sbx: document codex auth prompt before sandbox launch

[dvdksn]

Summary

sbx now prompts you to authenticate to Codex on the host before launching the sandbox when no OpenAI credential is stored. Updated the Codex agent page and the credentials best practices to describe this flow, and reordered the Codex auth methods so OAuth (the host-side prompted flow) leads.

Generated by Claude Code

[netlify]

✅ Deploy Preview for docsdocker ready!

Name	Link
🔨 Latest commit	0271101
🔍 Latest deploy log	https://app.netlify.com/projects/docsdocker/deploys/6a2807cb93eaa800071b62c5
😎 Deploy Preview	https://deploy-preview-25315--docsdocker.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[docker-agent]

Assessment: 🟡 NEEDS ATTENTION

[docker-agent]

[MEDIUM] Bold lead-in **OAuth**: violates STYLE.md — bold only for UI elements

**OAuth**: uses bold as a section/method label, which STYLE.md explicitly disallows. Bold is reserved for UI elements (buttons, menus, field labels) only. The **Term**: description format is called out as "marketing-style list formatting" that should be avoided.

Consider restructuring without the bold lead-in, for example:

To authenticate using OAuth, run:

```console
$ sbx secret set -g openai --oauth

Or use a sub-heading if the section warrants one.

<!-- cagent-review -->

[docker-agent]

[MEDIUM] Bold lead-in **API key**: violates STYLE.md — bold only for UI elements

Same issue as the **OAuth**: lead-in above: **API key**: uses bold as a term label rather than for a UI element. Per STYLE.md, the **Term**: description pattern in lists is disallowed.

Consider plain prose, for example:

To store your OpenAI API key using [stored secrets](../security/credentials.md#stored-secrets), run: