Skip to content

[codex] Separate managed Bedrock credentials by provider#31324

Draft
celia-oai wants to merge 1 commit into
mainfrom
codex/provider-auth-foundation
Draft

[codex] Separate managed Bedrock credentials by provider#31324
celia-oai wants to merge 1 commit into
mainfrom
codex/provider-auth-foundation

Conversation

@celia-oai

@celia-oai celia-oai commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why

Managed Amazon Bedrock API keys are persisted in the same durable auth store as general Codex credentials, but they belong to a different model-provider auth domain. Treating them as a CodexAuth variant couples Bedrock credential updates to the general auth cache: replacing the persisted record with Bedrock credentials can cause an auth reload to discard the OpenAI credentials already held by a loaded session.

This is the first PR in the Phase 1 provider-scoped auth stack. It establishes the cache and provider boundaries needed for later PRs to add the managed Bedrock login/logout APIs without changing credentials underneath existing sessions. It does not add a new user-facing login flow by itself.

What changed

  • Split AuthManager's in-memory state into general CodexAuth and managed BedrockApiKeyAuth caches, with Bedrock-specific persistence and reload paths that leave cached general auth untouched.
  • Exclude persisted Bedrock records from general Codex auth loading while continuing to enforce configured login restrictions against them.
  • Snapshot managed credentials when constructing the Amazon Bedrock model provider, and report BedrockApiKey through the provider's auth-mode boundary instead of representing it as bearer-style CodexAuth.
  • Resolve auth status through the active model provider in app-server account notifications, codex login status, codex doctor, and request telemetry.
  • Redact managed Bedrock API keys from Debug output.
  • Add coverage for independent cache loading/reloading, provider credential snapshots, auth-mode reporting, and API-key redaction.

Validation

  • just test -p codex-login
  • just test -p codex-model-provider
  • just test -p codex-cli
  • Scoped Clippy checks for the affected crates

Stack

  1. #31324 Provider-scoped auth foundation — base: main
  2. #31327 Managed Bedrock experimental API — base: codex/provider-auth-foundation
  3. #31326 Managed Bedrock login — base: codex/managed-bedrock-api
  4. #31325 Managed Bedrock logout — base: codex/managed-bedrock-login-v2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant