
feat: disable codex credential sharing, enable proxied calls #854

Merged: lpcox merged 2 commits into main from claude/disable-credential-sharing, Feb 14, 2026


@Claude Claude AI commented Feb 14, 2026

Removes temporary exception that allowed CODEX_API_KEY to bypass credential isolation. Enables OPENAI_BASE_URL to route OpenAI/Codex API calls through the api-proxy sidecar.

Changes

Credential isolation (src/docker-manager.ts)

  • Add CODEX_API_KEY to EXCLUDED_ENV_VARS when api-proxy enabled (line 334)
  • Apply conditional exclusion in selective pass-through (line 422)
  • Enable OPENAI_BASE_URL configuration to proxy calls to http://{proxyIp}:10000/v1 (lines 1011-1014)

Health checks (containers/agent/api-proxy-health-check.sh)

  • Verify CODEX_API_KEY not present in agent environment (lines 67-75)

Tests (src/docker-manager.test.ts)

  • Update test expectations: CODEX_API_KEY excluded, OPENAI_BASE_URL set when api-proxy enabled

Behavior

Before:

// CODEX_API_KEY passed directly to agent container
environment.CODEX_API_KEY = process.env.CODEX_API_KEY;
// OPENAI_BASE_URL commented out

After:

// CODEX_API_KEY held in api-proxy sidecar
EXCLUDED_ENV_VARS.add('CODEX_API_KEY');
// Agent uses proxy endpoint
environment.OPENAI_BASE_URL = `http://${proxyIp}:10000/v1`;

Codex agents now use the same credential isolation pattern as other LLM providers.

@Claude Claude AI changed the title [WIP] Disable shared credentials for Codex agent feat: disable codex credential sharing, enable proxied calls Feb 14, 2026
@Claude Claude AI requested a review from lpcox February 14, 2026 20:59
@github-actions

github-actions bot commented Feb 14, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Feb 14, 2026

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions bot commented Feb 14, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions bot commented Feb 14, 2026

🎬 THE END - Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

✅ Coverage Check Passed

Overall Coverage

Metric | Base | PR | Delta
Lines | 82.68% | 82.86% | 📈 +0.18%
Statements | 82.60% | 82.78% | 📈 +0.18%
Functions | 82.74% | 82.74% | ➡️ +0.00%
Branches | 74.78% | 74.88% | 📈 +0.10%

📁 Per-file Coverage Changes (1 files)

File | Lines (Before → After) | Statements (Before → After)
src/docker-manager.ts | 84.0% → 84.7% (+0.68%) | 83.2% → 83.9% (+0.66%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

Bun Build Test Results ✅

All Bun projects tested successfully!

Project Install Tests Status
elysia 1/1 PASS
hono 1/1 PASS

Overall: PASS

  • Bun version: 1.3.9
  • All dependencies installed successfully
  • All tests executed without errors

AI generated by Build Test Bun

@github-actions

Deno Build Test Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

@github-actions

.NET Build Test Results

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

All .NET projects successfully restored, built, and ran.

AI generated by Build Test .NET

@github-actions

Node.js Build Test Results

Project Install Tests Status
clsx PASS PASS
execa PASS PASS
p-limit PASS PASS

Overall: PASS

All Node.js projects installed successfully and all tests passed.

AI generated by Build Test Node.js

@github-actions

Merged PRs: feat: proxy claude api calls to secure auth token; fix: use 0o666 mode for ~/.claude.json to fix permissions
GitHub MCP review ✅
Safeinputs GH PR list ✅
Playwright title check ❌ (tool missing)
Tavily search ❌ (tool missing)
File write ✅
Bash cat ✅
Discussion query + comment ✅
Build (npm ci && npm run build) ✅
Overall: FAIL

AI generated by Smoke Codex

@github-actions

Go Build Test Results

Project Download Tests Status
color 1/1 PASS
env 1/1 PASS
uuid 1/1 PASS

Overall: PASS

All Go projects successfully downloaded dependencies and passed their tests.

AI generated by Build Test Go

@github-actions

Rust Build Test Results ✅

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: PASS

All Rust projects built and tested successfully!

AI generated by Build Test Rust

@github-actions

Smoke Test Results (Run #22024159945)

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PRs successfully
  • ✅ Playwright: Page title verified
  • ✅ File Writing: Test file created
  • ✅ Bash Tool: File verified

Status: PASS

cc: @lpcox @Claude

AI generated by Smoke Copilot

@github-actions

Chroot Version Comparison Test Results

Runtime | Host Version | Chroot Version | Match?
Python | Python 3.12.12 | Python 3.12.3 | ❌ NO
Node.js | v24.13.0 | v20.20.0 | ❌ NO
Go | go1.22.12 | go1.22.12 | ✅ YES

Overall Status: ❌ Tests did not pass

The chroot environment successfully accesses host binaries, but version mismatches were detected for Python and Node.js. Go versions match correctly.

AI generated by Smoke Chroot

@github-actions

Build Test: Java - Results

Project Compile Tests Status
gson 1/1 PASS
caffeine 1/1 PASS

Overall: PASS

All Java projects successfully compiled and tested through the AWF firewall with Maven proxy configuration.

AI generated by Build Test Java

@github-actions

Smoke Test Results

Last 2 Merged PRs:

  • feat: proxy claude api calls to secure auth token
  • fix: use 0o666 mode for ~/.claude.json to fix permissions

Test Results:

  • ✅ GitHub MCP: Retrieved PR data
  • ✅ Playwright: Verified GitHub page title
  • ✅ File Writing: Created test file
  • ✅ Bash Tool: Verified file contents

Overall Status: PASS

AI generated by Smoke Claude

@lpcox lpcox marked this pull request as ready for review February 14, 2026 21:11
Copilot AI review requested due to automatic review settings February 14, 2026 21:11
@lpcox lpcox merged commit 3474b47 into main Feb 14, 2026
95 checks passed
@lpcox lpcox deleted the claude/disable-credential-sharing branch February 14, 2026 21:11

Copilot AI left a comment

Pull request overview

This PR tightens credential isolation for Codex by removing the CODEX_API_KEY pass-through to the agent container when --enable-api-proxy is used, and re-enables proxied OpenAI/Codex calls by setting OPENAI_BASE_URL to the api-proxy sidecar endpoint.

Changes:

  • Exclude CODEX_API_KEY from the agent environment when api-proxy is enabled.
  • Set OPENAI_BASE_URL in the agent to route OpenAI/Codex traffic through the sidecar (http://{proxyIp}:10000/v1).
  • Update health-check enforcement and Jest expectations to reflect the new isolation/proxy behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File | Description
src/docker-manager.ts | Stops leaking CODEX_API_KEY to the agent under api-proxy and re-enables OPENAI_BASE_URL for proxied OpenAI/Codex calls.
src/docker-manager.test.ts | Updates tests to expect OPENAI_BASE_URL and to assert CODEX_API_KEY is not exposed to the agent when api-proxy is enabled.
containers/agent/api-proxy-health-check.sh | Extends credential isolation checks to fail if CODEX_API_KEY is present in the agent environment.

Comments suppressed due to low confidence (1)

src/docker-manager.ts:336

  • With enableApiProxy on, CODEX_API_KEY is always added to EXCLUDED_ENV_VARS. If a user enables the proxy but only provides CODEX_API_KEY (no config.openaiApiKey / OPENAI_API_KEY), the agent will lose CODEX_API_KEY while OPENAI_BASE_URL is never set, which can break Codex runs without actually configuring the OpenAI proxy. Consider either (a) only excluding CODEX_API_KEY when the OpenAI proxy is configured, or (b) treating CODEX_API_KEY as an OpenAI key for proxy configuration (pass it to the sidecar and set OPENAI_BASE_URL).
  if (config.enableApiProxy) {
    EXCLUDED_ENV_VARS.add('OPENAI_API_KEY');
    EXCLUDED_ENV_VARS.add('OPENAI_KEY');
    EXCLUDED_ENV_VARS.add('CODEX_API_KEY');
    EXCLUDED_ENV_VARS.add('ANTHROPIC_API_KEY');
    EXCLUDED_ENV_VARS.add('CLAUDE_API_KEY');


Comment on lines +1011 to +1014
if (config.openaiApiKey) {
environment.OPENAI_BASE_URL = `http://${networkConfig.proxyIp}:10000/v1`;
logger.debug(`OpenAI API will be proxied through sidecar at http://${networkConfig.proxyIp}:10000/v1`);
}
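Review bot: the sidecar URL `http://${networkConfig.proxyIp}:10000/v1` is written out twice in this hunk, once in the `OPENAI_BASE_URL` assignment and again in the `logger.debug` message, so the logged endpoint and the configured endpoint can drift apart if the port or path is ever changed in only one place. Build the URL once into a local constant and use it in both lines, and give port 10000 a named constant rather than repeating the literal.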

Copilot AI Feb 14, 2026

OPENAI_BASE_URL is only set when config.openaiApiKey is present. In combination with excluding CODEX_API_KEY when enableApiProxy is true, this creates a failure mode where Codex credentials are removed but no proxy endpoint is configured (e.g., proxy enabled + CODEX_API_KEY present + openaiApiKey absent). Consider aligning the condition for setting OPENAI_BASE_URL with the condition for excluding Codex/OpenAI keys (or emit a hard error when enableApiProxy is enabled without an OpenAI key).

This issue also appears on line 331 of the same file.

Suggested change
if (config.openaiApiKey) {
environment.OPENAI_BASE_URL = `http://${networkConfig.proxyIp}:10000/v1`;
logger.debug(`OpenAI API will be proxied through sidecar at http://${networkConfig.proxyIp}:10000/v1`);
}
environment.OPENAI_BASE_URL = `http://${networkConfig.proxyIp}:10000/v1`;
logger.debug(`OpenAI API will be proxied through sidecar at http://${networkConfig.proxyIp}:10000/v1`);

Copilot uses AI. Check for mistakes.
Comment on lines +1685 to +1698
it('should not leak CODEX_API_KEY to agent when api-proxy is enabled with envAll', () => {
// Simulate the key being in process.env AND envAll enabled
// CODEX_API_KEY is intentionally passed through (unlike other keys) for Codex agent compatibility
// CODEX_API_KEY is now excluded when api-proxy is enabled for credential isolation
const origKey = process.env.CODEX_API_KEY;
process.env.CODEX_API_KEY = 'sk-codex-secret';
try {
const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test', envAll: true };
const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
const agent = result.services.agent;
const env = agent.environment as Record<string, string>;
// CODEX_API_KEY is intentionally passed to agent for Codex compatibility
expect(env.CODEX_API_KEY).toBe('sk-codex-secret');
// OPENAI_BASE_URL temporarily disabled for Codex - will be re-enabled in future
expect(env.OPENAI_BASE_URL).toBeUndefined();
// CODEX_API_KEY should NOT be passed to agent when api-proxy is enabled
expect(env.CODEX_API_KEY).toBeUndefined();
// OPENAI_BASE_URL should be set when api-proxy is enabled with openaiApiKey
expect(env.OPENAI_BASE_URL).toBe('http://172.30.0.30:10000/v1');
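Review bot: the last assertion hard-codes `'http://172.30.0.30:10000/v1'`, which ties the test to whatever address `mockNetworkConfigWithProxy` happens to carry; derive the expected URL from the fixture's proxy IP so a fixture change fails for the right reason. The visible lines also overwrite `process.env.CODEX_API_KEY` inside a `try` after saving `origKey`, so check that the matching `finally` restores it, including deleting the variable when `origKey` was undefined, otherwise the secret-like value leaks into later tests.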

Copilot AI Feb 14, 2026

Test coverage currently validates that CODEX_API_KEY is excluded when enableApiProxy is true and openaiApiKey is provided, but it doesn’t cover the important edge case where enableApiProxy is true and only process.env.CODEX_API_KEY is set (no openaiApiKey). Given the new exclusion logic, adding an explicit test for that scenario would prevent regressions and clarify intended behavior (pass-through vs proxy configuration vs error).

Copilot uses AI. Check for mistakes.
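
The edge case raised in the review above (Codex key stripped from the agent while no proxy endpoint is set), as an added TypeScript model that is not the project's code. `ProxyConfig`, `PROXIED_KEYS`, `buildAgentEnv` and `auditAgentEnv` are hypothetical names, the sample values are constructed, and the `OPENAI_BASE_URL` condition is assumed to sit inside the api-proxy branch.

```typescript
// Simplified model of the behaviour discussed in this PR thread.
// All names are hypothetical; this is not the code in src/docker-manager.ts.
type Env = Record<string, string>;

interface ProxyConfig {
  enableApiProxy: boolean;
  openaiApiKey?: string;
}

// Keys the thread shows being excluded from the agent when the proxy is on.
const PROXIED_KEYS = ['OPENAI_API_KEY', 'OPENAI_KEY', 'CODEX_API_KEY',
                      'ANTHROPIC_API_KEY', 'CLAUDE_API_KEY'];

function buildAgentEnv(hostEnv: Env, config: ProxyConfig, proxyIp: string): Env {
  const excluded = new Set<string>(config.enableApiProxy ? PROXIED_KEYS : []);
  const agentEnv: Env = {};
  for (const [name, value] of Object.entries(hostEnv)) {
    if (!excluded.has(name)) agentEnv[name] = value;
  }
  // Assumption: base URL is set only when the proxy is on AND an OpenAI key
  // is configured, matching the condition quoted in the review.
  if (config.enableApiProxy && config.openaiApiKey) {
    agentEnv['OPENAI_BASE_URL'] = `http://${proxyIp}:10000/v1`;
  }
  return agentEnv;
}

// Reports leaked credentials, and the "stranded" case where the Codex key was
// removed but the agent was given no proxy endpoint to use instead.
function auditAgentEnv(hostEnv: Env, agentEnv: Env, config: ProxyConfig): string[] {
  const problems: string[] = [];
  if (!config.enableApiProxy) return problems;
  for (const key of PROXIED_KEYS) {
    if (key in agentEnv) problems.push(`leak: ${key} visible to agent`);
  }
  if ('CODEX_API_KEY' in hostEnv && !('OPENAI_BASE_URL' in agentEnv)) {
    problems.push('stranded: CODEX_API_KEY removed but OPENAI_BASE_URL not set');
  }
  return problems;
}
```

Running `auditAgentEnv` at compose-generation time turns the stranded configuration into an explicit failure instead of a Codex run that starts with neither a key nor a proxy endpoint.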