docs: document auth profile store helpers

steipete · steipete · commit ef17cecca945 · 2026-06-03T22:51:20.000-04:00
diff --git a/src/agents/auth-profiles.runtime.ts b/src/agents/auth-profiles.runtime.ts
@@ -1,7 +1,10 @@
 import { ensureAuthProfileStore as ensureAuthProfileStoreImpl } from "./auth-profiles/store.js";
 
+// Runtime seam for auth-profile store loading. Tests can stub this facade without
+// importing the full auth profile store implementation.
 type EnsureAuthProfileStore = typeof import("./auth-profiles/store.js").ensureAuthProfileStore;
 
+/** Ensure an auth-profile store using the production store implementation. */
 export function ensureAuthProfileStore(
   ...args: Parameters<EnsureAuthProfileStore>
 ): ReturnType<EnsureAuthProfileStore> {
diff --git a/src/agents/auth-profiles/external-cli-auth-selection.ts b/src/agents/auth-profiles/external-cli-auth-selection.ts
@@ -8,8 +8,12 @@ import { resolveProviderIdForAuth } from "../provider-auth-aliases.js";
 import { CLAUDE_CLI_PROFILE_ID } from "./constants.js";
 import type { AuthProfileStore } from "./types.js";
 
+// Resolves which external CLI auth overlays are relevant for the currently
+// selected provider/model/profile. This keeps runtime discovery scoped to the
+// selected auth path instead of scanning every CLI profile.
 const CLAUDE_CLI_PROVIDER_ID = "claude-cli";
 
+/** Resolve external CLI overlay scope from the user's auth/model selection. */
 export function resolveExternalCliAuthOverlayScopeFromSelection(params: {
   provider: string;
   cfg?: OpenClawConfig;
@@ -49,6 +53,8 @@ export function resolveExternalCliAuthOverlayScopeFromSelection(params: {
   return {
     ...(providerIds.length > 0 ? { providerIds } : {}),
     ignoreAutoPreferredProfile:
+      // Claude CLI should not auto-prefer a profile when runtime selection has
+      // already chosen Claude CLI and the user did not lock a profile.
       !params.userLockedAuthProfileId && selectedProvider === CLAUDE_CLI_PROVIDER_ID,
   };
 }
@@ -64,6 +70,8 @@ function resolveExternalCliAuthScopeFromAuthSelection(params: {
   selectedProviderId?: string;
 } {
   if (params.userLockedAuthProfileId) {
+    // Locked profile id means discovery should be scoped to that exact profile's
+    // compatible external CLI provider, if any.
     const providerId = resolveExternalCliProviderIdForCompatibleAuthProfile({
       ...params,
       profileId: params.userLockedAuthProfileId,
@@ -124,7 +132,8 @@ function resolveExternalCliAuthScopeFromAuthSelection(params: {
   return {
     providerIds: uniqueProviderIds,
     ...(compatibleProfileCount === 1 && uniqueProviderIds[0]
-      ? { selectedProviderId: uniqueProviderIds[0] }
+      ? // Without explicit order, select only when compatibility is unambiguous.
+        { selectedProviderId: uniqueProviderIds[0] }
       : {}),
   };
 }
diff --git a/src/agents/auth-profiles/legacy-oauth-ref.ts b/src/agents/auth-profiles/legacy-oauth-ref.ts
@@ -1,5 +1,7 @@
 import { isRecord } from "@openclaw/normalization-core/record-coerce";
 
+// Legacy OAuth references used by older Codex/OpenClaw credential files. Keep
+// this recognizer strict so migration code only preserves known legacy refs.
 export const LEGACY_OAUTH_REF_SOURCE = "openclaw-credentials";
 export const LEGACY_OAUTH_REF_PROVIDER = "openai-codex";
 
@@ -9,6 +11,7 @@ export type LegacyOAuthRef = {
   id: string;
 };
 
+/** Return true for the legacy OAuth reference shape persisted by older stores. */
 export function isLegacyOAuthRef(value: unknown): value is LegacyOAuthRef {
   if (!isRecord(value)) {
     return false;
diff --git a/src/agents/auth-profiles/oauth-refresh-failure.ts b/src/agents/auth-profiles/oauth-refresh-failure.ts
@@ -2,6 +2,8 @@ import { normalizeProviderId } from "@openclaw/model-catalog-core/provider-id";
 import { sanitizeForLog } from "../../../packages/terminal-core/src/ansi.js";
 import { formatCliCommand } from "../../cli/command-format.js";
 
+// OAuth refresh failure classifiers for status/help text. Providers and reasons
+// are sanitized before being used in logs or suggested commands.
 export type OAuthRefreshFailureReason =
   | "refresh_token_reused"
   | "invalid_grant"
@@ -14,6 +16,7 @@ export type OAuthRefreshFailure = {
   reason: OAuthRefreshFailureReason | null;
 };
 
+/** Error type that carries provider and classified OAuth refresh failure reason. */
 export class OAuthRefreshFailureError extends Error {
   readonly provider: string;
   readonly reason: OAuthRefreshFailureReason | null;
@@ -44,11 +47,13 @@ function extractOAuthRefreshFailureProvider(message: string): string | null {
 }
 
 function sanitizeOAuthRefreshFailureProvider(provider: string | null | undefined): string | null {
+  // Only return normalized provider ids that are safe to embed in shell guidance.
   const sanitized = provider ? sanitizeForLog(provider).replaceAll("`", "").trim() : "";
   const normalized = normalizeProviderId(sanitized);
   return normalized && SAFE_PROVIDER_ID_RE.test(normalized) ? normalized : null;
 }
 
+/** Classify a raw OAuth refresh failure message into a stable reason code. */
 export function classifyOAuthRefreshFailureReason(
   message: string,
 ): OAuthRefreshFailureReason | null {
@@ -71,6 +76,7 @@ export function classifyOAuthRefreshFailureReason(
   return null;
 }
 
+/** Classify provider/reason from a user-facing OAuth refresh failure message. */
 export function classifyOAuthRefreshFailure(message: string): OAuthRefreshFailure | null {
   if (!isOAuthRefreshFailureMessage(message)) {
     return null;
@@ -81,6 +87,7 @@ export function classifyOAuthRefreshFailure(message: string): OAuthRefreshFailur
   };
 }
 
+/** Classify provider/reason from the structured OAuth refresh failure error. */
 export function classifyOAuthRefreshFailureError(err: unknown): OAuthRefreshFailure | null {
   if (!(err instanceof OAuthRefreshFailureError)) {
     return null;
@@ -91,6 +98,7 @@ export function classifyOAuthRefreshFailureError(err: unknown): OAuthRefreshFail
   };
 }
 
+/** Build the login command operators should run after OAuth refresh failure. */
 export function buildOAuthRefreshFailureLoginCommand(provider: string | null | undefined): string {
   const sanitizedProvider = sanitizeOAuthRefreshFailureProvider(provider);
   return sanitizedProvider
diff --git a/src/agents/auth-profiles/store.ts b/src/agents/auth-profiles/store.ts
@@ -43,6 +43,9 @@ import {
 } from "./state.js";
 import type { AuthProfileStore } from "./types.js";
 
+// Auth profile store orchestration. This module merges persisted stores,
+// runtime snapshots, inherited main-agent OAuth profiles, and external CLI
+// overlays while keeping save paths local and secret-safe.
 type LoadAuthProfileStoreOptions = {
   allowKeychainPrompt?: boolean;
   config?: OpenClawConfig;
@@ -108,6 +111,8 @@ function preserveLegacyOAuthRefsOnSave(params: {
     ) {
       continue;
     }
+    // Preserve legacy oauthRef ownership when current save data did not replace
+    // inline OAuth material; otherwise older credential references would be lost.
     nextProfiles ??= { ...params.payload.profiles };
     nextProfiles[profileId] = {
       ...credential,
@@ -159,6 +164,8 @@ function isInheritedMainOAuthCredential(params: {
     return false;
   }
 
+  // Local agent stores can inherit main OAuth credentials. Do not persist the
+  // inherited copy unless the local store actually owns or improves it.
   const mainCredential = loadPersistedAuthProfileStore()?.profiles[params.profileId];
   return (
     mainCredential?.type === "oauth" &&
@@ -308,6 +315,8 @@ function maybeSyncPersistedExternalCliAuthProfiles(params: {
   }
 
   try {
+    // External CLI sync writes only profiles that still match the loaded
+    // baseline, avoiding overwrite of concurrent local auth changes.
     return runAuthProfileWriteTransaction(params.agentDir, (database) => {
       const latestStore = loadPersistedAuthProfileStore(params.agentDir, {
         ...resolvePersistedLoadOptions(params.options),
@@ -373,6 +382,8 @@ function shouldKeepProfileInLocalStore(params: {
     return true;
   }
   if (params.store.runtimeExternalProfileIds?.includes(params.profileId)) {
+    // Runtime external profiles are normally overlays. Persist only when they
+    // have explicit local state or differ from the runtime snapshot.
     const persistedCredential = loadPersistedAuthProfileStore(params.agentDir)?.profiles[
       params.profileId
     ];
@@ -702,6 +713,7 @@ function mergeRuntimeExternalProfileState(params: {
   return merged;
 }
 
+/** Apply an auth store update inside the SQLite write lock. */
 export async function updateAuthProfileStoreWithLock(params: {
   agentDir?: string;
   saveOptions?: SaveAuthProfileStoreOptions;
@@ -725,6 +737,7 @@ export async function updateAuthProfileStoreWithLock(params: {
   }
 }
 
+/** Load the main auth profile store with runtime external profiles overlaid. */
 export function loadAuthProfileStore(): AuthProfileStore {
   const asStore = loadPersistedAuthProfileStore();
   if (asStore) {
@@ -797,6 +810,7 @@ export function loadAuthProfileStoreForRuntime(
   );
 }
 
+/** Load auth profiles for secret resolution without keychain prompts or writes. */
 export function loadAuthProfileStoreForSecretsRuntime(
   agentDir?: string,
   options?: Pick<
@@ -811,6 +825,7 @@ export function loadAuthProfileStoreForSecretsRuntime(
   });
 }
 
+/** Load auth profiles with runtime external profiles removed from the result. */
 export function loadAuthProfileStoreWithoutExternalProfiles(
   agentDir?: string,
   loadOptions?: Pick<LoadAuthProfileStoreOptions, "allowKeychainPrompt">,
@@ -832,6 +847,7 @@ export function loadAuthProfileStoreWithoutExternalProfiles(
   });
 }
 
+/** Ensure an auth store is available, including runtime/external profile overlays. */
 export function ensureAuthProfileStore(
   agentDir?: string,
   options?: {
@@ -862,6 +878,7 @@ export function ensureAuthProfileStore(
   });
 }
 
+/** Ensure an auth store is available without external profile overlays. */
 export function ensureAuthProfileStoreWithoutExternalProfiles(
   agentDir?: string,
   options?: {
@@ -894,6 +911,7 @@ export function ensureAuthProfileStoreWithoutExternalProfiles(
   });
 }
 
+/** Find a persisted credential in the scoped store, falling back to the main store. */
 export function findPersistedAuthProfileCredential(params: {
   agentDir?: string;
   profileId: string;
@@ -913,6 +931,7 @@ export function findPersistedAuthProfileCredential(params: {
   return loadPersistedAuthProfileStore()?.profiles[params.profileId];
 }
 
+/** Resolve which agent dir owns a persisted profile, accounting for inherited OAuth. */
 export function resolvePersistedAuthProfileOwnerAgentDir(params: {
   agentDir?: string;
   profileId: string;
@@ -941,6 +960,7 @@ export function resolvePersistedAuthProfileOwnerAgentDir(params: {
   return mainStore?.profiles[params.profileId] ? undefined : params.agentDir;
 }
 
+/** Load the store shape used when applying local-only auth updates. */
 export function ensureAuthProfileStoreForLocalUpdate(agentDir?: string): AuthProfileStore {
   const options: LoadAuthProfileStoreOptions = { syncExternalCli: false };
   const store = loadAuthProfileStoreForAgent(agentDir, options);
@@ -961,22 +981,26 @@ export function ensureAuthProfileStoreForLocalUpdate(agentDir?: string): AuthPro
 
 export { hasAnyAuthProfileStoreSource, hasLocalAuthProfileStoreSource } from "./source-check.js";
 
+/** Return the current runtime auth-profile snapshot for an agent dir. */
 export function getRuntimeAuthProfileStoreSnapshot(
   agentDir?: string,
 ): AuthProfileStore | undefined {
   return getRuntimeAuthProfileStoreSnapshotImpl(agentDir);
 }
 
+/** Replace runtime auth-profile snapshots, used by tests and prepared runtimes. */
 export function replaceRuntimeAuthProfileStoreSnapshots(
   entries: Array<{ agentDir?: string; store: AuthProfileStore }>,
 ): void {
   replaceRuntimeAuthProfileStoreSnapshotsImpl(entries);
 }
 
+/** Clear all runtime auth-profile snapshots. */
 export function clearRuntimeAuthProfileStoreSnapshots(): void {
   clearRuntimeAuthProfileStoreSnapshotsImpl();
 }
 
+/** Save the auth profile store plus sidecar state, preserving runtime overlay metadata. */
 export function saveAuthProfileStore(
   store: AuthProfileStore,
   agentDir?: string,
