From 19d8fa43e8951943efe9fa61f11b5af69d2252f7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 15 May 2026 20:20:04 +0000 Subject: [PATCH 1/2] Initial plan From 89320da83a4cad4cfa8f0276fdbf3dac6cf1d86e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 15 May 2026 20:24:30 +0000 Subject: [PATCH 2/2] fix: remove codex openai-proxy env_key requirement --- .../workflows/secret-digger-codex.lock.yml | 2 - .github/workflows/smoke-codex.lock.yml | 1 - .../ci/postprocess-smoke-workflows.test.ts | 44 +++++++++++++++++++ scripts/ci/postprocess-smoke-workflows.ts | 15 +++++-- 4 files changed, 56 insertions(+), 6 deletions(-) diff --git a/.github/workflows/secret-digger-codex.lock.yml b/.github/workflows/secret-digger-codex.lock.yml index 96444ec42..1427f1c5b 100644 --- a/.github/workflows/secret-digger-codex.lock.yml +++ b/.github/workflows/secret-digger-codex.lock.yml @@ -761,7 +761,6 @@ jobs: [model_providers.openai-proxy] name = "OpenAI AWF proxy" base_url = "http://172.30.0.30:10000" - env_key = "OPENAI_API_KEY" supports_websockets = false [shell_environment_policy] inherit = "core" @@ -1367,7 +1366,6 @@ jobs: [model_providers.openai-proxy] name = "OpenAI AWF proxy" base_url = "http://172.30.0.30:10000" - env_key = "OPENAI_API_KEY" supports_websockets = false [shell_environment_policy] inherit = "core" diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 818a7618f..bde883974 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -946,7 +946,6 @@ jobs: [model_providers.openai-proxy] name = "OpenAI AWF proxy" base_url = "http://172.30.0.30:10000" - env_key = "OPENAI_API_KEY" supports_websockets = false [shell_environment_policy] inherit = "core" 
diff --git a/scripts/ci/postprocess-smoke-workflows.test.ts b/scripts/ci/postprocess-smoke-workflows.test.ts
index 82d9d8a62..79a810421 100644
--- a/scripts/ci/postprocess-smoke-workflows.test.ts
+++ b/scripts/ci/postprocess-smoke-workflows.test.ts
@@ -234,6 +234,50 @@ describe('cacheRestoreKeyPrefixRegex', () => {
 });
 });
 
+// ── Codex openai-proxy provider injection tests ──────────────────────────────
+// Mirrors the patterns in postprocess-smoke-workflows.ts.
+
+const codexConfigTomlHeredocRegex =
+ /^(\s+)(cat > "\/tmp\/gh-aw\/mcp-config\/config\.toml" << GH_AW_CODEX_SHELL_POLICY_\w+_EOF\n)(?:\1[^\n]*\n)*?(\1\[shell_environment_policy\])/m;
+const CODEX_PROXY_ENV_KEY_REGEX =
+ /(^\s+\[model_providers\.openai-proxy\]\n(?:^\s+.*\n)*?)^\s+env_key = "OPENAI_API_KEY"\n/m;
+
+describe('codexConfigTomlHeredocRegex + CODEX_PROXY_ENV_KEY_REGEX', () => {
+ it('injects openai-proxy provider without env_key', () => {
+ const input =
+ ' cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_hash_EOF\n' +
+ ' [shell_environment_policy]\n' +
+ ' inherit = "core"\n';
+ const match = input.match(codexConfigTomlHeredocRegex);
+ expect(match).not.toBeNull();
+ const indent = match![1];
+ const modelProvidersBlock =
+ `${indent}model_provider = "openai-proxy"\n` +
+ `${indent}\n` +
+ `${indent}[model_providers.openai-proxy]\n` +
+ `${indent}name = "OpenAI AWF proxy"\n` +
+ `${indent}base_url = "http://172.30.0.30:10000"\n` +
+ `${indent}supports_websockets = false\n` +
+ `${indent}\n`;
+ const result = input.replace(codexConfigTomlHeredocRegex, `$1$2${modelProvidersBlock}$3`);
+ expect(result).toContain('[model_providers.openai-proxy]');
+ expect(result).not.toContain('env_key = "OPENAI_API_KEY"');
+ });
+
+ it('removes legacy env_key from openai-proxy provider blocks', () => {
+ const input =
+ ' [model_providers.openai-proxy]\n' +
+ ' name = "OpenAI AWF proxy"\n' +
+ ' base_url = "http://172.30.0.30:10000"\n' +
+ ' env_key = "OPENAI_API_KEY"\n' +
+ ' supports_websockets = false\n' +
+ ' [shell_environment_policy]\n';
+ const result = input.replace(CODEX_PROXY_ENV_KEY_REGEX, '$1');
+ expect(result).not.toContain('env_key = "OPENAI_API_KEY"');
+ expect(result).toContain('supports_websockets = false');
+ });
+});
+
 // ── Session state dir injection and Copy step replacement tests ──────────────
 // Mirrors the patterns in postprocess-smoke-workflows.ts.
 
diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts
index ba9915d9e..2722cffe3 100644
--- a/scripts/ci/postprocess-smoke-workflows.ts
+++ b/scripts/ci/postprocess-smoke-workflows.ts
@@ -775,14 +775,16 @@ for (const workflowPath of workflowPaths) {
 // custom provider "openai-proxy" that:
 // - points to the AWF api-proxy sidecar at http://172.30.0.30:10000
 // - sets supports_websockets=false to force REST (which respects base_url)
-// - uses OPENAI_API_KEY (placeholder injected by AWF) for auth; the sidecar
-// replaces it with the real key before forwarding to OpenAI
+// - omits env_key so Codex does not hard-require OPENAI_API_KEY at startup;
+// auth is handled by the sidecar
 // We then set model_provider = "openai-proxy" to activate it.
 //
 // See: https://developers.openai.com/codex/config-reference
 const codexConfigTomlHeredocRegex =
 /^(\s+)(cat > "\/tmp\/gh-aw\/mcp-config\/config\.toml" << GH_AW_CODEX_SHELL_POLICY_\w+_EOF\n)(?:\1[^\n]*\n)*?(\1\[shell_environment_policy\])/m;
 const CODEX_PROXY_PROVIDER_SENTINEL = 'model_providers.openai-proxy';
+const CODEX_PROXY_ENV_KEY_REGEX =
+ /(^\s+\[model_providers\.openai-proxy\]\n(?:^\s+.*\n)*?)^\s+env_key = "OPENAI_API_KEY"\n/m;
 
 // Apply Codex-specific transformations to OpenAI/Codex workflow files only.
 // These transformations must not be applied to Claude, Copilot, or other
@@ -810,7 +812,6 @@ for (const workflowPath of codexWorkflowPaths) {
 `${indent}[model_providers.openai-proxy]\n` +
 `${indent}name = "OpenAI AWF proxy"\n` +
 `${indent}base_url = "http://172.30.0.30:10000"\n` +
- `${indent}env_key = "OPENAI_API_KEY"\n` +
 `${indent}supports_websockets = false\n` +
 `${indent}\n`;
 content = content.replace(
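Review bot: The first case in the test hunk, `injects openai-proxy provider without env_key`, builds `modelProvidersBlock` inside the test itself, so `expect(result).not.toContain('env_key = "OPENAI_API_KEY"')` only checks the test's own literal and would still pass if the script's injected block regained the line. Both patterns are also re-declared here rather than imported, so the copies can drift from postprocess-smoke-workflows.ts without any test failing. Consider exporting the two regexes (and the block text) from the script, and adding a case where the openai-proxy table has no `env_key` but a later table does, to pin which line the removal is allowed to touch.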
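Review bot: `CODEX_PROXY_ENV_KEY_REGEX`, added in the `@@ -775,14 +775,16 @@` hunk, is not confined to the openai-proxy table: the filler group `(?:^\s+.*\n)*?` accepts any indented line, `[...]` headers included, so when that table has no `env_key` the match can run on and delete an `env_key = "OPENAI_API_KEY"` line belonging to a different provider further down the same file. Stopping the filler at the next table header keeps the edit scoped, e.g. `(?:^(?!\s*\[)\s+.*\n)*?`. Whether any workflow processed here carries a second provider keyed on `OPENAI_API_KEY` is not visible in this patch, but silently dropping another provider's credential setting is worth ruling out in the pattern itself. The duplicated pattern in the test file would need the same change.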
@@ -829,6 +830,14 @@ for (const workflowPath of codexWorkflowPaths) {
 console.log(` openai-proxy custom provider already present in Codex config.toml`);
 }
 
+ // Remove legacy env_key for openai-proxy so Codex doesn't require OPENAI_API_KEY
+ // in the sandbox when auth is provided by the sidecar.
+ if (CODEX_PROXY_ENV_KEY_REGEX.test(content)) {
+ content = content.replace(CODEX_PROXY_ENV_KEY_REGEX, '$1');
+ modified = true;
+ console.log(' Removed legacy env_key from openai-proxy provider');
+ }
+
 // Preserve empty lines as truly empty (no trailing whitespace) to keep the
 // YAML block scalar clean and diff-friendly.
 function buildXpiaHeredoc(indent: string, appendSuffix: string): string {
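Review bot: The removal strips only the first legacy line per file, because `CODEX_PROXY_ENV_KEY_REGEX` is declared with `/m` and no `g`, so `content.replace(...)` replaces a single match. This patch's own hunks for secret-digger-codex.lock.yml show two `[model_providers.openai-proxy]` blocks in one file (around lines 761 and 1367), so a file in that state would presumably keep one `env_key` after a run while the log reports it removed. Declaring the pattern `/gm` and swapping the `.test()` guard (which is stateful on a global regex) for `const stripped = content.replace(CODEX_PROXY_ENV_KEY_REGEX, '$1'); if (stripped !== content) { content = stripped; modified = true; }` covers every block. The enclosing `for` loop body starts and ends outside the hunk.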