Support Cordon in cloud Codex and GitHub agent environments #12
Description
Enable Cordon to capture agent activity from headless cloud agent sessions in Codex environments and GitHub Copilot coding agent environments. Both platforms allow custom environment setup scripts and secret storage, which is sufficient to install and authenticate the Cordon CLI.
Value:
Cloud agent sessions currently produce ephemeral logs that vanish when the environment is destroyed. Cordon would be the persistent, unified record of what those agents did, viewable alongside local development activity in one dashboard. Entitlement policies follow the agent regardless of where it runs.
Scope:
- Codex environments:
support custom setup scripts and key-value secrets. Cordon install script runs during environment setup, authenticates via a machine API token stored as a secret. - GitHub Copilot coding agent:
supports custom agent environments via devcontainer or setup scripts. Same install and auth pattern.
Implementation:
- Add machine token generation page to cordon-web for issuing scoped, non-interactive API tokens for CI/cloud use
- Machine tokens should be limited to event sync and policy read (no policy write, no team management)
- cordon login --token for non-interactive authentication in headless environments or use of the environment variables or secrets directly
Major Assumption: ###
- Same hook enforcement applies: cloud agents respect the same entitlement policies as local agents