fix: update api-proxy health check to allow OpenAI/Codex placeholder keys

The health check was blocking startup when OPENAI_API_KEY or CODEX_API_KEY
contained the placeholder value 'sk-placeholder-for-api-proxy', treating it
as a credential isolation failure.

Update the check to allow the known placeholder value while still rejecting
any real (non-placeholder) keys. This mirrors the Anthropic pattern where
ANTHROPIC_AUTH_TOKEN is allowed to hold its placeholder value.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

containers/agent/api-proxy-health-check.sh

@@ -63,16 +63,36 @@ if [ -n "$OPENAI_BASE_URL" ]; then
   API_PROXY_CONFIGURED=true
   echo "[health-check] Checking OpenAI API proxy configuration..."
 
-  # Verify credentials are NOT in agent environment
-  if [ -n "$OPENAI_API_KEY" ] || [ -n "$CODEX_API_KEY" ] || [ -n "$OPENAI_KEY" ]; then
+  # Verify credentials are NOT in agent environment (real keys must stay in api-proxy sidecar).
+  # A placeholder value is intentionally injected so clients like Codex v0.121+ (which bypass
+  # OPENAI_BASE_URL when no key is present) still route through the sidecar. The placeholder
+  # is never sent upstream — the api-proxy replaces it with the real key before forwarding.
+  AWF_PLACEHOLDER="sk-placeholder-for-api-proxy"
+  REAL_KEY_PRESENT=false
+  if [ -n "$OPENAI_API_KEY" ] && [ "$OPENAI_API_KEY" != "$AWF_PLACEHOLDER" ]; then
+    REAL_KEY_PRESENT=true
+  fi
+  if [ -n "$CODEX_API_KEY" ] && [ "$CODEX_API_KEY" != "$AWF_PLACEHOLDER" ]; then
+    REAL_KEY_PRESENT=true
+  fi
+  if [ -n "$OPENAI_KEY" ] && [ "$OPENAI_KEY" != "$AWF_PLACEHOLDER" ]; then
+    REAL_KEY_PRESENT=true
+  fi
+
+  if [ "$REAL_KEY_PRESENT" = "true" ]; then
     echo "[health-check][ERROR] OpenAI/Codex API key found in agent environment!"
     echo "[health-check][ERROR] Credential isolation failed - keys should only be in api-proxy container"
     echo "[health-check][ERROR] OPENAI_API_KEY=${OPENAI_API_KEY:+<present>}"
     echo "[health-check][ERROR] CODEX_API_KEY=${CODEX_API_KEY:+<present>}"
     echo "[health-check][ERROR] OPENAI_KEY=${OPENAI_KEY:+<present>}"
     exit 1
   fi
-  echo "[health-check] ✓ OpenAI/Codex credentials NOT in agent environment (correct)"
+
+  if [ -n "$OPENAI_API_KEY" ] || [ -n "$CODEX_API_KEY" ]; then
+    echo "[health-check] ✓ OpenAI/Codex placeholder key in agent environment (credential isolation active)"
+  else
+    echo "[health-check] ✓ OpenAI/Codex credentials NOT in agent environment (correct)"
+  fi
 
   # Perform health check using BASE_URL
   echo "[health-check] Testing connectivity to OpenAI API proxy at $OPENAI_BASE_URL..."