fix(agents-login): codex login --device-auth + parse its one-time code#738
Merged
Conversation
…me code Codex sign-in failed instantly with "CLI reported a login failure". The worker spawned `codex login --device`, but Codex 0.141.0 renamed the flag to `--device-auth`; clap rejected the unknown argument and exited 2, and the worker's failure detector matched the "error:" output. Correcting the flag exposed a second mismatch: 0.141 prints "Enter this one-time code (expires in 15 minutes)" with the code on the following line, so the device-code parser — which expected the code immediately after a "device code"/"code:" keyword — never extracted it. The pattern now spans prose and newlines between the keyword and the code, recognises the "one-time code" wording, and uses a digit lookahead so it locks onto the real code rather than surrounding words.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was broken
Codex sign-in on the credentials page failed immediately with "CLI reported a login failure". Worker logs showed the Codex PTY exiting with code 2 ~130 ms after spawn.
Root cause
The worker spawned
codex login --device. Codex0.141.0(the version pinned in the worker image) renamed that flag to--device-auth; clap rejected the unknown argument, printederror: unexpected argument '--device'and exited 2. The worker's failure detector (error:) matched and reported the login failure.Correcting the flag surfaced a second mismatch.
codex login --device-authprints:The keyword ("one-time code") and the code are on separate lines with prose between them. The device-code parser expected the code immediately after a
device code/user code/code:keyword, so it would not have extracted the code even with the right flag — the card would show the verification URL but never the code, and the flow would stall instarting.Fix
codex login --device-auth(verified against@openai/codex@0.141.0login --help).DEVICE_CODE_PATTERNnow recognises the "one-time code" wording, spans prose/newlines between the keyword and the code (bounded), and uses a digit lookahead (hyphen-aware) so it locks onto the real code (8PGY-109RY) rather than nearby words like "expires". The verification-URL pattern already matchedauth.openai.com.Codex device-auth writes
auth.jsonand exits 0 on approval, which the worker's clean-exit path already finalizes.Validation
Captured the real
--device-authoutput from@openai/codex@0.141.0and added a parse test for it; the existingWXYZ-1234/AB12CDdevice-code tests still pass. Worker suite green (92/92), typecheck clean.