diff --git a/.github/workflows/sync-frontend-mirror.yml b/.github/workflows/sync-frontend-mirror.yml
index 6779d5e..5c1a707 100644
--- a/.github/workflows/sync-frontend-mirror.yml
+++ b/.github/workflows/sync-frontend-mirror.yml
@@ -26,10 +26,16 @@ jobs:
       SOURCE_PREFIX: frontend
       SYNC_TOKEN: ${{ secrets.GUARDEX_FRONTEND_MIRROR_PAT }}
     steps:
+      - name: Skip when mirror PAT is missing
+        if: ${{ env.SYNC_TOKEN == '' }}
+        run: echo "GUARDEX_FRONTEND_MIRROR_PAT is not configured; skipping frontend mirror sync."
+
       - name: Checkout
+        if: ${{ env.SYNC_TOKEN != '' }}
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Sync frontend subtree to mirror repo
+        if: ${{ env.SYNC_TOKEN != '' }}
         run: bash scripts/sync-frontend-mirror.sh
diff --git a/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml
new file mode 100644
index 0000000..4b8c565
--- /dev/null
+++ b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-21
diff --git a/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md
new file mode 100644
index 0000000..8bea3e8
--- /dev/null
+++ b/openspec/changes/agent-codex-skip-mirror-sync-when-pat-missing-2026-04-21-13-00/notes.md
@@ -0,0 +1,5 @@
+# T1 Notes
+
+- Make the frontend mirror workflow skip cleanly when `GUARDEX_FRONTEND_MIRROR_PAT` is unset instead of failing the whole job.
+- Keep the secret wired through `env.SYNC_TOKEN` and gate workflow steps on `env` checks rather than direct `secrets.*` expressions.
+- Add a metadata regression so future mirror-link changes keep the skip behavior and the canonical mirror token wiring aligned.
diff --git a/test/metadata.test.js b/test/metadata.test.js
index a293d07..667fabf 100644
--- a/test/metadata.test.js
+++ b/test/metadata.test.js
@@ -75,6 +75,16 @@ test('code review workflow does not gate startup on secrets context', () => {
   assert.match(workflow, /if:\s+\$\{\{\s*env\.OPENAI_API_KEY != ''\s*\}\}/);
 });
 
+test('frontend mirror workflow skips cleanly when the mirror PAT is missing', () => {
+  const workflowPath = path.join(repoRoot, '.github', 'workflows', 'sync-frontend-mirror.yml');
+  const workflow = fs.readFileSync(workflowPath, 'utf8');
+  assert.doesNotMatch(workflow, /if:\s+\$\{\{\s*secrets\.GUARDEX_FRONTEND_MIRROR_PAT/);
+  assert.match(workflow, /SYNC_TOKEN:\s+\$\{\{\s*secrets\.GUARDEX_FRONTEND_MIRROR_PAT\s*\}\}/);
+  assert.match(workflow, /name:\s+Skip when mirror PAT is missing/);
+  assert.match(workflow, /if:\s+\$\{\{\s*env\.SYNC_TOKEN == ''\s*\}\}/);
+  assert.match(workflow, /if:\s+\$\{\{\s*env\.SYNC_TOKEN != ''\s*\}\}/);
+});
+
 test('critical runtime helper scripts stay in sync with templates', () => {
   const pairs = [
     ['templates/scripts/codex-agent.sh', 'scripts/codex-agent.sh'],