openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/agents/agent-command.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/agents/agent-command.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/agents/auth-profiles/order.test.ts‎
Lines changed: 34 additions & 0 deletions b/‎src/agents/auth-profiles/order.test.ts‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎src/agents/btw.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/agents/btw.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/agents/command/attempt-execution.ts‎
Lines changed: 7 additions & 1 deletion b/‎src/agents/command/attempt-execution.ts‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎src/agents/model-auth-label.ts‎
Lines changed: 29 additions & 7 deletions b/‎src/agents/model-auth-label.ts‎
Lines changed: 29 additions & 7 deletions
diff --git a/‎src/agents/openai-codex-routing.test.ts‎
Lines changed: 91 additions & 0 deletions b/‎src/agents/openai-codex-routing.test.ts‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎src/agents/openai-codex-routing.ts‎
Lines changed: 44 additions & 5 deletions b/‎src/agents/openai-codex-routing.ts‎
Lines changed: 44 additions & 5 deletions
@@ -43,6 +43,7 @@ Docs: https://docs.openclaw.ai
 - Telegram: persist polling updates through restart replay so queued same-topic messages resume in order instead of losing context after a gateway restart. (#82256) Thanks @VACInc.
 - Gateway/Gmail: abort in-flight Gmail watcher startup and hot-reload restarts before shutdown so reloads cannot spawn `gog serve` after the Gateway is closing. Thanks @frankekn.
 - Agents/Codex: fall back to the embedded PI runner when OpenAI's implicit Codex harness preference cannot find a registered Codex plugin, preventing OpenAI-compatible gateway requests from failing with an unregistered harness error. Fixes #82437.
+- Agents/OpenAI: honor `openai-codex:*` entries placed ahead of API-key backups in `auth.order.openai` for explicit OpenAI PI runs, and accept `models auth login --provider openai-codex --device-code` for headless sign-in. Fixes #82521.
 - CLI/channels: install missing externalized same-id channel plugins during `channels add --channel <id>`, so recovery for WhatsApp and other externalized stock channels does not require a separate `plugins enable` step. Fixes #82533.
 - MCP plugin tools: forward host MCP `tools/call` `AbortSignal` through `createPluginToolsMcpHandlers().callTool` into plugin `tool.execute`, so host cancellation actually cancels in-flight plugin tool calls instead of letting them run to completion. Fixes #82424. (#82443) Thanks @joshavant.
 - Plugins: accept deprecated `api.on("deactivate")` registrations as a dated compatibility alias for `gateway_stop`, so external plugin cleanup handlers run on Gateway shutdown while authors get migration guidance.
 
@@ -894,6 +894,7 @@ async function agentCommandInternal(
         const acceptedAuthProviders = listOpenAIAuthProfileProvidersForAgentRuntime({
           provider: providerForAuthProfileValidation,
           harnessRuntime: validationHarnessPolicy.runtime,
+          config: cfg,
         }).map((candidateProvider) =>
           resolveProviderIdForAuth(candidateProvider, { config: cfg, workspaceDir }),
         );
 
@@ -337,6 +337,40 @@ describe("resolveAuthProfileOrder", () => {
     expect(order).toEqual(["openai-codex:personal", "openai:default"]);
   });
 
+  it("keeps Codex profiles listed in the friendly OpenAI order for Codex auth", async () => {
+    const store: AuthProfileStore = {
+      version: 1,
+      profiles: {
+        "openai-codex:personal": {
+          type: "oauth",
+          provider: "openai-codex",
+          access: "access",
+          refresh: "refresh",
+          expires: Date.now() + 60_000,
+        },
+        "openai:backup": {
+          type: "api_key",
+          provider: "openai",
+          key: "sk-platform",
+        },
+      },
+    };
+
+    const order = resolveAuthProfileOrder({
+      cfg: {
+        auth: {
+          order: {
+            openai: ["openai-codex:personal", "openai:backup"],
+          },
+        },
+      },
+      store,
+      provider: "openai-codex",
+    });
+
+    expect(order).toEqual(["openai-codex:personal", "openai:backup"]);
+  });
+
   it("keeps direct OpenAI Codex auth order ahead of the friendly OpenAI alias", async () => {
     const store: AuthProfileStore = {
       version: 1,
 
@@ -256,6 +256,7 @@ async function resolveRuntimeModel(params: {
         agentId: params.agentId,
         sessionKey: params.sessionKey,
       }).runtime,
+      config: params.cfg,
     }),
     agentDir: params.agentDir,
     sessionEntry: params.sessionEntry,
 
@@ -463,6 +463,11 @@ export function runAgentAttempt(params: {
     config: params.cfg,
     workspaceDir: params.workspaceDir,
   });
+  const embeddedPiHarnessOverride =
+    requestedAgentHarnessId ??
+    (agentHarnessPolicy.runtime === "pi" && embeddedPiProvider !== params.providerOverride
+      ? "pi"
+      : undefined);
   if (!isRawModelRun && isCliProvider(cliExecutionProvider, params.cfg)) {
     const cliSessionBinding = getCliSessionBinding(params.sessionEntry, cliExecutionProvider);
     const resolveReusableCliSessionBinding = async () => {
@@ -609,7 +614,8 @@ export function runAgentAttempt(params: {
     sessionFile: params.sessionFile,
     workspaceDir: params.workspaceDir,
     config: params.cfg,
-    agentHarnessId: requestedAgentHarnessId,
+    agentHarnessId: embeddedPiHarnessOverride,
+    agentHarnessRuntimeOverride: embeddedPiHarnessOverride,
     skillsSnapshot: params.skillsSnapshot,
     prompt: effectivePrompt,
     images: params.isFallbackRetry ? undefined : params.opts.images,
 
@@ -7,6 +7,7 @@ import {
   resolveAuthProfileDisplayLabel,
   resolveAuthProfileOrder,
 } from "./auth-profiles.js";
+import { isStoredCredentialCompatibleWithAuthProvider } from "./auth-profiles/order.js";
 import {
   readClaudeCliCredentialsCached,
   readCodexCliCredentialsCached,
@@ -21,6 +22,7 @@ export function resolveModelAuthLabel(params: {
   agentDir?: string;
   workspaceDir?: string;
   includeExternalProfiles?: boolean;
+  acceptedProviderIds?: readonly string[];
 }): string | undefined {
   const resolvedProvider = params.provider?.trim();
   if (!resolvedProvider) {
@@ -39,17 +41,37 @@ export function resolveModelAuthLabel(params: {
           }),
         });
   const profileOverride = params.sessionEntry?.authProfileOverride?.trim();
-  const order = resolveAuthProfileOrder({
-    cfg: params.cfg,
-    store,
-    provider: providerKey,
-    preferredProfile: profileOverride,
-  });
+  const acceptedProviderKeys = [
+    ...new Set(
+      [...(params.acceptedProviderIds ?? []).map(normalizeProviderId), providerKey].filter(Boolean),
+    ),
+  ];
+  const order = [
+    ...new Set(
+      acceptedProviderKeys.flatMap((acceptedProvider) =>
+        resolveAuthProfileOrder({
+          cfg: params.cfg,
+          store,
+          provider: acceptedProvider,
+          preferredProfile: profileOverride,
+        }),
+      ),
+    ),
+  ];
   const candidates = [profileOverride, ...order].filter(Boolean) as string[];
 
   for (const profileId of candidates) {
     const profile = store.profiles[profileId];
-    if (!profile || normalizeProviderId(profile.provider) !== providerKey) {
+    if (
+      !profile ||
+      !acceptedProviderKeys.some((acceptedProvider) =>
+        isStoredCredentialCompatibleWithAuthProvider({
+          cfg: params.cfg,
+          provider: acceptedProvider,
+          credential: profile,
+        }),
+      )
+    ) {
       continue;
     }
     const label = resolveAuthProfileDisplayLabel({
 
@@ -5,6 +5,7 @@ import {
   modelSelectionShouldEnsureCodexPlugin,
   openAIProviderUsesCodexRuntimeByDefault,
   resolveOpenAIRuntimeProviderForPi,
+  resolveSelectedOpenAIPiRuntimeProvider,
 } from "./openai-codex-routing.js";
 
 describe("OpenAI Codex routing policy", () => {
@@ -51,6 +52,96 @@ describe("OpenAI Codex routing policy", () => {
     ).toBe("openai-codex");
   });
 
+  it("keeps explicit OpenAI PI Codex auth order ahead of API-key backups", () => {
+    const config = {
+      auth: {
+        order: {
+          openai: ["openai-codex:work", "openai:backup"],
+        },
+      },
+    } satisfies OpenClawConfig;
+
+    expect(
+      listOpenAIAuthProfileProvidersForAgentRuntime({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toEqual(["openai-codex", "openai"]);
+    expect(
+      resolveSelectedOpenAIPiRuntimeProvider({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toBe("openai-codex");
+    expect(
+      resolveOpenAIRuntimeProviderForPi({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toBe("openai");
+  });
+
+  it("keeps explicit OpenAI PI API-key auth order ahead of Codex backups", () => {
+    const config = {
+      auth: {
+        order: {
+          openai: ["openai:backup", "openai-codex:work"],
+        },
+      },
+    } satisfies OpenClawConfig;
+
+    expect(
+      listOpenAIAuthProfileProvidersForAgentRuntime({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toEqual(["openai", "openai-codex"]);
+    expect(
+      resolveSelectedOpenAIPiRuntimeProvider({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toBe("openai");
+  });
+
+  it("does not route custom OpenAI-compatible PI configs through Codex auth order", () => {
+    const config = {
+      models: {
+        providers: {
+          openai: {
+            baseUrl: "https://proxy.example.test/v1",
+            models: [],
+          },
+        },
+      },
+      auth: {
+        order: {
+          openai: ["openai-codex:work", "openai:backup"],
+        },
+      },
+    } satisfies OpenClawConfig;
+
+    expect(
+      listOpenAIAuthProfileProvidersForAgentRuntime({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toEqual(["openai", "openai-codex"]);
+    expect(
+      resolveSelectedOpenAIPiRuntimeProvider({
+        provider: "openai",
+        harnessRuntime: "pi",
+        config,
+      }),
+    ).toBe("openai");
+  });
+
   it("validates Codex harness auth through the Codex provider contract", () => {
     expect(
       listOpenAIAuthProfileProvidersForAgentRuntime({
 
@@ -2,7 +2,7 @@ import type { OpenClawConfig } from "../config/types.openclaw.js";
 import { normalizeOptionalLowercaseString } from "../shared/string-coerce.js";
 import { normalizeEmbeddedAgentRuntime } from "./pi-embedded-runner/runtime.js";
 import { resolveProviderIdForAuth } from "./provider-auth-aliases.js";
-import { normalizeProviderId } from "./provider-id.js";
+import { findNormalizedProviderValue, normalizeProviderId } from "./provider-id.js";
 
 export const OPENAI_PROVIDER_ID = "openai";
 export const OPENAI_CODEX_PROVIDER_ID = "openai-codex";
@@ -78,6 +78,20 @@ export function hasOpenAICodexAuthProfileOverride(value: unknown): boolean {
   );
 }
 
+function configuredOpenAIAuthOrderStartsWithCodexProfile(config: OpenClawConfig | undefined) {
+  if (!openAIProviderUsesCodexRuntimeByDefault({ provider: OPENAI_PROVIDER_ID, config })) {
+    return false;
+  }
+  const configuredOpenAIOrder = findNormalizedProviderValue(
+    config?.auth?.order,
+    OPENAI_PROVIDER_ID,
+  );
+  const firstProfile = configuredOpenAIOrder?.find(
+    (profileId) => typeof profileId === "string" && profileId.trim().length > 0,
+  );
+  return hasOpenAICodexAuthProfileOverride(firstProfile);
+}
+
 export function shouldRouteOpenAIPiThroughCodexAuthProvider(params: {
   provider: string;
   harnessRuntime?: string;
@@ -87,16 +101,16 @@ export function shouldRouteOpenAIPiThroughCodexAuthProvider(params: {
   config?: OpenClawConfig;
   workspaceDir?: string;
 }): boolean {
-  if (
-    !isOpenAIProvider(params.provider) ||
-    !hasOpenAICodexAuthProfileOverride(params.authProfileId)
-  ) {
+  if (!isOpenAIProvider(params.provider)) {
     return false;
   }
   const runtime = normalizeEmbeddedAgentRuntime(params.agentHarnessId ?? params.harnessRuntime);
   if (runtime !== "pi") {
     return false;
   }
+  if (!hasOpenAICodexAuthProfileOverride(params.authProfileId)) {
+    return false;
+  }
   const aliasLookupParams = {
     config: params.config,
     workspaceDir: params.workspaceDir,
@@ -112,6 +126,7 @@ export function listOpenAIAuthProfileProvidersForAgentRuntime(params: {
   provider: string;
   harnessRuntime?: string;
   agentHarnessId?: string;
+  config?: OpenClawConfig;
 }): string[] {
   if (!isOpenAIProvider(params.provider)) {
     return [params.provider];
@@ -123,6 +138,9 @@ export function listOpenAIAuthProfileProvidersForAgentRuntime(params: {
     return [OPENAI_CODEX_PROVIDER_ID];
   }
   if (runtime === "pi") {
+    if (configuredOpenAIAuthOrderStartsWithCodexProfile(params.config)) {
+      return [OPENAI_CODEX_PROVIDER_ID, OPENAI_PROVIDER_ID];
+    }
     return [OPENAI_PROVIDER_ID, OPENAI_CODEX_PROVIDER_ID];
   }
   return [params.provider];
@@ -150,6 +168,27 @@ export function resolveOpenAIRuntimeProviderForPi(params: {
     : params.provider;
 }
 
+export function resolveSelectedOpenAIPiRuntimeProvider(params: {
+  provider: string;
+  harnessRuntime?: string;
+  agentHarnessId?: string;
+  authProfileProvider?: string;
+  authProfileId?: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+}): string {
+  if (shouldRouteOpenAIPiThroughCodexAuthProvider(params)) {
+    return OPENAI_CODEX_PROVIDER_ID;
+  }
+  const runtime = normalizeEmbeddedAgentRuntime(params.agentHarnessId ?? params.harnessRuntime);
+  return isOpenAIProvider(params.provider) &&
+    runtime === "pi" &&
+    !params.authProfileId?.trim() &&
+    configuredOpenAIAuthOrderStartsWithCodexProfile(params.config)
+    ? OPENAI_CODEX_PROVIDER_ID
+    : params.provider;
+}
+
 export function resolveContextConfigProviderForRuntime(params: {
   provider: string;
   runtimeId?: string;