[codex] Route Fed ChatGPT auth through Fed edge (#17151)

## Summary - parse chatgpt_account_is_fedramp from signed ChatGPT auth metadata - add _account_is_fedramp=true to ChatGPT backend-api requests only for FedRAMP ChatGPT-auth accounts
2026-05-04 13:21:54 +03:00 · 2026-04-16 00:13:15 -07:00
parent 4cd85b28d2
commit f97be7dfff
11 changed files with 103 additions and 0 deletions
--- a/codex-rs/codex-api/src/api_bridge.rs
+++ b/codex-rs/codex-api/src/api_bridge.rs
@@ -179,6 +179,7 @@ struct UsageErrorBody {
 pub struct CoreAuthProvider {
    pub token: Option<String>,
    pub account_id: Option<String>,
+    pub is_fedramp_account: bool,
 }

 impl CoreAuthProvider {
@@ -196,6 +197,7 @@ impl CoreAuthProvider {
        Self {
            token: token.map(str::to_string),
            account_id: account_id.map(str::to_string),
+            is_fedramp_account: false,
        }
    }
 }
@@ -212,5 +214,8 @@ impl ApiAuthProvider for CoreAuthProvider {
        {
            let _ = headers.insert("ChatGPT-Account-ID", header);
        }
+        if self.is_fedramp_account {
+            crate::auth::add_fedramp_routing_header(headers);
+        }
    }
 }
--- a/codex-rs/codex-api/src/api_bridge_tests.rs
+++ b/codex-rs/codex-api/src/api_bridge_tests.rs
@@ -136,6 +136,7 @@ fn core_auth_provider_reports_when_auth_header_will_attach() {
    let auth = CoreAuthProvider {
        token: Some("access-token".to_string()),
        account_id: None,
+        is_fedramp_account: false,
    };

    assert!(auth.auth_header_attached());
@@ -162,3 +163,22 @@ fn core_auth_provider_adds_auth_headers() {
        Some("workspace-123")
    );
 }
+
+#[test]
+fn core_auth_provider_adds_fedramp_routing_header_for_fedramp_accounts() {
+    let auth = CoreAuthProvider {
+        token: Some("access-token".to_string()),
+        account_id: Some("workspace-123".to_string()),
+        is_fedramp_account: true,
+    };
+    let mut headers = HeaderMap::new();
+
+    crate::AuthProvider::add_auth_headers(&auth, &mut headers);
+
+    assert_eq!(
+        headers
+            .get("X-OpenAI-Fedramp")
+            .and_then(|value| value.to_str().ok()),
+        Some("true")
+    );
+}
--- a/codex-rs/codex-api/src/auth.rs
+++ b/codex-rs/codex-api/src/auth.rs
@@ -1,4 +1,5 @@
 use http::HeaderMap;
+use http::HeaderValue;

 /// Adds authentication headers to API requests.
 ///
@@ -8,3 +9,26 @@ use http::HeaderMap;
 pub trait AuthProvider: Send + Sync {
    fn add_auth_headers(&self, headers: &mut HeaderMap);
 }
+
+pub(crate) fn add_fedramp_routing_header(headers: &mut HeaderMap) {
+    headers.insert("X-OpenAI-Fedramp", HeaderValue::from_static("true"));
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn add_fedramp_routing_header_sets_header() {
+        let mut headers = HeaderMap::new();
+
+        add_fedramp_routing_header(&mut headers);
+
+        assert_eq!(
+            headers
+                .get("X-OpenAI-Fedramp")
+                .and_then(|v| v.to_str().ok()),
+            Some("true")
+        );
+    }
+}