Skip to content

fix: Codex OAuth (BYO auth.json) crashes with missing OPENAI_API_KEY#1087

Merged
simple-agent-manager[bot] merged 3 commits into
mainfrom
fix/codex-oauth-byo-api-key-error
May 20, 2026
Merged

fix: Codex OAuth (BYO auth.json) crashes with missing OPENAI_API_KEY#1087
simple-agent-manager[bot] merged 3 commits into
mainfrom
fix/codex-oauth-byo-api-key-error

Conversation

@simple-agent-manager
Copy link
Copy Markdown
Contributor

@simple-agent-manager simple-agent-manager Bot commented May 20, 2026
edited
Loading

Summary

Fixes a production bug where Codex users with BYO OAuth tokens (auth.json) crash immediately with Missing environment variable: OPENAI_API_KEY.

Root cause: Two-sided bug introduced by the unified billing passthrough proxy work:

  1. API side (runtime.ts:133): The OAuth exclusion from the passthrough proxy path only checked for Claude Code, not Codex. Codex OAuth users received an inferenceConfig with provider: "openai-passthrough" they shouldn't get.
  2. VM agent side (gateway.go): codexProxyProviderConfigFromCredential generated a proxy provider config with env_key = "OPENAI_API_KEY" even when the credential was an OAuth token using auth-file injection. That env var is never set in auth-file mode.

Fix:

  • API: Extended the OAuth exclusion condition to (isClaudeCode || isCodex) && credentialKind === 'oauth-token'
  • VM agent: Added early return in codexProxyProviderConfigFromCredential when credentialKind == "oauth-token" (belt-and-suspenders)

Agent Preflight (Required)

  • Preflight completed before code changes

Classification

  • external-api-change
  • cross-component-change
  • business-logic-change
  • public-surface-change
  • docs-sync-change
  • security-sensitive-change
  • ui-change
  • infra-change

External References

N/A: Bug fix for existing conditional logic in runtime.ts and gateway.go. No new external APIs or documentation needed.

Codebase Impact Analysis

Affected components: apps/api/src/routes/workspaces/runtime.ts (line 133 OAuth exclusion condition) and packages/vm-agent/internal/acp/gateway.go (codexProxyProviderConfigFromCredential early return). Cross-component trace: API runtime.ts controls whether inferenceConfig is included in credential response, VM agent gateway.go reads inferenceConfig to generate config.toml proxy provider entry, Codex reads config.toml and expects OPENAI_API_KEY env var. Only Codex + OAuth path affected; Claude Code + OAuth and env-var credential paths are unaffected.

Documentation & Specs

N/A: Bug fix restoring correct conditional logic. No spec or doc changes needed.

Constitution & Risk Check

Principle XI (No Hardcoded Values): No hardcoded values introduced. Fix restores correct conditional logic by extending an existing exclusion to also cover Codex OAuth credentials. No new URLs, timeouts, or limits added.

Specialist Review Evidence

Reviewer Status Findings
Hotfix - production bug N/A Two-line fix with belt-and-suspenders defense. All 4807 API tests + Go ACP tests pass.

Staging Verification

  • Staging deployment green (run 26154903084)
  • All code quality CI checks pass (typecheck, lint, build, test, VM agent tests)
  • Live app verified via Playwright — dashboard, projects, settings all load correctly
  • API health endpoint responds correctly
  • No console errors

Test plan

  • API typecheck passes
  • All 4807 API tests pass
  • Go ACP tests pass
  • Go build succeeds
  • Staging deploy succeeds

🤖 Generated with Claude Code

@raphaeltm @claude
fix: Codex OAuth (BYO auth.json) crashes with missing OPENAI_API_KEY
2992acf 
Two-sided fix for Codex users who bring their own OAuth token (auth.json):

API side: The passthrough proxy exclusion on runtime.ts:133 only checked
for Claude Code + OAuth, allowing Codex + OAuth users to receive an
inferenceConfig with provider "openai-passthrough" they shouldn't get.
Extended the condition to also exclude Codex OAuth credentials.

VM agent side: Belt-and-suspenders guard in
codexProxyProviderConfigFromCredential — when the credential kind is
"oauth-token" (auth-file injection), skip generating a proxy provider
config that would write env_key = "OPENAI_API_KEY" to config.toml.
That env var is never set in auth-file mode, causing Codex to crash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
raphaeltm and others added 2 commits May 20, 2026 10:08
@raphaeltm @claude
ci: trigger re-run with updated PR description
7c23bb7 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@raphaeltm @claude
ci: trigger with corrected preflight section names
dd1669f 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 20, 2026

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@simple-agent-manager simple-agent-manager Bot merged commit 8b91521 into main May 20, 2026
21 checks passed
@simple-agent-manager simple-agent-manager Bot deleted the fix/codex-oauth-byo-api-key-error branch May 20, 2026 10:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@raphaeltm