doer-agent 0.3.4 → 0.3.5

package/dist/agent.js

@@ -609,7 +609,6 @@ function createDefaultAgentSettingsConfig() {
         codex: {
             model: "gpt-5.4",
             authMode: "api_key",
-            apiKey: null,
         },
         realtime: {
             model: process.env.OPENAI_REALTIME_MODEL?.trim() || "gpt-realtime",
@@ -687,7 +686,6 @@ function normalizeAgentSettingsConfig(value, fallback) {
         codex: {
             model: typeof codex.model === "string" && codex.model.trim() ? codex.model.trim() : base.codex.model,
             authMode: codex.authMode === "oauth" ? "oauth" : codex.authMode === "api_key" ? "api_key" : base.codex.authMode,
-            apiKey: codex.apiKey === null ? null : normalizeNullableString(codex.apiKey) ?? base.codex.apiKey,
         },
         realtime: {
             model: typeof realtime.model === "string" && realtime.model.trim() ? realtime.model.trim() : base.realtime.model,
@@ -768,7 +766,6 @@ function toMaskedSecret(value) {
     return { has: true, masked: maskSecretPreview(value), length: value.length };
 }
 function toAgentSettingsPublic(config) {
-    const codexKey = toMaskedSecret(config.codex.apiKey);
     const realtimeKey = toMaskedSecret(config.realtime.apiKey);
     const gitOauth = toMaskedSecret(config.git.oauthToken);
     const awsSecret = toMaskedSecret(config.aws.secretAccessKey);
@@ -784,9 +781,9 @@ function toAgentSettingsPublic(config) {
         codex: {
             model: config.codex.model,
             authMode: config.codex.authMode,
-            hasApiKey: codexKey.has,
-            apiKeyMasked: codexKey.masked,
-            apiKeyLength: codexKey.length,
+            hasApiKey: false,
+            apiKeyMasked: null,
+            apiKeyLength: null,
         },
         realtime: {
             model: config.realtime.model,
@@ -874,7 +871,6 @@ function normalizeAgentSettingsPatch(value) {
     move("firstTurnPrompt", "general", "firstTurnPrompt");
     move("codexModel", "codex", "model");
     move("codexAuthMode", "codex", "authMode");
-    move("codexApiKey", "codex", "apiKey");
     move("realtimeModel", "realtime", "model");
     move("realtimeVoice", "realtime", "voice");
     move("realtimeWakeName", "realtime", "wakeName");
@@ -915,9 +911,6 @@ async function resolveAgentSettingsConfig(args) {
 }
 function buildAgentSettingsEnvPatch(config) {
     const envPatch = {};
-    if (config.codex.authMode === "api_key" && config.codex.apiKey) {
-        envPatch.OPENAI_API_KEY = config.codex.apiKey;
-    }
     if (config.git.enabled) {
         if (config.git.name)
             envPatch.GIT_AUTHOR_NAME = config.git.name;
@@ -1113,6 +1106,7 @@ async function startManagedRun(args) {
         userId: args.userId,
         taskId: args.runId,
         codexAuthBundle: args.codexAuthBundle,
+        runtimeEnvPatch: args.runtimeEnvPatch,
     });
     const child = spawnManagedCodexCommand({
         codexArgs: args.codexArgs,
@@ -1312,6 +1306,62 @@ async function runLocalCodexCli(args, timeoutMs, envPatch) {
         });
     });
 }
+async function runLocalCodexCliWithInput(args, input, timeoutMs, envPatch) {
+    const command = buildLocalCodexCliCommand(args);
+    const workspaceRoot = workspaceRootOverride ?? (process.env.WORKSPACE?.trim() || process.cwd());
+    const env = {
+        ...process.env,
+        ...(envPatch ?? {}),
+        WORKSPACE: workspaceRoot,
+        CODEX_HOME: resolveCodexHomePath(),
+    };
+    return await new Promise((resolve, reject) => {
+        const child = spawn(command, {
+            cwd: workspaceRoot,
+            shell: resolveShellPath(),
+            env,
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        let done = false;
+        let timedOut = false;
+        child.stdout.setEncoding("utf8");
+        child.stderr.setEncoding("utf8");
+        child.stdout.on("data", (chunk) => {
+            stdout += chunk;
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk;
+        });
+        child.stdin?.write(input);
+        if (!input.endsWith("\n")) {
+            child.stdin?.write("\n");
+        }
+        child.stdin?.end();
+        const timer = setTimeout(() => {
+            timedOut = true;
+            sendSignalToTaskProcess(child, "SIGTERM");
+            setTimeout(() => sendSignalToTaskProcess(child, "SIGKILL"), 1000);
+        }, Math.max(500, timeoutMs));
+        child.once("error", (error) => {
+            if (done) {
+                return;
+            }
+            done = true;
+            clearTimeout(timer);
+            reject(error);
+        });
+        child.once("exit", (code) => {
+            if (done) {
+                return;
+            }
+            done = true;
+            clearTimeout(timer);
+            resolve({ code, stdout, stderr, timedOut });
+        });
+    });
+}
 function buildSkillGeneratorPrompt(userPrompt) {
     return [
         "Create a Codex skill from the user's description.",
@@ -1663,6 +1713,20 @@ async function startLocalCodexLogin() {
     }
     throw new Error(normalized || `Codex login failed with code ${result.code ?? "null"}`);
 }
+async function loginLocalCodexWithApiKey(apiKey) {
+    const result = await runLocalCodexCliWithInput(["login", "--with-api-key"], apiKey, 15000);
+    const normalized = stripAnsi([result.stdout, result.stderr].filter(Boolean).join("\n")).trim();
+    if ((result.code ?? 1) !== 0) {
+        throw new Error(normalized || `Codex API key login failed with code ${result.code ?? "null"}`);
+    }
+    const status = await getLocalCodexLoginStatus().catch(() => null);
+    return {
+        loggedIn: status?.loggedIn === true,
+        output: status?.output || normalized || "Logged in",
+        verificationUri: null,
+        userCode: null,
+    };
+}
 async function logoutLocalCodexAuth() {
     if (pendingCodexDeviceAuth && pendingCodexDeviceAuth.child.exitCode === null) {
         sendSignalToTaskProcess(pendingCodexDeviceAuth.child, "SIGTERM");
@@ -1694,11 +1758,15 @@ function normalizeCodexAuthRpcRequest(args) {
     const responseSubject = typeof args.request.responseSubject === "string" ? args.request.responseSubject.trim() : "";
     const requestAgentId = typeof args.request.agentId === "string" ? args.request.agentId.trim() : "";
     const actionRaw = typeof args.request.action === "string" ? args.request.action.trim() : "";
-    const action = actionRaw === "start" || actionRaw === "logout" ? actionRaw : "status";
+    const action = actionRaw === "start" || actionRaw === "logout" || actionRaw === "login_api_key" ? actionRaw : "status";
+    const apiKey = typeof args.request.apiKey === "string" && args.request.apiKey.trim() ? args.request.apiKey.trim() : null;
     if (!requestId || !responseSubject || !requestAgentId || requestAgentId !== args.agentId) {
         throw new Error("invalid codex auth rpc request");
     }
-    return { requestId, responseSubject, action };
+    if (action === "login_api_key" && !apiKey) {
+        throw new Error("api key is required");
+    }
+    return { requestId, responseSubject, action, apiKey };
 }
 function publishCodexAuthRpcResponse(args) {
     args.nc.publish(args.responseSubject, codexAuthRpcCodec.encode(JSON.stringify(args.payload)));
@@ -1712,7 +1780,10 @@ async function handleCodexAuthRpcMessage(args) {
         requestId = request.requestId;
         responseSubject = request.responseSubject;
         let result = null;
-        if (request.action === "start") {
+        if (request.action === "login_api_key") {
+            result = await loginLocalCodexWithApiKey(request.apiKey ?? "");
+        }
+        else if (request.action === "start") {
             const status = await getLocalCodexLoginStatus();
             if (status.loggedIn) {
                 result = { loggedIn: true, output: status.output };
@@ -3560,16 +3631,18 @@ function normalizeShellRpcCodexAuthBundle(value) {
     }
     const row = value;
     const authJson = typeof row.authJson === "string" ? row.authJson : null;
-    if (!authJson) {
+    const authMode = row.authMode === "oauth" ? "oauth" : row.authMode === "api_key" ? "api_key" : undefined;
+    const apiKey = typeof row.apiKey === "string" || row.apiKey === null ? row.apiKey : undefined;
+    if (!authJson && authMode !== "api_key" && apiKey === undefined) {
         return null;
     }
     return {
         taskId: typeof row.taskId === "string" ? row.taskId : undefined,
-        authMode: row.authMode === "oauth" ? "oauth" : row.authMode === "api_key" ? "api_key" : undefined,
+        authMode,
         issuedAt: typeof row.issuedAt === "string" ? row.issuedAt : undefined,
         expiresAt: typeof row.expiresAt === "string" ? row.expiresAt : undefined,
-        authJson,
-        apiKey: typeof row.apiKey === "string" || row.apiKey === null ? row.apiKey : undefined,
+        authJson: authJson ?? undefined,
+        apiKey,
     };
 }
 async function postJson(url, body) {
@@ -3734,27 +3807,49 @@ async function checkCancelRequested(args) {
     const response = await getJson(`${args.serverBaseUrl}/api/agent/tasks/${encodeURIComponent(args.taskId)}/events?${query.toString()}`);
     return Boolean(response.task?.cancelRequested);
 }
-async function prepareTaskCodexAuth(args) {
-    void args;
+async function syncCodexAuthState(args) {
+    const envPatch = {};
+    const synced = false;
+    if (args.authMode === "api_key") {
+        if (args.apiKey) {
+            envPatch.OPENAI_API_KEY = args.apiKey;
+        }
+    }
     return {
-        envPatch: {},
+        envPatch,
         cleanup: async () => { },
         meta: {
-            codexAuthSource: "agent_local",
-            codexAuthSynced: false,
+            codexAuthSource: args.source,
+            codexAuthMode: args.authMode ?? null,
+            codexAuthHasApiKey: Boolean(args.apiKey),
+            codexAuthHasAuthJson: Boolean(args.authJson),
+            codexAuthIssuedAt: args.issuedAt ?? null,
+            codexAuthExpiresAt: args.expiresAt ?? null,
+            codexAuthSynced: synced,
         },
     };
 }
+async function prepareTaskCodexAuth(args) {
+    void args;
+    return await syncCodexAuthState({
+        source: "agent_local",
+        authJson: null,
+        issuedAt: null,
+        expiresAt: null,
+    });
+}
 async function prepareCodexAuthBundle(bundle) {
-    void bundle;
-    return {
-        envPatch: {},
-        cleanup: async () => { },
-        meta: {
-            codexAuthSource: "agent_local",
-            codexAuthSynced: false,
-        },
-    };
+    if (!bundle) {
+        return null;
+    }
+    return await syncCodexAuthState({
+        source: "server_bundle",
+        authMode: bundle.authMode,
+        apiKey: bundle.apiKey,
+        authJson: bundle.authJson ?? null,
+        issuedAt: bundle.issuedAt ?? null,
+        expiresAt: bundle.expiresAt ?? null,
+    });
 }
 async function prepareCommandExecution(args) {
     const shellPath = resolveShellPath();
@@ -3768,6 +3863,7 @@ async function prepareCommandExecution(args) {
         DOER_USER_ID: args.userId,
         DOER_AGENT_TASK_ID: args.taskId,
         ...buildAgentSettingsEnvPatch(localAgentSettings),
+        ...args.runtimeEnvPatch,
         ...(codexAuth?.envPatch ?? {}),
         WORKSPACE: taskWorkspace,
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "doer-agent",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Reverse-polling agent runtime for doer",
   "type": "module",
   "main": "dist/agent.js",