[aw-failures] AI Moderator — codex engine persistent 401 auth failure (OPENAI_API_KEY invalid or expired)

[github-actions]

4 consecutive failures of the AI Moderator workflow since 17:16 UTC on 2026-04-17, all with the same fatal codex engine error.

Problem

The codex engine exits immediately with:

unexpected status 401 Unauthorized: Missing bearer or basic authentication in header
url: (api.openai.com/redacted)

This is a persistent auth failure, not a transient network issue. The secret OPENAI_API_KEY is visible in the runner env (masked), but is being rejected by the OpenAI API on every run.

Affected Runs

Run	Started	Duration
§24575674483	17:16 UTC (original #26911)	9.5m
§24577634319	17:16 UTC	9.5m
§24579500430	18:02 UTC	10.3m
§24579781734	18:08 UTC	9.7m

Secondary firewall signal: chatgpt.com:443 was also blocked in the last run, but this is unrelated to the primary 401 failure.

Root Cause

OPENAI_API_KEY secret is set in the repository/org but is invalid, revoked, or lacks permissions for the /v1/responses endpoint. The Codex reconnect loop (Reconnecting... 1/5 through 5/5) exhausts retries and exits with 401.

Proposed Remediation

1. Rotate OPENAI_API_KEY in repository or org secrets (Settings → Secrets → Actions)
2. Verify the new key has access to POST /v1/responses (requires "Responses" API scope or a standard chat-completions key if the endpoint changed)
3. Re-run AI Moderator manually to confirm recovery

Success Criteria

AI Moderator workflow completes without 401 Unauthorized errors on the next issue-triggered run. Codex engine reaches agent activation.

References:

• Parent analysis: [aw-failures] [aw-fi] 6h Failure Analysis: 2026-04-17 07:20–13:20 UTC #26874
• Symptom issue: [aw] AI Moderator failed #26911

Generated by [aw] Failure Investigator (6h) · ● 498.9K · ◷

• expires on Apr 24, 2026, 7:18 PM UTC