feat(cli): add codex secrets commands (#10551)

## Summary

Builds on PR B’s core secrets config wiring by adding a user-facing CLI:

- `codex secrets set`
- `codex secrets edit`
- `codex secrets list`
- `codex secrets delete`

Uses `Config.secrets_backend` and supports scopes:

- `--global`
- `--env <id>`
- default env scope from cwd

Values can be provided via `--value`, stdin, or interactive masked
prompt.

## Notes

- `list` never prints secret values
- `edit` errors if secret is missing
- `delete` is no-op if missing

codex-rs/cli/src/main.rs

@@ -36,10 +36,12 @@ mod app_cmd;
 #[cfg(target_os = "macos")]
 mod desktop_app;
 mod mcp_cmd;
+mod secrets_cmd;
 #[cfg(not(windows))]
 mod wsl_paths;
 
 use crate::mcp_cmd::McpCli;
+use crate::secrets_cmd::SecretsCli;
 
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
@@ -93,6 +95,9 @@ enum Subcommand {
     /// Remove stored authentication credentials.
     Logout(LogoutCommand),
 
+    /// [experimental] Manage secrets.
+    Secrets(SecretsCli),
+
     /// [experimental] Run Codex as an MCP server and manage MCP servers.
     Mcp(McpCli),
 
@@ -594,6 +599,16 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
             prepend_config_flags(&mut mcp_cli.config_overrides, root_config_overrides.clone());
             mcp_cli.run().await?;
         }
+        Some(Subcommand::Secrets(mut secrets_cli)) => {
+            eprintln!(
+                "Warning: `codex secrets` is experimental and may change in future releases."
+            );
+            prepend_config_flags(
+                &mut secrets_cli.config_overrides,
+                root_config_overrides.clone(),
+            );
+            secrets_cli.run().await?;
+        }
         Some(Subcommand::AppServer(app_server_cli)) => match app_server_cli.subcommand {
             None => {
                 let transport = app_server_cli.listen;