fix: use OpenAI Codex OAuth in Agent Manager so ChatGPT Plus/Pro work…#5993
Merged
kevinvandijk merged 4 commits intoKilo-Org:mainfrom Feb 21, 2026
Merged
Conversation
…s in agent mode - Pass OpenAI Codex credentials from main extension secrets into agent config - Agent runtime injects secrets into extension context so Codex provider can authenticate - Export OPENAI_CODEX_CREDENTIALS_KEY for agent-manager; add injectSecrets to ExtensionHost
🦋 Changeset detectedLatest commit: d5908df The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
Code Review SummaryStatus: No Issues Found | Recommendation: Merge OverviewThis PR adds OpenAI Codex OAuth credential passing from the main extension to agent processes via
Other Observations (not in diff)These are minor observations about unchanged code that don't block merge:
Files Reviewed (6 files)
(pnpm-lock.yaml skipped - generated file) |
This was referenced Feb 21, 2026
Closed
Contributor
|
Hi @saneroen could you please send an email to hi@kilocode.ai with your Kilo account so we can grant you credits? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #5973
Context
Agent Manager spawns agent processes via fork() with agent-runtime. Each agent runs in an isolated process with its own extension context and has no access to the main extension's SecretStorage. When users select OpenAI Codex (ChatGPT Plus/Pro) as the API provider, the agent process could not authenticate because it couldn't read the OAuth credentials stored in the main extension. This PR passes those credentials from the main extension into the agent config so the agent runtime can inject them into the extension context, allowing the Codex provider to authenticate.
Implementation
Flow: (1) AgentManagerProvider reads Codex credentials from
context.secretswhenapiProvider === "openai-codex"and passes them assecretstospawnProcess(). (2) RuntimeProcessHandler includesoptions.secretsinbuildAgentConfigso they're serialized into theAGENT_CONFIGenv var. (3) Agent runtime extendsAgentConfigwithsecrets, and onreadycallsextensionHost.injectSecrets(config.secrets)after injecting configuration. (4) ExtensionHost addsinjectSecrets()that stores each key-value intovscodeAPI.context.secrets.Key changes: Export
OPENAI_CODEX_CREDENTIALS_KEYfrom oauth.ts; addsecretsto agent config and pass-through in RuntimeProcessHandler; addinjectSecrets()to ExtensionHost; wire secrets into the agent process ready handler before the Codex provider makes API calls.Tradeoffs: Credentials are passed in-process via env/config; the agent process is already a trusted child. No network exposure. This matches how other providers (e.g. Anthropic, ` API key) work: their API keys are already in providerSettings and go through AGENT_CONFIG—Codex is just using the same pattern for its OAuth credentials.
Screenshots
How to Test
[AgentManager] Passing OpenAI Codex credentials to agent process.Get in Touch
I'm in the Kilo Code Discord—handle: @santy2509.