spawnfile 0.1.3 → 0.1.4

package/README.md

@@ -43,6 +43,8 @@ spawnfile run    --tag my-agent --auth-profile dev
 
 Compiled output lands under `.spawn/` by default, including a `Dockerfile`, `entrypoint.sh`, `.env.example`, and a prebuilt `container/rootfs/` tree. `spawnfile build` uses the pinned runtime artifacts from `runtimes.yaml`; it does not rebuild runtimes from source.
 
+Declare external credentials in `secrets:` and provide values through an ignored env file or the shell environment. `spawnfile auth sync --env-file .env` stores declared model auth and project secrets in a local auth profile; `spawnfile run --env-file .env` can inject the same values directly for a single run. This is the intended pattern for credentials like `GH_TOKEN`, MCP tokens, and provider API keys.
+
 ## Project structure
 
 A Spawnfile project is either an `agent` or a `team`.

package/dist/cli/runCli.js

@@ -113,12 +113,14 @@ export const runCli = async (argv, optionsOrStreams, handlerOverrides = {}) => {
         .option("-t, --tag <image>", "Docker image tag")
         .option("--auth-profile <name>", "Local Spawnfile auth profile")
         .option("--name <container>", "Docker container name")
+        .option("--env-file <file>", "Path to an env file for runtime secrets")
         .option("-d, --detach", "Run the container in detached mode")
         .action(async (inputPath, options) => {
         const result = await handlers.runProject(inputPath, {
             authProfile: options.authProfile,
             containerName: options.name,
             detach: options.detach,
+            envFilePath: options.envFile,
             imageTag: options.tag,
             outputDirectory: options.out
         });
@@ -232,7 +234,7 @@ export const runCli = async (argv, optionsOrStreams, handlerOverrides = {}) => {
         .command("sync")
         .argument("[path]", "Project directory or Spawnfile path", process.cwd())
         .option("-p, --profile <name>", "Auth profile name", "default")
-        .option("--env-file <file>", "Path to an env file with model API keys")
+        .option("--env-file <file>", "Path to an env file with model keys and runtime secrets")
         .option("--claude-from <directory>", "Source Claude Code config directory")
         .option("--codex-from <directory>", "Source Codex config directory")
         .action(async (inputPath, options) => {

package/dist/compiler/containerEntrypointRender.js

@@ -8,9 +8,9 @@ const createEnvironmentAssignments = (plan) => {
     if (plan.instancePaths.homePath) {
         envAssignments.push(`HOME=${shellQuote(plan.instancePaths.homePath)}`);
     }
-    if (plan.runtimeName === "tinyclaw" &&
-        plan.instancePaths.homePath &&
-        (plan.modelAuthMethods.openai === "api_key" || plan.modelAuthMethods.openai === "codex")) {
+    if (plan.instancePaths.homePath && ((plan.runtimeName === "tinyclaw" &&
+        (plan.modelAuthMethods.openai === "api_key" || plan.modelAuthMethods.openai === "codex")) ||
+        (plan.runtimeName === "picoclaw" && plan.modelAuthMethods.openai === "codex"))) {
         envAssignments.push(`CODEX_HOME=${shellQuote(path.posix.join(plan.instancePaths.homePath, ".codex"))}`);
     }
     if (plan.meta.homeEnv && plan.instancePaths.homePath) {

package/dist/compiler/runProject.d.ts

@@ -16,6 +16,7 @@ export interface RunProjectOptions extends CompileProjectOptions {
     containerName?: string;
     detach?: boolean;
     dockerCommand?: string;
+    envFilePath?: string;
     imageTag?: string;
     runRunner?: DockerRunRunner;
 }
@@ -29,6 +30,7 @@ export declare const createDockerRunInvocation: (compileResult: CompileProjectRe
     containerName?: string;
     detach?: boolean;
     dockerCommand?: string;
+    envFilePath?: string;
 }) => Promise<DockerRunInvocation>;
 export declare const runDockerContainer: DockerRunRunner;
 export declare const runProject: (inputPath: string, options?: RunProjectOptions) => Promise<RunProjectResult>;

package/dist/compiler/runProject.js

@@ -3,8 +3,8 @@ import path from "node:path";
 import { mkdtemp } from "node:fs/promises";
 import { randomBytes } from "node:crypto";
 import { spawn } from "node:child_process";
-import { requireAuthProfile } from "../auth/index.js";
-import { ensureDirectory, fileExists, removeDirectory, writeUtf8File } from "../filesystem/index.js";
+import { parseEnvFile, requireAuthProfile } from "../auth/index.js";
+import { ensureDirectory, fileExists, readUtf8File, removeDirectory, writeUtf8File } from "../filesystem/index.js";
 import { SpawnfileError } from "../shared/index.js";
 import { compileProject } from "./compileProject.js";
 import { createDefaultImageTag } from "./buildProject.js";
@@ -47,9 +47,10 @@ const collectMissingRequiredSecrets = (containerReport, env, coveredModelSecrets
     }
     return [...missing].sort();
 };
-const resolveRunEnvironment = (containerReport, authProfile) => {
+const resolveRunEnvironment = (containerReport, authProfile, envFileEnv = {}) => {
     const env = {
-        ...(authProfile?.env ?? {})
+        ...(authProfile?.env ?? {}),
+        ...envFileEnv
     };
     for (const name of new Set([...Object.keys(env), ...containerReport.secrets_required])) {
         const processValue = process.env[name];
@@ -83,6 +84,18 @@ const renderDockerEnvFile = (env) => `${Object.entries(env)
     .sort(([left], [right]) => left.localeCompare(right))
     .map(([name, value]) => `${name}=${value}`)
     .join("\n")}\n`;
+const readRunEnvFile = async (envFilePath) => {
+    if (!envFilePath) {
+        return {};
+    }
+    try {
+        return parseEnvFile(await readUtf8File(envFilePath));
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : String(error);
+        throw new SpawnfileError("validation_error", `Unable to read env file ${envFilePath}: ${reason}`);
+    }
+};
 const resolveAuthMountArgs = async (containerReport, authProfile) => {
     if (!authProfile || containerReport.runtime_homes.length === 0) {
         return [];
@@ -110,7 +123,7 @@ export const createDockerRunInvocation = async (compileResult, imageTag, options
     const envFilePath = path.join(supportDirectory, "run.env");
     try {
         assertDeclaredModelAuthSatisfied(containerReport, options.authProfile ?? null);
-        const env = resolveRunEnvironment(containerReport, options.authProfile ?? null);
+        const env = resolveRunEnvironment(containerReport, options.authProfile ?? null, await readRunEnvFile(options.envFilePath));
         const preparedRuntimeAuth = await prepareRuntimeAuthMounts(compileResult.outputDirectory, containerReport, options.authProfile ?? null, env, supportDirectory);
         assertRunEnvironmentSatisfied(containerReport, env, preparedRuntimeAuth.coveredModelSecrets);
         await ensureDirectory(supportDirectory);
@@ -178,7 +191,8 @@ export const runProject = async (inputPath, options = {}) => {
         authProfile,
         containerName: options.containerName,
         detach: options.detach,
-        dockerCommand: options.dockerCommand
+        dockerCommand: options.dockerCommand,
+        envFilePath: options.envFilePath
     });
     try {
         await (options.runRunner ?? runDockerContainer)(invocation);

package/dist/compiler/syncProjectAuth.js

@@ -7,39 +7,64 @@ import { listExecutionModelSecretNames, resolveExecutionModelAuthMethods } from
 const resolveAuthRequirements = async (inputPath) => {
     const plan = await buildCompilePlan(inputPath);
     const methods = new Set();
-    const envNames = new Set();
+    const optionalEnvNames = new Set();
+    const requiredEnvNames = new Set();
+    const addProjectSecret = (secret) => {
+        if (secret.required) {
+            requiredEnvNames.add(secret.name);
+            optionalEnvNames.delete(secret.name);
+        }
+        else if (!requiredEnvNames.has(secret.name)) {
+            optionalEnvNames.add(secret.name);
+        }
+    };
     for (const node of plan.nodes) {
         if (node.value.kind !== "agent") {
+            for (const secret of node.value.shared.secrets) {
+                addProjectSecret(secret);
+            }
             continue;
         }
+        for (const secret of node.value.secrets) {
+            addProjectSecret(secret);
+        }
         for (const method of Object.values(resolveExecutionModelAuthMethods(node.value.execution))) {
             methods.add(method);
         }
         for (const envName of listExecutionModelSecretNames(node.value.execution)) {
-            envNames.add(envName);
+            requiredEnvNames.add(envName);
+            optionalEnvNames.delete(envName);
         }
         for (const envName of listAgentSurfaceSecretNames(node.value.surfaces)) {
-            envNames.add(envName);
+            requiredEnvNames.add(envName);
+            optionalEnvNames.delete(envName);
         }
     }
-    return { envNames, methods };
+    return { methods, optionalEnvNames, requiredEnvNames };
+};
+const readEnvFile = async (envFilePath) => envFilePath ? parseEnvFile(await readUtf8File(envFilePath)) : {};
+const resolveEnvValue = (envName, fileEnv) => {
+    const processValue = process.env[envName];
+    if (typeof processValue === "string" && processValue.length > 0) {
+        return processValue;
+    }
+    const fileValue = fileEnv[envName];
+    if (typeof fileValue === "string" && fileValue.length > 0) {
+        return fileValue;
+    }
+    return null;
 };
-const resolveRequiredEnv = async (envNames, envFilePath) => {
-    if (envNames.size === 0) {
+const resolveRequiredEnv = async (requiredEnvNames, optionalEnvNames, envFilePath) => {
+    if (requiredEnvNames.size === 0 && optionalEnvNames.size === 0) {
         return {};
     }
-    const fileEnv = envFilePath ? parseEnvFile(await readUtf8File(envFilePath)) : {};
+    const fileEnv = await readEnvFile(envFilePath);
     const resolvedEnv = {};
     const missingEnv = [];
-    for (const envName of [...envNames].sort()) {
-        const processValue = process.env[envName];
-        if (typeof processValue === "string" && processValue.length > 0) {
-            resolvedEnv[envName] = processValue;
-            continue;
-        }
-        const fileValue = fileEnv[envName];
-        if (typeof fileValue === "string" && fileValue.length > 0) {
-            resolvedEnv[envName] = fileValue;
+    for (const envName of [...requiredEnvNames].sort()) {
+        const value = resolveEnvValue(envName, fileEnv);
+        if (value !== null) {
+            resolvedEnv[envName] = value;
             continue;
         }
         missingEnv.push(envName);
@@ -47,10 +72,19 @@ const resolveRequiredEnv = async (envNames, envFilePath) => {
     if (missingEnv.length > 0) {
         throw new SpawnfileError("validation_error", `Missing required auth env: ${missingEnv.join(", ")}`);
     }
+    for (const envName of [...optionalEnvNames].sort()) {
+        if (requiredEnvNames.has(envName)) {
+            continue;
+        }
+        const value = resolveEnvValue(envName, fileEnv);
+        if (value !== null) {
+            resolvedEnv[envName] = value;
+        }
+    }
     return resolvedEnv;
 };
 export const syncProjectAuth = async (inputPath, options) => {
-    const { envNames, methods } = await resolveAuthRequirements(inputPath);
+    const { methods, optionalEnvNames, requiredEnvNames } = await resolveAuthRequirements(inputPath);
     await ensureAuthProfile(options.profileName);
     if (methods.has("codex")) {
         await importCodexAuth(options.profileName, options.codexDirectory);
@@ -58,8 +92,8 @@ export const syncProjectAuth = async (inputPath, options) => {
     if (methods.has("claude-code")) {
         await importClaudeCodeAuth(options.profileName, options.claudeCodeDirectory);
     }
-    if (envNames.size > 0) {
-        await setAuthProfileEnv(options.profileName, await resolveRequiredEnv(envNames, options.envFilePath));
+    if (requiredEnvNames.size > 0 || optionalEnvNames.size > 0) {
+        await setAuthProfileEnv(options.profileName, await resolveRequiredEnv(requiredEnvNames, optionalEnvNames, options.envFilePath));
     }
     return requireAuthProfile(options.profileName);
 };

package/dist/runtime/picoclaw/adapter.js

@@ -47,6 +47,13 @@ const buildModelList = (node) => {
                 model_name: target.name
             };
         }
+        if (target.provider === "openai" && target.auth.method === "codex") {
+            return {
+                model: `codex-cli/${target.name}`,
+                model_name: target.name,
+                workspace: "<workspace-path>"
+            };
+        }
         return {
             ...(target.auth.method === "api_key"
                 ? {

package/dist/runtime/picoclaw/runAuth.js

@@ -1,12 +1,12 @@
 import path from "node:path";
-import { loadImportedClaudeCodeCredential, loadImportedCodexCredential } from "../../auth/index.js";
+import { loadImportedClaudeCodeCredential } from "../../auth/index.js";
 import { copyDirectory, ensureDirectory, readUtf8File, writeUtf8File } from "../../filesystem/index.js";
 const resolveRootfsSourcePath = (outputDirectory, containerPath) => path.join(outputDirectory, "container", "rootfs", ...path.posix.relative("/", containerPath).split("/"));
 const createMountArgs = (hostPath, containerPath) => [
     "-v",
     `${hostPath}:${containerPath}`
 ];
-const createMountedHomeDirectory = async (input, patchedConfig, authStore) => {
+const createMountedHomeDirectory = async (input, patchedConfig) => {
     const sourceHomePath = resolveRootfsSourcePath(input.outputDirectory, input.instance.home_path);
     const mountedHomePath = path.join("runtime-auth", "picoclaw", input.instance.id, "home");
     const hostHomePath = path.join(input.tempRoot, mountedHomePath);
@@ -14,26 +14,10 @@ const createMountedHomeDirectory = async (input, patchedConfig, authStore) => {
     await copyDirectory(sourceHomePath, hostHomePath);
     const relativeConfigPath = path.posix.relative(input.instance.home_path, input.instance.config_path);
     const hostConfigPath = path.join(hostHomePath, ...relativeConfigPath.split("/"));
-    const hostAuthPath = path.join(hostHomePath, "auth.json");
     await ensureDirectory(path.dirname(hostConfigPath));
     await writeUtf8File(hostConfigPath, `${JSON.stringify(patchedConfig, null, 2)}\n`);
-    if (authStore) {
-        await writeUtf8File(hostAuthPath, `${JSON.stringify(authStore, null, 2)}\n`);
-    }
     return hostHomePath;
 };
-const createPicoClawCredential = (provider, credential) => ({
-    access_token: credential.access,
-    ...("type" in credential && credential.type === "oauth" && credential.refresh
-        ? { refresh_token: credential.refresh }
-        : !("type" in credential)
-            ? { refresh_token: credential.refresh }
-            : {}),
-    ...("accountId" in credential && credential.accountId ? { account_id: credential.accountId } : {}),
-    auth_method: "oauth",
-    expires_at: new Date(credential.expires).toISOString(),
-    provider
-});
 const normalizeClaudeCliModelName = (modelName) => modelName.replaceAll(".", "-");
 const patchPicoClawConfig = (config, options) => {
     const agents = config.agents ?? {};
@@ -55,21 +39,11 @@ const patchPicoClawConfig = (config, options) => {
                 record.model = `claude-cli/${normalizeClaudeCliModelName(modelName)}`;
             }
         }
-        if (options.useCodex && typeof model === "string" && model.startsWith("openai/")) {
-            delete record.api_key;
-            record.auth_method = "oauth";
-        }
         return record;
     });
     if (options.useClaudeCode) {
         delete nextProviders.anthropic;
     }
-    if (options.useCodex) {
-        nextProviders.openai = {
-            ...(nextProviders.openai ?? {}),
-            auth_method: "oauth"
-        };
-    }
     return {
         ...config,
         agents: {
@@ -87,29 +61,19 @@ export const preparePicoClawRuntimeAuth = async (input) => {
     const claudeCode = input.authProfile.imports["claude-code"]
         ? await loadImportedClaudeCodeCredential(input.authProfile.imports["claude-code"].path)
         : null;
-    const codex = input.authProfile.imports.codex
-        ? await loadImportedCodexCredential(input.authProfile.imports.codex.path)
-        : null;
     const useClaudeCode = input.instance.model_auth_methods.anthropic === "claude-code" && claudeCode;
-    const useCodex = input.instance.model_auth_methods.openai === "codex" && codex;
-    if (!useClaudeCode && !useCodex) {
+    if (!useClaudeCode) {
         return { coveredModelSecrets: [], mountArgs: [] };
     }
-    const credentials = {};
     const coveredModelSecrets = [];
-    if (useCodex) {
-        credentials.openai = createPicoClawCredential("openai", codex);
-        coveredModelSecrets.push("OPENAI_API_KEY");
-    }
     if (useClaudeCode) {
         coveredModelSecrets.push("ANTHROPIC_API_KEY");
     }
     const sourceConfig = JSON.parse(await readUtf8File(resolveRootfsSourcePath(input.outputDirectory, input.instance.config_path)));
     const patchedConfig = patchPicoClawConfig(sourceConfig, {
-        useClaudeCode: Boolean(useClaudeCode),
-        useCodex: Boolean(useCodex)
+        useClaudeCode: Boolean(useClaudeCode)
     });
-    const mountedHomePath = await createMountedHomeDirectory(input, patchedConfig, Object.keys(credentials).length > 0 ? { credentials } : null);
+    const mountedHomePath = await createMountedHomeDirectory(input, patchedConfig);
     return {
         coveredModelSecrets,
         mountArgs: createMountArgs(mountedHomePath, input.instance.home_path)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "spawnfile",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Canonical source compiler for autonomous agents and teams.",
   "license": "MIT",
   "type": "module",