fix(onboard): accept Codex auth in model check

[rubencu]

Summary

• Problem: after OpenAI Codex onboarding, the model check resolved the canonical model as openai/gpt-5.5 but only looked for direct openai auth profiles.
• Why it matters: a successful Codex login writes an openai-codex:* profile, so onboarding could warn that openai auth was missing even though the selected Codex runtime route was usable.
• What changed: the model check now uses the existing OpenAI/Codex runtime routing contract to include valid Codex auth profile providers for the selected model/runtime, and it short-circuits once any usable auth source is found.
• What did NOT change (scope boundary): no auth storage format, OAuth flow, provider config, runtime execution, or new config surface changed.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: onboarding model check should not warn No auth configured for provider "openai" when the selected canonical model is openai/gpt-5.5 and the agent has a usable openai-codex OAuth profile for the default Codex runtime route.
• Real environment tested: local OpenClaw checkout at head 7ae4f38478001707e7d6cde09119521c2c315acf, Node 22 via repo scripts, temporary isolated OPENCLAW_STATE_DIR, temporary agent auth store with redacted fake OAuth token material.
• Exact steps or command run after this patch: timeout 30s node --import tsx with a small harness that writes agent/auth-profiles.json containing openai-codex:default, calls warnIfModelConfigLooksOff for openai/gpt-5.5, and captures prompter notes.
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): terminal capture:

temporary state dir: state
temporary agent auth store: agent/auth-profiles.json
model: openai/gpt-5.5
stored profile provider: openai-codex
model-check notes emitted: 0

• Observed result after fix: the actual model-check helper emitted zero notes, so the erroneous warning is suppressed when Codex OAuth auth is present for the canonical OpenAI model route.
• What was not tested: live browser OAuth against a real OpenAI account; the changed behavior is the post-auth local profile check, so the proof uses a temporary local auth store with redacted credential material and no network access.
• Before evidence (optional but encouraged): regression test locks the previous failure shape by exercising openai/gpt-5.5 with only an openai-codex profile.

Root Cause (if applicable)

• Root cause: the onboarding model check treated the model provider prefix as the only auth profile provider to inspect, but OpenAI agent model refs can use the Codex runtime and openai-codex auth profiles.
• Missing detection / guardrail: there was no regression coverage for canonical openai/* model refs backed by Codex OAuth profiles during onboarding warning checks.
• Contributing context (if known): other model list/status paths already had OpenAI/Codex runtime fallback logic; this helper had not been updated to use that contract.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/commands/auth-choice.model-check.test.ts
• Scenario the test should lock in: openai/gpt-5.5 with a stored openai-codex:default OAuth profile emits no model-check warning when Codex runtime is selected.
• Why this is the smallest reliable guardrail: it covers the exact helper that emits the onboarding warning without requiring live OAuth or gateway startup.
• Existing test that already covers this (if any): none.
• If no new test is added, why not: N/A; new tests were added.

User-visible / Behavior Changes

The onboarding model check no longer warns that OpenAI auth is missing after successful Codex OAuth setup for the canonical openai/gpt-5.5 route. No new config surface.

Diagram (if applicable)

Before:
[Codex login] -> [openai-codex profile saved] -> [model check only inspects openai] -> [false warning]

After:
[Codex login] -> [openai-codex profile saved] -> [model check uses runtime auth candidates] -> [no false warning]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux dev worktree
• Runtime/container: Node 22, pnpm 11.1.0 after rebase
• Model/provider: openai/gpt-5.5 with openai-codex auth profile
• Integration/channel (if any): onboarding command helper only
• Relevant config (redacted): agents.defaults.model.primary = "openai/gpt-5.5"; temp auth profile provider openai-codex

Steps

1. Create a temporary agent auth store with an openai-codex:default OAuth profile.
2. Run warnIfModelConfigLooksOff against agents.defaults.model.primary = "openai/gpt-5.5" with catalog validation disabled, matching onboarding's post-auth warning path.
3. Capture model-check notes from the prompter.

Expected

• No Model check warning is emitted when Codex OAuth auth is present for the Codex runtime route.

Actual

• model-check notes emitted: 0

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Verification run:

pnpm test src/commands/auth-choice.model-check.test.ts
Test Files  1 passed (1)
Tests  4 passed (4)

node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/commands/auth-choice.model-check.ts src/commands/auth-choice.model-check.test.ts
Found 0 warnings and 0 errors.

pnpm check:test-types
completed successfully

Manual live onboarding test (2026-05-12)
Tester completed the OpenAI Codex onboarding/auth flow against this PR branch. After Codex auth succeeded, the follow-up Model check did not show `No auth configured for provider "openai"`.

pnpm changed:lanes --json
"core": true, "coreTests": true, "all": false

codex review --base origin/main
No actionable correctness issues were found in the changed model auth warning path or its regression tests.

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: temporary local auth-store proof for openai/gpt-5.5 plus openai-codex:default; targeted regression tests; targeted lint; post-rebase focused test; local Codex review loop; manual live onboarding/auth test on this PR branch. Local test typecheck was also run after the typed mock fix.
• Edge cases checked: custom OpenAI-compatible models.providers.openai.baseUrl does not borrow Codex OAuth auth and still warns for missing direct OpenAI auth.
• What you did not verify: live browser OAuth against OpenAI, gateway startup, or channel delivery; the touched surface is the local post-auth model-check helper.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: accepting Codex auth too broadly could hide missing direct OpenAI auth for custom OpenAI-compatible endpoints.
  • Mitigation: the helper uses the existing runtime policy, and a regression test verifies custom OpenAI-compatible base URLs remain separate.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR updates onboarding model-auth checks so canonical OpenAI model refs can be satisfied by Codex auth profiles, with tests for Codex OAuth and custom OpenAI-compatible base URLs.

Reproducibility: yes. Source inspection of current main shows warnIfModelConfigLooksOff checks only ref.provider, so an openai-codex profile cannot satisfy the openai/gpt-5.5 post-auth model check; the PR body also provides after-fix terminal output showing zero notes.

Real behavior proof
Sufficient (terminal): The PR body includes after-fix terminal output from an isolated helper run and a manual live onboarding note showing the false warning is gone.

Next step before merge
No repair lane is needed because the PR already contains a focused fix, regression tests, and sufficient real behavior proof; the remaining action is normal maintainer review and CI gating.

Security
Cleared: The diff only changes local auth-source detection and tests; it adds no dependencies, workflows, network calls, permissions, or credential-storage behavior.

Review details

Best possible solution:

Land this focused helper/test change once required checks and maintainer review are satisfied, keeping onboarding auth warnings aligned with runtime routing.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection of current main shows warnIfModelConfigLooksOff checks only ref.provider, so an openai-codex profile cannot satisfy the openai/gpt-5.5 post-auth model check; the PR body also provides after-fix terminal output showing zero notes.

Is this the best way to solve the issue?

Yes. Reusing resolveAgentHarnessPolicy and listOpenAIAuthProfileProvidersForAgentRuntime is the narrow maintainable fix, and the custom base-url regression protects against accepting Codex auth too broadly.

What I checked:

• Current main warning path: Current main resolves the default model and checks only the canonical provider for stored profiles, env auth, and custom provider keys before warning, so openai/gpt-5.5 cannot be satisfied by an openai-codex:* profile in this helper. (src/commands/auth-choice.model-check.ts:36, 75f5d6d9b5f1)
• Runtime auth-provider contract: The existing helper returns openai-codex for OpenAI models on the Codex runtime and both openai and openai-codex for explicit PI runtime, matching the PR's candidate-provider direction. (src/agents/openai-codex-routing.ts:111, 75f5d6d9b5f1)
• Default OpenAI runtime policy: Current main routes official OpenAI provider agent models through the Codex runtime by default unless a custom OpenAI base URL is configured. (src/agents/harness/policy.ts:38, 75f5d6d9b5f1)
• User-facing route contract: The OpenAI provider docs describe openai/gpt-5.5 with omitted/Codex runtime as the native Codex app-server route and direct users to Codex sign-in while keeping the canonical OpenAI model ref. Public docs: docs/providers/openai.md. (docs/providers/openai.md:241, 75f5d6d9b5f1)
• PR implementation diff: The PR derives auth candidates from resolveAgentHarnessPolicy and listOpenAIAuthProfileProvidersForAgentRuntime, then short-circuits once any candidate has a usable profile, env key, or custom provider key. (src/commands/auth-choice.model-check.ts:59, b38886914959)
• Regression coverage: The PR adds coverage for openai/gpt-5.5 with an openai-codex:default OAuth profile emitting no note, and for custom OpenAI-compatible base URLs checking only direct openai auth. (src/commands/auth-choice.model-check.test.ts:59, b38886914959)

Likely related people:

• pashpashpash: Auth-provider routing and default OpenAI-to-Codex runtime behavior are central to this PR and were introduced in the merged route-defaulting work. (role: OpenAI/Codex routing feature contributor; confidence: high; commits: 1c3399010815; files: src/agents/openai-codex-routing.ts, src/agents/harness/policy.ts, docs/providers/openai.md)
• shakkernerd: The model-check helper and colocated tests were introduced/refined in recent onboarding cold-path work, and later command-output test maintenance touched the same test file. (role: recent onboarding model-check contributor; confidence: high; commits: 2f81c5f5803d, 8a8cb6fb308d; files: src/commands/auth-choice.model-check.ts, src/commands/auth-choice.model-check.test.ts)
• steipete: Local blame on current main attributes the current helper and routing files to a recent broad source snapshot commit; this is a weaker routing signal than the feature-specific commits above. (role: recent area contributor; confidence: low; commits: 2ec1a27c9fba; files: src/commands/auth-choice.model-check.ts, src/agents/openai-codex-routing.ts, src/agents/harness/policy.ts)

Remaining risk / open question:

• The copied terminal harness proof names an earlier PR head, while the latest head includes a small candidate-list refactor; source review shows the covered behavior unchanged, but required CI should still gate merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 75f5d6d9b5f1.

[obviyus]

Landed via rebase onto main.

• Scoped tests: pnpm test src/commands/auth-choice.model-check.test.ts; node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/commands/auth-choice.model-check.ts src/commands/auth-choice.model-check.test.ts; pnpm check:test-types; git diff --check
• Changelog: CHANGELOG.md updated
• Land commit: f316a3e
• Merge commit: f506ced

Thanks @rubencu!