openclaw
diff --git a/‎docs/concepts/model-failover.md‎
Lines changed: 7 additions & 7 deletions b/‎docs/concepts/model-failover.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎docs/gateway/authentication.md‎
Lines changed: 5 additions & 5 deletions b/‎docs/gateway/authentication.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎scripts/deadcode-unused-files.allowlist.mjs‎
Lines changed: 0 additions & 3 deletions b/‎scripts/deadcode-unused-files.allowlist.mjs‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎src/agents/agent-auth-discovery-core.ts‎
Lines changed: 0 additions & 47 deletions b/‎src/agents/agent-auth-discovery-core.ts‎
Lines changed: 0 additions & 47 deletions
diff --git a/‎src/agents/agent-auth-discovery.external-cli.test.ts‎
Lines changed: 0 additions & 1 deletion b/‎src/agents/agent-auth-discovery.external-cli.test.ts‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/agents/agent-auth-discovery.ts‎
Lines changed: 1 addition & 4 deletions b/‎src/agents/agent-auth-discovery.ts‎
Lines changed: 1 addition & 4 deletions
@@ -108,10 +108,10 @@ These notices are operational messages, not assistant content. They are delivere
 
 OpenClaw uses **auth profiles** for both API keys and OAuth tokens.
 
-- Secrets live in `~/.openclaw/agents/<agentId>/agent/auth-profiles.json` (legacy: `~/.openclaw/agent/auth-profiles.json`).
-- Runtime auth-routing state lives in `~/.openclaw/agents/<agentId>/agent/auth-state.json`.
+- Secrets and runtime auth-routing state live in `~/.openclaw/agents/<agentId>/agent/openclaw-agent.sqlite`.
 - Config `auth.profiles` / `auth.order` are **metadata + routing only** (no secrets).
-- Legacy import-only OAuth file: `~/.openclaw/credentials/oauth.json` (imported into `auth-profiles.json` on first use).
+- Legacy import-only OAuth file: `~/.openclaw/credentials/oauth.json` (imported into the per-agent auth store on first use).
+- Legacy `auth-profiles.json`, `auth-state.json`, and per-agent `auth.json` files are imported by `openclaw doctor --fix`.
 
 More detail: [OAuth](/concepts/oauth)
 
@@ -127,7 +127,7 @@ OAuth logins create distinct profiles so multiple accounts can coexist.
 - Default: `provider:default` when no email is available.
 - OAuth with email: `provider:<email>` (for example `google-antigravity:user@gmail.com`).
 
-Profiles live in `~/.openclaw/agents/<agentId>/agent/auth-profiles.json` under `profiles`.
+Profiles live in the per-agent `openclaw-agent.sqlite` auth profile store.
 
 ## Rotation order
 
@@ -141,7 +141,7 @@ When a provider has multiple profiles, OpenClaw chooses an order like this:
     `auth.profiles` filtered by provider.
   </Step>
   <Step title="Stored profiles">
-    Entries in `auth-profiles.json` for the provider.
+    Per-agent SQLite auth profile entries for the provider.
   </Step>
 </Steps>
 
@@ -229,7 +229,7 @@ Cooldowns use exponential backoff:
 - 25 minutes
 - 1 hour (cap)
 
-State is stored in `auth-state.json` under `usageStats`:
+State is stored in the per-agent SQLite auth state under `usageStats`:
 
 ```json
 {
@@ -253,7 +253,7 @@ Not every billing-shaped response is `402`, and not every HTTP `402` lands here.
 Meanwhile temporary `402` usage-window and organization/workspace spend-limit errors are classified as `rate_limit` when the message looks retryable (for example `weekly usage limit exhausted`, `daily limit reached, resets tomorrow`, or `organization spending limit exceeded`). Those stay on the short cooldown/failover path instead of the long billing-disable path.
 </Note>
 
-State is stored in `auth-state.json`:
+State is stored in the per-agent SQLite auth state:
 
 ```json
 {
 
@@ -87,13 +87,13 @@ This is a two-step setup:
 If `claude` is not on `PATH`, either install Claude Code first or set
 `agents.defaults.cliBackends.claude-cli.command` to the real binary path.
 
-Manual token entry (any provider; writes `auth-profiles.json` + updates config):
+Manual token entry (any provider; writes the per-agent SQLite auth store + updates config):
 
 ```bash
 openclaw models auth paste-token --provider openrouter
 ```
 
-`auth-profiles.json` stores credentials only. The canonical shape is:
+The auth profile store keeps credentials only. Legacy `auth-profiles.json` files used this canonical shape:
 
 ```json
 {
@@ -108,9 +108,9 @@ openclaw models auth paste-token --provider openrouter
 }
 ```
 
-OpenClaw expects the canonical `version` + `profiles` shape at runtime. If an older install still has a flat file such as `{ "openrouter": { "apiKey": "..." } }`, run `openclaw doctor --fix` to rewrite it as an `openrouter:default` API-key profile; doctor keeps a `.legacy-flat.*.bak` copy beside the original. Endpoint details such as `baseUrl`, `api`, model ids, headers, and timeouts belong under `models.providers.<id>` in `openclaw.json` or `models.json`, not in `auth-profiles.json`.
+OpenClaw now reads auth profiles from each agent's `openclaw-agent.sqlite`. If an older install still has `auth-profiles.json`, `auth-state.json`, or a flat auth profile file such as `{ "openrouter": { "apiKey": "..." } }`, run `openclaw doctor --fix` to import it into SQLite; doctor keeps timestamped backups beside the original JSON files. Endpoint details such as `baseUrl`, `api`, model ids, headers, and timeouts belong under `models.providers.<id>` in `openclaw.json` or `models.json`, not in auth profiles.
 
-External auth routes such as Bedrock `auth: "aws-sdk"` are also not credentials. If you want a named Bedrock route, put `auth.profiles.<id>.mode: "aws-sdk"` in `openclaw.json`; do not write `type: "aws-sdk"` into `auth-profiles.json`. `openclaw doctor --fix` moves legacy AWS SDK markers from the credential store into config metadata.
+External auth routes such as Bedrock `auth: "aws-sdk"` are also not credentials. If you want a named Bedrock route, put `auth.profiles.<id>.mode: "aws-sdk"` in `openclaw.json`; do not write `type: "aws-sdk"` into the auth profile store. `openclaw doctor --fix` moves legacy AWS SDK markers from the credential store into config metadata.
 
 Auth profile refs are also supported for static credentials:
 
@@ -225,7 +225,7 @@ Use `/model` (or `/model list`) for a compact picker; use `/model status` for th
 
 ### Per-agent (CLI override)
 
-Set an explicit auth profile order override for an agent (stored in that agent's `auth-state.json`):
+Set an explicit auth profile order override for an agent (stored in that agent's SQLite auth state):
 
 ```bash
 openclaw models auth order get --provider anthropic
 
@@ -6,9 +6,6 @@ export const KNIP_UNUSED_FILE_ALLOWLIST = [
   // The pending SQLite session/runtime branch wires these files into production.
   "src/agents/cache/agent-cache-store.sqlite.ts",
   "src/agents/cache/agent-cache-store.ts",
-  "src/state/openclaw-agent-db.paths.ts",
-  "src/state/openclaw-agent-db.ts",
-  "src/state/openclaw-agent-schema.generated.ts",
 ];
 
 // Knip can disagree across supported local/CI platforms for files that are
 
@@ -1,8 +1,4 @@
-import fs from "node:fs";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
-import { tryReadJsonSync } from "../infra/json-files.js";
-import { replaceFileAtomicSync } from "../infra/replace-file.js";
-import { isRecord } from "../utils.js";
 import type { AgentCredentialMap } from "./agent-auth-credentials.js";
 import {
   listProviderEnvAuthLookupKeys,
@@ -56,46 +52,3 @@ export function addEnvBackedAgentCredentials(
   }
   return next;
 }
-
-export function scrubLegacyStaticAuthJsonEntriesForDiscovery(pathname: string): void {
-  if (process.env.OPENCLAW_AUTH_STORE_READONLY === "1") {
-    return;
-  }
-  if (!fs.existsSync(pathname)) {
-    return;
-  }
-
-  const parsed = tryReadJsonSync(pathname);
-  if (!isRecord(parsed)) {
-    return;
-  }
-
-  let changed = false;
-  for (const [provider, value] of Object.entries(parsed)) {
-    if (!isRecord(value)) {
-      continue;
-    }
-    if (value.type !== "api_key") {
-      continue;
-    }
-    delete parsed[provider];
-    changed = true;
-  }
-
-  if (!changed) {
-    return;
-  }
-
-  if (Object.keys(parsed).length === 0) {
-    fs.rmSync(pathname, { force: true });
-    return;
-  }
-
-  replaceFileAtomicSync({
-    filePath: pathname,
-    content: `${JSON.stringify(parsed, null, 2)}\n`,
-    dirMode: 0o700,
-    mode: 0o600,
-    tempPrefix: ".agent-auth",
-  });
-}
@@ -15,7 +15,6 @@ const credentialMocks = vi.hoisted(() => ({
 
 const discoveryCoreMocks = vi.hoisted(() => ({
   addEnvBackedAgentCredentials: vi.fn((credentials: unknown) => credentials),
-  scrubLegacyStaticAuthJsonEntriesForDiscovery: vi.fn(),
 }));
 
 const syntheticAuthMocks = vi.hoisted(() => ({
 
@@ -82,7 +82,4 @@ export function resolveAgentCredentialsForDiscovery(
   return credentials;
 }
 
-export {
-  addEnvBackedAgentCredentials,
-  scrubLegacyStaticAuthJsonEntriesForDiscovery,
-} from "./agent-auth-discovery-core.js";
+export { addEnvBackedAgentCredentials } from "./agent-auth-discovery-core.js";
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,4 @@ export function resolveAgentCredentialsForDiscovery(`
`82`	`82`	`return credentials;`
`83`	`83`	`}`
`84`	`84`
`85`		`-export {`
`86`		`- addEnvBackedAgentCredentials,`
`87`		`- scrubLegacyStaticAuthJsonEntriesForDiscovery,`
`88`		`-} from "./agent-auth-discovery-core.js";`
	`85`	`+export { addEnvBackedAgentCredentials } from "./agent-auth-discovery-core.js";`