feat: add run task identity primitives#19047
Open
adrian-openai wants to merge 1 commit into
Open
Conversation
This was referenced Apr 22, 2026
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-env-jwt
branch
from
c588673 to
c74a2f3
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
3254ce5 to
0324e8a
Compare
adrian-openai
changed the title
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
0324e8a to
2685c9e
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
2685c9e to
55dced3
Compare
adrian-openai
changed the title
adrian-openai
requested review from
efrazer-oai,
nicksteele-oai and
pakrym-oai
and removed request for
efrazer-oai and
pakrym-oai
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-env-jwt
branch
3 times, most recently
from
8d2470f to
c5d5e7c
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
2 times, most recently
from
baf2618 to
110e2a4
Compare
tigrantsat-openai
left a comment
tigrantsat-openai
left a comment
There was a problem hiding this comment.
Let's ensure full set of features + launching internally before enabling into codex.
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
2 times, most recently
from
0e79c01 to
03963fc
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
03963fc to
8810088
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
8810088 to
ef4a89f
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
4 times, most recently
from
1d62ce5 to
f220d79
Compare
adrian-openai
commented
Jun 9, 2026
adrian-openai
commented
Jun 9, 2026
adrian-openai
commented
Jun 9, 2026
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
2 times, most recently
from
134085f to
d13cbcc
Compare
adrian-openai
changed the title
adrian-openai
commented
Jun 10, 2026
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
3 times, most recently
from
7026cbc to
d7289e0
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
3 times, most recently
from
2b9ca9a to
7f15c05
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
7f15c05 to
796f8f0
Compare
Zemnmez
approved these changes
Jun 10, 2026
|
|
||
| pub fn agent_identity_jwks_url(chatgpt_base_url: &str) -> String { | ||
| let trimmed = chatgpt_base_url.trim_end_matches('/'); | ||
| pub fn agent_identity_jwks_url(agent_identity_jwt_base_url: &str) -> String { |
There was a problem hiding this comment.
i think in future this should be the standard issuer derivation (i.e. https://[agent_id].something.something/.well-known) so this doesn't have to be so specific
| task_id: task_id.to_string(), | ||
| timestamp: timestamp.clone(), | ||
| signature: sign_agent_assertion_payload(key, target.task_id, ×tamp)?, | ||
| signature: sign_agent_assertion_payload(key, task_id, ×tamp)?, |
There was a problem hiding this comment.
In future let's remove the signature collision via JSON.stringify([ field_1, field_2, field_3 ]) or something to that effect.
| ) -> String { | ||
| agent_identity_authapi_url( | ||
| agent_identity_authapi_base_url, | ||
| &format!("/v1/agent/{agent_runtime_id}/task/register"), |
There was a problem hiding this comment.
the agent_runtime_id needs to be escaped, clamped or have other URL parts stripped
| )) | ||
| fn agent_identity_authapi_url(agent_identity_authapi_base_url: &str, api_path: &str) -> String { | ||
| let base_url = normalize_agent_identity_authapi_base_url(agent_identity_authapi_base_url); | ||
| format!("{base_url}{api_path}") |
There was a problem hiding this comment.
would be great to do this via a proper URL construction rather than a naiive string concatenation
|
|
||
| pub fn agent_identity_authapi_base_url_from_chatgpt_base_url(chatgpt_base_url: &str) -> String { | ||
| let mut base_url = chatgpt_base_url.trim_end_matches('/').to_string(); | ||
| for suffix in [ |
There was a problem hiding this comment.
this seems very brittle but is probably fine for v0
| break; | ||
| } | ||
| } | ||
| if matches!( |
There was a problem hiding this comment.
perhaps we can build all these mappings statically? so there's no ambiguity at runtime?
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
796f8f0 to
d7994fd
Compare
adrian-openai
force-pushed
the
dev/adrian/codex/hai-task-primitives
branch
from
d7994fd to
bcf4294
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stack
This is PR 1 of the simplified HAI single-run-task stack:
#19054 collapsed out of the active stack because the simplified design no longer needs a separate background/control-plane task helper.
Summary
The simplified POC shape is one backend-owned task per Agent Identity run. This PR makes the first layer match that final shape directly instead of introducing task targets, caller-owned external task refs, or intermediate wrappers that later PRs would need to undo.
What changed:
AgentAssertionwire payload asagent_runtime_id,task_id,timestamp, andsignatureregister_agent_taskas the single task-registration helper for both existing Agent Identity JWT auth and the ChatGPT-registration path added later in the stackcodex-agent-identityThis PR intentionally does not enable ChatGPT-derived Agent Identity. That opt-in and config gate are added in the next PR.
Testing
just test -p codex-agent-identity