mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 19:40:42 +00:00
fix(codex): exclude codex-app-server synthetic apiKey from secrets audit (#69581)
* fix(codex): exclude codex-app-server synthetic apiKey from secrets audit

  The Codex extension uses the literal string "codex-app-server" as a hardcoded placeholder apiKey in provider.ts, since the real authentication is managed by the app-server transport itself. The secrets audit currently reports this as a real plaintext leak (PLAINTEXT_FOUND), producing a false positive for any user who has configured the Codex harness.

  Declare it as a plugin-owned non-secret marker in the Codex plugin manifest, so it flows through the standard `listKnownNonSecretApiKeyMarkers()` path alongside `ollama-local`, `lmstudio-local`, `gcp-vertex-credentials`, and `minimax-oauth`.

  Also extends the existing `model auth markers` unit tests to lock in the behavior.

  Fixes #69511

* ci: retrigger checks (no-op)
@@ -3,6 +3,7 @@
|
||||
"name": "Codex",
|
||||
"description": "Codex app-server harness and Codex-managed GPT model catalog.",
|
||||
"providers": ["codex"],
|
||||
"nonSecretAuthMarkers": ["codex-app-server"],
|
||||
"activation": {
|
||||
"onAgentHarnesses": ["codex"]
|
||||
},
|
||||
|
||||
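Review bot: The new "nonSecretAuthMarkers": ["codex-app-server"] line repeats a literal that the commit message says is hardcoded in provider.ts, so the manifest and the provider can drift apart silently: if the placeholder is ever renamed in one place only, the secrets audit goes back to reporting PLAINTEXT_FOUND for every Codex user. Consider having the extended `model auth markers` test read the placeholder from the provider and assert it appears in the manifest list, rather than checking the string in isolation. It is also worth confirming that the marker is honoured only for the provider declared in "providers": ["codex"]. If `listKnownNonSecretApiKeyMarkers()` returns one global list, an apiKey field of any other provider set to this exact string would be skipped by the audit as well, and that scope should be documented next to the manifest key.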