feat: add Codex CLI AI tool

[zreigz]

Test Plan

Test environment: https://console.plrl-dev-aws.onplural.sh

Checklist

• I have added a meaningful title and summary to convey the impact of this PR to a user.
• I have deployed the agent to a test environment and verified that it works as expected.
  • Agent starts successfully.
  • Service creation works without any issues when using raw manifests and Helm templates.
  • Service creation works when resources contain both CRD and CRD instances.
  • Service templating works correctly.
  • Service errors are reported properly and visible in the UI.
  • Service updates are reflected properly in the cluster.
  • Service resync triggers immediately and works as expected.
  • Sync waves annotations are respected.
  • Sync phases annotations are respected. Phases are executed in the correct order.
  • Sync hook delete policies are respected. Resources are not recreated once they reach the desired state.
  • Service deletion works and cleanups resources properly.
  • Services can be recreated after deletion.
  • Service detachment works and keeps resources unaffected.
  • Services can be recreated after detachment.
  • Service component trees are working as expected.
  • Cluster health statuses are being updated.
  • Agent logs do not contain any errors (after running for at least 30 minutes).
  • There are no visible anomalies in Datadog (after running for at least 30 minutes).
• I have added tests to cover my changes.
• If required, I have updated the Plural documentation accordingly.

[linear]

PROD-4441 add codex cli support in agent runtime handlers

[greptile-apps]

Greptile Summary

This PR integrates the OpenAI Codex CLI as a new CODEX agent runtime type, following the same pattern established by the existing Claude, Gemini, and OpenCode tools. It adds the full stack: CRD types and generated deepcopy, controller env-var handling, pod image-tag mapping, a multi-stage Dockerfile, CI matrix entries, and the Go implementation package (New, Configure, Run, OnMessage).

Key findings:

• Proxy mode missing token validation — ensure() validates the API key only for the non-proxy path. When proxy is enabled and config.Run.PluralCreds is nil, in.consoleToken is empty but ensure() still returns nil, so the agent starts up and only fails at the first API call. A symmetric guard is needed (see inline comment on ensure()).

• "message" item type not handled in stream parser — mapStreamItem handles "reasoning" and "command_execution" items but has no case for "message". The Codex CLI emits "message" type items for the assistant's final text responses; without a handler these are silently discarded and never forwarded to the console API, leaving the conversation view empty of actual replies.

• The deployToken parameter in Configure() is accepted but unused. This is consistent with other tools (Claude ignores it with _, Gemini/OpenCode accept it but their templates do not render it); GIT_ACCESS_TOKEN is set globally by the harness environment module instead, so this is not a functional gap.

• The .codex system-prompt directory is flat (vs .gemini/contexts or .opencode/prompts for other tools), which places the system-prompt file alongside config.toml. This should be verified to not conflict with Codex's own config file loading.

Confidence Score: 2/5

• Not safe to merge as-is — proxy mode auth validation is missing and assistant text messages are silently dropped from the conversation stream.
• Two functional bugs in the core implementation file: the proxy-mode token guard is absent in ensure() (causing a runtime auth failure with no early signal), and the "message" item type is unhandled in mapStreamItem (causing all assistant text replies to be silently discarded from the console UI). Both need to be fixed before the feature is usable in either mode.
• pkg/agentrun-harness/tool/codex/codex.go — both the ensure() proxy validation gap and the incomplete mapStreamItem switch require fixes before this is production-ready.

Important Files Changed

Filename	Overview
pkg/agentrun-harness/tool/codex/codex.go	Core Codex tool implementation. Two issues: (1) ensure() does not validate consoleToken in proxy mode, allowing a silent auth failure at runtime; (2) mapStreamItem has no handler for "message" type items, so assistant text responses are silently dropped and never forwarded to the console.
pkg/agentrun-harness/tool/codex/model.go	Defines model constants and DefaultModel() with env-driven override. Default model is gpt-5; the model whitelist also includes gpt-5.1-codex, gpt-5.1-codex-mini, gpt-5.2-codex, and codex-mini-latest.
pkg/agentrun-harness/tool/codex/codex_types.go	Type definitions for the Codex struct, streaming event types, TOML config types, and input helpers. Well-structured with clear comments on each event field.
pkg/agentrun-harness/tool/codex/codex_templates.go	Builds and writes the Codex config.toml via go-toml. Correctly creates profiles, MCP server entries, model provider entries, and project trust-level entries.
dockerfiles/agent-harness/codex.Dockerfile	Multi-stage Docker build that installs the @openai/codex npm package, promotes nested native binaries to the top-level @openai scope, and copies the result into the agent-harness base image. Includes a workaround for Node module resolution with native platform packages.
api/v1alpha1/agentruntime_types.go	Adds CodexConfig, CodexConfigRaw, and ToCodexConfigRaw() following the same pattern as existing Claude/Gemini types. ToAgentRuntimeConfigRaw is correctly extended to include Codex.

_{Last reviewed commit: 78238f4}

[greptile-apps]

_{10 files reviewed, 7 comments}

_{Edit Code Review Agent Settings | Greptile}

[zreigz]

@copilot

[Copilot]

@zreigz I've opened a new pull request, #692, to work on those changes. Once the pull request is ready, I'll request review from you.

[maciaszczykm]

@greptileai

[Copilot]

Pull request overview

Adds support for the OpenAI Codex CLI as a new AI agent runtime, following the existing patterns for Claude, Gemini, and OpenCode runtimes.

Changes:

• New codex tool package with CLI integration, config generation (TOML), model selection, and stream event parsing.
• CRD, API types, controller, Dockerfile, CI workflow, and Makefile updates to wire Codex as a first-class runtime option.
• Sample agentRuntime.yaml updated (partially) to reference Codex.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
pkg/agentrun-harness/tool/codex/codex.go	Main Codex tool: configure, run, stream parsing
pkg/agentrun-harness/tool/codex/codex_types.go	Types for Codex config, stream events, MCP
pkg/agentrun-harness/tool/codex/codex_templates.go	Build and write TOML config for Codex
pkg/agentrun-harness/tool/codex/model.go	Model constants and default selection
pkg/agentrun-harness/tool/tool.go	Register codex in tool factory
pkg/agentrun-harness/tool/v1/tool.go	Add Codex system prompt dir
api/v1alpha1/agentruntime_types.go	CodexConfig/CodexConfigRaw types and conversion
api/v1alpha1/zz_generated.deepcopy.go	Generated deepcopy for new types
internal/controller/agentrun_controller.go	Env vars and secret handling for Codex
internal/controller/agentrun_pod.go	Codex image version mapping
config/crd/bases/…_agentruntimes.yaml	CRD schema for codex config
charts/…_agentruntimes.yaml	Helm CRD schema for codex config
dockerfiles/agent-harness/codex.Dockerfile	Multi-stage Dockerfile for Codex CLI
dockerfiles/agent-harness/base.Dockerfile	Create .codex dir in base image
config/samples/agentRuntime.yaml	Sample updated (incompletely) for Codex
Makefile	Build/run targets for Codex
.github/workflows/publish-agent-harness.yaml	CI matrix entries for Codex

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[maciaszczykm]

@greptileai

[Copilot]

Pull request overview

This PR adds support for the OpenAI Codex CLI as a new AI agent runtime type alongside existing Claude, Gemini, and OpenCode runtimes.

Changes:

• Adds a new codex package implementing the Tool interface for running Codex CLI, including config generation (TOML), model selection, and stream event parsing.
• Extends CRDs, API types, controller logic, and deep copy functions to support the new CODEX runtime type with its configuration (API key, model).
• Adds Dockerfile, CI workflow entries, and Makefile targets for building and publishing the Codex agent harness image.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/agentrun-harness/tool/codex/codex.go	Main Codex tool implementation: configure, run, stream parsing
pkg/agentrun-harness/tool/codex/codex_types.go	Type definitions for Codex config, stream events, MCP inputs
pkg/agentrun-harness/tool/codex/codex_templates.go	Config building and TOML writing helpers
pkg/agentrun-harness/tool/codex/model.go	Codex model enum and default model resolution
pkg/agentrun-harness/tool/tool.go	Register Codex in the tool factory
pkg/agentrun-harness/tool/v1/tool.go	Add Codex provider directory for system prompts
api/v1alpha1/agentruntime_types.go	Add CodexConfig/CodexConfigRaw types and enum update
api/v1alpha1/zz_generated.deepcopy.go	Generated deep copy for new Codex types
internal/controller/agentrun_controller.go	Add Codex env constants and secret data handling
internal/controller/agentrun_pod.go	Add Codex image version mapping
config/crd/bases/deployments.plural.sh_agentruntimes.yaml	CRD schema for Codex config
charts/deployment-operator/crds/deployments.plural.sh_agentruntimes.yaml	Helm chart CRD mirror
dockerfiles/agent-harness/codex.Dockerfile	Multi-stage Dockerfile for Codex CLI
dockerfiles/agent-harness/base.Dockerfile	Create .codex directory in base image
.github/workflows/publish-agent-harness.yaml	CI matrix entries for Codex builds
Makefile	Docker build and run targets for Codex
config/samples/agentRuntime.yaml	Sample updated to Codex

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.