codex: expose auth broker pr preflight contract

This commit is contained in:
Codex
2026-05-21 14:04:33 +00:00
parent 7d80e2c259
commit dff355c5a4
6 changed files with 474 additions and 34 deletions
+10
View File
@@ -203,6 +203,10 @@ async function main(): Promise<void> {
assertCondition(noTokenData.failureKind === "auth-missing", "missing token should classify as auth-missing", noTokenData);
assertCondition(noTokenData.degradedReason === "broker-needed", "missing token should classify as broker-needed", noTokenData);
assertCondition(noTokenData.brokerNeeded === true, "missing token should set brokerNeeded", noTokenData);
const noTokenAuthBroker = noTokenData.authBroker as Record<string, unknown>;
assertCondition(noTokenAuthBroker.source === "broker/auth-broker-needed", "missing broker endpoint should expose broker-needed auth source", noTokenAuthBroker);
assertCondition(noTokenAuthBroker.capability === "missing-token", "missing broker endpoint should expose missing-token capability", noTokenAuthBroker);
assertCondition(noTokenAuthBroker.nextAction === "configure-auth-broker", "missing broker endpoint should expose next action", noTokenAuthBroker);
assertCondition(!noToken.stdout.includes("contract-secret-marker"), "missing-token response must not leak secret marker strings", noToken.stdout);
const brokerReady = await runCli([
@@ -225,13 +229,19 @@ async function main(): Promise<void> {
const readyData = dataOf(brokerReady.json ?? {});
const tokenCoverage = readyData.tokenCoverage as Record<string, unknown>;
const brokerCoverage = readyData.brokerCoverage as Record<string, unknown>;
const readyAuthBroker = readyData.authBroker as Record<string, unknown>;
const prCapability = readyData.prCapabilityContract as Record<string, unknown>;
const brokerProxy = prCapability.brokerProxy as Record<string, unknown>;
assertCondition(readyAuthBroker.source === "auth-broker", "ready auth broker source should be auth-broker", readyAuthBroker);
assertCondition(readyAuthBroker.capability === "broker-issued-token", "ready auth broker capability should be broker-issued-token", readyAuthBroker);
assertCondition(readyAuthBroker.nextAction === "use-auth-broker", "ready auth broker next action should use broker", readyAuthBroker);
assertCondition(tokenCoverage.source === "auth-broker", "ready token coverage should come from broker", tokenCoverage);
assertCondition(tokenCoverage.runnerEnvTokenRequired === false, "ready token coverage should not require runner env token", tokenCoverage);
assertCondition(tokenCoverage.valuesPrinted === false, "ready token coverage must not print values", tokenCoverage);
assertCondition(String(brokerCoverage.endpoint).includes("http://***:***@127.0.0.1:4291/?..."), "endpoint should be sanitized", brokerCoverage);
assertCondition(prCapability.targetBranch === "master", "P0 capability should preserve target branch", prCapability);
assertCondition(prCapability.authSource === "broker-issued-token", "P0 capability should expose broker-issued-token auth source", prCapability);
assertCondition(prCapability.realPrCreateRequiresCommanderAuthorization === true, "real PR create should require commander authorization", prCapability);
assertCondition(prCapability.preflightCreatesPr === false && prCapability.preflightMergesPr === false, "P0 PR preflight must not write or merge", prCapability);
assertCondition(brokerProxy.writesRemote === false, "P0 broker proxy should not write remote", brokerProxy);
assertCondition(Array.isArray(brokerProxy.operations) && brokerProxy.operations.includes("github.pr.create"), "P0 broker proxy should include PR create dry-run operation", brokerProxy);