diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3211052baf..fb10aebfa2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Docs: https://docs.openclaw.ai
 - fix: harden safe-bin argument validation [AI]. (#80999) Thanks @pgondhi987.
 - fix: scan plugin runtime entries during install [AI]. (#80998) Thanks @pgondhi987.
+- Codex harness: keep auth-profile-backed media tools such as `image_generate` available when OpenAI auth lives in the agent's auth-profile store instead of environment variables.
 - Require auth for sandbox browser CDP relay [AI]. (#81002) Thanks @pgondhi987.
 - fix: detect carried exec command forms [AI]. (#81000) Thanks @pgondhi987.
 - Reject truncated exec approval commands [AI]. (#81001) Thanks @pgondhi987.
diff --git a/extensions/codex/src/app-server/run-attempt.test.ts b/extensions/codex/src/app-server/run-attempt.test.ts
index d30d9f1ea52..32983a12fee 100644
--- a/extensions/codex/src/app-server/run-attempt.test.ts
+++ b/extensions/codex/src/app-server/run-attempt.test.ts
@@ -691,6 +691,47 @@ describe("runCodexAppServerAttempt", () => { } }); + it("passes auth profiles into Codex dynamic tool construction", async () => { + const sessionFile = path.join(tempDir, "session.jsonl"); + const workspaceDir = path.join(tempDir, "workspace"); + const params = createParams(sessionFile, workspaceDir); + const authProfileStore = { + version: 1, + profiles: { + "openai:api-key-backup": { + provider: "openai", + type: "api_key", + key: "not-a-real-key", + }, + }, + } satisfies EmbeddedRunAttemptParams["authProfileStore"]; + params.disableTools = false; + params.authProfileStore = authProfileStore; + + const factoryOptions: unknown[] = []; + __testing.setOpenClawCodingToolsFactoryForTests((options) => { + factoryOptions.push(options); + return []; + }); + + await __testing.buildDynamicTools({ + params, + resolvedWorkspace: workspaceDir, + effectiveWorkspace: workspaceDir, + sandboxSessionKey: params.sessionKey!, + sandbox: null as never, + runAbortController: new AbortController(), + sessionAgentId: "main", + pluginConfig: {}, + onYieldDetected: () => undefined, + }); + + expect(factoryOptions).toHaveLength(1); + expect(factoryOptions[0]).toMatchObject({ + authProfileStore, + }); + }); + it("normalizes Codex dynamic toolsAllow entries before filtering", () => { const tools = ["exec", "apply_patch", "read", "message"].map((name) => ({ name })); diff --git a/extensions/codex/src/app-server/run-attempt.ts b/extensions/codex/src/app-server/run-attempt.ts index 9ad02c5e04e..19b9810caf2 100644 --- a/extensions/codex/src/app-server/run-attempt.ts +++ b/extensions/codex/src/app-server/run-attempt.ts @@ -2229,6 +2229,7 @@ async function buildDynamicTools(input: DynamicToolBuildParams) { resolvedWorkspace: input.resolvedWorkspace, }), config: params.config, + authProfileStore: params.authProfileStore, abortSignal: input.runAbortController.signal, modelProvider: params.model.provider, modelId: params.modelId, 
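Review bot: The stub installed with `__testing.setOpenClawCodingToolsFactoryForTests((options) => { … })` in the new "passes auth profiles into Codex dynamic tool construction" test is never restored inside the test body, so unless a teardown hook outside this hunk resets it, later tests in the suite would build tools through a factory that always returns `[]`. Restoring the factory in a `finally` around the `buildDynamicTools` call, or confirming that the suite's existing teardown covers it, keeps the test independent of execution order. The fixture also passes `sandbox: null as never` and `params.sessionKey!`, which silence the type checker; a one-line comment stating why a null sandbox is acceptable on this path would make a future failure here easier to read.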
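Review bot: The added `authProfileStore: params.authProfileStore,` in `buildDynamicTools` hands the whole auth-profile store, which per the test fixture holds provider API keys, to the coding-tools factory, and nothing at this call site narrows it to the profiles the media tools need. The factory is outside the hunk, so whether it scopes or copies the store cannot be seen here; if it forwards its options to every tool it constructs, credential material reaches more code than the changelog entry describes. Consider a call-site comment such as `// Credentials: forwarded so auth-profile-backed media tools (e.g. image_generate) can resolve provider auth; must not be logged or echoed in tool output.` and check that these options are not serialized into logs or session transcripts. `buildDynamicTools` starts and ends outside this hunk.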
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f651ae2ff73..421f3c1c642 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -28,7 +28,7 @@ overrides: tar: 7.5.15 tough-cookie: 4.1.3 yauzl: 3.2.1 - protobufjs: 7.5.5 + protobufjs: 7.5.6 uuid: 14.0.0 packageExtensionsChecksum: sha256-oc/FAHkBR844HBfph1RZWyRMHHBpIFya25tyv5SGf6s= @@ -6849,8 +6849,8 @@ packages: property-information@7.1.0: resolution: {integrity: sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==} - protobufjs@7.5.5: - resolution: {integrity: sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==} + protobufjs@7.5.6: + resolution: {integrity: sha512-M71sTMB146U3u0di3yup8iM+zv8yPRNQVr1KK4tyBitl3qFvEGucq/rGDRShD2rsJhtN02RJaJ7j5X5hmy8SJg==} engines: {node: '>=12.0.0'} proxy-addr@2.0.7: @@ -9173,7 +9173,7 @@ snapshots: dependencies: google-auth-library: 10.6.2 p-retry: 4.6.2 - protobufjs: 7.5.5 + protobufjs: 7.5.6 ws: 8.20.0 optionalDependencies: '@modelcontextprotocol/sdk': 1.29.0(zod@4.4.3) @@ -9186,7 +9186,7 @@ snapshots: dependencies: google-auth-library: 10.6.2 p-retry: 4.6.2 - protobufjs: 7.5.5 + protobufjs: 7.5.6 ws: 8.20.0 optionalDependencies: '@modelcontextprotocol/sdk': 1.29.0(zod@4.4.3) @@ -9216,7 +9216,7 @@ snapshots: dependencies: lodash.camelcase: 4.3.0 long: 5.3.2 - protobufjs: 7.5.5 + protobufjs: 7.5.6 yargs: 17.7.2 '@hapi/boom@9.1.4': @@ -9659,7 +9659,7 @@ snapshots: lodash.identity: 3.0.0 lodash.merge: 4.6.2 lodash.pickby: 4.6.0 - protobufjs: 7.5.5 + protobufjs: 7.5.6 qs: 6.14.2 ws: 8.20.0 transitivePeerDependencies: @@ -10193,7 +10193,7 @@ snapshots: '@opentelemetry/sdk-logs': 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1) - protobufjs: 7.5.5 + protobufjs: 7.5.6 '@opentelemetry/propagator-b3@2.7.1(@opentelemetry/api@1.9.1)': dependencies: 
@@ -11300,7 +11300,7 @@ snapshots: '@whiskeysockets/libsignal-node@https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/1c30d7d7e76a3b0aa120b04dc6a26f5a12dccf67': dependencies: curve25519-js: 0.0.4 - protobufjs: 7.5.5 + protobufjs: 7.5.6 '@zed-industries/codex-acp-darwin-arm64@0.14.0': optional: true @@ -11495,7 +11495,7 @@ snapshots: music-metadata: 11.12.3 p-queue: 9.2.0 pino: 9.14.0 - protobufjs: 7.5.5 + protobufjs: 7.5.6 sharp: 0.34.5 whatsapp-rust-bridge: 0.5.3 ws: 8.20.0 @@ -13870,7 +13870,7 @@ snapshots: property-information@7.1.0: {} - protobufjs@7.5.5: + protobufjs@7.5.6: dependencies: '@protobufjs/aspromise': 1.1.2 '@protobufjs/base64': 1.1.2 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index c1deeb71278..96a53913044 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -59,7 +59,7 @@ overrides: tar: 7.5.15 tough-cookie: 4.1.3 yauzl: 3.2.1 - protobufjs: 7.5.5 + protobufjs: 7.5.6 uuid: 14.0.0 allowBuilds: