Fix acpx Codex auth env var mismatch

[lolipopshock]

Summary

Sepo's Codex-backed agent runs can fail because the repository secret is passed as OPENAI_API_KEY, but acpx uses a separate ACP auth env convention for authenticate handshakes: ACPX_AUTH_<METHOD_ID>.

Evidence

Failed run/job:
https://github.com/CodeShaping/annotate-edit/actions/runs/26533704395/job/78156826704

Relevant log excerpt:

Resolved agent provider for dispatch: codex (OPENAI_API_KEY is configured).
...
acpx run failed
session setup failed: Authentication required
hint: run `acpx config show` to locate the active config, then add the required credential under `auth` and retry.

acpx documentation

The acpx README says ACP authenticate handshakes require either config auth entries or ACPX_AUTH_<METHOD_ID> environment variables, e.g. ACPX_AUTH_OPENAI_API_KEY. It also states ambient provider env vars like OPENAI_API_KEY are passed to child agents but do not trigger ACP auth-method selection on their own:

https://github.com/openclaw/acpx/blob/main/README.md#L291-L294

Proposed fix

When INPUT_OPENAI_API_KEY / secrets.OPENAI_API_KEY is configured for Codex, also export it for acpx auth selection:

env.OPENAI_API_KEY = process.env.INPUT_OPENAI_API_KEY;
env.ACPX_AUTH_OPENAI_API_KEY = process.env.INPUT_OPENAI_API_KEY;

Optionally also set ACPX_AUTH_CODEX_API_KEY if Codex advertises that method in some environments.