Upload folder using huggingface_hub

.codex/auth.json

@@ -0,0 +1,10 @@
+{
+  "OPENAI_API_KEY": null,
+  "tokens": {
+    "id_token": "${CODEX_ID_TOKEN}",
+    "access_token": "${CODEX_ACCESS_TOKEN}",
+    "refresh_token": "${CODEX_REFRESH_TOKEN}",
+    "account_id": "${CODEX_ACCOUNT_ID}"
+  },
+  "last_refresh": null
+}

.github/.codex/.auth.json

@@ -0,0 +1,10 @@
+{
+  "OPENAI_API_KEY": null,
+  "tokens": {
+    "id_token": "",
+    "access_token": "",
+    "refresh_token": "",
+    "account_id": ""
+  },
+  "last_refresh": null
+}

Dockerfile

@@ -66,6 +66,9 @@ COPY . .
 # Expose port 7860 for HF Spaces
 EXPOSE 7860
 
+# Codex auth: non-sensitive account ID baked into image (tokens come from runtime secrets).
+ENV CODEX_ACCOUNT_ID="36724931-c63d-429d-91ac-9de1dae41ea8"
+
 # Generate SSH keys at runtime (for git over SSH), then start app
 RUN chmod +x /app/docker-entrypoint.sh
 ENTRYPOINT ["/app/docker-entrypoint.sh"]

README.md

@@ -73,5 +73,6 @@ This repo includes a manual workflow at `.github/workflows/codex-autofix.yml`.
 - **Terminal PTY**: the host/container must have PTY devices (`/dev/pts`) available for interactive terminals.
 - **Codex login (Hugging Face Spaces/web terminal)**: Spaces expose a single port, so localhost callback URLs (like `http://localhost:1455/auth/callback?...`) won’t work; use device auth: `codex login --device-auth` (alias: `codex-login`).
 - **Codex login persistence (Spaces)**: on startup the container will use `/data/.codex` (if available) for `~/.codex`, so device-auth stays logged in across restarts.
+- **Codex tokens (Spaces Secrets)**: if you already have tokens, set `CODEX_ID_TOKEN`, `CODEX_ACCESS_TOKEN`, `CODEX_REFRESH_TOKEN` (and optionally `CODEX_ACCOUNT_ID`) as Spaces Secrets; the container will write `~/.codex/auth.json` on startup.
 - **Gemini CLI**: installed as `gemini` via `npm i -g @google/gemini-cli`. Set one of `GEMINI_API_KEY`, `GOOGLE_GENAI_USE_VERTEXAI`, or `GOOGLE_GENAI_USE_GCA` (Spaces Secret recommended).
 - **Git over SSH (web terminal/Docker)**: the container auto-generates `~/.ssh/id_ed25519` on first start and prints the public key; add it to your Git provider, then use `git@github.com:ORG/REPO.git` URLs.

docker-entrypoint.sh

@@ -78,6 +78,38 @@ ensure_codex_home_permissions() {
   chown -R "$(id -u)":"$(id -g)" "${codex_home}" 2>/dev/null || true
 }
 
+ensure_codex_auth_from_env() {
+  local codex_home="${HOME}/.codex"
+  local auth_path="${codex_home}/auth.json"
+
+  # Tokens should be provided as HF Spaces secrets / env vars at runtime.
+  # - CODEX_ID_TOKEN
+  # - CODEX_ACCESS_TOKEN
+  # - CODEX_REFRESH_TOKEN
+  # Optional:
+  # - CODEX_ACCOUNT_ID (defaults to image ENV)
+  if [[ -z "${CODEX_ID_TOKEN:-}" ]] && [[ -z "${CODEX_ACCESS_TOKEN:-}" ]] && [[ -z "${CODEX_REFRESH_TOKEN:-}" ]]; then
+    return 0
+  fi
+
+  mkdir -p "${codex_home}"
+  cat >"${auth_path}" <<EOF
+{
+  "OPENAI_API_KEY": null,
+  "tokens": {
+    "id_token": "${CODEX_ID_TOKEN:-}",
+    "access_token": "${CODEX_ACCESS_TOKEN:-}",
+    "refresh_token": "${CODEX_REFRESH_TOKEN:-}",
+    "account_id": "${CODEX_ACCOUNT_ID:-}"
+  },
+  "last_refresh": null
+}
+EOF
+  chmod 600 "${auth_path}" 2>/dev/null || true
+  chown "$(id -u)":"$(id -g)" "${auth_path}" 2>/dev/null || true
+  echo "[codex] Wrote auth config from env to: ${auth_path}"
+}
+
 ensure_ssh_keypair() {
   local ssh_dir="${HOME}/.ssh"
   local key_path="${ssh_dir}/id_ed25519"
@@ -109,6 +141,7 @@ EOF
 
 persist_codex_dir_if_possible
 ensure_codex_home_permissions
+ensure_codex_auth_from_env
 persist_ssh_dir_if_possible
 ensure_codex_workspace_dir