fix: add ACP authenticate step for codex-acp

codex-acp requires an explicit `conn.authenticate()` call after
initialize and before session creation. Auto-detect the auth method
from environment variables (CODEX_API_KEY or OPENAI_API_KEY).
Without this, codex-acp returns "Authentication required" when
trying to create a session in the remote runtime container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: simonrosenberg

openhands-sdk/openhands/sdk/agent/acp_agent.py

@@ -112,6 +112,30 @@ def _make_dummy_llm() -> LLM:
 }
 _DEFAULT_BYPASS_MODE = "full-access"
 
+# ACP auth method ID → environment variable that supplies the credential.
+# When the server reports auth_methods, we pick the first method whose
+# required env var is set.
+_AUTH_METHOD_ENV_MAP: dict[str, str] = {
+    "codex-api-key": "CODEX_API_KEY",
+    "openai-api-key": "OPENAI_API_KEY",
+}
+
+
+def _select_auth_method(
+    auth_methods: list[Any],
+    env: dict[str, str],
+) -> str | None:
+    """Pick an auth method whose required env var is present.
+
+    Returns the ``id`` of the first matching method, or ``None`` if no
+    env-var-based method is available (the server may not require auth).
+    """
+    method_ids = {m.id for m in auth_methods}
+    for method_id, env_var in _AUTH_METHOD_ENV_MAP.items():
+        if method_id in method_ids and env_var in env:
+            return method_id
+    return None
+
 
 def _resolve_bypass_mode(agent_name: str) -> str:
     """Return the session mode ID that bypasses all permission prompts.
@@ -540,6 +564,25 @@ async def _init() -> tuple[Any, Any, Any, str, str]:
                 agent_name = init_response.agent_info.name or ""
             logger.info("ACP server initialized: agent_name=%r", agent_name)
 
+            # Authenticate if the server requires it.  Some ACP servers
+            # (e.g. codex-acp) require an explicit authenticate call
+            # before session creation.  We auto-detect the method from
+            # the env vars that are available to the process.
+            auth_methods = init_response.auth_methods or []
+            if auth_methods:
+                method_id = _select_auth_method(auth_methods, env)
+                if method_id is not None:
+                    logger.info(
+                        "Authenticating with ACP method: %s", method_id
+                    )
+                    await conn.authenticate(method_id=method_id)
+                else:
+                    logger.warning(
+                        "ACP server offers auth methods %s but no matching "
+                        "env var is set — session creation may fail",
+                        [m.id for m in auth_methods],
+                    )
+
             # Create a new session
             response = await conn.new_session(cwd=working_dir)
             session_id = response.session_id

tests/sdk/agent/test_acp_agent.py

@@ -13,6 +13,7 @@
     ACPAgent,
     _OpenHandsACPBridge,
     _resolve_bypass_mode,
+    _select_auth_method,
 )
 from openhands.sdk.agent.base import AgentBase
 from openhands.sdk.conversation.state import (
@@ -1301,6 +1302,61 @@ def test_empty_name_defaults_to_full_access(self):
 # ---------------------------------------------------------------------------
 
 
+# ---------------------------------------------------------------------------
+# _select_auth_method
+# ---------------------------------------------------------------------------
+
+
+class TestSelectAuthMethod:
+    """Test auto-detection of ACP auth method from env vars."""
+
+    @staticmethod
+    def _make_auth_method(method_id: str) -> MagicMock:
+        m = MagicMock()
+        m.id = method_id
+        return m
+
+    def test_openai_api_key(self):
+        methods = [
+            self._make_auth_method("chatgpt"),
+            self._make_auth_method("codex-api-key"),
+            self._make_auth_method("openai-api-key"),
+        ]
+        env = {"OPENAI_API_KEY": "sk-test"}
+        assert _select_auth_method(methods, env) == "openai-api-key"
+
+    def test_codex_api_key_preferred(self):
+        """CODEX_API_KEY is checked first (appears first in the map)."""
+        methods = [
+            self._make_auth_method("codex-api-key"),
+            self._make_auth_method("openai-api-key"),
+        ]
+        env = {"CODEX_API_KEY": "key1", "OPENAI_API_KEY": "key2"}
+        assert _select_auth_method(methods, env) == "codex-api-key"
+
+    def test_no_matching_env_var(self):
+        methods = [
+            self._make_auth_method("chatgpt"),
+            self._make_auth_method("openai-api-key"),
+        ]
+        env = {"UNRELATED": "value"}
+        assert _select_auth_method(methods, env) is None
+
+    def test_empty_auth_methods(self):
+        assert _select_auth_method([], {}) is None
+
+    def test_method_not_in_server_list(self):
+        """Even if env var is set, method must be offered by server."""
+        methods = [self._make_auth_method("chatgpt")]
+        env = {"OPENAI_API_KEY": "sk-test"}
+        assert _select_auth_method(methods, env) is None
+
+
+# ---------------------------------------------------------------------------
+# acp_session_mode field
+# ---------------------------------------------------------------------------
+
+
 class TestACPSessionMode:
     def test_default_is_none(self):
         agent = _make_agent()