Update auth tests to use codex-auth

Co-authored-by: Codex <noreply@openai.com>

codex-rs/Cargo.lock

@@ -1594,6 +1594,28 @@ dependencies = [
  "tokio-util",
 ]
 
+[[package]]
+name = "codex-auth"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "base64 0.22.1",
+ "chrono",
+ "codex-app-server-protocol",
+ "codex-keyring-store",
+ "keyring",
+ "once_cell",
+ "pretty_assertions",
+ "schemars 0.8.22",
+ "serde",
+ "serde_json",
+ "sha2",
+ "tempfile",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+]
+
 [[package]]
 name = "codex-backend-client"
 version = "0.0.0"
@@ -1786,10 +1808,12 @@ name = "codex-config"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "base64 0.22.1",
  "codex-app-server-protocol",
  "codex-execpolicy",
  "codex-protocol",
  "codex-utils-absolute-path",
+ "core-foundation 0.9.4",
  "futures",
  "multimap",
  "pretty_assertions",
@@ -1802,6 +1826,7 @@ dependencies = [
  "toml 0.9.11+spec-1.1.0",
  "toml_edit 0.24.0+spec-1.1.0",
  "tracing",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -1838,6 +1863,7 @@ dependencies = [
  "codex-arg0",
  "codex-artifacts",
  "codex-async-utils",
+ "codex-auth",
  "codex-client",
  "codex-config",
  "codex-connectors",
@@ -1866,7 +1892,6 @@ dependencies = [
  "codex-utils-stream-parser",
  "codex-utils-string",
  "codex-windows-sandbox",
- "core-foundation 0.9.4",
  "core_test_support",
  "csv",
  "ctor 0.6.3",
@@ -1926,7 +1951,6 @@ dependencies = [
  "walkdir",
  "which",
  "wildmatch",
- "windows-sys 0.52.0",
  "wiremock",
  "zip",
  "zstd",
@@ -2147,6 +2171,7 @@ dependencies = [
  "base64 0.22.1",
  "chrono",
  "codex-app-server-protocol",
+ "codex-auth",
  "codex-client",
  "codex-core",
  "core_test_support",
@@ -3048,6 +3073,7 @@ dependencies = [
  "anyhow",
  "assert_cmd",
  "base64 0.22.1",
+ "codex-auth",
  "codex-core",
  "codex-protocol",
  "codex-utils-absolute-path",

codex-rs/Cargo.toml

@@ -2,6 +2,7 @@
 members = [
     "backend-client",
     "ansi-escape",
+    "auth",
     "async-utils",
     "app-server",
     "app-server-client",
@@ -86,6 +87,7 @@ license = "Apache-2.0"
 app_test_support = { path = "app-server/tests/common" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
+codex-auth = { path = "auth" }
 codex-artifacts = { path = "artifacts" }
 codex-package-manager = { path = "package-manager" }
 codex-app-server = { path = "app-server" }

codex-rs/auth/BUILD.bazel

@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "auth",
+    crate_name = "codex_auth",
+)

codex-rs/auth/Cargo.toml

@@ -0,0 +1,39 @@
+[package]
+name = "codex-auth"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+base64 = { workspace = true }
+chrono = { workspace = true, features = ["serde"] }
+codex-app-server-protocol = { workspace = true }
+codex-keyring-store = { workspace = true }
+once_cell = { workspace = true }
+schemars = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+sha2 = { workspace = true }
+thiserror = { workspace = true }
+tracing = { workspace = true }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+keyring = { workspace = true, features = ["linux-native-async-persistent"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+keyring = { workspace = true, features = ["apple-native"] }
+
+[target.'cfg(target_os = "windows")'.dependencies]
+keyring = { workspace = true, features = ["windows-native"] }
+
+[target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
+keyring = { workspace = true, features = ["sync-secret-service"] }
+
+[dev-dependencies]
+anyhow = { workspace = true }
+pretty_assertions = { workspace = true }
+tempfile = { workspace = true }
+tokio = { workspace = true, features = ["macros", "rt"] }

codex-rs/auth/src/env_telemetry.rs

@@ -0,0 +1,52 @@
+use crate::CODEX_API_KEY_ENV_VAR;
+use crate::OPENAI_API_KEY_ENV_VAR;
+use crate::REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR;
+
+#[derive(Debug, Clone, Default, PartialEq, Eq)]
+pub struct AuthEnvTelemetry {
+    pub openai_api_key_env_present: bool,
+    pub codex_api_key_env_present: bool,
+    pub codex_api_key_env_enabled: bool,
+    pub provider_env_key_name: Option<String>,
+    pub provider_env_key_present: Option<bool>,
+    pub refresh_token_url_override_present: bool,
+}
+
+pub fn collect_auth_env_telemetry(
+    provider_env_key_configured: bool,
+    provider_env_key: Option<&str>,
+    codex_api_key_env_enabled: bool,
+) -> AuthEnvTelemetry {
+    AuthEnvTelemetry {
+        openai_api_key_env_present: env_var_present(OPENAI_API_KEY_ENV_VAR),
+        codex_api_key_env_present: env_var_present(CODEX_API_KEY_ENV_VAR),
+        codex_api_key_env_enabled,
+        provider_env_key_name: provider_env_key_configured.then(|| "configured".to_string()),
+        provider_env_key_present: provider_env_key.map(env_var_present),
+        refresh_token_url_override_present: env_var_present(REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR),
+    }
+}
+
+fn env_var_present(name: &str) -> bool {
+    match std::env::var(name) {
+        Ok(value) => !value.trim().is_empty(),
+        Err(std::env::VarError::NotUnicode(_)) => true,
+        Err(std::env::VarError::NotPresent) => false,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn collect_auth_env_telemetry_buckets_provider_env_key_name() {
+        let telemetry = collect_auth_env_telemetry(true, Some("sk-should-not-leak"), false);
+
+        assert_eq!(
+            telemetry.provider_env_key_name,
+            Some("configured".to_string())
+        );
+    }
+}

codex-rs/auth/src/lib.rs

@@ -0,0 +1,103 @@
+mod env_telemetry;
+pub mod storage;
+pub mod token_data;
+
+use std::env;
+use std::path::Path;
+
+use codex_app_server_protocol::AuthMode;
+
+pub use env_telemetry::AuthEnvTelemetry;
+pub use env_telemetry::collect_auth_env_telemetry;
+pub use storage::AuthCredentialsStoreMode;
+pub use storage::AuthDotJson;
+pub use storage::AuthStorageBackend;
+pub use storage::create_auth_storage;
+pub use token_data::IdTokenInfo;
+pub use token_data::IdTokenInfoError;
+pub use token_data::KnownPlan;
+pub use token_data::PlanType;
+pub use token_data::TokenData;
+pub use token_data::parse_chatgpt_jwt_claims;
+
+pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
+pub const CODEX_API_KEY_ENV_VAR: &str = "CODEX_API_KEY";
+pub const REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR: &str = "CODEX_REFRESH_TOKEN_URL_OVERRIDE";
+
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct ExternalAuthTokens {
+    pub access_token: String,
+    pub chatgpt_account_id: String,
+    pub chatgpt_plan_type: Option<String>,
+}
+
+pub fn read_openai_api_key_from_env() -> Option<String> {
+    env::var(OPENAI_API_KEY_ENV_VAR)
+        .ok()
+        .map(|value| value.trim().to_string())
+        .filter(|value| !value.is_empty())
+}
+
+pub fn read_codex_api_key_from_env() -> Option<String> {
+    env::var(CODEX_API_KEY_ENV_VAR)
+        .ok()
+        .map(|value| value.trim().to_string())
+        .filter(|value| !value.is_empty())
+}
+
+pub fn logout(
+    codex_home: &Path,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<bool> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.delete()
+}
+
+pub fn login_with_api_key(
+    codex_home: &Path,
+    api_key: &str,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some(api_key.to_string()),
+        tokens: None,
+        last_refresh: None,
+    };
+    save_auth(codex_home, &auth_dot_json, auth_credentials_store_mode)
+}
+
+pub fn login_with_chatgpt_auth_tokens(
+    codex_home: &Path,
+    access_token: &str,
+    chatgpt_account_id: &str,
+    chatgpt_plan_type: Option<&str>,
+) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson::from_external_access_token(
+        access_token,
+        chatgpt_account_id,
+        chatgpt_plan_type,
+    )?;
+    save_auth(
+        codex_home,
+        &auth_dot_json,
+        AuthCredentialsStoreMode::Ephemeral,
+    )
+}
+
+pub fn save_auth(
+    codex_home: &Path,
+    auth: &AuthDotJson,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<()> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.save(auth)
+}
+
+pub fn load_auth_dot_json(
+    codex_home: &Path,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<Option<AuthDotJson>> {
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    storage.load()
+}

codex-rs/auth/src/storage.rs

@@ -0,0 +1,371 @@
+use chrono::DateTime;
+use chrono::Utc;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use sha2::Digest;
+use sha2::Sha256;
+use std::collections::HashMap;
+use std::fmt::Debug;
+use std::fs::File;
+use std::fs::OpenOptions;
+use std::io::Read;
+use std::io::Write;
+#[cfg(unix)]
+use std::os::unix::fs::OpenOptionsExt;
+use std::path::Path;
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::sync::Mutex;
+use tracing::warn;
+
+use crate::PlanType;
+use crate::TokenData;
+use crate::parse_chatgpt_jwt_claims;
+use codex_app_server_protocol::AuthMode;
+use codex_keyring_store::DefaultKeyringStore;
+use codex_keyring_store::KeyringStore;
+use once_cell::sync::Lazy;
+
+#[derive(Debug, Default, Copy, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthCredentialsStoreMode {
+    #[default]
+    File,
+    Keyring,
+    Auto,
+    Ephemeral,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, PartialEq)]
+pub struct AuthDotJson {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub auth_mode: Option<AuthMode>,
+    #[serde(rename = "OPENAI_API_KEY")]
+    pub openai_api_key: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub tokens: Option<TokenData>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub last_refresh: Option<DateTime<Utc>>,
+}
+
+impl AuthDotJson {
+    pub fn from_external_access_token(
+        access_token: &str,
+        chatgpt_account_id: &str,
+        chatgpt_plan_type: Option<&str>,
+    ) -> std::io::Result<Self> {
+        let mut token_info =
+            parse_chatgpt_jwt_claims(access_token).map_err(std::io::Error::other)?;
+        token_info.chatgpt_account_id = Some(chatgpt_account_id.to_string());
+        token_info.chatgpt_plan_type = chatgpt_plan_type
+            .map(PlanType::from_raw_value)
+            .or(token_info.chatgpt_plan_type)
+            .or(Some(PlanType::Unknown("unknown".to_string())));
+        let tokens = TokenData {
+            id_token: token_info,
+            access_token: access_token.to_string(),
+            refresh_token: String::new(),
+            account_id: Some(chatgpt_account_id.to_string()),
+        };
+
+        Ok(Self {
+            auth_mode: Some(AuthMode::ChatgptAuthTokens),
+            openai_api_key: None,
+            tokens: Some(tokens),
+            last_refresh: Some(Utc::now()),
+        })
+    }
+
+    pub fn resolved_mode(&self) -> AuthMode {
+        if let Some(mode) = self.auth_mode {
+            return mode;
+        }
+        if self.openai_api_key.is_some() {
+            return AuthMode::ApiKey;
+        }
+        AuthMode::Chatgpt
+    }
+
+    pub fn storage_mode(
+        &self,
+        auth_credentials_store_mode: AuthCredentialsStoreMode,
+    ) -> AuthCredentialsStoreMode {
+        if self.resolved_mode() == AuthMode::ChatgptAuthTokens {
+            AuthCredentialsStoreMode::Ephemeral
+        } else {
+            auth_credentials_store_mode
+        }
+    }
+}
+
+fn get_auth_file(codex_home: &Path) -> PathBuf {
+    codex_home.join("auth.json")
+}
+
+fn delete_file_if_exists(codex_home: &Path) -> std::io::Result<bool> {
+    let auth_file = get_auth_file(codex_home);
+    match std::fs::remove_file(&auth_file) {
+        Ok(()) => Ok(true),
+        Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(false),
+        Err(err) => Err(err),
+    }
+}
+
+pub trait AuthStorageBackend: Debug + Send + Sync {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>>;
+    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()>;
+    fn delete(&self) -> std::io::Result<bool>;
+}
+
+#[derive(Clone, Debug)]
+struct FileAuthStorage {
+    codex_home: PathBuf,
+}
+
+impl FileAuthStorage {
+    fn new(codex_home: PathBuf) -> Self {
+        Self { codex_home }
+    }
+
+    fn try_read_auth_json(&self, auth_file: &Path) -> std::io::Result<AuthDotJson> {
+        let mut file = File::open(auth_file)?;
+        let mut contents = String::new();
+        file.read_to_string(&mut contents)?;
+        let auth_dot_json: AuthDotJson = serde_json::from_str(&contents)?;
+        Ok(auth_dot_json)
+    }
+}
+
+impl AuthStorageBackend for FileAuthStorage {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
+        let auth_file = get_auth_file(&self.codex_home);
+        let auth_dot_json = match self.try_read_auth_json(&auth_file) {
+            Ok(auth) => auth,
+            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+            Err(err) => return Err(err),
+        };
+        Ok(Some(auth_dot_json))
+    }
+
+    fn save(&self, auth_dot_json: &AuthDotJson) -> std::io::Result<()> {
+        let auth_file = get_auth_file(&self.codex_home);
+        if let Some(parent) = auth_file.parent() {
+            std::fs::create_dir_all(parent)?;
+        }
+        let json_data = serde_json::to_string_pretty(auth_dot_json)?;
+        let mut options = OpenOptions::new();
+        options.truncate(true).write(true).create(true);
+        #[cfg(unix)]
+        {
+            options.mode(0o600);
+        }
+        let mut file = options.open(auth_file)?;
+        file.write_all(json_data.as_bytes())?;
+        file.flush()?;
+        Ok(())
+    }
+
+    fn delete(&self) -> std::io::Result<bool> {
+        delete_file_if_exists(&self.codex_home)
+    }
+}
+
+const KEYRING_SERVICE: &str = "Codex Auth";
+
+fn compute_store_key(codex_home: &Path) -> std::io::Result<String> {
+    let canonical = codex_home
+        .canonicalize()
+        .unwrap_or_else(|_| codex_home.to_path_buf());
+    let path_str = canonical.to_string_lossy();
+    let mut hasher = Sha256::new();
+    hasher.update(path_str.as_bytes());
+    let digest = hasher.finalize();
+    let hex = format!("{digest:x}");
+    let truncated = hex.get(..16).unwrap_or(&hex);
+    Ok(format!("cli|{truncated}"))
+}
+
+#[derive(Clone, Debug)]
+struct KeyringAuthStorage {
+    codex_home: PathBuf,
+    keyring_store: Arc<dyn KeyringStore>,
+}
+
+impl KeyringAuthStorage {
+    fn new(codex_home: PathBuf, keyring_store: Arc<dyn KeyringStore>) -> Self {
+        Self {
+            codex_home,
+            keyring_store,
+        }
+    }
+
+    fn load_from_keyring(&self, key: &str) -> std::io::Result<Option<AuthDotJson>> {
+        match self.keyring_store.load(KEYRING_SERVICE, key) {
+            Ok(Some(serialized)) => serde_json::from_str(&serialized).map(Some).map_err(|err| {
+                std::io::Error::other(format!(
+                    "failed to deserialize CLI auth from keyring: {err}"
+                ))
+            }),
+            Ok(None) => Ok(None),
+            Err(error) => Err(std::io::Error::other(format!(
+                "failed to load CLI auth from keyring: {}",
+                error.message()
+            ))),
+        }
+    }
+
+    fn save_to_keyring(&self, key: &str, value: &str) -> std::io::Result<()> {
+        match self.keyring_store.save(KEYRING_SERVICE, key, value) {
+            Ok(()) => Ok(()),
+            Err(error) => {
+                let message = format!(
+                    "failed to write OAuth tokens to keyring: {}",
+                    error.message()
+                );
+                warn!("{message}");
+                Err(std::io::Error::other(message))
+            }
+        }
+    }
+}
+
+impl AuthStorageBackend for KeyringAuthStorage {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
+        let key = compute_store_key(&self.codex_home)?;
+        self.load_from_keyring(&key)
+    }
+
+    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
+        let key = compute_store_key(&self.codex_home)?;
+        let serialized = serde_json::to_string(auth).map_err(std::io::Error::other)?;
+        self.save_to_keyring(&key, &serialized)?;
+        if let Err(err) = delete_file_if_exists(&self.codex_home) {
+            warn!("failed to remove CLI auth fallback file: {err}");
+        }
+        Ok(())
+    }
+
+    fn delete(&self) -> std::io::Result<bool> {
+        let key = compute_store_key(&self.codex_home)?;
+        let keyring_removed = self
+            .keyring_store
+            .delete(KEYRING_SERVICE, &key)
+            .map_err(|err| {
+                std::io::Error::other(format!("failed to delete auth from keyring: {err}"))
+            })?;
+        let file_removed = delete_file_if_exists(&self.codex_home)?;
+        Ok(keyring_removed || file_removed)
+    }
+}
+
+#[derive(Clone, Debug)]
+struct AutoAuthStorage {
+    keyring_storage: Arc<KeyringAuthStorage>,
+    file_storage: Arc<FileAuthStorage>,
+}
+
+impl AutoAuthStorage {
+    fn new(codex_home: PathBuf, keyring_store: Arc<dyn KeyringStore>) -> Self {
+        Self {
+            keyring_storage: Arc::new(KeyringAuthStorage::new(codex_home.clone(), keyring_store)),
+            file_storage: Arc::new(FileAuthStorage::new(codex_home)),
+        }
+    }
+}
+
+impl AuthStorageBackend for AutoAuthStorage {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
+        match self.keyring_storage.load() {
+            Ok(Some(auth)) => Ok(Some(auth)),
+            Ok(None) => self.file_storage.load(),
+            Err(err) => {
+                warn!("failed to load CLI auth from keyring, falling back to file storage: {err}");
+                self.file_storage.load()
+            }
+        }
+    }
+
+    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
+        match self.keyring_storage.save(auth) {
+            Ok(()) => Ok(()),
+            Err(err) => {
+                warn!("failed to save auth to keyring, falling back to file storage: {err}");
+                self.file_storage.save(auth)
+            }
+        }
+    }
+
+    fn delete(&self) -> std::io::Result<bool> {
+        self.keyring_storage.delete()
+    }
+}
+
+static EPHEMERAL_AUTH_STORE: Lazy<Mutex<HashMap<String, AuthDotJson>>> =
+    Lazy::new(|| Mutex::new(HashMap::new()));
+
+#[derive(Clone, Debug)]
+struct EphemeralAuthStorage {
+    codex_home: PathBuf,
+}
+
+impl EphemeralAuthStorage {
+    fn new(codex_home: PathBuf) -> Self {
+        Self { codex_home }
+    }
+
+    fn with_store<F, T>(&self, action: F) -> std::io::Result<T>
+    where
+        F: FnOnce(&mut HashMap<String, AuthDotJson>, String) -> std::io::Result<T>,
+    {
+        let key = compute_store_key(&self.codex_home)?;
+        let mut store = EPHEMERAL_AUTH_STORE
+            .lock()
+            .map_err(|_| std::io::Error::other("failed to lock ephemeral auth storage"))?;
+        action(&mut store, key)
+    }
+}
+
+impl AuthStorageBackend for EphemeralAuthStorage {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
+        self.with_store(|store, key| Ok(store.get(&key).cloned()))
+    }
+
+    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
+        self.with_store(|store, key| {
+            store.insert(key, auth.clone());
+            Ok(())
+        })
+    }
+
+    fn delete(&self) -> std::io::Result<bool> {
+        self.with_store(|store, key| Ok(store.remove(&key).is_some()))
+    }
+}
+
+pub fn create_auth_storage(
+    codex_home: PathBuf,
+    mode: AuthCredentialsStoreMode,
+) -> Arc<dyn AuthStorageBackend> {
+    let keyring_store: Arc<dyn KeyringStore> = Arc::new(DefaultKeyringStore);
+    create_auth_storage_with_keyring_store(codex_home, mode, keyring_store)
+}
+
+fn create_auth_storage_with_keyring_store(
+    codex_home: PathBuf,
+    mode: AuthCredentialsStoreMode,
+    keyring_store: Arc<dyn KeyringStore>,
+) -> Arc<dyn AuthStorageBackend> {
+    match mode {
+        AuthCredentialsStoreMode::File => Arc::new(FileAuthStorage::new(codex_home)),
+        AuthCredentialsStoreMode::Keyring => {
+            Arc::new(KeyringAuthStorage::new(codex_home, keyring_store))
+        }
+        AuthCredentialsStoreMode::Auto => Arc::new(AutoAuthStorage::new(codex_home, keyring_store)),
+        AuthCredentialsStoreMode::Ephemeral => Arc::new(EphemeralAuthStorage::new(codex_home)),
+    }
+}
+
+#[cfg(test)]
+#[path = "storage_tests.rs"]
+mod tests;

codex-rs/auth/src/storage_tests.rs

@@ -0,0 +1,289 @@
+use super::*;
+use crate::token_data::IdTokenInfo;
+use anyhow::Context;
+use base64::Engine;
+use codex_keyring_store::tests::MockKeyringStore;
+use keyring::Error as KeyringError;
+use pretty_assertions::assert_eq;
+use serde::Serialize;
+use serde_json::json;
+use tempfile::tempdir;
+
+#[tokio::test]
+async fn file_storage_load_returns_auth_dot_json() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let storage = FileAuthStorage::new(codex_home.path().to_path_buf());
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some("test-key".to_string()),
+        tokens: None,
+        last_refresh: Some(Utc::now()),
+    };
+
+    storage
+        .save(&auth_dot_json)
+        .context("failed to save auth file")?;
+
+    let loaded = storage.load().context("failed to load auth file")?;
+    assert_eq!(Some(auth_dot_json), loaded);
+    Ok(())
+}
+
+#[tokio::test]
+async fn file_storage_save_persists_auth_dot_json() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let storage = FileAuthStorage::new(codex_home.path().to_path_buf());
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some("test-key".to_string()),
+        tokens: None,
+        last_refresh: Some(Utc::now()),
+    };
+
+    let file = get_auth_file(codex_home.path());
+    storage
+        .save(&auth_dot_json)
+        .context("failed to save auth file")?;
+
+    let same_auth_dot_json = storage
+        .try_read_auth_json(&file)
+        .context("failed to read auth file after save")?;
+    assert_eq!(auth_dot_json, same_auth_dot_json);
+    Ok(())
+}
+
+#[test]
+fn file_storage_delete_removes_auth_file() -> anyhow::Result<()> {
+    let dir = tempdir()?;
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some("sk-test-key".to_string()),
+        tokens: None,
+        last_refresh: None,
+    };
+    let storage = create_auth_storage(dir.path().to_path_buf(), AuthCredentialsStoreMode::File);
+    storage.save(&auth_dot_json)?;
+    assert!(dir.path().join("auth.json").exists());
+    let storage = FileAuthStorage::new(dir.path().to_path_buf());
+    let removed = storage.delete()?;
+    assert!(removed);
+    assert!(!dir.path().join("auth.json").exists());
+    Ok(())
+}
+
+#[test]
+fn ephemeral_storage_save_load_delete_is_in_memory_only() -> anyhow::Result<()> {
+    let dir = tempdir()?;
+    let storage = create_auth_storage(
+        dir.path().to_path_buf(),
+        AuthCredentialsStoreMode::Ephemeral,
+    );
+    let auth_dot_json = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some("sk-ephemeral".to_string()),
+        tokens: None,
+        last_refresh: Some(Utc::now()),
+    };
+
+    storage.save(&auth_dot_json)?;
+    let loaded = storage.load()?;
+    assert_eq!(Some(auth_dot_json), loaded);
+
+    let removed = storage.delete()?;
+    assert!(removed);
+    let loaded = storage.load()?;
+    assert_eq!(None, loaded);
+    assert!(!get_auth_file(dir.path()).exists());
+    Ok(())
+}
+
+fn seed_keyring_and_fallback_auth_file_for_delete<F>(
+    mock_keyring: &MockKeyringStore,
+    codex_home: &Path,
+    compute_key: F,
+) -> anyhow::Result<(String, PathBuf)>
+where
+    F: FnOnce() -> std::io::Result<String>,
+{
+    let key = compute_key()?;
+    mock_keyring.save(KEYRING_SERVICE, &key, "{}")?;
+    let auth_file = get_auth_file(codex_home);
+    std::fs::write(&auth_file, "stale")?;
+    Ok((key, auth_file))
+}
+
+fn seed_keyring_with_auth<F>(
+    mock_keyring: &MockKeyringStore,
+    compute_key: F,
+    auth: &AuthDotJson,
+) -> anyhow::Result<()>
+where
+    F: FnOnce() -> std::io::Result<String>,
+{
+    let key = compute_key()?;
+    let serialized = serde_json::to_string(auth)?;
+    mock_keyring.save(KEYRING_SERVICE, &key, &serialized)?;
+    Ok(())
+}
+
+fn assert_keyring_saved_auth_and_removed_fallback(
+    mock_keyring: &MockKeyringStore,
+    key: &str,
+    codex_home: &Path,
+    expected: &AuthDotJson,
+) {
+    let saved_value = mock_keyring
+        .saved_value(key)
+        .expect("keyring entry should exist");
+    let expected_serialized = serde_json::to_string(expected).expect("serialize expected auth");
+    assert_eq!(saved_value, expected_serialized);
+    let auth_file = get_auth_file(codex_home);
+    assert!(
+        !auth_file.exists(),
+        "fallback auth.json should be removed after keyring save"
+    );
+}
+
+fn id_token_with_prefix(prefix: &str) -> IdTokenInfo {
+    #[derive(Serialize)]
+    struct Header {
+        alg: &'static str,
+        typ: &'static str,
+    }
+
+    let header = Header {
+        alg: "none",
+        typ: "JWT",
+    };
+    let payload = json!({
+        "email": format!("{prefix}@example.com"),
+        "https://api.openai.com/auth": {
+            "chatgpt_account_id": format!("{prefix}-account"),
+        },
+    });
+    let encode = |bytes: &[u8]| base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes);
+    let header_b64 = encode(&serde_json::to_vec(&header).expect("serialize header"));
+    let payload_b64 = encode(&serde_json::to_vec(&payload).expect("serialize payload"));
+    let signature_b64 = encode(b"sig");
+    let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+    crate::token_data::parse_chatgpt_jwt_claims(&fake_jwt).expect("fake JWT should parse")
+}
+
+fn auth_with_prefix(prefix: &str) -> AuthDotJson {
+    AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some(format!("{prefix}-api-key")),
+        tokens: Some(TokenData {
+            id_token: id_token_with_prefix(prefix),
+            access_token: format!("{prefix}-access"),
+            refresh_token: format!("{prefix}-refresh"),
+            account_id: Some(format!("{prefix}-account-id")),
+        }),
+        last_refresh: None,
+    }
+}
+
+#[test]
+fn keyring_auth_storage_load_returns_deserialized_auth() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let mock_keyring = MockKeyringStore::default();
+    let storage = KeyringAuthStorage::new(
+        codex_home.path().to_path_buf(),
+        Arc::new(mock_keyring.clone()),
+    );
+    let expected = AuthDotJson {
+        auth_mode: Some(AuthMode::ApiKey),
+        openai_api_key: Some("sk-test".to_string()),
+        tokens: None,
+        last_refresh: None,
+    };
+    seed_keyring_with_auth(
+        &mock_keyring,
+        || compute_store_key(codex_home.path()),
+        &expected,
+    )?;
+
+    let loaded = storage.load()?;
+    assert_eq!(Some(expected), loaded);
+    Ok(())
+}
+
+#[test]
+fn keyring_auth_storage_compute_store_key_for_home_directory() -> anyhow::Result<()> {
+    let codex_home = PathBuf::from("~/.codex");
+
+    let key = compute_store_key(codex_home.as_path())?;
+
+    assert_eq!(key, "cli|940db7b1d0e4eb40");
+    Ok(())
+}
+
+#[test]
+fn keyring_auth_storage_save_persists_and_removes_fallback_file() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let mock_keyring = MockKeyringStore::default();
+    let storage = KeyringAuthStorage::new(
+        codex_home.path().to_path_buf(),
+        Arc::new(mock_keyring.clone()),
+    );
+    let auth_file = get_auth_file(codex_home.path());
+    std::fs::write(&auth_file, "stale")?;
+    let auth = AuthDotJson {
+        auth_mode: Some(AuthMode::Chatgpt),
+        openai_api_key: None,
+        tokens: Some(TokenData {
+            id_token: Default::default(),
+            access_token: "access".to_string(),
+            refresh_token: "refresh".to_string(),
+            account_id: Some("account".to_string()),
+        }),
+        last_refresh: Some(Utc::now()),
+    };
+
+    storage.save(&auth)?;
+
+    let key = compute_store_key(codex_home.path())?;
+    assert_keyring_saved_auth_and_removed_fallback(&mock_keyring, &key, codex_home.path(), &auth);
+    Ok(())
+}
+
+#[test]
+fn keyring_auth_storage_delete_removes_keyring_and_file() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let mock_keyring = MockKeyringStore::default();
+    let storage = KeyringAuthStorage::new(
+        codex_home.path().to_path_buf(),
+        Arc::new(mock_keyring.clone()),
+    );
+    let (key, auth_file) =
+        seed_keyring_and_fallback_auth_file_for_delete(&mock_keyring, codex_home.path(), || {
+            compute_store_key(codex_home.path())
+        })?;
+
+    let removed = storage.delete()?;
+
+    assert!(removed);
+    assert!(!mock_keyring.contains(&key));
+    assert!(!auth_file.exists());
+    Ok(())
+}
+
+#[test]
+fn auto_auth_storage_falls_back_to_file_on_keyring_load_error() -> anyhow::Result<()> {
+    let codex_home = tempdir()?;
+    let mock_keyring = MockKeyringStore::default();
+    let key = compute_store_key(codex_home.path())?;
+    mock_keyring.set_error(&key, KeyringError::NoEntry);
+    let storage = AutoAuthStorage::new(
+        codex_home.path().to_path_buf(),
+        Arc::new(mock_keyring.clone()),
+    );
+    let expected = auth_with_prefix("fallback");
+    FileAuthStorage::new(codex_home.path().to_path_buf()).save(&expected)?;
+
+    let loaded = storage.load()?;
+
+    assert_eq!(Some(expected), loaded);
+    Ok(())
+}

codex-rs/auth/src/token_data.rs

@@ -0,0 +1,167 @@
+use base64::Engine;
+use serde::Deserialize;
+use serde::Serialize;
+use thiserror::Error;
+
+#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
+pub struct TokenData {
+    #[serde(
+        deserialize_with = "deserialize_id_token",
+        serialize_with = "serialize_id_token"
+    )]
+    pub id_token: IdTokenInfo,
+    pub access_token: String,
+    pub refresh_token: String,
+    pub account_id: Option<String>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
+pub struct IdTokenInfo {
+    pub email: Option<String>,
+    pub chatgpt_plan_type: Option<PlanType>,
+    pub chatgpt_user_id: Option<String>,
+    pub chatgpt_account_id: Option<String>,
+    pub raw_jwt: String,
+}
+
+impl IdTokenInfo {
+    pub fn get_chatgpt_plan_type(&self) -> Option<String> {
+        self.chatgpt_plan_type.as_ref().map(|t| match t {
+            PlanType::Known(plan) => format!("{plan:?}"),
+            PlanType::Unknown(s) => s.clone(),
+        })
+    }
+
+    pub fn is_workspace_account(&self) -> bool {
+        matches!(
+            self.chatgpt_plan_type,
+            Some(PlanType::Known(
+                KnownPlan::Team | KnownPlan::Business | KnownPlan::Enterprise | KnownPlan::Edu
+            ))
+        )
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum PlanType {
+    Known(KnownPlan),
+    Unknown(String),
+}
+
+impl PlanType {
+    pub fn from_raw_value(raw: &str) -> Self {
+        match raw.to_ascii_lowercase().as_str() {
+            "free" => Self::Known(KnownPlan::Free),
+            "go" => Self::Known(KnownPlan::Go),
+            "plus" => Self::Known(KnownPlan::Plus),
+            "pro" => Self::Known(KnownPlan::Pro),
+            "team" => Self::Known(KnownPlan::Team),
+            "business" => Self::Known(KnownPlan::Business),
+            "enterprise" => Self::Known(KnownPlan::Enterprise),
+            "education" | "edu" => Self::Known(KnownPlan::Edu),
+            _ => Self::Unknown(raw.to_string()),
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum KnownPlan {
+    Free,
+    Go,
+    Plus,
+    Pro,
+    Team,
+    Business,
+    Enterprise,
+    Edu,
+}
+
+#[derive(Deserialize)]
+struct IdClaims {
+    #[serde(default)]
+    email: Option<String>,
+    #[serde(rename = "https://api.openai.com/profile", default)]
+    profile: Option<ProfileClaims>,
+    #[serde(rename = "https://api.openai.com/auth", default)]
+    auth: Option<AuthClaims>,
+}
+
+#[derive(Deserialize)]
+struct ProfileClaims {
+    #[serde(default)]
+    email: Option<String>,
+}
+
+#[derive(Deserialize)]
+struct AuthClaims {
+    #[serde(default)]
+    chatgpt_plan_type: Option<PlanType>,
+    #[serde(default)]
+    chatgpt_user_id: Option<String>,
+    #[serde(default)]
+    user_id: Option<String>,
+    #[serde(default)]
+    chatgpt_account_id: Option<String>,
+}
+
+#[derive(Debug, Error)]
+pub enum IdTokenInfoError {
+    #[error("invalid ID token format")]
+    InvalidFormat,
+    #[error(transparent)]
+    Base64(#[from] base64::DecodeError),
+    #[error(transparent)]
+    Json(#[from] serde_json::Error),
+}
+
+pub fn parse_chatgpt_jwt_claims(jwt: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
+    let mut parts = jwt.split('.');
+    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
+        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
+        _ => return Err(IdTokenInfoError::InvalidFormat),
+    };
+
+    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
+    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;
+    let email = claims
+        .email
+        .or_else(|| claims.profile.and_then(|profile| profile.email));
+
+    match claims.auth {
+        Some(auth) => Ok(IdTokenInfo {
+            email,
+            raw_jwt: jwt.to_string(),
+            chatgpt_plan_type: auth.chatgpt_plan_type,
+            chatgpt_user_id: auth.chatgpt_user_id.or(auth.user_id),
+            chatgpt_account_id: auth.chatgpt_account_id,
+        }),
+        None => Ok(IdTokenInfo {
+            email,
+            raw_jwt: jwt.to_string(),
+            chatgpt_plan_type: None,
+            chatgpt_user_id: None,
+            chatgpt_account_id: None,
+        }),
+    }
+}
+
+fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
+where
+    D: serde::Deserializer<'de>,
+{
+    let s = String::deserialize(deserializer)?;
+    parse_chatgpt_jwt_claims(&s).map_err(serde::de::Error::custom)
+}
+
+fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>
+where
+    S: serde::Serializer,
+{
+    serializer.serialize_str(&id_token.raw_jwt)
+}
+
+#[cfg(test)]
+#[path = "token_data_tests.rs"]
+mod tests;

codex-rs/auth/src/token_data_tests.rs

@@ -0,0 +1,20 @@
+use super::*;
+use pretty_assertions::assert_eq;
+
+#[test]
+fn parses_id_token_claims() {
+    let jwt = "eyJhbGciOiJub25lIn0.eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJodHRwczovL2FwaS5vcGVuYWkuY29tL2F1dGgiOnsiY2hhdGdwdF9wbGFuX3R5cGUiOiJwcm8iLCJjaGF0Z3B0X3VzZXJfaWQiOiJ1c2VyLTEiLCJjaGF0Z3B0X2FjY291bnRfaWQiOiJ3cy0xIn19.c2ln";
+
+    let claims = parse_chatgpt_jwt_claims(jwt).expect("jwt should parse");
+
+    assert_eq!(
+        claims,
+        IdTokenInfo {
+            email: Some("user@example.com".to_string()),
+            chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+            chatgpt_user_id: Some("user-1".to_string()),
+            chatgpt_account_id: Some("ws-1".to_string()),
+            raw_jwt: jwt.to_string(),
+        }
+    );
+}

codex-rs/config/Cargo.toml

@@ -4,10 +4,14 @@ version.workspace = true
 edition.workspace = true
 license.workspace = true
 
+[lib]
+doctest = false
+
 [lints]
 workspace = true
 
 [dependencies]
+base64 = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-execpolicy = { workspace = true }
 codex-protocol = { workspace = true }
@@ -24,6 +28,16 @@ toml = { workspace = true }
 toml_edit = { workspace = true }
 tracing = { workspace = true }
 
+[target.'cfg(target_os = "macos")'.dependencies]
+core-foundation = "0.9"
+
+[target.'cfg(target_os = "windows")'.dependencies]
+windows-sys = { version = "0.52", features = [
+    "Win32_Foundation",
+    "Win32_System_Com",
+    "Win32_UI_Shell",
+] }
+
 [dev-dependencies]
 anyhow = { workspace = true }
 pretty_assertions = { workspace = true }

codex-rs/config/src/layer_io.rs

@@ -1,10 +1,10 @@
-use super::LoaderOverrides;
+use crate::LoaderOverrides;
+use crate::config_error_from_toml;
+use crate::io_error_from_config_error;
 #[cfg(target_os = "macos")]
-use super::macos::ManagedAdminConfigLayer;
+use crate::macos::ManagedAdminConfigLayer;
 #[cfg(target_os = "macos")]
-use super::macos::load_managed_admin_config_layer;
-use codex_config::config_error_from_toml;
-use codex_config::io_error_from_config_error;
+use crate::macos::load_managed_admin_config_layer;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use std::io;
 use std::path::Path;
@@ -16,26 +16,26 @@ use toml::Value as TomlValue;
 const CODEX_MANAGED_CONFIG_SYSTEM_PATH: &str = "/etc/codex/managed_config.toml";
 
 #[derive(Debug, Clone)]
-pub(super) struct MangedConfigFromFile {
+pub struct ManagedConfigFromFile {
     pub managed_config: TomlValue,
     pub file: AbsolutePathBuf,
 }
 
 #[derive(Debug, Clone)]
-pub(super) struct ManagedConfigFromMdm {
+pub struct ManagedConfigFromMdm {
     pub managed_config: TomlValue,
     pub raw_toml: String,
 }
 
 #[derive(Debug, Clone)]
-pub(super) struct LoadedConfigLayers {
+pub struct LoadedConfigLayers {
     /// If present, data read from a file such as `/etc/codex/managed_config.toml`.
-    pub managed_config: Option<MangedConfigFromFile>,
+    pub managed_config: Option<ManagedConfigFromFile>,
     /// If present, data read from managed preferences (macOS only).
     pub managed_config_from_mdm: Option<ManagedConfigFromMdm>,
 }
 
-pub(super) async fn load_config_layers_internal(
+pub async fn load_config_layers_internal(
     codex_home: &Path,
     overrides: LoaderOverrides,
 ) -> io::Result<LoadedConfigLayers> {
@@ -59,7 +59,7 @@ pub(super) async fn load_config_layers_internal(
     let managed_config =
         read_config_from_path(&managed_config_path, /*log_missing_as_info*/ false)
             .await?
-            .map(|managed_config| MangedConfigFromFile {
+            .map(|managed_config| ManagedConfigFromFile {
                 managed_config,
                 file: managed_config_path.clone(),
             });
@@ -88,7 +88,7 @@ fn map_managed_admin_layer(layer: ManagedAdminConfigLayer) -> ManagedConfigFromM
     }
 }
 
-pub(super) async fn read_config_from_path(
+async fn read_config_from_path(
     path: impl AsRef<Path>,
     log_missing_as_info: bool,
 ) -> io::Result<Option<TomlValue>> {
@@ -120,8 +120,7 @@ pub(super) async fn read_config_from_path(
     }
 }
 
-/// Return the default managed config path.
-pub(super) fn managed_config_default_path(codex_home: &Path) -> PathBuf {
+fn managed_config_default_path(codex_home: &Path) -> PathBuf {
     #[cfg(unix)]
     {
         let _ = codex_home;

codex-rs/config/src/lib.rs

@@ -3,6 +3,10 @@ mod config_requirements;
 mod constraint;
 mod diagnostics;
 mod fingerprint;
+mod layer_io;
+mod loader;
+#[cfg(target_os = "macos")]
+mod macos;
 mod merge;
 mod overrides;
 mod requirements_exec_policy;
@@ -44,6 +48,15 @@ pub use diagnostics::format_config_error;
 pub use diagnostics::format_config_error_with_source;
 pub use diagnostics::io_error_from_config_error;
 pub use fingerprint::version_for_toml;
+pub use layer_io::LoadedConfigLayers;
+pub use layer_io::ManagedConfigFromFile;
+pub use layer_io::ManagedConfigFromMdm;
+pub use layer_io::load_config_layers_internal;
+pub use loader::load_managed_admin_requirements;
+pub use loader::load_requirements_from_legacy_scheme;
+pub use loader::load_requirements_toml;
+pub use loader::system_config_toml_file;
+pub use loader::system_requirements_toml_file;
 pub use merge::merge_toml_values;
 pub use overrides::build_cli_overrides_layer;
 pub use requirements_exec_policy::RequirementsExecPolicy;

codex-rs/config/src/loader.rs

@@ -0,0 +1,236 @@
+use crate::ConfigRequirementsToml;
+use crate::ConfigRequirementsWithSources;
+use crate::LoadedConfigLayers;
+use crate::RequirementSource;
+#[cfg(target_os = "macos")]
+use crate::macos::load_managed_admin_requirements_toml;
+use codex_protocol::config_types::SandboxMode;
+use codex_protocol::protocol::AskForApproval;
+use codex_utils_absolute_path::AbsolutePathBuf;
+use serde::Deserialize;
+use std::io;
+use std::path::Path;
+#[cfg(windows)]
+use std::path::PathBuf;
+
+#[cfg(unix)]
+pub const SYSTEM_CONFIG_TOML_FILE_UNIX: &str = "/etc/codex/config.toml";
+
+#[cfg(windows)]
+const DEFAULT_PROGRAM_DATA_DIR_WINDOWS: &str = r"C:\ProgramData";
+
+pub async fn load_requirements_toml(
+    config_requirements_toml: &mut ConfigRequirementsWithSources,
+    requirements_toml_file: impl AsRef<Path>,
+) -> io::Result<()> {
+    let requirements_toml_file =
+        AbsolutePathBuf::from_absolute_path(requirements_toml_file.as_ref())?;
+    match tokio::fs::read_to_string(&requirements_toml_file).await {
+        Ok(contents) => {
+            let requirements_config: ConfigRequirementsToml =
+                toml::from_str(&contents).map_err(|err| {
+                    io::Error::new(
+                        io::ErrorKind::InvalidData,
+                        format!(
+                            "Error parsing requirements file {}: {err}",
+                            requirements_toml_file.as_ref().display(),
+                        ),
+                    )
+                })?;
+            config_requirements_toml.merge_unset_fields(
+                RequirementSource::SystemRequirementsToml {
+                    file: requirements_toml_file.clone(),
+                },
+                requirements_config,
+            );
+        }
+        Err(err) if err.kind() == io::ErrorKind::NotFound => {}
+        Err(err) => {
+            return Err(io::Error::new(
+                err.kind(),
+                format!(
+                    "Failed to read requirements file {}: {err}",
+                    requirements_toml_file.as_ref().display(),
+                ),
+            ));
+        }
+    }
+
+    Ok(())
+}
+
+pub async fn load_managed_admin_requirements(
+    config_requirements_toml: &mut ConfigRequirementsWithSources,
+    managed_config_requirements_base64: Option<&str>,
+) -> io::Result<()> {
+    #[cfg(target_os = "macos")]
+    {
+        load_managed_admin_requirements_toml(
+            config_requirements_toml,
+            managed_config_requirements_base64,
+        )
+        .await
+    }
+
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = config_requirements_toml;
+        let _ = managed_config_requirements_base64;
+        Ok(())
+    }
+}
+
+#[cfg(unix)]
+pub fn system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
+    AbsolutePathBuf::from_absolute_path(Path::new("/etc/codex/requirements.toml"))
+}
+
+#[cfg(windows)]
+pub fn system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
+    windows_system_requirements_toml_file()
+}
+
+#[cfg(unix)]
+pub fn system_config_toml_file() -> io::Result<AbsolutePathBuf> {
+    AbsolutePathBuf::from_absolute_path(Path::new(SYSTEM_CONFIG_TOML_FILE_UNIX))
+}
+
+#[cfg(windows)]
+pub fn system_config_toml_file() -> io::Result<AbsolutePathBuf> {
+    windows_system_config_toml_file()
+}
+
+#[cfg(windows)]
+fn windows_codex_system_dir() -> PathBuf {
+    let program_data = windows_program_data_dir_from_known_folder().unwrap_or_else(|err| {
+        tracing::warn!(
+            error = %err,
+            "Failed to resolve ProgramData known folder; using default path"
+        );
+        PathBuf::from(DEFAULT_PROGRAM_DATA_DIR_WINDOWS)
+    });
+    program_data.join("OpenAI").join("Codex")
+}
+
+#[cfg(windows)]
+fn windows_system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
+    let requirements_toml_file = windows_codex_system_dir().join("requirements.toml");
+    AbsolutePathBuf::try_from(requirements_toml_file)
+}
+
+#[cfg(windows)]
+fn windows_system_config_toml_file() -> io::Result<AbsolutePathBuf> {
+    let config_toml_file = windows_codex_system_dir().join("config.toml");
+    AbsolutePathBuf::try_from(config_toml_file)
+}
+
+#[cfg(windows)]
+fn windows_program_data_dir_from_known_folder() -> io::Result<PathBuf> {
+    use std::ffi::OsString;
+    use std::os::windows::ffi::OsStringExt;
+    use windows_sys::Win32::System::Com::CoTaskMemFree;
+    use windows_sys::Win32::UI::Shell::FOLDERID_ProgramData;
+    use windows_sys::Win32::UI::Shell::KF_FLAG_DEFAULT;
+    use windows_sys::Win32::UI::Shell::SHGetKnownFolderPath;
+
+    let mut path_ptr = std::ptr::null_mut::<u16>();
+    let known_folder_flags = u32::try_from(KF_FLAG_DEFAULT).map_err(|_| {
+        io::Error::other(format!(
+            "KF_FLAG_DEFAULT did not fit in u32: {KF_FLAG_DEFAULT}"
+        ))
+    })?;
+    let hr = unsafe {
+        SHGetKnownFolderPath(&FOLDERID_ProgramData, known_folder_flags, 0, &mut path_ptr)
+    };
+    if hr != 0 {
+        return Err(io::Error::other(format!(
+            "SHGetKnownFolderPath(FOLDERID_ProgramData) failed with HRESULT {hr:#010x}"
+        )));
+    }
+    if path_ptr.is_null() {
+        return Err(io::Error::other(
+            "SHGetKnownFolderPath(FOLDERID_ProgramData) returned a null pointer",
+        ));
+    }
+
+    let path = unsafe {
+        let mut len = 0usize;
+        while *path_ptr.add(len) != 0 {
+            len += 1;
+        }
+        let wide = std::slice::from_raw_parts(path_ptr, len);
+        let path = PathBuf::from(OsString::from_wide(wide));
+        CoTaskMemFree(path_ptr.cast());
+        path
+    };
+
+    Ok(path)
+}
+
+pub async fn load_requirements_from_legacy_scheme(
+    config_requirements_toml: &mut ConfigRequirementsWithSources,
+    loaded_config_layers: LoadedConfigLayers,
+) -> io::Result<()> {
+    let LoadedConfigLayers {
+        managed_config,
+        managed_config_from_mdm,
+    } = loaded_config_layers;
+
+    for (source, config) in managed_config_from_mdm
+        .map(|config| {
+            (
+                RequirementSource::LegacyManagedConfigTomlFromMdm,
+                config.managed_config,
+            )
+        })
+        .into_iter()
+        .chain(managed_config.map(|config| {
+            (
+                RequirementSource::LegacyManagedConfigTomlFromFile { file: config.file },
+                config.managed_config,
+            )
+        }))
+    {
+        let legacy_config: LegacyManagedConfigToml =
+            config.try_into().map_err(|err: toml::de::Error| {
+                io::Error::new(
+                    io::ErrorKind::InvalidData,
+                    format!("Failed to parse config requirements as TOML: {err}"),
+                )
+            })?;
+
+        let requirements = ConfigRequirementsToml::from(legacy_config);
+        config_requirements_toml.merge_unset_fields(source, requirements);
+    }
+
+    Ok(())
+}
+
+#[derive(Deserialize, Debug, Clone, Default, PartialEq)]
+struct LegacyManagedConfigToml {
+    approval_policy: Option<AskForApproval>,
+    sandbox_mode: Option<SandboxMode>,
+}
+
+impl From<LegacyManagedConfigToml> for ConfigRequirementsToml {
+    fn from(legacy: LegacyManagedConfigToml) -> Self {
+        let mut config_requirements_toml = ConfigRequirementsToml::default();
+
+        let LegacyManagedConfigToml {
+            approval_policy,
+            sandbox_mode,
+        } = legacy;
+        if let Some(approval_policy) = approval_policy {
+            config_requirements_toml.allowed_approval_policies = Some(vec![approval_policy]);
+        }
+        if let Some(sandbox_mode) = sandbox_mode {
+            let required_mode = sandbox_mode.into();
+            let mut allowed_modes = vec![crate::SandboxModeRequirement::ReadOnly];
+            if required_mode != crate::SandboxModeRequirement::ReadOnly {
+                allowed_modes.push(required_mode);
+            }
+            config_requirements_toml.allowed_sandbox_modes = Some(allowed_modes);
+        }
+        config_requirements_toml
+    }
+}

codex-rs/config/src/macos.rs

@@ -1,6 +1,6 @@
-use super::ConfigRequirementsToml;
-use super::ConfigRequirementsWithSources;
-use super::RequirementSource;
+use crate::ConfigRequirementsToml;
+use crate::ConfigRequirementsWithSources;
+use crate::RequirementSource;
 use base64::Engine;
 use base64::prelude::BASE64_STANDARD;
 use core_foundation::base::TCFType;
@@ -16,19 +16,19 @@ const MANAGED_PREFERENCES_CONFIG_KEY: &str = "config_toml_base64";
 const MANAGED_PREFERENCES_REQUIREMENTS_KEY: &str = "requirements_toml_base64";
 
 #[derive(Debug, Clone)]
-pub(super) struct ManagedAdminConfigLayer {
+pub struct ManagedAdminConfigLayer {
     pub config: TomlValue,
     pub raw_toml: String,
 }
 
-pub(super) fn managed_preferences_requirements_source() -> RequirementSource {
+fn managed_preferences_requirements_source() -> RequirementSource {
     RequirementSource::MdmManagedPreferences {
         domain: MANAGED_PREFERENCES_APPLICATION_ID.to_string(),
         key: MANAGED_PREFERENCES_REQUIREMENTS_KEY.to_string(),
     }
 }
 
-pub(crate) async fn load_managed_admin_config_layer(
+pub async fn load_managed_admin_config_layer(
     override_base64: Option<&str>,
 ) -> io::Result<Option<ManagedAdminConfigLayer>> {
     if let Some(encoded) = override_base64 {
@@ -61,7 +61,7 @@ fn load_managed_admin_config() -> io::Result<Option<ManagedAdminConfigLayer>> {
         .transpose()
 }
 
-pub(crate) async fn load_managed_admin_requirements_toml(
+pub async fn load_managed_admin_requirements_toml(
     target: &mut ConfigRequirementsWithSources,
     override_base64: Option<&str>,
 ) -> io::Result<()> {

codex-rs/core/Cargo.toml

@@ -28,6 +28,7 @@ chardetng = { workspace = true }
 chrono = { workspace = true, features = ["serde"] }
 clap = { workspace = true, features = ["derive"] }
 codex-api = { workspace = true }
+codex-auth = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-async-utils = { workspace = true }
@@ -123,7 +124,6 @@ landlock = { workspace = true }
 seccompiler = { workspace = true }
 
 [target.'cfg(target_os = "macos")'.dependencies]
-core-foundation = "0.9"
 keyring = { workspace = true, features = ["apple-native"] }
 
 # Build OpenSSL from source for musl builds.
@@ -136,11 +136,6 @@ openssl-sys = { workspace = true, features = ["vendored"] }
 
 [target.'cfg(target_os = "windows")'.dependencies]
 keyring = { workspace = true, features = ["windows-native"] }
-windows-sys = { version = "0.52", features = [
-    "Win32_Foundation",
-    "Win32_System_Com",
-    "Win32_UI_Shell",
-] }
 
 [target.'cfg(any(target_os = "freebsd", target_os = "openbsd"))'.dependencies]
 keyring = { workspace = true, features = ["sync-secret-service"] }
@@ -151,6 +146,7 @@ codex-shell-escalation = { workspace = true }
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
+codex-auth = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-otel = { workspace = true, features = [
     "disable-default-metrics-exporter",

codex-rs/core/src/auth.rs

@@ -7,7 +7,6 @@ use serde::Deserialize;
 use serde::Serialize;
 #[cfg(test)]
 use serial_test::serial;
-use std::env;
 use std::fmt::Debug;
 use std::path::Path;
 use std::path::PathBuf;
@@ -31,6 +30,14 @@ use crate::token_data::PlanType as InternalPlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_chatgpt_jwt_claims;
 use crate::util::try_parse_error_message;
+pub use codex_auth::REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR;
+pub use codex_auth::load_auth_dot_json;
+pub use codex_auth::login_with_api_key;
+pub use codex_auth::login_with_chatgpt_auth_tokens;
+pub use codex_auth::logout;
+pub use codex_auth::read_codex_api_key_from_env;
+pub use codex_auth::read_openai_api_key_from_env;
+pub use codex_auth::save_auth;
 use codex_client::CodexHttpClient;
 use codex_protocol::account::PlanType as AccountPlanType;
 use serde_json::Value;
@@ -102,7 +109,6 @@ const REFRESH_TOKEN_UNKNOWN_MESSAGE: &str =
     "Your access token could not be refreshed. Please log out and sign in again.";
 const REFRESH_TOKEN_ACCOUNT_MISMATCH_MESSAGE: &str = "Your access token could not be refreshed because you have since logged out or signed in to another account. Please sign in again.";
 const REFRESH_TOKEN_URL: &str = "https://auth.openai.com/oauth/token";
-pub const REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR: &str = "CODEX_REFRESH_TOKEN_URL_OVERRIDE";
 
 #[derive(Debug, Error)]
 pub enum RefreshTokenError {
@@ -112,12 +118,7 @@ pub enum RefreshTokenError {
     Transient(#[from] std::io::Error),
 }
 
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct ExternalAuthTokens {
-    pub access_token: String,
-    pub chatgpt_account_id: String,
-    pub chatgpt_plan_type: Option<String>,
-}
+pub use codex_auth::ExternalAuthTokens;
 
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub enum ExternalAuthRefreshReason {
@@ -374,90 +375,6 @@ impl ChatgptAuth {
     }
 }
 
-pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
-pub const CODEX_API_KEY_ENV_VAR: &str = "CODEX_API_KEY";
-
-pub fn read_openai_api_key_from_env() -> Option<String> {
-    env::var(OPENAI_API_KEY_ENV_VAR)
-        .ok()
-        .map(|value| value.trim().to_string())
-        .filter(|value| !value.is_empty())
-}
-
-pub fn read_codex_api_key_from_env() -> Option<String> {
-    env::var(CODEX_API_KEY_ENV_VAR)
-        .ok()
-        .map(|value| value.trim().to_string())
-        .filter(|value| !value.is_empty())
-}
-
-/// Delete the auth.json file inside `codex_home` if it exists. Returns `Ok(true)`
-/// if a file was removed, `Ok(false)` if no auth file was present.
-pub fn logout(
-    codex_home: &Path,
-    auth_credentials_store_mode: AuthCredentialsStoreMode,
-) -> std::io::Result<bool> {
-    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
-    storage.delete()
-}
-
-/// Writes an `auth.json` that contains only the API key.
-pub fn login_with_api_key(
-    codex_home: &Path,
-    api_key: &str,
-    auth_credentials_store_mode: AuthCredentialsStoreMode,
-) -> std::io::Result<()> {
-    let auth_dot_json = AuthDotJson {
-        auth_mode: Some(ApiAuthMode::ApiKey),
-        openai_api_key: Some(api_key.to_string()),
-        tokens: None,
-        last_refresh: None,
-    };
-    save_auth(codex_home, &auth_dot_json, auth_credentials_store_mode)
-}
-
-/// Writes an in-memory auth payload for externally managed ChatGPT tokens.
-pub fn login_with_chatgpt_auth_tokens(
-    codex_home: &Path,
-    access_token: &str,
-    chatgpt_account_id: &str,
-    chatgpt_plan_type: Option<&str>,
-) -> std::io::Result<()> {
-    let auth_dot_json = AuthDotJson::from_external_access_token(
-        access_token,
-        chatgpt_account_id,
-        chatgpt_plan_type,
-    )?;
-    save_auth(
-        codex_home,
-        &auth_dot_json,
-        AuthCredentialsStoreMode::Ephemeral,
-    )
-}
-
-/// Persist the provided auth payload using the specified backend.
-pub fn save_auth(
-    codex_home: &Path,
-    auth: &AuthDotJson,
-    auth_credentials_store_mode: AuthCredentialsStoreMode,
-) -> std::io::Result<()> {
-    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
-    storage.save(auth)
-}
-
-/// Load CLI auth data using the configured credential store backend.
-/// Returns `None` when no credentials are stored. This function is
-/// provided only for tests. Production code should not directly load
-/// from the auth.json storage. It should use the AuthManager abstraction
-/// instead.
-pub fn load_auth_dot_json(
-    codex_home: &Path,
-    auth_credentials_store_mode: AuthCredentialsStoreMode,
-) -> std::io::Result<Option<AuthDotJson>> {
-    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
-    storage.load()
-}
-
 pub fn enforce_login_restrictions(config: &Config) -> std::io::Result<()> {
     let Some(auth) = load_auth(
         &config.codex_home,
@@ -752,67 +669,6 @@ fn refresh_token_endpoint() -> String {
         .unwrap_or_else(|_| REFRESH_TOKEN_URL.to_string())
 }
 
-impl AuthDotJson {
-    fn from_external_tokens(external: &ExternalAuthTokens) -> std::io::Result<Self> {
-        let mut token_info =
-            parse_chatgpt_jwt_claims(&external.access_token).map_err(std::io::Error::other)?;
-        token_info.chatgpt_account_id = Some(external.chatgpt_account_id.clone());
-        token_info.chatgpt_plan_type = external
-            .chatgpt_plan_type
-            .as_deref()
-            .map(InternalPlanType::from_raw_value)
-            .or(token_info.chatgpt_plan_type)
-            .or(Some(InternalPlanType::Unknown("unknown".to_string())));
-        let tokens = TokenData {
-            id_token: token_info,
-            access_token: external.access_token.clone(),
-            refresh_token: String::new(),
-            account_id: Some(external.chatgpt_account_id.clone()),
-        };
-
-        Ok(Self {
-            auth_mode: Some(ApiAuthMode::ChatgptAuthTokens),
-            openai_api_key: None,
-            tokens: Some(tokens),
-            last_refresh: Some(Utc::now()),
-        })
-    }
-
-    fn from_external_access_token(
-        access_token: &str,
-        chatgpt_account_id: &str,
-        chatgpt_plan_type: Option<&str>,
-    ) -> std::io::Result<Self> {
-        let external = ExternalAuthTokens {
-            access_token: access_token.to_string(),
-            chatgpt_account_id: chatgpt_account_id.to_string(),
-            chatgpt_plan_type: chatgpt_plan_type.map(str::to_string),
-        };
-        Self::from_external_tokens(&external)
-    }
-
-    fn resolved_mode(&self) -> ApiAuthMode {
-        if let Some(mode) = self.auth_mode {
-            return mode;
-        }
-        if self.openai_api_key.is_some() {
-            return ApiAuthMode::ApiKey;
-        }
-        ApiAuthMode::Chatgpt
-    }
-
-    fn storage_mode(
-        &self,
-        auth_credentials_store_mode: AuthCredentialsStoreMode,
-    ) -> AuthCredentialsStoreMode {
-        if self.resolved_mode() == ApiAuthMode::ChatgptAuthTokens {
-            AuthCredentialsStoreMode::Ephemeral
-        } else {
-            auth_credentials_store_mode
-        }
-    }
-}
-
 /// Internal cached auth state.
 #[derive(Clone)]
 struct CachedAuth {
@@ -1412,8 +1268,12 @@ impl AuthManager {
                 ),
             )));
         }
-        let auth_dot_json =
-            AuthDotJson::from_external_tokens(&refreshed).map_err(RefreshTokenError::Transient)?;
+        let auth_dot_json = AuthDotJson::from_external_access_token(
+            &refreshed.access_token,
+            &refreshed.chatgpt_account_id,
+            refreshed.chatgpt_plan_type.as_deref(),
+        )
+        .map_err(RefreshTokenError::Transient)?;
         save_auth(
             &self.codex_home,
             &auth_dot_json,

codex-rs/core/src/auth/storage.rs

@@ -1,336 +1,4 @@
-use chrono::DateTime;
-use chrono::Utc;
-use schemars::JsonSchema;
-use serde::Deserialize;
-use serde::Serialize;
-use sha2::Digest;
-use sha2::Sha256;
-use std::collections::HashMap;
-use std::fmt::Debug;
-use std::fs::File;
-use std::fs::OpenOptions;
-use std::io::Read;
-use std::io::Write;
-#[cfg(unix)]
-use std::os::unix::fs::OpenOptionsExt;
-use std::path::Path;
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::Mutex;
-use tracing::warn;
-
-use crate::token_data::TokenData;
-use codex_app_server_protocol::AuthMode;
-use codex_keyring_store::DefaultKeyringStore;
-use codex_keyring_store::KeyringStore;
-use once_cell::sync::Lazy;
-
-/// Determine where Codex should store CLI auth credentials.
-#[derive(Debug, Default, Copy, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
-#[serde(rename_all = "lowercase")]
-pub enum AuthCredentialsStoreMode {
-    #[default]
-    /// Persist credentials in CODEX_HOME/auth.json.
-    File,
-    /// Persist credentials in the keyring. Fail if unavailable.
-    Keyring,
-    /// Use keyring when available; otherwise, fall back to a file in CODEX_HOME.
-    Auto,
-    /// Store credentials in memory only for the current process.
-    Ephemeral,
-}
-
-/// Expected structure for $CODEX_HOME/auth.json.
-#[derive(Deserialize, Serialize, Clone, Debug, PartialEq)]
-pub struct AuthDotJson {
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub auth_mode: Option<AuthMode>,
-
-    #[serde(rename = "OPENAI_API_KEY")]
-    pub openai_api_key: Option<String>,
-
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub tokens: Option<TokenData>,
-
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub last_refresh: Option<DateTime<Utc>>,
-}
-
-pub(super) fn get_auth_file(codex_home: &Path) -> PathBuf {
-    codex_home.join("auth.json")
-}
-
-pub(super) fn delete_file_if_exists(codex_home: &Path) -> std::io::Result<bool> {
-    let auth_file = get_auth_file(codex_home);
-    match std::fs::remove_file(&auth_file) {
-        Ok(()) => Ok(true),
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(false),
-        Err(err) => Err(err),
-    }
-}
-
-pub(super) trait AuthStorageBackend: Debug + Send + Sync {
-    fn load(&self) -> std::io::Result<Option<AuthDotJson>>;
-    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()>;
-    fn delete(&self) -> std::io::Result<bool>;
-}
-
-#[derive(Clone, Debug)]
-pub(super) struct FileAuthStorage {
-    codex_home: PathBuf,
-}
-
-impl FileAuthStorage {
-    pub(super) fn new(codex_home: PathBuf) -> Self {
-        Self { codex_home }
-    }
-
-    /// Attempt to read and parse the `auth.json` file in the given `CODEX_HOME` directory.
-    /// Returns the full AuthDotJson structure.
-    pub(super) fn try_read_auth_json(&self, auth_file: &Path) -> std::io::Result<AuthDotJson> {
-        let mut file = File::open(auth_file)?;
-        let mut contents = String::new();
-        file.read_to_string(&mut contents)?;
-        let auth_dot_json: AuthDotJson = serde_json::from_str(&contents)?;
-
-        Ok(auth_dot_json)
-    }
-}
-
-impl AuthStorageBackend for FileAuthStorage {
-    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
-        let auth_file = get_auth_file(&self.codex_home);
-        let auth_dot_json = match self.try_read_auth_json(&auth_file) {
-            Ok(auth) => auth,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
-            Err(err) => return Err(err),
-        };
-        Ok(Some(auth_dot_json))
-    }
-
-    fn save(&self, auth_dot_json: &AuthDotJson) -> std::io::Result<()> {
-        let auth_file = get_auth_file(&self.codex_home);
-
-        if let Some(parent) = auth_file.parent() {
-            std::fs::create_dir_all(parent)?;
-        }
-        let json_data = serde_json::to_string_pretty(auth_dot_json)?;
-        let mut options = OpenOptions::new();
-        options.truncate(true).write(true).create(true);
-        #[cfg(unix)]
-        {
-            options.mode(0o600);
-        }
-        let mut file = options.open(auth_file)?;
-        file.write_all(json_data.as_bytes())?;
-        file.flush()?;
-        Ok(())
-    }
-
-    fn delete(&self) -> std::io::Result<bool> {
-        delete_file_if_exists(&self.codex_home)
-    }
-}
-
-const KEYRING_SERVICE: &str = "Codex Auth";
-
-// turns codex_home path into a stable, short key string
-fn compute_store_key(codex_home: &Path) -> std::io::Result<String> {
-    let canonical = codex_home
-        .canonicalize()
-        .unwrap_or_else(|_| codex_home.to_path_buf());
-    let path_str = canonical.to_string_lossy();
-    let mut hasher = Sha256::new();
-    hasher.update(path_str.as_bytes());
-    let digest = hasher.finalize();
-    let hex = format!("{digest:x}");
-    let truncated = hex.get(..16).unwrap_or(&hex);
-    Ok(format!("cli|{truncated}"))
-}
-
-#[derive(Clone, Debug)]
-struct KeyringAuthStorage {
-    codex_home: PathBuf,
-    keyring_store: Arc<dyn KeyringStore>,
-}
-
-impl KeyringAuthStorage {
-    fn new(codex_home: PathBuf, keyring_store: Arc<dyn KeyringStore>) -> Self {
-        Self {
-            codex_home,
-            keyring_store,
-        }
-    }
-
-    fn load_from_keyring(&self, key: &str) -> std::io::Result<Option<AuthDotJson>> {
-        match self.keyring_store.load(KEYRING_SERVICE, key) {
-            Ok(Some(serialized)) => serde_json::from_str(&serialized).map(Some).map_err(|err| {
-                std::io::Error::other(format!(
-                    "failed to deserialize CLI auth from keyring: {err}"
-                ))
-            }),
-            Ok(None) => Ok(None),
-            Err(error) => Err(std::io::Error::other(format!(
-                "failed to load CLI auth from keyring: {}",
-                error.message()
-            ))),
-        }
-    }
-
-    fn save_to_keyring(&self, key: &str, value: &str) -> std::io::Result<()> {
-        match self.keyring_store.save(KEYRING_SERVICE, key, value) {
-            Ok(()) => Ok(()),
-            Err(error) => {
-                let message = format!(
-                    "failed to write OAuth tokens to keyring: {}",
-                    error.message()
-                );
-                warn!("{message}");
-                Err(std::io::Error::other(message))
-            }
-        }
-    }
-}
-
-impl AuthStorageBackend for KeyringAuthStorage {
-    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
-        let key = compute_store_key(&self.codex_home)?;
-        self.load_from_keyring(&key)
-    }
-
-    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
-        let key = compute_store_key(&self.codex_home)?;
-        // Simpler error mapping per style: prefer method reference over closure
-        let serialized = serde_json::to_string(auth).map_err(std::io::Error::other)?;
-        self.save_to_keyring(&key, &serialized)?;
-        if let Err(err) = delete_file_if_exists(&self.codex_home) {
-            warn!("failed to remove CLI auth fallback file: {err}");
-        }
-        Ok(())
-    }
-
-    fn delete(&self) -> std::io::Result<bool> {
-        let key = compute_store_key(&self.codex_home)?;
-        let keyring_removed = self
-            .keyring_store
-            .delete(KEYRING_SERVICE, &key)
-            .map_err(|err| {
-                std::io::Error::other(format!("failed to delete auth from keyring: {err}"))
-            })?;
-        let file_removed = delete_file_if_exists(&self.codex_home)?;
-        Ok(keyring_removed || file_removed)
-    }
-}
-
-#[derive(Clone, Debug)]
-struct AutoAuthStorage {
-    keyring_storage: Arc<KeyringAuthStorage>,
-    file_storage: Arc<FileAuthStorage>,
-}
-
-impl AutoAuthStorage {
-    fn new(codex_home: PathBuf, keyring_store: Arc<dyn KeyringStore>) -> Self {
-        Self {
-            keyring_storage: Arc::new(KeyringAuthStorage::new(codex_home.clone(), keyring_store)),
-            file_storage: Arc::new(FileAuthStorage::new(codex_home)),
-        }
-    }
-}
-
-impl AuthStorageBackend for AutoAuthStorage {
-    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
-        match self.keyring_storage.load() {
-            Ok(Some(auth)) => Ok(Some(auth)),
-            Ok(None) => self.file_storage.load(),
-            Err(err) => {
-                warn!("failed to load CLI auth from keyring, falling back to file storage: {err}");
-                self.file_storage.load()
-            }
-        }
-    }
-
-    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
-        match self.keyring_storage.save(auth) {
-            Ok(()) => Ok(()),
-            Err(err) => {
-                warn!("failed to save auth to keyring, falling back to file storage: {err}");
-                self.file_storage.save(auth)
-            }
-        }
-    }
-
-    fn delete(&self) -> std::io::Result<bool> {
-        // Keyring storage will delete from disk as well
-        self.keyring_storage.delete()
-    }
-}
-
-// A global in-memory store for mapping codex_home -> AuthDotJson.
-static EPHEMERAL_AUTH_STORE: Lazy<Mutex<HashMap<String, AuthDotJson>>> =
-    Lazy::new(|| Mutex::new(HashMap::new()));
-
-#[derive(Clone, Debug)]
-struct EphemeralAuthStorage {
-    codex_home: PathBuf,
-}
-
-impl EphemeralAuthStorage {
-    fn new(codex_home: PathBuf) -> Self {
-        Self { codex_home }
-    }
-
-    fn with_store<F, T>(&self, action: F) -> std::io::Result<T>
-    where
-        F: FnOnce(&mut HashMap<String, AuthDotJson>, String) -> std::io::Result<T>,
-    {
-        let key = compute_store_key(&self.codex_home)?;
-        let mut store = EPHEMERAL_AUTH_STORE
-            .lock()
-            .map_err(|_| std::io::Error::other("failed to lock ephemeral auth storage"))?;
-        action(&mut store, key)
-    }
-}
-
-impl AuthStorageBackend for EphemeralAuthStorage {
-    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
-        self.with_store(|store, key| Ok(store.get(&key).cloned()))
-    }
-
-    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
-        self.with_store(|store, key| {
-            store.insert(key, auth.clone());
-            Ok(())
-        })
-    }
-
-    fn delete(&self) -> std::io::Result<bool> {
-        self.with_store(|store, key| Ok(store.remove(&key).is_some()))
-    }
-}
-
-pub(super) fn create_auth_storage(
-    codex_home: PathBuf,
-    mode: AuthCredentialsStoreMode,
-) -> Arc<dyn AuthStorageBackend> {
-    let keyring_store: Arc<dyn KeyringStore> = Arc::new(DefaultKeyringStore);
-    create_auth_storage_with_keyring_store(codex_home, mode, keyring_store)
-}
-
-fn create_auth_storage_with_keyring_store(
-    codex_home: PathBuf,
-    mode: AuthCredentialsStoreMode,
-    keyring_store: Arc<dyn KeyringStore>,
-) -> Arc<dyn AuthStorageBackend> {
-    match mode {
-        AuthCredentialsStoreMode::File => Arc::new(FileAuthStorage::new(codex_home)),
-        AuthCredentialsStoreMode::Keyring => {
-            Arc::new(KeyringAuthStorage::new(codex_home, keyring_store))
-        }
-        AuthCredentialsStoreMode::Auto => Arc::new(AutoAuthStorage::new(codex_home, keyring_store)),
-        AuthCredentialsStoreMode::Ephemeral => Arc::new(EphemeralAuthStorage::new(codex_home)),
-    }
-}
-
-#[cfg(test)]
-#[path = "storage_tests.rs"]
-mod tests;
+pub use codex_auth::AuthCredentialsStoreMode;
+pub use codex_auth::AuthDotJson;
+pub use codex_auth::AuthStorageBackend;
+pub use codex_auth::create_auth_storage;

codex-rs/core/src/auth_env_telemetry.rs

@@ -1,8 +1,5 @@
 use codex_otel::AuthEnvTelemetryMetadata;
 
-use crate::auth::CODEX_API_KEY_ENV_VAR;
-use crate::auth::OPENAI_API_KEY_ENV_VAR;
-use crate::auth::REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR;
 use crate::model_provider_info::ModelProviderInfo;
 
 #[derive(Debug, Clone, Default, PartialEq, Eq)]
@@ -32,55 +29,17 @@ pub(crate) fn collect_auth_env_telemetry(
     provider: &ModelProviderInfo,
     codex_api_key_env_enabled: bool,
 ) -> AuthEnvTelemetry {
-    AuthEnvTelemetry {
-        openai_api_key_env_present: env_var_present(OPENAI_API_KEY_ENV_VAR),
-        codex_api_key_env_present: env_var_present(CODEX_API_KEY_ENV_VAR),
+    let telemetry = codex_auth::collect_auth_env_telemetry(
+        provider.env_key.is_some(),
+        provider.env_key.as_deref(),
         codex_api_key_env_enabled,
-        // Custom provider `env_key` is arbitrary config text, so emit only a safe bucket.
-        provider_env_key_name: provider.env_key.as_ref().map(|_| "configured".to_string()),
-        provider_env_key_present: provider.env_key.as_deref().map(env_var_present),
-        refresh_token_url_override_present: env_var_present(REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR),
-    }
-}
-
-fn env_var_present(name: &str) -> bool {
-    match std::env::var(name) {
-        Ok(value) => !value.trim().is_empty(),
-        Err(std::env::VarError::NotUnicode(_)) => true,
-        Err(std::env::VarError::NotPresent) => false,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-
-    #[test]
-    fn collect_auth_env_telemetry_buckets_provider_env_key_name() {
-        let provider = ModelProviderInfo {
-            name: "Custom".to_string(),
-            base_url: None,
-            env_key: Some("sk-should-not-leak".to_string()),
-            env_key_instructions: None,
-            experimental_bearer_token: None,
-            wire_api: crate::model_provider_info::WireApi::Responses,
-            query_params: None,
-            http_headers: None,
-            env_http_headers: None,
-            request_max_retries: None,
-            stream_max_retries: None,
-            stream_idle_timeout_ms: None,
-            websocket_connect_timeout_ms: None,
-            requires_openai_auth: false,
-            supports_websockets: false,
-        };
-
-        let telemetry = collect_auth_env_telemetry(&provider, false);
-
-        assert_eq!(
-            telemetry.provider_env_key_name,
-            Some("configured".to_string())
-        );
+    );
+    AuthEnvTelemetry {
+        openai_api_key_env_present: telemetry.openai_api_key_env_present,
+        codex_api_key_env_present: telemetry.codex_api_key_env_present,
+        codex_api_key_env_enabled: telemetry.codex_api_key_env_enabled,
+        provider_env_key_name: telemetry.provider_env_key_name,
+        provider_env_key_present: telemetry.provider_env_key_present,
+        refresh_token_url_override_present: telemetry.refresh_token_url_override_present,
     }
 }

codex-rs/core/src/config_loader/mod.rs

@@ -1,27 +1,18 @@
-mod layer_io;
-#[cfg(target_os = "macos")]
-mod macos;
-
 #[cfg(test)]
 mod tests;
 
 use crate::config::ConfigToml;
-use crate::config_loader::layer_io::LoadedConfigLayers;
 use crate::git_info::resolve_root_git_project_for_trust;
 use codex_app_server_protocol::ConfigLayerSource;
 use codex_config::CONFIG_TOML_FILE;
 use codex_config::ConfigRequirementsWithSources;
-use codex_protocol::config_types::SandboxMode;
 use codex_protocol::config_types::TrustLevel;
-use codex_protocol::protocol::AskForApproval;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::AbsolutePathBufGuard;
 use dunce::canonicalize as normalize_path;
 use serde::Deserialize;
 use std::io;
 use std::path::Path;
-#[cfg(windows)]
-use std::path::PathBuf;
 use toml::Value as TomlValue;
 
 pub use codex_config::AppRequirementToml;
@@ -38,6 +29,7 @@ pub use codex_config::ConfigRequirements;
 pub use codex_config::ConfigRequirementsToml;
 pub use codex_config::ConstrainedWithSource;
 pub use codex_config::FeatureRequirementsToml;
+use codex_config::LoadedConfigLayers;
 pub use codex_config::LoaderOverrides;
 pub use codex_config::McpServerIdentity;
 pub use codex_config::McpServerRequirement;
@@ -55,18 +47,16 @@ pub(crate) use codex_config::config_error_from_toml;
 pub use codex_config::format_config_error;
 pub use codex_config::format_config_error_with_source;
 pub(crate) use codex_config::io_error_from_config_error;
+use codex_config::load_config_layers_internal;
+use codex_config::load_managed_admin_requirements;
+use codex_config::load_requirements_from_legacy_scheme;
+pub(crate) use codex_config::load_requirements_toml;
 pub use codex_config::merge_toml_values;
+use codex_config::system_config_toml_file;
+use codex_config::system_requirements_toml_file;
 #[cfg(test)]
 pub(crate) use codex_config::version_for_toml;
 
-/// On Unix systems, load default settings from this file path, if present.
-/// Note that /etc/codex/ is treated as a "config folder," so subfolders such
-/// as skills/ and rules/ will also be honored.
-pub const SYSTEM_CONFIG_TOML_FILE_UNIX: &str = "/etc/codex/config.toml";
-
-#[cfg(windows)]
-const DEFAULT_PROGRAM_DATA_DIR_WINDOWS: &str = r"C:\ProgramData";
-
 const DEFAULT_PROJECT_ROOT_MARKERS: &[&str] = &[".git"];
 
 pub(crate) async fn first_layer_config_error(layers: &ConfigLayerStack) -> Option<ConfigError> {
@@ -125,8 +115,7 @@ pub async fn load_config_layers_state(
             .merge_unset_fields(RequirementSource::CloudRequirements, requirements);
     }
 
-    #[cfg(target_os = "macos")]
-    macos::load_managed_admin_requirements_toml(
+    load_managed_admin_requirements(
         &mut config_requirements_toml,
         overrides
             .macos_managed_config_requirements_base64
@@ -140,7 +129,7 @@ pub async fn load_config_layers_state(
 
     // Make a best-effort to support the legacy `managed_config.toml` as a
     // requirements specification.
-    let loaded_config_layers = layer_io::load_config_layers_internal(codex_home, overrides).await?;
+    let loaded_config_layers = load_config_layers_internal(codex_home, overrides).await?;
     load_requirements_from_legacy_scheme(
         &mut config_requirements_toml,
         loaded_config_layers.clone(),
@@ -343,185 +332,6 @@ async fn load_config_toml_for_required_layer(
     Ok(create_entry(toml_value))
 }
 
-/// If available, apply requirements from the platform system
-/// `requirements.toml` location to `config_requirements_toml` by filling in
-/// any unset fields.
-async fn load_requirements_toml(
-    config_requirements_toml: &mut ConfigRequirementsWithSources,
-    requirements_toml_file: impl AsRef<Path>,
-) -> io::Result<()> {
-    let requirements_toml_file =
-        AbsolutePathBuf::from_absolute_path(requirements_toml_file.as_ref())?;
-    match tokio::fs::read_to_string(&requirements_toml_file).await {
-        Ok(contents) => {
-            let requirements_config: ConfigRequirementsToml =
-                toml::from_str(&contents).map_err(|e| {
-                    io::Error::new(
-                        io::ErrorKind::InvalidData,
-                        format!(
-                            "Error parsing requirements file {}: {e}",
-                            requirements_toml_file.as_ref().display(),
-                        ),
-                    )
-                })?;
-            config_requirements_toml.merge_unset_fields(
-                RequirementSource::SystemRequirementsToml {
-                    file: requirements_toml_file.clone(),
-                },
-                requirements_config,
-            );
-        }
-        Err(e) => {
-            if e.kind() != io::ErrorKind::NotFound {
-                return Err(io::Error::new(
-                    e.kind(),
-                    format!(
-                        "Failed to read requirements file {}: {e}",
-                        requirements_toml_file.as_ref().display(),
-                    ),
-                ));
-            }
-        }
-    }
-
-    Ok(())
-}
-
-#[cfg(unix)]
-fn system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
-    AbsolutePathBuf::from_absolute_path(Path::new("/etc/codex/requirements.toml"))
-}
-
-#[cfg(windows)]
-fn system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
-    windows_system_requirements_toml_file()
-}
-
-#[cfg(unix)]
-fn system_config_toml_file() -> io::Result<AbsolutePathBuf> {
-    AbsolutePathBuf::from_absolute_path(Path::new(SYSTEM_CONFIG_TOML_FILE_UNIX))
-}
-
-#[cfg(windows)]
-fn system_config_toml_file() -> io::Result<AbsolutePathBuf> {
-    windows_system_config_toml_file()
-}
-
-#[cfg(windows)]
-fn windows_codex_system_dir() -> PathBuf {
-    let program_data = windows_program_data_dir_from_known_folder().unwrap_or_else(|err| {
-        tracing::warn!(
-            error = %err,
-            "Failed to resolve ProgramData known folder; using default path"
-        );
-        PathBuf::from(DEFAULT_PROGRAM_DATA_DIR_WINDOWS)
-    });
-    program_data.join("OpenAI").join("Codex")
-}
-
-#[cfg(windows)]
-fn windows_system_requirements_toml_file() -> io::Result<AbsolutePathBuf> {
-    let requirements_toml_file = windows_codex_system_dir().join("requirements.toml");
-    AbsolutePathBuf::try_from(requirements_toml_file)
-}
-
-#[cfg(windows)]
-fn windows_system_config_toml_file() -> io::Result<AbsolutePathBuf> {
-    let config_toml_file = windows_codex_system_dir().join("config.toml");
-    AbsolutePathBuf::try_from(config_toml_file)
-}
-
-#[cfg(windows)]
-fn windows_program_data_dir_from_known_folder() -> io::Result<PathBuf> {
-    use std::ffi::OsString;
-    use std::os::windows::ffi::OsStringExt;
-    use windows_sys::Win32::System::Com::CoTaskMemFree;
-    use windows_sys::Win32::UI::Shell::FOLDERID_ProgramData;
-    use windows_sys::Win32::UI::Shell::KF_FLAG_DEFAULT;
-    use windows_sys::Win32::UI::Shell::SHGetKnownFolderPath;
-
-    let mut path_ptr = std::ptr::null_mut::<u16>();
-    let known_folder_flags = u32::try_from(KF_FLAG_DEFAULT).map_err(|_| {
-        io::Error::other(format!(
-            "KF_FLAG_DEFAULT did not fit in u32: {KF_FLAG_DEFAULT}"
-        ))
-    })?;
-    // Known folder IDs reference:
-    // https://learn.microsoft.com/en-us/windows/win32/shell/knownfolderid
-    // SAFETY: SHGetKnownFolderPath initializes path_ptr with a CoTaskMem-allocated,
-    // null-terminated UTF-16 string on success.
-    let hr = unsafe {
-        SHGetKnownFolderPath(&FOLDERID_ProgramData, known_folder_flags, 0, &mut path_ptr)
-    };
-    if hr != 0 {
-        return Err(io::Error::other(format!(
-            "SHGetKnownFolderPath(FOLDERID_ProgramData) failed with HRESULT {hr:#010x}"
-        )));
-    }
-    if path_ptr.is_null() {
-        return Err(io::Error::other(
-            "SHGetKnownFolderPath(FOLDERID_ProgramData) returned a null pointer",
-        ));
-    }
-
-    // SAFETY: path_ptr is a valid null-terminated UTF-16 string allocated by
-    // SHGetKnownFolderPath and must be freed with CoTaskMemFree.
-    let path = unsafe {
-        let mut len = 0usize;
-        while *path_ptr.add(len) != 0 {
-            len += 1;
-        }
-        let wide = std::slice::from_raw_parts(path_ptr, len);
-        let path = PathBuf::from(OsString::from_wide(wide));
-        CoTaskMemFree(path_ptr.cast());
-        path
-    };
-
-    Ok(path)
-}
-
-async fn load_requirements_from_legacy_scheme(
-    config_requirements_toml: &mut ConfigRequirementsWithSources,
-    loaded_config_layers: LoadedConfigLayers,
-) -> io::Result<()> {
-    // In this implementation, earlier layers cannot be overwritten by later
-    // layers, so list managed_config_from_mdm first because it has the highest
-    // precedence.
-    let LoadedConfigLayers {
-        managed_config,
-        managed_config_from_mdm,
-    } = loaded_config_layers;
-
-    for (source, config) in managed_config_from_mdm
-        .map(|config| {
-            (
-                RequirementSource::LegacyManagedConfigTomlFromMdm,
-                config.managed_config,
-            )
-        })
-        .into_iter()
-        .chain(managed_config.map(|c| {
-            (
-                RequirementSource::LegacyManagedConfigTomlFromFile { file: c.file },
-                c.managed_config,
-            )
-        }))
-    {
-        let legacy_config: LegacyManagedConfigToml =
-            config.try_into().map_err(|err: toml::de::Error| {
-                io::Error::new(
-                    io::ErrorKind::InvalidData,
-                    format!("Failed to parse config requirements as TOML: {err}"),
-                )
-            })?;
-
-        let new_requirements_toml = ConfigRequirementsToml::from(legacy_config);
-        config_requirements_toml.merge_unset_fields(source, new_requirements_toml);
-    }
-
-    Ok(())
-}
-
 /// Reads `project_root_markers` from the [toml::Value] produced by merging
 /// `config.toml` from the config layers in the stack preceding
 /// [ConfigLayerSource::Project].
@@ -895,51 +705,12 @@ async fn load_project_layers(
     Ok(layers)
 }
 
-/// The legacy mechanism for specifying admin-enforced configuration is to read
-/// from a file like `/etc/codex/managed_config.toml` that has the same
-/// structure as `config.toml` where fields like `approval_policy` can specify
-/// exactly one value rather than a list of allowed values.
-///
-/// If present, re-interpret `managed_config.toml` as a `requirements.toml`
-/// where each specified field is treated as a constraint allowing only that
-/// value.
-#[derive(Deserialize, Debug, Clone, Default, PartialEq)]
-struct LegacyManagedConfigToml {
-    approval_policy: Option<AskForApproval>,
-    sandbox_mode: Option<SandboxMode>,
-}
-
-impl From<LegacyManagedConfigToml> for ConfigRequirementsToml {
-    fn from(legacy: LegacyManagedConfigToml) -> Self {
-        let mut config_requirements_toml = ConfigRequirementsToml::default();
-
-        let LegacyManagedConfigToml {
-            approval_policy,
-            sandbox_mode,
-        } = legacy;
-        if let Some(approval_policy) = approval_policy {
-            config_requirements_toml.allowed_approval_policies = Some(vec![approval_policy]);
-        }
-        if let Some(sandbox_mode) = sandbox_mode {
-            let required_mode: SandboxModeRequirement = sandbox_mode.into();
-            // Allowing read-only is a requirement for Codex to function correctly.
-            // So in this backfill path, we append read-only if it's not already specified.
-            let mut allowed_modes = vec![SandboxModeRequirement::ReadOnly];
-            if required_mode != SandboxModeRequirement::ReadOnly {
-                allowed_modes.push(required_mode);
-            }
-            config_requirements_toml.allowed_sandbox_modes = Some(allowed_modes);
-        }
-        config_requirements_toml
-    }
-}
-
 // Cannot name this `mod tests` because of tests.rs in this folder.
 #[cfg(test)]
 mod unit_tests {
     use super::*;
-    #[cfg(windows)]
-    use std::path::Path;
+    use codex_config::ManagedConfigFromFile;
+    use codex_protocol::protocol::SandboxPolicy;
     use tempfile::tempdir;
 
     #[test]
@@ -979,65 +750,81 @@ foo = "xyzzy"
         Ok(())
     }
 
-    #[test]
-    fn legacy_managed_config_backfill_includes_read_only_sandbox_mode() {
-        let legacy = LegacyManagedConfigToml {
-            approval_policy: None,
-            sandbox_mode: Some(SandboxMode::WorkspaceWrite),
+    #[tokio::test]
+    async fn legacy_managed_config_backfill_includes_read_only_sandbox_mode() {
+        let tmp = tempdir().expect("tempdir");
+        let managed_path = AbsolutePathBuf::try_from(tmp.path().join("managed_config.toml"))
+            .expect("managed path");
+        let loaded_layers = LoadedConfigLayers {
+            managed_config: Some(ManagedConfigFromFile {
+                managed_config: toml::toml! {
+                    sandbox_mode = "workspace-write"
+                }
+                .into(),
+                file: managed_path.clone(),
+            }),
+            managed_config_from_mdm: None,
         };
-
-        let requirements = ConfigRequirementsToml::from(legacy);
+        let mut requirements_with_sources = ConfigRequirementsWithSources::default();
+        load_requirements_from_legacy_scheme(&mut requirements_with_sources, loaded_layers)
+            .await
+            .expect("load legacy requirements");
+        let requirements: ConfigRequirements = requirements_with_sources
+            .try_into()
+            .expect("requirements parse");
 
         assert_eq!(
-            requirements.allowed_sandbox_modes,
-            Some(vec![
-                SandboxModeRequirement::ReadOnly,
-                SandboxModeRequirement::WorkspaceWrite
-            ])
+            requirements.sandbox_policy.get(),
+            &SandboxPolicy::new_read_only_policy()
+        );
+        assert!(
+            requirements
+                .sandbox_policy
+                .can_set(&SandboxPolicy::new_workspace_write_policy())
+                .is_ok()
+        );
+        assert_eq!(
+            requirements
+                .sandbox_policy
+                .can_set(&SandboxPolicy::DangerFullAccess),
+            Err(codex_config::ConstraintError::InvalidValue {
+                field_name: "sandbox_mode",
+                candidate: "DangerFullAccess".into(),
+                allowed: "[ReadOnly, WorkspaceWrite]".into(),
+                requirement_source: RequirementSource::LegacyManagedConfigTomlFromFile {
+                    file: managed_path,
+                },
+            })
         );
     }
 
     #[cfg(windows)]
     #[test]
     fn windows_system_requirements_toml_file_uses_expected_suffix() {
-        let expected = windows_program_data_dir_from_known_folder()
-            .unwrap_or_else(|_| PathBuf::from(DEFAULT_PROGRAM_DATA_DIR_WINDOWS))
-            .join("OpenAI")
-            .join("Codex")
-            .join("requirements.toml");
-        assert_eq!(
-            windows_system_requirements_toml_file()
-                .expect("requirements.toml path")
-                .as_path(),
-            expected.as_path()
-        );
         assert!(
-            windows_system_requirements_toml_file()
+            system_requirements_toml_file()
                 .expect("requirements.toml path")
                 .as_path()
-                .ends_with(Path::new("OpenAI").join("Codex").join("requirements.toml"))
+                .ends_with(
+                    std::path::Path::new("OpenAI")
+                        .join("Codex")
+                        .join("requirements.toml")
+                )
         );
     }
 
     #[cfg(windows)]
     #[test]
     fn windows_system_config_toml_file_uses_expected_suffix() {
-        let expected = windows_program_data_dir_from_known_folder()
-            .unwrap_or_else(|_| PathBuf::from(DEFAULT_PROGRAM_DATA_DIR_WINDOWS))
-            .join("OpenAI")
-            .join("Codex")
-            .join("config.toml");
-        assert_eq!(
-            windows_system_config_toml_file()
-                .expect("config.toml path")
-                .as_path(),
-            expected.as_path()
-        );
         assert!(
-            windows_system_config_toml_file()
+            system_config_toml_file()
                 .expect("config.toml path")
                 .as_path()
-                .ends_with(Path::new("OpenAI").join("Codex").join("config.toml"))
+                .ends_with(
+                    std::path::Path::new("OpenAI")
+                        .join("Codex")
+                        .join("config.toml")
+                )
         );
     }
 }

codex-rs/core/src/token_data.rs

@@ -1,178 +1,9 @@
-use base64::Engine;
-use serde::Deserialize;
-use serde::Serialize;
-use thiserror::Error;
-
-#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
-pub struct TokenData {
-    /// Flat info parsed from the JWT in auth.json.
-    #[serde(
-        deserialize_with = "deserialize_id_token",
-        serialize_with = "serialize_id_token"
-    )]
-    pub id_token: IdTokenInfo,
-
-    /// This is a JWT.
-    pub access_token: String,
-
-    pub refresh_token: String,
-
-    pub account_id: Option<String>,
-}
-
-/// Flat subset of useful claims in id_token from auth.json.
-#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
-pub struct IdTokenInfo {
-    pub email: Option<String>,
-    /// The ChatGPT subscription plan type
-    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
-    /// (Note: values may vary by backend.)
-    pub(crate) chatgpt_plan_type: Option<PlanType>,
-    /// ChatGPT user identifier associated with the token, if present.
-    pub chatgpt_user_id: Option<String>,
-    /// Organization/workspace identifier associated with the token, if present.
-    pub chatgpt_account_id: Option<String>,
-    pub raw_jwt: String,
-}
-
-impl IdTokenInfo {
-    pub fn get_chatgpt_plan_type(&self) -> Option<String> {
-        self.chatgpt_plan_type.as_ref().map(|t| match t {
-            PlanType::Known(plan) => format!("{plan:?}"),
-            PlanType::Unknown(s) => s.clone(),
-        })
-    }
-
-    pub fn is_workspace_account(&self) -> bool {
-        matches!(
-            self.chatgpt_plan_type,
-            Some(PlanType::Known(
-                KnownPlan::Team | KnownPlan::Business | KnownPlan::Enterprise | KnownPlan::Edu
-            ))
-        )
-    }
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(untagged)]
-pub(crate) enum PlanType {
-    Known(KnownPlan),
-    Unknown(String),
-}
-
-impl PlanType {
-    pub(crate) fn from_raw_value(raw: &str) -> Self {
-        match raw.to_ascii_lowercase().as_str() {
-            "free" => Self::Known(KnownPlan::Free),
-            "go" => Self::Known(KnownPlan::Go),
-            "plus" => Self::Known(KnownPlan::Plus),
-            "pro" => Self::Known(KnownPlan::Pro),
-            "team" => Self::Known(KnownPlan::Team),
-            "business" => Self::Known(KnownPlan::Business),
-            "enterprise" => Self::Known(KnownPlan::Enterprise),
-            "education" | "edu" => Self::Known(KnownPlan::Edu),
-            _ => Self::Unknown(raw.to_string()),
-        }
-    }
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "lowercase")]
-pub(crate) enum KnownPlan {
-    Free,
-    Go,
-    Plus,
-    Pro,
-    Team,
-    Business,
-    Enterprise,
-    Edu,
-}
-
-#[derive(Deserialize)]
-struct IdClaims {
-    #[serde(default)]
-    email: Option<String>,
-    #[serde(rename = "https://api.openai.com/profile", default)]
-    profile: Option<ProfileClaims>,
-    #[serde(rename = "https://api.openai.com/auth", default)]
-    auth: Option<AuthClaims>,
-}
-
-#[derive(Deserialize)]
-struct ProfileClaims {
-    #[serde(default)]
-    email: Option<String>,
-}
-
-#[derive(Deserialize)]
-struct AuthClaims {
-    #[serde(default)]
-    chatgpt_plan_type: Option<PlanType>,
-    #[serde(default)]
-    chatgpt_user_id: Option<String>,
-    #[serde(default)]
-    user_id: Option<String>,
-    #[serde(default)]
-    chatgpt_account_id: Option<String>,
-}
-
-#[derive(Debug, Error)]
-pub enum IdTokenInfoError {
-    #[error("invalid ID token format")]
-    InvalidFormat,
-    #[error(transparent)]
-    Base64(#[from] base64::DecodeError),
-    #[error(transparent)]
-    Json(#[from] serde_json::Error),
-}
-
-pub fn parse_chatgpt_jwt_claims(jwt: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
-    // JWT format: header.payload.signature
-    let mut parts = jwt.split('.');
-    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
-        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
-        _ => return Err(IdTokenInfoError::InvalidFormat),
-    };
-
-    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
-    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;
-    let email = claims
-        .email
-        .or_else(|| claims.profile.and_then(|profile| profile.email));
-
-    match claims.auth {
-        Some(auth) => Ok(IdTokenInfo {
-            email,
-            raw_jwt: jwt.to_string(),
-            chatgpt_plan_type: auth.chatgpt_plan_type,
-            chatgpt_user_id: auth.chatgpt_user_id.or(auth.user_id),
-            chatgpt_account_id: auth.chatgpt_account_id,
-        }),
-        None => Ok(IdTokenInfo {
-            email,
-            raw_jwt: jwt.to_string(),
-            chatgpt_plan_type: None,
-            chatgpt_user_id: None,
-            chatgpt_account_id: None,
-        }),
-    }
-}
-
-fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
-where
-    D: serde::Deserializer<'de>,
-{
-    let s = String::deserialize(deserializer)?;
-    parse_chatgpt_jwt_claims(&s).map_err(serde::de::Error::custom)
-}
-
-fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>
-where
-    S: serde::Serializer,
-{
-    serializer.serialize_str(&id_token.raw_jwt)
-}
+pub use codex_auth::IdTokenInfo;
+pub use codex_auth::IdTokenInfoError;
+pub use codex_auth::KnownPlan;
+pub use codex_auth::PlanType;
+pub use codex_auth::TokenData;
+pub use codex_auth::parse_chatgpt_jwt_claims;
 
 #[cfg(test)]
 #[path = "token_data_tests.rs"]

codex-rs/core/tests/common/Cargo.toml

@@ -11,6 +11,7 @@ path = "lib.rs"
 anyhow = { workspace = true }
 assert_cmd = { workspace = true }
 base64 = { workspace = true }
+codex-auth = { workspace = true }
 codex-core = { workspace = true }
 codex-protocol = { workspace = true }
 codex-utils-absolute-path = { workspace = true }

codex-rs/core/tests/common/test_codex_exec.rs

@@ -1,5 +1,5 @@
 #![allow(clippy::expect_used)]
-use codex_core::auth::CODEX_API_KEY_ENV_VAR;
+use codex_auth::CODEX_API_KEY_ENV_VAR;
 use std::path::Path;
 use tempfile::TempDir;
 use wiremock::MockServer;

codex-rs/core/tests/suite/cli_stream.rs

@@ -1,5 +1,4 @@
 use assert_cmd::Command as AssertCommand;
-use codex_core::auth::CODEX_API_KEY_ENV_VAR;
 use codex_protocol::protocol::GitInfo;
 use codex_utils_cargo_bin::find_resource;
 use core_test_support::fs_wait;

codex-rs/core/tests/suite/realtime_conversation.rs

@@ -1,8 +1,8 @@
 use anyhow::Context;
 use anyhow::Result;
 use chrono::Utc;
+use codex_auth::OPENAI_API_KEY_ENV_VAR;
 use codex_core::CodexAuth;
-use codex_core::auth::OPENAI_API_KEY_ENV_VAR;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::CodexErrorInfo;
 use codex_protocol::protocol::ConversationAudioParams;

codex-rs/login/Cargo.toml

@@ -11,6 +11,7 @@ workspace = true
 base64 = { workspace = true }
 chrono = { workspace = true, features = ["serde"] }
 codex-client = { workspace = true }
+codex-auth = { workspace = true }
 codex-core = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 rand = { workspace = true }

codex-rs/login/src/lib.rs

@@ -2,6 +2,13 @@ mod device_code_auth;
 mod pkce;
 mod server;
 
+pub use codex_auth::AuthDotJson;
+pub use codex_auth::CODEX_API_KEY_ENV_VAR;
+pub use codex_auth::OPENAI_API_KEY_ENV_VAR;
+pub use codex_auth::TokenData;
+pub use codex_auth::login_with_api_key;
+pub use codex_auth::logout;
+pub use codex_auth::save_auth;
 pub use codex_client::BuildCustomCaTransportError as BuildLoginHttpClientError;
 pub use device_code_auth::DeviceCode;
 pub use device_code_auth::complete_device_code_login;
@@ -16,11 +23,4 @@ pub use server::run_login_server;
 pub use codex_app_server_protocol::AuthMode;
 pub use codex_core::AuthManager;
 pub use codex_core::CodexAuth;
-pub use codex_core::auth::AuthDotJson;
 pub use codex_core::auth::CLIENT_ID;
-pub use codex_core::auth::CODEX_API_KEY_ENV_VAR;
-pub use codex_core::auth::OPENAI_API_KEY_ENV_VAR;
-pub use codex_core::auth::login_with_api_key;
-pub use codex_core::auth::logout;
-pub use codex_core::auth::save_auth;
-pub use codex_core::token_data::TokenData;

codex-rs/login/src/server.rs

@@ -28,13 +28,13 @@ use crate::pkce::generate_pkce;
 use base64::Engine;
 use chrono::Utc;
 use codex_app_server_protocol::AuthMode;
+use codex_auth::AuthCredentialsStoreMode;
+use codex_auth::AuthDotJson;
+use codex_auth::TokenData;
+use codex_auth::parse_chatgpt_jwt_claims;
+use codex_auth::save_auth;
 use codex_client::build_reqwest_client_with_custom_ca;
-use codex_core::auth::AuthCredentialsStoreMode;
-use codex_core::auth::AuthDotJson;
-use codex_core::auth::save_auth;
 use codex_core::default_client::originator;
-use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_chatgpt_jwt_claims;
 use rand::RngCore;
 use serde_json::Value as JsonValue;
 use tiny_http::Header;