feat: add opt-in provider runtime abstraction (#17713)

## Summary - Add `codex-model-provider` as the runtime home for model-provider behavior that does not belong in `codex-core`, `codex-login`, or `codex-api`. - The new crate wraps configured `ModelProviderInfo` in a `ModelProvider` trait object that can resolve the API provider config, provider-scoped auth manager, and request auth provider for each call. - This centralizes provider auth behavior in one place today, and gives us an extension point for future provider-specific auth, model listing, request setup, and related runtime behavior. ## Tests Ran tests manually to make sure that provider auth under different configs still work as expected. --------- Co-authored-by: pakrym-oai <pakrym@openai.com>
2026-05-04 13:21:54 +03:00 · 2026-04-16 19:27:45 -07:00
parent 91e8eebd03
commit a803790a10
45 changed files with 577 additions and 369 deletions
--- a/codex-rs/codex-api/src/api_bridge.rs
+++ b/codex-rs/codex-api/src/api_bridge.rs
@@ -1,4 +1,3 @@
-use crate::AuthProvider as ApiAuthProvider;
 use crate::TransportError;
 use crate::error::ApiError;
 use crate::rate_limits::parse_promo_message;
@@ -12,7 +11,6 @@ use codex_protocol::error::RetryLimitReachedError;
 use codex_protocol::error::UnexpectedResponseError;
 use codex_protocol::error::UsageLimitReachedError;
 use http::HeaderMap;
-use http::HeaderValue;
 use serde::Deserialize;
 use serde_json::Value;

@@ -174,48 +172,3 @@ struct UsageErrorBody {
    plan_type: Option<PlanType>,
    resets_at: Option<i64>,
 }
-
-#[derive(Clone, Default)]
-pub struct CoreAuthProvider {
-    pub token: Option<String>,
-    pub account_id: Option<String>,
-    pub is_fedramp_account: bool,
-}
-
-impl CoreAuthProvider {
-    pub fn auth_header_attached(&self) -> bool {
-        self.token
-            .as_ref()
-            .is_some_and(|token| http::HeaderValue::from_str(&format!("Bearer {token}")).is_ok())
-    }
-
-    pub fn auth_header_name(&self) -> Option<&'static str> {
-        self.auth_header_attached().then_some("authorization")
-    }
-
-    pub fn for_test(token: Option<&str>, account_id: Option<&str>) -> Self {
-        Self {
-            token: token.map(str::to_string),
-            account_id: account_id.map(str::to_string),
-            is_fedramp_account: false,
-        }
-    }
-}
-
-impl ApiAuthProvider for CoreAuthProvider {
-    fn add_auth_headers(&self, headers: &mut HeaderMap) {
-        if let Some(token) = self.token.as_ref()
-            && let Ok(header) = HeaderValue::from_str(&format!("Bearer {token}"))
-        {
-            let _ = headers.insert(http::header::AUTHORIZATION, header);
-        }
-        if let Some(account_id) = self.account_id.as_ref()
-            && let Ok(header) = HeaderValue::from_str(account_id)
-        {
-            let _ = headers.insert("ChatGPT-Account-ID", header);
-        }
-        if self.is_fedramp_account {
-            crate::auth::add_fedramp_routing_header(headers);
-        }
-    }
-}
--- a/codex-rs/codex-api/src/api_bridge_tests.rs
+++ b/codex-rs/codex-api/src/api_bridge_tests.rs
@@ -130,55 +130,3 @@ fn map_api_error_extracts_identity_auth_details_from_headers() {
    );
    assert_eq!(err.identity_error_code.as_deref(), Some("token_expired"));
 }
-
-#[test]
-fn core_auth_provider_reports_when_auth_header_will_attach() {
-    let auth = CoreAuthProvider {
-        token: Some("access-token".to_string()),
-        account_id: None,
-        is_fedramp_account: false,
-    };
-
-    assert!(auth.auth_header_attached());
-    assert_eq!(auth.auth_header_name(), Some("authorization"));
-}
-
-#[test]
-fn core_auth_provider_adds_auth_headers() {
-    let auth = CoreAuthProvider::for_test(Some("access-token"), Some("workspace-123"));
-    let mut headers = HeaderMap::new();
-
-    crate::AuthProvider::add_auth_headers(&auth, &mut headers);
-
-    assert_eq!(
-        headers
-            .get(http::header::AUTHORIZATION)
-            .and_then(|value| value.to_str().ok()),
-        Some("Bearer access-token")
-    );
-    assert_eq!(
-        headers
-            .get("ChatGPT-Account-ID")
-            .and_then(|value| value.to_str().ok()),
-        Some("workspace-123")
-    );
-}
-
-#[test]
-fn core_auth_provider_adds_fedramp_routing_header_for_fedramp_accounts() {
-    let auth = CoreAuthProvider {
-        token: Some("access-token".to_string()),
-        account_id: Some("workspace-123".to_string()),
-        is_fedramp_account: true,
-    };
-    let mut headers = HeaderMap::new();
-
-    crate::AuthProvider::add_auth_headers(&auth, &mut headers);
-
-    assert_eq!(
-        headers
-            .get("X-OpenAI-Fedramp")
-            .and_then(|value| value.to_str().ok()),
-        Some("true")
-    );
-}
--- a/codex-rs/codex-api/src/auth.rs
+++ b/codex-rs/codex-api/src/auth.rs
@@ -1,5 +1,5 @@
 use http::HeaderMap;
-use http::HeaderValue;
+use std::sync::Arc;

 /// Adds authentication headers to API requests.
 ///
@@ -10,25 +10,23 @@ pub trait AuthProvider: Send + Sync {
    fn add_auth_headers(&self, headers: &mut HeaderMap);
 }

-pub(crate) fn add_fedramp_routing_header(headers: &mut HeaderMap) {
-    headers.insert("X-OpenAI-Fedramp", HeaderValue::from_static("true"));
+/// Shared auth handle passed through API clients.
+pub type SharedAuthProvider = Arc<dyn AuthProvider>;
+
+#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
+pub struct AuthHeaderTelemetry {
+    pub attached: bool,
+    pub name: Option<&'static str>,
 }

-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn add_fedramp_routing_header_sets_header() {
-        let mut headers = HeaderMap::new();
-
-        add_fedramp_routing_header(&mut headers);
-
-        assert_eq!(
-            headers
-                .get("X-OpenAI-Fedramp")
-                .and_then(|v| v.to_str().ok()),
-            Some("true")
-        );
+pub fn auth_header_telemetry(auth: &dyn AuthProvider) -> AuthHeaderTelemetry {
+    let mut headers = HeaderMap::new();
+    auth.add_auth_headers(&mut headers);
+    let name = headers
+        .contains_key(http::header::AUTHORIZATION)
+        .then_some("authorization");
+    AuthHeaderTelemetry {
+        attached: name.is_some(),
+        name,
    }
 }
--- a/codex-rs/codex-api/src/endpoint/compact.rs
+++ b/codex-rs/codex-api/src/endpoint/compact.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::common::CompactionInput;
 use crate::endpoint::session::EndpointSession;
 use crate::error::ApiError;
@@ -12,12 +12,12 @@ use serde::Deserialize;
 use serde_json::to_value;
 use std::sync::Arc;

-pub struct CompactClient<T: HttpTransport, A: AuthProvider> {
-    session: EndpointSession<T, A>,
+pub struct CompactClient<T: HttpTransport> {
+    session: EndpointSession<T>,
 }

-impl<T: HttpTransport, A: AuthProvider> CompactClient<T, A> {
-    pub fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> CompactClient<T> {
+    pub fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            session: EndpointSession::new(transport, provider, auth),
        }
@@ -86,18 +86,8 @@ mod tests {
        }
    }

-    #[derive(Clone, Default)]
-    struct DummyAuth;
-
-    impl AuthProvider for DummyAuth {
-        fn add_auth_headers(&self, _headers: &mut HeaderMap) {}
-    }
-
    #[test]
    fn path_is_responses_compact() {
-        assert_eq!(
-            CompactClient::<DummyTransport, DummyAuth>::path(),
-            "responses/compact"
-        );
+        assert_eq!(CompactClient::<DummyTransport>::path(), "responses/compact");
    }
 }
--- a/codex-rs/codex-api/src/endpoint/memories.rs
+++ b/codex-rs/codex-api/src/endpoint/memories.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::common::MemorySummarizeInput;
 use crate::common::MemorySummarizeOutput;
 use crate::endpoint::session::EndpointSession;
@@ -12,12 +12,12 @@ use serde::Deserialize;
 use serde_json::to_value;
 use std::sync::Arc;

-pub struct MemoriesClient<T: HttpTransport, A: AuthProvider> {
-    session: EndpointSession<T, A>,
+pub struct MemoriesClient<T: HttpTransport> {
+    session: EndpointSession<T>,
 }

-impl<T: HttpTransport, A: AuthProvider> MemoriesClient<T, A> {
-    pub fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> MemoriesClient<T> {
+    pub fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            session: EndpointSession::new(transport, provider, auth),
        }
@@ -67,6 +67,7 @@ struct SummarizeResponse {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::auth::AuthProvider;
    use crate::common::RawMemory;
    use crate::common::RawMemoryMetadata;
    use crate::provider::RetryConfig;
@@ -157,7 +158,7 @@ mod tests {
    #[test]
    fn path_is_memories_trace_summarize_for_wire_compatibility() {
        assert_eq!(
-            MemoriesClient::<DummyTransport, DummyAuth>::path(),
+            MemoriesClient::<DummyTransport>::path(),
            "memories/trace_summarize"
        );
    }
@@ -178,7 +179,7 @@ mod tests {
        let client = MemoriesClient::new(
            transport.clone(),
            provider("https://example.com/api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let input = MemorySummarizeInput {
--- a/codex-rs/codex-api/src/endpoint/models.rs
+++ b/codex-rs/codex-api/src/endpoint/models.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::endpoint::session::EndpointSession;
 use crate::error::ApiError;
 use crate::provider::Provider;
@@ -11,12 +11,12 @@ use http::Method;
 use http::header::ETAG;
 use std::sync::Arc;

-pub struct ModelsClient<T: HttpTransport, A: AuthProvider> {
-    session: EndpointSession<T, A>,
+pub struct ModelsClient<T: HttpTransport> {
+    session: EndpointSession<T>,
 }

-impl<T: HttpTransport, A: AuthProvider> ModelsClient<T, A> {
-    pub fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> ModelsClient<T> {
+    pub fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            session: EndpointSession::new(transport, provider, auth),
        }
@@ -76,6 +76,7 @@ impl<T: HttpTransport, A: AuthProvider> ModelsClient<T, A> {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::auth::AuthProvider;
    use crate::provider::RetryConfig;
    use async_trait::async_trait;
    use codex_client::Request;
@@ -165,7 +166,7 @@ mod tests {
        let client = ModelsClient::new(
            transport.clone(),
            provider("https://example.com/api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let (models, _) = client
@@ -229,7 +230,7 @@ mod tests {
        let client = ModelsClient::new(
            transport,
            provider("https://example.com/api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let (models, _) = client
@@ -256,7 +257,7 @@ mod tests {
        let client = ModelsClient::new(
            transport,
            provider("https://example.com/api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let (models, etag) = client
--- a/codex-rs/codex-api/src/endpoint/realtime_call.rs
+++ b/codex-rs/codex-api/src/endpoint/realtime_call.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::endpoint::realtime_websocket::RealtimeSessionConfig;
 use crate::endpoint::realtime_websocket::session_update_session_json;
 use crate::endpoint::session::EndpointSession;
@@ -24,8 +24,8 @@ use tracing::trace;
 const MULTIPART_BOUNDARY: &str = "codex-realtime-call-boundary";
 const MULTIPART_CONTENT_TYPE: &str = "multipart/form-data; boundary=codex-realtime-call-boundary";

-pub struct RealtimeCallClient<T: HttpTransport, A: AuthProvider> {
-    session: EndpointSession<T, A>,
+pub struct RealtimeCallClient<T: HttpTransport> {
+    session: EndpointSession<T>,
 }

 /// Answer from creating a WebRTC Realtime call.
@@ -44,8 +44,8 @@ struct BackendRealtimeCallRequest<'a> {
    session: &'a Value,
 }

-impl<T: HttpTransport, A: AuthProvider> RealtimeCallClient<T, A> {
-    pub fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> RealtimeCallClient<T> {
+    pub fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            session: EndpointSession::new(transport, provider, auth),
        }
@@ -221,6 +221,7 @@ fn decode_call_id_from_location(headers: &HeaderMap) -> Result<String, ApiError>
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::auth::AuthProvider;
    use crate::endpoint::realtime_websocket::RealtimeEventParser;
    use crate::endpoint::realtime_websocket::RealtimeOutputModality;
    use crate::endpoint::realtime_websocket::RealtimeSessionMode;
@@ -327,7 +328,7 @@ mod tests {
        let client = RealtimeCallClient::new(
            transport.clone(),
            provider("https://api.openai.com/v1"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let response = client
@@ -370,7 +371,7 @@ mod tests {
        let client = RealtimeCallClient::new(
            transport.clone(),
            provider("https://chatgpt.com/backend-api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let response = client
@@ -404,7 +405,7 @@ mod tests {
        let client = RealtimeCallClient::new(
            transport.clone(),
            provider("https://api.openai.com/v1"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let response = client
@@ -466,7 +467,7 @@ mod tests {
        let client = RealtimeCallClient::new(
            transport.clone(),
            provider("https://chatgpt.com/backend-api/codex"),
-            DummyAuth,
+            Arc::new(DummyAuth),
        );

        let response = client
@@ -512,8 +513,11 @@ mod tests {
    #[tokio::test]
    async fn errors_when_location_is_missing() {
        let transport = CapturingTransport::without_location();
-        let client =
-            RealtimeCallClient::new(transport, provider("https://api.openai.com/v1"), DummyAuth);
+        let client = RealtimeCallClient::new(
+            transport,
+            provider("https://api.openai.com/v1"),
+            Arc::new(DummyAuth),
+        );

        let err = client
            .create("v=offer\r\n".to_string())
--- a/codex-rs/codex-api/src/endpoint/responses.rs
+++ b/codex-rs/codex-api/src/endpoint/responses.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::common::ResponseStream;
 use crate::common::ResponsesApiRequest;
 use crate::endpoint::session::EndpointSession;
@@ -23,8 +23,8 @@ use std::sync::Arc;
 use std::sync::OnceLock;
 use tracing::instrument;

-pub struct ResponsesClient<T: HttpTransport, A: AuthProvider> {
-    session: EndpointSession<T, A>,
+pub struct ResponsesClient<T: HttpTransport> {
+    session: EndpointSession<T>,
    sse_telemetry: Option<Arc<dyn SseTelemetry>>,
 }

@@ -37,8 +37,8 @@ pub struct ResponsesOptions {
    pub turn_state: Option<Arc<OnceLock<String>>>,
 }

-impl<T: HttpTransport, A: AuthProvider> ResponsesClient<T, A> {
-    pub fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> ResponsesClient<T> {
+    pub fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            session: EndpointSession::new(transport, provider, auth),
            sse_telemetry: None,
--- a/codex-rs/codex-api/src/endpoint/responses_websocket.rs
+++ b/codex-rs/codex-api/src/endpoint/responses_websocket.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::common::ResponseEvent;
 use crate::common::ResponseStream;
 use crate::common::ResponsesWsRequest;
@@ -279,13 +279,13 @@ impl ResponsesWebsocketConnection {
    }
 }

-pub struct ResponsesWebsocketClient<A: AuthProvider> {
+pub struct ResponsesWebsocketClient {
    provider: Provider,
-    auth: A,
+    auth: SharedAuthProvider,
 }

-impl<A: AuthProvider> ResponsesWebsocketClient<A> {
-    pub fn new(provider: Provider, auth: A) -> Self {
+impl ResponsesWebsocketClient {
+    pub fn new(provider: Provider, auth: SharedAuthProvider) -> Self {
        Self { provider, auth }
    }

--- a/codex-rs/codex-api/src/endpoint/session.rs
+++ b/codex-rs/codex-api/src/endpoint/session.rs
@@ -1,4 +1,4 @@
-use crate::auth::AuthProvider;
+use crate::auth::SharedAuthProvider;
 use crate::error::ApiError;
 use crate::provider::Provider;
 use crate::telemetry::run_with_request_telemetry;
@@ -14,15 +14,15 @@ use serde_json::Value;
 use std::sync::Arc;
 use tracing::instrument;

-pub(crate) struct EndpointSession<T: HttpTransport, A: AuthProvider> {
+pub(crate) struct EndpointSession<T: HttpTransport> {
    transport: T,
    provider: Provider,
-    auth: A,
+    auth: SharedAuthProvider,
    request_telemetry: Option<Arc<dyn RequestTelemetry>>,
 }

-impl<T: HttpTransport, A: AuthProvider> EndpointSession<T, A> {
-    pub(crate) fn new(transport: T, provider: Provider, auth: A) -> Self {
+impl<T: HttpTransport> EndpointSession<T> {
+    pub(crate) fn new(transport: T, provider: Provider, auth: SharedAuthProvider) -> Self {
        Self {
            transport,
            provider,
--- a/codex-rs/codex-api/src/files.rs
+++ b/codex-rs/codex-api/src/files.rs
@@ -96,7 +96,7 @@ pub fn openai_file_uri(file_id: &str) -> String {

 pub async fn upload_local_file(
    base_url: &str,
-    auth: &impl AuthProvider,
+    auth: &dyn AuthProvider,
    path: &Path,
 ) -> Result<UploadedOpenAiFile, OpenAiFileError> {
    let metadata = tokio::fs::metadata(path)
@@ -252,7 +252,7 @@ pub async fn upload_local_file(
 }

 fn authorized_request(
-    auth: &impl AuthProvider,
+    auth: &dyn AuthProvider,
    method: reqwest::Method,
    url: &str,
 ) -> reqwest::RequestBuilder {
@@ -276,8 +276,8 @@ fn build_reqwest_client() -> reqwest::Client {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use crate::CoreAuthProvider;
    use pretty_assertions::assert_eq;
+    use reqwest::header::HeaderValue;
    use std::sync::Arc;
    use std::sync::atomic::AtomicUsize;
    use std::sync::atomic::Ordering;
@@ -291,8 +291,21 @@ mod tests {
    use wiremock::matchers::method;
    use wiremock::matchers::path;

-    fn chatgpt_auth() -> CoreAuthProvider {
-        CoreAuthProvider::for_test(Some("token"), Some("account_id"))
+    #[derive(Clone, Copy)]
+    struct ChatGptTestAuth;
+
+    impl AuthProvider for ChatGptTestAuth {
+        fn add_auth_headers(&self, headers: &mut reqwest::header::HeaderMap) {
+            headers.insert(
+                reqwest::header::AUTHORIZATION,
+                HeaderValue::from_static("Bearer token"),
+            );
+            headers.insert("ChatGPT-Account-ID", HeaderValue::from_static("account_id"));
+        }
+    }
+
+    fn chatgpt_auth() -> ChatGptTestAuth {
+        ChatGptTestAuth
    }

    fn base_url_for(server: &MockServer) -> String {
--- a/codex-rs/codex-api/src/lib.rs
+++ b/codex-rs/codex-api/src/lib.rs
@@ -15,9 +15,11 @@ pub use codex_client::RequestTelemetry;
 pub use codex_client::ReqwestTransport;
 pub use codex_client::TransportError;

-pub use crate::api_bridge::CoreAuthProvider;
 pub use crate::api_bridge::map_api_error;
+pub use crate::auth::AuthHeaderTelemetry;
 pub use crate::auth::AuthProvider;
+pub use crate::auth::SharedAuthProvider;
+pub use crate::auth::auth_header_telemetry;
 pub use crate::common::CompactionInput;
 pub use crate::common::MemorySummarizeInput;
 pub use crate::common::MemorySummarizeOutput;