PLT-1260: Codex Cloud environments and secrets — consolidation brief
Linear: PLT-1260
Date: 2026-04-06
Related: PLT-1259 (where Codex secrets live), PLT-586, PLT-784
Linear workflow (as of 2026-04-06): Issue remains Triage; assignee Sam.
Linear thread (accounted for)
| Source | Intent | Reflected here |
|---|---|---|
| Issue comment (2026-04-03) | Next steps: inventory Codex Cloud envs; cross-walk secrets with the 1Password plan before cutover | Credentials point to PLT-1259; Cutover gate below |
| Same comment | Positions Codex consolidation alongside a unified agent execution story (parent project: Codex, Cursor Agent, OpenCode) | Non-Codex agent surfaces (Cursor, OpenCode) are out of scope for repo-only Codex edits but in scope for shared secrets verification via PLT-1259 (ticket AC aligns Railway / Codex Cloud / OpenCode paths) |
Cutover gate (from Linear)
Do not merge, retire, or rename Codex Cloud org projects until PLT-1259 target-state mapping is agreed and secrets are cross-walked (item titles and consumers only — no values in Linear).
Summary
This monorepo has a single canonical project-level Codex config at .codex/config.toml (monorepo root): Azure East US 2, gpt-5.2-codex, model_provider = "azure-eastus2", env_key = "AZURE_OPENAI_API_KEY". A second .codex tree exists under Luke GPT / second-brain content (knowledge/sales/content/cc-content-system/luke-gpt/.codex/) with skills only; it serves a different purpose from Platform engineering.
Codex Cloud (OpenAI-hosted projects/workspaces) must be listed and named in the OpenAI/Codex admin UI; that list is not fully captured in git. This brief records repo-side truth and defers org-level Cloud project consolidation to whoever has admin access.
The updated recommendation is to keep Codex runtime secrets on an op-first path: Codex should consume Azure/OpenAI credentials from 1Password at execution time, with service-account access for cloud automation and desktop-auth access only for local human development. 1Password Environments may help group stage-level config, but they should not be the only modeled source for Codex credentials.
This is closer to a 1Password/Doppler-style injection model than to checked-in .env management. If Brainforge later wants a stronger schema/redaction layer for app config, a Varlock-style layer could sit above this without changing the underlying secret store decision.
Current state — repo inventory
| Path | Purpose |
|---|---|
| .codex/config.toml | Canonical Platform Codex: Azure East US 2, Responses API wire, workspace-write sandbox |
| .codex/README.md | Local Environments setup script (Option B: npm install + apps/platform install) |
| knowledge/sales/content/cc-content-system/luke-gpt/.codex/skills/** | Second-brain skills for Codex; not the Platform default coding workflow |
No other .codex/config.toml found in this monorepo (2026-04-06 glob).
Credentials (1Password — titles only)
- brainforge-openai-eastus2 — canonical East US 2 key for Codex alignment with codex-setup.md.
- Other OpenAI/Azure-related items: see PLT-1259 brief.
Codex Cloud (org) — manual inventory required
Action for admin: In Codex / OpenAI admin, export or note:
- Named Codex Cloud (or equivalent) projects/workspaces tied to Brainforge.
- Which repos or GitHub connections each uses.
- Whether any duplicate Cloud configs exist for the same workload.
Paste names only into an internal appendix (not Linear).
Current state vs target state
| Dimension | Current state | Target state | Gap to close |
|---|---|---|---|
| Repo-level Codex config | One canonical root config.toml; separate luke-gpt skills subtree | Keep one canonical engineering config; keep secondary subtree explicitly scoped | Mostly done in repo; keep docs clear |
| Azure/OpenAI credential source | Canonical East US 2 item identified, but broader org inventory still cross-referenced via PLT-1259 | One documented canonical item path for shared Codex usage | Finish duplicate review in PLT-1259 |
| Codex Cloud org projects/workspaces | Not yet enumerated in git; requires admin pass | Named set of Codex Cloud projects/workspaces with clear repo ownership and no ambiguous duplicates | Admin inventory still pending |
| Injection model | Mixed/implicit; risk of broad env inheritance if left undocumented | op + scoped service accounts by surface | Documented here; still needs admin/runtime rollout |
| Engineer guidance | Repo brief exists; no standalone consolidated admin appendix yet | Repo brief plus standards pointer plus admin appendix of project names | Admin appendix still pending |
Target state
| Layer | Target |
|---|---|
| Repo default | One canonical .codex/config.toml at monorepo root for brainforge-platform engineering work; trust + Local Environment script documented in .codex/README.md |
| Experimental / content | Keep luke-gpt/.codex scoped to that subtree; document in README that it is not the Platform engineering default |
| Client pilots (ABC, Eden) | Per PLT-1261: either dedicated Codex Cloud project per pilot or strict repo allowlists — see that doc |
| Secrets | All Codex Azure usage points at East US 2; keys from 1Password per PLT-1259 — no duplicate undocumented key items |
| Injection model | Codex Cloud and related automation resolve secrets via op / scoped service accounts; no dependence on a developer desktop session or broad shared token |
| 1Password Environments | Optional grouping for shared non-secret or low-risk stage config; not a substitute for canonical secret items or per-surface access control |
Recommended operating model
- Keep one canonical Azure/OpenAI item for the shared Brainforge Codex path (brainforge-openai-eastus2), then inject it into Codex at runtime.
- Do not assume env inheritance is safe for agent tooling. Codex Cloud, sub-agents, and spawned tools should not inherit a single broad secret set if the workload can be scoped tighter.
- Use separate machine identities where the trust boundary changes. At minimum: Brainforge shared engineering, each client pilot, and any production-touched automation should not all share one service account.
- Treat 1Password Environments as optional UX. If they make onboarding better, use them for stage-level config; if not, the consolidation still works with plain vault items plus op.
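The op-first runtime path above, as an added example written for this brief rather than taken from the repo: a wrapper that picks the identity path by surface (1Password desktop session for local human work, OP_SERVICE_ACCOUNT_TOKEN for cloud automation, with no fallback between the two), refuses to start when AZURE_OPENAI_API_KEY has already been inherited from the ambient environment, and hands Codex a 1Password secret reference instead of a value. The vault name Engineering, the field name credential, the surface labels local/cloud, and the use of the codex exec subcommand for the trivial task are assumptions, not facts from the brief.

```shell
#!/usr/bin/env bash
# codex-with-secrets.sh: inject the canonical Codex key via 1Password CLI at run time.
# Added example for PLT-1260; vault "Engineering" and field "credential" are assumed.
set -eu

# Secret reference only; op resolves it when the child process starts.
CANONICAL_REF="op://Engineering/brainforge-openai-eastus2/credential"   # assumed vault/field

# choose_identity SURFACE: prints the identity path Codex must use, or fails.
#   local : human development via the 1Password desktop app / op signin session;
#           a service-account token in the ambient env is wrong here and is rejected.
#   cloud : automation; must carry OP_SERVICE_ACCOUNT_TOKEN, never a desktop session.
choose_identity() {
  case "$1" in
    local)
      if [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
        echo "refuse: service-account token present in a local human session" >&2
        return 1
      fi
      echo "desktop-auth"
      ;;
    cloud)
      if [ -z "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
        echo "refuse: cloud automation needs OP_SERVICE_ACCOUNT_TOKEN (no desktop fallback)" >&2
        return 1
      fi
      echo "service-account"
      ;;
    *)
      echo "unknown surface: $1 (expected local|cloud)" >&2
      return 1
      ;;
  esac
}

# reject_inherited_secret: the key must come from op, not from whatever the parent
# shell, CI job or agent runner happened to export (broad env inheritance).
reject_inherited_secret() {
  if [ -n "${AZURE_OPENAI_API_KEY:-}" ]; then
    echo "refuse: AZURE_OPENAI_API_KEY already set in ambient environment" >&2
    return 1
  fi
  return 0
}

# write_env_file PATH: env file holding only the secret reference, never a value,
# so it is safe to keep in the repo.
write_env_file() {
  printf 'AZURE_OPENAI_API_KEY=%s\n' "$CANONICAL_REF" > "$1"
}

# preflight SURFACE ENVFILE: run every check, write the env file, print identity path.
preflight() {
  local identity
  identity=$(choose_identity "$1") || return 1
  reject_inherited_secret || return 1
  write_env_file "$2"
  echo "$identity"
}

# Stand-alone use: ./codex-with-secrets.sh local|cloud
if [ "${1:-}" = "local" ] || [ "${1:-}" = "cloud" ]; then
  envfile=$(mktemp)
  identity=$(preflight "$1" "$envfile")
  echo "identity path: $identity" >&2
  # op run resolves op:// references from the env file for the child only.
  exec op run --env-file="$envfile" -- codex exec "list files in repo root"
fi
```

The key never appears in the wrapper's own environment; op run injects it into the Codex process only, so a sub-agent or spawned tool that inspects the parent shell finds a reference string, not a credential. Swapping the surface label is the only change between a developer laptop and a cloud runner, which keeps the per-surface identity decision explicit rather than implied by whatever token happens to be exported.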
Staged consolidation plan
| Stage | Change | Evidence in this branch | Remaining work |
|---|---|---|---|
| 1 | Establish canonical repo-side Codex config and docs | Root .codex inventory captured; README link fixed; repo default clarified | Done for repo-side documentation |
| 2 | Cross-walk Codex credential sourcing to PLT-1259 | Brief now points to canonical East US 2 item and op-first runtime model | Complete duplicate-item cleanup in 1Password |
| 3 | Inventory Codex Cloud org projects/workspaces | Placeholder admin action documented | Admin pass still required |
| 4 | Retire redundant or ambiguous Cloud configs | Not executed yet | Requires inventory plus owner decision |
| 5 | Validate smoke checks after cutover | Smoke checklist defined | Run after any actual admin-side consolidation |
Changelog (planned)
| Date | Change | Status |
|---|---|---|
| 2026-04-06 | Brief created; repo inventory complete | Done |
| 2026-04-06 | Fix .codex/README.md link to codex-setup.md (was broken) | Done |
| 2026-04-07 | Add op-first / service-account guidance and clarify Environments role | Done |
| TBD | Admin: Codex Cloud project list documented | Pending |
| TBD | Deprecate redundant OpenAI items in 1Password after PLT-1259 mapping | Pending |
Smoke checklist (after any config change)
- Trust repo; load .codex/config.toml.
- Run a trivial Codex task (“list files in repo root”).
- Confirm East US 2 / gpt-5.2-codex per codex-setup.md verification section.
- Confirm the task used the intended identity path for that surface: local desktop auth for human dev, or the scoped service account for cloud automation.
- For any client-scoped project, verify the Codex workspace cannot access unrelated client or production secrets.
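A repo-side check for the config items of this checklist, added here as an example and not code from the repo: it writes a constructed config.toml that mirrors what the brief says about the canonical config, verifies model, provider, env_key, wire API and sandbox with a flat key lookup, and flags any literal api_key line, since keys are meant to arrive via op at run time. The base_url, the provider display name, and the key names beyond those the brief quotes (wire_api, sandbox_mode) are assumptions about the Codex CLI config layout; the identity-path and client-scope items stay manual.

```shell
#!/usr/bin/env bash
# codex-config-check.sh: smoke check for the canonical .codex/config.toml values.
# Added example for PLT-1260; the sample below is constructed, not the real file.
set -eu

# write_sample_config PATH: constructed sample mirroring the brief's description.
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample; base_url is a placeholder, not Brainforge's endpoint
model = "gpt-5.2-codex"
model_provider = "azure-eastus2"
sandbox_mode = "workspace-write"

[model_providers.azure-eastus2]
name = "Azure OpenAI (East US 2)"
base_url = "https://example-eastus2.openai.azure.com/openai"
env_key = "AZURE_OPENAI_API_KEY"
wire_api = "responses"
EOF
}

# toml_value FILE KEY: first `key = "value"` line in FILE, quotes stripped.
# A flat lookup is enough for these unique keys; it is not a TOML parser.
toml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# expect_key FILE KEY WANT: 0 when KEY has value WANT, else print mismatch and 1.
expect_key() {
  local got
  got=$(toml_value "$1" "$2")
  if [ "$got" != "$3" ]; then
    echo "mismatch: $2=\"$got\" want \"$3\""
    return 1
  fi
}

# check_config FILE: 0 when FILE matches the canonical target and carries no
# literal key; otherwise prints every finding and returns 1.
check_config() {
  local f="$1" rc=0
  expect_key "$f" model          "gpt-5.2-codex"        || rc=1
  expect_key "$f" model_provider "azure-eastus2"        || rc=1
  expect_key "$f" env_key        "AZURE_OPENAI_API_KEY" || rc=1
  expect_key "$f" wire_api       "responses"            || rc=1
  expect_key "$f" sandbox_mode   "workspace-write"      || rc=1
  # the key must be injected (env_key + op), never committed as a literal
  if grep -q '^[[:space:]]*api_key[[:space:]]*=' "$f"; then
    echo "finding: literal api_key in config; use env_key with op injection"
    rc=1
  fi
  return "$rc"
}

# Stand-alone use: ./codex-config-check.sh --sample | ./codex-config-check.sh .codex/config.toml
if [ "${1:-}" = "--sample" ]; then
  f=$(mktemp)
  write_sample_config "$f"
  check_config "$f" || exit 1
  echo "sample OK"
elif [ -n "${1:-}" ]; then
  check_config "$1" || exit 1
  echo "$1 OK"
fi
```

Point check_config at the real .codex/config.toml for the actual smoke run; a failing model or provider value is the drift the "Confirm East US 2 / gpt-5.2-codex" step exists to catch, and a literal api_key line is a finding to raise against PLT-1259 rather than a config fix.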
Paste for Linear (comment)
PLT-1260 draft: repo has one canonical .codex/config.toml (Azure East US 2) + separate luke-gpt/.codex skills tree. Full Codex Cloud org project list needs admin UI pass. Changelog + smoke checklist in:
knowledge/engineering/environments/plt-1260-codex-cloud-consolidation-brief-2026-04-06.md
Secrets mapping: follow PLT-1259 brief, with op + scoped service-account injection as the default runtime model.
Acceptance-criteria status
- Current-state vs target-state table: covered in Current state vs target state.
- Staged consolidation + changelog: covered in Staged consolidation plan and Changelog.
- Repo notes updated so engineers know which Codex environment to use: covered by the repo inventory, target-state section, and README.md.
- Cross-reference to PLT-1259 for secret mapping: covered in Related, Credentials, and the final Linear paste section.