[REMOTE-1688] Add Codex auth secret types to CLI

[abhishekp106]

Description

Adds an oz secret create codex api-key <NAME> subcommand that mirrors the existing oz secret create anthropic ... provider flow. The Codex harness currently only authenticates via an OpenAI API key (with an optional custom base URL, e.g. for regional endpoints), which matches the single Codex auth secret type the server already supports (openai_api_key).

# Read the API key from a file
oz secret create codex api-key my-key --value-file key.txt

# Pin a regional base URL alongside the key
oz secret create codex api-key my-key \
    --base-url https://us.api.openai.com/v1 \
    --team

The API key value is read from --value-file, stdin, or an interactive password prompt — same as the existing simple-secret flows. The --base-url flag is optional; an empty value is normalized to None so we never persist a blank base URL.

Closes REMOTE-1688.

Linked Issue

• The linked issue is labeled ready-to-spec or ready-to-implement.
• Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes). N/A — CLI-only change.

Testing

• Added clap parser tests in crates/warp_cli/src/lib_tests.rs covering:

  • the minimal oz secret create codex api-key <NAME> form,
  • the form with --value-file, --base-url, --description, and --team together,
  • and a regression case asserting the secret name is still required.

• All 148 warp_cli tests pass under cargo nextest run -p warp_cli.

• cargo fmt --check -p warp_cli -p warp and cargo clippy -p warp_cli -p warp --all-targets --tests -- -D warnings are clean.

• I have manually tested my changes locally with ./script/run

I tested an API key that doesn't require a us endpoint and one that does (the staging one). Creating, deleting and actually using the secrets works.

Agent Mode

• Warp Agent Mode - This PR was created via Warp's AI Agent Mode

Conversation: https://staging.warp.dev/conversation/5d5a73fb-ec89-4c6c-91c0-54d49f9bfc90
Run: https://oz.staging.warp.dev/runs/019e3365-8f0e-70d3-8384-e763989d8229

This PR was generated with Oz.

[abhishekp106]

• [REMOTE-1688] Add Codex auth secret types to CLI #11122 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[oz-for-oss]

@abhishekp106

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[oz-for-oss]

Overview

This PR adds the oz secret create codex api-key <NAME> provider flow, threads the optional OpenAI base URL into the managed secret value, and adds clap parser coverage for the new command shape.

Concerns

No blocking correctness, security, or error-handling concerns found in the changed lines.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

[liliwilson]

nit: it's a little odd to me that it's oz secret create anthropic and oz secret create codex - could we switch the former to be oz secret create claude for consistency?

[abhishekp106]

nit: it's a little odd to me that it's oz secret create anthropic and oz secret create codex - could we switch the former to be oz secret create claude for consistency?

oh shoot yes I meant to do this here, thanks for calling out