Skip to content

[codex] Support multiple forced ChatGPT workspaces#18161

Merged
rreichel3-oai merged 21 commits into
mainfrom
rreichel3/forced-chatgpt-workspace-id-list
May 14, 2026
Merged

[codex] Support multiple forced ChatGPT workspaces#18161
rreichel3-oai merged 21 commits into
mainfrom
rreichel3/forced-chatgpt-workspace-id-list

Conversation

@rreichel3-oai
Copy link
Copy Markdown
Contributor

@rreichel3-oai rreichel3-oai commented Apr 16, 2026
edited
Loading

Summary

This change lets forced_chatgpt_workspace_id accept multiple workspace IDs instead of a single value.

It keeps the existing config key name, adds backward-compatible parsing for a single string in config.toml, and normalizes the setting into an allowed workspace list across login enforcement, app-server config surfaces, and local ChatGPT auth helpers.

Why

Workspace-restricted deployments may need to allow more than one ChatGPT workspace without dropping the guardrail entirely.

Server-side impact

Codex's local server and app-server protocol needed changes because they previously assumed a single workspace ID. The local login flow now matches the auth backend interface by sending the allowed workspace list as a single comma-separated allowed_workspace_id query parameter.

Validation

This was tested with:

  • A single workspace config
  • With multi-workspace configs
  • With multiple workspaces in the config
  • The user only being a part of a subset of them

All were successful.

Automated coverage:

  • cargo test -p codex-login
  • cargo test -p codex-app-server-protocol
  • cargo test -p codex-tui local_chatgpt_auth
  • cargo test --locked -p codex-app-server login_account_chatgpt_includes_forced_workspace_allowlist_query_param
rreichel3-oai added a commit that referenced this pull request Apr 16, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
a19bddd
rreichel3-oai added a commit that referenced this pull request Apr 16, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
6efb453
rreichel3-oai added a commit that referenced this pull request Apr 16, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
7c65799
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from 6efb453 to 8b4867b Compare April 16, 2026 23:56
rreichel3-oai added a commit that referenced this pull request Apr 16, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
8b4867b
@rreichel3-oai rreichel3-oai mentioned this pull request Apr 17, 2026
Draft
rreichel3-oai added a commit that referenced this pull request Apr 21, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
4a4419b
rreichel3-oai added a commit that referenced this pull request Apr 21, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
7b43801
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from 9545da1 to d189b55 Compare April 21, 2026 15:06
rreichel3-oai added a commit that referenced this pull request Apr 22, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
d95d062
rreichel3-oai added a commit that referenced this pull request Apr 22, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
8240466
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from de2e639 to fd71d7c Compare April 22, 2026 19:49
rreichel3-oai added a commit that referenced this pull request Apr 22, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
4b83ea9
rreichel3-oai added a commit that referenced this pull request Apr 22, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
e95ec63
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from fd71d7c to e12d9db Compare April 22, 2026 19:50
rreichel3-oai added a commit that referenced this pull request May 4, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
74158a6
rreichel3-oai added a commit that referenced this pull request May 4, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
457e2e2
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from e12d9db to 7c19791 Compare May 4, 2026 15:10
rreichel3-oai added a commit that referenced this pull request May 4, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
e94fd5e
rreichel3-oai added a commit that referenced this pull request May 4, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
721a746
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from 5ae4cef to a2d466d Compare May 4, 2026 17:18
rreichel3-oai added a commit that referenced this pull request May 6, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
036601b
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from a2d466d to 12f6b43 Compare May 6, 2026 00:12
rreichel3-oai added a commit that referenced this pull request May 6, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
8161dc4
rreichel3-oai added a commit that referenced this pull request May 6, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
b1ee2dc
rreichel3-oai added a commit that referenced this pull request May 6, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
9e489d5
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch 2 times, most recently from cd69a02 to 949782b Compare May 8, 2026 20:39
rreichel3-oai added a commit that referenced this pull request May 8, 2026
@rreichel3-oai
codex: fix CI failure on PR #18161
2207e96
rreichel3-oai added a commit that referenced this pull request May 8, 2026
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
d36eb4f
@rreichel3-oai rreichel3-oai mentioned this pull request May 12, 2026
Closed
@owenlin0
Copy link
Copy Markdown
Collaborator

owenlin0 commented May 12, 2026
edited
Loading

codex flagged this, mind taking a look? the rest looks good! nice catch on the agent identity thing

Potential regression: config/read looks like it can fail for existing configs that still use the legacy single-string shape.

Scenario:

  1. A user has forced_chatgpt_workspace_id = "ws_123" in config.toml. This branch still accepts that as ForcedChatgptWorkspaceIds::Single, so normal config loading works.
  2. ConfigManagerService::read loads the effective config into ConfigToml, then serializes it with serde_json::to_value(&effective_config_toml) and deserializes it into the v2 API Config.
  3. The untagged enum serializes the single form as JSON string: { "forced_chatgpt_workspace_id": "ws_123" }.
  4. The v2 API type now expects Option<Vec<String>>, so it expects { "forced_chatgpt_workspace_id": ["ws_123"] }.

That means config/read can return a deserialization error for an existing valid single-string config. The fix should normalize this field before the API round-trip, or use a compatibility conversion/type for the API config response.
@rreichel3-oai rreichel3-oai marked this pull request as ready for review May 12, 2026 21:39
@rreichel3-oai rreichel3-oai requested a review from a team as a code owner May 12, 2026 21:39
@rreichel3-oai
Support multiple forced ChatGPT workspaces
4775449
@rreichel3-oai
codex: fix CI failure on PR #18161
f5af116
@rreichel3-oai
codex: fix remaining CI lint on PR #18161
5b26582
@rreichel3-oai
Add debug escape hatch for managed config
d4ee841 
codex-rs/core/src/config/mod.rs: honor a debug-only CODEX_DISABLE_MANAGED_CONFIG env var in the main config loader so local interactive testing can ignore managed config and managed preferences outside app-server flows.
@rreichel3-oai
Restore forced workspace config shape
756b317 
codex-rs/config/src/config_toml.rs: restore the backward-compatible ForcedChatgptWorkspaceIds enum that the rebased branch still references when parsing forced_chatgpt_workspace_id.
@rreichel3-oai
Fix rebased login tests
ee00c25 
codex-rs/login/src/auth/auth_tests.rs: drop a stale auth-manager watcher test that no longer matches the main-branch API.

codex-rs/login/tests/suite/device_code_login.rs: pass the current ServerOptions::new streamlined-login argument.
@rreichel3-oai
Fix login server test constructor
4125240 
codex-rs/login/tests/suite/login_server_e2e.rs: pass the current ServerOptions::new streamlined-login argument in the fallback-port test.
@rreichel3-oai
Fix device login test server options
6be3c41 
codex-rs/login/tests/suite/device_code_login.rs: keep ServerOptions::new aligned with the current four-argument constructor.
@rreichel3-oai
Fix remaining rebased login test callsites
7cf541b 
codex-rs/login/tests/suite/login_server_e2e.rs: add the streamlined-login field to the multi-workspace server options literal and remove a stale extra constructor argument.
@rreichel3-oai
Fix app-server protocol TS schema fixture
fdecfe3
@rreichel3-oai
Send forced workspaces as one auth query param
94def61 
codex-rs/login/src/server.rs: join forced ChatGPT workspace IDs into one comma-separated allowed_workspace_id query parameter for authapi compatibility.

codex-rs/login/tests/suite/login_server_e2e.rs: update the multi-workspace login-server regression test to assert exactly one allowed_workspace_id value.
@rreichel3-oai
Reject comma-separated forced workspace config
e8f9e50 
codex-rs/config/src/config_toml.rs: add a custom forced_chatgpt_workspace_id deserializer that keeps single-string and list forms but rejects comma-separated strings with guidance to use a TOML list, plus focused parser tests.

codex-rs/core/config.schema.json: refresh the generated config schema description for the workspace allowlist shape.
@rreichel3-oai
Test forced workspace allowlist login URL
5f73df3 
Add app-server coverage for ChatGPT login URLs when config contains multiple forced workspaces.

Assert the interactive account/login/start response carries one comma-separated allowed_workspace_id query parameter, matching authapi's allowlist contract.
@rreichel3-oai
Update generated Python SDK config type
98acfb0 
sdk/python/src/openai_codex/generated/v2_all.py: regenerate the v2 app-server client model after rebasing so forced_chatgpt_workspace_id matches the current schema.
@rreichel3-oai
Remove managed config debug hook
949f45e
@rreichel3-oai
Restore agent identity workspace enforcement
1a7eeaa 
Update enforced ChatGPT workspace checks so AgentIdentity credentials are compared against the configured workspace allowlist instead of skipping workspace enforcement.

Add a regression test for AgentIdentity credentials that belong to a disallowed workspace and verify the auth file is removed.
@rreichel3-oai
Normalize forced workspace config reads
9200634 
Normalize legacy single-string forced_chatgpt_workspace_id values before converting ConfigToml into the app-server v2 Config response.

Add config/read coverage for existing configs that still use the legacy single workspace string shape.
@rreichel3-oai
Use UUID-shaped workspace IDs in tests
e67e522 
Update workspace allowlist and ChatGPT account test fixtures to use UUID-shaped IDs instead of org/ws/acct placeholders.

Refresh config TOML examples and app-server/login assertions to match the same ID shape.
@rreichel3-oai
Remove stale commit attribution config from rebase
d14a17b 
Keep the PR rebased on current main without carrying the removed commit_attribution field from the old merge side of the conflict.
@rreichel3-oai rreichel3-oai force-pushed the rreichel3/forced-chatgpt-workspace-id-list branch from e2503f3 to d14a17b Compare May 13, 2026 21:06
@rreichel3-oai
Preserve forced workspace config compatibility
7e56448 
Allow app-server config payloads to represent forced ChatGPT workspace IDs as either a single string or a string list.

Preserve legacy config/read string responses while accepting list configs, refresh generated app-server schemas, and cover both config shapes in tests.
@rreichel3-oai
Cover empty forced workspace config values
585c44d 
Add runtime config coverage showing unset, empty string, whitespace string, empty list, and blank-only lists disable forced workspace restriction, while mixed lists keep trimmed valid workspace IDs.
@rreichel3-oai rreichel3-oai merged commit 02a7205 into main May 14, 2026
31 checks passed
@rreichel3-oai rreichel3-oai deleted the rreichel3/forced-chatgpt-workspace-id-list branch May 14, 2026 21:11
@github-actions github-actions Bot locked and limited conversation to collaborators May 14, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

2 participants

@rreichel3-oai @owenlin0