[codex] Add Doubao coding plan usage #1727
OpenCLI follow-up notes for reviewers:
Validation already run locally:
|
The signer emitted canonical headers / SignedHeaders as host;x-date;x-content-sha256;content-type. Volcengine V4 (AWS SigV4 derived) requires them sorted by lower-cased header name, and the server re-sorts + recomputes the signature, so the unsorted order would yield a signature mismatch (HTTP 403) on live GetCodingPlanUsage calls. Sort to content-type;host;x-content-sha256;x-date and update the test expectation. Note: the signing test asserts structure only (no golden vector), so this still needs a live AK/SK request to confirm the server accepts it.
|
Pushed Heads-up: the signing test asserts structure only (credential scope + SignedHeaders string), not a golden signature, so it would not have caught this. A real AK/SK request is still needed to confirm the server accepts the signature end-to-end. The decode/mapping (QuotaUsage session/weekly/monthly → RateWindow) I verified against a live console response and it matches. |
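The header-ordering failure described above, as an added example that is not code from this PR or from Volcengine: a client signs over headers in emission order, a verifier re-sorts by lower-cased name before recomputing, and the two signatures diverge. The key-derivation chain and string-to-sign layout are assumptions modelled on SigV4 with the `date/region/service/request` scope named on the page; the host, secret and body are constructed placeholders.

```python
import hashlib
import hmac

def canonical_headers(headers, sort=True):
    """Return (canonical header block, SignedHeaders string)."""
    items = [(k.lower(), " ".join(v.split())) for k, v in headers.items()]
    if sort:  # the rule from the commit: order by lower-cased header name
        items.sort()
    return "".join(f"{k}:{v}\n" for k, v in items), ";".join(k for k, _ in items)

def sign(secret, req, sort=True):
    """SigV4-style HMAC-SHA256 signature; the layout is an assumption (see lead-in)."""
    block, signed = canonical_headers(req["headers"], sort)
    canonical = "\n".join([req["method"], req["path"], req["query"], block, signed,
                           hashlib.sha256(req["body"]).hexdigest()])
    x_date = req["headers"]["X-Date"]
    scope = f"{x_date[:8]}/{req['region']}/{req['service']}/request"
    to_sign = "\n".join(["HMAC-SHA256", x_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = secret.encode()
    for part in scope.split("/"):  # date -> region -> service -> "request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return signed, hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(secret, req, client_signature):
    """Verifier side: always canonicalises in sorted order, then compares."""
    _, expected = sign(secret, req, sort=True)
    return hmac.compare_digest(expected, client_signature)

# Constructed request: placeholder host, dummy secret, header order as first emitted.
SECRET = "constructed-secret-not-a-real-sk"
REQUEST = {
    "method": "POST", "path": "/", "body": b"{}",
    "query": "Action=GetCodingPlanUsage&Version=2024-01-01",
    "region": "cn-beijing", "service": "ark",
    "headers": {
        "Host": "openapi.example.invalid",
        "X-Date": "20260625T035833Z",
        "X-Content-Sha256": hashlib.sha256(b"{}").hexdigest(),
        "Content-Type": "application/json",
    },
}

if __name__ == "__main__":
    for sort in (False, True):
        signed, sig = sign(SECRET, REQUEST, sort)
        verdict = "accepted" if server_accepts(SECRET, REQUEST, sig) else "rejected"
        print(signed, verdict)
```

A structure-only test passes for either ordering as long as its expectation matches what the signer emits; only a fixed expected signature or a verifier round-trip like `server_accepts` distinguishes them.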
|
Codex review: needs maintainer review before merge. Reviewed July 2, 2026, 4:39 AM ET / 08:39 UTC. Summary Reproducibility: not applicable. as a bug reproduction: this is a feature PR for a new Doubao Coding Plan fetch path. The after-fix behavior is nevertheless supported by redacted live CodexBarCLI output in the PR discussion. Review metrics: 3 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Security Review details
Best possible solution: Have a maintainer explicitly approve or reject the Doubao AK/SK credential direction; if approved, land after required checks and keep STS/session-token support as a follow-up.
Do we have a high-confidence way to reproduce the issue? Not applicable as a bug reproduction: this is a feature PR for a new Doubao Coding Plan fetch path. The after-fix behavior is nevertheless supported by redacted live CodexBarCLI output in the PR discussion.
Is this the best way to solve the issue? Technically yes, this is a focused implementation for GetCodingPlanUsage and preserves the Ark bearer fallback with tests. Product-wise it remains pending until maintainers accept the new AK/SK credential path.
AGENTS.md: found and applied where relevant.
Codex review notes: model internal, reasoning high; reviewed against 450ca4d91565.
Label changes
Label changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eefcab4092
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…plan # Conflicts: # Tests/CodexBarTests/ConfigValidationTests.swift
|
Addressed the current P2 in
Validation:
Proof note: I checked local env/config presence without printing secret values. This machine has Doubao API-key material but no Volcengine AK/SK pair, so I still cannot produce the requested signed Coding Plan live fetch proof here. That still needs real Volcengine AK/SK. @codex review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 22a6bad6d5
|
Addressed the new Ark preservation P2 in
Validation:
|
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: decf7f4f66
|
Addressed the latest Doubao P2s in
Validation:
|
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b63582afd7
|
Addressed the signed-to-Ark fallback P2 in
Validation:
|
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f17026c97b
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9678247b12
|
Addressed the Ark request-label P2 in
Validation:
Real Coding Plan proof is still unavailable from this machine because no Volcengine AK/SK env/config credentials are present. @codex review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d4a1419065
|
Addressed the Coding Plan reset P2s in
Validation:
Real Coding Plan proof is still unavailable from this machine because no Volcengine AK/SK env/config credentials are present. @codex review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Codex Review: Didn't find any major issues. Already looking forward to the next diff. Reviewed commit: |
Supplemental redacted Coding Plan proof
Current branch head:
This does not replace ClawSweeper's requested after-fix CodexBar signed AK/SK proof, but it narrows the remaining blocker and confirms the live Coding Plan response shape the PR implements.
What I could verify from this machine today:
```json
{
  "observedAt": "2026-06-25T03:58:33Z",
  "httpStatus": 200,
  "action": "GetCodingPlanUsage",
  "version": "2024-01-01",
  "service": "ark",
  "region": "cn-beijing",
  "resultStatus": "Running",
  "updatedAt": "2026-06-25 11:58:34 CST",
  "quotaUsage": [
    {
      "level": "session",
      "percent": 0.01392,
      "resetAt": "2026-06-25 15:46:05 CST"
    },
    {
      "level": "weekly",
      "percent": 3.2836043333333333,
      "resetAt": "2026-06-29 00:00:00 CST"
    },
    {
      "level": "monthly",
      "percent": 7.623784166666667,
      "resetAt": "2026-06-25 23:59:59 CST"
    }
  ]
}
```
No cookies, auth headers, account IDs, request IDs, phone/email, raw identity responses, or secrets are included.
Remaining decision before this can clear the ClawSweeper gate:
@steipete could you pick the path you want here? I am holding off on another @clawsweeper re-review until there is either signed-path proof or maintainer acceptance of an alternative, to avoid a noisy rerun. |
…plan # Conflicts: # Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift # Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift
Rebased onto latest
|
|
Codex Review: Didn't find any major issues. Delightful! Reviewed commit: |
Live
|
… failures
apiErrorSummary only parsed `error.message`/`message`, so Volcengine's
`ResponseMetadata.Error.{Code,Message}` shape fell through to an opaque
"HTTP 403 (322 bytes)". Users hitting an IAM AccessDenied on
ark:GetCodingPlanUsage now see the real reason instead of a byte count.
Add a regression test asserting a 403 ResponseMetadata.Error body is
surfaced as "AccessDenied: User is not authorized to perform: ark:GetCodingPlanUsage".
Added: surface Volcengine API error code/message (commit
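The error-surfacing behaviour described in the commit message above, as an added Python example (not the project's Swift `apiErrorSummary`): it reads `ResponseMetadata.Error.{Code,Message}` first, then the `error.message` / `message` shapes, and only then falls back to the status-and-byte-count string. The `failure_stage` helper and all sample bodies are constructed for illustration; the two error codes are the ones named on this page.

```python
import json

def api_error_summary(status: int, body: bytes) -> str:
    """Summarise a failed API response, preferring the server's own code/message."""
    try:
        doc = json.loads(body)
    except ValueError:  # also covers undecodable bytes (UnicodeDecodeError)
        doc = None
    if isinstance(doc, dict):
        # Volcengine OpenAPI shape: ResponseMetadata.Error.{Code,Message}
        meta = doc.get("ResponseMetadata")
        err = meta.get("Error") if isinstance(meta, dict) else None
        if isinstance(err, dict):
            parts = [p for p in (err.get("Code"), err.get("Message"))
                     if isinstance(p, str) and p]
            if parts:
                return ": ".join(parts)
        # Shapes handled before the change: error.message, then top-level message
        err = doc.get("error")
        if isinstance(err, dict) and isinstance(err.get("message"), str):
            return err["message"]
        if isinstance(doc.get("message"), str):
            return doc["message"]
    return f"HTTP {status} ({len(body)} bytes)"

def failure_stage(summary: str) -> str:
    """Hypothetical triage helper: which check did the request fail?"""
    code = summary.split(":", 1)[0]
    return {
        "SignatureDoesNotMatch": "signing",  # signer or secret is wrong
        "AccessDenied": "authorization",     # signature verified, IAM refused
    }.get(code, "unknown")

# Constructed sample bodies (not captured responses).
ACCESS_DENIED = json.dumps({"ResponseMetadata": {"Error": {
    "Code": "AccessDenied",
    "Message": "User is not authorized to perform: ark:GetCodingPlanUsage",
}}}).encode()
BAD_SIGNATURE = json.dumps({"ResponseMetadata": {"Error": {
    "Code": "SignatureDoesNotMatch", "Message": "constructed message",
}}}).encode()
OPAQUE = b"x" * 322  # non-JSON body: only the byte count can be reported

if __name__ == "__main__":
    for body in (ACCESS_DENIED, BAD_SIGNATURE, OPAQUE):
        summary = api_error_summary(403, body)
        print(failure_stage(summary), "|", summary)
```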
|
✅ After-fix live repro — CodexBar's own signed path renders real Coding Plan bars
Granted the Cross-checks 1:1 with the earlier official Recap of what's now validated:
|
|
Landed via #1841 as The original fork branch could not be updated because maintainer edits were disabled, so I recreated the contributor patch on a maintainer branch, resolved the integration changes, and ran focused tests, Thanks @LeoLin990405. For future pull requests, enabling Allow edits by maintainers lets us apply integration fixups directly to the contributor branch. |
Summary
Fixes #1724.
This adds first-class Doubao Coding Plan usage fetching through Volcengine's signed OpenAPI path while preserving the existing Ark API-key probe as a fallback.
What changed
- `GetCodingPlanUsage.QuotaUsage` into 5-hour, weekly, and monthly usage windows.
- `ResponseMetadata.Error.{Code,Message}` on failures, so a key lacking the `ark:GetCodingPlanUsage` permission shows `AccessDenied: …` instead of an opaque `HTTP 403 (322 bytes)`.
Investigation notes
`opencli` inspection of the Volcengine Ark console showed the Coding Plan page calling `GetCodingPlanUsage`, returning `session`, `weekly`, and `monthly` percentages plus reset timestamps. The signing implementation follows Volcengine's documented HMAC-SHA256 request shape with the `date/region/service/request` credential scope.
Live proof (after-fix, CodexBar's own signed path)
Ran CodexBar's own signed CLI with a long-term Volcengine AK/SK (via `CODEXBAR_CONFIG`, no `ark-cli` involved). `DoubaoUsageFetcher` signs the request, calls `GetCodingPlanUsage`, and renders the three windows — "Limits not available" is gone:
Independently cross-checked with the official `@volcengine/ark-cli` (`arkcli usage plan --product coding-plan`) — matches 1:1 (session 0.0023% used → 99% left, weekly 2.49% → 97%, monthly 1.26% → 99%). Details: #1727 (comment)
While validating, an under-permissioned key returned Volcengine `AccessDenied` on `ark:GetCodingPlanUsage` (not `SignatureDoesNotMatch`), confirming the signer itself is correct — the request authenticates and is authorized server-side. That also motivated the error-surfacing change above.
Note (scope): the signer uses long-term AK/SK only — it does not attach an STS `X-Security-Token`, so SSO/temporary credentials won't work. Happy to add session-token support as a follow-up if wanted.
Validation
- `make check`
- `swift test --filter 'Doubao|ProviderConfigEnvironment|ConfigValidation'` — green (incl. new `coding plan fetch surfaces volcengine access denied error`)
- `swift run CodexBarCLI usage --provider doubao --source api` — renders real Coding Plan windows with a permissioned AK/SK; falls back to the Ark bearer probe when only an Ark API key is present
- `main`; branch is `MERGEABLE` and CI is green.
Remaining gate
Product decision (issue is labeled `needs-product-decision`): whether to accept a Volcengine AK/SK credential path for Doubao. The implementation keeps a single settings field and auto-selects signed vs. bearer by input shape (`AKLT…` access key → signed), so it doesn't force a second credential UI or regress bearer-only users.