feat: proxy claude api calls to secure auth token

[Claude]

• Update OPENAI_BASE_URL in docker-manager.ts to include /v1 path (http://172.30.0.30:10000/v1)
• Update documentation in types.ts to reflect the /v1 path
• Build and verify no compilation errors

[lpcox]

@claude[agent] the codex agent also supports api proxying through the OPENAI_BASE_URL environment variable. Using the same architecture used to secure claude, implement api-proxying for codex via the OPENAI_BASE_URL

[Claude]

@claude[agent] the codex agent also supports api proxying through the OPENAI_BASE_URL environment variable. Using the same architecture used to secure claude, implement api-proxying for codex via the...

Done! The documentation now clearly shows that Codex (OpenAI) uses the identical credential isolation architecture as Claude.

Key updates in commit 0f73e98:

Architecture confirmation:

• OpenAI API key held exclusively in api-proxy container (port 10000)
• Agent receives only OPENAI_BASE_URL=http://172.30.0.30:10000
• API proxy injects Authorization: Bearer $OPENAI_API_KEY
• Routes through Squid for domain filtering (same as Claude)

Documentation enhancements:

• Added callout box emphasizing both providers use identical architecture
• Side-by-side code examples (Anthropic SDK vs OpenAI SDK)
• Parallel traffic flow diagrams for both providers
• Separate configuration examples for Claude, Codex, and both together

The implementation already existed—the doc now gives equal treatment to both providers.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

Smoke test complete - GitHub MCP, file writing, and bash tools validated. Playwright blocked by network restrictions (expected in firewall environment). Results posted to PR #849.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🧪 Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	✅ PASS
hono	✅	1/1	✅ PASS

Overall: ✅ PASS

All Bun projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Bun

[github-actions]

Smoke Test Results (Claude Engine)

Last 2 Merged PRs:

• feat: kong proxy for codex
• feat(ci): add api-proxy image to release pipeline

Test Results:

• ✅ GitHub MCP (list PRs)
• ❌ Playwright (browser download blocked by firewall)
• ✅ File Writing (/tmp/gh-aw/agent/smoke-test-claude-22018519698.txt)
• ✅ Bash Tool (verified file contents)

Status: PARTIAL PASS (3/4 tests passed, Playwright blocked by network restrictions)

AI generated by Smoke Claude

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	✅ PASS
execa	✅	PASS	✅ PASS
p-limit	✅	PASS	✅ PASS

Overall: ✅ PASS

All Node.js projects installed and tested successfully.

AI generated by Build Test Node.js

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects built and tested successfully.

AI generated by Build Test Go

[github-actions]

Chroot Mode Version Test Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.12	3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ Tests FAILED - Not all runtimes matched between host and chroot environments.

The chroot mode successfully accessed Go from the host, but Python and Node.js versions differ between the host and chroot environments.

AI generated by Smoke Chroot

[Claude]

@claude[agent] please do not set OPENA_BASE_URL for the codex agent for now. we will renable it at a future time

Fixed in ee0424b. OPENAI_BASE_URL is now disabled for Codex agents. The change is temporary and can be re-enabled in the future by uncommenting lines 1012-1016 in src/docker-manager.ts.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	82.82%	82.83%	📈 +0.01%
Statements	82.81%	82.74%	📉 -0.07%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.87%	74.88%	➡️ +0.01%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.7% → 84.6% (-0.09%)	84.1% → 83.8% (-0.36%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects tested successfully.

AI generated by Build Test Go

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS ✅

All Bun projects built and tested successfully.

AI generated by Build Test Bun

[github-actions]

Build Test: Node.js - Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js projects built and tested successfully.

AI generated by Build Test Node.js

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built successfully and passed their test suites.

AI generated by Build Test Rust

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

.NET Build Test Results ✅

All .NET projects successfully restored, built, and ran.

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Details

hello-world:

• Restored in 89 ms
• Build succeeded with 0 warnings/errors
• Output: Hello, World!

json-parse:

• Restored in 849 ms (NuGet package downloaded)
• Build succeeded with 0 warnings/errors
• Output: Successfully parsed JSON and displayed structured data

AI generated by Build Test .NET

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• fix: use 0o666 mode for ~/.claude.json to fix permissions #852: fix: use 0o666 mode for ~/.claude.json to fix permissions
• fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation #851: fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation

Test Results:

• ✅ GitHub MCP (reviewed PRs)
• ❌ Playwright (firewall blocked azureedge.net domains)
• ✅ File Write (smoke-test-copilot-22023872982.txt)
• ✅ Bash Commands (file verified)

Status: FAIL (Playwright blocked)

cc: @lpcox @Claude

AI generated by Smoke Copilot

[github-actions]

✅ Java Build Test Results

All Java projects compiled and tested successfully through the AWF firewall.

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS

Both projects successfully downloaded dependencies through the Squid proxy (172.30.0.10:3128) and passed all tests.

AI generated by Build Test Java

[github-actions]

Smoke Test Results for Claude Engine

Last 2 Merged PRs:

• fix: use 0o666 mode for ~/.claude.json to fix permissions #852: fix: use 0o666 mode for ~/.claude.json to fix permissions
• fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation #851: fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation

Test Results:

• ✅ GitHub MCP: Retrieved PR data
• ✅ Playwright: GitHub page title verified
• ✅ File Writing: Created test file successfully
• ✅ Bash Tool: File verified with cat

Overall Status: PASS

AI generated by Smoke Claude

[github-actions]

Chroot Version Comparison Results

The chroot mode test compared runtime versions between the host and chroot environment:

Runtime	Host Version	Chroot Version	Match?
Python	3.12.12	3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ Tests did not pass

The version mismatches indicate that the chroot environment is accessing container binaries rather than the host binaries as expected. This suggests that the chroot mode transparent host binary access is not working correctly for Python and Node.js.

AI generated by Smoke Chroot

[github-actions]

PR titles:
fix: use 0o666 mode for ~/.claude.json to fix permissions
fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation
GitHub MCP merged PRs review: ✅
safeinputs-gh PR list: ✅
Playwright title check: ❌ (tool unavailable)
Tavily search: ❌ (tool unavailable)
File write+cat / Discussion comment / Build: ✅
Overall status: FAIL

AI generated by Smoke Codex