openclaw - Fix secrets audit counts codex-app-server auth marker as plaintext

Summary

After updating to OpenClaw 2026.5.27 (27ae826), the generated Codex provider cache can contain:

{
  "providers": {
    "codex": {
      "apiKey": "codex-app-server"
    }
  }
}

This value is not a plaintext API key. It is the bundled Codex app-server auth marker. However, openclaw secrets audit --json counted it as a plaintext secret until a local marker-classification patch was applied.

Expected behavior

openclaw secrets audit should treat codex-app-server as a non-secret auth marker, analogous to other provider-owned non-secret markers.

Expected audit summary:

{
  "plaintextCount": 0,
  "unresolvedRefCount": 0,
  "shadowedRefCount": 0
}

Actual behavior

Before the local installed-runtime patch, audit reported one plaintext finding:

providers.codex.apiKey is stored as plaintext

The value was:

codex-app-server

Attempts to normalize that field to a generic SecretRef marker were not durable because the generated provider cache rewrote it back to codex-app-server after Codex-backed runs. The durable fix appears to be classification, not repeated cache rewriting.

Local workaround

The local installed runtime was patched so the non-secret marker list includes:

"codex-app-server"

After that patch, openclaw secrets audit --json reported:

{
  "plaintextCount": 0,
  "unresolvedRefCount": 0,
  "shadowedRefCount": 0
}

Verification evidence

After local patch:

  • generated Codex provider cache still contains apiKey: "codex-app-server";
  • openclaw secrets audit --json reports plaintextCount: 0;
  • openclaw secrets reload --json reports OK;
  • gateway health remains OK;
  • Codex-backed no-delivery probe succeeds.

Requested upstream outcome

Add codex-app-server to the built-in non-secret auth marker classification, or have the Codex provider manifest declare it as a non-secret marker so secrets audit does not warn on generated Codex app-server provider caches.
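The classification approach requested above, sketched as an added example; it is not code from the issue or from OpenClaw. The function names, the provider-scoped marker map, the exact-match rule, and the sample caches are assumptions made for illustration. Only the marker value and the finding text come from the issue.

```javascript
// Added example: hypothetical audit pass, not OpenClaw's implementation.
// Assumption: markers are scoped to the provider that owns them, so a marker
// string is only treated as non-secret under that provider's apiKey field.
const NON_SECRET_MARKERS = new Map([
  ["codex", new Set(["codex-app-server"])], // marker value taken from the issue
]);

// Classify one providers.<name>.apiKey value.
function classifyApiKey(provider, value, markers) {
  // Assumption: non-string or empty values are references or unset, not plaintext.
  if (typeof value !== "string" || value.length === 0) return "not-plaintext";
  const owned = markers.get(provider);
  // Exact match only: a real key that merely contains the marker text stays flagged.
  if (owned && owned.has(value)) return "marker";
  return "plaintext";
}

// Walk a provider cache object and return findings plus a plaintextCount summary.
function auditProviderCache(cache, markers = NON_SECRET_MARKERS) {
  const findings = [];
  for (const [name, cfg] of Object.entries(cache.providers || {})) {
    if (!cfg || typeof cfg !== "object" || !("apiKey" in cfg)) continue;
    if (classifyApiKey(name, cfg.apiKey, markers) === "plaintext") {
      findings.push(`providers.${name}.apiKey is stored as plaintext`);
    }
  }
  return { plaintextCount: findings.length, findings };
}

// Constructed sample inputs (not real caches or keys).
const generatedCache = { providers: { codex: { apiKey: "codex-app-server" } } };
const mixedCache = {
  providers: {
    codex: { apiKey: "codex-app-server" },            // owned marker: ignored
    other: { apiKey: "codex-app-server" },            // same text, wrong provider: flagged
    leaky: { apiKey: "codex-app-server-EXAMPLEKEY" }, // superstring of marker: flagged
  },
};

console.log(auditProviderCache(generatedCache, new Map())); // marker unknown: 1 finding
console.log(auditProviderCache(generatedCache));            // marker classified: 0 findings
console.log(auditProviderCache(mixedCache));                // 2 findings remain
```

Keeping the match exact and provider-scoped means the allowlist entry cannot suppress a finding for a real credential that happens to contain or reuse the marker text.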
