feat: render agentrun codex config from yaml

This commit is contained in:
Codex
2026-07-09 08:58:34 +02:00
parent 3c9227c1ce
commit b9bc21d847
6 changed files with 220 additions and 11 deletions
@@ -46,7 +46,7 @@ JD01 v0.2 的 runtime boot repoURL、Argo repoURL 和 CI git read URL 必须使
Runner egress proxy、持久化、idle timeout 和 retention 只从 `config/agentrun.yaml``deployment.runner.*` 进入部署。验收不能只看 manager Deployment/Pod env;必须用 HWLAB/AgentRun 原入口创建新 turn 或 runner Job,并检查新 runner Job env、session PVC、`AGENTRUN_SOURCE_COMMIT` 和 trace/result 是否复用同一 run 且没有 `reuse-blocked`
Provider credential 的 `config.toml` 变更同样走 YAML `sourceRef``secret-sync``restart`lane config 只声明该 lane 需要的 Codex CLI runtime options。不要复制指挥机全局 `~/.codex/config.toml` 作为长期事实。
Provider credential 的 `config.toml` 变更同样走 YAML `sourceRef``secret-sync``restart`lane config 只声明该 lane 需要的 Codex CLI runtime options。模型、provider 和 endpoint 需要由 lane YAML 拥有时,使用 `sourceMode: codex-config``codexConfig` 渲染 Secret 中的 `config.toml`;不要修改或复制指挥机全局 `~/.codex/config.toml` 作为长期事实。
## AgentRun v0.1 Compatibility
+42
View File
@@ -1006,6 +1006,48 @@ controlPlane:
key: config.toml
providerCredential:
profile: codex
- id: provider-gpt-pika-auth-json
sourceMode: file
sourceRef: /root/.codex/auth.json
targetRef:
namespace: agentrun-v02
name: agentrun-v02-provider-gpt-pika
key: auth.json
providerCredential:
profile: gpt.pika
- id: provider-gpt-pika-config
sourceMode: codex-config
sourceRef: config/agentrun.yaml#controlPlane.lanes.nc01-v02.secrets.provider-gpt-pika-config.codexConfig
codexConfig:
modelProvider: OpenAI
model: gpt-5.4-mini
reviewModel: gpt-5.4-mini
modelReasoningEffort: xhigh
disableResponseStorage: true
networkAccess: enabled
windowsWslSetupAcknowledged: true
serviceTier: fast
modelProviders:
OpenAI:
name: OpenAI
baseUrl: https://api.pikapython.com/
wireApi: responses
requiresOpenaiAuth: true
features:
goals: true
projects:
/root:
trustLevel: trusted
/root/unidesk:
trustLevel: trusted
tuiModelAvailabilityNux:
gpt-5.4-mini: 4
targetRef:
namespace: agentrun-v02
name: agentrun-v02-provider-gpt-pika
key: config.toml
providerCredential:
profile: gpt.pika
- extends: controlPlane.templates.secrets.githubPrRawToken
- extends: controlPlane.templates.secrets.unideskSshToken
extends: controlPlane.templates.agentrunV02Lane
+1 -1
View File
@@ -964,7 +964,7 @@ lanes:
secretNamespace: agentrun-v02
repoUrlFrom: runtimeGitReadUrl
providerIdFrom: runtimeNodeId
defaultProviderProfile: fake-echo
defaultProviderProfile: gpt.pika
codexStdioSupervisor: repo-owned
publicExposure:
extends: templates.hwlabV03.publicExposurePk01
+1 -1
View File
@@ -108,7 +108,7 @@ AgentRun YAML-only lane 发布收口必须以当前 k8s git-mirror snapshot tip
YAML-only lane 的 `trigger-current` 会先确保目标 branch 已同步到 k8s git-mirror snapshot,再从 UniDesk YAML 声明的 image build、GitOps branch/path、runtime namespace、Secret、数据库和 manager env 渲染 artifact catalog 与 GitOps desired state。该路径会删除新 lane source branch 中的 `deploy/deploy.json`,因为部署真相已经迁入 UniDesk YAML;旧 `v0.1` branch 中历史文件只作为迁移前遗留产物存在,不能作为新 lane 的事实来源。Secret export 格式或外部数据库连接参数变化时,先用 `platform-db postgres export-secrets --confirm` 物化本地 Secret source,再用 `agentrun control-plane secret-sync --node <node> --lane <lane> --confirm` 下发,最后用 `agentrun control-plane restart --node <node> --lane <lane> --confirm` 让 manager Deployment 通过 rollout 读取新 Secret;不要手工删除 Pod 或直接 patch Secret。
Provider credential Secret 的 `auth.json``config.toml` 也必须按 lane 的 YAML `sourceRef` 下发,不能把指挥机全局 Codex 配置当成所有 lane 的运行真相。HWLAB 通过 D601 `agentrun-v02` 使用 Codex profile 时,`config.toml` 应只携带该 lane 需要的 Codex CLI runtime options,例如 model、reasoning、context window、auto compact、storage 和 network 相关键;除非对应 `auth.json` / API key source 也由同一 lane 明确拥有并已验证,否则不要在 lane config 中覆盖 provider endpoint、`base_url``model_provider` 或其他 endpoint 绑定。常见回归有两类:同步到 runner 的 config 缺少 `model_context_window` / `model_auto_compact_token_limit`,导致多轮 tool/webSearch 后报 context-window failure;或者为了补参数误加不匹配的 provider endpoint,导致 provider auth failure。修复必须走 `agentrun control-plane secret-sync --node <node> --lane <lane>` 的 dry-run/confirm,再用 `restart` 生效,并通过 HWLAB `hwlab-cli client agent send|trace|result` 原入口验证;不要从 Kubernetes Secret 反解配置内容或在 issue/trace 中打印 payload。
Provider credential Secret 的 `auth.json``config.toml` 也必须按 lane 的 YAML `sourceRef` 下发,不能把指挥机全局 Codex 配置当成所有 lane 的运行真相。lane 的模型、provider、endpoint 和 Codex runtime options 需要由 UniDesk YAML 拥有时,使用 `sourceMode: codex-config` 和同一 Secret spec 下的 `codexConfig` 渲染 `config.toml`;不要通过修改 `/root/.codex/config.toml``~/.codex/config.toml` 来改变 HWLAB/AgentRun 运行面模型。HWLAB 通过 D601/NC01 `agentrun-v02` 使用 Codex profile 时,`config.toml` 应只携带该 lane 需要的 Codex CLI runtime options,例如 model、reasoning、context window、auto compact、storage 和 network 相关键;除非对应 `auth.json` / API key source 也由同一 lane 明确拥有并已验证,否则不要在 lane config 中覆盖 provider endpoint、`base_url``model_provider` 或其他 endpoint 绑定。常见回归有两类:同步到 runner 的 config 缺少 `model_context_window` / `model_auto_compact_token_limit`,导致多轮 tool/webSearch 后报 context-window failure;或者为了补参数误加不匹配的 provider endpoint,导致 provider auth failure。修复必须走 `agentrun control-plane secret-sync --node <node> --lane <lane>` 的 dry-run/confirm,再用 `restart` 生效,并通过 HWLAB `hwlab-cli client agent send|trace|result` 原入口验证;不要从 Kubernetes Secret 反解配置内容或在 issue/trace 中打印 payload。
AgentRun resource/session client policy 也由 `config/agentrun.yaml` 声明。`client.sessionPolicy` 是未显式选择 node/lane 时 `agentrun send session/...` 和相关 session payload 生成的默认 `tenantId``projectId``providerId``backendProfile``workspaceRef` 和 execution policy 来源;显式 `--node <node> --lane <lane>` 后,`explain session-policy``send session`、resource primitives 和 AipodSpec render 都必须改用目标 lane 的 YAML 事实。lane `secrets[].providerCredential.profile` 声明 provider credential Secret 归属,UniDesk CLI 只按 YAML 聚合 Secret name/key,不再用代码拼接 provider Secret 名称。只读入口 `bun scripts/cli.ts agentrun explain session-policy` 用于查看选中目标 lane、policy 来源、实际 executionPolicy payload 和 provider credential binding 来源;输出只能包含 Secret metadata、key 名和 `valuesPrinted=false`,不得打印 Secret value。
+112 -3
View File
@@ -47,13 +47,42 @@ export interface AgentRunSecretRef {
export interface AgentRunLaneSecretSpec {
readonly id: string;
readonly sourceRef: string;
readonly sourceMode: "env" | "file";
readonly sourceMode: "env" | "file" | "codex-config";
readonly sourceKey: string | null;
readonly sourceFormat: "env" | "raw-token" | null;
readonly codexConfig: AgentRunCodexConfigSpec | null;
readonly targetRef: AgentRunSecretRef;
readonly providerCredentialProfile: string | null;
}
export interface AgentRunCodexConfigSpec {
readonly modelProvider: string;
readonly model: string;
readonly reviewModel: string | null;
readonly modelReasoningEffort: string | null;
readonly disableResponseStorage: boolean | null;
readonly networkAccess: string | null;
readonly windowsWslSetupAcknowledged: boolean | null;
readonly serviceTier: string | null;
readonly modelProviders: readonly AgentRunCodexModelProviderSpec[];
readonly features: Readonly<Record<string, boolean>>;
readonly projects: readonly AgentRunCodexProjectSpec[];
readonly tuiModelAvailabilityNux: Readonly<Record<string, number>>;
}
export interface AgentRunCodexModelProviderSpec {
readonly id: string;
readonly name: string;
readonly baseUrl: string;
readonly wireApi: string;
readonly requiresOpenaiAuth: boolean | null;
}
export interface AgentRunCodexProjectSpec {
readonly path: string;
readonly trustLevel: string;
}
export interface AgentRunProviderCredentialRef {
readonly profile: string;
readonly secretRef: {
@@ -406,12 +435,22 @@ export function agentRunLaneSummary(spec: AgentRunLaneSpec): Record<string, unkn
},
secrets: spec.secrets.map((secret) => ({
id: secret.id,
sourceRef: secret.sourceRef.startsWith("/") ? secret.sourceRef : `.state/secrets/${secret.sourceRef}`,
sourceRef: secret.sourceMode === "codex-config" ? secret.sourceRef : secret.sourceRef.startsWith("/") ? secret.sourceRef : `.state/secrets/${secret.sourceRef}`,
sourceMode: secret.sourceMode,
sourceKey: secret.sourceKey,
sourceFormat: secret.sourceFormat,
targetRef: secret.targetRef,
providerCredential: secret.providerCredentialProfile === null ? null : { profile: secret.providerCredentialProfile },
codexConfig: secret.codexConfig === null ? null : {
modelProvider: secret.codexConfig.modelProvider,
model: secret.codexConfig.model,
reviewModel: secret.codexConfig.reviewModel,
modelReasoningEffort: secret.codexConfig.modelReasoningEffort,
networkAccess: secret.codexConfig.networkAccess,
serviceTier: secret.codexConfig.serviceTier,
modelProviderCount: secret.codexConfig.modelProviders.length,
projectCount: secret.codexConfig.projects.length,
},
valuesPrinted: false,
})),
providerCredentials: agentRunProviderCredentialRefs(spec).map((credential) => ({
@@ -831,12 +870,14 @@ function parseImageBuild(input: Record<string, unknown>, path: string): AgentRun
function parseLaneSecret(input: Record<string, unknown>, path: string): AgentRunLaneSecretSpec {
const sourceMode = optionalStringField(input, "sourceMode", path) ?? "env";
if (sourceMode !== "env" && sourceMode !== "file") throw new Error(`${path}.sourceMode must be env or file`);
if (sourceMode !== "env" && sourceMode !== "file" && sourceMode !== "codex-config") throw new Error(`${path}.sourceMode must be env, file, or codex-config`);
const sourceKey = optionalStringField(input, "sourceKey", path) ?? null;
if (sourceMode === "env" && sourceKey === null) throw new Error(`${path}.sourceKey is required when sourceMode is env`);
const sourceFormat = optionalStringField(input, "sourceFormat", path) ?? null;
if (sourceFormat !== null && sourceFormat !== "env" && sourceFormat !== "raw-token") throw new Error(`${path}.sourceFormat must be env or raw-token`);
if (sourceFormat === "raw-token" && sourceMode !== "env") throw new Error(`${path}.sourceFormat raw-token requires sourceMode env`);
if (sourceMode === "codex-config" && sourceKey !== null) throw new Error(`${path}.sourceKey is not supported when sourceMode is codex-config`);
if (sourceMode === "codex-config" && sourceFormat !== null) throw new Error(`${path}.sourceFormat is not supported when sourceMode is codex-config`);
const providerCredential = parseProviderCredentialBinding(input, `${path}.providerCredential`);
return {
id: stringField(input, "id", path),
@@ -844,11 +885,79 @@ function parseLaneSecret(input: Record<string, unknown>, path: string): AgentRun
sourceMode,
sourceKey,
sourceFormat,
codexConfig: sourceMode === "codex-config" ? parseCodexConfig(recordField(input, "codexConfig", path), `${path}.codexConfig`) : null,
targetRef: parseNamespacedSecretRef(recordField(input, "targetRef", path), `${path}.targetRef`),
providerCredentialProfile: providerCredential,
};
}
function parseCodexConfig(input: Record<string, unknown>, path: string): AgentRunCodexConfigSpec {
const providersRaw = recordField(input, "modelProviders", path);
const modelProviders = Object.entries(providersRaw).map(([id, raw]) => {
validateSimpleId(id, `${path}.modelProviders`);
const provider = asRecord(raw, `${path}.modelProviders.${id}`);
return {
id,
name: stringField(provider, "name", `${path}.modelProviders.${id}`),
baseUrl: stringField(provider, "baseUrl", `${path}.modelProviders.${id}`),
wireApi: stringField(provider, "wireApi", `${path}.modelProviders.${id}`),
requiresOpenaiAuth: optionalBooleanField(provider, "requiresOpenaiAuth", `${path}.modelProviders.${id}`),
};
});
if (modelProviders.length === 0) throw new Error(`${path}.modelProviders must not be empty`);
const features = booleanRecord(input.features, `${path}.features`);
const projectsRaw = input.projects === undefined || input.projects === null ? {} : asRecord(input.projects, `${path}.projects`);
const projects = Object.entries(projectsRaw).map(([projectPath, raw]) => {
const project = asRecord(raw, `${path}.projects.${projectPath}`);
return { path: projectPath, trustLevel: stringField(project, "trustLevel", `${path}.projects.${projectPath}`) };
});
const tuiModelAvailabilityNux = integerRecord(input.tuiModelAvailabilityNux, `${path}.tuiModelAvailabilityNux`);
return {
modelProvider: stringField(input, "modelProvider", path),
model: stringField(input, "model", path),
reviewModel: optionalStringField(input, "reviewModel", path) ?? null,
modelReasoningEffort: optionalStringField(input, "modelReasoningEffort", path) ?? null,
disableResponseStorage: optionalBooleanField(input, "disableResponseStorage", path),
networkAccess: optionalStringField(input, "networkAccess", path) ?? null,
windowsWslSetupAcknowledged: optionalBooleanField(input, "windowsWslSetupAcknowledged", path),
serviceTier: optionalStringField(input, "serviceTier", path) ?? null,
modelProviders,
features,
projects,
tuiModelAvailabilityNux,
};
}
function optionalBooleanField(obj: Record<string, unknown>, key: string, path: string): boolean | null {
const value = obj[key];
if (value === undefined || value === null) return null;
if (typeof value !== "boolean") throw new Error(`${path}.${key} must be a boolean when set`);
return value;
}
function booleanRecord(value: unknown, path: string): Readonly<Record<string, boolean>> {
if (value === undefined || value === null) return {};
const raw = asRecord(value, path);
const result: Record<string, boolean> = {};
for (const [key, item] of Object.entries(raw)) {
validateSimpleId(key, path);
if (typeof item !== "boolean") throw new Error(`${path}.${key} must be a boolean`);
result[key] = item;
}
return result;
}
function integerRecord(value: unknown, path: string): Readonly<Record<string, number>> {
if (value === undefined || value === null) return {};
const raw = asRecord(value, path);
const result: Record<string, number> = {};
for (const [key, item] of Object.entries(raw)) {
if (!Number.isInteger(item)) throw new Error(`${path}.${key} must be an integer`);
result[key] = item;
}
return result;
}
function parseProviderCredentialBinding(input: Record<string, unknown>, path: string): string | null {
const value = input.providerCredential;
if (value === undefined || value === null) return null;
+63 -5
View File
@@ -21,6 +21,7 @@ import {
agentRunSourceSnapshotRef,
agentRunSourceSnapshotStageRefPrefix,
resolveAgentRunLaneTarget,
type AgentRunCodexConfigSpec,
type AgentRunCancelLifecycleSpec,
type AgentRunLaneSpec,
} from "../agentrun-lanes";
@@ -705,9 +706,10 @@ export function yamlLaneGitMirrorStatusScript(spec: AgentRunLaneSpec): string {
export type LaneSecretSource = {
id: string;
sourceRef: string;
sourceMode: "env" | "file";
sourceMode: "env" | "file" | "codex-config";
sourceKey: string | null;
sourceFormat?: "env" | "raw-token" | null;
codexConfig?: AgentRunCodexConfigSpec | null;
targetRef: { namespace: string; name: string; key: string };
transform?: "local-postgres-database" | "local-postgres-user" | "local-postgres-database-url";
};
@@ -715,14 +717,19 @@ export type LaneSecretSource = {
export function readSecretSourceValue(spec: AgentRunLaneSpec, source: LaneSecretSource): { redactedPath: string; value: string; valueBytes: number; fingerprint: string } {
const { sourceRef } = source;
if (sourceRef.includes("..")) throw new Error(`secret sourceRef must not contain ..: ${sourceRef}`);
const sourcePath = sourceRef.startsWith("/")
const sourcePath = source.sourceMode === "codex-config" ? null : sourceRef.startsWith("/")
? sourceRef
: join(resolveSecretSourceRoot(spec), ...sourceRef.split("/"));
if (!existsSync(sourcePath)) throw new Error(`secret source ${sourceRef} is missing`);
if (sourcePath !== null && !existsSync(sourcePath)) throw new Error(`secret source ${sourceRef} is missing`);
let value: string;
if (source.sourceMode === "file") {
if (source.sourceMode === "codex-config") {
if (source.codexConfig === undefined || source.codexConfig === null) throw new Error(`secret source ${sourceRef} is missing codexConfig`);
value = renderCodexConfigToml(source.codexConfig);
} else if (source.sourceMode === "file") {
if (sourcePath === null) throw new Error(`secret source ${sourceRef} has no source path`);
value = readFileSync(sourcePath, "utf8");
} else {
if (sourcePath === null) throw new Error(`secret source ${sourceRef} has no source path`);
if (source.sourceKey === null) throw new Error(`secret source ${sourceRef} is missing sourceKey`);
const text = readFileSync(sourcePath, "utf8");
const envValue = source.sourceFormat === "raw-token" ? text.trim() : parseEnvFile(text).get(source.sourceKey);
@@ -732,13 +739,63 @@ export function readSecretSourceValue(spec: AgentRunLaneSpec, source: LaneSecret
if (value.length === 0) throw new Error(`secret source ${sourceRef} is empty`);
value = transformSecretSourceValue(spec, source, value);
return {
redactedPath: sourceRef.startsWith("/") ? redactAbsoluteSecretPath(sourceRef) : `.state/secrets/${sourceRef}`,
redactedPath: source.sourceMode === "codex-config" ? sourceRef : sourceRef.startsWith("/") ? redactAbsoluteSecretPath(sourceRef) : `.state/secrets/${sourceRef}`,
value,
valueBytes: Buffer.byteLength(value, "utf8"),
fingerprint: sha256Fingerprint(value),
};
}
function renderCodexConfigToml(config: AgentRunCodexConfigSpec): string {
const lines = [
`model_provider = ${tomlString(config.modelProvider)}`,
`model = ${tomlString(config.model)}`,
...(config.reviewModel === null ? [] : [`review_model = ${tomlString(config.reviewModel)}`]),
...(config.modelReasoningEffort === null ? [] : [`model_reasoning_effort = ${tomlString(config.modelReasoningEffort)}`]),
...(config.disableResponseStorage === null ? [] : [`disable_response_storage = ${tomlBoolean(config.disableResponseStorage)}`]),
...(config.networkAccess === null ? [] : [`network_access = ${tomlString(config.networkAccess)}`]),
...(config.windowsWslSetupAcknowledged === null ? [] : [`windows_wsl_setup_acknowledged = ${tomlBoolean(config.windowsWslSetupAcknowledged)}`]),
...(config.serviceTier === null ? [] : [`service_tier = ${tomlString(config.serviceTier)}`]),
"",
];
for (const provider of config.modelProviders) {
lines.push(
`[model_providers.${tomlKeySegment(provider.id)}]`,
`name = ${tomlString(provider.name)}`,
`base_url = ${tomlString(provider.baseUrl)}`,
`wire_api = ${tomlString(provider.wireApi)}`,
...(provider.requiresOpenaiAuth === null ? [] : [`requires_openai_auth = ${tomlBoolean(provider.requiresOpenaiAuth)}`]),
"",
);
}
if (Object.keys(config.features).length > 0) {
lines.push("[features]");
for (const [key, value] of Object.entries(config.features)) lines.push(`${tomlKeySegment(key)} = ${tomlBoolean(value)}`);
lines.push("");
}
for (const project of config.projects) {
lines.push(`[projects.${tomlKeySegment(project.path)}]`, `trust_level = ${tomlString(project.trustLevel)}`, "");
}
if (Object.keys(config.tuiModelAvailabilityNux).length > 0) {
lines.push("[tui.model_availability_nux]");
for (const [key, value] of Object.entries(config.tuiModelAvailabilityNux)) lines.push(`${tomlKeySegment(key)} = ${value}`);
lines.push("");
}
return `${lines.join("\n").trimEnd()}\n`;
}
function tomlString(value: string): string {
return JSON.stringify(value);
}
function tomlBoolean(value: boolean): string {
return value ? "true" : "false";
}
function tomlKeySegment(value: string): string {
return /^[A-Za-z0-9_-]+$/u.test(value) ? value : tomlString(value);
}
function transformSecretSourceValue(spec: AgentRunLaneSpec, source: LaneSecretSource, rawValue: string): string {
if (source.transform === undefined) return rawValue;
const localPostgres = spec.deployment.localPostgres;
@@ -843,6 +900,7 @@ export function collectLaneSecretSources(spec: AgentRunLaneSpec): LaneSecretSour
sourceMode: secret.sourceMode,
sourceKey: secret.sourceKey,
sourceFormat: secret.sourceFormat,
codexConfig: secret.codexConfig,
targetRef: secret.targetRef,
});
}