Skip to content

fix(sandbox): codex-login injects OAuth only (never the API key) + leaves config untouched#110

Open
dinghengda-creator wants to merge 1 commit into
volcengine:mainfrom
dinghengda-creator:feat/codex-login-oauth-only
Open

fix(sandbox): codex-login injects OAuth only (never the API key) + leaves config untouched#110
dinghengda-creator wants to merge 1 commit into
volcengine:mainfrom
dinghengda-creator:feat/codex-login-oauth-only

Conversation

@dinghengda-creator

@dinghengda-creator dinghengda-creator commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Follow-up to #100.

auth.json can hold a long-lived OPENAI_API_KEY next to the chatgpt oauth tokens. The current codex-login injects the file as-is, so that key ends up in the sandbox. This strips it before injecting: only the oauth tokens go in, OPENAI_API_KEY is set to null, and an api-key-only file is rejected.

Also removes the config.toml rewrite and the --keep-model-config flag. The config is left as the platform wrote it; select the subscription with codex exec -c model_provider=openai.

Tested with a crafted auth.json containing a fake key: the sandbox copy has OPENAI_API_KEY null and the key is absent. Unit tests + ruff/mypy pass.

auth.json can also hold a long-lived OPENAI_API_KEY next to the oauth tokens. The
previous code injected the whole file, so that key could end up in the sandbox. Now
only the oauth tokens are injected (OPENAI_API_KEY set to null) and api-key-only auth
is rejected.

Also removed the config.toml rewrite and the --keep-model-config flag; the config is
left as the platform wrote it. Use `codex exec -c model_provider=openai` to select the
subscription.
@dinghengda-creator dinghengda-creator force-pushed the feat/codex-login-oauth-only branch from 001077f to 7a6837e Compare July 1, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant