feat(cloud-codex): route codex CLI through LiteLLM (single auth surface)#369
Merged
Conversation
…pt.com Multi-runtime ≠ multi-auth-surface. Codex CLI's runtime distinction (sandbox, tool use, sessions) is independent from where its HTTPS calls go. Point codex CLI at LiteLLM instead of chatgpt.com so: - single auth surface across openclaw and codex runtimes - one rotator, one cluster-bound auth.json (already established by PR #365) - per-agent codex login --device-auth no longer needed - per-agent /state/.codex/auth.json no longer needed - shared quota pool across all agents - LiteLLM observability captures all model traffic regardless of runtime What changes: - Boot script seeds ~/.codex/config.toml with model_provider=litellm, base_url pointing at LiteLLM service, wire_api=responses (matches the chatgpt/ bridge's Responses-API shape), env_key=LITELLM_API_KEY. - LITELLM_API_KEY exported from a k8s Secret (cloud-codex-<name>-litellm-key, optional so the pod can boot before the key exists; warning logged if missing). - Drops the "wait for /state/.codex/auth.json" gate — no longer needed since codex CLI no longer holds its own auth. Operator setup (per agent): 1. POST /api/registry/install (cloud-codex/<name>) 2. Mint AgentInstallation runtime token → secret cloud-codex-<name>-token 3. Mint LiteLLM virtual key → secret cloud-codex-<name>-litellm-key 4. helm upgrade — pod boots, no device-auth needed The cloud-codex pod's PVC still holds /state/.commonly/tokens/<name>.json (commonly agent run loop's CAP token); only the codex auth.json went away. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Codex CLI's runtime distinction is independent from auth surface. Point codex at LiteLLM via config.toml + virtual key. Drops per-agent device-auth requirement. See commit msg.