Last synced:
2026-07-10T09:43:42Z(auto-sync workflow)
GitHub Variables & Secrets β Master Reference GuideΒΆ
Last Updated: 2026-06-22
Version: 1.7.0 (W-142/S116 phase 3, 2026-03-07)
Owner: @mbaetiong
Status: β Current β reflects live state as of 2026-03-07 (phase 3: REDIS_URL Β§6f added for SAR-G02 RedisBackend; DuckDB offline materialization evaluated; multivariate drift OTel spans added SAR-G05; autonomy CI matrix all 7 phases)
Audience: Human admins, Copilot agents, CI/CD authors
Auto-synced by:repo-var-sync-schedule.yml(daily 06:00 UTC β.codex/agent_context.json)β οΈ This is the single source of truth. All other variable docs link here.
Table of ContentsΒΆ
- Architecture Overview
- How to Set Variables β Quick Links
- Organization Secrets
- Repository Secrets
- Environment Secrets (Aries_Serpent_codex_)
- Repository Variables
- 6a. Cognitive Brain
- 6b. Copilot Agent Runtime
- 6c. CI/CD Health
- 6d. Identity & Static Config
- 6e. Runtime / Build Config
- 6f. ML / HuggingFace / Weights & Biases
- 6g. Webhook / Infra
- 6h. π€ Autonomous Agent Config β¬ οΈ New (S116)
- Environment Variables (Aries_Serpent_codex_)
- Codespace Secrets
- Workflow-Defined env: Variables
- Known Issues & Inconsistencies
- Troubleshooting
- Related Documentation
- β Previously Missing β All Resolved (2026-03-07)
1. Architecture OverviewΒΆ
GitHub provides six distinct storage layers for variables and secrets. Choosing the wrong layer is the most common misconfiguration.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Variable Storage Hierarchy β
β β
β π’ ORGANIZATION LEVEL (Aries-Serpent) β
β ββ Org Secrets β shared across all repos in org β # pragma: allowlist secret
β ββ Org Variables β [none currently, use repo vars instead] β
β β
β π¦ REPOSITORY LEVEL (Aries-Serpent/_codex_) β
β ββ Repo Secrets β encrypted, not readable by agents β # pragma: allowlist secret
β ββ Repo Variables β readable plaintext, writable via API β
β β
β π ENVIRONMENT LEVEL (Aries_Serpent_codex_ environment) β
β ββ Env Secrets β override repo secrets for this env β # pragma: allowlist secret
β ββ Env Variables β override repo variables for this env β
β β
β π» CODESPACE LEVEL (org or user-scoped) β
β ββ Codespace Secrets β injected into interactive Codespace only β # pragma: allowlist secret
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Resolution order (GitHub Actions): Env > Repo > Org (most specific wins)
Token access: CODEX_MASTER_KEY > CODEX_BACKUP_KEY > GITHUB_TOKEN # pragma: allowlist secret
Key constraints:
- GITHUB_TOKEN cannot read/write the Variables API β requires CODEX_MASTER_KEY (classic PAT, repo scope).
- Secrets are never readable by agents or logs β only injected as env vars.
- Env-level values silently override repo-level values of the same name.
2. How to Set Variables β Quick LinksΒΆ
| Storage Type | GitHub UI Location | API / CLI |
|---|---|---|
| Org Secrets | Settings β Security β Secrets β Actions | gh secret set NAME --org Aries-Serpent |
| Org Variables | Settings β Security β Variables β Actions | gh variable set NAME --org Aries-Serpent |
| Repo Secrets | Settings β Secrets and variables β Actions β Secrets tab | gh secret set NAME --repo Aries-Serpent/_codex_ |
| Repo Variables | Settings β Secrets and variables β Actions β Variables tab | gh variable set NAME --body VALUE --repo Aries-Serpent/_codex_ |
| Env Secrets | Settings β Environments β Aries_Serpent_codex_ β Secrets | gh secret set NAME --env Aries_Serpent_codex_ --repo Aries-Serpent/_codex_ |
| Env Variables | Settings β Environments β Aries_Serpent_codex_ β Variables | gh variable set NAME --env Aries_Serpent_codex_ --repo Aries-Serpent/_codex_ |
| Codespace Secrets (org) | Settings β Codespaces β Secrets | gh secret set NAME --app codespaces --org Aries-Serpent |
| Codespace Secrets (user) | github.com/settings/secrets/codespaces | gh secret set NAME --app codespaces |
3. Organization SecretsΒΆ
Location: Aries-Serpent β Settings β Security β Secrets β Actions
Referenced in workflows as:${{ secrets.NAME }}
Access via API: RequiresCODEX_MASTER_KEYor org-admin token
| # | Secret Name | Status | Last Updated | Purpose | Required By |
|---|---|---|---|---|---|
| 1 | CODECOV_TOKEN | β
Present | 2 months ago | Code coverage upload to codecov.io | coverage*.yml workflows |
| 2 | CODEX_ADMIN_KEY | β
Present | 3 hours ago | Fine-grained PAT (Webhooks:write). Used for webhook_configurator.py least-privilege mode. | apply-webhooks job in agent_infrastructure_manager.yml |
| 3 | CODEX_BACKUP_KEY | β
Present | 2 hours ago | Fallback GitHub PAT β auto-used on 401/403 from CODEX_MASTER_KEY. Same scope as master. | All auth-delegation workflows, variable_manager.py, brain_client.py, github_app.py |
| 4 | CODEX_MASTER_KEY | β
Present | now (2026-03-06) | Primary full-scope GitHub PAT (classic, repo scope + admin:repo_hook). Required for Variables API, Secrets API, Webhooks API. Re-rotated 2026-03-06 β next rotation due ~2026-06-04. | agent-auth-delegation.yml, variable_manager.py, webhook_configurator.py, brain_client.py |
| 5 | HF_TOKEN | β
Present | 2 months ago | HuggingFace API token for model downloads | ML training workflows |
| 6 | NPM_TOKEN | β
Present | 2 months ago | npm publish authentication | Node.js package publish workflows |
| 7 | PYPI_TOKEN | β
Present | 2 months ago | PyPI publish authentication | Python package publish workflows |
| 8 | RAG_OPENAI_KEY | β
Present | 3 weeks ago | OpenAI API key for RAG embeddings | RAG index build workflows |
| 9 | _CODEX_ACTION_RUNNER | β
Present | 2 months ago | Runner registration token for self-hosted Actions runners | Runner registration |
| 10 | _GITHUB_APP_CLIENT_SECRET | β
Present | 8 hours ago | GitHub App OAuth client secret for web-flow App authentication | github_app.py, OAuth web-flow auth |
| 11 | _GITHUB_APP_ID | β
Present | 8 hours ago | Numeric GitHub App ID for RS256 JWT generation | github_app.py, App JWT auth flows |
| 12 | _GITHUB_APP_INSTALLATION_ID | β
Present | 8 hours ago | App installation ID for generating installation access tokens | github_app.py, installation token flows |
| 13 | _GITHUB_APP_PRIVATE_KEY | β
Present | 8 hours ago | RSA-2048 PEM private key for signing GitHub App JWTs | github_app.py, RS256 JWT signing |
β
CODEX_MASTER_KEYandCODEX_BACKUP_KEYrotated 2026-03-06 (latest rotation "now" per @mbaetiong β repo-level Codespace override removed, org secret active directly). Next rotation due ~2026-06-04 (90-day cycle).
Seedocs/ops/secrets_rotation_runbook.mdfor the full rotation procedure.
Token chain in code: CODEX_MASTER_KEY β CODEX_BACKUP_KEY β AGENT_GITHUB_TOKEN β GITHUB_TOKEN
This is enforced by _resolve_github_token() in src/codex/auth/github_app.py and scripts/tools/variable_manager.py.
GitHub App Authentication Secrets (_GITHUB_APP_*)ΒΆ
The four _GITHUB_APP_* secrets were added 2026-03-06 to support GitHub Appβbased authentication
(RS256 JWT flow) as an alternative to PAT-based auth. They are consumed by src/codex/auth/github_app.py.
Codespace note: These org Actions secrets are separate from Codespace secrets. Codespace-based agent sessions that need GitHub App auth must also have these values set at the Codespace level (see Β§8). The naming convention (leading
_) marks them as system/infrastructure secrets managed by the org admin.
4. Repository SecretsΒΆ
Location: Settings β Secrets and variables β Actions β Secrets tab
Referenced in workflows as:${{ secrets.NAME }}
| # | Secret Name | Status | Last Updated | Purpose | Notes |
|---|---|---|---|---|---|
| 1 | CODEX_GHP_TOKEN_BASE64 | β
Present | 2 months ago | Base64-encoded GitHub token for copilot-with-mcp workflow | Decoder priority #3 in copilot_token_decoder.py |
| 2 | CODEX_GHP_TOKEN_HEX | β
Present | 2 months ago | Hex-encoded GitHub token (alternative encoding) | Decoder priority #4 |
| 3 | CODEX_GHP_TOKEN_SHA256 | β
Present | 2 months ago | One-way SHA-256 hash of GHP token for integrity validation | Verification only β not a usable token |
| 4 | CODEX_REPO_ID | β
Present | 6 hours ago | Repository numeric ID (GitHub internal) | Used in manifest generation |
| 5 | CODEX_WEBHOOK_SECRET | β
Present | 12 minutes ago | HMAC-SHA256 shared secret for incoming webhook verification | WebhookVerifier in src/codex/auth/github_app.py |
| 6 | OPENAI_API_KEY | β
Present | 5 hours ago | OpenAI API key for LLM agent operations | Consumed by brain_client.py and LLM-based CI workflows |
| 7 | _CODEX_BOT_RUNNER | β
Present | 45 minutes ago | Bot runner registration token | β
Rotated 2026-03-06 |
Token Decoder Priority OrderΒΆ
1. CODEX_GHP_TOKEN_CONFIG (Combined AES β not currently set) # pragma: allowlist secret
2. CODEX_GHP_TOKEN_BASE64 β
(present β simplest, recommended) # pragma: allowlist secret
3. CODEX_GHP_TOKEN_HEX β
(present β alternative) # pragma: allowlist secret
4. GITHUB_TOKEN (auto-provided by Actions) # pragma: allowlist secret
5. Environment Secrets (Aries_Serpent_codex_)ΒΆ
Location: Settings β Environments β Aries_Serpent_codex_
Override scope: These override org/repo secrets for jobs usingenvironment: Aries_Serpent_codex_
| # | Secret Name | Status | Last Updated | Value | Notes |
|---|---|---|---|---|---|
| 1 | CODEX_ENVIRONMENT_RUNNER | β
Present | 48 minutes ago | (secret) | β
Rotated 2026-03-06 |
| 2 | CODEX_RUNNER_SHA256 | β
Present | 50 minutes ago | (secret hash) | β
Rotated 2026-03-06 |
| 3 | CODEX_RUNNER_TOKEN | β
Present | 50 minutes ago | (secret) | β
Rotated 2026-03-06 |
β Issue 1 resolved (2026-03-06):
CODEX_ENV_NODE_VERSIONwas previously stored here as an environment secret. It has been deleted from env secrets and recreated as an environment variable (see Β§7). Node.js version strings are non-sensitive and should be variables, not secrets.
β Current runtime baseline (2026-06-05): Node.js22is the required active value; older18/20references in this document are historical records only.
6. Repository VariablesΒΆ
Location: Settings β Secrets and variables β Actions β Variables tab
Referenced in workflows as:${{ vars.NAME }}
Readable by agents via:VariableManager(requiresCODEX_MASTER_KEY)
Auto-synced to:.codex/agent_context.jsondaily
Variables are grouped by subsystem. Human-governance flags must never be overwritten by automation without explicit owner approval.
6a. π§ Cognitive BrainΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | COGNITIVE_BRAIN_ALLOWED_ACTORS |
β | mbaetiong,github-actions[bot],copilot-swe-agent[bot],github-copilot[bot] |
Actors permitted to interact with cognitive brain memory |
| 2 | COGNITIVE_BRAIN_INJECTION_ENABLED |
β | true |
Master switch for session context injection |
| 3 | COGNITIVE_BRAIN_LTM_RETENTION_DAYS |
β | 90 |
Long-term memory retention in days |
| 4 | COGNITIVE_BRAIN_MAX_CONTEXT_TOKENS |
β | 128000 |
Maximum tokens for context injection |
| 5 | COGNITIVE_BRAIN_MEMORY_TIER |
β | both |
Memory tier: stm, ltm, or both |
| 6 | COGNITIVE_BRAIN_PATTERN_MIN_CONFIDENCE |
β | 0.75 |
Minimum confidence to inject a pattern |
| 7 | COGNITIVE_BRAIN_SESSION_NUMBER |
β | 120 (auto-increments) |
Current session number β auto-incremented by agent-auth-delegation.yml activate-delegation step |
6b. π₯οΈ Copilot Agent RuntimeΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | COPILOT_AGENT_AUTH_ENABLED |
β | true |
β οΈ Human governance flag β gates token delegation workflow |
| 2 | COPILOT_AGENT_FIREWALL_ENABLED |
β | true |
β οΈ Human governance flag β network isolation control |
| 3 | COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS |
β | (long allowlist) | Additional URLs allowed through Copilot firewall |
| 4 | COPILOT_AGENT_MAX_AUTONOMY_LEVEL |
β | D |
Maximum D_CAPABLE autonomy level |
| 5 | COPILOT_AGENT_SESSION_RESTORE_ENABLED |
β | true |
Enable session context restoration |
| 6 | COPILOT_CLI_BASE_URL |
β | http://localhost:8765 |
Cognitive Brain CLI API URL (local server) |
| 7 | COPILOT_CLI_ENABLED |
β | true |
Enable CLI API server integration |
6c. βοΈ CI/CD HealthΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | AGENT_HANDOFF_TIMEOUT_SECONDS |
β | 120 |
Timeout for agent handoff operations |
| 2 | AUTO_PROMOTE_TIER_ENABLED |
β | true |
Auto-promotion tier for agent capabilities |
| 3 | AUTONOMOUS_ACTIONS_ENABLED |
β | true |
β οΈ Human governance flag β gates autonomous agent actions |
| 4 | CODEX_CI_FAILURE_RATE |
β | 10.7:degraded (auto-updated) |
Current CI failure rate (%) β format: <float>:<status> where status β {ok, degraded, critical}. Updated by ci-health-monitor.yml. |
| 5 | CODEX_CI_FAILURE_THRESHOLD |
β | 10.0 |
CI failure rate threshold (%) for degraded state (e.g., 10.0 = 10.0%) |
| 6 | CODEX_CI_LAST_GREEN_SHA |
β | (sha) (auto-updated) | Last commit SHA with all-green CI |
| 7 | EMBEDDING_INDEX_AUTO_REBUILD |
β | true |
Auto-rebuild FAISS embedding index on changes |
6d. π Identity & Static ConfigΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | AUDIT_RETENTION_DAYS |
β | 90 |
Audit artifact retention period |
| 2 | CODEX_AGENT_NAME |
β | ai_org_repo_admin |
Agent identity name |
| 3 | CODEX_API_VERSION |
β | 2022-11-28 |
GitHub API version pin |
| 4 | CODEX_ISOLATED_PATH |
β | /codex/network/isolated |
Network isolation path |
| 5 | CODEX_LOG_LEVEL |
β | INFO |
Logging verbosity |
| 6 | CODEX_NETWORK_MODE |
β | isolated |
Network mode policy |
| 7 | CODEX_ORG_NAME |
β | Aries-Serpent |
Organization name constant |
| 8 | GENESIS_TIMESTAMP |
β | 2025-12-26T16:04:45Z |
Repository genesis timestamp (immutable) |
6e. π Runtime / Build ConfigΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | CODEX_CACHE_VERSION |
β | v2 |
Cache-busting version for CI dependency caches |
| 2 | CODEX_CLI_API_URL |
β | http://localhost:8765 |
CLI API server URL |
| 3 | CODEX_COVERAGE_THRESHOLD |
β | 80 |
Minimum test coverage % gate |
| 4 | CODEX_D365_POLICIES_PATH |
β | configs/deployment/d365/sla_policies.json |
D365 SLA policies config path |
| 5 | CODEX_FORCE_CPU |
β | 0 |
Force CPU-only torch (0=off, 1=on) |
| 6 | CODEX_LINT_STRICT |
β | true |
Enable strict Ruff/mypy linting |
| 7 | CODEX_LLM_MODEL |
β | gpt-4o |
LLM model for agent operations |
| 8 | CODEX_LLM_RATE_LIMIT_DELAY |
β | 1.0 |
Seconds between LLM requests |
| 9 | CODEX_OFFLINE |
β | 1 |
Offline mode for CI (1=offline) |
| 10 | CODEX_PYTHON_VERSION |
β | 3.12 |
Python version target (pinned minor, floating patch): resolves to the latest available 3.12.x patch at runtime (not pinned to 3.12.0 or any specific patch) β aligned with env-level CODEX_ENV_PYTHON_VERSION. Issue 2 resolved. |
| 11 | CODEX_SANDBOX_TIMEOUT |
β | 60 |
Sandbox operation timeout (seconds) |
| 12 | CODEX_SESSION_ID |
β | UUID v4 (auto-set per session) |
Current or most-recent logical session identifier. Written by copilot-setup-steps.yml on session start. Format: UUID v4 string. |
| 13 | CODEX_SESSION_LOG_DIR |
β | .codex/sessions |
Session log directory |
| 14 | CODEX_TEST_PARALLELISM |
β | auto |
Pytest parallel execution mode |
| 15 | CODEX_ZENDESK_DOCS_ROOT |
β | docs/vendors/zendesk |
Zendesk documentation root |
| 16 | ENABLE_LIVE_TESTS |
β | true |
Enable live/integration tests in CI |
6f. π€ ML / HuggingFace / Weights & BiasesΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | COMPOSE_DOCKER_CLI_BUILD |
β | 1 |
Enable BuildKit for Docker Compose |
| 2 | DOCKER_BUILDKIT |
β | 1 |
Enable Docker BuildKit |
| 3 | GPU_OPT |
β | --gpus all |
Docker GPU passthrough flag |
| 4 | HF_HOME |
β | ~/.cache/huggingface |
HuggingFace cache directory |
| 5 | MLFLOW_EXPERIMENT_NAME |
β | saas_knowledge_training |
MLflow experiment name |
| 6 | TORCH_HOME |
β | ~/.cache/torch |
PyTorch cache directory |
| 7 | TRANSFORMERS_OFFLINE |
β | 1 |
Run HF Transformers offline |
| 8 | WANDB_MODE |
β | offline |
Weights & Biases run mode |
| 9 | ZENDESK_RATE_LIMIT |
β | 100 |
Zendesk API rate limit |
| 10 | ZENDESK_SYNC_INTERVAL |
β | 3600 |
Zendesk sync interval (seconds) |
6g. Webhook / InfraΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | CODEX_ACTIVE_CODESPACE |
β Auto-set by Codespace | <auto-set-on-start> |
Name of the currently active Codespace. Created automatically on first Codespace start; updated on every subsequent start/resume via post-start.sh. Changes whenever a new Codespace is created β never hardcode this value. |
| 2 | WEBHOOK_RECEIVER_URL |
β Auto-set by Codespace | https://<codespace-name>-8765.<codespaces-domain>/webhook/github |
Public URL for webhook delivery. Derived from CODEX_ACTIVE_CODESPACE; updated automatically alongside it. Domain suffix may vary by Codespaces environment (for example, preview.app.github.dev or app.github.dev); use the auto-set value rather than hardcoding. |
Both variables above are written atomically by step 4b in
.devcontainer/scripts/post-start.shon every Codespace start and resume.
gh variable setcreates the variable if absent, so no manual seeding is required β the first Codespace start after this commit will provision both variables automatically.
ObservabilityΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | OTEL_EXPORTER_OTLP_ENDPOINT |
βοΈ Optional | (not set β no-op mode) | OpenTelemetry OTLP gRPC endpoint (e.g. http://jaeger:4317). When set, the init_tracing() function in src/codex/observability/tracing.py enables distributed tracing. Setup requirements are detailed in the OTel setup note below. SAR-G05. |
OTel setup noteΒΆ
- Required Python packages (minimum):
opentelemetry-sdk>=1.20.0plus a protocol-specific OTLP exporter: - gRPC (recommended for
OTEL_EXPORTER_OTLP_ENDPOINT, e.g.:4317):opentelemetry-exporter-otlp-proto-grpc>=1.20.0 - HTTP (if using OTLP/HTTP):
opentelemetry-exporter-otlp-proto-http>=1.20.0 - Optional convenience meta-package:
opentelemetry-exporter-otlp>=1.20.0 - Install with (gRPC):
pip install "opentelemetry-sdk>=1.20.0" "opentelemetry-exporter-otlp-proto-grpc>=1.20.0" - Install with (HTTP):
pip install "opentelemetry-sdk>=1.20.0" "opentelemetry-exporter-otlp-proto-http>=1.20.0" - Leave
OTEL_EXPORTER_OTLP_ENDPOINTunset for offline/local environments (no-op mode).
Data Store / Feature BackendΒΆ
| # | Variable | Status | Current Value | Purpose |
|---|---|---|---|---|
| 1 | REDIS_URL |
βοΈ Optional | (not set β uses SQLite or in-memory backend) | Redis connection URL for enabling Feast Redis online-store mode in production (e.g. redis://localhost:6379/0 or rediss://host:6380/0). Leave unset to use default local/offline backends. SAR-G02. |
β οΈ Security note (REDIS_URL): If authentication is required, do not store credentials in a repository variable. Set
REDIS_URLfrom a GitHub Actions Secret or Codespaces Secret containing the full authenticated URL (including credentials if needed). Repository variables are visible to users with read access, while runtime environment variables injected from secrets are appropriate for credentialed values.
REDIS_URL implementation notesΒΆ
- Backend selection logic is implemented in
src/codex_ml/features/feast_compat.pyviacreate_backend(). - When
REDIS_URLis set, the Redis backend path is selected for online-store usage. - When unset, the system falls back to default local backends (
SQLiteBackend/InMemoryBackend).
6h. π€ Autonomous Agent ConfigΒΆ
Variables controlling the 7-phase autonomous agent framework introduced in S116 (PR #3508). All scripts fall back to safe coded defaults when variables are unset.
Set via:
gh variable set <NAME> --body "<VALUE>" --repo Aries-Serpent/_codex_
| # | Variable | Status | Recommended Value | Script Default | Purpose |
|---|---|---|---|---|---|
| 1 | AGENT_KILL_SWITCH |
β
Set 0 (2026-03-07) |
0 (intentional; matches default) |
0 |
β οΈ Human governance flag β set to "1" to halt agent loops (Phases 1 & 7). See operational notes below. |
| 2 | AUTONOMY_BUDGET_SECONDS |
β
Set 90 (2026-03-07) |
60 |
300 |
Max wall-clock seconds per autonomy_scheduler.py run (Phase 1). Admin chose 90s (between recommended CI=60 and script default=300). |
| 3 | AUTONOMY_MAX_ITERATIONS |
β
Set 3 (2026-03-07) |
3 |
10 |
Max health-sense/decide/act iterations per scheduler run (Phase 1). |
| 4 | AUTONOMY_DRY_RUN |
β
Set 0 (2026-03-07) |
0 |
0 |
Set to "1" to disable all mutating filesystem writes in autonomy_scheduler.py (Phase 1). |
| 5 | AGENT_RUNNER_BUDGET_SECONDS |
β
Set 180 (2026-03-07) |
120 |
180 |
Total wall-clock budget per agent_runner.py orchestration daemon invocation (Phase 7). Admin chose script default of 180s. |
| 6 | AGENT_RUNNER_ITERATIONS |
β
Set 2 (2026-03-07) |
2 |
3 |
Number of full-phase loops per agent_runner.py invocation (Phase 7). |
| 7 | AGENT_RUNNER_DRY_RUN |
β
Set 0 (2026-03-07) |
0 |
0 |
Set to "1" to skip all write operations in agent_runner.py (Phase 7). |
| 8 | UNCERTAINTY_BUDGET_SECONDS |
β
Set 20 (2026-03-07) |
10 |
10 |
Per-query wall-time cap for Dirichlet inference in budget_uncertainty.py (Phases 4/5). Admin chose 20s for extra safety margin. |
AGENT_KILL_SWITCH operational notesΒΆ
- Checked at loop entry before any work runs.
- If unset, scripts explicitly fall back to coded default
"0"so CI passes by default. - Workflow steps invoking
autonomy_scheduler.pyoragent_runner.pywithAGENT_KILL_SWITCH=1receive exit code1. - For non-blocking execution in that mode, use
continue-on-error: trueon the relevant step.
Governance note:
AGENT_KILL_SWITCHis analogous toAUTONOMOUS_ACTIONS_ENABLEDβ both are human-governance flags.AGENT_KILL_SWITCH=1provides a fast path to halt agent loops without changingAUTONOMOUS_ACTIONS_ENABLED, which gates the broader token delegation workflow.Quick-set all agent config vars:
gh variable set AGENT_KILL_SWITCH --body "0" --repo Aries-Serpent/_codex_ gh variable set AUTONOMY_BUDGET_SECONDS --body "60" --repo Aries-Serpent/_codex_ gh variable set AUTONOMY_MAX_ITERATIONS --body "3" --repo Aries-Serpent/_codex_ gh variable set AUTONOMY_DRY_RUN --body "0" --repo Aries-Serpent/_codex_ gh variable set AGENT_RUNNER_BUDGET_SECONDS --body "120" --repo Aries-Serpent/_codex_ gh variable set AGENT_RUNNER_ITERATIONS --body "2" --repo Aries-Serpent/_codex_ gh variable set AGENT_RUNNER_DRY_RUN --body "0" --repo Aries-Serpent/_codex_ gh variable set UNCERTAINTY_BUDGET_SECONDS --body "10" --repo Aries-Serpent/_codex_
7. Environment Variables (Aries_Serpent_codex_)ΒΆ
Location: Settings β Environments β Aries_Serpent_codex_
Override scope: These override repository variables of the same name for jobs usingenvironment: Aries_Serpent_codex_
| # | Variable | Status | Value | Env (overrides repo?) | Notes |
|---|---|---|---|---|---|
| 1 | CARGO_TERM_COLOR |
β | always |
Overrides repo (always) |
No conflict |
| 2 | CODEX_BRIDGE_DIR |
β | /tmp/codex_secure_bridge |
New (not in repo-level) | IPC bridge directory for Codespace |
| 3 | CODEX_BRIDGE_OWNER_ONLY |
β | true |
New (not in repo-level) | IPC bridge access control |
| 4 | CODEX_DB_PATH |
β | .codex/logs.db |
Overrides repo (.codex/logs.db) |
No conflict |
| 5 | CODEX_ENV_GO_VERSION |
β | 1.21 |
Overrides repo (1.21) |
No conflict |
| 6 | CODEX_ENV_NODE_VERSION |
β | 22 |
Overrides repo β env variable only | β
Issue 1 resolved (2026-03-06): Previously stored as an env secret. Deleted from secrets; recreated as an env variable. Current-state note: 22 is intentionally major-only and tracks the latest 22.x release (not a pinned full semver). |
| 7 | CODEX_ENV_PYTHON_VERSION |
β | 3.12 |
Overrides repo (3.12) |
β
Issue 2 resolved (2026-03-06): Updated from 3.11 to 3.12. Now consistent with CODEX_PYTHON_VERSION. |
| 8 | CODEX_ENV_RUST_VERSION |
β | 1.92 |
Overrides repo (1.92) |
No conflict |
| 9 | CODEX_ENV_SWIFT_VERSION |
β | 5.9 |
Overrides repo (5.9) |
Interpreted as latest 5.9.x patch release (minor pinned, patch floating). |
| 10 | CODEX_LOG_DB_PATH |
β | .codex/logs.db |
Overrides repo (.codex/logs.db) |
No conflict |
| 11 | CODEX_SQLITE_POOL |
β | 1 |
Overrides repo (1) |
No conflict |
| 12 | RUST_BACKTRACE |
β | 1 |
Overrides repo (1) |
No conflict |
| 13 | RUST_TEST_THREADS |
β | 1 |
Overrides repo (1) |
No conflict |
8. Codespace SecretsΒΆ
Location (org): Settings β Codespaces β Secrets
Location (user): github.com/settings/secrets/codespaces
Injected by:.devcontainer/devcontainer.json"secrets":block
When: Only available inside an active GitHub Codespace session
π Quick Start β Active CodespaceΒΆ
| Codespace name | <auto-set-on-start> |
| Resume existing | Open GitHub Codespaces and select the active Codespace |
| New from PR | Open GitHub Codespaces, choose New with options, then select the target PR/branch for this workstream |
| Branch | <active-development-branch> (e.g., current PR branch) |
| Repo variable | CODEX_ACTIVE_CODESPACE β auto-updated on every start/resume |
The Codespace name changes when a new Codespace is created.
CODEX_ACTIVE_CODESPACEis always kept in sync bypost-start.shautomatically.
These secrets mirror the Actions org secrets but are injected into Codespace containers for interactive agent sessions.
β οΈ Codespace secrets are NOT automatically mirrored from org Actions secrets β they must be set separately at the Codespace level even when the same secret exists as an Actions org secret.
| # | Secret Name | Status | Purpose | Where to Set | Actions Org Secret Equivalent |
|---|---|---|---|---|---|
| 1 | CODEX_MASTER_KEY | β
Confirmed (org-level, 2026-03-06) | Primary GitHub PAT for Variables API, Secrets API, Webhooks API | Org Codespace secrets | CODEX_MASTER_KEY (org secret β
) |
| 2 | CODEX_BACKUP_KEY | β
Confirmed (user secret, 2026-03-06) | Fallback PAT for 401/403 retries | User Codespace secrets | CODEX_BACKUP_KEY (org secret β
) |
| 3 | CODEX_ADMIN_KEY | β
Confirmed (user secret, 2026-03-06) | Fine-grained PAT (Webhooks:write) for webhook management | User Codespace secrets | CODEX_ADMIN_KEY (org secret β
) |
| 4 | _GITHUB_APP_ID | β
Confirmed (user secret, 2026-03-06) | Numeric GitHub App ID for RS256 JWT auth | User Codespace secrets | _GITHUB_APP_ID (org secret β
) |
| 5 | _GITHUB_APP_PRIVATE_KEY | β
Confirmed (user secret, 2026-03-06) | PEM RSA-2048 private key for GitHub App | User Codespace secrets (multi-line value) | _GITHUB_APP_PRIVATE_KEY (org secret β
) |
| 6 | _GITHUB_APP_INSTALLATION_ID | β
Confirmed (user secret, 2026-03-06) | App installation ID for generating installation tokens | User Codespace secrets | _GITHUB_APP_INSTALLATION_ID (org secret β
) |
| 7 | _GITHUB_APP_CLIENT_SECRET | β
Confirmed (user secret, 2026-03-07) | GitHub App OAuth client secret | User Codespace secrets | _GITHUB_APP_CLIENT_SECRET (org secret β
) |
| 8 | WEBHOOK_SECRET | β
Confirmed (user secret, 2026-03-06) | HMAC-SHA256 shared secret for webhook signature verification | User Codespace secrets | CODEX_WEBHOOK_SECRET (repo secret β
) |
| 9 | WEBHOOK_RECEIVER_URL | β
Confirmed (user secret + repo var, 2026-03-06) | Webhook receiver URL (also auto-set as repo var by post-start.sh) | User Codespace secrets | Repo variable WEBHOOK_RECEIVER_URL β
|
β SAR-G01 COMPLETE (2026-03-07) β All 9 Codespace secrets confirmed set by @mbaetiong. Secrets are stored as user-level Codespace secrets (not org-level), which works identically for personal Codespace sessions.
Note: Secrets 4β7 use the same
_GITHUB_APP_*naming as the corresponding org Actions secrets (leading underscore is the standard convention for these system/infrastructure secrets).
Seedocs/agent/CODESPACE_COPILOT_AGENT_GUIDE.mdfor detailed setup instructions.Note (2026-03-06):
CODEX_MASTER_KEYwas briefly set as a repository-level Codespace secret (overriding the org secret). That repo-level override has been removed by @mbaetiong β the org-level Codespace secret is now active directly. Secret was re-rotated at this time.
β All Codespace secrets confirmed (SAR-G01 COMPLETE 2026-03-07)ΒΆ
All 9 Codespace secrets were set by @mbaetiong as user-level Codespace secrets on 2026-03-06/07. No further admin action is required for Codespace agent sessions.
For reference, the CLI commands used were:
# All secrets are now set β commands below are for documentation/recovery only
gh secret set CODEX_BACKUP_KEY --app codespaces # user-level
gh secret set CODEX_ADMIN_KEY --app codespaces # user-level
gh secret set _GITHUB_APP_ID --app codespaces # user-level
gh secret set _GITHUB_APP_PRIVATE_KEY --app codespaces # user-level
gh secret set _GITHUB_APP_INSTALLATION_ID --app codespaces # user-level
gh secret set _GITHUB_APP_CLIENT_SECRET --app codespaces # user-level
gh secret set WEBHOOK_SECRET --app codespaces # user-level
gh secret set WEBHOOK_RECEIVER_URL --app codespaces # user-level
9. Workflow-Defined env: VariablesΒΆ
These are not stored in GitHub Settings β they are defined inline in workflow files and can reference secrets/variables.
| Variable | Defined In | Value / Source | Purpose |
|---|---|---|---|
GITHUB_TOKEN |
Auto-injected by Actions | GitHub-provisioned short-lived token | Default token for all workflow steps |
AGENT_GITHUB_TOKEN |
copilot-setup-steps.yml Export step |
${{ env.GITHUB_TOKEN }} |
Stable alias for GITHUB_TOKEN written to GITHUB_ENV |
CODEX_SESSION_ID |
copilot-setup-steps.yml + repo variable |
UUID v4 (written per session to repo var) | Logical session identifier for log grouping. Also persisted as repo variable (Β§6e). |
CARGO_TERM_COLOR |
Rust workflows | always |
Rust compiler coloured output |
RUST_BACKTRACE |
Rust workflows | 1 |
Enable Rust backtraces on panic |
Reference:
docs/agent/COPILOT_TOKEN_GUIDE.mdβ complete token permission matrix.
10. Known Issues & InconsistenciesΒΆ
β
Issue 1 β CODEX_ENV_NODE_VERSION stored as a Secret β RESOLVED 2026-03-06ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~CODEX_ENV_NODE_VERSION is stored as an Environment Secret with value 18.~~ |
| Resolution | CODEX_ENV_NODE_VERSION env secret has been deleted. A replacement env variable was created under Aries_Serpent_codex_ (verified in 2026-03-06 export). The active baseline value is now 22; older 18 references are historical migration context. Agents and logs can read this value. |
β
Issue 2 β Python version conflict: 3.12 vs 3.11 β RESOLVED 2026-03-06ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~CODEX_ENV_PYTHON_VERSION (env variable) = 3.11 conflicted with CODEX_PYTHON_VERSION (repo variable) = 3.12.~~ |
| Resolution | CODEX_ENV_PYTHON_VERSION updated to 3.12 (verified in 2026-03-06 export). Both layers now agree on Python 3.12. CI should no longer have version discrepancies between environment and non-environment jobs. |
β
Issue 3 β Duplicate path variable: CODEX_D365_POLICIES_PATH and D365_SLA_POLICY_PATH β RESOLVED 2026-03-06ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~Both variables pointed to configs/deployment/d365/sla_policies.json.~~ |
| Resolution | D365_SLA_POLICY_PATH has been deleted from GitHub repo variables (confirmed absent in 2026-03-06 live export). CODEX_D365_POLICIES_PATH remains as the canonical name. |
β Issue 4 β Stale secrets (> 90-day rotation guideline) β RESOLVED 2026-03-06ΒΆ
| Secret | Previous Age | Resolution |
|---|---|---|
| CODEX_MASTER_KEY | Rotated 2026-03-05 | β
Re-rotated 2026-03-06 (~2 h before export). Next due ~2026-06-04. |
| CODEX_BACKUP_KEY | 5+ days | β
Re-rotated 2026-03-06 (~2 h before export). |
| _CODEX_BOT_RUNNER | 7 months | β
Rotated 2026-03-06 (~45 min before export). |
| CODEX_ENVIRONMENT_RUNNER | 7 months | β
Rotated 2026-03-06 (~48 min before export). |
| CODEX_RUNNER_TOKEN | 7 months | β
Rotated 2026-03-06 (~50 min before export). |
| CODEX_RUNNER_SHA256 | 7 months | β
Rotated 2026-03-06 (~50 min before export). |
β
Issue 5 β CODEX_ADMIN_KEY missing β RESOLVED 2026-03-06ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~webhook_configurator.py preferred CODEX_ADMIN_KEY but it was missing.~~ |
| Resolution | CODEX_ADMIN_KEY was added as an org secret (updated 3 hours before 2026-03-06 export). webhook_configurator.py can now use least-privilege webhook management without falling back to CODEX_MASTER_KEY. |
β
Issue 6 β WEBHOOK_RECEIVER_URL missing β RESOLVED 2026-03-06ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~2 webhooks configured but active=false because WEBHOOK_RECEIVER_URL not set.~~ |
| Resolution | WEBHOOK_RECEIVER_URL is now auto-set on every Codespace start/resume by .devcontainer/scripts/post-start.sh. Canonical format: https://${CODESPACE_NAME}-8765.app.github.dev/webhook/github; some environments may surface https://${CODESPACE_NAME}-8765.preview.app.github.dev/webhook/github (Codespaces forwarding variant). The POST /webhook/github endpoint is now implemented in cognitive_app/src/server/cli_api_server.py with HMAC-SHA256 verification. For webhook delivery to work, port 8765 must be set to public visibility in the Codespace. |
β Issue 7 β Codespace secrets confirmation β RESOLVED 2026-03-07ΒΆ
| Detail | |
|---|---|
| ~~Problem~~ | ~~The 9 Codespace secrets declared in .devcontainer/devcontainer.json were not confirmed as set at the Codespace level (org or user).~~ |
| Resolution | All 9 Codespace secrets listed in Β§8 are confirmed set at the Codespace level (org or user) (SAR-G01 complete). |
| Verification | Codespace-based Copilot agent sessions have required authentication tokens, and post-start.sh can start the CLI server. |
| Instructions | For audit/revalidation, see Β§8 Codespace Secrets for CLI/UI steps. |
11. TroubleshootingΒΆ
"Variables API returns 403 / 404"ΒΆ
Symptom: VariableManager or brain_client raises AuthenticationError on variable read/write
Cause: GITHUB_TOKEN used instead of CODEX_MASTER_KEY # pragma: allowlist secret
Fix:
1. Confirm CODEX_MASTER_KEY is set as an org secret (Β§3) # pragma: allowlist secret
2. Confirm copilot-setup-steps.yml "π Export Auth Tokens" step is running # pragma: allowlist secret
3. In code, use: from scripts.tools.variable_manager import VariableManager; vm = VariableManager()
Reference: docs/agent/COPILOT_TOKEN_GUIDE.md β Permission Matrix # pragma: allowlist secret
"Webhooks return 403 on create/update"ΒΆ
Symptom: webhook_configurator.py fails with HTTP 403 on webhook API calls
Cause: GITHUB_TOKEN cannot manage webhooks; CODEX_ADMIN_KEY / CODEX_MASTER_KEY needed # pragma: allowlist secret
Fix:
1. Confirm CODEX_MASTER_KEY has admin:repo_hook scope, OR
2. Create CODEX_ADMIN_KEY (fine-grained, Webhooks:write) and set as org secret # pragma: allowlist secret
Reference: docs/agent/COPILOT_TOKEN_GUIDE.md β Webhook operations section # pragma: allowlist secret
"Python version mismatch between jobs"ΒΆ
Symptom: Tests pass in some jobs, fail in others due to Python syntax/type differences
Status: β
RESOLVED (2026-03-06) β CODEX_ENV_PYTHON_VERSION updated to 3.12 (Issue 2)
Both CODEX_PYTHON_VERSION (repo var) and CODEX_ENV_PYTHON_VERSION (env var) are now 3.12.
If you still see version mismatches, confirm no other variable overrides exist.
"CODEX_ENV_NODE_VERSION appears as *** in logs"ΒΆ
Symptom: Node.js version appears masked in CI logs
Status: β
RESOLVED (2026-03-06) β CODEX_ENV_NODE_VERSION deleted from env secrets and # pragma: allowlist secret
recreated as an env variable. Value is now readable in logs and by the Variables API.
Current required value: `22` (major-only).
"Codespace starts but CLI API server not running"ΒΆ
Symptom: post-start.sh health check fails; uvicorn :8765 not reachable
Cause: CODEX_MASTER_KEY or CODEX_BACKUP_KEY not set as Codespace secrets # pragma: allowlist secret
Fix: All 9 Codespace secrets are now set (SAR-G01 COMPLETE 2026-03-07) β see Β§8 # pragma: allowlist secret
Reference: docs/agent/CODESPACE_COPILOT_AGENT_GUIDE.md
"CODEX_CI_FAILURE_RATE shows stale value"ΒΆ
Symptom: CODEX_CI_FAILURE_RATE hasn't updated in > 24 hours
Cause: ci-health-monitor.yml workflow not running, or CODEX_MASTER_KEY lacked write access
Fix:
1. Check .github/workflows/ci-health-monitor.yml is enabled
2. Verify CODEX_MASTER_KEY has variables:write permission
Format: "<float>:<status>" β e.g. "6.3:ok", "15.2:degraded", "22.1:critical"
"Secret rotation β CODEX_MASTER_KEY / CODEX_BACKUP_KEY"ΒΆ
Full runbook: docs/ops/secrets_rotation_runbook.md # pragma: allowlist secret
Quick summary:
1. Generate new 32-byte base64 key offline
2. Copy current CODEX_MASTER_KEY β set as CODEX_BACKUP_KEY (opens grace window)
3. Set new key as CODEX_MASTER_KEY
4. Wait 48 hours (grace window) then verify
5. Update CODEX_BACKUP_KEY to new value (closes grace window)
"Incorrect variable format"ΒΆ
Variable: CODEX_CI_FAILURE_RATE
Required format: "<float>:<status>" (e.g. "6.3:ok")
Invalid examples: "6.3", "ok", "6.3-ok", "6.3 ok"
Fix: gh variable set CODEX_CI_FAILURE_RATE --body "6.3:ok" --repo Aries-Serpent/_codex_
Variable: COGNITIVE_BRAIN_SESSION_NUMBER
Required format: Integer (e.g. "120")
Invalid examples: "S120", "session-120", "120.0"
Fix: gh variable set COGNITIVE_BRAIN_SESSION_NUMBER --body "120" --repo Aries-Serpent/_codex_
12. Related DocumentationΒΆ
| Document | Scope | Notes |
|---|---|---|
docs/agent/COPILOT_TOKEN_GUIDE.md |
Token priority chain, permission matrix, how tokens reach agents | Primary auth reference |
docs/admin/REPO_VARIABLES_IMPLEMENTATION_GUIDE.md |
Architecture, subsystem wiring, variable dependency map | Technical deep-dive |
docs/admin/HUMAN_ADMIN_REPO_VARIABLES_SETUP.md |
Step-by-step CLI / UI setup for repo variables | Admin setup guide |
docs/ops/secrets_rotation_runbook.md |
Full rotation procedure for CODEX_MASTER_KEY / CODEX_BACKUP_KEY | Required for 90-day rotation |
docs/agent/CODESPACE_COPILOT_AGENT_GUIDE.md |
Codespace secrets, lifecycle hooks, environment parity with Actions | Codespace setup |
docs/agent/GITHUB_APP_CLI_MAPPING.md |
GitHub App ID, private key, installation ID setup | GitHub App authentication |
docs/ops/WEBHOOK_REGISTRY.md |
Webhook config, registry, apply procedure, CODEX_ADMIN_KEY | Webhook activation |
.codex/runtime_variables.md |
Legacy env var catalog (pre-unification) | Superseded by this guide |
docs/security/CURRENT_EXPECTED_VARIABLES.md |
Security-focused variable inventory (pre-unification) | Superseded by this guide |
docs/security/secret_handling.md |
Secret handling best practices, never-log rules | Security policy |
.codex/agent_context.json |
Live snapshot of repo variables (synced daily) | Machine-readable state |
scripts/tools/variable_manager.py |
Python API for reading/writing repo variables | Code reference |
src/aries_serpent_core/auth/github_app.py |
_resolve_github_token() β token fallback chain implementation |
Code reference |
13. β Previously Missing β All Resolved (2026-03-07)ΒΆ
All previously-blocked items are now resolved. This section is retained as an audit trail.
β WEBHOOK_RECEIVER_URL (Repo Variable) β RESOLVED 2026-03-06ΒΆ
Resolution: WEBHOOK_RECEIVER_URL is now auto-set on every Codespace start/resume by
.devcontainer/scripts/post-start.sh. The URL format is:
https://${CODESPACE_NAME}-8765.app.github.dev/webhook/github
The POST /webhook/github endpoint is implemented in cognitive_app/src/server/cli_api_server.py.
For webhook delivery to work, port 8765 must be set to public visibility in the Codespace Ports panel.
β
Issue 3 β Delete duplicate D365_SLA_POLICY_PATH repo variable β RESOLVED 2026-03-06ΒΆ
D365_SLA_POLICY_PATH is absent from the 2026-03-06 live export β the variable has been deleted.
β Codespace Secrets (9 items) β RESOLVED 2026-03-07 (SAR-G01 COMPLETE)ΒΆ
All 9 Codespace secrets confirmed set by @mbaetiong as user-level Codespace secrets. See Β§8 for the complete confirmed status table.
| Codespace Secret | Resolution |
|---|---|
| CODEX_MASTER_KEY | β
Org-level (2026-03-06) |
| CODEX_BACKUP_KEY | β
User secret (2026-03-06) |
| CODEX_ADMIN_KEY | β
User secret (2026-03-06) |
| _GITHUB_APP_ID | β
User secret (2026-03-06) |
| _GITHUB_APP_PRIVATE_KEY | β
User secret (2026-03-06) |
| _GITHUB_APP_INSTALLATION_ID | β
User secret (2026-03-06) |
| _GITHUB_APP_CLIENT_SECRET | β
User secret (2026-03-07) |
| WEBHOOK_SECRET | β
User secret (2026-03-06) |
| WEBHOOK_RECEIVER_URL | β
User secret + repo var (2026-03-06) |
β Autonomous Agent Config Variables (8 items) β RESOLVED 2026-03-07ΒΆ
All 8 Β§6h autonomous agent repo variables confirmed set by @mbaetiong. See Β§6h for details.
Note: If any of these need to be re-provisioned in the future (e.g., after secret rotation), refer to the historical CLI commands preserved in the sub-sections above.
Summary ChecklistΒΆ
β Previously Blocked β All Resolved (2026-03-07)ΒΆ
- ~~Set 9 Codespace secrets~~ β RESOLVED 2026-03-07 (SAR-G01 COMPLETE) β all set as user Codespace secrets by @mbaetiong; see Β§8
- ~~Set 8 autonomous agent repo variables~~ β RESOLVED 2026-03-07 β all 8 set:
AGENT_KILL_SWITCH=0,AUTONOMY_BUDGET_SECONDS=90,AUTONOMY_MAX_ITERATIONS=3,AUTONOMY_DRY_RUN=0,AGENT_RUNNER_BUDGET_SECONDS=180,AGENT_RUNNER_ITERATIONS=2,AGENT_RUNNER_DRY_RUN=0,UNCERTAINTY_BUDGET_SECONDS=20; see Β§6h
β ResolvedΒΆ
- ~~Fix Issue 1: Delete
CODEX_ENV_NODE_VERSIONenv secret; recreate as env variable~~ β Done 2026-03-06 - ~~Fix Issue 2: Update
CODEX_ENV_PYTHON_VERSIONenv variable from3.11β3.12~~ β Done 2026-03-06 - ~~Fix Issue 3: Remove duplicate
D365_SLA_POLICY_PATHrepo variable~~ β Done 2026-03-06 (deleted from GitHub; absent in live export) - ~~Fix Issue 4: Rotate stale runner secrets (7 months old)~~ β Done 2026-03-06 (
_CODEX_BOT_RUNNER,CODEX_ENVIRONMENT_RUNNER,CODEX_RUNNER_TOKEN,CODEX_RUNNER_SHA256all rotated;CODEX_MASTER_KEY+CODEX_BACKUP_KEYre-rotated) - ~~Fix Issue 5: Create
CODEX_ADMIN_KEYorg secret (fine-grained PAT,Webhooks:write)~~ β Done 2026-03-06 - ~~Fix Issue 6: Set
WEBHOOK_RECEIVER_URLrepo variable~~ β Done 2026-03-06 (auto-set by Codespacepost-start.sh) - ~~Document autonomous agent env vars (Β§6h)~~ β Done 2026-03-07 (S116 PR #3508, 8 variables:
AGENT_KILL_SWITCH,AUTONOMY_BUDGET_SECONDS,AUTONOMY_MAX_ITERATIONS,AUTONOMY_DRY_RUN,AGENT_RUNNER_BUDGET_SECONDS,AGENT_RUNNER_ITERATIONS,AGENT_RUNNER_DRY_RUN,UNCERTAINTY_BUDGET_SECONDS)
π’ Monitor / MaintenanceΒΆ
- Rotate
CODEX_MASTER_KEY+CODEX_BACKUP_KEYbefore 2026-06-04 (rotated 2026-03-06 β 90-day window) - Rotate
_CODEX_BOT_RUNNER,CODEX_ENVIRONMENT_RUNNER,CODEX_RUNNER_TOKEN,CODEX_RUNNER_SHA256before 2026-06-04
Supersedes: .codex/runtime_variables.md Β· docs/security/CURRENT_EXPECTED_VARIABLES.md Β· .codex/QUICK_REFERENCE_TOKEN_STATUS.md
Maintained by: @mbaetiong Β· Last reviewed: 2026-03-07 (S116/W-142 phase 3 β Β§6f REDIS_URL added (SAR-G02); DuckDB offline backend evaluated; Β§6h all 8 autonomous agent vars confirmed β
; SAR-G01 all 9 Codespace secrets confirmed β
; Β§13 converted to resolved archive; v1.7.0)