Skip to content

Commit 58f1db1

Browse files
ragesaqPsiClawOpssteipete
authored
Fix OpenAI Codex runtime provider routing (#82864)
* fix: route Codex OpenAI runtime through Codex provider * docs: add Codex routing evidence collection * fix(agents): bootstrap OAuth credentials for Codex harness with openai/* model refs When a plugin harness (e.g. Codex) owns its transport but the runtime plan resolved to openai-codex via agentRuntime.id: codex, the auth profile store was left empty because pluginHarnessOwnsTransport short- circuited initializeAuthProfile(). This caused 'No API key found for openai-codex' at runtime even though the OAuth profile existed in OpenClaw's store. - Add pluginHarnessNeedsOpenClawAuthBootstrap flag when harness owns transport but the provider is openai-codex and the API is openai-codex- responses - Populate authStore and attemptAuthProfileStore from OpenClaw's profile store in this case - Run initializeAuthProfile() to forward the OAuth token into the harness - Update overflow-compaction tests to expect 'openai-codex' provider and add dedicated test for OAuth bootstrap path * fix(agents): refresh Codex OAuth credentials on profile rotation --------- Co-authored-by: PsiClawOps <267826480+PsiClawOps@users.noreply.github.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
1 parent 451563b commit 58f1db1

5 files changed

Lines changed: 352 additions & 25 deletions

File tree

docs/plugins/codex-harness.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -658,6 +658,36 @@ installed and enabled. If you need strict proof while testing, set provider or
658658
model `agentRuntime.id: "codex"`. A forced Codex runtime fails instead of
659659
falling back to PI.
660660

661+
**OpenAI Codex runtime falls back to the API-key path:** collect a redacted
662+
gateway excerpt that shows the model, runtime, selected provider, and failure.
663+
Ask affected collaborators to run this read-only command on their OpenClaw host:
664+
665+
```bash
666+
(
667+
pattern='openai/gpt-5\.[45]|agentRuntime(\.id)?|harnessRuntime|Runtime: OpenAI Codex|openai-codex|resolveSelectedOpenAIPiRuntimeProvider|candidateProvider[": ]+openai|status[": ]+401|Incorrect API key|No API key|api-key path|API-key path|OAuth'
668+
669+
if ls /tmp/openclaw/openclaw-*.log >/dev/null 2>&1; then
670+
grep -E -i -n "$pattern" /tmp/openclaw/openclaw-*.log 2>/dev/null || true
671+
else
672+
journalctl --user -u openclaw-gateway --since today --no-pager 2>/dev/null \
673+
| grep -E -i "$pattern" || true
674+
fi
675+
) | sed -E \
676+
-e 's/(Authorization: Bearer )[A-Za-z0-9._~+\/-]+/\1[REDACTED]/Ig' \
677+
-e 's/(Bearer )[A-Za-z0-9._~+\/-]+/\1[REDACTED]/Ig' \
678+
-e 's/(api[_ -]?key[=: ]+)[^ ,}"]+/\1[REDACTED]/Ig' \
679+
-e 's/(OPENAI_API_KEY[=: ]+)[^ ,}"]+/\1[REDACTED]/Ig' \
680+
-e 's/sk-[A-Za-z0-9_-]{12,}/sk-[REDACTED]/g' \
681+
-e 's/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/[EMAIL-REDACTED]/g' \
682+
| tail -200
683+
```
684+
685+
Useful excerpts usually include `openai/gpt-5.5` or `openai/gpt-5.4`,
686+
`Runtime: OpenAI Codex`, `agentRuntime.id` or `harnessRuntime`,
687+
`candidateProvider: "openai"`, and a `401`, `Incorrect API key`, or
688+
`No API key` result. A corrected run should show the `openai-codex` OAuth
689+
path instead of a plain OpenAI API-key failure.
690+
661691
**Legacy `openai-codex/*` config remains:** run `openclaw doctor --fix`.
662692
Doctor rewrites legacy model refs to `openai/*`, removes stale session and
663693
whole-agent runtime pins, and preserves existing auth-profile overrides.

src/agents/openai-codex-routing.test.ts

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -150,4 +150,22 @@ describe("OpenAI Codex routing policy", () => {
150150
}),
151151
).toEqual(["openai-codex"]);
152152
});
153+
154+
it("routes openai provider to openai-codex when harness runtime is codex", () => {
155+
expect(
156+
resolveSelectedOpenAIPiRuntimeProvider({
157+
provider: "openai",
158+
harnessRuntime: "codex",
159+
}),
160+
).toBe("openai-codex");
161+
});
162+
163+
it("does not route non-OpenAI providers when runtime is codex", () => {
164+
expect(
165+
resolveSelectedOpenAIPiRuntimeProvider({
166+
provider: "anthropic",
167+
harnessRuntime: "codex",
168+
}),
169+
).toBe("anthropic");
170+
});
153171
});

src/agents/openai-codex-routing.ts

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -181,8 +181,13 @@ export function resolveSelectedOpenAIPiRuntimeProvider(params: {
181181
return OPENAI_CODEX_PROVIDER_ID;
182182
}
183183
const runtime = normalizeEmbeddedAgentRuntime(params.agentHarnessId ?? params.harnessRuntime);
184-
return isOpenAIProvider(params.provider) &&
185-
runtime === "pi" &&
184+
if (!isOpenAIProvider(params.provider)) {
185+
return params.provider;
186+
}
187+
if (runtime === "codex") {
188+
return OPENAI_CODEX_PROVIDER_ID;
189+
}
190+
return runtime === "pi" &&
186191
!params.authProfileId?.trim() &&
187192
configuredOpenAIAuthOrderStartsWithCodexProfile(params.config)
188193
? OPENAI_CODEX_PROVIDER_ID

0 commit comments

Comments
 (0)