Critique Welcomes Codex: Review Here, Execute on Your OpenAI Account
Critique builds the scoped fix blueprint. Codex runs it on your OpenAI key—queued through the Responses API or exported as a deterministic JSON envelope for Codex cloud and CLI. Execution bills to you, not to Critique.

Queue server-side OpenAI Responses runs with your platform key, or download the handoff JSON for Codex cloud and CLI — Critique stays the review layer either way.
The BYOA thesis for OpenAI Codex
Most engineering orgs that adopted Codex did not adopt it to replace their review process. They adopted it to write and fix code faster. The mistake the market keeps making is treating review and execution as one purchase—forcing teams to standardize on a single vendor for two genuinely different jobs.
Critique’s position is the opposite. We build the **decision layer**: what failed, why it matters, what the safe scope of a fix is. Codex is the **execution layer**: it takes a bounded task and produces a diff. BYOA—Bring Your Own Agent—is how those two layers compose without you paying twice for the same thinking. **Review here. Execute on the OpenAI account you already own.**
Two jobs, one pull request
A single agent that reviews and fixes tends to rationalize its own diff. Splitting the jobs keeps the verdict honest and the patch bounded.
| Question | Critique | OpenAI Codex |
|---|---|---|
| Primary question | Should this merge as-is? | How do we implement the scoped fix? |
| Success metric | Fewer false positives, clear verdict, auditable findings. | Compliant diff inside allowed paths, validation passes. |
| Context it owns | Repo graph, call sites, tests, security surface, policy. | The deterministic envelope Critique exports—nothing more. |
| Billing | Critique review credits. | Your OpenAI account (tokens or Codex usage). |
| Where it runs | GitHub App checks, sandbox review, dashboard artifact. | Responses API worker, or Codex cloud / CLI from the export. |
How Critique exports and queues to your OpenAI account
There are two ways to get a Critique blueprint into Codex, and they answer different needs. **Queue** runs a real, billed Responses API call so you get an automated summary and an audit row inside Critique. **Export** downloads the deterministic JSON envelope so you can run the full Codex sandbox or CLI workflow on your own terms.
The queue path is honest about what OpenAI exposes today. OpenAI does not yet offer a public REST surface identical to Cursor’s single “agent on a PR” contract for full sandbox repair. So Critique’s queue worker calls the **documented Responses API** (`POST /v1/responses`) with your platform key and the scoped handoff prompt—default model `codex-mini-latest`, overridable via `CRITIQUE_CODEX_AGENT_MODEL_ID`. That means the worker is a **real billed API invocation**, not a fake progress spinner. For full repo checkout in an isolated sandbox, use export plus your existing Codex workflow.
- Queue: a real Responses API call on your key. Best for an automated summary plus an audit row in Critique. (`POST /v1/responses`, default model `codex-mini-latest`)
- Export: a deterministic envelope for Codex cloud, CLI, or internal orchestration. You own where it runs. (`GET /api/review-runs/{id}/byoa/codex`)
The deterministic handoff envelope
The export artifact is the machine-readable source of truth, and it is intentionally boring: a **versioned JSON envelope** (`kind: critique.codex_handoff`) so the format can evolve without breaking older exports. The human-readable prompt is derived from the same data—never hand-authored separately, so the two can never drift.
- `reviewRunId` and `repositoryFullName`
- `pullRequestNumber`, `headSha`, `headRef`
- `headRepositoryFullName` + `headCloneUrl` (fork-aware)
- Pinned to the exact commit Critique reviewed
- `allowedWriteFiles`: the explicit write set
- `validationCommands`: ordered (e.g. `pnpm test`, `pnpm lint`)
- `maxLoops`: the fix-loop ceiling
- `stopConditions`: "do not widen scope; stop if files insufficient"
The envelope also carries a `task` block (`title`, `prompt`, and terse `doneMeans`), a trimmed `context` block (review summary and the findings worth acting on—not the full evidence pack dump), and a `handoff` block telling the client which surfaces apply (`codex-cli`, `codex-cloud`). The derived prompt follows a fixed order: goal, repo and PR context, exact constraints, validation commands, stop conditions, expected output. Short enough to paste into the CLI without friction; explicit enough that Codex behaves like a constrained fix agent, not a free-roaming refactorer.
Remedy vs Codex BYOA vs Fix Prompt
Critique runs three fix contracts, and they are intentionally distinct. **Remedy** is Critique-managed execution in an isolated E2B sandbox, paid in Critique credits: the right choice when you want one vendor to own the runtime and the validation loop. **Codex BYOA** hands the same blueprint to your OpenAI account: the right choice when you already pay OpenAI and want execution there. **Fix Prompt** is the universal paste path for any agent, for when you do not need queueing or a structured envelope.
| Contract | Executor | Billing | Best for |
|---|---|---|---|
| Remedy | Critique E2B sandbox | Critique credits | Fix this PR inside Critique |
| Codex BYOA | Your OpenAI account | Your OpenAI usage | You already pay OpenAI |
| Fix Prompt | Any agent you paste into | Small Critique call to generate | Quick manual handoff, no queueing |
Security and scope discipline
BYOA only works if the security model is honest, so here it is. The **export path requires no OpenAI key at all**—Critique just prepares the handoff, and your ChatGPT login or Codex auth stays entirely outside Critique. The **queue path** uses a key you save in Settings, encrypted at rest with `CRITIQUE_SECRETS_ENCRYPTION_KEY` and decrypted only server-side when a run fires. The key is never returned to the browser after save.
- No OpenAI key in the browser for the export path
- No OpenAI key echoed back after save on the queue path
- No secrets or tokens embedded in the prompt or JSON
- No ChatGPT login proxied through Critique
- Diff scope constrained to allowedWriteFiles
- maxLoops ceiling carried in the envelope
- Stop conditions block scope creep
- Run authorization matches the review-run access model
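To make the scope discipline above concrete, here is an added example (not Critique's or Codex's own code) of a fix-loop harness that enforces three of the envelope's controls on the executor side: every candidate diff is checked against `allowedWriteFiles` before any command runs, `validationCommands` run in the envelope's order and fail fast, and the loop never passes `maxLoops`. The agent and the command runner are stand-ins, and the diffs and envelope values are constructed.

```python
"""Constrained fix-loop harness. Example code for this page, not Critique's or
Codex's own; `propose` and `run_command` are stand-ins for a real agent and a
real shell runner."""
import re

DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.M)


def touched_files(unified_diff: str) -> set[str]:
    """Paths a unified diff modifies, taken from its `diff --git` headers."""
    return {b for _, b in DIFF_HEADER.findall(unified_diff)}


def out_of_scope(unified_diff: str, allowed: list[str]) -> set[str]:
    """Files the diff touches that the envelope does not permit writing."""
    return touched_files(unified_diff) - set(allowed)


def run_fix_loop(envelope: dict, propose, run_command):
    """propose(feedback) -> diff text ('' means the agent stopped);
    run_command(cmd) -> (ok, output). Returns (status, diff, loops_used)."""
    allowed, commands = envelope["allowedWriteFiles"], envelope["validationCommands"]
    feedback, diff = "", ""
    for loop in range(1, envelope["maxLoops"] + 1):
        diff = propose(feedback)
        if not diff:  # stopConditions: the allowed files were insufficient
            return "stopped", "", loop
        if out_of_scope(diff, allowed):  # scope creep: reject before running anything
            return "rejected_out_of_scope", diff, loop
        feedback = ""
        for cmd in commands:  # validation in the envelope's order, fail fast
            ok, output = run_command(cmd)
            if not ok:
                feedback = f"{cmd} failed:\n{output}"
                break
        if not feedback:
            return "validated", diff, loop
    return "max_loops_exceeded", diff, envelope["maxLoops"]


# Constructed inputs for the demonstration (not real Critique or repo data).
ENVELOPE = {"allowedWriteFiles": ["payments/retry.py", "tests/payments/test_retry.py"],
            "validationCommands": ["pnpm test", "pnpm lint"], "maxLoops": 3}

IN_SCOPE_DIFF = """diff --git a/payments/retry.py b/payments/retry.py
--- a/payments/retry.py
+++ b/payments/retry.py
@@ -1,3 +1,3 @@
-while True:
+for attempt in range(MAX_RETRIES):
"""

WIDENED_DIFF = IN_SCOPE_DIFF + """diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -1,3 +1,4 @@
+  "retry-lib": "^1.0.0",
"""


def flaky_runner(failures: int):
    """Stand-in shell runner: `pnpm test` fails `failures` times, then passes."""
    state = {"left": failures}

    def run(cmd: str):
        if cmd == "pnpm test" and state["left"] > 0:
            state["left"] -= 1
            return False, "1 test failed: test_retry_is_bounded"
        return True, "ok"
    return run


def scenario(diff: str, failures: int):
    """Drive the loop with an agent that always proposes the same diff."""
    return run_fix_loop(ENVELOPE, lambda feedback: diff, flaky_runner(failures))
```

`scenario(IN_SCOPE_DIFF, 1)` validates on the second loop, `scenario(WIDENED_DIFF, 0)` is rejected on the first loop because `package.json` is outside the allowlist, and `scenario(IN_SCOPE_DIFF, 5)` gives up after exactly three loops. The ordering matters: the scope check runs before any validation command, so an out-of-scope diff never gets to execute `pnpm test` on the checkout.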
A developer day, end to end
A backend engineer opens a PR touching the payments retry logic. Critique reviews on sync and returns a fail verdict: one finding about an unbounded retry, one about a missing idempotency test. The engineer agrees, adds an operator note—“keep changes inside `payments/` and its tests”—and chooses their path.
Because the team standardizes on Codex CLI for local execution, they hit **Download JSON.** They get the envelope and the derived prompt, drop into their terminal, and run Codex against the repo at the exact head SHA. Codex respects the allowlist, writes a narrow diff, runs `pnpm test` and `pnpm lint` in order, and stops cleanly. The engineer reviews the diff, pushes to the PR branch, and Critique re-runs to confirm the verdict flips to pass.
A teammate on the same PR prefers a quick automated summary instead, so they hit **Queue Codex run**—a Responses API call on the team’s OpenAI key, logged as an audit row in Critique. Two engineers, two execution styles, one blueprint. Neither re-explained the repo. Neither spent a Critique execution credit on the fix.
Turn it on in five minutes
1. Want export only? No key needed. Open a completed review run and hit Download JSON or Copy prompt; Critique just builds the handoff.
2. Want server-side queueing? Set `CRITIQUE_SECRETS_ENCRYPTION_KEY` on the server so the OpenAI key can be stored encrypted.
3. OpenAI key created? Create a key at platform.openai.com (a project-scoped key is recommended for least privilege).
4. Key saved in Critique? Settings → OpenAI Codex (BYOA) → paste the key. Encrypted server-side, never returned to the browser.
5. Queue from a review? Open a completed run → Codex section → optional operator instructions → Queue Codex run. Override the model with `CRITIQUE_CODEX_AGENT_MODEL_ID` if needed.
For automation, `GET /api/review-runs/{reviewRunId}/byoa/codex` returns the handoff JSON (add `?download=1` for an attachment). Wire it into CI, an internal bot, or a script that fans the envelope out to Codex cloud tasks.
What we will not pretend
“Open in Codex” does not mean Critique is controlling Codex. The export path is user-owned execution by design—Critique prepares a complete, constrained package and you run it. We will not auto-invoke Codex behind your back, proxy your OpenAI login, or keep a long-running Codex session alive on your behalf.
We also will not claim the Responses queue path is a full sandbox repair loop—it is a documented, billed API call that returns a summary, and the export exists precisely for the cases that need the real Codex sandbox. Honest contracts beat impressive-sounding ones.
The bigger bet
The 2026 stack is heterogeneous and will stay that way. Teams will pay for Codex, Claude, Cursor, and Copilot in different mixes, and they will not rip out their review process to match. The durable products are the composable layers—the ones you can route work through without renegotiating your whole toolchain every quarter.
Critique welcoming Codex is that bet made concrete. Review on Critique. Execute on Codex when you live on OpenAI. Reach for Remedy when you want Critique to run the fix, and Fix Prompt when you just want a clean paste. One blueprint, the executor of your choice.
Hand your first blueprint to Codex
Install Critique on your repo, finish a review, then export the handoff JSON or connect your OpenAI key and queue a run on the PR you already have open.