codex websocket responses support

[akshaydeo]

Summary

Updates AWS SDK for Go v2 dependencies to their latest versions and fixes virtual key handling in WebSocket responses by removing incorrect prefix trimming.

Changes

• Updated AWS SDK for Go v2 from v1.41.0 to v1.41.3 and related services
• Updated smithy-go from v1.24.0 to v1.24.2
• Updated maxim-go dependency from v0.1.16 to v0.2.0
• Fixed virtual key handling in WebSocket responses by preserving the full "sk-bf-" prefixed token instead of incorrectly trimming it
• Minor formatting fix (spacing alignment)

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (Next.js)
• Docs

How to test

Validate the dependency updates and virtual key handling:

# Core/Transports
go version
go test ./...

# Test WebSocket virtual key handling
# Ensure tokens with "sk-bf-" prefix are properly handled without trimming

The virtual key fix ensures that Bearer tokens starting with "sk-bf-" are stored with their full value rather than having the prefix incorrectly removed.

Screenshots/Recordings

N/A - Dependency updates and backend logic fix

Breaking changes

• Yes
• No

Related issues

N/A

Security considerations

The virtual key handling fix ensures proper token validation and storage, maintaining security boundaries for API key authentication.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores

  • Updated AWS SDK for Go v2 and all related submodules to newer patch versions across core, framework, plugin modules, and transports
  • Updated Smithy dependency and other indirect dependencies to ensure compatibility

• Bug Fixes

  • Fixed Bearer token extraction and handling logic in HTTP request processing layer

Walkthrough

AWS SDK for Go v2 dependencies across multiple modules are updated to newer patch versions (v1.41.0 → v1.41.3, v1.32.6 → v1.32.11, etc.), alongside smithy-go updates. One code change modifies Bearer token extraction in the Bifrost HTTP handler to preserve the sk-bf- prefix.

Changes

Cohort / File(s)	Summary
AWS SDK v2 Dependency Updates core/go.mod, framework/go.mod, transports/go.mod, plugins/governance/go.mod, plugins/jsonparser/go.mod, plugins/litellmcompat/go.mod, plugins/logging/go.mod, plugins/mocker/go.mod, plugins/otel/go.mod, plugins/semanticcache/go.mod, plugins/telemetry/go.mod	Consistent version bumps across AWS SDK v2 modules (aws-sdk-go-v2 v1.41.0→v1.41.3, config v1.32.6→v1.32.11, credentials v1.19.6→v1.19.11, etc.) and smithy-go v1.24.0→v1.24.2. transports/go.mod also updates maximhq/maxim-go v0.1.16→v0.2.0.
Bearer Token Processing transports/bifrost-http/handlers/wsresponses.go	Modified virtual-key derivation for Bearer tokens to preserve the sk-bf- prefix in the extracted token value instead of trimming it.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• danpiths

Poem

🐰 Hop along the dependency tree so tall,
AWS SDKs get patched versions for all,
Bearer tokens now keep their prefixes so sweet,
Updates and fixes—our code stays neat!

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	Linked issue #123 requires File APIs support (POST /v1/files for OpenAI/Anthropic), but PR contains only dependency updates and WebSocket token handling fixes with no File API implementation.	Add implementation for File APIs support as required by issue #123, or update PR objectives to clarify this PR is unrelated to the linked issue.
Out of Scope Changes check	⚠️ Warning	PR contains significant out-of-scope changes: AWS SDK dependency updates across 11 go.mod files and maxim-go bump appear disconnected from WebSocket responses support or File API requirements.	Separate dependency updates into a distinct PR or justify their necessity for WebSocket/File API functionality in the description.
Title check	❓ Inconclusive	Title 'codex websocket responses support' is vague and generic, lacking specificity about actual changes (dependency updates and token handling fix).	Clarify title to reflect main changes: e.g., 'Update AWS SDK dependencies and fix Bearer token handling in WebSocket responses' or 'Fix virtual key handling in WebSocket responses'

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	PR description is complete and well-structured, covering all major sections: summary, changes, type, affected areas, testing, breaking changes, security, and checklist.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 03-24-codex_websocket_responses_support

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[akshaydeo]

• codex websocket responses support #2261 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #2261

[coderabbitai]

🧹 Nitpick comments (1)

transports/bifrost-http/handlers/wsresponses.go (1)

488-488: Normalize sk-bf- virtual key handling across all auth headers.

Line 488 now preserves the prefix for Authorization, but Line 502 and Line 515 still strip it for x-api-key/x-goog-api-key. This can produce different BifrostContextKeyVirtualKey values for the same credential depending on header source.

Suggested consistency patch

 	if auth.apiKey != "" {
 		if strings.HasPrefix(auth.apiKey, "sk-bf-") {
-			ctx.SetValue(schemas.BifrostContextKeyVirtualKey, strings.TrimPrefix(auth.apiKey, "sk-bf-"))
+			ctx.SetValue(schemas.BifrostContextKeyVirtualKey, auth.apiKey)
 		} else if h.handlerStore.ShouldAllowDirectKeys() {
 			key := schemas.Key{
 				ID:     "header-provided",
 				Value:  *schemas.NewEnvVar(auth.apiKey),
 				Models: []string{},
 				Weight: 1.0,
 			}
 			ctx.SetValue(schemas.BifrostContextKeyDirectKey, key)
 		}
 	}
 	if auth.googAPIKey != "" {
 		if strings.HasPrefix(auth.googAPIKey, "sk-bf-") {
-			ctx.SetValue(schemas.BifrostContextKeyVirtualKey, strings.TrimPrefix(auth.googAPIKey, "sk-bf-"))
+			ctx.SetValue(schemas.BifrostContextKeyVirtualKey, auth.googAPIKey)
 		} else if h.handlerStore.ShouldAllowDirectKeys() {
 			key := schemas.Key{
 				ID:     "header-provided",
 				Value:  *schemas.NewEnvVar(auth.googAPIKey),
 				Models: []string{},
 				Weight: 1.0,
 			}
 			ctx.SetValue(schemas.BifrostContextKeyDirectKey, key)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@transports/bifrost-http/handlers/wsresponses.go` at line 488, Auth header
handling is inconsistent: preserve the 'sk-bf-' prefix for virtual keys across
all header types (Authorization, x-api-key, x-goog-api-key) instead of stripping
it in some branches; find the code paths that parse these headers (the spots
that ultimately call ctx.SetValue(schemas.BifrostContextKeyVirtualKey, token))
and change the x-api-key and x-goog-api-key parsing so they do not remove the
'sk-bf-' prefix (i.e., set ctx.SetValue(schemas.BifrostContextKeyVirtualKey,
token) with the original token including the prefix, matching the Authorization
branch).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@transports/bifrost-http/handlers/wsresponses.go`:
- Line 488: Auth header handling is inconsistent: preserve the 'sk-bf-' prefix
for virtual keys across all header types (Authorization, x-api-key,
x-goog-api-key) instead of stripping it in some branches; find the code paths
that parse these headers (the spots that ultimately call
ctx.SetValue(schemas.BifrostContextKeyVirtualKey, token)) and change the
x-api-key and x-goog-api-key parsing so they do not remove the 'sk-bf-' prefix
(i.e., set ctx.SetValue(schemas.BifrostContextKeyVirtualKey, token) with the
original token including the prefix, matching the Authorization branch).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1bd15bf-f337-4cac-bbf7-ad36be321a55

📥 Commits

Reviewing files that changed from the base of the PR and between 7289704 and 7e85445.

⛔ Files ignored due to path filters (11)

• core/go.sum is excluded by !**/*.sum
• framework/go.sum is excluded by !**/*.sum
• plugins/governance/go.sum is excluded by !**/*.sum
• plugins/jsonparser/go.sum is excluded by !**/*.sum
• plugins/litellmcompat/go.sum is excluded by !**/*.sum
• plugins/logging/go.sum is excluded by !**/*.sum
• plugins/mocker/go.sum is excluded by !**/*.sum
• plugins/otel/go.sum is excluded by !**/*.sum
• plugins/semanticcache/go.sum is excluded by !**/*.sum
• plugins/telemetry/go.sum is excluded by !**/*.sum
• transports/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• core/go.mod
• framework/go.mod
• plugins/governance/go.mod
• plugins/jsonparser/go.mod
• plugins/litellmcompat/go.mod
• plugins/logging/go.mod
• plugins/mocker/go.mod
• plugins/otel/go.mod
• plugins/semanticcache/go.mod
• plugins/telemetry/go.mod
• transports/bifrost-http/handlers/wsresponses.go
• transports/go.mod

[ilkersigirci]

@akshaydeo I am using latest version of codex, codex-cli 0.117.0 with latest bifrost v1.4.18. I have configured codex config.toml like following.

requires_openai_auth = true
openai_base_url = "BIFROST_URL/v1"

However, I got following websocket error in the bifrost. Doesn't this PR fixes it? Is the commit not released yet? Thanks

{"level":"warn","time":"2026-03-31T13:58:49Z","message":"websocket read error: websocket: close 1006 (abnormal closure): unexpected EOF"}

Note that i have also tried openai_base_url = "BIFROST_URL/openai/v1" which also doesn't work

[akshaydeo]

this is actually released already - and should ideally work. Ill test once and respond here

[ilkersigirci]

this is actually released already - and should ideally work. Ill test once and respond here

Thanks. I can help to test the feature if you need it.