refactor: unify OpenAI provider identity

[steipete]

Summary

This refactor collapses OpenAI and legacy OpenAI Codex model identity onto the canonical openai provider id.

• Removes the openai-codex provider registration surface from the OpenAI plugin manifest and contract tests. openai-codex-responses remains only as the internal API/transport backend for Codex/ChatGPT OAuth turns.
• Keeps legacy openai-codex as doctor/compat input, not a normal provider namespace for new state. Setup choices, auth choice normalization, provider ownership, public artifacts, provider policy lookup, and plugin registry normalization now resolve that alias to openai.
• Makes OpenAI auth transport-aware: direct OpenAI Platform models require API-key auth, while GPT 5.4/5.5 canonical openai/* rows can remain visible and route through Codex OAuth when that auth is selected.
• Adds openclaw doctor --fix migration for legacy OpenAI Codex auth/profile state. It rewrites openai-codex:* profile ids, auth.order.openai-codex, scoped authProfileId refs, usage stats, and old model refs, with backups and collision-safe canonical ids.
• Cleans older import/migration paths so Codex CLI, Hermes, and OpenCode OAuth imports now mint openai:* profiles and auth:openai migration items while still reading legacy source files that used openai-codex.
• Updates docs, plugin schema text, and examples so openai-codex appears as legacy doctor-repaired state rather than recommended config.

Migration notes

openclaw doctor --fix migrates old state instead of carrying the old provider identity forward:

• openai-codex/<model> and codex-cli/<model> model refs become openai/<model> where the route is known to be canonical.
• openai-codex:* profile ids become openai:*; if a canonical profile already exists, doctor allocates a safe openai:chatgpt-* id rather than overwriting it.
• auth.order.openai-codex folds into auth.order.openai while preserving usable order.
• Auth store files are backed up with .openai-provider-unification.<timestamp>.bak before rewrite.
• Generic retired-model doctor migration deliberately leaves legacy openai-codex/* prefixes in place so the dedicated Codex route repair can preserve Codex runtime policy before canonicalizing.

Behavior addressed

OpenAI has one model provider identity (openai) regardless of API-key vs OAuth auth. Legacy Codex names are compatibility inputs and doctor migration targets, not a second provider namespace.

Real environment tested

Local macOS checkout plus Blacksmith Testbox changed-gate run.

Exact steps or command run after this patch

• OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/agents/auth-profiles/usage.test.ts src/agents/auth-profiles.markauthprofilefailure.test.ts src/agents/auth-profiles/order.test.ts src/commands/doctor/shared/codex-route-warnings.test.ts src/commands/doctor-auth-flat-profiles.test.ts extensions/openai/openai-provider.test.ts extensions/openai/openai-codex-provider.test.ts extensions/openai/image-generation-provider.test.ts extensions/openai/video-generation-provider.test.ts extensions/openai/openclaw.plugin.test.ts extensions/openai/index.test.ts extensions/openai/setup-api.test.ts extensions/openai/plugin-registration.contract.test.ts src/plugins/contracts/plugin-registration.openai.contract.test.ts extensions/openai/provider-auth.contract.test.ts extensions/openai/provider-runtime.contract.test.ts extensions/openai/provider-catalog.contract.test.ts extensions/openai/provider-policy-api.test.ts src/agents/auth-profiles/external-oauth.test.ts src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts src/agents/openai-codex-routing.test.ts src/agents/model-auth.profiles.test.ts src/agents/model-catalog-visibility.test.ts src/agents/model-provider-auth.test.ts src/agents/embedded-agent-runner/model.inline-provider.test.ts src/plugin-sdk/provider-tools.test.ts src/commands/auth-choice.test.ts src/commands/auth-choice-legacy.test.ts src/commands/onboard-non-interactive/local/auth-choice.test.ts src/infra/provider-usage.shared.test.ts src/gateway/server-methods/models-auth-status.test.ts src/commands/models/list.status.test.ts src/agents/provider-attribution.test.ts src/agents/openai-transport-stream.test.ts src/agents/prompt-overlay-runtime-contract.test.ts src/plugins/providers.test.ts src/plugins/plugin-lookup-table.test.ts src/plugins/plugin-registry.test.ts src/plugins/provider-runtime.test.ts src/plugins/provider-public-artifacts.test.ts src/plugin-sdk/test-helpers/provider-auth-contract.ts src/plugin-sdk/test-helpers/provider-runtime-contract.ts src/plugin-sdk/test-helpers/plugin-registration-contract-cases.ts src/test-utils/plugin-registration.ts && pnpm check:test-types
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --label openai-unification-check-changed-final --shell -- "git fetch origin main --deepen=1000 || git fetch origin main --unshallow || git fetch origin main --depth=5000; corepack pnpm check:changed"
• OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test extensions/llm-task/src/llm-task-tool.test.ts extensions/codex/src/migration/provider.test.ts extensions/migrate-hermes/provider.secret-failure.test.ts extensions/migrate-hermes/secrets.test.ts src/commands/migrate.test.ts src/commands/doctor/shared/legacy-config-migrate.test.ts src/commands/doctor/shared/codex-route-warnings.test.ts && pnpm check:test-types
• pnpm docs:list
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local

Evidence after fix

• Focused OpenAI/auth/doctor/provider suite: 11 Vitest shards passed, 154 tests in the OpenAI extension shard plus related core/gateway/plugin tests, followed by pnpm check:test-types.
• Follow-up migration/docs focused suite: 4 Vitest shards passed across LLM Task, Codex migration, Hermes migration, migrate command, and doctor route tests, followed by pnpm check:test-types.
• Testbox tbx_01ksvf9cp94721hbx0f6z7s2gv: pnpm check:changed passed core, core tests, extensions, extension tests, docs lanes; typecheck, lint, import cycles, and guards clean.
• git diff --check: clean.
• Autoreview final pass: autoreview clean: no accepted/actionable findings reported.
• Commits: b6b80dfdc7, c80d0b6c94.

Observed result after fix

Legacy OpenAI Codex references are normalized/migrated into openai; OpenAI OAuth remains usable for Codex-routable canonical GPT rows; direct OpenAI Platform models still require API-key auth; doctor preserves existing canonical profiles instead of overwriting them during migration. Codex CLI, Hermes, and OpenCode imports now create canonical openai auth profiles instead of creating fresh openai-codex state.

What was not tested

No live OpenAI/Codex OAuth turn or live OpenAI Platform API-key call was run from this branch.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 30, 2026, 4:10 AM ET / 08:10 UTC.

Summary
The PR collapses legacy OpenAI Codex provider/profile/model identity into canonical openai, adds doctor/import migration paths, and updates OpenAI/Codex docs and tests across provider, agent, gateway, and plugin surfaces.

Reproducibility: yes. source-level reproduction is high confidence: a legacy openai-codex/* media generation ref reaches capability provider lookup unchanged, and OAuth-only OpenAI setup with ignoreAllowlist can still pass provider-only picker auth. I did not execute runtime commands because this review is read-only.

Review metrics: 2 noteworthy metrics.

• Provider identity migration surfaces: 1 provider id collapsed, 1 providerAuthAliases entry added, doctor rewrites legacy auth/profile/model refs. Provider identity and persisted auth/config rewrites are upgrade-sensitive and need compatibility proof before merge.
• Legacy capability aliases: 3 capability surfaces affected: media understanding, image generation, video generation. Those registries use capability provider aliases rather than providerAuthAliases, so alias removal is a concrete merge risk.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Restore or automatically migrate legacy openai-codex capability refs for media understanding and image/video generation.
• Make setup/model-picker auth checks pass catalog API metadata so OAuth-only users cannot pick direct OpenAI API rows.
• [P1] Add redacted terminal/log proof for openclaw doctor --fix plus one OpenAI/Codex OAuth or OpenAI API-key runtime path; redact private information before posting.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body contains tests, Testbox, typecheck, diff-check, and autoreview evidence, but it explicitly lacks a live OpenAI/Codex OAuth turn or live OpenAI API-key call after the auth/provider rewrite. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] Existing configs, active media defaults, or persisted model refs that still name openai-codex for media understanding or image/video generation can fail at runtime because those capability registries do not consume providerAuthAliases.
• [P1] Setup and configure model-picking flows can still offer direct OpenAI API catalog rows to OAuth-only users, which are later rejected by model API-aware auth resolution at runtime.
• [P1] The PR rewrites provider ids, auth profile ids, auth order, usage stats, session refs, setup choices, and docs, but live doctor migration plus OpenAI/Codex OAuth or OpenAI API-key behavior remains unproven.

Maintainer options:

1. Fix alias and picker compatibility first (recommended)
   Preserve or automatically migrate legacy openai-codex capability refs and pass catalog API metadata into picker auth checks before merge.
2. Accept a breaking provider cleanup deliberately
   Maintainers can intentionally own the compatibility break only with explicit release-note/migration proof and a clear decision that doctor-only repair is enough.
3. Pause for live upgrade proof
   Hold the PR until the author posts redacted terminal/log proof for openclaw doctor --fix plus one OpenAI/Codex OAuth or OpenAI API-key runtime path.

Next step before merge

• [P1] Human review is needed because the PR has a protected maintainer label, auth/provider compatibility blockers, and missing live behavior proof that automation cannot supply.

Security
Cleared: No new dependency, workflow, secret-permission, or artifact-download concern was found, but the auth/provider compatibility issues remain functional merge blockers.

Review findings

• [P1] Keep legacy OpenAI Codex capability aliases — extensions/openai/index.ts:49-50
• [P2] Pass model API through model picker auth checks — src/flows/model-picker.ts:338

Review details

Best possible solution:

Keep the canonical openai direction only after preserving or automatically migrating shipped openai-codex capability refs, making picker filtering model-API-aware, and adding redacted live upgrade/runtime proof.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level reproduction is high confidence: a legacy openai-codex/* media generation ref reaches capability provider lookup unchanged, and OAuth-only OpenAI setup with ignoreAllowlist can still pass provider-only picker auth. I did not execute runtime commands because this review is read-only.

Is this the best way to solve the issue?

No, not yet: unifying on openai is maintainable, but the branch should keep shipped capability aliases or migrate them automatically and make picker auth API-aware before merge.

Full review comments:

• [P1] Keep legacy OpenAI Codex capability aliases — extensions/openai/index.ts:49-50
  Existing users can still have media/image/video capability refs such as openai-codex/*, and doctor is opt-in. This PR now registers only the openai media-understanding provider here and removes the image/video provider aliases, but those capability registries look at their own provider alias maps rather than providerAuthAliases, so legacy refs fail with no provider instead of routing to OpenAI. Keep a runtime alias or automatic migration before dropping the shipped id.
  Confidence: 0.9
• [P2] Pass model API through model picker auth checks — src/flows/model-picker.ts:338
  Setup/configure paths call promptDefaultModel with ignoreAllowlist: true, which bypasses the API-aware resolveVisibleModelCatalog filtering. addModelSelectOption still checks only hasAuth(provider), so an OAuth-only openai profile can expose direct OpenAI API rows that resolveApiKeyForProvider later rejects because their API is not openai-codex-responses. Thread entry.api into this check or apply the same API-aware filtering in this path.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 915f88a0a3ed.

Label changes

Label justifications:

• P2: This is a normal-priority refactor with bounded but meaningful provider/auth compatibility blockers before merge.
• merge-risk: 🚨 compatibility: The PR removes shipped openai-codex capability/provider surfaces and rewrites persisted config/state through doctor migration.
• merge-risk: 🚨 auth-provider: The PR changes OpenAI OAuth/API-key routing and auth-profile/provider identity across setup, model selection, runtime, and doctor paths.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body contains tests, Testbox, typecheck, diff-check, and autoreview evidence, but it explicitly lacks a live OpenAI/Codex OAuth turn or live OpenAI API-key call after the auth/provider rewrite. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

What I checked:

• Repository policy read and applied: Root AGENTS.md and scoped guides for docs, extensions, plugins, plugin SDK, gateway, agents, agent tools, channels, and tests were read; the root policy marks provider routing, auth/session state, config loading, migrations, setup, and fallback behavior as compatibility/upgrade-sensitive. (AGENTS.md:18, 915f88a0a3ed)
• PR removes the legacy media-understanding registration: At PR head, the OpenAI plugin registers only openaiMediaUnderstandingProvider; the old openai-codex media-understanding provider registration is gone. (extensions/openai/index.ts:49, ab521a8606b8)
• PR removes image/video capability provider aliases: At PR head, the OpenAI image and video generation providers expose only id: "openai"; there is no aliases: ["openai-codex"] on those capability providers. (extensions/openai/image-generation-provider.ts:648, ab521a8606b8)
• Capability registries do not consume providerAuthAliases: Image/video provider lookup is keyed by each capability provider's aliases, and media-understanding lookup is a direct normalized registry map lookup, so manifest providerAuthAliases does not repair openai-codex capability refs. (src/image-generation/provider-registry.ts:44, ab521a8606b8)
• Explicit legacy capability refs can reach lookup unchanged: resolveCapabilityModelRefForProviders returns the parsed provider/model ref even when no provider alias matches, and the runtime then calls getProvider(candidate.provider), which fails for openai-codex after the aliases are removed. (packages/media-generation-core/src/capability-model-ref.ts:71, ab521a8606b8)
• Model picker still has a provider-only auth check: addModelSelectOption still calls hasAuth(normalizedRef.provider) without the catalog entry API, while setup/configure paths call promptDefaultModel with ignoreAllowlist: true and bypass the API-aware resolveVisibleModelCatalog filtering. (src/flows/model-picker.ts:338, ab521a8606b8)

Likely related people:

• steipete: Current-main blame and git log for the OpenAI provider/Codex routing/model-auth surface point to Peter Steinberger's recent OpenAI provider/auth work, and this PR's commits are also by steipete. (role: recent area contributor; confidence: high; commits: cd07d013bafa, 45cabee4a8c5, 00827a057916; files: extensions/openai/openai-provider.ts, extensions/openai/openai-codex-provider.ts, src/agents/openai-codex-routing.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b6b80dfdc7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the OpenAI Codex media provider alias

Existing configs and persisted active-model state can still name the media-understanding provider as openai-codex (for example tools.media.audio/image or a legacy openai-codex/* active model). After this manifest now declares only openai, the media registry has no aliasing path for openai-codex—getMediaUnderstandingProvider() just normalizes the id and does a map lookup—so those requests return no provider and audio/image understanding is skipped instead of using the unified OpenAI provider. Keep a registered/metadata alias or migrate these media provider ids before dropping the contract entry.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c80d0b6c94

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass model API into auth checks for OpenAI OAuth

When a user has only the new ChatGPT/Codex OAuth profile under openai, adding these auth methods makes provider-level checks report that openai is authenticated, but the model picker still calls params.hasAuth(normalizedRef.provider) without entry.api (src/flows/model-picker.ts:338). As a result, direct OpenAI API catalog rows such as o1/o3 are offered even though getApiKeyForModel now rejects OAuth for non-openai-codex-responses models, so selecting one fails at run time instead of being filtered or requiring an API-key profile.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3239362b87

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore the legacy media-generation alias

Existing configs can still store generation defaults as openai-codex/gpt-image-1 or openai-codex/sora-2 (the doctor migration is opt-in). After this provider no longer advertises the openai-codex alias, resolveCapabilityModelCandidates preserves those explicit provider/model refs and getImageGenerationProvider/getVideoGenerationProvider only resolve registered aliases, so configured image/video requests fail with “No ... provider registered” instead of using OpenAI. Keep the runtime alias until the shipped refs are migrated or repaired automatically.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 411c1681a5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Filter store auth by OAuth/token for Codex native search

When the agent auth store contains only an openai API-key profile, this check still treats Codex auth as available because it only checks for any openai/openai-codex profile. For an openai model resolved to openai-codex-responses, resolveCodexNativeSearchActivation then returns native_active, which suppresses the managed web_search tool and injects the Codex-native web_search even though there is no ChatGPT/Codex OAuth/token credential. The config-side check above already filters to oauth/token; the store-side check needs the same type filter.

Useful? React with 👍 / 👎.