fix(auth): harden Codex auth probes (#87559)

nxmxbbd · steipete · web-flow · commit 37c5003ed966 · 2026-05-29T01:58:48.000+01:00
* fix(auth): harden Codex auth probes * fix: preserve Codex probe auth overlay (#87559) --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
diff --git a/src/agents/embedded-agent-runner/run.ts b/src/agents/embedded-agent-runner/run.ts
@@ -781,17 +781,26 @@ export async function runEmbeddedAgent(
         pluginHarnessOwnsTransport &&
         provider === OPENAI_CODEX_PROVIDER_ID &&
         effectiveModel.api === "openai-codex-responses";
+      const openClawNativeCodexResponsesNeedsAuthBootstrap =
+        !pluginHarnessOwnsTransport &&
+        provider === OPENAI_CODEX_PROVIDER_ID &&
+        effectiveModel.api === "openai-codex-responses";
       let piExternalCliAuthScope = pluginHarnessOwnsTransport
         ? { ignoreAutoPreferredProfile: false }
-        : resolveExternalCliAuthOverlayScopeFromSelection({
-            provider,
-            cfg: params.config,
-            agentId: params.agentId,
-            modelId,
-            workspaceDir: resolvedWorkspace,
-            userLockedAuthProfileId:
-              params.authProfileIdSource === "user" ? params.authProfileId : undefined,
-          });
+        : openClawNativeCodexResponsesNeedsAuthBootstrap
+          ? {
+              providerIds: [OPENAI_CODEX_PROVIDER_ID],
+              ignoreAutoPreferredProfile: false,
+            }
+          : resolveExternalCliAuthOverlayScopeFromSelection({
+              provider,
+              cfg: params.config,
+              agentId: params.agentId,
+              modelId,
+              workspaceDir: resolvedWorkspace,
+              userLockedAuthProfileId:
+                params.authProfileIdSource === "user" ? params.authProfileId : undefined,
+            });
       let noExternalAuthStore: AuthProfileStore | undefined;
       if (
         !pluginHarnessOwnsTransport &&
diff --git a/src/agents/openai-transport-stream.test.ts b/src/agents/openai-transport-stream.test.ts
@@ -2293,6 +2293,65 @@ describe("openai transport stream", () => {
     expect(params.prompt_cache_key).toBeUndefined();
   });
 
+  it("adds fallback instructions for raw native Codex responses probes", () => {
+    const params = buildOpenAIResponsesParams(
+      {
+        id: "gpt-5.5",
+        name: "GPT-5.5",
+        api: "openai-codex-responses",
+        provider: "openai-codex",
+        baseUrl: "https://chatgpt.com/backend-api/codex",
+        reasoning: true,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 400000,
+        maxTokens: 128000,
+      } satisfies Model<"openai-codex-responses">,
+      {
+        systemPrompt: "",
+        messages: [{ role: "user", content: "Reply OK", timestamp: 1 }],
+        tools: [],
+      } as never,
+      {
+        maxTokens: 16,
+        sessionId: "session-123",
+      },
+    ) as Record<string, unknown>;
+
+    expect(params.instructions).toBe("Follow the user request.");
+    expect(params.max_output_tokens).toBeUndefined();
+    expect(params.prompt_cache_retention).toBeUndefined();
+  });
+
+  it("does not add fallback instructions for custom Codex-compatible responses backends", () => {
+    const params = buildOpenAIResponsesParams(
+      {
+        id: "gpt-5.5",
+        name: "GPT-5.5",
+        api: "openai-codex-responses",
+        provider: "openai-codex",
+        baseUrl: "https://proxy.example.com/v1",
+        reasoning: true,
+        input: ["text"],
+        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+        contextWindow: 400000,
+        maxTokens: 128000,
+      } satisfies Model<"openai-codex-responses">,
+      {
+        systemPrompt: "",
+        messages: [{ role: "user", content: "Reply OK", timestamp: 1 }],
+        tools: [],
+      } as never,
+      {
+        maxTokens: 16,
+        sessionId: "session-123",
+      },
+    ) as Record<string, unknown>;
+
+    expect(params.instructions).toBeUndefined();
+    expect(params.max_output_tokens).toBe(16);
+  });
+
   it("uses top-level instructions for Codex responses and preserves prompt cache identity", () => {
     const params = buildOpenAIResponsesParams(
       {
diff --git a/src/agents/openai-transport-stream.ts b/src/agents/openai-transport-stream.ts
@@ -79,6 +79,7 @@ import {
 
 const DEFAULT_AZURE_OPENAI_API_VERSION = "preview";
 const OPENAI_CODEX_RESPONSES_EMPTY_INPUT_TEXT = " ";
+const OPENAI_CODEX_RESPONSES_DEFAULT_INSTRUCTIONS = "Follow the user request.";
 const GEMINI_THOUGHT_SIGNATURE_VALIDATOR_SKIP = "skip_thought_signature_validator";
 const AZURE_RESPONSES_FIRST_EVENT_TIMEOUT_MS = 30_000;
 const MODEL_STREAM_COOPERATIVE_YIELD_INTERVAL_MS = 12;
@@ -1992,6 +1993,19 @@ function buildOpenAICodexResponsesInstructions(context: Context): string | undef
   return sanitizeTransportPayloadText(stripSystemPromptCacheBoundary(context.systemPrompt));
 }
 
+function resolveOpenAICodexResponsesInstructions(
+  model: Model,
+  context: Context,
+): string | undefined {
+  const instructions = buildOpenAICodexResponsesInstructions(context);
+  if (instructions && instructions.trim().length > 0) {
+    return instructions;
+  }
+  return usesNativeOpenAICodexResponsesBackend(model)
+    ? OPENAI_CODEX_RESPONSES_DEFAULT_INSTRUCTIONS
+    : undefined;
+}
+
 function ensureOpenAICodexResponsesInput(messages: ResponseInput, context: Context): void {
   if (messages.length > 0 || !context.systemPrompt) {
     return;
@@ -2063,7 +2077,9 @@ export function buildOpenAIResponsesParams(
     stream: true,
     prompt_cache_key: promptCacheKey,
     prompt_cache_retention: getPromptCacheRetention(model.baseUrl, cacheRetention),
-    ...(isCodexResponses ? { instructions: buildOpenAICodexResponsesInstructions(context) } : {}),
+    ...(isCodexResponses
+      ? { instructions: resolveOpenAICodexResponsesInstructions(model, context) }
+      : {}),
     ...(metadata ? { metadata } : {}),
   };
   const effectiveMaxTokens = options?.maxTokens || model.maxTokens;
diff --git a/src/commands/models/list.probe.test.ts b/src/commands/models/list.probe.test.ts
@@ -38,3 +38,75 @@ describe("mapFailoverReasonToProbeStatus", () => {
     expect(mapFailoverReasonToProbeStatus("something_else")).toBe("unknown");
   });
 });
+
+describe("runAuthProbes", () => {
+  it("runs Codex auth probes through raw OpenClaw model-run mode", async () => {
+    const runEmbeddedAgent = vi.fn(async () => ({ text: "OK" }));
+    vi.doMock("../../agents/embedded-agent.js", () => ({ runEmbeddedAgent }));
+    vi.doMock("../../agents/auth-profiles.js", () => ({
+      externalCliDiscoveryScoped: () => undefined,
+      ensureAuthProfileStore: () => ({
+        version: 1,
+        profiles: {
+          "openai-codex:profile": {
+            type: "oauth",
+            provider: "openai-codex",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: Date.now() + 60_000,
+          },
+        },
+        order: {},
+      }),
+      listProfilesForProvider: () => ["openai-codex:profile"],
+      resolveAuthProfileDisplayLabel: ({ profileId }: { profileId: string }) => profileId,
+      resolveAuthProfileEligibility: () => ({ eligible: true }),
+      resolveAuthProfileOrder: () => ["openai-codex:profile"],
+    }));
+    vi.doMock("../../agents/model-auth.js", () => ({
+      hasUsableCustomProviderApiKey: () => false,
+      resolveEnvApiKey: () => null,
+    }));
+    vi.doMock("../../agents/model-catalog.js", () => ({
+      loadModelCatalog: async () => [{ provider: "openai-codex", id: "gpt-5.5" }],
+    }));
+    try {
+      const module = await importFreshModule<typeof import("./list.probe.js")>(
+        import.meta.url,
+        `./list.probe.js?scope=${Math.random().toString(36).slice(2)}`,
+      );
+      const result = await module.runAuthProbes({
+        cfg: {} as never,
+        agentId: "probe-agent",
+        agentDir: "/tmp/openclaw-probe-agent",
+        workspaceDir: "/tmp/openclaw-probe-workspace",
+        providers: ["openai-codex"],
+        modelCandidates: ["openai-codex/gpt-5.5"],
+        options: {
+          provider: "openai-codex",
+          profileIds: ["openai-codex:profile"],
+          timeoutMs: 5_000,
+          concurrency: 1,
+          maxTokens: 8,
+        },
+      });
+
+      expect(result.results[0]?.status).toBe("ok");
+      expect(runEmbeddedAgent).toHaveBeenCalledWith(
+        expect.objectContaining({
+          agentHarnessId: "openclaw",
+          agentHarnessRuntimeOverride: "openclaw",
+          modelRun: true,
+          disableTools: true,
+          authProfileId: "openai-codex:profile",
+          authProfileIdSource: "user",
+        }),
+      );
+    } finally {
+      vi.doUnmock("../../agents/embedded-agent.js");
+      vi.doUnmock("../../agents/auth-profiles.js");
+      vi.doUnmock("../../agents/model-auth.js");
+      vi.doUnmock("../../agents/model-catalog.js");
+    }
+  });
+});
diff --git a/src/commands/models/list.probe.ts b/src/commands/models/list.probe.ts
@@ -522,6 +522,9 @@ async function probeTarget(params: {
       model: target.model.model,
       authProfileId: target.profileId,
       authProfileIdSource: target.profileId ? "user" : undefined,
+      ...(target.provider === "openai-codex"
+        ? { agentHarnessId: "openclaw", agentHarnessRuntimeOverride: "openclaw" }
+        : {}),
       timeoutMs,
       runId: `probe-${crypto.randomUUID()}`,
       lane: `auth-probe:${target.provider}:${target.profileId ?? target.source}`,
@@ -530,6 +533,7 @@ async function probeTarget(params: {
       verboseLevel: "off",
       streamParams: { maxTokens },
       disableTools: true,
+      modelRun: true,
       cleanupBundleMcpOnRunEnd: true,
     });
     return buildResult("ok");
