Skip to content

[codex] Implement managed Bedrock login#31326

Draft
celia-oai wants to merge 1 commit into
codex/managed-bedrock-apifrom
codex/managed-bedrock-login-v2
Draft

[codex] Implement managed Bedrock login#31326
celia-oai wants to merge 1 commit into
codex/managed-bedrock-apifrom
codex/managed-bedrock-login-v2

Conversation

@celia-oai

@celia-oai celia-oai commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why

App-server clients need a supported way to onboard users with Codex-managed Amazon Bedrock API keys. Bedrock API-key auth is already a primary CodexAuth mode, so login should reuse the existing auth persistence and reload lifecycle instead of maintaining a separate provider-scoped cache.

What changed

  • Validate non-empty managed Bedrock API keys and Mantle-supported regions.
  • Reject login when ChatGPT auth is externally managed or ChatGPT login is forced, while allowing the existing API-login policy.
  • Persist the credential with login_with_bedrock_api_key, write model_provider = "amazon-bedrock", and reload the shared AuthManager through its generic path.
  • Cancel any pending ChatGPT login before replacing the primary Codex auth.
  • Emit the standard login-completed and account-updated notifications.
  • Preserve command-line provider overrides while updating the user-level default.
  • Add integration coverage for capability gating, validation, primary-auth replacement, provider overrides, policy enforcement, persistence, and active Bedrock account reporting.

Impact

Managed Bedrock login replaces the current stored Codex login and updates the in-memory auth snapshot. Existing loaded sessions keep their current provider selection, so clients should restart the app-server before sending more model requests.

The auth and config writes remain non-transactional: if the config write fails after credential persistence, durable Bedrock auth can remain for a later retry or explicit cleanup.

Validation

  • just test -p codex-app-server -E 'test(/suite::v2::account/)' — 40 passed
  • Scoped tests for codex-app-server-protocol, codex-login, and codex-model-provider passed in the combined run
  • just fix -p codex-app-server -p codex-app-server-protocol -p codex-model-provider

Stack

  1. [codex] Add managed Bedrock login API #31327 Managed Bedrock experimental API — base: main
  2. [codex] Implement managed Bedrock login #31326 Managed Bedrock login — base: codex/managed-bedrock-api
  3. [codex] Implement managed Bedrock logout #31325 Managed Bedrock logout — base: codex/managed-bedrock-login-v2

@celia-oai celia-oai force-pushed the codex/managed-bedrock-login-v2 branch from fc7cbe0 to fa240d8 Compare July 8, 2026 00:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant