refactor(core): remove user-facing secrets backend config

codex-rs/core/config.schema.json

@@ -881,26 +881,6 @@
       },
       "type": "object"
     },
-    "SecretsBackendKind": {
-      "enum": [
-        "local"
-      ],
-      "type": "string"
-    },
-    "SecretsConfigToml": {
-      "additionalProperties": false,
-      "properties": {
-        "backend": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/SecretsBackendKind"
-            }
-          ],
-          "default": null
-        }
-      },
-      "type": "object"
-    },
     "ShellEnvironmentPolicyInherit": {
       "oneOf": [
         {
@@ -1511,15 +1491,6 @@
       ],
       "description": "Sandbox configuration to apply if `sandbox` is `WorkspaceWrite`."
     },
-    "secrets": {
-      "allOf": [
-        {
-          "$ref": "#/definitions/SecretsConfigToml"
-        }
-      ],
-      "default": null,
-      "description": "Secrets configuration. Defaults to a local encrypted file backend."
-    },
     "shell_environment_policy": {
       "allOf": [
         {

codex-rs/core/src/config/mod.rs

@@ -13,7 +13,6 @@ use crate::config::types::OtelConfig;
 use crate::config::types::OtelConfigToml;
 use crate::config::types::OtelExporterKind;
 use crate::config::types::SandboxWorkspaceWrite;
-use crate::config::types::SecretsConfigToml;
 use crate::config::types::ShellEnvironmentPolicy;
 use crate::config::types::ShellEnvironmentPolicyToml;
 use crate::config::types::SkillsConfig;
@@ -43,7 +42,6 @@ use crate::project_doc::DEFAULT_PROJECT_DOC_FILENAME;
 use crate::project_doc::LOCAL_PROJECT_DOC_FILENAME;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
-use crate::secrets::SecretsBackendKind;
 use crate::windows_sandbox::WindowsSandboxLevelExt;
 use codex_app_server_protocol::Tools;
 use codex_app_server_protocol::UserSavedConfig;
@@ -237,9 +235,6 @@ pub struct Config {
     /// auto: Use the OS-specific keyring service if available, otherwise use a file.
     pub cli_auth_credentials_store_mode: AuthCredentialsStoreMode,
 
-    /// Active secrets backend. Defaults to the local encrypted file backend.
-    pub secrets_backend: SecretsBackendKind,
-
     /// Definition for MCP servers that Codex can reach out to for tool calls.
     pub mcp_servers: Constrained<HashMap<String, McpServerConfig>>,
 
@@ -859,10 +854,6 @@ pub struct ConfigToml {
     #[serde(default)]
     pub cli_auth_credentials_store: Option<AuthCredentialsStoreMode>,
 
-    /// Secrets configuration. Defaults to a local encrypted file backend.
-    #[serde(default)]
-    pub secrets: Option<SecretsConfigToml>,
-
     /// Definition for MCP servers that Codex can reach out to for tool calls.
     #[serde(default)]
     // Uses the raw MCP input shape (custom deserialization) rather than `McpServerConfig`.
@@ -1523,11 +1514,6 @@ impl Config {
             });
 
         let forced_login_method = cfg.forced_login_method;
-        let secrets_backend = cfg
-            .secrets
-            .as_ref()
-            .and_then(|secrets| secrets.backend)
-            .unwrap_or_default();
 
         let model = model.or(config_profile.model).or(cfg.model);
 
@@ -1617,7 +1603,6 @@ impl Config {
             // The config.toml omits "_mode" because it's a config file. However, "_mode"
             // is important in code to differentiate the mode from the store implementation.
             cli_auth_credentials_store_mode: cfg.cli_auth_credentials_store.unwrap_or_default(),
-            secrets_backend,
             mcp_servers,
             // The config.toml omits "_mode" because it's a config file. However, "_mode"
             // is important in code to differentiate the mode from the store implementation.
@@ -3848,7 +3833,6 @@ model_verbosity = "high"
                 notify: None,
                 cwd: fixture.cwd(),
                 cli_auth_credentials_store_mode: Default::default(),
-                secrets_backend: SecretsBackendKind::Local,
                 mcp_servers: Constrained::allow_any(HashMap::new()),
                 mcp_oauth_credentials_store_mode: Default::default(),
                 mcp_oauth_callback_port: None,
@@ -3934,7 +3918,6 @@ model_verbosity = "high"
             notify: None,
             cwd: fixture.cwd(),
             cli_auth_credentials_store_mode: Default::default(),
-            secrets_backend: SecretsBackendKind::Local,
             mcp_servers: Constrained::allow_any(HashMap::new()),
             mcp_oauth_credentials_store_mode: Default::default(),
             mcp_oauth_callback_port: None,
@@ -4035,7 +4018,6 @@ model_verbosity = "high"
             notify: None,
             cwd: fixture.cwd(),
             cli_auth_credentials_store_mode: Default::default(),
-            secrets_backend: SecretsBackendKind::Local,
             mcp_servers: Constrained::allow_any(HashMap::new()),
             mcp_oauth_credentials_store_mode: Default::default(),
             mcp_oauth_callback_port: None,
@@ -4122,7 +4104,6 @@ model_verbosity = "high"
             notify: None,
             cwd: fixture.cwd(),
             cli_auth_credentials_store_mode: Default::default(),
-            secrets_backend: SecretsBackendKind::Local,
             mcp_servers: Constrained::allow_any(HashMap::new()),
             mcp_oauth_credentials_store_mode: Default::default(),
             mcp_oauth_callback_port: None,

codex-rs/core/src/config/service.rs

@@ -817,7 +817,7 @@ remote_compaction = true
             LoaderOverrides {
                 managed_config_path: Some(managed_path.clone()),
                 #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
+                managed_preferences_base64: Some(String::new()),
                 macos_managed_config_requirements_base64: None,
             },
             CloudRequirementsLoader::default(),
@@ -900,7 +900,7 @@ remote_compaction = true
             LoaderOverrides {
                 managed_config_path: Some(managed_path.clone()),
                 #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
+                managed_preferences_base64: Some(String::new()),
                 macos_managed_config_requirements_base64: None,
             },
             CloudRequirementsLoader::default(),
@@ -1005,7 +1005,7 @@ remote_compaction = true
             LoaderOverrides {
                 managed_config_path: Some(managed_path.clone()),
                 #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
+                managed_preferences_base64: Some(String::new()),
                 macos_managed_config_requirements_base64: None,
             },
             CloudRequirementsLoader::default(),
@@ -1054,7 +1054,7 @@ remote_compaction = true
             LoaderOverrides {
                 managed_config_path: Some(managed_path.clone()),
                 #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
+                managed_preferences_base64: Some(String::new()),
                 macos_managed_config_requirements_base64: None,
             },
             CloudRequirementsLoader::default(),
@@ -1102,7 +1102,7 @@ remote_compaction = true
             LoaderOverrides {
                 managed_config_path: Some(managed_path.clone()),
                 #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
+                managed_preferences_base64: Some(String::new()),
                 macos_managed_config_requirements_base64: None,
             },
             CloudRequirementsLoader::default(),

codex-rs/core/src/config/types.rs

@@ -4,7 +4,6 @@
 // definitions that do not contain business logic.
 
 use crate::config_loader::RequirementSource;
-use crate::secrets::SecretsBackendKind;
 pub use codex_protocol::config_types::AltScreenMode;
 pub use codex_protocol::config_types::ModeKind;
 pub use codex_protocol::config_types::Personality;
@@ -25,13 +24,6 @@ use serde::de::Error as SerdeError;
 
 pub const DEFAULT_OTEL_ENVIRONMENT: &str = "dev";
 
-#[derive(Serialize, Deserialize, Debug, Clone, Default, PartialEq, Eq, JsonSchema)]
-#[schemars(deny_unknown_fields)]
-pub struct SecretsConfigToml {
-    #[serde(default)]
-    pub backend: Option<SecretsBackendKind>,
-}
-
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum McpServerDisabledReason {
     Unknown,

codex-rs/core/src/config_loader/tests.rs

@@ -178,7 +178,7 @@ extra = true
     let overrides = LoaderOverrides {
         managed_config_path: Some(managed_path),
         #[cfg(target_os = "macos")]
-        managed_preferences_base64: None,
+        managed_preferences_base64: Some(String::new()),
         macos_managed_config_requirements_base64: None,
     };
 
@@ -215,7 +215,7 @@ async fn returns_empty_when_all_layers_missing() {
     let overrides = LoaderOverrides {
         managed_config_path: Some(managed_path),
         #[cfg(target_os = "macos")]
-        managed_preferences_base64: None,
+        managed_preferences_base64: Some(String::new()),
         macos_managed_config_requirements_base64: None,
     };