app-server: persist device key bindings in sqlite (#19206)

mirror of https://github.com/openai/codex.git synced 2026-05-04 21:32:21 +03:00

## Why

Device-key providers should only own platform key material. The
account/client binding used to authorize a signing payload is app-server
state, and keeping that state in provider-specific metadata makes the
same check harder to audit and harder to share across platform
implementations.

Persisting the binding in the shared state database gives the device-key
crate a platform-neutral source of truth before it asks a provider to
sign. It also lets app-server move potentially blocking key operations
off the main message processor path, which matters once providers may
wait for OS authentication prompts.

## What changed

- Add a `device_key_bindings` state migration plus `StateRuntime`
helpers keyed by `key_id`.
- Add an async `DeviceKeyBindingStore` abstraction to `codex-device-key`
and use it from `DeviceKeyStore::create` and `DeviceKeyStore::sign`.
- Keep provider calls behind async store methods and run the synchronous
provider work through `spawn_blocking`.
- Wire app-server device-key RPC handling to the SQLite-backed binding
store and spawn response/error delivery tasks for device-key requests.
- Run the turn-start tracing test on the existing larger current-thread
test harness after the larger async surface made the default test stack
too small locally.

## Validation

- `cargo test -p codex-device-key`
- `cargo test -p codex-state device_key`
- `cargo test -p codex-state`
- `cargo test -p codex-app-server device_key`
- `cargo test -p codex-app-server
message_processor::tracing_tests::turn_start_jsonrpc_span_parents_core_turn_spans`
- `cargo test -p codex-app-server`
- `just fix -p codex-device-key`
- `just fix -p codex-state`
- `just fix -p codex-app-server`
- `just bazel-lock-update`
- `just bazel-lock-check`
- `git diff --check`

This commit is contained in:

Ruslan Nigmatullin

2026-04-23 21:55:56 -07:00

committed by

GitHub

parent e8d8080818

commit 19badb0be2

11 changed files with 622 additions and 258 deletions

									
										7

codex-rs/state/migrations/0028_device_key_bindings.sql
									
										Normal file
									
												View File
												
				@@ -0,0 +1,7 @@

				CREATE TABLE device_key_bindings (

				    key_id TEXT PRIMARY KEY NOT NULL,

				    account_user_id TEXT NOT NULL,

				    client_id TEXT NOT NULL,

				    created_at INTEGER NOT NULL,

				    updated_at INTEGER NOT NULL

				);

app-server: persist device key bindings in sqlite (#19206)

7 codex-rs/state/migrations/0028_device_key_bindings.sql Normal file Unescape Escape View File

7

codex-rs/state/migrations/0028_device_key_bindings.sql Normal file

View File