fix(codex): auto-clear api key for subscription auth

2026-05-06 15:40:44 +00:00 · 2026-04-27 18:52:46 -04:00
parent aeb007e4e5
commit 20ff49f7c8
4 changed files with 229 additions and 31 deletions
--- a/docs/plugins/codex-harness.md
+++ b/docs/plugins/codex-harness.md
@@ -509,9 +509,15 @@ For an already-running app-server, use WebSocket transport:
 ```

 Stdio app-server launches inherit OpenClaw's process environment by default.
-When the Gateway needs `OPENAI_API_KEY` for embeddings or direct OpenAI models
-but Codex should use the local ChatGPT login, clear that variable only for the
-Codex child:
+When OpenClaw sees that the Codex harness is using a ChatGPT subscription-style
+auth profile, including the local Codex CLI login imported as
+`openai-codex:default`, it automatically removes `OPENAI_API_KEY` from the
+spawned Codex child process. That keeps Gateway-level API keys available for
+embeddings or direct OpenAI models without making native Codex app-server turns
+bill through the API by accident.
+
+Explicit Codex API-key profiles are left alone. If a deployment needs additional
+environment isolation, add those variables to `appServer.clearEnv`:

 ```json5
 {
@@ -534,21 +540,21 @@ Codex child:

 Supported `appServer` fields:

-| Field               | Default                                  | Meaning                                                                                                                       |
-| ------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
-| `transport`         | `"stdio"`                                | `"stdio"` spawns Codex; `"websocket"` connects to `url`.                                                                      |
-| `command`           | managed Codex binary                     | Executable for stdio transport. Leave unset to use the managed binary; set it only for an explicit override.                  |
-| `args`              | `["app-server", "--listen", "stdio://"]` | Arguments for stdio transport.                                                                                                |
-| `url`               | unset                                    | WebSocket app-server URL.                                                                                                     |
-| `authToken`         | unset                                    | Bearer token for WebSocket transport.                                                                                         |
-| `headers`           | `{}`                                     | Extra WebSocket headers.                                                                                                      |
-| `clearEnv`          | `[]`                                     | Environment variable names removed from the spawned stdio app-server process after OpenClaw builds its inherited environment. |
-| `requestTimeoutMs`  | `60000`                                  | Timeout for app-server control-plane calls.                                                                                   |
-| `mode`              | `"yolo"`                                 | Preset for YOLO or guardian-reviewed execution.                                                                               |
-| `approvalPolicy`    | `"never"`                                | Native Codex approval policy sent to thread start/resume/turn.                                                                |
-| `sandbox`           | `"danger-full-access"`                   | Native Codex sandbox mode sent to thread start/resume.                                                                        |
-| `approvalsReviewer` | `"user"`                                 | Use `"auto_review"` to let Codex review native approval prompts. `guardian_subagent` remains a legacy alias.                  |
-| `serviceTier`       | unset                                    | Optional Codex app-server service tier: `"fast"`, `"flex"`, or `null`. Invalid legacy values are ignored.                     |
+| Field               | Default                                  | Meaning                                                                                                                             |
+| ------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `transport`         | `"stdio"`                                | `"stdio"` spawns Codex; `"websocket"` connects to `url`.                                                                            |
+| `command`           | managed Codex binary                     | Executable for stdio transport. Leave unset to use the managed binary; set it only for an explicit override.                        |
+| `args`              | `["app-server", "--listen", "stdio://"]` | Arguments for stdio transport.                                                                                                      |
+| `url`               | unset                                    | WebSocket app-server URL.                                                                                                           |
+| `authToken`         | unset                                    | Bearer token for WebSocket transport.                                                                                               |
+| `headers`           | `{}`                                     | Extra WebSocket headers.                                                                                                            |
+| `clearEnv`          | `[]`                                     | Extra environment variable names removed from the spawned stdio app-server process after OpenClaw builds its inherited environment. |
+| `requestTimeoutMs`  | `60000`                                  | Timeout for app-server control-plane calls.                                                                                         |
+| `mode`              | `"yolo"`                                 | Preset for YOLO or guardian-reviewed execution.                                                                                     |
+| `approvalPolicy`    | `"never"`                                | Native Codex approval policy sent to thread start/resume/turn.                                                                      |
+| `sandbox`           | `"danger-full-access"`                   | Native Codex sandbox mode sent to thread start/resume.                                                                              |
+| `approvalsReviewer` | `"user"`                                 | Use `"auto_review"` to let Codex review native approval prompts. `guardian_subagent` remains a legacy alias.                        |
+| `serviceTier`       | unset                                    | Optional Codex app-server service tier: `"fast"`, `"flex"`, or `null`. Invalid legacy values are ignored.                           |

 Environment overrides remain available for local testing: