fix(cli): wire OPENAI_API_KEY and serialize turns in codex templates

Round-5 Greptile review (parity with the claude-code fixes):
- default/sync/temporal codex manifests now map OPENAI_API_KEY (the key the
  codex CLI actually reads) instead of LITELLM_API_KEY, and no longer set an
  empty-string env value that would shadow it at runtime.
- temporal-codex workflow serializes signal turns with an asyncio.Lock so
  overlapping messages don't race on _codex_thread_id and fork the session.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: declan-scale

src/agentex/lib/cli/templates/default-codex/manifest.yaml.j2

@@ -76,8 +76,10 @@ agent:
   # Maps Kubernetes secrets to environment variables
   # Common credentials include:
   credentials:
-    - env_var_name: LITELLM_API_KEY
-      secret_name: litellm-api-key
+    # The codex CLI (`codex exec`) reads OPENAI_API_KEY directly; it does not
+    # use a LiteLLM key.
+    - env_var_name: OPENAI_API_KEY
+      secret_name: openai-api-key
       secret_key: api-key
     - env_var_name: SGP_API_KEY
       secret_name: sgp-api-key
@@ -87,9 +89,10 @@ agent:
       secret_key: url
 
   # Optional: Set Environment variables for running your agent locally as well
-  # as for deployment later on
-  env:
-    LITELLM_API_KEY: ""  # Set your LLM API key
+  # as for deployment later on. OPENAI_API_KEY is supplied via the credential
+  # mapping above (deploy) or your local .env. Do NOT set it to an empty string
+  # here — that would shadow the real key at runtime.
+  env: {}
   #   OPENAI_BASE_URL: "<YOUR_OPENAI_BASE_URL_HERE>"
 
 # Deployment Configuration

src/agentex/lib/cli/templates/sync-codex/manifest.yaml.j2

@@ -75,17 +75,20 @@ agent:
   # Maps Kubernetes secrets to environment variables
   # Common credentials include:
   credentials:
-    - env_var_name: LITELLM_API_KEY
-      secret_name: litellm-api-key
+    # The codex CLI (`codex exec`) reads OPENAI_API_KEY directly; it does not
+    # use a LiteLLM key.
+    - env_var_name: OPENAI_API_KEY
+      secret_name: openai-api-key
       secret_key: api-key
     - env_var_name: SGP_API_KEY
       secret_name: sgp-api-key
       secret_key: api-key
 
   # Optional: Set Environment variables for running your agent locally as well
-  # as for deployment later on
-  env:
-    LITELLM_API_KEY: ""  # Set your LLM API key
+  # as for deployment later on. OPENAI_API_KEY is supplied via the credential
+  # mapping above (deploy) or your local .env. Do NOT set it to an empty string
+  # here — that would shadow the real key at runtime.
+  env: {}
   #   OPENAI_BASE_URL: "<YOUR_OPENAI_BASE_URL_HERE>"
 
 

src/agentex/lib/cli/templates/temporal-codex/manifest.yaml.j2

@@ -100,10 +100,12 @@ agent:
     - env_var_name: REDIS_URL
       secret_name: redis-url-secret
       secret_key: url
-  #   - env_var_name: LITELLM_API_KEY
-  #     secret_name: litellm-api-key
-  #     secret_key: api-key
-  
+    # The codex CLI spawned in project/activities.py reads OPENAI_API_KEY
+    # directly; without it every turn fails with an auth error.
+    - env_var_name: OPENAI_API_KEY
+      secret_name: openai-api-key
+      secret_key: api-key
+
   # Optional: Set Environment variables for running your agent locally as well 
   # as for deployment later on
   env: {}

src/agentex/lib/cli/templates/temporal-codex/project/workflow.py.j2

@@ -21,6 +21,7 @@ KEY CONCEPTS DEMONSTRATED:
 from __future__ import annotations
 
 import os
+import asyncio
 from datetime import timedelta
 
 from temporalio import workflow
@@ -72,51 +73,57 @@ class {{ workflow_class }}(BaseWorkflow):
         self._complete_task = False
         self._turn_number = 0
         self._codex_thread_id: str | None = None
+        # Serialize turns: signal handlers can interleave at await points, so two
+        # quick messages could both read the same stale _codex_thread_id and fork
+        # the codex session. The lock keeps turns sequential and preserves
+        # conversation continuity.
+        self._turn_lock = asyncio.Lock()
 
     @workflow.signal(name=SignalName.RECEIVE_EVENT)
     async def on_task_event_send(self, params: SendEventParams) -> None:
         """Handle a new user message: spawn codex, stream events via UnifiedEmitter."""
         logger.info("Received task event: %s", params.task.id)
-        self._turn_number += 1
-
-        await adk.messages.create(task_id=params.task.id, content=params.event.content)
-
-        user_message = params.event.content.content
-
-        async with adk.tracing.span(
-            trace_id=params.task.id,
-            task_id=params.task.id,
-            name=f"Turn {self._turn_number}",
-            input={"message": user_message},
-        ) as span:
-            # Delegate the subprocess turn to an activity: subprocess I/O is not
-            # permitted on the Temporal workflow event loop. The activity streams
-            # events to the task and returns the final text + codex thread id.
-            # workflow.now() gives a deterministic timestamp under replay.
-            result = await workflow.execute_activity(
-                run_codex_turn,
-                RunCodexTurnParams(
-                    task_id=params.task.id,
-                    prompt=user_message,
-                    model=MODEL,
-                    trace_id=params.task.id,
-                    parent_span_id=span.id if span else None,
-                    thread_id=self._codex_thread_id,
-                    created_at=workflow.now(),
-                ),
-                start_to_close_timeout=timedelta(minutes=5),
-            )
-
-            # Persist the codex thread id so the next turn resumes the session.
-            session_id = result.get("session_id")
-            if session_id:
-                self._codex_thread_id = session_id
-
-            if span:
-                span.output = {
-                    "final_text": result.get("final_text"),
-                    "model": result.get("model"),
-                }
+        async with self._turn_lock:
+            self._turn_number += 1
+
+            await adk.messages.create(task_id=params.task.id, content=params.event.content)
+
+            user_message = params.event.content.content
+
+            async with adk.tracing.span(
+                trace_id=params.task.id,
+                task_id=params.task.id,
+                name=f"Turn {self._turn_number}",
+                input={"message": user_message},
+            ) as span:
+                # Delegate the subprocess turn to an activity: subprocess I/O is not
+                # permitted on the Temporal workflow event loop. The activity streams
+                # events to the task and returns the final text + codex thread id.
+                # workflow.now() gives a deterministic timestamp under replay.
+                result = await workflow.execute_activity(
+                    run_codex_turn,
+                    RunCodexTurnParams(
+                        task_id=params.task.id,
+                        prompt=user_message,
+                        model=MODEL,
+                        trace_id=params.task.id,
+                        parent_span_id=span.id if span else None,
+                        thread_id=self._codex_thread_id,
+                        created_at=workflow.now(),
+                    ),
+                    start_to_close_timeout=timedelta(minutes=5),
+                )
+
+                # Persist the codex thread id so the next turn resumes the session.
+                session_id = result.get("session_id")
+                if session_id:
+                    self._codex_thread_id = session_id
+
+                if span:
+                    span.output = {
+                        "final_text": result.get("final_text"),
+                        "model": result.get("model"),
+                    }
 
     @workflow.run
     async def on_task_create(self, params: CreateTaskParams) -> str: