agent-ecosystem/docs/research/codex-app-server-account-signoff.md

9 KiB

Codex App-Server Account Feature - Signoff Evidence

Date: 2026-04-20

Worktree:

  • /Users/belief/dev/projects/claude/claude_team_codex_native_runtime_plan

Branch:

  • spike/codex-native-runtime-plan

Related plan:

Scope

This signoff covers the app-server-backed Codex account feature work implemented in this repo:

  • shared Codex app-server transport extraction
  • codex-account feature slice
  • Codex preferredAuthMode config migration and validation
  • renderer/runtime integration for managed ChatGPT account plus API key truth
  • per-launch forced_login_method overrides for native Codex execution
  • lazy rate-limits support
  • login lifecycle wiring in the real UI path

Automated Verification

Targeted tests

Command:

pnpm vitest run \
  test/features/codex-account/core/evaluateCodexLaunchReadiness.test.ts \
  test/features/codex-account/main/CodexAccountEnvBuilder.test.ts \
  test/features/codex-account/main/createCodexAccountFeature.test.ts \
  test/features/codex-account/main/CodexLoginSessionManager.test.ts \
  test/features/codex-account/preload/createCodexAccountBridge.test.ts \
  test/features/codex-account/renderer/useCodexAccountSnapshot.test.ts \
  test/main/services/runtime/providerAwareCliEnv.test.ts \
  test/main/services/runtime/ProviderConnectionService.test.ts \
  test/main/services/runtime/ClaudeMultimodelBridgeService.test.ts \
  test/main/services/schedule/ScheduledTaskExecutor.test.ts \
  test/main/services/team/TeamProvisioningServicePrepare.test.ts \
  test/main/services/team/TeamProvisioningServicePrompts.test.ts \
  test/main/services/infrastructure/ConfigManager.codexMigration.test.ts \
  test/renderer/api/httpClient.codexAccount.test.ts \
  test/renderer/api/httpClient.exactTaskLogs.test.ts \
  test/renderer/components/runtime/ProviderRuntimeSettingsDialog.test.ts \
  test/renderer/components/runtime/providerConnectionUi.test.ts \
  test/renderer/components/cli/CliStatusVisibility.test.ts \
  test/renderer/components/team/dialogs/ProvisioningProviderStatusList.test.ts \
  test/main/ipc/configValidation.test.ts \
  test/features/recent-projects/main/infrastructure/CodexAppServerClient.test.ts \
  test/features/recent-projects/main/adapters/output/CodexRecentProjectsSourceAdapter.test.ts \
  test/features/recent-projects/core/application/ListDashboardRecentProjectsUseCase.test.ts \
  test/features/recent-projects/contracts/normalizeDashboardRecentProjectsPayload.test.ts \
  test/features/recent-projects/renderer/adapters/RecentProjectsSectionAdapter.test.ts

Result:

  • 25 test files passed
  • 204 tests passed

Typecheck

Command:

pnpm exec tsc -p tsconfig.json --noEmit

Result:

  • passed

Targeted lint

Command:

pnpm exec eslint \
  src/main/services/infrastructure/ConfigManager.ts \
  src/main/services/runtime/ProviderConnectionService.ts \
  src/main/services/runtime/providerAwareCliEnv.ts \
  src/main/services/schedule/ScheduledTaskExecutor.ts \
  src/features/codex-account/preload/createCodexAccountBridge.ts \
  src/features/codex-account/renderer/hooks/useCodexAccountSnapshot.ts \
  src/renderer/api/httpClient.ts \
  src/renderer/components/runtime/ProviderRuntimeSettingsDialog.tsx \
  test/main/services/infrastructure/ConfigManager.codexMigration.test.ts \
  test/features/codex-account/preload/createCodexAccountBridge.test.ts \
  test/features/codex-account/renderer/useCodexAccountSnapshot.test.ts \
  test/main/services/runtime/ProviderConnectionService.test.ts \
  test/main/services/runtime/providerAwareCliEnv.test.ts \
  test/renderer/api/httpClient.codexAccount.test.ts \
  test/renderer/components/runtime/ProviderRuntimeSettingsDialog.test.ts

Result:

  • passed

Live Read-Only Signoff

1. Real codex app-server account/read

Probe result:

{
  "account": {
    "type": "chatgpt",
    "email": "quantjumppro@gmail.com",
    "planType": "pro"
  },
  "requiresOpenaiAuth": true
}

What this proves:

  • installed Codex binary supports the stable app-server initialize flow used by the extracted transport
  • ChatGPT account autodetect works on the real machine
  • managed account truth is available without touching legacy transport

2. Real codex app-server account/rateLimits/read

Probe result summary:

{
  "rateLimits": {
    "limitId": "codex",
    "primary": {
      "usedPercent": 77,
      "windowDurationMins": 300
    },
    "secondary": {
      "usedPercent": 45,
      "windowDurationMins": 10080
    },
    "credits": {
      "hasCredits": false,
      "unlimited": false,
      "balance": "0"
    },
    "planType": "pro"
  }
}

What this proves:

  • live rate-limit payload shape matches the feature assumptions
  • plan/rate-limit surface can be driven from the real app-server contract

3. Real feature-facade snapshot

Command path:

  • createCodexAccountFeature(...).refreshSnapshot({ includeRateLimits: true })

Observed summary:

{
  "preferredAuthMode": "chatgpt",
  "effectiveAuthMode": "chatgpt",
  "appServerState": "healthy",
  "managedAccount": {
    "type": "chatgpt",
    "email": "quantjumppro@gmail.com",
    "planType": "pro"
  },
  "apiKey": {
    "available": true,
    "source": "environment",
    "sourceLabel": "Detected from OPENAI_API_KEY"
  },
  "launchAllowed": true,
  "launchReadinessState": "ready_chatgpt",
  "planType": "pro",
  "rateLimitPrimaryUsedPercent": 77
}

What this proves:

  • the real feature composition builds the expected snapshot
  • app-server truth, API-key availability merge, readiness evaluation, and rate-limit shaping all work together

4. Live preference-resolution checks through the feature facade

Observed summary:

{
  "preferredAuthMode": "auto",
  "effectiveAuthMode": "chatgpt",
  "launchAllowed": true,
  "launchReadinessState": "ready_both",
  "managedAccountType": "chatgpt",
  "apiKeyAvailable": true
}
{
  "preferredAuthMode": "api_key",
  "effectiveAuthMode": "api_key",
  "launchAllowed": true,
  "launchReadinessState": "ready_api_key",
  "managedAccountType": "chatgpt",
  "apiKeyAvailable": true
}

What this proves:

  • auto mode prefers ChatGPT when both auth sources exist
  • api_key preference still resolves correctly even when a managed account is also present

5. Live execution env sanitization check through ProviderConnectionService

With a connected managed-account snapshot and preferredAuthMode = "chatgpt", observed result:

{
  "OPENAI_API_KEY": null,
  "CODEX_API_KEY": null
}

What this proves:

  • ChatGPT-mode execution sanitizes ambient API-key env vars when managed-account launch is selected

6. Live provider-aware launch override check

Command path:

  • providerConnectionService.setCodexAccountFeature(createCodexAccountFeature(...))
  • buildProviderAwareCliEnv({ binaryPath: "codex", providerId: "codex" })

Observed summary:

{
  "providerArgs": [
    "-c",
    "forced_login_method=\"chatgpt\""
  ],
  "connectionIssues": {}
}

What this proves:

  • the native Codex launch policy now emits a deterministic forced_login_method override
  • the override is available through the shared provider-aware execution seam used by runtime launch paths

Definition Of Done Cross-Check

  1. Previously logged-in ChatGPT Codex account autodetects automatically. Status: yes - proven by live account/read.

  2. UI clearly distinguishes managed account and API key availability. Status: yes - implemented in the Codex panel and covered by renderer tests.

  3. auto mode works and prefers ChatGPT when available. Status: yes - proven by live feature-facade check.

  4. Launch policy no longer falsely requires API key when managed account exists. Status: yes - feature readiness plus live snapshot show launchAllowed = true in ChatGPT mode.

  5. ChatGPT-mode execution sanitizes API-key env vars. Status: yes - covered by tests and live ProviderConnectionService probe.

  6. API-key mode still works. Status: yes - covered by tests and live preference-resolution probe.

  7. Login, cancel, and logout work from the real UI. Status: code path and tests are implemented; live destructive signoff was intentionally not executed in this document to avoid mutating the active local Codex account session.

  8. Codex terminal-login path is no longer used in normal UI flows. Status: yes - normal Codex settings flow uses feature IPC actions, not terminal modal auth.

  9. recent-projects remains green. Status: yes - targeted recent-projects safety suites passed.

  10. Existing non-Codex provider UX remains unchanged. Status: targeted Anthropic/Gemini runtime and renderer tests passed.

Conclusion

For this repo, the planned app-server account feature work is in signoffable shape:

  • architecture is aligned with the feature-slice plan
  • renderer/runtime behavior is covered by targeted automated tests
  • live app-server read and rate-limit contracts were verified on the installed Codex binary
  • provider-aware native launch paths now receive deterministic Codex auth-mode overrides