From 9040cda408bfc1f3141541a2593154ff2b5ea0e3 Mon Sep 17 00:00:00 2001
From: Sanjay Santhanam <51058514+Sanjays2402@users.noreply.github.com>
Date: Tue, 21 Apr 2026 04:38:26 -0700
Subject: [PATCH] fix(codex): exclude codex-app-server synthetic apiKey from secrets audit (#69581)
* fix(codex): exclude codex-app-server synthetic apiKey from secrets audit
The Codex extension uses the literal string "codex-app-server" as a hardcoded placeholder apiKey in provider.ts, since the real authentication is managed by the app-server transport itself.
The secrets audit currently reports this as a real plaintext leak (PLAINTEXT_FOUND), producing a false positive for any user who has configured the Codex harness.
Declare it as a plugin-owned non-secret marker in the Codex plugin manifest, so it flows through the standard `listKnownNonSecretApiKeyMarkers()` path alongside `ollama-local`, `lmstudio-local`, `gcp-vertex-credentials`, and `minimax-oauth`.
Also extends the existing `model auth markers` unit tests to lock in the behavior.
Fixes #69511
* ci: retrigger checks (no-op)
(cherry picked from commit 081da17090b94405406904e0d223cfae15b2d1b7)
---
 extensions/codex/openclaw.plugin.json | 1 +
 src/agents/model-auth-markers.test.ts | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/extensions/codex/openclaw.plugin.json b/extensions/codex/openclaw.plugin.json
index 120885b67e4..76a4df052b8 100644
--- a/extensions/codex/openclaw.plugin.json
+++ b/extensions/codex/openclaw.plugin.json
@@ -3,6 +3,7 @@
 "name": "Codex",
 "description": "Codex app-server harness and Codex-managed GPT model catalog.",
 "providers": ["codex"],
+ "nonSecretAuthMarkers": ["codex-app-server"],
 "activation": {
 "onAgentHarnesses": ["codex"]
 },
diff --git a/src/agents/model-auth-markers.test.ts b/src/agents/model-auth-markers.test.ts
index da769abaeb3..44a7451a68d 100644
--- a/src/agents/model-auth-markers.test.ts
+++ b/src/agents/model-auth-markers.test.ts
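Review bot: The literal `codex-app-server` now has to agree in two places — the placeholder apiKey in provider.ts that the commit message describes and the new `nonSecretAuthMarkers` entry in this manifest — and nothing in the patch ties them together, so renaming either side silently brings the PLAINTEXT_FOUND false positive back. A test asserting that the provider's placeholder apiKey equals the manifest marker, or reading the placeholder from the manifest instead of hardcoding it, would close that gap. Separately, this audit exemption is now data read from a plugin manifest; the test name suggests only bundled manifests feed `listKnownNonSecretApiKeyMarkers()`, but the loader is not in this diff, and if third-party manifests flow through the same path a plugin could declare arbitrary strings non-secret and suppress audit findings for them. If that is possible, the loader should accept `nonSecretAuthMarkers` only from bundled plugins or scope each marker to the manifest's own `providers`.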
@@ -69,12 +69,14 @@ describe("model auth markers", () => {
 expect(isNonSecretApiKeyMarker(resolveOAuthApiKeyMarker("chutes"))).toBe(true);
 expect(isNonSecretApiKeyMarker("ollama-local")).toBe(true);
 expect(isNonSecretApiKeyMarker("lmstudio-local")).toBe(true);
+ expect(isNonSecretApiKeyMarker("codex-app-server")).toBe(true);
 expect(isNonSecretApiKeyMarker(GCP_VERTEX_CREDENTIALS_MARKER)).toBe(true);
 });
 it("reads bundled plugin-owned non-secret markers from manifests", () => {
 expect(listKnownNonSecretApiKeyMarkers()).toEqual(
 expect.arrayContaining([
+ "codex-app-server",
 "gcp-vertex-credentials",
 "lmstudio-local",
 "minimax-oauth",
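Review bot: The added assertion pins only the positive case, so it does not guard against `isNonSecretApiKeyMarker` matching the marker by prefix or substring, which would let a real key that merely contains `codex-app-server` escape the plaintext audit. Unless negative cases are covered elsewhere in this file, add next to the new line `expect(isNonSecretApiKeyMarker("codex-app-server-x")).toBe(false);` and `expect(isNonSecretApiKeyMarker("sk-codex-app-server")).toBe(false);` so exact-match semantics are locked in with the marker. Whether the matcher is exact today is not visible in this diff, which is exactly why the test should state it. The enclosing `describe` starts before the hunk and the second `it` callback continues past its last line.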