount, vault-only auth stub.
- Container — `container/agent-runner/src/providers/codex.ts`, `codex-app-server.ts`, `exchange-archive.ts` (+ turns/factory/dockerfile tests): app-server transport, turn lifecycle, provider-owned exchange archiving.
- Image — `container/Dockerfile`: `ARG CODEX_VERSION=0.138.0` + pinned global install, covered by a structural `codex-dockerfile.test.ts`.
- Setup module — `setup/providers/codex.ts` (+ tests): the registry entry the setup picker consumes.
Notable fixes
Removed
- `/add-codex` SKILL.md — trunk is its canonical home.
Testing
Host Codex suite 5/5; container Codex logic green; image builds clean with the pin (`codex-cli 0.138.0` at `/pnpm/codex`); live agent validated end-to-end on a clean VM.
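
The description pins the Codex CLI through `ARG CODEX_VERSION=0.138.0` and guards the pin with a structural Dockerfile test. A sketch of what such a structural check can assert, as an added example that is not the PR's `codex-dockerfile.test.ts`: the helper `checkPinned`, the npm package name `@openai/codex`, the `pnpm add -g` install line and the sample Dockerfiles are all assumptions or constructed inputs.

```typescript
// Added example, not the PR's codex-dockerfile.test.ts. checkPinned is hypothetical;
// the package name "@openai/codex" is assumed; sample Dockerfiles are constructed.
type PinResult = { ok: boolean; version: string | null; problems: string[] };
const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function checkPinned(dockerfile: string, argName: string, pkg: string): PinResult {
  const problems: string[] = [];
  // Fold backslash continuations so a multi-line RUN is checked as one instruction.
  const lines = dockerfile.replace(/\\\r?\n/g, " ").split(/\r?\n/)
    .map((l) => l.trim()).filter((l) => l !== "" && l.charAt(0) !== "#");

  // 1. Exactly one ARG default, and it is an exact x.y.z (no "latest", no ranges).
  const argRe = new RegExp("^ARG\\s+" + escapeRe(argName) + "=(\\S+)$");
  const versions: string[] = [];
  for (const l of lines) {
    const m = argRe.exec(l);
    if (m) versions.push(m[1] ?? "");
  }
  const declared = versions[0] ?? "";
  if (versions.length !== 1) {
    problems.push("expected one ARG " + argName + "=<version>, found " + versions.length);
  } else if (!/^\d+\.\d+\.\d+$/.test(declared)) {
    problems.push("ARG " + argName + " is not an exact version: " + declared);
  }

  // 2. Every mention of the package in a RUN line must carry the ARG as its version.
  const allowed = ["@$" + argName, "@${" + argName + "}"];
  const useRe = new RegExp(escapeRe(pkg) + "(?![\\w./-])(@[^\\s\"']+)?", "g");
  let installs = 0;
  for (const l of lines.filter((x) => /^RUN\s/.test(x))) {
    let m: RegExpExecArray | null;
    while ((m = useRe.exec(l)) !== null) {
      installs++;
      if (allowed.indexOf(m[1] ?? "") === -1) problems.push("install not tied to ARG: " + m[0]);
    }
  }
  if (installs === 0) problems.push("no RUN instruction installs " + pkg);
  const ok = problems.length === 0;
  return { ok, version: ok ? declared : null, problems };
}

// Constructed sample inputs: one pinned Dockerfile and two ways the pin can erode.
const PINNED = [
  "FROM node:22-slim",
  "ARG CODEX_VERSION=0.138.0",
  "RUN corepack enable \\",
  "  && pnpm add -g @openai/codex@${CODEX_VERSION}",
].join("\n");
const FLOATING = PINNED.replace("@${CODEX_VERSION}", "@latest");
const LOOSE_ARG = PINNED.replace("=0.138.0", "=^0.138.0");
```

Checking the install line as well as the ARG catches the case where the ARG stays pinned but the install silently stops consuming it.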