fix(oauth): route assistant oauth connect --callback-transport=gateway through daemon IPC#29570
Merged
credence-the-bot[bot] merged 5 commits intoMay 5, 2026
Conversation
…y through daemon IPC
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
- Sort imports per simple-import-sort/imports rule (autofix) - Add eslint-disable for the intentionally-let resolvedState binding - Narrow OAuthConnectResult union before reading .error (split into two if branches) - Narrow OAuthConnectStatusResponse before reading .error in CLI poll loop - Regenerate openapi.yaml to include the 2 new internal routes
…x P1 review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Author
Contributor
Author
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
…nsistency (Devin review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…Codex review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
Author
Contributor
Author
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5138bfdda9
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| }, | ||
| ); | ||
|
|
||
| if (startResult.ok && startResult.result?.auth_url) { |
There was a problem hiding this comment.
Only transport/unavailability errors should trigger the in-process fallback, but this branch falls back for any non-OK IPC result, including daemon-side OAuth start failures. When internal_oauth_connect_start returns a real error (for example gateway transport preconditions failing), the CLI silently retries via orchestrateOAuthConnect(...), which re-enters the legacy in-process path this PR is trying to avoid for gateway callbacks and can reintroduce the original timeout behavior instead of surfacing the daemon error. Gate fallback on connectivity/unknown-method cases and return daemon route errors directly.
Useful? React with 👍 / 👎.
credence-the-bot
Bot
merged commit 68ec346
into
credence-the-bot/oauth-connect-daemon-flow
13 checks passed
noanflaherty
pushed a commit
that referenced
this pull request
May 5, 2026
…ay` through daemon IPC (#29596) * fix(oauth): route `assistant oauth connect --callback-transport=gateway` through daemon IPC (#29570) * fix(oauth): route assistant oauth connect --callback-transport=gateway through daemon IPC * fix(oauth-connect): pass lint, type-check, and openapi-check - Sort imports per simple-import-sort/imports rule (autofix) - Add eslint-disable for the intentionally-let resolvedState binding - Narrow OAuthConnectResult union before reading .error (split into two if branches) - Narrow OAuthConnectStatusResponse before reading .error in CLI poll loop - Regenerate openapi.yaml to include the 2 new internal routes * fix: use operationId and structured params for cliIpcCall (Devin/Codex P1 review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: thread grantedScopes through IPC path to avoid empty-scopes inconsistency (Devin review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(oauth): align IPC poll timeout with 5-min loopback OAuth window (Codex review) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: credence-the-bot <credence@vellum.ai> Co-authored-by: credence-the-bot[bot] <183148327+credence-the-bot[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: surface daemon errors instead of silent fallback; add gateway transport test and policy tests (#29590) Co-authored-by: credence-the-bot <credence@vellum.ai> * fix: add defensive guards for poll daemon errors and ok:true missing auth_url (#29593) Co-authored-by: credence-the-bot <credence@vellum.ai> * test: add missing test coverage for oauth-connect daemon flow (round-3) (#29595) Co-authored-by: credence-the-bot <credence@vellum.ai> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: suppress browser-wait log in JSON mode; sweep expired OAuth state on insertion (#29597) * fix: suppress browser-wait log in JSON mode; sweep expired state on insert * test: make JSON-mode log suppression test exercise the actual if (!jsonMode) guard Configure the logger mock to write to process.stdout in the specific test so the test would fail if the guard were removed from connect.ts. Also reset mockLogInfo to no-op in beforeEach for test isolation. --------- Co-authored-by: credence-the-bot <credence@vellum.ai> * fix(oauth): replace 'Daemon' with 'assistant' in user-facing error strings (#29603) * fix(oauth): replace 'Daemon' with 'assistant' in user-facing error strings * test: update assertion to match new 'assistant' string from devin nit fix The previous commit replaced 'Daemon' with 'assistant' in user-facing error strings (per Devin review), but missed updating the test that asserts on the old 'Daemon returned unexpected response' wording. --------- Co-authored-by: credence-the-bot <credence@vellum.ai> Co-authored-by: credence-the-bot[bot] <credence-the-bot[bot]@users.noreply.github.com> * fix(security): add IPC policy entries for daemon OAuth connect routes (#29612) Closes Codex P1 on #29596 by adding IPC policy entries for the new daemon OAuth connect routes (`internal_oauth_connect_start`, `internal_oauth_connect_status`). Mirrors the pattern from #29571 for the MCP OAuth routes. 4-line additive change, 6/6 tests pass. Both Codex and Devin re-reviewed clean. --------- Co-authored-by: credence-the-bot[bot] <277301654+credence-the-bot[bot]@users.noreply.github.com> Co-authored-by: credence-the-bot <credence@vellum.ai> Co-authored-by: credence-the-bot[bot] <183148327+credence-the-bot[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: credence-the-bot[bot] <credence-the-bot[bot]@users.noreply.github.com> Co-authored-by: credence-the-bot[bot] <credence-the-bot@vellum.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
assistant oauth connect --callback-transport=gateway: prepareOAuth2Flow now runs in the daemon heap (where consumeCallback also lives), not the CLI heapinternal/oauth/connect/startandinternal/oauth/connect/status/:stateIPC routes with daemon-side state map for CLI pollingPart of plan: oauth-connect-daemon-flow.md (PR 1 of 1)