feat(codex): resolve auth path via CODEX_HOME and host env API

[igalarzab]

Summary

OpenUsage is not respecting the value of $CODEX_HOME[1], so if the config is not in ~/.codex is not able to read it.

This PR allows OpenUsage to read $CODEX_HOME, and if defined, uses it. Otherwise it fallsback to ~/.config/codex and ~/.codex

This should be backward compatible for everyone

[1] https://developers.openai.com/codex/config-advanced/#config-and-state-locations

What changed

• Added host.env.get(name) to the plugin host API (src-tauri/src/plugin_engine/host_api.rs).
• Updated Codex plugin auth lookup logic (plugins/codex/plugin.js):
  • If CODEX_HOME is set: use ${CODEX_HOME}/auth.json.
  • Otherwise: prefer ~/.config/codex/auth.json, then ~/.codex/auth.json.
• Token refresh now writes back to the resolved auth file path instead of a fixed path.
• Documented the new env API (docs/plugins/api.md).
• Added/updated tests:
  • New plugin tests for env/path precedence and no-fallback behavior (plugins/codex/plugin.test.js).
  • Added env mock in shared test helpers (plugins/test-helpers.js).
  • Added Rust host API test for env.get exposure (src-tauri/src/plugin_engine/host_api.rs).

---

Summary by cubic

Respect CODEX_HOME for Codex auth and add a safe env API for plugins. If CODEX_HOME is set, use ${CODEX_HOME}/auth.json with no fallback; otherwise use the first existing auth file in ~/.config/codex or ~/.codex and write refreshes back to that path.

• New Features
  • Expose host.env.get(name) to plugins with an allowlist (only CODEX_HOME; others return null).
  • Update auth path resolution and refresh write-back; docs and tests cover env/path precedence and the no-fallback rule.

^{Written for commit 1092716. Summary will update on new commits.}

[macroscopeapp]

Expose host.env.get for whitelisted vars and resolve Codex auth path via CODEX_HOME in plugins/codex

Add host.env.get with an allowlist in the host API, update the Codex plugin to read CODEX_HOME for auth.json resolution with fallback to config paths, persist refreshed tokens to the resolved path, and document the env API.

📍Where to Start

Start with the env injection in host_api.rs, then review resolveAuthPath and loadAuth in plugin.js.

---

Macroscope summarized fec0d68.

[cubic-dev-ai]

1 issue found across 5 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src-tauri/src/plugin_engine/host_api.rs">

<violation number="1" location="src-tauri/src/plugin_engine/host_api.rs:222">
P1: This implementation exposes all environment variables to the plugin, including potentially sensitive secrets (like `AWS_ACCESS_KEY_ID`, `SSH_AUTH_SOCK`, or generic API keys) that the plugin does not need.

Restrict access to an allowlist (e.g., `["CODEX_HOME"]`) or a safe namespace (e.g., `OPENUSAGE_*`).</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[robinebers]

Awesome, thank you @igalarzab!

[igalarzab]

thank you for open sourcing this app!