chore: bump OAuth Codex submodules + harden grupomirandas swarm#27
Closed
NeritonDias wants to merge 18 commits intoEvolutionAPI:mainfrom
Closed
chore: bump OAuth Codex submodules + harden grupomirandas swarm#27NeritonDias wants to merge 18 commits intoEvolutionAPI:mainfrom
NeritonDias wants to merge 18 commits intoEvolutionAPI:mainfrom
Conversation
…-35030) Adds OAuth Codex (OpenAI) as an alternative authentication method for AI providers in Evo CRM, allowing ChatGPT Plus/Pro subscribers to use GPT-5.x models without a separate API key. Includes critical LiteLLM security upgrade. Backend: - Alembic migration: auth_type + oauth_data columns on api_keys table - OAuth device code flow service with thread-safe token refresh - 4 new REST endpoints under /agents/oauth/codex/* - Model remapping: chatgpt/ -> openai/ prefix with custom api_base Frontend: - New provider "ChatGPT (OAuth)" with 10 GPT-5.x models - OAuthDeviceCodeFlow and OAuthStatusBadge components - ApiKeysDialog conditional UI for OAuth vs API key Security: - LiteLLM upgrade v1.68.0 -> v1.83.3 (fixes CVE-2026-35030 OIDC bypass) - Supply chain attack mitigation (v1.82.7/v1.82.8 compromised Mar 2026) - 22 integration tests, 3-agent debug sweep with 10 findings fixed Docs: OAUTH-CODEX-pt-BR.md + OAUTH-CODEX-en.md
- bash→sh Alpine compatibility fix (EvolutionAPI#22) - Role select dropdown fix via frontend submodule (EvolutionAPI#17) - OAuth Codex implementation docs (from main) - .gitmodules switched to HTTPS for CI compatibility - Frontend submodule points to NeritonDias fork with role fix - Added build-test.yml workflow for Docker image builds
Docker Compose configured for grupomirandas.com.br deployment using test images from ghcr.io/neritondias/* built from test/all-fixes branch. Includes bash→sh fix for evocrm_auth and frontend with role select fix.
- Frontend: OAuth device code flow UI + OpenAI modal tabs (API Key / OAuth) - Processor: OAuth service, token refresh, 4 endpoints + internal token endpoint - CRM: Audio transcription with OAuth support (Whisper via ChatGPT subscription)
…essor + build gateway image The 404 was caused by two issues: 1. oauth_routes.py was not registered in processor main.py 2. nginx gateway routes /api/v1/agents/* to Core service, not Processor Fixes: - Register oauth_router in processor main.py - Change router prefix to /agents/oauth/codex - Add nginx location for /api/v1/agents/oauth -> processor - Add gateway to build workflow
The nginx.conf had hardcoded service names (evo_crm, evo_auth, etc.) but Swarm services use different names (evocrm_crm, evocrm_auth, etc.). Fix: replace hardcoded names with env vars (AUTH_UPSTREAM, CRM_UPSTREAM, etc.) and use nginx:alpine templates dir for automatic envsubst at startup.
…vars The previous approach used nginx templates dir which runs envsubst on ALL variables, destroying nginx internals like \, \, etc. Fix: use explicit envsubst with only the 5 upstream variables listed.
…ecrets
docker-compose.grupomirandas.yml:
- Point evocrm_gateway at ghcr.io/neritondias/evo-gateway:test (the
custom gateway built by .github/workflows/build-test.yml) instead of
evoapicloud/evo-crm-gateway:develop. The custom image carries the
/api/v1/agents/oauth nginx location that routes OAuth requests to
the processor. With the upstream image in place, every OAuth call
was falling through to the core service and returning 404.
- Add VITE_WS_URL=wss://api-crm.grupomirandas.com.br/cable to the
frontend service env. The frontend image's docker-entrypoint.sh
only rewrites VITE_* placeholders when the matching env var is
present; without this, VITE_WS_URL_PLACEHOLDER leaked into the JS
bundle at runtime and the ActionCable socket never connected.
- Replace every hardcoded shared secret (SECRET_KEY_BASE,
JWT_SECRET_KEY, DOORKEEPER_JWT_SECRET_KEY, EVOAI_CRM_API_TOKEN,
ENCRYPTION_KEY, BOT_RUNTIME_SECRET, POSTGRES_PASSWORD, SMTP_PASSWORD)
with ${VAR} placeholders so Docker Swarm / Portainer interpolates
them from the stack env-file. The previous values are leaked in the
public git history and MUST be rotated at the postgres server, at
the SMTP provider, and at any external system that holds them.
.env.grupomirandas.example:
- New file documenting every variable the grupomirandas stack expects,
how to generate each one, and which services consume it. The real
.env stays gitignored as today.
The processor service read POSTGRES_CONNECTION_STRING rather than the
individual POSTGRES_* pieces, and the connection string still embedded
the raw password. Rewrite the string to use ${POSTGRES_PASSWORD} so
no credential stays in the YAML.
evo-ai-processor-community: 688eaf5 → a6fc98d (feat/oauth-codex-v2) - chore(deps): bump litellm 1.68.2 → 1.83.3 (CVE-2026-35030, supply chain) - fix(oauth): security hardening + align with Codex CLI spec (state validation, SELECT FOR UPDATE, scopes, plan_type, env constants) evo-ai-frontend-community: 2a3e397 → c70ad83 (feat/oauth-codex-v2) - fix(oauth): validate callback origin, code, state, and errors in browser - fix: use account.id as clientId in OAuthStatusBadge (not apiKey.id)
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Sorry @NeritonDias, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR is the monorepo counterpart of the OAuth Codex refactor split into three reviewable PRs. It:
Submodule pointers
evo-ai-processor-communityevo-ai-frontend-communitydocker-compose.grupomirandas.ymlevoapicloud/evo-crm-gateway:develop(upstream, no/api/v1/agents/oauthroute) toghcr.io/neritondias/evo-gateway:test— the custom gateway built by.github/workflows/build-test.ymlthat carries the nginx location sending OAuth traffic to the processor. With the upstream image in place, every OAuth call was falling through to the core service and returning 404.VITE_WS_URLadded to the frontend service env. The frontend image'sdocker-entrypoint.shonly rewrites aVITE_*placeholder when the matching env var is present; without this,VITE_WS_URL_PLACEHOLDERwas leaking into the JS bundle and the ActionCable socket never connected.${VAR}placeholders:SECRET_KEY_BASE,JWT_SECRET_KEY,DOORKEEPER_JWT_SECRET_KEY,EVOAI_CRM_API_TOKEN,ENCRYPTION_KEY,BOT_RUNTIME_SECRET,POSTGRES_PASSWORD,SMTP_PASSWORD(plus the embedded password in the processor'sPOSTGRES_CONNECTION_STRING). The previous values are in the public git history and must be rotated in Postgres and at the SMTP provider.New file:
.env.grupomirandas.exampleDocuments every variable the stack expects, how to generate each one, and which services consume it. The real
.envstays gitignored.Test plan
docker stack deploy -c docker-compose.grupomirandas.yml(or equivalent Portainer deploy) succeeds when the 9 env vars from.env.grupomirandas.exampleare providedcurl https://api-crm.grupomirandas.com.br/api/v1/agents/oauth/codex/auth-start(with valid JWT) reaches the processor, not the core servicehttps://crm.grupomirandas.com.br, WebSocket connects towss://api-crm.grupomirandas.com.br/cable, noVITE_WS_URL_PLACEHOLDERin the bundlemodel="chatgpt/gpt-5.4"replies using the ChatGPT subscriptionSupersedes
Closes #14 — that PR used device-code +
openai/remapping, which does not work against LiteLLM (theopenai/provider does not speak the ChatGPT backend API). This 3-PR split uses PKCE + the nativechatgpt/provider shipped in LiteLLM 1.83.3.