Skip to content
~/krishnakumar.dev
cd /home
WritingSecurity / TypeScript / TanStack Start

Displaying Codex activity without putting credentials in the cloud

A local collector, signed aggregate payloads, and a small public read model keep account credentials off the portfolio server.

This portfolio displays combined Codex activity from three accounts. The obvious implementation would copy the account credentials into the deployed application and fetch usage there. That would also turn a public portfolio into a credential vault.

The boundary

The collector runs locally on my Mac. It reads the existing Codex profiles, requests each account's token profile, removes account identity, merges daily buckets, and signs the sanitized result. Only that aggregate payload reaches the portfolio.

The deployed application knows one ingestion secret. It never receives OpenAI access tokens, refresh tokens, account IDs, prompts, repository names, or file paths.

Why complete snapshots matter

If one account fails, publishing the other two would make the combined total appear to fall. The collector therefore publishes only when every configured profile succeeds. The site keeps the last complete snapshot and makes its age visible.

Why HMAC is enough here

The payload is public aggregate data, but writes still need authentication. The collector signs the timestamp and exact request body with HMAC-SHA256. The server rejects old timestamps and mismatched signatures, then performs an idempotent upsert.

A replay inside the accepted time window writes the same snapshot again. There is no balance transfer or one-time action, so a nonce database would add complexity without changing the outcome.

The fragile part

The account profile endpoint is used by the open-source Codex CLI but is not a documented public API. Its adapter lives in one module, validates external data at the boundary, and fails without replacing the last good snapshot if the response changes.