feat(cli): add codex init templates (sync / async / temporal)

[declan-scale]

Summary

Final slice of #425. Adds the codex agentex init templates across all three tiers.

• New default-codex, sync-codex, temporal-codex template dirs.
• Wires DEFAULT_CODEX, SYNC_CODEX, TEMPORAL_CODEX into init.py (enum, project-files map, prompts). TemplateType is now complete at 19.
• Scaffolded code imports CodexTurn from the agentex.lib.adk facade.

Test plan

• pytest tests/lib/cli/ — 66 passed (all 19 template types render to valid Python)
• full stack reconstructs refactor(harness)!: post-merge cleanup + init templates for the unified harness surface (PR 10) #425 exactly, modulo the intended OpenAI facade-export improvement

Notes

Stacked on #435. Retarget to next after the chain merges.

🤖 Generated with Claude Code

Greptile Summary

• Adds Codex scaffold templates for the default, sync, and Temporal init tiers.
• Wires the new Codex template types into the CLI init enum, project file map, and prompts.
• Includes generated Docker, uv, manifest, environment, README, notebook, and agent implementation files using the Codex ADK facade.

Confidence Score: 4/5

The Codex scaffold templates need fixes before merge because fresh generated projects can fail to build and async Codex task handling can fork conversation state.

Focused runtime checks reproduced the Docker template parsing issue, the uv lockfile mismatch, and the concurrent task state overwrite while the rest of the change is localized template wiring.

src/agentex/lib/cli/templates/default-codex/Dockerfile.j2, src/agentex/lib/cli/templates/default-codex/Dockerfile-uv.j2, src/agentex/lib/cli/templates/default-codex/project/acp.py.j2, plus the sibling sync and Temporal Codex templates with the same Dockerfile patterns.

T-Rex Logs

What T-Rex did

• Reproduced a Dockerfile RUN fragment syntax error in the default-codex rendering path and confirmed the shell parser failed on the broken line continuation.
• Reproduced the missing generated uv.lock in the scaffold, showing that the Dockerfile COPY source validation failed due to the missing uv.lock.
• Reproduced the concurrent turns fork state using a focused async harness, which showed the last finisher overwrote the codex_thread_id.
• Compared before and after states for codex-init-templates rendering, confirming that initially templates were missing and later rendering succeeded with TemplateType_count showing 19.
• Compared before/after runs for the codex scaffold Python correction, confirming six files were missing at base and six files exist after correction with successful parsing and imports.

_{Ran code and verified through T-Rex}

Comments Outside Diff (1)

1. src/agentex/lib/cli/templates/default-codex/manifest.yaml.j2, line 599-613 (link)

   LITELLM_API_KEY credential won't satisfy codex exec

   The active credentials entry maps LITELLM_API_KEY into the container, but codex exec reads OPENAI_API_KEY directly from the environment. When a user scaffolds this template and deploys, the Kubernetes secret for litellm-api-key is mounted but OPENAI_API_KEY is never set, so every codex exec invocation will fail with an auth error. The credential name (and the env: entry below it) should reference OPENAI_API_KEY / openai-api-key to match what the CLI actually consumes. The same issue is present in sync-codex/manifest.yaml.j2.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/agentex/lib/cli/templates/default-codex/manifest.yaml.j2
   Line: 599-613
   
   Comment:
   **`LITELLM_API_KEY` credential won't satisfy `codex exec`**
   
   The active credentials entry maps `LITELLM_API_KEY` into the container, but `codex exec` reads `OPENAI_API_KEY` directly from the environment. When a user scaffolds this template and deploys, the Kubernetes secret for `litellm-api-key` is mounted but `OPENAI_API_KEY` is never set, so every `codex exec` invocation will fail with an auth error. The credential name (and the `env:` entry below it) should reference `OPENAI_API_KEY` / `openai-api-key` to match what the CLI actually consumes. The same issue is present in `sync-codex/manifest.yaml.j2`.
   
   How can I resolve this? If you propose a fix, please make it concise.

   

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
src/agentex/lib/cli/templates/default-codex/Dockerfile-uv.j2:34-38
**Missing generated lockfile**

The uv Dockerfile requires `uv.lock`, but `agentex init` only renders `pyproject.toml` for uv projects and does not create a lockfile. A freshly scaffolded Codex project generated with the uv option can fail its Docker build at this `COPY` or at `uv sync --locked` before the agent starts. The same lockfile assumption should be fixed in the sync and Temporal Codex uv Dockerfiles.

### Issue 2 of 2
src/agentex/lib/cli/templates/default-codex/project/acp.py.j2:159-177
**Concurrent turns fork state**

This handler reads `state.codex_thread_id`, then awaits the full Codex subprocess stream before saving the new `turn.session_id`. If two `task/event/send` calls for the same async task arrive close together, both handlers can read the same old thread id or `None`, run independent Codex turns, and then race to overwrite the stored thread id. The next user message resumes only one branch, so the Codex conversation history can lose one of the messages.

_{Reviews (18): Last reviewed commit: "fix(cli): wire OPENAI_API_KEY and serial..." | Re-trigger Greptile}

Greptile also left 2 inline comments on this PR.

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[declan-scale]

@greptile review

[greptile-apps]

Missing generated lockfile

The uv Dockerfile requires uv.lock, but agentex init only renders pyproject.toml for uv projects and does not create a lockfile. A freshly scaffolded Codex project generated with the uv option can fail its Docker build at this COPY or at uv sync --locked before the agent starts. The same lockfile assumption should be fixed in the sync and Temporal Codex uv Dockerfiles.

Artifacts

Repro: scaffold render and Dockerfile COPY validation script

• Contains supporting evidence from the run (text/x-python; charset=utf-8).

Repro: generated scaffold listing and missing uv.lock COPY validation failure

• Keeps the command output available without making the summary code-heavy.

_{Ran code and verified through T-Rex}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/agentex/lib/cli/templates/default-codex/Dockerfile-uv.j2
Line: 34-38

Comment:
**Missing generated lockfile**

The uv Dockerfile requires `uv.lock`, but `agentex init` only renders `pyproject.toml` for uv projects and does not create a lockfile. A freshly scaffolded Codex project generated with the uv option can fail its Docker build at this `COPY` or at `uv sync --locked` before the agent starts. The same lockfile assumption should be fixed in the sync and Temporal Codex uv Dockerfiles.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Concurrent turns fork state

This handler reads state.codex_thread_id, then awaits the full Codex subprocess stream before saving the new turn.session_id. If two task/event/send calls for the same async task arrive close together, both handlers can read the same old thread id or None, run independent Codex turns, and then race to overwrite the stored thread id. The next user message resumes only one branch, so the Codex conversation history can lose one of the messages.

Artifacts

Repro: async harness generated from the template handler with mocked Codex and state services

• Contains supporting evidence from the run (text/x-python; charset=utf-8).

Repro: verbose harness output showing forked thread IDs, write order, final state, and assertions

• Keeps the command output available without making the summary code-heavy.

_{Ran code and verified through T-Rex}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/agentex/lib/cli/templates/default-codex/project/acp.py.j2
Line: 159-177

Comment:
**Concurrent turns fork state**

This handler reads `state.codex_thread_id`, then awaits the full Codex subprocess stream before saving the new `turn.session_id`. If two `task/event/send` calls for the same async task arrive close together, both handlers can read the same old thread id or `None`, run independent Codex turns, and then race to overwrite the stored thread id. The next user message resumes only one branch, so the Codex conversation history can lose one of the messages.

How can I resolve this? If you propose a fix, please make it concise.