fix(status): honor selected usage auth profile

luoxiao6645 · claude · luoxiao6645 · commit 4b6c78d1984e · 2026-05-21T05:26:41.000+08:00
Thread preferredProfileIds through provider auth resolution so the
status command uses the user-selected auth profile instead of always
falling back to the default ordering.

- Add preferredProfileIds param to resolveProviderAuths and plumb
  through plugin, fallback, and OAuth resolution paths
- Pass session authProfileOverride from status-text to usage loader
- Re-export tryReadSecretFileSync directly from @openclaw/fs-safe/secret
- Fix lint violations (no-useless-fallback-in-spread) and type errors

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/src/commands/status.summary.redaction.test.ts b/src/commands/status.summary.redaction.test.ts
@@ -16,7 +16,7 @@ function createRecentSessionRow(): SessionStatus {
     model: "gpt-5",
     configuredModel: "gpt-5",
     selectedModel: "gpt-5",
-    modelSelectionReason: null,
+    modelSelectionReason: "configured-default",
     contextTokens: 200_000,
     flags: ["id:sess-1"],
   };
diff --git a/src/infra/provider-usage.auth.normalizes-keys.test.ts b/src/infra/provider-usage.auth.normalizes-keys.test.ts
@@ -35,13 +35,26 @@ vi.mock("../agents/auth-profiles.js", () => {
         lastGood?: Record<string, string>;
         usageStats?: Record<string, unknown>;
       };
-      return {
+      const store: {
+        version: number;
+        profiles: Record<string, unknown>;
+        order?: Record<string, string[]>;
+        lastGood?: Record<string, string>;
+        usageStats?: Record<string, unknown>;
+      } = {
         version: parsed.version ?? 1,
         profiles: parsed.profiles ?? {},
-        ...(parsed.order ? { order: parsed.order } : {}),
-        ...(parsed.lastGood ? { lastGood: parsed.lastGood } : {}),
-        ...(parsed.usageStats ? { usageStats: parsed.usageStats } : {}),
       };
+      if (parsed.order) {
+        store.order = parsed.order;
+      }
+      if (parsed.lastGood) {
+        store.lastGood = parsed.lastGood;
+      }
+      if (parsed.usageStats) {
+        store.usageStats = parsed.usageStats;
+      }
+      return store;
     } catch {
       return { version: 1, profiles: {} };
     }
@@ -59,7 +72,7 @@ vi.mock("../agents/auth-profiles.js", () => {
     const configured = Object.entries(params.cfg?.auth?.profiles ?? {})
       .filter(([, profile]) => normalizeProvider(profile?.provider) === provider)
       .map(([profileId]) => profileId);
-    if (configured.length > 0) {
+    if (configured.length > 0 && !params.store.order?.[params.provider] && !params.store.order?.[provider]) {
       return dedupeProfileIds(configured);
     }
     const ordered = params.store.order?.[params.provider] ?? params.store.order?.[provider];
@@ -187,6 +200,12 @@ const providerRuntimeMocks = vi.hoisted(() => ({
       }
 
       if (params.provider === "minimax") {
+        const portalAuth = await params.context.resolveOAuthToken({ provider: "minimax-portal" });
+        if (portalAuth?.token) {
+          return portalAuth.accountId
+            ? { token: portalAuth.token, accountId: portalAuth.accountId }
+            : { token: portalAuth.token };
+        }
         const token = resolveToken({
           providerIds: ["minimax"],
           envDirect: [
@@ -694,6 +713,84 @@ describe("resolveProviderAuths key normalization", () => {
     });
   });
 
+  it("prefers the requested OAuth profile when resolving provider usage auth", async () => {
+    await withSuiteHome(async (home) => {
+      await writeAuthProfiles(home, {
+        "anthropic:default": {
+          type: "token",
+          provider: "anthropic",
+          token: "default-token",
+        },
+        "anthropic:work": {
+          type: "token",
+          provider: "anthropic",
+          token: "work-token",
+        },
+      });
+      await writeProfileOrder(home, "anthropic", ["anthropic:default"]);
+
+      const auths = await resolveProviderAuths({
+        providers: ["anthropic"],
+        agentDir: agentDirForHome(home),
+        config: {},
+        env: buildSuiteEnv(home),
+        preferredProfileIds: { anthropic: "anthropic:work" },
+      });
+      expect(auths).toEqual([{ provider: "anthropic", token: "work-token" }]);
+    });
+  });
+
+  it("ignores a preferred usage profile id owned by another provider", async () => {
+    await withSuiteHome(async (home) => {
+      await writeAuthProfiles(home, {
+        "anthropic:default": {
+          type: "token",
+          provider: "anthropic",
+          token: "anthropic-token",
+        },
+        "zai:work": {
+          type: "token",
+          provider: "zai",
+          token: "wrong-provider-token",
+        },
+      });
+      await writeProfileOrder(home, "anthropic", ["anthropic:default"]);
+
+      const auths = await resolveProviderAuths({
+        providers: ["anthropic"],
+        agentDir: agentDirForHome(home),
+        config: {},
+        env: buildSuiteEnv(home),
+        preferredProfileIds: { anthropic: "zai:work" },
+      });
+      expect(auths).toEqual([{ provider: "anthropic", token: "anthropic-token" }]);
+    });
+  });
+
+  it("preserves preferred profile ids across provider override usage lookups", async () => {
+    await withSuiteHome(async (home) => {
+      await writeAuthProfiles(home, {
+        "minimax-portal:work": {
+          type: "oauth",
+          provider: "minimax-portal",
+          token: "portal-token",
+          accountId: "portal-account",
+        },
+      });
+
+      const auths = await resolveProviderAuths({
+        providers: ["minimax"],
+        agentDir: agentDirForHome(home),
+        config: {},
+        env: buildSuiteEnv(home),
+        preferredProfileIds: { minimax: "minimax-portal:work" },
+      });
+      expect(auths).toEqual([
+        { provider: "minimax", token: "portal-token", accountId: "portal-account" },
+      ]);
+    });
+  });
+
   it("skips api_key entries in oauth token resolution order", async () => {
     await withSuiteHome(async (home) => {
       await writeAuthProfiles(home, {
diff --git a/src/infra/provider-usage.auth.ts b/src/infra/provider-usage.auth.ts
@@ -81,10 +81,9 @@ function hasProviderAuthEnvCredentialSource(params: {
 }): boolean {
   const candidates = resolveProviderAuthEnvVarCandidates({
     config: params.state.cfg,
-    env: {
-      ...(process.env.VITEST ? process.env : {}),
-      ...params.state.env,
-    },
+    env: process.env.VITEST
+      ? { ...process.env, ...params.state.env }
+      : { ...params.state.env },
   });
   for (const providerId of normalizeProviderIds(params.providerIds)) {
     const envVars = Object.hasOwn(candidates, providerId) ? candidates[providerId] : undefined;
@@ -207,17 +206,27 @@ function resolveUsageCredentialProviderIds(params: {
 async function resolveOAuthToken(params: {
   state: UsageAuthState;
   provider: string;
+  preferredProfileId?: string;
 }): Promise<ProviderAuth | null> {
   if (!params.state.allowAuthProfileStore) {
     return null;
   }
   const store = resolveUsageAuthStore(params.state);
+  const preferredProfileId = params.preferredProfileId?.trim();
+  const preferredProfile = preferredProfileId ? store.profiles[preferredProfileId] : undefined;
+  const normalizedProvider = normalizeProviderId(params.provider);
   const order = resolveAuthProfileOrder({
     cfg: params.state.cfg,
     store,
     provider: params.provider,
   });
-  const deduped = dedupeProfileIds(order);
+  const deduped = dedupeProfileIds(
+    preferredProfileId &&
+      preferredProfile &&
+      normalizeProviderId(preferredProfile.provider) === normalizedProvider
+      ? [preferredProfileId, ...order]
+      : order,
+  );
 
   for (const profileId of deduped) {
     const cred = store.profiles[profileId];
@@ -236,14 +245,19 @@ async function resolveOAuthToken(params: {
       if (!resolved) {
         continue;
       }
-      return {
+      const auth: ProviderAuth = {
         provider: params.provider as UsageProviderId,
         token: resolved.apiKey,
-        accountId:
-          cred.type === "oauth" && "accountId" in cred
-            ? (cred as { accountId?: string }).accountId
-            : undefined,
       };
+      if (
+        cred.type === "oauth" &&
+        "accountId" in cred &&
+        typeof (cred as { accountId?: string }).accountId === "string" &&
+        (cred as { accountId?: string }).accountId
+      ) {
+        auth.accountId = (cred as { accountId?: string }).accountId;
+      }
+      return auth;
     } catch {
       // ignore
     }
@@ -255,6 +269,7 @@ async function resolveOAuthToken(params: {
 async function resolveProviderUsageAuthViaPlugin(params: {
   state: UsageAuthState;
   provider: UsageProviderId;
+  preferredProfileId?: string;
 }): Promise<ProviderAuth | null> {
   const resolved = await resolveProviderUsageAuthWithPlugin({
     provider: params.provider,
@@ -275,33 +290,41 @@ async function resolveProviderUsageAuthViaPlugin(params: {
         const auth = await resolveOAuthToken({
           state: params.state,
           provider: options?.provider ?? params.provider,
+          preferredProfileId: params.preferredProfileId,
         });
-        return auth
-          ? {
-              token: auth.token,
-              ...(auth.accountId ? { accountId: auth.accountId } : {}),
-            }
-          : null;
+        if (!auth) {
+          return null;
+        }
+        const resolvedAuth: { token: string; accountId?: string } = { token: auth.token };
+        if (auth.accountId) {
+          resolvedAuth.accountId = auth.accountId;
+        }
+        return resolvedAuth;
       },
     },
   });
   if (!resolved?.token) {
     return null;
   }
-  return {
+  const auth: ProviderAuth = {
     provider: params.provider,
     token: resolved.token,
-    ...(resolved.accountId ? { accountId: resolved.accountId } : {}),
   };
+  if (resolved.accountId) {
+    auth.accountId = resolved.accountId;
+  }
+  return auth;
 }
 
 async function resolveProviderUsageAuthFallback(params: {
   state: UsageAuthState;
   provider: UsageProviderId;
+  preferredProfileId?: string;
 }): Promise<ProviderAuth | null> {
   const oauthToken = await resolveOAuthToken({
     state: params.state,
     provider: params.provider,
+    preferredProfileId: params.preferredProfileId,
   });
   if (oauthToken) {
     return oauthToken;
@@ -356,6 +379,7 @@ export async function resolveProviderAuths(params: {
   agentDir?: string;
   config?: OpenClawConfig;
   env?: NodeJS.ProcessEnv;
+  preferredProfileIds?: Partial<Record<UsageProviderId, string | undefined>>;
   skipPluginAuthWithoutCredentialSource?: boolean;
 }): Promise<ProviderAuth[]> {
   if (params.auth) {
@@ -381,6 +405,7 @@ export async function resolveProviderAuths(params: {
       const pluginAuth = await resolveProviderUsageAuthViaPlugin({
         state: authProfileSourceState,
         provider,
+        preferredProfileId: params.preferredProfileIds?.[provider],
       });
       if (pluginAuth) {
         auths.push(pluginAuth);
@@ -389,6 +414,7 @@ export async function resolveProviderAuths(params: {
       const fallbackAuth = await resolveProviderUsageAuthFallback({
         state: authProfileSourceState,
         provider,
+        preferredProfileId: params.preferredProfileIds?.[provider],
       });
       if (fallbackAuth) {
         auths.push(fallbackAuth);
@@ -433,6 +459,7 @@ export async function resolveProviderAuths(params: {
       const pluginAuth = await resolveProviderUsageAuthViaPlugin({
         state,
         provider,
+        preferredProfileId: params.preferredProfileIds?.[provider],
       });
       if (pluginAuth) {
         auths.push(pluginAuth);
@@ -442,6 +469,7 @@ export async function resolveProviderAuths(params: {
     const fallbackAuth = await resolveProviderUsageAuthFallback({
       state,
       provider,
+      preferredProfileId: params.preferredProfileIds?.[provider],
     });
     if (fallbackAuth) {
       auths.push(fallbackAuth);
diff --git a/src/infra/provider-usage.load.ts b/src/infra/provider-usage.load.ts
@@ -40,6 +40,7 @@ type UsageSummaryOptions = {
   config?: OpenClawConfig;
   env?: NodeJS.ProcessEnv;
   fetch?: typeof fetch;
+  preferredProfileIds?: Partial<Record<UsageProviderId, string | undefined>>;
   skipPluginAuthWithoutCredentialSource?: boolean;
 };
 
@@ -97,6 +98,7 @@ export async function loadProviderUsageSummary(
     agentDir: opts.agentDir,
     config,
     env,
+    preferredProfileIds: opts.preferredProfileIds,
     skipPluginAuthWithoutCredentialSource: opts.skipPluginAuthWithoutCredentialSource,
   });
   if (auths.length === 0) {
diff --git a/src/infra/secret-file.ts b/src/infra/secret-file.ts
@@ -1,31 +1,17 @@
 import "./fs-safe-defaults.js";
-import {
-  readSecretFileSync as readSecretFileSyncImpl,
-  tryReadSecretFileSync as tryReadSecretFileSyncImpl,
-} from "@openclaw/fs-safe/secret";
+import { readSecretFileSync as readSecretFileSyncImpl } from "@openclaw/fs-safe/secret";
 import { resolveUserPath } from "../utils.js";
 
 export {
   DEFAULT_SECRET_FILE_MAX_BYTES,
   PRIVATE_SECRET_DIR_MODE,
   PRIVATE_SECRET_FILE_MODE,
   readSecretFileSync,
+  tryReadSecretFileSync,
   type SecretFileReadOptions,
 } from "@openclaw/fs-safe/secret";
 export { writeSecretFileAtomic as writePrivateSecretFileAtomic } from "@openclaw/fs-safe/secret";
 
-export function tryReadSecretFileSync(
-  filePath: string | undefined,
-  label: string,
-  options: Parameters<typeof tryReadSecretFileSyncImpl>[2] = {},
-): string | undefined {
-  try {
-    return tryReadSecretFileSyncImpl(filePath, label, options);
-  } catch {
-    return undefined;
-  }
-}
-
 export type SecretFileReadResult =
   | {
       ok: true;
diff --git a/src/status/status-text.ts b/src/status/status-text.ts
