# CLIProxy Runtime Credentials

FractalOps uses CLIProxyAPI as a runtime credential gateway, not as an agent process adapter.

## Boundary

- Agent process adapter selection remains `codex-cli`, `claude-cli`, `zai-cli`, `langgraph-native`, `browser-only`, or `workspace-cli`. `cliproxy` exposes a short-lived proxy handoff for CLI adapters that need provider account material.
- Armory attaches the `codex-cli-runtime` bundle when an agent uses the Codex provider.
- The credential broker returns only lease metadata, fingerprint, provider, proxy URL, model prefix, and OpenBao artifact ref.
- Raw OAuth/account material never leaves OpenBao through Portal, Studio metadata, GitHub issues, or browser DOM.
## Storage Contract

Canonical OpenBao scope:

`fractalops/default/runtime-providers/cliproxy`

Runtime provider secrets use Portal secret scope `runtime_provider`, which maps to:

`runtime-providers/{provider}/{environment}/secrets`

Example key:

`CODEX_OAUTH_BUNDLE`

The credential broker default artifact ref is:

`ref:runtime-providers/cliproxy:CODEX_OAUTH_BUNDLE`
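The Boundary section states what a broker handoff may contain, and the artifact ref above fixes its format. The check below, an added example that is not FractalOps code, enforces both on a handoff before it is released: the response field names (`lease_id`, `expires_at`, and so on), the 15-minute lease bound and the token-shape heuristics are assumptions, not part of the documented contract.

```python
import re
from datetime import datetime, timedelta, timezone

# Only these categories may leave the broker (lease metadata, fingerprint, provider,
# proxy URL, model prefix, artifact ref). The concrete field names are assumed.
ALLOWED_FIELDS = {"lease_id", "expires_at", "fingerprint", "provider",
                  "proxy_url", "model_prefix", "artifact_ref"}
# Key fragments that mean raw account material is being passed through.
RAW_MATERIAL_KEYS = ("access_token", "refresh_token", "id_token", "client_secret", "cookie")
MAX_LEASE = timedelta(minutes=15)  # assumed bound for a "short-lived" handoff
KNOWN_PROXY_URLS = ("http://cliproxy.fractalops.svc.cluster.local:8317", "https://cliproxy.yamon.io")
ARTIFACT_REF = re.compile(r"^ref:(?P<scope>runtime-providers/[a-z0-9-]+):(?P<key>[A-Z0-9_]+)$")
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample


def parse_artifact_ref(ref: str) -> tuple[str, str]:
    """Split 'ref:runtime-providers/cliproxy:CODEX_OAUTH_BUNDLE' into (scope, key)."""
    m = ARTIFACT_REF.fullmatch(ref)
    if not m:
        raise ValueError(f"malformed artifact ref: {ref!r}")
    return m["scope"], m["key"]


def validate_handoff(resp: dict, now: datetime) -> list[str]:
    """Return policy violations; an empty list means the handoff may be released."""
    problems = []
    for k, v in resp.items():
        if k not in ALLOWED_FIELDS:
            problems.append(f"unexpected field {k!r}")
        if any(tag in k.lower() for tag in RAW_MATERIAL_KEYS):
            problems.append(f"raw account material in field {k!r}")
        if isinstance(v, str) and v.startswith(("eyJ", "ya29.")):  # JWT / OAuth token shapes
            problems.append(f"token-like value in field {k!r}")
    for k in sorted(ALLOWED_FIELDS - resp.keys()):
        problems.append(f"missing field {k!r}")
    try:
        parse_artifact_ref(str(resp.get("artifact_ref", "")))
    except ValueError as e:
        problems.append(str(e))
    exp = resp.get("expires_at")
    if not isinstance(exp, datetime) or exp <= now or exp - now > MAX_LEASE:
        problems.append("expires_at must be a datetime within MAX_LEASE of now")
    if not str(resp.get("proxy_url", "")).startswith(KNOWN_PROXY_URLS):
        problems.append("proxy_url is not a cliproxy endpoint")
    return problems


# Constructed sample handoffs: one compliant, one that leaks a refresh token.
GOOD_HANDOFF = {"lease_id": "lease-123", "expires_at": NOW + timedelta(minutes=10),
                "fingerprint": "sha256:abc", "provider": "codex", "model_prefix": "codex/",
                "proxy_url": "https://cliproxy.yamon.io",
                "artifact_ref": "ref:runtime-providers/cliproxy:CODEX_OAUTH_BUNDLE"}
LEAKY_HANDOFF = dict(GOOD_HANDOFF, refresh_token="ya29.constructed-sample")
```

`validate_handoff(LEAKY_HANDOFF, NOW)` reports the extra field three times over (unexpected name, raw-material key, token-shaped value), which is the point: the Boundary rule is an allow-list, not a deny-list.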
## Deployment

- Container build context: `ops/containers/cliproxy`
- Image build and GitOps bump workflow: `.github/workflows/cliproxy-release.yml`
- GitOps application: `platform/k8s/argocd/runtime/resources/cliproxy.application.yaml`
- Kubernetes app: `platform/k8s/apps/cliproxy`
- Runtime asset id: `cliproxy-runtime`
- Internal service: `http://cliproxy.fractalops.svc.cluster.local:8317`
- Public protected host: `https://cliproxy.yamon.io`
The Kubernetes deployment reads one secret-backed `config.yaml` from External Secrets. Account import and OAuth rotation are explicit high-trust operations; they are not inferred from `~/.codex`, `~/.claude`, or any host-local credential directory.
## Policy

Low-risk scopes:

- `open`
- `bootstrap`

High-risk scopes requiring trusted device and WebAuthn:

- `account_import`
- `raw_oauth_rotation`
- `admin`