Problem
When ENABLE_AGENT_CODEX=true is set, the provisioning script attempts to authenticate Codex CLI via OpenAI's OAuth device flow. In a headless server environment (SSH, no browser), this flow silently fails or hangs because:
- The device flow URL is not printed as a clickable link
- There is no mechanism to provide the auth code non-interactively
- The
CODEX_OPENAI_AUTH_CODE env variable is present in the config but not currently wired up in infra/agents.sh
Expected Behavior
The provisioning script should:
- Print the OAuth device activation URL as a plain clickable link (e.g.
https://auth.openai.com/device?user_code=XXXX-XXXX) so it is visible in the cloud-init log
- Accept a pre-obtained auth code via
CODEX_OPENAI_AUTH_CODE in /etc/dev-server/env to perform authentication non-interactively during provisioning
- Fall back gracefully (warn + skip) if neither an API key nor an auth code is provided, instead of hanging
Steps to Reproduce
- Set
ENABLE_AGENT_CODEX=true and leave OPENAI_API_KEY empty in cloud-init config
- Deploy server — observe that Codex auth hangs or fails silently in
/var/log/dev-server-provision.log
Acceptance Criteria
Notes
- The
CODEX_OPENAI_AUTH_CODE field already exists in the env file template — it just needs to be consumed
- This also affects
ENABLE_AGENT_OPENCODE if it shares the same OAuth flow
Labels: bug, agents, codex
Problem
When
ENABLE_AGENT_CODEX=trueis set, the provisioning script attempts to authenticate Codex CLI via OpenAI's OAuth device flow. In a headless server environment (SSH, no browser), this flow silently fails or hangs because:CODEX_OPENAI_AUTH_CODEenv variable is present in the config but not currently wired up ininfra/agents.shExpected Behavior
The provisioning script should:
https://auth.openai.com/device?user_code=XXXX-XXXX) so it is visible in thecloud-initlogCODEX_OPENAI_AUTH_CODEin/etc/dev-server/envto perform authentication non-interactively during provisioningSteps to Reproduce
ENABLE_AGENT_CODEX=trueand leaveOPENAI_API_KEYempty in cloud-init config/var/log/dev-server-provision.logAcceptance Criteria
infra/agents.sh: ifCODEX_OPENAI_AUTH_CODEis set, pass it tocodex --auth-code(or equivalent) for non-interactive authCODEX_OPENAI_AUTH_CODEis empty andOPENAI_API_KEYis empty, print a clear warning and skip Codex setup (do not fail the whole provisioning)CODEX_OPENAI_AUTH_CODEdocs/oauth-setup.mdNotes
CODEX_OPENAI_AUTH_CODEfield already exists in the env file template — it just needs to be consumedENABLE_AGENT_OPENCODEif it shares the same OAuth flowLabels:
bug,agents,codex