openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/codex/src/app-server/run-attempt.ts‎
Lines changed: 8 additions & 1 deletion b/‎extensions/codex/src/app-server/run-attempt.ts‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎extensions/matrix/src/actions.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/matrix/src/actions.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/msteams/src/actions.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/msteams/src/actions.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/msteams/src/channel.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/msteams/src/channel.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/openai/speech-provider.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/openai/speech-provider.test.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/openai/tts.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/openai/tts.test.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/openai/tts.ts‎
Lines changed: 57 additions & 63 deletions b/‎extensions/openai/tts.ts‎
Lines changed: 57 additions & 63 deletions
diff --git a/‎src/agents/agent-command.live-model-switch.test.ts‎
Lines changed: 69 additions & 4 deletions b/‎src/agents/agent-command.live-model-switch.test.ts‎
Lines changed: 69 additions & 4 deletions
diff --git a/‎src/agents/agent-command.ts‎
Lines changed: 9 additions & 1 deletion b/‎src/agents/agent-command.ts‎
Lines changed: 9 additions & 1 deletion
@@ -36,6 +36,7 @@ Docs: https://docs.openclaw.ai
 
 - Plugins/onboarding: record local plugin install source metadata without duplicating raw absolute local paths in persisted `plugins.installs`, while preserving linked load-path cleanup. (#70970) Thanks @vincentkoc.
 - Browser/tool: tell agents not to pass per-call `timeoutMs` on existing-session type, evaluate, and other Chrome MCP actions that reject timeout overrides.
+- Codex/GPT-5.4: harden fallback, auth-profile, tool-schema, and replay edge cases across native and embedded runtime paths. (#70743) Thanks @100yenadmin.
 - Voice-call/Telnyx: preserve inbound/outbound callback metadata and read transcription text from Telnyx's current `transcription_data` payload.
 - Codex harness: send verbose tool progress to chat channels for native app-server runs, matching the Pi harness `/verbose on` and `/verbose full` behavior. (#70966) Thanks @jalehman.
 - Codex models: fetch paginated Codex app-server model catalogs, mark truncated `/codex models` output, and keep ChatGPT OAuth defaults on the `openai-codex/gpt-5.5` route instead of the OpenAI API-key route.
 
@@ -70,6 +70,10 @@ import { mirrorCodexAppServerTranscript } from "./transcript-mirror.js";
 import { createCodexUserInputBridge } from "./user-input-bridge.js";
 import { filterToolsForVisionInputs } from "./vision-tools.js";
 
+type OpenClawCodingToolsOptions = NonNullable<
+  Parameters<(typeof import("openclaw/plugin-sdk/agent-harness"))["createOpenClawCodingTools"]>[0]
+>;
+
 let clientFactory = defaultCodexAppServerClientFactory;
 
 function emitCodexAppServerEvent(
@@ -709,7 +713,10 @@ async function buildDynamicTools(input: DynamicToolBuildParams) {
     abortSignal: input.runAbortController.signal,
     modelProvider: params.model.provider,
     modelId: params.modelId,
-    modelCompat: params.model.compat,
+    modelCompat:
+      params.model.compat && typeof params.model.compat === "object"
+        ? (params.model.compat as OpenClawCodingToolsOptions["modelCompat"])
+        : undefined,
     modelApi: params.model.api,
     modelContextWindowTokens: params.model.contextWindow,
     modelAuthMode: resolveModelAuthMode(params.model.provider, params.config),
 
@@ -99,6 +99,7 @@ function createMatrixExposedActions(params: {
 
 function buildMatrixProfileToolSchema(): NonNullable<ChannelMessageToolDiscovery["schema"]> {
   return {
+    actions: ["set-profile"],
     properties: {
       displayName: Type.Optional(
         Type.String({
 
@@ -274,6 +274,7 @@ export function describeMSTeamsMessageTool({
     capabilities: enabled ? ["presentation"] : [],
     schema: enabled
       ? {
+          actions: ["unpin"],
           properties: {
             pinnedMessageId: Type.Optional(
               Type.String({
 
@@ -388,6 +388,7 @@ function describeMSTeamsMessageTool({
     capabilities: enabled ? ["presentation"] : [],
     schema: enabled
       ? {
+          actions: ["unpin"],
           properties: {
             pinnedMessageId: Type.Optional(
               Type.String({
 
@@ -12,6 +12,7 @@ vi.mock("openclaw/plugin-sdk/ssrf-runtime", () => ({
     response: await globalThis.fetch(url, init),
     release: vi.fn(async () => {}),
   }),
+  ssrfPolicyFromHttpBaseUrlAllowedHostname: () => undefined,
 }));
 
 function isSpeechRequestBody(value: unknown): value is { response_format?: string } {
 
@@ -24,6 +24,7 @@ vi.mock("openclaw/plugin-sdk/ssrf-runtime", () => ({
     response: await globalThis.fetch(url, init),
     release: vi.fn(async () => {}),
   }),
+  ssrfPolicyFromHttpBaseUrlAllowedHostname: () => undefined,
 }));
 
 describe("openai tts", () => {
 
@@ -3,7 +3,10 @@ import {
   isDebugProxyGlobalFetchPatchInstalled,
 } from "openclaw/plugin-sdk/proxy-capture";
 import { extractProviderErrorDetail, trimToUndefined } from "openclaw/plugin-sdk/speech";
-import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
+import {
+  fetchWithSsrFGuard,
+  ssrfPolicyFromHttpBaseUrlAllowedHostname,
+} from "openclaw/plugin-sdk/ssrf-runtime";
 
 export const DEFAULT_OPENAI_BASE_URL = "https://api.openai.com/v1";
 
@@ -91,72 +94,63 @@ export async function openaiTTS(params: {
     throw new Error(`Invalid voice: ${voice}`);
   }
 
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), timeoutMs);
-
+  const requestHeaders = {
+    Authorization: `Bearer ${apiKey}`,
+    "Content-Type": "application/json",
+  };
+  const requestBody = JSON.stringify({
+    model,
+    input: text,
+    voice,
+    response_format: responseFormat,
+    ...(speed != null && { speed }),
+    ...(effectiveInstructions != null && { instructions: effectiveInstructions }),
+  });
+  const requestUrl = `${baseUrl}/audio/speech`;
+  const debugProxyFetchPatchInstalled = isDebugProxyGlobalFetchPatchInstalled();
+  const { response, release } = await fetchWithSsrFGuard({
+    url: requestUrl,
+    init: {
+      method: "POST",
+      headers: requestHeaders,
+      body: requestBody,
+    },
+    timeoutMs,
+    policy: ssrfPolicyFromHttpBaseUrlAllowedHostname(baseUrl),
+    capture: false,
+    pinDns: debugProxyFetchPatchInstalled ? false : undefined,
+    auditContext: "openai-tts",
+  });
   try {
-    const requestHeaders = {
-      Authorization: `Bearer ${apiKey}`,
-      "Content-Type": "application/json",
-    };
-    const requestBody = JSON.stringify({
-      model,
-      input: text,
-      voice,
-      response_format: responseFormat,
-      ...(speed != null && { speed }),
-      ...(effectiveInstructions != null && { instructions: effectiveInstructions }),
-    });
-    const requestUrl = `${baseUrl}/audio/speech`;
-    const isGlobalFetchPatchInstalled = isDebugProxyGlobalFetchPatchInstalled();
-    const guardedFetchImpl = isGlobalFetchPatchInstalled
-      ? globalThis.fetch.bind(globalThis)
-      : undefined;
-    const { response, release } = await fetchWithSsrFGuard({
-      url: requestUrl,
-      init: {
+    if (!debugProxyFetchPatchInstalled) {
+      captureHttpExchange({
+        url: requestUrl,
         method: "POST",
-        headers: requestHeaders,
-        body: requestBody,
-        signal: controller.signal,
-      },
-      ...(guardedFetchImpl ? { fetchImpl: guardedFetchImpl } : {}),
-      capture: false,
-      auditContext: "openai-tts",
-    });
-    try {
-      if (!isGlobalFetchPatchInstalled) {
-        captureHttpExchange({
-          url: requestUrl,
-          method: "POST",
-          requestHeaders,
-          requestBody,
-          response,
-          transport: "http",
-          meta: {
-            provider: "openai",
-            capability: "tts",
-          },
-        });
-      }
-
-      if (!response.ok) {
-        const detail = await extractOpenAiErrorDetail(response);
-        const requestId =
-          trimToUndefined(response.headers.get("x-request-id")) ??
-          trimToUndefined(response.headers.get("request-id"));
-        throw new Error(
-          `OpenAI TTS API error (${response.status})` +
-            (detail ? `: ${detail}` : "") +
-            (requestId ? ` [request_id=${requestId}]` : ""),
-        );
-      }
+        requestHeaders,
+        requestBody,
+        response,
+        transport: "http",
+        meta: {
+          provider: "openai",
+          capability: "tts",
+        },
+      });
+    }
 
-      return Buffer.from(await response.arrayBuffer());
-    } finally {
-      await release();
+    if (!response.ok) {
+      const detail = await extractOpenAiErrorDetail(response);
+      const requestId =
+        trimToUndefined(response.headers.get("x-request-id")) ??
+        trimToUndefined(response.headers.get("request-id"));
+      throw new Error(
+        `OpenAI TTS API error (${response.status})` +
+          (detail ? `: ${detail}` : "") +
+          (requestId ? ` [request_id=${requestId}]` : ""),
+      );
     }
+
+    return Buffer.from(await response.arrayBuffer());
   } finally {
-    clearTimeout(timeout);
+    await release();
   }
 }
@@ -10,6 +10,10 @@ const state = vi.hoisted(() => ({
   clearAgentRunContextMock: vi.fn(),
   updateSessionStoreAfterAgentRunMock: vi.fn(),
   deliverAgentCommandResultMock: vi.fn(),
+  clearSessionAuthProfileOverrideMock: vi.fn(),
+  authProfileStoreMock: { profiles: {} } as { profiles: Record<string, unknown> },
+  sessionEntryMock: undefined as unknown,
+  sessionStoreMock: undefined as unknown,
 }));
 
 vi.mock("./model-fallback.js", () => ({
@@ -57,12 +61,12 @@ vi.mock("./command/session.js", () => ({
   resolveSession: () => ({
     sessionId: "session-1",
     sessionKey: "agent:main",
-    sessionEntry: {
+    sessionEntry: state.sessionEntryMock ?? {
       sessionId: "session-1",
       updatedAt: Date.now(),
       skillsSnapshot: { prompt: "", skills: [], version: 0 },
     },
-    sessionStore: undefined,
+    sessionStore: state.sessionStoreMock,
     storePath: undefined,
     isNewSession: false,
     persistedThinking: undefined,
@@ -250,8 +254,13 @@ vi.mock("./auth-profiles.js", () => ({
   ensureAuthProfileStore: () => ({ profiles: {} }),
 }));
 
+vi.mock("./auth-profiles/store.js", () => ({
+  ensureAuthProfileStore: () => state.authProfileStoreMock,
+}));
+
 vi.mock("./auth-profiles/session-override.js", () => ({
-  clearSessionAuthProfileOverride: vi.fn(),
+  clearSessionAuthProfileOverride: (...args: unknown[]) =>
+    state.clearSessionAuthProfileOverrideMock(...args),
 }));
 
 vi.mock("./defaults.js", () => ({
@@ -269,7 +278,12 @@ vi.mock("./model-catalog.js", () => ({
 
 vi.mock("./model-selection.js", () => ({
   buildAllowedModelSet: () => ({
-    allowedKeys: new Set<string>(["anthropic/claude", "openai/claude", "openai/gpt-5.4"]),
+    allowedKeys: new Set<string>([
+      "anthropic/claude",
+      "codex-cli/gpt-5.4",
+      "openai/claude",
+      "openai/gpt-5.4",
+    ]),
     allowedCatalog: [],
     allowAny: false,
   }),
@@ -281,6 +295,12 @@ vi.mock("./model-selection.js", () => ({
   resolveThinkingDefault: () => "low",
 }));
 
+vi.mock("./provider-auth-aliases.js", () => ({
+  resolveProviderAuthAliasMap: () => ({}),
+  resolveProviderIdForAuth: (provider: string) =>
+    provider.trim().toLowerCase() === "codex-cli" ? "openai-codex" : provider.trim().toLowerCase(),
+}));
+
 vi.mock("./skills.js", () => ({
   buildWorkspaceSkillSnapshot: () => ({}),
 }));
@@ -376,6 +396,9 @@ function expectFallbackOverrideCalls(first: boolean, second: boolean) {
 describe("agentCommand – LiveSessionModelSwitchError retry", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    state.authProfileStoreMock = { profiles: {} };
+    state.sessionEntryMock = undefined;
+    state.sessionStoreMock = undefined;
     state.deliverAgentCommandResultMock.mockResolvedValue(undefined);
     state.updateSessionStoreAfterAgentRunMock.mockResolvedValue(undefined);
   });
@@ -450,6 +473,48 @@ describe("agentCommand – LiveSessionModelSwitchError retry", () => {
     expect(state.runWithModelFallbackMock).toHaveBeenCalledTimes(2);
   });
 
+  it("keeps aliased session auth profiles for codex-cli runs", async () => {
+    let capturedAuthProfileProvider: string | undefined;
+    const sessionEntry = {
+      sessionId: "session-1",
+      updatedAt: Date.now(),
+      providerOverride: "codex-cli",
+      modelOverride: "gpt-5.4",
+      authProfileOverride: "openai-codex:work",
+      authProfileOverrideSource: "user",
+      skillsSnapshot: { prompt: "", skills: [], version: 0 },
+    };
+    state.sessionEntryMock = sessionEntry;
+    state.authProfileStoreMock = {
+      profiles: {
+        "openai-codex:work": {
+          type: "api_key",
+          provider: "openai-codex",
+          key: "sk-test",
+        },
+      },
+    };
+    state.runWithModelFallbackMock.mockImplementation(async (params: FallbackRunnerParams) => {
+      const result = await params.run(params.provider, params.model);
+      return {
+        result,
+        provider: params.provider,
+        model: params.model,
+        attempts: [],
+      };
+    });
+    state.runAgentAttemptMock.mockImplementation(async (...args: unknown[]) => {
+      const attemptParams = args[0] as { authProfileProvider?: string } | undefined;
+      capturedAuthProfileProvider = attemptParams?.authProfileProvider;
+      return makeSuccessResult("codex-cli", "gpt-5.4");
+    });
+
+    await runBasicAgentCommand();
+
+    expect(capturedAuthProfileProvider).toBe("codex-cli");
+    expect(state.clearSessionAuthProfileOverrideMock).not.toHaveBeenCalled();
+  });
+
   it("updates hasSessionModelOverride for fallback resolution after switch", async () => {
     setupModelSwitchRetry({
       provider: "openai",
 
@@ -58,6 +58,7 @@ import {
   resolveDefaultModelForAgent,
   resolveThinkingDefault,
 } from "./model-selection.js";
+import { resolveProviderIdForAuth } from "./provider-auth-aliases.js";
 import { normalizeSpawnedRunMetadata } from "./spawned-context.js";
 import { resolveAgentTimeoutMs } from "./timeout.js";
 import { ensureAgentWorkspace } from "./workspace.js";
@@ -756,7 +757,14 @@ async function agentCommandInternal(
         const entry = sessionEntry;
         const store = ensureAuthProfileStore();
         const profile = store.profiles[authProfileId];
-        if (!profile || profile.provider !== providerForAuthProfileValidation) {
+        const profileAuthProvider = profile
+          ? resolveProviderIdForAuth(profile.provider, { config: cfg, workspaceDir })
+          : undefined;
+        const validationAuthProvider = resolveProviderIdForAuth(providerForAuthProfileValidation, {
+          config: cfg,
+          workspaceDir,
+        });
+        if (!profile || profileAuthProvider !== validationAuthProvider) {
           if (sessionStore && sessionKey) {
             await clearSessionAuthProfileOverride({
               sessionEntry: entry,