feat: add async codex audit service

Author: Pigbibi

…/workflows/selfhosted_monthly_review.yml .github/workflows/codex_audit.yml.github/workflows/selfhosted_monthly_review.yml renamed to .github/workflows/codex_audit.yml .github/workflows/selfhosted_monthly_review.yml renamed to .github/workflows/codex_audit.yml

@@ -1,12 +1,12 @@
-name: Codex Monthly Review
+name: Codex Audit
 
 on:
   workflow_dispatch:
     inputs:
       source_repo:
         description: "Repository that owns the monthly review issue"
         required: true
-        default: "QuantStrategyLab/CryptoSnapshotPipelines"
+        default: "QuantStrategyLab/CryptoLivePoolPipelines"
       issue_number:
         description: "Monthly review issue number in source_repo"
         required: true
@@ -55,16 +55,16 @@ permissions:
   id-token: write
 
 concurrency:
-  group: selfhosted-codex-monthly-${{ github.event.client_payload.source_repo || inputs.source_repo }}-${{ github.event.client_payload.issue_number || inputs.issue_number }}
+  group: codex-audit-${{ github.event.client_payload.source_repo || inputs.source_repo }}-${{ github.event.client_payload.issue_number || inputs.issue_number }}
   cancel-in-progress: false
 
 jobs:
-  codex-monthly-review:
+  codex-audit:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
-      SOURCE_REPO: ${{ github.event.client_payload.source_repo || inputs.source_repo || 'QuantStrategyLab/CryptoSnapshotPipelines' }}
+      SOURCE_REPO: ${{ github.event.client_payload.source_repo || inputs.source_repo || 'QuantStrategyLab/CryptoLivePoolPipelines' }}
       ISSUE_NUMBER: ${{ github.event.client_payload.issue_number || inputs.issue_number }}
       SOURCE_REF: ${{ github.event.client_payload.source_ref || inputs.source_ref || 'main' }}
       CODEX_AUDIT_MODE: ${{ github.event.client_payload.mode || inputs.mode || 'review_and_fix' }}
@@ -114,7 +114,7 @@ jobs:
           permission-issues: write
           permission-pull-requests: write
 
-      - name: Run Monthly Codex Audit
+      - name: Run Codex Audit
         env:
           CODEX_AUDIT_GH_TOKEN: ${{ steps.source_app_token.outputs.token || secrets.CODEX_AUDIT_GH_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CONTRIBUTING.md

@@ -14,7 +14,7 @@ Thanks for contributing to `CodexAuditBridge`.
 
 - Prefer small pull requests with one clear purpose.
 - Keep refactors separate from behavior, contract, workflow, or documentation changes.
-- Preserve this repository's boundary as a self-hosted audit automation bridge; do not move broker execution, live-allocation decisions, private credentials, or unrelated platform logic into it.
+- Preserve this repository's boundary as a service-backed audit automation bridge; do not move broker execution, live-allocation decisions, private credentials, or unrelated platform logic into it.
 - Add or update tests, examples, docs, or reproducible evidence when changing behavior or public contracts.
 
 ## Documentation Standards

README.md

@@ -6,7 +6,7 @@
 
 ## What this repository is
 
-CodexAuditBridge is a QuantStrategyLab audit automation bridge. It runs self-hosted Codex audit workflows for snapshot reviews and low-risk fix pull requests.
+CodexAuditBridge is a QuantStrategyLab audit automation bridge. It runs service-backed Codex audit workflows for snapshot reviews and low-risk fix pull requests.
 
 It produces research, audit, or orchestration artifacts. It should not submit broker orders or mutate live allocations by itself.
 
@@ -17,7 +17,7 @@ CodexAuditBridge is the organization-local Codex boundary for QuantStrategyLab.
 Current execution model:
 
 1. A source repository creates or identifies an audit issue.
-2. The source repository dispatches `.github/workflows/selfhosted_monthly_review.yml` in this repository.
+2. The source repository dispatches this repository's monthly review workflow. The workflow filename is still `codex_audit.yml` for dispatch compatibility, but Codex execution is service-backed.
 3. CodexAuditBridge validates the source repository and task mapping, clones the source repository with a scoped GitHub token, and runs the selected provider/backend.
 4. Only CodexAuditBridge performs GitHub writes such as comments, branches, commits, pushes, and pull requests.
 
@@ -31,9 +31,7 @@ This avoids hard-coding Codex CLI setup in every source repository and avoids de
 
 | Source repository | Allowed task |
 | --- | --- |
-| `QuantStrategyLab/AiLongHorizonSignalPipelines` | `long_horizon_signal_shadow` |
 | `QuantStrategyLab/CryptoLivePoolPipelines` | `monthly_snapshot_audit` |
-| `QuantStrategyLab/CryptoSnapshotPipelines` | `monthly_snapshot_audit` |
 | `QuantStrategyLab/HkEquitySnapshotPipelines` | `monthly_snapshot_audit` |
 | `QuantStrategyLab/ResearchSignalContextPipelines` | `long_horizon_signal_shadow` |
 | `QuantStrategyLab/UsEquitySnapshotPipelines` | `monthly_snapshot_audit` |
@@ -55,15 +53,17 @@ Run the service host with:
 
 ```bash
 CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES=QuantStrategyLab/CodexAuditBridge \
-CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES='QuantStrategyLab/CryptoSnapshotPipelines,QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/AiLongHorizonSignalPipelines,QuantStrategyLab/ResearchSignalContextPipelines' \
+CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES='QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/ResearchSignalContextPipelines' \
 CODEX_AUDIT_SERVICE_AUDIENCE=quant-codex-audit \
 OPENAI_API_KEY=... \
 python3 scripts/codex_audit_service.py
 ```
 
 Terminate TLS on 443 with the platform load balancer or a reverse proxy and forward `/v1/codex-audit` to the service port. Do not pass GitHub write tokens to this service.
 
-The manual `VPS Codex Service Ops` workflow can be used by maintainers to inspect or deploy the VPS-side service through the existing `self-hosted,codex-vps` runner. The deployment keeps the Pigbibi `/v1/codex` gateway unchanged and adds an exact nginx route from `/v1/codex-audit` to this repository's audit service.
+If no custom domain is available, `cloudflare/codex-audit-proxy/` contains a minimal Cloudflare Worker that can publish a free `workers.dev` HTTPS entry point while keeping the VPS origin URL in a Cloudflare secret. The production service path is async: submit `POST /v1/codex-audit/jobs`, then poll `GET /v1/codex-audit/jobs/{job_id}`. See `docs/async_service_deployment.md` for the deployment and open-source repository checklist.
+
+The manual `VPS Codex Service Ops` workflow can be used by maintainers to inspect or deploy the VPS-side service through the existing `self-hosted,codex-vps` runner. The deployment keeps the Pigbibi `/v1/codex` gateway unchanged and adds an nginx route for `/v1/codex-audit` to this repository's audit service.
 
 ### Service patch contract
 

README.zh-CN.md

@@ -6,7 +6,7 @@
 
 ## 这个仓库是什么
 
-CodexAuditBridge 是 QuantStrategyLab 的审计自动化桥接工具。运行 self-hosted Codex 审计 workflow，用于 snapshot review 和低风险修复 PR。
+CodexAuditBridge 是 QuantStrategyLab 的审计自动化桥接工具。运行 service-backed Codex 审计 workflow，用于 snapshot review 和低风险修复 PR。
 
 它产出研究、审计或编排类 artifact，不应自行提交券商订单，也不应直接修改 live allocation。
 
@@ -17,7 +17,7 @@ CodexAuditBridge 是 QuantStrategyLab 组织内的 Codex 调用边界。各 sour
 当前执行模型：
 
 1. source repository 创建或定位审计 issue。
-2. source repository 派发本仓库的 `.github/workflows/selfhosted_monthly_review.yml`。
+2. source repository 派发本仓库的 monthly review workflow。workflow 文件名仍为 `codex_audit.yml` 以保持 dispatch 入口稳定，但 Codex 执行已经是 service-backed。
 3. CodexAuditBridge 校验 source repository 和 task mapping，使用受限 GitHub token clone source repository，并运行指定 provider/backend。
 4. 评论、分支、commit、push、PR 等 GitHub 写操作只由 CodexAuditBridge 负责。
 
@@ -31,9 +31,7 @@ Codex 执行现在只走 service backend：workflow 从 GitHub-hosted runner 调
 
 | Source repository | 允许的 task |
 | --- | --- |
-| `QuantStrategyLab/AiLongHorizonSignalPipelines` | `long_horizon_signal_shadow` |
 | `QuantStrategyLab/CryptoLivePoolPipelines` | `monthly_snapshot_audit` |
-| `QuantStrategyLab/CryptoSnapshotPipelines` | `monthly_snapshot_audit` |
 | `QuantStrategyLab/HkEquitySnapshotPipelines` | `monthly_snapshot_audit` |
 | `QuantStrategyLab/ResearchSignalContextPipelines` | `long_horizon_signal_shadow` |
 | `QuantStrategyLab/UsEquitySnapshotPipelines` | `monthly_snapshot_audit` |
@@ -55,15 +53,17 @@ service host 启动示例：
 
 ```bash
 CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES=QuantStrategyLab/CodexAuditBridge \
-CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES='QuantStrategyLab/CryptoSnapshotPipelines,QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/AiLongHorizonSignalPipelines,QuantStrategyLab/ResearchSignalContextPipelines' \
+CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES='QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/ResearchSignalContextPipelines' \
 CODEX_AUDIT_SERVICE_AUDIENCE=quant-codex-audit \
 OPENAI_API_KEY=... \
 python3 scripts/codex_audit_service.py
 ```
 
 443/TLS 建议由平台负载均衡或反向代理负责，并把 `/v1/codex-audit` 转发到 service 端口。不要把 GitHub 写 token 传给这个 service。
 
-维护者可以通过手动触发 `VPS Codex Service Ops` workflow，借助现有 `self-hosted,codex-vps` runner 巡检或部署 VPS 侧服务。部署时保持 Pigbibi `/v1/codex` gateway 不变，只在 nginx 上增加 `/v1/codex-audit` 精确路由到本仓库的 audit service。
+如果暂时没有自定义域名，`cloudflare/codex-audit-proxy/` 提供了一个最小 Cloudflare Worker，可用免费的 `workers.dev` HTTPS 入口，并把 VPS origin URL 保存在 Cloudflare secret 中。生产服务路径使用异步模式：先 `POST /v1/codex-audit/jobs`，再轮询 `GET /v1/codex-audit/jobs/{job_id}`。部署步骤和开源仓库注意事项见 `docs/async_service_deployment.md`。
+
+维护者可以通过手动触发 `VPS Codex Service Ops` workflow，借助现有 `self-hosted,codex-vps` runner 巡检或部署 VPS 侧服务。部署时保持 Pigbibi `/v1/codex` gateway 不变，只在 nginx 上增加 `/v1/codex-audit` 路由到本仓库的 audit service。
 
 ### Service patch contract
 

cloudflare/codex-audit-proxy/README.md

@@ -0,0 +1,41 @@
+# Cloudflare Worker Proxy for CodexAuditBridge
+
+This Worker provides a free `workers.dev` HTTPS entry point for CodexAuditBridge when no custom domain is available.
+
+This Worker should stay separate from the Pigbibi CodexGateway Worker so origin URLs, repository allowlists, and logs remain isolated.
+
+The Worker is intentionally thin:
+
+- serves `GET /healthz` locally, proxies legacy `POST /v1/codex-audit`, and proxies async `POST /v1/codex-audit/jobs` plus `GET /v1/codex-audit/jobs/{job_id}`;
+- forwards the GitHub Actions OIDC `Authorization` header to the existing Codex audit service;
+- keeps the VPS origin URL in a Cloudflare Worker secret, not in git;
+- does not store provider keys, GitHub tokens, or Codex credentials.
+
+## Deploy
+
+From this directory:
+
+```bash
+npx -y wrangler@latest secret put CODEX_AUDIT_ORIGIN_URL
+npx -y wrangler@latest deploy
+```
+
+`CODEX_AUDIT_ORIGIN_URL` should be the current HTTPS origin for the Codex audit service. It may be either the service base URL or the full `/v1/codex-audit` URL.
+
+After deploy, set the `CodexAuditBridge` GitHub secret `CODEX_AUDIT_SERVICE_URL` to the Worker URL, for example:
+
+```text
+https://quantstrategylab-codex-audit-proxy.<cloudflare-account-subdomain>.workers.dev
+```
+
+The account subdomain is controlled by the Cloudflare account. If it is still `pigbibi`, the organization name should be represented in the Worker name, not by changing the whole account subdomain.
+
+Keep `CODEX_AUDIT_SERVICE_AUDIENCE` unchanged unless the origin service audience changes.
+
+## Smoke test
+
+```bash
+curl -fsS https://quantstrategylab-codex-audit-proxy.<cloudflare-account-subdomain>.workers.dev/healthz
+```
+
+A full async audit request still requires a valid GitHub Actions OIDC bearer token and should be tested from the bridge workflow. An unauthenticated `POST /v1/codex-audit/jobs` should return `401`, proving that the Worker reached the authenticated origin.

cloudflare/codex-audit-proxy/src/index.mjs

@@ -0,0 +1,115 @@
+const AUDIT_ROUTE = "/v1/codex-audit";
+const HEALTH_ROUTE = "/healthz";
+const JOB_ID_PATTERN = /^[A-Za-z0-9_-]{24,96}$/;
+
+function jsonResponse(status, payload) {
+  return new Response(JSON.stringify(payload), {
+    status,
+    headers: {
+      "Content-Type": "application/json; charset=utf-8",
+      "Cache-Control": "no-store",
+    },
+  });
+}
+
+function isLocalhost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+
+function withoutTrailingSlash(pathname) {
+  return pathname.replace(/\/+$/, "");
+}
+
+function isAuditPath(pathname) {
+  if (pathname === AUDIT_ROUTE || pathname === `${AUDIT_ROUTE}/jobs`) {
+    return true;
+  }
+  const prefix = `${AUDIT_ROUTE}/jobs/`;
+  return pathname.startsWith(prefix) && JOB_ID_PATTERN.test(pathname.slice(prefix.length));
+}
+
+function methodAllowed(method, pathname) {
+  if (pathname === HEALTH_ROUTE) {
+    return method === "GET";
+  }
+  if (pathname === AUDIT_ROUTE || pathname === `${AUDIT_ROUTE}/jobs`) {
+    return method === "POST";
+  }
+  if (pathname.startsWith(`${AUDIT_ROUTE}/jobs/`)) {
+    return method === "GET";
+  }
+  return false;
+}
+
+export function buildOriginUrl(rawOriginUrl, routePath, search = "") {
+  if (!rawOriginUrl || !rawOriginUrl.trim()) {
+    throw new Error("CODEX_AUDIT_ORIGIN_URL is required");
+  }
+  if (!isAuditPath(routePath)) {
+    throw new Error("route is not allowed");
+  }
+
+  const origin = new URL(rawOriginUrl.trim());
+  if (origin.protocol !== "https:" && !(origin.protocol === "http:" && isLocalhost(origin.hostname))) {
+    throw new Error("CODEX_AUDIT_ORIGIN_URL must use HTTPS");
+  }
+
+  let basePath = withoutTrailingSlash(origin.pathname);
+  if (!basePath.endsWith(AUDIT_ROUTE)) {
+    basePath = `${basePath}${AUDIT_ROUTE}`;
+  }
+  const suffix = routePath.slice(AUDIT_ROUTE.length);
+
+  origin.pathname = `${basePath}${suffix}`;
+  origin.search = search;
+  origin.hash = "";
+  return origin.toString();
+}
+
+function forwardedHeaders(request, url) {
+  const headers = new Headers(request.headers);
+  headers.delete("host");
+  headers.delete("content-length");
+  headers.set("X-Forwarded-Host", url.host);
+  headers.set("X-Forwarded-Proto", "https");
+  headers.set("X-Codex-Audit-Proxy", "cloudflare-worker");
+  return headers;
+}
+
+async function proxyRequest(request, env) {
+  const url = new URL(request.url);
+  const originUrl = buildOriginUrl(env.CODEX_AUDIT_ORIGIN_URL, url.pathname, url.search);
+  const hasBody = request.method !== "GET" && request.method !== "HEAD";
+
+  return fetch(originUrl, {
+    method: request.method,
+    headers: forwardedHeaders(request, url),
+    body: hasBody ? request.body : undefined,
+    redirect: "manual",
+  });
+}
+
+export default {
+  async fetch(request, env) {
+    const url = new URL(request.url);
+    if (url.pathname !== HEALTH_ROUTE && !isAuditPath(url.pathname)) {
+      return jsonResponse(404, { status: "error", error: "not found" });
+    }
+    if (!methodAllowed(request.method, url.pathname)) {
+      return jsonResponse(405, { status: "error", error: "method not allowed" });
+    }
+    if (url.pathname === HEALTH_ROUTE) {
+      return jsonResponse(200, { status: "ok" });
+    }
+
+    try {
+      return await proxyRequest(request, env);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "origin request failed";
+      if (message.includes("CODEX_AUDIT_ORIGIN_URL") || message.includes("HTTPS")) {
+        return jsonResponse(500, { status: "error", error: message });
+      }
+      return jsonResponse(502, { status: "error", error: "origin request failed" });
+    }
+  },
+};

cloudflare/codex-audit-proxy/tests/index.test.mjs

@@ -0,0 +1,72 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import worker, { buildOriginUrl } from "../src/index.mjs";
+
+const JOB_ID = "abcdefghijklmnopqrstuvwxyzABCD12";
+
+test("buildOriginUrl appends audit route to base origin", () => {
+  assert.equal(
+    buildOriginUrl("https://origin.example", "/v1/codex-audit", "?run=1"),
+    "https://origin.example/v1/codex-audit?run=1",
+  );
+});
+
+test("buildOriginUrl accepts full audit endpoint origin", () => {
+  assert.equal(
+    buildOriginUrl("https://origin.example/v1/codex-audit", "/v1/codex-audit"),
+    "https://origin.example/v1/codex-audit",
+  );
+});
+
+test("buildOriginUrl maps async submit route next to audit endpoint", () => {
+  assert.equal(
+    buildOriginUrl("https://origin.example/v1/codex-audit", "/v1/codex-audit/jobs"),
+    "https://origin.example/v1/codex-audit/jobs",
+  );
+});
+
+test("buildOriginUrl maps async status route next to audit endpoint", () => {
+  assert.equal(
+    buildOriginUrl("https://origin.example/v1/codex-audit", `/v1/codex-audit/jobs/${JOB_ID}`),
+    `https://origin.example/v1/codex-audit/jobs/${JOB_ID}`,
+  );
+});
+
+test("buildOriginUrl preserves nested base path", () => {
+  assert.equal(
+    buildOriginUrl("https://origin.example/codex", "/v1/codex-audit"),
+    "https://origin.example/codex/v1/codex-audit",
+  );
+});
+
+test("buildOriginUrl rejects insecure external origins", () => {
+  assert.throws(
+    () => buildOriginUrl("http://origin.example", "/v1/codex-audit"),
+    /must use HTTPS/,
+  );
+});
+
+test("worker health check is local and does not require origin", async () => {
+  const response = await worker.fetch(new Request("https://proxy.example/healthz"), {});
+  assert.equal(response.status, 200);
+  assert.deepEqual(await response.json(), { status: "ok" });
+});
+
+test("worker rejects unsupported route before origin lookup", async () => {
+  const response = await worker.fetch(new Request("https://proxy.example/other"), {});
+  assert.equal(response.status, 404);
+  assert.deepEqual(await response.json(), { status: "error", error: "not found" });
+});
+
+test("worker rejects unsupported method before origin lookup", async () => {
+  const response = await worker.fetch(new Request("https://proxy.example/v1/codex-audit", { method: "GET" }), {});
+  assert.equal(response.status, 405);
+  assert.deepEqual(await response.json(), { status: "error", error: "method not allowed" });
+});
+
+test("worker rejects malformed job ids before origin lookup", async () => {
+  const response = await worker.fetch(new Request("https://proxy.example/v1/codex-audit/jobs/nope"), {});
+  assert.equal(response.status, 404);
+  assert.deepEqual(await response.json(), { status: "error", error: "not found" });
+});

cloudflare/codex-audit-proxy/wrangler.jsonc

@@ -0,0 +1,10 @@
+{
+  "$schema": "node_modules/wrangler/config-schema.json",
+  "name": "quantstrategylab-codex-audit-proxy",
+  "main": "src/index.mjs",
+  "compatibility_date": "2025-12-01",
+  "workers_dev": true,
+  "observability": {
+    "enabled": true
+  }
+}