Add /api-provision to app-server TUI

Wire the app-backed UI through a new internal ephemeral API-key login path so /api-provision can reuse the browser provisioning flow, persist OPENAI_API_KEY to .env, and hot-apply the key without writing auth.json. Co-authored-by: Codex <noreply@openai.com> (cherry picked from commit e7d7aebb48)
2026-05-03 12:52:11 +03:00 · 2026-03-24 22:00:30 +00:00
parent 2c08f00f65
commit a734106aff
16 changed files with 541 additions and 9 deletions
--- a/codex-rs/app-server/tests/suite/v2/account.rs
+++ b/codex-rs/app-server/tests/suite/v2/account.rs
@@ -854,6 +854,57 @@ async fn login_account_api_key_succeeds_and_notifies() -> Result<()> {
    Ok(())
 }

+#[tokio::test]
+async fn login_account_ephemeral_api_key_succeeds_and_does_not_write_auth_json() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let req_id = mcp
+        .send_login_account_ephemeral_api_key_request("sk-ephemeral-test-key")
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(req_id)),
+    )
+    .await??;
+    let login: LoginAccountResponse = to_response(resp)?;
+    assert_eq!(login, LoginAccountResponse::ApiKey {});
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/login/completed"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountLoginCompleted(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    pretty_assertions::assert_eq!(payload.login_id, None);
+    pretty_assertions::assert_eq!(payload.success, true);
+    pretty_assertions::assert_eq!(payload.error, None);
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountUpdated(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    pretty_assertions::assert_eq!(payload.auth_mode, Some(AuthMode::ApiKey));
+    pretty_assertions::assert_eq!(payload.plan_type, None);
+
+    assert!(
+        !codex_home.path().join("auth.json").exists(),
+        "ephemeral API-key login should not write auth.json"
+    );
+    Ok(())
+}
+
 #[tokio::test]
 async fn login_account_api_key_rejected_when_forced_chatgpt() -> Result<()> {
    let codex_home = TempDir::new()?;