fix(codex): hash app-server env values in client keys

extensions/codex/src/app-server/config.test.ts

@@ -302,6 +302,27 @@ describe("Codex app-server config", () => {
     expect(second).not.toContain("tok_second");
   });
 
+  it("derives distinct shared-client keys for distinct env values without exposing them", () => {
+    const first = codexAppServerStartOptionsKey({
+      transport: "stdio",
+      command: "codex",
+      args: ["app-server"],
+      headers: {},
+      env: { OPENAI_API_KEY: "sk-first" },
+    });
+    const second = codexAppServerStartOptionsKey({
+      transport: "stdio",
+      command: "codex",
+      args: ["app-server"],
+      headers: {},
+      env: { OPENAI_API_KEY: "sk-second" },
+    });
+
+    expect(first).not.toEqual(second);
+    expect(first).not.toContain("sk-first");
+    expect(second).not.toContain("sk-second");
+  });
+
   it("keeps runtime config keys aligned with manifest schema and UI hints", async () => {
     const manifest = JSON.parse(
       await fs.readFile(new URL("../../openclaw.plugin.json", import.meta.url), "utf8"),

extensions/codex/src/app-server/config.ts

@@ -304,7 +304,9 @@ export function codexAppServerStartOptionsKey(
     headers: Object.entries(options.headers).toSorted(([left], [right]) =>
       left.localeCompare(right),
     ),
-    env: Object.entries(options.env ?? {}).toSorted(([left], [right]) => left.localeCompare(right)),
+    env: Object.entries(options.env ?? {})
+      .toSorted(([left], [right]) => left.localeCompare(right))
+      .map(([key, value]) => [key, hashSecretForKey(value)]),
     clearEnv: [...(options.clearEnv ?? [])].toSorted(),
     authProfileId: params.authProfileId ?? null,
   });