feat(agent): GitHub token bridge for refresh + codex compatibility #1976
Draft
ryans-posthog wants to merge 1 commit into main from
Conversation
The orchestrator can now POST a fresh GitHub token to the agent server mid-run, and a per-process loopback endpoint hands that token to the gh wrapper and a git credential helper. This decouples auth refresh from the codex-acp child process, whose env is snapshotted at spawn time and can't be mutated after the fact.

- POST /github-token (JWT-auth) stores the token, updates GH_TOKEN / GITHUB_TOKEN in process.env for the in-process Claude path
- GET /github-token (loopback + x-posthog-local-secret header) is what the gh wrapper and credential helper call
- On start(), generate a 32-byte secret + URL into env before any child spawns, then install a git credential helper at credential.https://github.com.helper that curls GET /github-token
- Vitest now isolates GIT_CONFIG_GLOBAL with gpgsign forced off so tests no longer fail on hosts with global commit signing enabled

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `POST /github-token` (JWT-auth) on the agent server so the orchestrator can push a refreshed GitHub token mid-run, and `GET /github-token` (loopback + per-process secret) for the `gh` wrapper and a git credential helper to read it.
- On `start()`, generates `POSTHOG_GH_WRAPPER_URL` + `POSTHOG_GH_WRAPPER_SECRET` into `process.env` before `autoInitializeSession()` so the codex-acp child inherits them, then installs a global `credential.https://github.bokerqi.top.helper` shim that fetches the latest token via the local endpoint.
- Vitest isolates `GIT_CONFIG_GLOBAL` with `commit.gpgsign=false`, fixing `settings.test.ts` failures on hosts with global signing on and preventing the credential-helper install from ever touching the dev's real `~/.gitconfig`.

Why
The `gh` CLI and any `git push` in the sandbox both need a live GitHub token. The Claude adapter runs in-process, so mutating `process.env.GH_TOKEN` from `POST /github-token` reaches it. The codex-acp adapter is spawned as a child with `env: { ...process.env }` snapshotted at spawn time — env updates after that point are invisible. Routing both adapters through the loopback endpoint (via the `gh` wrapper and the git credential helper) gives a single source of truth that works for both.

Test plan
- `settings.test.ts`).
- `git push` succeeds for both Claude and codex runs.
- `git`/`gh` call without restarting the agent.

🤖 Generated with Claude Code