feat(codex): isolate Floway provider auth#223
Open
Menci wants to merge 14 commits into
Open
Conversation
Mark the generated Floway model provider as OpenAI-authenticated so current Codex enables its supported client-owned auth surface. Keep the under-development Agent Identity flow disabled and serve empty, honest usage and rate-limit-reset credit responses at the paths Codex queries in this mode.
Verify provider and feature flags within their owning TOML sections, and align the route and setup documentation with the exact client-owned auth behavior.
5 tasks
Authenticate the Floway provider through its own environment key so official Codex account state can coexist. Use the actor eligibility marker for client-owned search and image tools, force standalone search, disable the provider WebSocket, and retain the compact-capable model-provider base. Remove the synthetic ChatGPT account and auxiliary backend surface.
Store the Floway key in the provider-scoped bearer slot instead of an environment variable or global auth state, preserving an existing official Codex account while retaining client-tool eligibility.
Keep the simulated account credential and auxiliary startup surface that provide the authoritative catalog, Apps handshake, plugin absence shapes, and TUI identity. Layer client-owned search and image eligibility on top without changing the original account-mode contract.
Use command-backed provider auth so Floway refreshes its rich catalog without replacing the account-level Codex login. Store the provider token under the active CODEX_HOME, retain actor-gated client tools and compact routing, and remove auxiliary ChatGPT stubs that the generated provider no longer owns.
Generate explicit Unix and Windows command-auth alternatives, plus matching token-file setup commands under CODEX_HOME. Restore the supported provider WebSocket transport while retaining command-backed catalog refresh.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Configure Codex to authenticate the Floway model provider independently from its account-level login.
The generated provider reads its token through Codex command-backed auth from a mode-0600 file under the active
CODEX_HOME. Command auth triggers provider-relative model refresh, so Floway remains the source for rich model metadata, additional models, and context-window overrides while an official Codex account can continue serving account-backed features. The generated TOML includes explicit Linux/macOS and Windows auth-command alternatives, and the dashboard provides matching token-file setup commands.A non-secret actor-authorization marker makes current Codex expose its client-owned
web.runandimage_gen.imagegentools for the custom Floway provider. Floway strips that marker at the gateway boundary. Standalone web search is enabled for every supported Codex model.The model-provider base retains its Azure marker because current Codex couples it to remote
/responses/compactandstore:true. Floway keeps the Responses WebSocket, compact, Responses, models, and provider-relative image routes, but no longer emulates a ChatGPT account or auxiliary ChatGPT backend.Test plan
pnpm run test— 354 files / 4314 testspnpm run lintpnpm run typecheck— 19 workspace projects/modelsand resolved GPT-5.4 at a 1,050,000-token context windowweb.run → /alpha/searchround trip/images/generations, and returned the image through the second model turnstore:true