fix: use OpenAI Codex OAuth in Agent Manager so ChatGPT Plus/Pro work…

[saneroen]

Fixes #5973

Context

Agent Manager spawns agent processes via fork() with agent-runtime. Each agent runs in an isolated process with its own extension context and has no access to the main extension's SecretStorage. When users select OpenAI Codex (ChatGPT Plus/Pro) as the API provider, the agent process could not authenticate because it couldn't read the OAuth credentials stored in the main extension. This PR passes those credentials from the main extension into the agent config so the agent runtime can inject them into the extension context, allowing the Codex provider to authenticate.

Implementation

Flow: (1) AgentManagerProvider reads Codex credentials from context.secrets when apiProvider === "openai-codex" and passes them as secrets to spawnProcess(). (2) RuntimeProcessHandler includes options.secrets in buildAgentConfig so they're serialized into the AGENT_CONFIG env var. (3) Agent runtime extends AgentConfig with secrets, and on ready calls extensionHost.injectSecrets(config.secrets) after injecting configuration. (4) ExtensionHost adds injectSecrets() that stores each key-value into vscodeAPI.context.secrets.

Key changes: Export OPENAI_CODEX_CREDENTIALS_KEY from oauth.ts; add secrets to agent config and pass-through in RuntimeProcessHandler; add injectSecrets() to ExtensionHost; wire secrets into the agent process ready handler before the Codex provider makes API calls.

Tradeoffs: Credentials are passed in-process via env/config; the agent process is already a trusted child. No network exposure. This matches how other providers (e.g. Anthropic, ` API key) work: their API keys are already in providerSettings and go through AGENT_CONFIG—Codex is just using the same pattern for its OAuth credentials.

Screenshots

before	after
Agent shows "Not authenticated with OpenAI Codex. Please sign in using the OpenAI Codex OAuth flow." when using Codex in Agent Manager	Agent successfully authenticates and uses OpenAI Codex when credentials exist in main extension

How to Test

1. Sign in to OpenAI Codex via Kilo Code sidebar (Settings → API configuration → OpenAI Codex / ChatGPT Plus).
2. Open Agent Manager (Cmd+Shift+P → "Kilo Code: Open Agent Manager").
3. Start a new agent session with API provider set to OpenAI Codex.
4. Send a prompt—verify the agent responds without auth errors. Check Output panel for [AgentManager] Passing OpenAI Codex credentials to agent process.
5. Optionally: start an agent without signing in first—verify the "no credentials found" message appears.

Get in Touch

I'm in the Kilo Code Discord—handle: @santy2509.

[changeset-bot]

🦋 Changeset detected

Latest commit: d5908df

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
kilo-code	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This PR adds OpenAI Codex OAuth credential passing from the main extension to agent processes via AGENT_CONFIG.secrets, and cleans up the removed yoloMode feature. The implementation is clean and follows existing patterns:

• Secrets are passed through the same AGENT_CONFIG env var that already carries providerSettings (which includes API keys), so no new security surface is introduced
• The injectSecrets method correctly logs only key names, not values
• Agent processes use InMemorySecretStorage, so credentials stay in memory and are not written to disk
• The guard checks (Object.keys(secrets).length > 0) are consistent across all three layers (AgentManagerProvider → RuntimeProcessHandler → process.ts → ExtensionHost)

Other Observations (not in diff)

These are minor observations about unchanged code that don't block merge:

File	Line	Issue
src/core/kilocode/agent-manager/AgentRegistry.ts	8, 42, 77	yoloMode property is still defined and referenced in AgentRegistry but no caller passes it anymore after this PR. Consider cleaning up this dead code in a follow-up.

Files Reviewed (6 files)

• .changeset/openai-codex-agent-manager-auth.md
• packages/agent-runtime/src/host/ExtensionHost.ts - New injectSecrets method
• packages/agent-runtime/src/process.ts - Secrets field in AgentConfig + injection call
• src/core/kilocode/agent-manager/AgentManagerProvider.ts - OAuth credential reading + yoloMode/renameSession cleanup
• src/core/kilocode/agent-manager/RuntimeProcessHandler.ts - Secrets passthrough + yoloMode cleanup
• src/integrations/openai-codex/oauth.ts - Exported OPENAI_CODEX_CREDENTIALS_KEY

(pnpm-lock.yaml skipped - generated file)

[kevinvandijk]

Thanks for this!

[LigiaZ]

Hi @saneroen could you please send an email to hi@kilocode.ai with your Kilo account so we can grant you credits?