Ravi

CodexMonitor + Ravi

CodexMonitor + Ravi

CodexMonitor is a Tauri-based desktop application for orchestrating multiple OpenAI Codex agent sessions across isolated workspaces. It lets you add local repos, spawn one codex app-server per workspace, and manage all agent threads from a single UI — with git worktree isolation, thread management, GitHub PR integration, and a headless remote daemon mode.

Ravi is the identity layer that makes CodexMonitor safe to run at scale: encrypted credential storage, per-worktree agent identities, and non-interactive auth for headless daemon setups.

The Problem

CodexMonitor’s daemon stores its auth token in plaintext settings.json. When you’re running multiple parallel agents across worktrees, each one shares the same OS-level identity — same email, same git config, same GitHub account. As soon as you go headless (daemon mode over Tailscale, for example), you also hit a browser-flow requirement for the initial codex_login that breaks non-interactive startup.

These aren’t obscure edge cases. They’re what happens the moment you try to run CodexMonitor seriously: multiple agents, a remote machine, no human sitting at a keyboard.

What Ravi Adds

Encrypted credential storage. Ravi’s secrets vault replaces plaintext settings.json for the daemon auth token. The token is E2E encrypted at rest, portable across machines, and rotatable without touching config files. At daemon init, swap the file read for a single API call.

Per-worktree agent identity. Git worktrees are filesystem-isolated but share OS identity. Ravi identity provisioning gives each worktree a unique email address and phone number. Each agent’s git config user.email points to its own Ravi address, and any email verification that arrives (GitHub confirmations, OAuth flows) lands in that identity’s inbox and can be handled programmatically — no human required.

GitHub token isolation. CodexMonitor uses gh for issue and PR lookups per workspace. Ravi’s secrets store can hold a separate GitHub token per workspace identity. Each worktree authenticates as a distinct agent, with its own GitHub account and commit attribution, rather than sharing a single developer credential.

Headless OAuth. codex_login requires a browser flow — a hard blocker for daemon restarts on remote machines. Ravi holds the resulting session token after initial setup and restores it programmatically on subsequent starts. The daemon becomes fully non-interactive.

Setup Guide

1. Store the daemon auth token in Ravi

Instead of reading the token from settings.json at startup, store it once in the Ravi vault:

# Using the Ravi CLI or any Ravi-integrated agent
ravi secrets set CODEX_MONITOR_DAEMON_TOKEN <your-token>

At daemon init, retrieve it:

// Before: read from settings.json
const token = settings.daemonAuthToken;

// After: retrieve from Ravi vault
const token = await ravi.secrets.get("CODEX_MONITOR_DAEMON_TOKEN");

The token is now encrypted at rest, portable to any machine with Ravi access, and rotatable without a config file edit.

2. Provision a Ravi identity per worktree

For each workspace you add to CodexMonitor, create a corresponding Ravi identity:

# Example: workspace "payments-agent"
ravi identity create --name "payments-agent" --email payments-agent

Configure the worktree’s git identity to use the provisioned address:

git -C /path/to/worktree config user.email payments-agent@yourdomain.raviapp.com
git -C /path/to/worktree config user.name "payments-agent"

Any email verification triggered by that agent’s activity — GitHub notifications, OAuth confirmations — now arrives in that identity’s inbox. A Ravi-connected agent can handle verification automatically without human intervention.

3. Store per-workspace GitHub tokens

If each worktree agent uses its own GitHub account:

# Store per-workspace
ravi secrets set CODEX_MONITOR_GH_TOKEN_PAYMENTS_AGENT ghp_...

Pass the workspace-scoped token to gh at runtime instead of relying on the shared system credential:

GH_TOKEN=$(ravi secrets get CODEX_MONITOR_GH_TOKEN_PAYMENTS_AGENT) gh pr list

4. Restore the Codex session token on daemon restart

After completing initial codex_login, extract and store the session token:

ravi secrets set CODEX_SESSION_TOKEN <extracted-token>

On subsequent daemon starts, restore it programmatically — no browser prompt, no human required. The daemon restarts cleanly on any machine with Ravi access.

Why This Matters

CodexMonitor is already good at parallelism at the UI level. The gap is identity: multiple agents sharing one credential set, auth tokens in plaintext, and a login flow that breaks headless operation.

Ravi fills that gap without requiring any changes to CodexMonitor’s core. The secrets vault is a two-line integration. The per-identity provisioning is a git config change. The result is a CodexMonitor deployment where each agent is genuinely isolated — its own identity, its own credentials, its own audit trail — and the whole thing restarts without a human at the keyboard.

Resources