Skip to content

Last synced: 2026-07-10T09:43:42Z (auto-sync workflow)

GitHub Variables & Secrets β€” Master Reference GuideΒΆ

Last Updated: 2026-06-22

Version: 1.7.0 (W-142/S116 phase 3, 2026-03-07)
Owner: @mbaetiong
Status: βœ… Current β€” reflects live state as of 2026-03-07 (phase 3: REDIS_URL Β§6f added for SAR-G02 RedisBackend; DuckDB offline materialization evaluated; multivariate drift OTel spans added SAR-G05; autonomy CI matrix all 7 phases)
Audience: Human admins, Copilot agents, CI/CD authors
Auto-synced by: repo-var-sync-schedule.yml (daily 06:00 UTC β†’ .codex/agent_context.json)

⚠️ This is the single source of truth. All other variable docs link here.


Table of ContentsΒΆ

  1. Architecture Overview
  2. How to Set Variables β€” Quick Links
  3. Organization Secrets
  4. Repository Secrets
  5. Environment Secrets (Aries_Serpent_codex_)
  6. Repository Variables
  7. 6a. Cognitive Brain
  8. 6b. Copilot Agent Runtime
  9. 6c. CI/CD Health
  10. 6d. Identity & Static Config
  11. 6e. Runtime / Build Config
  12. 6f. ML / HuggingFace / Weights & Biases
  13. 6g. Webhook / Infra
  14. 6h. πŸ€– Autonomous Agent Config ⬅️ New (S116)
  15. Environment Variables (Aries_Serpent_codex_)
  16. Codespace Secrets
  17. Workflow-Defined env: Variables
  18. Known Issues & Inconsistencies
  19. Troubleshooting
  20. Related Documentation
  21. βœ… Previously Missing β€” All Resolved (2026-03-07)

1. Architecture OverviewΒΆ

GitHub provides six distinct storage layers for variables and secrets. Choosing the wrong layer is the most common misconfiguration.

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                    Variable Storage Hierarchy                        β”‚
β”‚                                                                      β”‚
β”‚  🏒 ORGANIZATION LEVEL  (Aries-Serpent)                             β”‚
β”‚  β”œβ”€ Org Secrets       β†’ shared across all repos in org              β”‚  # pragma: allowlist secret
β”‚  └─ Org Variables     β†’ [none currently, use repo vars instead]     β”‚
β”‚                                                                      β”‚
β”‚  πŸ“¦ REPOSITORY LEVEL  (Aries-Serpent/_codex_)                       β”‚
β”‚  β”œβ”€ Repo Secrets      β†’ encrypted, not readable by agents           β”‚  # pragma: allowlist secret
β”‚  └─ Repo Variables    β†’ readable plaintext, writable via API        β”‚
β”‚                                                                      β”‚
β”‚  🌍 ENVIRONMENT LEVEL  (Aries_Serpent_codex_ environment)           β”‚
β”‚  β”œβ”€ Env Secrets       β†’ override repo secrets for this env          β”‚  # pragma: allowlist secret
β”‚  └─ Env Variables     β†’ override repo variables for this env        β”‚
β”‚                                                                      β”‚
β”‚  πŸ’» CODESPACE LEVEL  (org or user-scoped)                           β”‚
β”‚  └─ Codespace Secrets β†’ injected into interactive Codespace only    β”‚  # pragma: allowlist secret
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Resolution order (GitHub Actions): Env > Repo > Org (most specific wins)
Token access:  CODEX_MASTER_KEY > CODEX_BACKUP_KEY > GITHUB_TOKEN  # pragma: allowlist secret

Key constraints: - GITHUB_TOKEN cannot read/write the Variables API β€” requires CODEX_MASTER_KEY (classic PAT, repo scope). - Secrets are never readable by agents or logs β€” only injected as env vars. - Env-level values silently override repo-level values of the same name.


Storage Type GitHub UI Location API / CLI
Org Secrets Settings β†’ Security β†’ Secrets β†’ Actions gh secret set NAME --org Aries-Serpent
Org Variables Settings β†’ Security β†’ Variables β†’ Actions gh variable set NAME --org Aries-Serpent
Repo Secrets Settings β†’ Secrets and variables β†’ Actions β†’ Secrets tab gh secret set NAME --repo Aries-Serpent/_codex_
Repo Variables Settings β†’ Secrets and variables β†’ Actions β†’ Variables tab gh variable set NAME --body VALUE --repo Aries-Serpent/_codex_
Env Secrets Settings β†’ Environments β†’ Aries_Serpent_codex_ β†’ Secrets gh secret set NAME --env Aries_Serpent_codex_ --repo Aries-Serpent/_codex_
Env Variables Settings β†’ Environments β†’ Aries_Serpent_codex_ β†’ Variables gh variable set NAME --env Aries_Serpent_codex_ --repo Aries-Serpent/_codex_
Codespace Secrets (org) Settings β†’ Codespaces β†’ Secrets gh secret set NAME --app codespaces --org Aries-Serpent
Codespace Secrets (user) github.com/settings/secrets/codespaces gh secret set NAME --app codespaces

3. Organization SecretsΒΆ

Location: Aries-Serpent β†’ Settings β†’ Security β†’ Secrets β†’ Actions
Referenced in workflows as: ${{ secrets.NAME }}
Access via API: Requires CODEX_MASTER_KEY or org-admin token

| # | Secret Name | Status | Last Updated | Purpose | Required By | |---|---|---|---|---|---| | 1 | CODECOV_TOKEN | βœ… Present | 2 months ago | Code coverage upload to codecov.io | coverage*.yml workflows | | 2 | CODEX_ADMIN_KEY | βœ… Present | 3 hours ago | Fine-grained PAT (Webhooks:write). Used for webhook_configurator.py least-privilege mode. | apply-webhooks job in agent_infrastructure_manager.yml | | 3 | CODEX_BACKUP_KEY | βœ… Present | 2 hours ago | Fallback GitHub PAT β€” auto-used on 401/403 from CODEX_MASTER_KEY. Same scope as master. | All auth-delegation workflows, variable_manager.py, brain_client.py, github_app.py | | 4 | CODEX_MASTER_KEY | βœ… Present | now (2026-03-06) | Primary full-scope GitHub PAT (classic, repo scope + admin:repo_hook). Required for Variables API, Secrets API, Webhooks API. Re-rotated 2026-03-06 β€” next rotation due ~2026-06-04. | agent-auth-delegation.yml, variable_manager.py, webhook_configurator.py, brain_client.py | | 5 | HF_TOKEN | βœ… Present | 2 months ago | HuggingFace API token for model downloads | ML training workflows | | 6 | NPM_TOKEN | βœ… Present | 2 months ago | npm publish authentication | Node.js package publish workflows | | 7 | PYPI_TOKEN | βœ… Present | 2 months ago | PyPI publish authentication | Python package publish workflows | | 8 | RAG_OPENAI_KEY | βœ… Present | 3 weeks ago | OpenAI API key for RAG embeddings | RAG index build workflows | | 9 | _CODEX_ACTION_RUNNER | βœ… Present | 2 months ago | Runner registration token for self-hosted Actions runners | Runner registration | | 10 | _GITHUB_APP_CLIENT_SECRET | βœ… Present | 8 hours ago | GitHub App OAuth client secret for web-flow App authentication | github_app.py, OAuth web-flow auth | | 11 | _GITHUB_APP_ID | βœ… Present | 8 hours ago | Numeric GitHub App ID for RS256 JWT generation | github_app.py, App JWT auth flows | | 12 | _GITHUB_APP_INSTALLATION_ID | βœ… Present | 8 hours ago | App installation ID for generating installation access tokens | github_app.py, installation token flows | | 13 | _GITHUB_APP_PRIVATE_KEY | βœ… Present | 8 hours ago | RSA-2048 PEM private key for signing GitHub App JWTs | github_app.py, RS256 JWT signing |

βœ… CODEX_MASTER_KEY and CODEX_BACKUP_KEY rotated 2026-03-06 (latest rotation "now" per @mbaetiong β€” repo-level Codespace override removed, org secret active directly). Next rotation due ~2026-06-04 (90-day cycle).
See docs/ops/secrets_rotation_runbook.md for the full rotation procedure.

Token chain in code: CODEX_MASTER_KEY β†’ CODEX_BACKUP_KEY β†’ AGENT_GITHUB_TOKEN β†’ GITHUB_TOKEN
This is enforced by _resolve_github_token() in src/codex/auth/github_app.py and scripts/tools/variable_manager.py.

GitHub App Authentication Secrets (_GITHUB_APP_*)ΒΆ

The four _GITHUB_APP_* secrets were added 2026-03-06 to support GitHub App–based authentication (RS256 JWT flow) as an alternative to PAT-based auth. They are consumed by src/codex/auth/github_app.py.

Codespace note: These org Actions secrets are separate from Codespace secrets. Codespace-based agent sessions that need GitHub App auth must also have these values set at the Codespace level (see Β§8). The naming convention (leading _) marks them as system/infrastructure secrets managed by the org admin.


4. Repository SecretsΒΆ

Location: Settings β†’ Secrets and variables β†’ Actions β†’ Secrets tab
Referenced in workflows as: ${{ secrets.NAME }}

| # | Secret Name | Status | Last Updated | Purpose | Notes | |---|---|---|---|---|---| | 1 | CODEX_GHP_TOKEN_BASE64 | βœ… Present | 2 months ago | Base64-encoded GitHub token for copilot-with-mcp workflow | Decoder priority #3 in copilot_token_decoder.py | | 2 | CODEX_GHP_TOKEN_HEX | βœ… Present | 2 months ago | Hex-encoded GitHub token (alternative encoding) | Decoder priority #4 | | 3 | CODEX_GHP_TOKEN_SHA256 | βœ… Present | 2 months ago | One-way SHA-256 hash of GHP token for integrity validation | Verification only β€” not a usable token | | 4 | CODEX_REPO_ID | βœ… Present | 6 hours ago | Repository numeric ID (GitHub internal) | Used in manifest generation | | 5 | CODEX_WEBHOOK_SECRET | βœ… Present | 12 minutes ago | HMAC-SHA256 shared secret for incoming webhook verification | WebhookVerifier in src/codex/auth/github_app.py | | 6 | OPENAI_API_KEY | βœ… Present | 5 hours ago | OpenAI API key for LLM agent operations | Consumed by brain_client.py and LLM-based CI workflows | | 7 | _CODEX_BOT_RUNNER | βœ… Present | 45 minutes ago | Bot runner registration token | βœ… Rotated 2026-03-06 |

Token Decoder Priority OrderΒΆ

1. CODEX_GHP_TOKEN_CONFIG   (Combined AES β€” not currently set)  # pragma: allowlist secret
2. CODEX_GHP_TOKEN_BASE64   βœ… (present β€” simplest, recommended)  # pragma: allowlist secret
3. CODEX_GHP_TOKEN_HEX      βœ… (present β€” alternative)  # pragma: allowlist secret
4. GITHUB_TOKEN             (auto-provided by Actions)  # pragma: allowlist secret

5. Environment Secrets (Aries_Serpent_codex_)ΒΆ

Location: Settings β†’ Environments β†’ Aries_Serpent_codex_
Override scope: These override org/repo secrets for jobs using environment: Aries_Serpent_codex_

| # | Secret Name | Status | Last Updated | Value | Notes | |---|---|---|---|---|---| | 1 | CODEX_ENVIRONMENT_RUNNER | βœ… Present | 48 minutes ago | (secret) | βœ… Rotated 2026-03-06 | | 2 | CODEX_RUNNER_SHA256 | βœ… Present | 50 minutes ago | (secret hash) | βœ… Rotated 2026-03-06 | | 3 | CODEX_RUNNER_TOKEN | βœ… Present | 50 minutes ago | (secret) | βœ… Rotated 2026-03-06 |

βœ… Issue 1 resolved (2026-03-06): CODEX_ENV_NODE_VERSION was previously stored here as an environment secret. It has been deleted from env secrets and recreated as an environment variable (see Β§7). Node.js version strings are non-sensitive and should be variables, not secrets.
βœ… Current runtime baseline (2026-06-05): Node.js 22 is the required active value; older 18/20 references in this document are historical records only.


6. Repository VariablesΒΆ

Location: Settings β†’ Secrets and variables β†’ Actions β†’ Variables tab
Referenced in workflows as: ${{ vars.NAME }}
Readable by agents via: VariableManager (requires CODEX_MASTER_KEY)
Auto-synced to: .codex/agent_context.json daily

Variables are grouped by subsystem. Human-governance flags must never be overwritten by automation without explicit owner approval.

6a. 🧠 Cognitive Brain¢

# Variable Status Current Value Purpose
1 COGNITIVE_BRAIN_ALLOWED_ACTORS βœ… mbaetiong,github-actions[bot],copilot-swe-agent[bot],github-copilot[bot] Actors permitted to interact with cognitive brain memory
2 COGNITIVE_BRAIN_INJECTION_ENABLED βœ… true Master switch for session context injection
3 COGNITIVE_BRAIN_LTM_RETENTION_DAYS βœ… 90 Long-term memory retention in days
4 COGNITIVE_BRAIN_MAX_CONTEXT_TOKENS βœ… 128000 Maximum tokens for context injection
5 COGNITIVE_BRAIN_MEMORY_TIER βœ… both Memory tier: stm, ltm, or both
6 COGNITIVE_BRAIN_PATTERN_MIN_CONFIDENCE βœ… 0.75 Minimum confidence to inject a pattern
7 COGNITIVE_BRAIN_SESSION_NUMBER βœ… 120 (auto-increments) Current session number β€” auto-incremented by agent-auth-delegation.yml activate-delegation step

6b. πŸ–₯️ Copilot Agent RuntimeΒΆ

# Variable Status Current Value Purpose
1 COPILOT_AGENT_AUTH_ENABLED βœ… true ⚠️ Human governance flag β€” gates token delegation workflow
2 COPILOT_AGENT_FIREWALL_ENABLED βœ… true ⚠️ Human governance flag β€” network isolation control
3 COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS βœ… (long allowlist) Additional URLs allowed through Copilot firewall
4 COPILOT_AGENT_MAX_AUTONOMY_LEVEL βœ… D Maximum D_CAPABLE autonomy level
5 COPILOT_AGENT_SESSION_RESTORE_ENABLED βœ… true Enable session context restoration
6 COPILOT_CLI_BASE_URL βœ… http://localhost:8765 Cognitive Brain CLI API URL (local server)
7 COPILOT_CLI_ENABLED βœ… true Enable CLI API server integration

6c. βš™οΈ CI/CD HealthΒΆ

# Variable Status Current Value Purpose
1 AGENT_HANDOFF_TIMEOUT_SECONDS βœ… 120 Timeout for agent handoff operations
2 AUTO_PROMOTE_TIER_ENABLED βœ… true Auto-promotion tier for agent capabilities
3 AUTONOMOUS_ACTIONS_ENABLED βœ… true ⚠️ Human governance flag β€” gates autonomous agent actions
4 CODEX_CI_FAILURE_RATE βœ… 10.7:degraded (auto-updated) Current CI failure rate (%) β€” format: <float>:<status> where status ∈ {ok, degraded, critical}. Updated by ci-health-monitor.yml.
5 CODEX_CI_FAILURE_THRESHOLD βœ… 10.0 CI failure rate threshold (%) for degraded state (e.g., 10.0 = 10.0%)
6 CODEX_CI_LAST_GREEN_SHA βœ… (sha) (auto-updated) Last commit SHA with all-green CI
7 EMBEDDING_INDEX_AUTO_REBUILD βœ… true Auto-rebuild FAISS embedding index on changes

6d. πŸ”’ Identity & Static ConfigΒΆ

# Variable Status Current Value Purpose
1 AUDIT_RETENTION_DAYS βœ… 90 Audit artifact retention period
2 CODEX_AGENT_NAME βœ… ai_org_repo_admin Agent identity name
3 CODEX_API_VERSION βœ… 2022-11-28 GitHub API version pin
4 CODEX_ISOLATED_PATH βœ… /codex/network/isolated Network isolation path
5 CODEX_LOG_LEVEL βœ… INFO Logging verbosity
6 CODEX_NETWORK_MODE βœ… isolated Network mode policy
7 CODEX_ORG_NAME βœ… Aries-Serpent Organization name constant
8 GENESIS_TIMESTAMP βœ… 2025-12-26T16:04:45Z Repository genesis timestamp (immutable)

6e. 🐍 Runtime / Build Config¢

# Variable Status Current Value Purpose
1 CODEX_CACHE_VERSION βœ… v2 Cache-busting version for CI dependency caches
2 CODEX_CLI_API_URL βœ… http://localhost:8765 CLI API server URL
3 CODEX_COVERAGE_THRESHOLD βœ… 80 Minimum test coverage % gate
4 CODEX_D365_POLICIES_PATH βœ… configs/deployment/d365/sla_policies.json D365 SLA policies config path
5 CODEX_FORCE_CPU βœ… 0 Force CPU-only torch (0=off, 1=on)
6 CODEX_LINT_STRICT βœ… true Enable strict Ruff/mypy linting
7 CODEX_LLM_MODEL βœ… gpt-4o LLM model for agent operations
8 CODEX_LLM_RATE_LIMIT_DELAY βœ… 1.0 Seconds between LLM requests
9 CODEX_OFFLINE βœ… 1 Offline mode for CI (1=offline)
10 CODEX_PYTHON_VERSION βœ… 3.12 Python version target (pinned minor, floating patch): resolves to the latest available 3.12.x patch at runtime (not pinned to 3.12.0 or any specific patch) β€” aligned with env-level CODEX_ENV_PYTHON_VERSION. Issue 2 resolved.
11 CODEX_SANDBOX_TIMEOUT βœ… 60 Sandbox operation timeout (seconds)
12 CODEX_SESSION_ID βœ… UUID v4 (auto-set per session) Current or most-recent logical session identifier. Written by copilot-setup-steps.yml on session start. Format: UUID v4 string.
13 CODEX_SESSION_LOG_DIR βœ… .codex/sessions Session log directory
14 CODEX_TEST_PARALLELISM βœ… auto Pytest parallel execution mode
15 CODEX_ZENDESK_DOCS_ROOT βœ… docs/vendors/zendesk Zendesk documentation root
16 ENABLE_LIVE_TESTS βœ… true Enable live/integration tests in CI

6f. πŸ€– ML / HuggingFace / Weights & BiasesΒΆ

# Variable Status Current Value Purpose
1 COMPOSE_DOCKER_CLI_BUILD βœ… 1 Enable BuildKit for Docker Compose
2 DOCKER_BUILDKIT βœ… 1 Enable Docker BuildKit
3 GPU_OPT βœ… --gpus all Docker GPU passthrough flag
4 HF_HOME βœ… ~/.cache/huggingface HuggingFace cache directory
5 MLFLOW_EXPERIMENT_NAME βœ… saas_knowledge_training MLflow experiment name
6 TORCH_HOME βœ… ~/.cache/torch PyTorch cache directory
7 TRANSFORMERS_OFFLINE βœ… 1 Run HF Transformers offline
8 WANDB_MODE βœ… offline Weights & Biases run mode
9 ZENDESK_RATE_LIMIT βœ… 100 Zendesk API rate limit
10 ZENDESK_SYNC_INTERVAL βœ… 3600 Zendesk sync interval (seconds)

6g. Webhook / InfraΒΆ

# Variable Status Current Value Purpose
1 CODEX_ACTIVE_CODESPACE βœ… Auto-set by Codespace <auto-set-on-start> Name of the currently active Codespace. Created automatically on first Codespace start; updated on every subsequent start/resume via post-start.sh. Changes whenever a new Codespace is created β€” never hardcode this value.
2 WEBHOOK_RECEIVER_URL βœ… Auto-set by Codespace https://<codespace-name>-8765.<codespaces-domain>/webhook/github Public URL for webhook delivery. Derived from CODEX_ACTIVE_CODESPACE; updated automatically alongside it. Domain suffix may vary by Codespaces environment (for example, preview.app.github.dev or app.github.dev); use the auto-set value rather than hardcoding.

Both variables above are written atomically by step 4b in .devcontainer/scripts/post-start.sh on every Codespace start and resume.
gh variable set creates the variable if absent, so no manual seeding is required β€” the first Codespace start after this commit will provision both variables automatically.

ObservabilityΒΆ

# Variable Status Current Value Purpose
1 OTEL_EXPORTER_OTLP_ENDPOINT βš™οΈ Optional (not set β€” no-op mode) OpenTelemetry OTLP gRPC endpoint (e.g. http://jaeger:4317). When set, the init_tracing() function in src/codex/observability/tracing.py enables distributed tracing. Setup requirements are detailed in the OTel setup note below. SAR-G05.
OTel setup noteΒΆ
  • Required Python packages (minimum): opentelemetry-sdk>=1.20.0 plus a protocol-specific OTLP exporter:
  • gRPC (recommended for OTEL_EXPORTER_OTLP_ENDPOINT, e.g. :4317): opentelemetry-exporter-otlp-proto-grpc>=1.20.0
  • HTTP (if using OTLP/HTTP): opentelemetry-exporter-otlp-proto-http>=1.20.0
  • Optional convenience meta-package: opentelemetry-exporter-otlp>=1.20.0
  • Install with (gRPC): pip install "opentelemetry-sdk>=1.20.0" "opentelemetry-exporter-otlp-proto-grpc>=1.20.0"
  • Install with (HTTP): pip install "opentelemetry-sdk>=1.20.0" "opentelemetry-exporter-otlp-proto-http>=1.20.0"
  • Leave OTEL_EXPORTER_OTLP_ENDPOINT unset for offline/local environments (no-op mode).

Data Store / Feature BackendΒΆ

# Variable Status Current Value Purpose
1 REDIS_URL βš™οΈ Optional (not set β€” uses SQLite or in-memory backend) Redis connection URL for enabling Feast Redis online-store mode in production (e.g. redis://localhost:6379/0 or rediss://host:6380/0). Leave unset to use default local/offline backends. SAR-G02.

⚠️ Security note (REDIS_URL): If authentication is required, do not store credentials in a repository variable. Set REDIS_URL from a GitHub Actions Secret or Codespaces Secret containing the full authenticated URL (including credentials if needed). Repository variables are visible to users with read access, while runtime environment variables injected from secrets are appropriate for credentialed values.

REDIS_URL implementation notesΒΆ
  • Backend selection logic is implemented in src/codex_ml/features/feast_compat.py via create_backend().
  • When REDIS_URL is set, the Redis backend path is selected for online-store usage.
  • When unset, the system falls back to default local backends (SQLiteBackend / InMemoryBackend).

6h. πŸ€– Autonomous Agent ConfigΒΆ

Variables controlling the 7-phase autonomous agent framework introduced in S116 (PR #3508). All scripts fall back to safe coded defaults when variables are unset.

Set via: gh variable set <NAME> --body "<VALUE>" --repo Aries-Serpent/_codex_

# Variable Status Recommended Value Script Default Purpose
1 AGENT_KILL_SWITCH βœ… Set 0 (2026-03-07) 0 (intentional; matches default) 0 ⚠️ Human governance flag β€” set to "1" to halt agent loops (Phases 1 & 7). See operational notes below.
2 AUTONOMY_BUDGET_SECONDS βœ… Set 90 (2026-03-07) 60 300 Max wall-clock seconds per autonomy_scheduler.py run (Phase 1). Admin chose 90s (between recommended CI=60 and script default=300).
3 AUTONOMY_MAX_ITERATIONS βœ… Set 3 (2026-03-07) 3 10 Max health-sense/decide/act iterations per scheduler run (Phase 1).
4 AUTONOMY_DRY_RUN βœ… Set 0 (2026-03-07) 0 0 Set to "1" to disable all mutating filesystem writes in autonomy_scheduler.py (Phase 1).
5 AGENT_RUNNER_BUDGET_SECONDS βœ… Set 180 (2026-03-07) 120 180 Total wall-clock budget per agent_runner.py orchestration daemon invocation (Phase 7). Admin chose script default of 180s.
6 AGENT_RUNNER_ITERATIONS βœ… Set 2 (2026-03-07) 2 3 Number of full-phase loops per agent_runner.py invocation (Phase 7).
7 AGENT_RUNNER_DRY_RUN βœ… Set 0 (2026-03-07) 0 0 Set to "1" to skip all write operations in agent_runner.py (Phase 7).
8 UNCERTAINTY_BUDGET_SECONDS βœ… Set 20 (2026-03-07) 10 10 Per-query wall-time cap for Dirichlet inference in budget_uncertainty.py (Phases 4/5). Admin chose 20s for extra safety margin.

AGENT_KILL_SWITCH operational notesΒΆ

  • Checked at loop entry before any work runs.
  • If unset, scripts explicitly fall back to coded default "0" so CI passes by default.
  • Workflow steps invoking autonomy_scheduler.py or agent_runner.py with AGENT_KILL_SWITCH=1 receive exit code 1.
  • For non-blocking execution in that mode, use continue-on-error: true on the relevant step.

Governance note: AGENT_KILL_SWITCH is analogous to AUTONOMOUS_ACTIONS_ENABLED β€” both are human-governance flags. AGENT_KILL_SWITCH=1 provides a fast path to halt agent loops without changing AUTONOMOUS_ACTIONS_ENABLED, which gates the broader token delegation workflow.

Quick-set all agent config vars:

gh variable set AGENT_KILL_SWITCH            --body "0"   --repo Aries-Serpent/_codex_
gh variable set AUTONOMY_BUDGET_SECONDS      --body "60"  --repo Aries-Serpent/_codex_
gh variable set AUTONOMY_MAX_ITERATIONS      --body "3"   --repo Aries-Serpent/_codex_
gh variable set AUTONOMY_DRY_RUN             --body "0"   --repo Aries-Serpent/_codex_
gh variable set AGENT_RUNNER_BUDGET_SECONDS  --body "120" --repo Aries-Serpent/_codex_
gh variable set AGENT_RUNNER_ITERATIONS      --body "2"   --repo Aries-Serpent/_codex_
gh variable set AGENT_RUNNER_DRY_RUN         --body "0"   --repo Aries-Serpent/_codex_
gh variable set UNCERTAINTY_BUDGET_SECONDS   --body "10"  --repo Aries-Serpent/_codex_


7. Environment Variables (Aries_Serpent_codex_)ΒΆ

Location: Settings β†’ Environments β†’ Aries_Serpent_codex_
Override scope: These override repository variables of the same name for jobs using environment: Aries_Serpent_codex_

# Variable Status Value Env (overrides repo?) Notes
1 CARGO_TERM_COLOR βœ… always Overrides repo (always) No conflict
2 CODEX_BRIDGE_DIR βœ… /tmp/codex_secure_bridge New (not in repo-level) IPC bridge directory for Codespace
3 CODEX_BRIDGE_OWNER_ONLY βœ… true New (not in repo-level) IPC bridge access control
4 CODEX_DB_PATH βœ… .codex/logs.db Overrides repo (.codex/logs.db) No conflict
5 CODEX_ENV_GO_VERSION βœ… 1.21 Overrides repo (1.21) No conflict
6 CODEX_ENV_NODE_VERSION βœ… 22 Overrides repo β€” env variable only βœ… Issue 1 resolved (2026-03-06): Previously stored as an env secret. Deleted from secrets; recreated as an env variable. Current-state note: 22 is intentionally major-only and tracks the latest 22.x release (not a pinned full semver).
7 CODEX_ENV_PYTHON_VERSION βœ… 3.12 Overrides repo (3.12) βœ… Issue 2 resolved (2026-03-06): Updated from 3.11 to 3.12. Now consistent with CODEX_PYTHON_VERSION.
8 CODEX_ENV_RUST_VERSION βœ… 1.92 Overrides repo (1.92) No conflict
9 CODEX_ENV_SWIFT_VERSION βœ… 5.9 Overrides repo (5.9) Interpreted as latest 5.9.x patch release (minor pinned, patch floating).
10 CODEX_LOG_DB_PATH βœ… .codex/logs.db Overrides repo (.codex/logs.db) No conflict
11 CODEX_SQLITE_POOL βœ… 1 Overrides repo (1) No conflict
12 RUST_BACKTRACE βœ… 1 Overrides repo (1) No conflict
13 RUST_TEST_THREADS βœ… 1 Overrides repo (1) No conflict

8. Codespace SecretsΒΆ

Location (org): Settings β†’ Codespaces β†’ Secrets
Location (user): github.com/settings/secrets/codespaces
Injected by: .devcontainer/devcontainer.json "secrets": block
When: Only available inside an active GitHub Codespace session

πŸš€ Quick Start β€” Active CodespaceΒΆ

Codespace name <auto-set-on-start>
Resume existing Open GitHub Codespaces and select the active Codespace
New from PR Open GitHub Codespaces, choose New with options, then select the target PR/branch for this workstream
Branch <active-development-branch> (e.g., current PR branch)
Repo variable CODEX_ACTIVE_CODESPACE β€” auto-updated on every start/resume

The Codespace name changes when a new Codespace is created. CODEX_ACTIVE_CODESPACE is always kept in sync by post-start.sh automatically.

These secrets mirror the Actions org secrets but are injected into Codespace containers for interactive agent sessions.

⚠️ Codespace secrets are NOT automatically mirrored from org Actions secrets β€” they must be set separately at the Codespace level even when the same secret exists as an Actions org secret.

| # | Secret Name | Status | Purpose | Where to Set | Actions Org Secret Equivalent | |---|---|---|---|---|---| | 1 | CODEX_MASTER_KEY | βœ… Confirmed (org-level, 2026-03-06) | Primary GitHub PAT for Variables API, Secrets API, Webhooks API | Org Codespace secrets | CODEX_MASTER_KEY (org secret βœ…) | | 2 | CODEX_BACKUP_KEY | βœ… Confirmed (user secret, 2026-03-06) | Fallback PAT for 401/403 retries | User Codespace secrets | CODEX_BACKUP_KEY (org secret βœ…) | | 3 | CODEX_ADMIN_KEY | βœ… Confirmed (user secret, 2026-03-06) | Fine-grained PAT (Webhooks:write) for webhook management | User Codespace secrets | CODEX_ADMIN_KEY (org secret βœ…) | | 4 | _GITHUB_APP_ID | βœ… Confirmed (user secret, 2026-03-06) | Numeric GitHub App ID for RS256 JWT auth | User Codespace secrets | _GITHUB_APP_ID (org secret βœ…) | | 5 | _GITHUB_APP_PRIVATE_KEY | βœ… Confirmed (user secret, 2026-03-06) | PEM RSA-2048 private key for GitHub App | User Codespace secrets (multi-line value) | _GITHUB_APP_PRIVATE_KEY (org secret βœ…) | | 6 | _GITHUB_APP_INSTALLATION_ID | βœ… Confirmed (user secret, 2026-03-06) | App installation ID for generating installation tokens | User Codespace secrets | _GITHUB_APP_INSTALLATION_ID (org secret βœ…) | | 7 | _GITHUB_APP_CLIENT_SECRET | βœ… Confirmed (user secret, 2026-03-07) | GitHub App OAuth client secret | User Codespace secrets | _GITHUB_APP_CLIENT_SECRET (org secret βœ…) | | 8 | WEBHOOK_SECRET | βœ… Confirmed (user secret, 2026-03-06) | HMAC-SHA256 shared secret for webhook signature verification | User Codespace secrets | CODEX_WEBHOOK_SECRET (repo secret βœ…) | | 9 | WEBHOOK_RECEIVER_URL | βœ… Confirmed (user secret + repo var, 2026-03-06) | Webhook receiver URL (also auto-set as repo var by post-start.sh) | User Codespace secrets | Repo variable WEBHOOK_RECEIVER_URL βœ… |

βœ… SAR-G01 COMPLETE (2026-03-07) β€” All 9 Codespace secrets confirmed set by @mbaetiong. Secrets are stored as user-level Codespace secrets (not org-level), which works identically for personal Codespace sessions.

Note: Secrets 4–7 use the same _GITHUB_APP_* naming as the corresponding org Actions secrets (leading underscore is the standard convention for these system/infrastructure secrets).
See docs/agent/CODESPACE_COPILOT_AGENT_GUIDE.md for detailed setup instructions.

Note (2026-03-06): CODEX_MASTER_KEY was briefly set as a repository-level Codespace secret (overriding the org secret). That repo-level override has been removed by @mbaetiong β€” the org-level Codespace secret is now active directly. Secret was re-rotated at this time.

βœ… All Codespace secrets confirmed (SAR-G01 COMPLETE 2026-03-07)ΒΆ

All 9 Codespace secrets were set by @mbaetiong as user-level Codespace secrets on 2026-03-06/07. No further admin action is required for Codespace agent sessions.

For reference, the CLI commands used were:

# All secrets are now set β€” commands below are for documentation/recovery only
gh secret set CODEX_BACKUP_KEY             --app codespaces  # user-level
gh secret set CODEX_ADMIN_KEY              --app codespaces  # user-level
gh secret set _GITHUB_APP_ID              --app codespaces  # user-level
gh secret set _GITHUB_APP_PRIVATE_KEY     --app codespaces  # user-level
gh secret set _GITHUB_APP_INSTALLATION_ID --app codespaces  # user-level
gh secret set _GITHUB_APP_CLIENT_SECRET   --app codespaces  # user-level
gh secret set WEBHOOK_SECRET               --app codespaces  # user-level
gh secret set WEBHOOK_RECEIVER_URL         --app codespaces  # user-level


9. Workflow-Defined env: VariablesΒΆ

These are not stored in GitHub Settings β€” they are defined inline in workflow files and can reference secrets/variables.

Variable Defined In Value / Source Purpose
GITHUB_TOKEN Auto-injected by Actions GitHub-provisioned short-lived token Default token for all workflow steps
AGENT_GITHUB_TOKEN copilot-setup-steps.yml Export step ${{ env.GITHUB_TOKEN }} Stable alias for GITHUB_TOKEN written to GITHUB_ENV
CODEX_SESSION_ID copilot-setup-steps.yml + repo variable UUID v4 (written per session to repo var) Logical session identifier for log grouping. Also persisted as repo variable (Β§6e).
CARGO_TERM_COLOR Rust workflows always Rust compiler coloured output
RUST_BACKTRACE Rust workflows 1 Enable Rust backtraces on panic

Reference: docs/agent/COPILOT_TOKEN_GUIDE.md β€” complete token permission matrix.


10. Known Issues & InconsistenciesΒΆ

βœ… Issue 1 β€” CODEX_ENV_NODE_VERSION stored as a Secret β€” RESOLVED 2026-03-06ΒΆ

Detail
~~Problem~~ ~~CODEX_ENV_NODE_VERSION is stored as an Environment Secret with value 18.~~
Resolution CODEX_ENV_NODE_VERSION env secret has been deleted. A replacement env variable was created under Aries_Serpent_codex_ (verified in 2026-03-06 export). The active baseline value is now 22; older 18 references are historical migration context. Agents and logs can read this value.

βœ… Issue 2 β€” Python version conflict: 3.12 vs 3.11 β€” RESOLVED 2026-03-06ΒΆ

Detail
~~Problem~~ ~~CODEX_ENV_PYTHON_VERSION (env variable) = 3.11 conflicted with CODEX_PYTHON_VERSION (repo variable) = 3.12.~~
Resolution CODEX_ENV_PYTHON_VERSION updated to 3.12 (verified in 2026-03-06 export). Both layers now agree on Python 3.12. CI should no longer have version discrepancies between environment and non-environment jobs.

βœ… Issue 3 β€” Duplicate path variable: CODEX_D365_POLICIES_PATH and D365_SLA_POLICY_PATH β€” RESOLVED 2026-03-06ΒΆ

Detail
~~Problem~~ ~~Both variables pointed to configs/deployment/d365/sla_policies.json.~~
Resolution D365_SLA_POLICY_PATH has been deleted from GitHub repo variables (confirmed absent in 2026-03-06 live export). CODEX_D365_POLICIES_PATH remains as the canonical name.

βœ… Issue 4 β€” Stale secrets (> 90-day rotation guideline) β€” RESOLVED 2026-03-06ΒΆ

| Secret | Previous Age | Resolution | |---|---|---| | CODEX_MASTER_KEY | Rotated 2026-03-05 | βœ… Re-rotated 2026-03-06 (~2 h before export). Next due ~2026-06-04. | | CODEX_BACKUP_KEY | 5+ days | βœ… Re-rotated 2026-03-06 (~2 h before export). | | _CODEX_BOT_RUNNER | 7 months | βœ… Rotated 2026-03-06 (~45 min before export). | | CODEX_ENVIRONMENT_RUNNER | 7 months | βœ… Rotated 2026-03-06 (~48 min before export). | | CODEX_RUNNER_TOKEN | 7 months | βœ… Rotated 2026-03-06 (~50 min before export). | | CODEX_RUNNER_SHA256 | 7 months | βœ… Rotated 2026-03-06 (~50 min before export). |

βœ… Issue 5 β€” CODEX_ADMIN_KEY missing β€” RESOLVED 2026-03-06ΒΆ

Detail
~~Problem~~ ~~webhook_configurator.py preferred CODEX_ADMIN_KEY but it was missing.~~
Resolution CODEX_ADMIN_KEY was added as an org secret (updated 3 hours before 2026-03-06 export). webhook_configurator.py can now use least-privilege webhook management without falling back to CODEX_MASTER_KEY.

βœ… Issue 6 β€” WEBHOOK_RECEIVER_URL missing β€” RESOLVED 2026-03-06ΒΆ

Detail
~~Problem~~ ~~2 webhooks configured but active=false because WEBHOOK_RECEIVER_URL not set.~~
Resolution WEBHOOK_RECEIVER_URL is now auto-set on every Codespace start/resume by .devcontainer/scripts/post-start.sh. Canonical format: https://${CODESPACE_NAME}-8765.app.github.dev/webhook/github; some environments may surface https://${CODESPACE_NAME}-8765.preview.app.github.dev/webhook/github (Codespaces forwarding variant). The POST /webhook/github endpoint is now implemented in cognitive_app/src/server/cli_api_server.py with HMAC-SHA256 verification. For webhook delivery to work, port 8765 must be set to public visibility in the Codespace.

βœ… Issue 7 β€” Codespace secrets confirmation β€” RESOLVED 2026-03-07ΒΆ

Detail
~~Problem~~ ~~The 9 Codespace secrets declared in .devcontainer/devcontainer.json were not confirmed as set at the Codespace level (org or user).~~
Resolution All 9 Codespace secrets listed in Β§8 are confirmed set at the Codespace level (org or user) (SAR-G01 complete).
Verification Codespace-based Copilot agent sessions have required authentication tokens, and post-start.sh can start the CLI server.
Instructions For audit/revalidation, see Β§8 Codespace Secrets for CLI/UI steps.

11. TroubleshootingΒΆ

"Variables API returns 403 / 404"ΒΆ

Symptom: VariableManager or brain_client raises AuthenticationError on variable read/write
Cause:   GITHUB_TOKEN used instead of CODEX_MASTER_KEY  # pragma: allowlist secret
Fix:
  1. Confirm CODEX_MASTER_KEY is set as an org secret (Β§3)  # pragma: allowlist secret
  2. Confirm copilot-setup-steps.yml "πŸ”‘ Export Auth Tokens" step is running  # pragma: allowlist secret
  3. In code, use: from scripts.tools.variable_manager import VariableManager; vm = VariableManager()
  Reference: docs/agent/COPILOT_TOKEN_GUIDE.md β€” Permission Matrix  # pragma: allowlist secret

"Webhooks return 403 on create/update"ΒΆ

Symptom: webhook_configurator.py fails with HTTP 403 on webhook API calls
Cause:   GITHUB_TOKEN cannot manage webhooks; CODEX_ADMIN_KEY / CODEX_MASTER_KEY needed  # pragma: allowlist secret
Fix:
  1. Confirm CODEX_MASTER_KEY has admin:repo_hook scope, OR
  2. Create CODEX_ADMIN_KEY (fine-grained, Webhooks:write) and set as org secret  # pragma: allowlist secret
  Reference: docs/agent/COPILOT_TOKEN_GUIDE.md β€” Webhook operations section  # pragma: allowlist secret

"Python version mismatch between jobs"ΒΆ

Symptom: Tests pass in some jobs, fail in others due to Python syntax/type differences
Status:  βœ… RESOLVED (2026-03-06) β€” CODEX_ENV_PYTHON_VERSION updated to 3.12 (Issue 2)
Both CODEX_PYTHON_VERSION (repo var) and CODEX_ENV_PYTHON_VERSION (env var) are now 3.12.
If you still see version mismatches, confirm no other variable overrides exist.

"CODEX_ENV_NODE_VERSION appears as *** in logs"ΒΆ

Symptom: Node.js version appears masked in CI logs
Status:  βœ… RESOLVED (2026-03-06) β€” CODEX_ENV_NODE_VERSION deleted from env secrets and  # pragma: allowlist secret
         recreated as an env variable. Value is now readable in logs and by the Variables API.
Current required value: `22` (major-only).

"Codespace starts but CLI API server not running"ΒΆ

Symptom: post-start.sh health check fails; uvicorn :8765 not reachable
Cause:   CODEX_MASTER_KEY or CODEX_BACKUP_KEY not set as Codespace secrets  # pragma: allowlist secret
Fix:     All 9 Codespace secrets are now set (SAR-G01 COMPLETE 2026-03-07) β€” see Β§8  # pragma: allowlist secret
         Reference: docs/agent/CODESPACE_COPILOT_AGENT_GUIDE.md

"CODEX_CI_FAILURE_RATE shows stale value"ΒΆ

Symptom: CODEX_CI_FAILURE_RATE hasn't updated in > 24 hours
Cause:   ci-health-monitor.yml workflow not running, or CODEX_MASTER_KEY lacked write access
Fix:
  1. Check .github/workflows/ci-health-monitor.yml is enabled
  2. Verify CODEX_MASTER_KEY has variables:write permission
  Format: "<float>:<status>" β€” e.g. "6.3:ok", "15.2:degraded", "22.1:critical"

"Secret rotation β€” CODEX_MASTER_KEY / CODEX_BACKUP_KEY"ΒΆ

Full runbook: docs/ops/secrets_rotation_runbook.md  # pragma: allowlist secret
Quick summary:
  1. Generate new 32-byte base64 key offline
  2. Copy current CODEX_MASTER_KEY β†’ set as CODEX_BACKUP_KEY (opens grace window)
  3. Set new key as CODEX_MASTER_KEY
  4. Wait 48 hours (grace window) then verify
  5. Update CODEX_BACKUP_KEY to new value (closes grace window)

"Incorrect variable format"ΒΆ

Variable: CODEX_CI_FAILURE_RATE
Required format: "<float>:<status>" (e.g. "6.3:ok")
Invalid examples: "6.3", "ok", "6.3-ok", "6.3 ok"
Fix: gh variable set CODEX_CI_FAILURE_RATE --body "6.3:ok" --repo Aries-Serpent/_codex_

Variable: COGNITIVE_BRAIN_SESSION_NUMBER
Required format: Integer (e.g. "120")
Invalid examples: "S120", "session-120", "120.0"
Fix: gh variable set COGNITIVE_BRAIN_SESSION_NUMBER --body "120" --repo Aries-Serpent/_codex_

Document Scope Notes
docs/agent/COPILOT_TOKEN_GUIDE.md Token priority chain, permission matrix, how tokens reach agents Primary auth reference
docs/admin/REPO_VARIABLES_IMPLEMENTATION_GUIDE.md Architecture, subsystem wiring, variable dependency map Technical deep-dive
docs/admin/HUMAN_ADMIN_REPO_VARIABLES_SETUP.md Step-by-step CLI / UI setup for repo variables Admin setup guide
docs/ops/secrets_rotation_runbook.md Full rotation procedure for CODEX_MASTER_KEY / CODEX_BACKUP_KEY Required for 90-day rotation
docs/agent/CODESPACE_COPILOT_AGENT_GUIDE.md Codespace secrets, lifecycle hooks, environment parity with Actions Codespace setup
docs/agent/GITHUB_APP_CLI_MAPPING.md GitHub App ID, private key, installation ID setup GitHub App authentication
docs/ops/WEBHOOK_REGISTRY.md Webhook config, registry, apply procedure, CODEX_ADMIN_KEY Webhook activation
.codex/runtime_variables.md Legacy env var catalog (pre-unification) Superseded by this guide
docs/security/CURRENT_EXPECTED_VARIABLES.md Security-focused variable inventory (pre-unification) Superseded by this guide
docs/security/secret_handling.md Secret handling best practices, never-log rules Security policy
.codex/agent_context.json Live snapshot of repo variables (synced daily) Machine-readable state
scripts/tools/variable_manager.py Python API for reading/writing repo variables Code reference
src/aries_serpent_core/auth/github_app.py _resolve_github_token() β€” token fallback chain implementation Code reference

13. βœ… Previously Missing β€” All Resolved (2026-03-07)ΒΆ

All previously-blocked items are now resolved. This section is retained as an audit trail.


βœ… WEBHOOK_RECEIVER_URL (Repo Variable) β€” RESOLVED 2026-03-06ΒΆ

Resolution: WEBHOOK_RECEIVER_URL is now auto-set on every Codespace start/resume by .devcontainer/scripts/post-start.sh. The URL format is: https://${CODESPACE_NAME}-8765.app.github.dev/webhook/github

The POST /webhook/github endpoint is implemented in cognitive_app/src/server/cli_api_server.py. For webhook delivery to work, port 8765 must be set to public visibility in the Codespace Ports panel.


βœ… Issue 3 β€” Delete duplicate D365_SLA_POLICY_PATH repo variable β€” RESOLVED 2026-03-06ΒΆ

D365_SLA_POLICY_PATH is absent from the 2026-03-06 live export β€” the variable has been deleted.


βœ… Codespace Secrets (9 items) β€” RESOLVED 2026-03-07 (SAR-G01 COMPLETE)ΒΆ

All 9 Codespace secrets confirmed set by @mbaetiong as user-level Codespace secrets. See Β§8 for the complete confirmed status table.

| Codespace Secret | Resolution | |---|---| | CODEX_MASTER_KEY | βœ… Org-level (2026-03-06) | | CODEX_BACKUP_KEY | βœ… User secret (2026-03-06) | | CODEX_ADMIN_KEY | βœ… User secret (2026-03-06) | | _GITHUB_APP_ID | βœ… User secret (2026-03-06) | | _GITHUB_APP_PRIVATE_KEY | βœ… User secret (2026-03-06) | | _GITHUB_APP_INSTALLATION_ID | βœ… User secret (2026-03-06) | | _GITHUB_APP_CLIENT_SECRET | βœ… User secret (2026-03-07) | | WEBHOOK_SECRET | βœ… User secret (2026-03-06) | | WEBHOOK_RECEIVER_URL | βœ… User secret + repo var (2026-03-06) |


βœ… Autonomous Agent Config Variables (8 items) β€” RESOLVED 2026-03-07ΒΆ

All 8 Β§6h autonomous agent repo variables confirmed set by @mbaetiong. See Β§6h for details.


Note: If any of these need to be re-provisioned in the future (e.g., after secret rotation), refer to the historical CLI commands preserved in the sub-sections above.


Summary ChecklistΒΆ

βœ… Previously Blocked β€” All Resolved (2026-03-07)ΒΆ

  • ~~Set 9 Codespace secrets~~ β€” RESOLVED 2026-03-07 (SAR-G01 COMPLETE) β€” all set as user Codespace secrets by @mbaetiong; see Β§8
  • ~~Set 8 autonomous agent repo variables~~ β€” RESOLVED 2026-03-07 β€” all 8 set: AGENT_KILL_SWITCH=0, AUTONOMY_BUDGET_SECONDS=90, AUTONOMY_MAX_ITERATIONS=3, AUTONOMY_DRY_RUN=0, AGENT_RUNNER_BUDGET_SECONDS=180, AGENT_RUNNER_ITERATIONS=2, AGENT_RUNNER_DRY_RUN=0, UNCERTAINTY_BUDGET_SECONDS=20; see Β§6h

βœ… ResolvedΒΆ

  • ~~Fix Issue 1: Delete CODEX_ENV_NODE_VERSION env secret; recreate as env variable~~ β€” Done 2026-03-06
  • ~~Fix Issue 2: Update CODEX_ENV_PYTHON_VERSION env variable from 3.11 β†’ 3.12~~ β€” Done 2026-03-06
  • ~~Fix Issue 3: Remove duplicate D365_SLA_POLICY_PATH repo variable~~ β€” Done 2026-03-06 (deleted from GitHub; absent in live export)
  • ~~Fix Issue 4: Rotate stale runner secrets (7 months old)~~ β€” Done 2026-03-06 (_CODEX_BOT_RUNNER, CODEX_ENVIRONMENT_RUNNER, CODEX_RUNNER_TOKEN, CODEX_RUNNER_SHA256 all rotated; CODEX_MASTER_KEY + CODEX_BACKUP_KEY re-rotated)
  • ~~Fix Issue 5: Create CODEX_ADMIN_KEY org secret (fine-grained PAT, Webhooks:write)~~ β€” Done 2026-03-06
  • ~~Fix Issue 6: Set WEBHOOK_RECEIVER_URL repo variable~~ β€” Done 2026-03-06 (auto-set by Codespace post-start.sh)
  • ~~Document autonomous agent env vars (Β§6h)~~ β€” Done 2026-03-07 (S116 PR #3508, 8 variables: AGENT_KILL_SWITCH, AUTONOMY_BUDGET_SECONDS, AUTONOMY_MAX_ITERATIONS, AUTONOMY_DRY_RUN, AGENT_RUNNER_BUDGET_SECONDS, AGENT_RUNNER_ITERATIONS, AGENT_RUNNER_DRY_RUN, UNCERTAINTY_BUDGET_SECONDS)

🟒 Monitor / Maintenance¢

  • Rotate CODEX_MASTER_KEY + CODEX_BACKUP_KEY before 2026-06-04 (rotated 2026-03-06 β€” 90-day window)
  • Rotate _CODEX_BOT_RUNNER, CODEX_ENVIRONMENT_RUNNER, CODEX_RUNNER_TOKEN, CODEX_RUNNER_SHA256 before 2026-06-04

Supersedes: .codex/runtime_variables.md Β· docs/security/CURRENT_EXPECTED_VARIABLES.md Β· .codex/QUICK_REFERENCE_TOKEN_STATUS.md
Maintained by: @mbaetiong Β· Last reviewed: 2026-03-07 (S116/W-142 phase 3 β€” Β§6f REDIS_URL added (SAR-G02); DuckDB offline backend evaluated; Β§6h all 8 autonomous agent vars confirmed βœ…; SAR-G01 all 9 Codespace secrets confirmed βœ…; Β§13 converted to resolved archive; v1.7.0)