Skip to content

feat(codex): isolate Floway provider auth#223

Open
Menci wants to merge 14 commits into
mainfrom
codex/require-openai-auth
Open

feat(codex): isolate Floway provider auth#223
Menci wants to merge 14 commits into
mainfrom
codex/require-openai-auth

Conversation

@Menci

@Menci Menci commented Jul 14, 2026

Copy link
Copy Markdown
Owner

What

Configure Codex to authenticate the Floway model provider independently from its account-level login.

The generated provider reads its token through Codex command-backed auth from a mode-0600 file under the active CODEX_HOME. Command auth triggers provider-relative model refresh, so Floway remains the source for rich model metadata, additional models, and context-window overrides while an official Codex account can continue serving account-backed features. The generated TOML includes explicit Linux/macOS and Windows auth-command alternatives, and the dashboard provides matching token-file setup commands.

A non-secret actor-authorization marker makes current Codex expose its client-owned web.run and image_gen.imagegen tools for the custom Floway provider. Floway strips that marker at the gateway boundary. Standalone web search is enabled for every supported Codex model.

The model-provider base retains its Azure marker because current Codex couples it to remote /responses/compact and store:true. Floway keeps the Responses WebSocket, compact, Responses, models, and provider-relative image routes, but no longer emulates a ChatGPT account or auxiliary ChatGPT backend.

Test plan

  • pnpm run test — 354 files / 4314 tests
  • pnpm run lint
  • pnpm run typecheck — 19 workspace projects
  • Isolated Codex 0.144.4 command-auth probe refreshed Floway /models and resolved GPT-5.4 at a 1,050,000-token context window
  • Isolated Codex search probe completed one web.run → /alpha/search round trip
  • Isolated Codex image probe exposed both namespace tools, called /images/generations, and returned the image through the second model turn
  • Live model requests retained store:true
  • PowerShell token writer preserved an apostrophe-bearing key as UTF-8 without a BOM
  • ChatGPT Codex subscription upstream probe — waiting for a test account

Menci added 5 commits July 15, 2026 03:52
Mark the generated Floway model provider as OpenAI-authenticated so current Codex enables its supported client-owned auth surface. Keep the under-development Agent Identity flow disabled and serve empty, honest usage and rate-limit-reset credit responses at the paths Codex queries in this mode.
Verify provider and feature flags within their owning TOML sections, and align the route and setup documentation with the exact client-owned auth behavior.
Menci added 6 commits July 15, 2026 22:30
Authenticate the Floway provider through its own environment key so official Codex account state can coexist. Use the actor eligibility marker for client-owned search and image tools, force standalone search, disable the provider WebSocket, and retain the compact-capable model-provider base. Remove the synthetic ChatGPT account and auxiliary backend surface.
Store the Floway key in the provider-scoped bearer slot instead of an environment variable or global auth state, preserving an existing official Codex account while retaining client-tool eligibility.
Keep the simulated account credential and auxiliary startup surface that provide the authoritative catalog, Apps handshake, plugin absence shapes, and TUI identity. Layer client-owned search and image eligibility on top without changing the original account-mode contract.
Use command-backed provider auth so Floway refreshes its rich catalog without replacing the account-level Codex login. Store the provider token under the active CODEX_HOME, retain actor-gated client tools and compact routing, and remove auxiliary ChatGPT stubs that the generated provider no longer owns.
@Menci Menci changed the title feat(codex): require ChatGPT-style provider auth feat(codex): isolate Floway provider auth Jul 15, 2026
Menci added 3 commits July 16, 2026 01:05
Generate explicit Unix and Windows command-auth alternatives, plus matching token-file setup commands under CODEX_HOME. Restore the supported provider WebSocket transport while retaining command-backed catalog refresh.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant