Legacy manual openai-codex provider override breaks Codex OAuth after #37558 / #38026; doctor should detect and fix

[sene1337]

Summary

Users who manually configured models.providers.openai-codex before the recent Codex OAuth fixes can remain broken even after upgrading to a version that includes:

• fix(auth): remove bogus codex oauth responses probe #37558 — remove bogus codex oauth responses probe
• fix(openai): Enable gpt-5.4 support via Chat Completions fallback on scope error #38026 — enable GPT-5.4 support via Chat Completions fallback on scope error

In our case, Codex OAuth continued failing until we manually removed the legacy openai-codex provider override from openclaw.json.

Once that override was removed, openai-codex/gpt-5.4 worked immediately.

This appears to be a stale manual-config shadowing problem, not a fresh OAuth bug.

Why this matters

A lot of users likely manually set up Codex weeks ago during the period when people were experimenting with:

• ChatGPT/Codex OAuth
• custom models.providers.openai-codex
• explicit baseUrl
• explicit api
• manually defined gpt-5.3-codex / related model entries

Those manual overrides can survive upgrades and silently block the newer built-in Codex OAuth provider behavior.

So the upstream fixes may be present, but affected users still stay broken.

Environment

• macOS
• local gateway
• openai-codex:default auth profile with mode: "oauth"
• primary model set to openai-codex/gpt-5.4
• upgraded from an older manual-Codex-config era setup

Symptoms

Before removing the override:

• Codex appeared configured correctly
• requests failed with 401 / scope-related behavior
• model often fell through to fallback providers
• behavior looked like “Codex OAuth still broken”

After removing the override:

• same auth profile
• same account
• same target model
• openai-codex/gpt-5.4 worked immediately

Root cause

We had a legacy manual config block under:

models.providers.openai-codex

That override was still forcing the old explicit provider shape, instead of letting the built-in Codex OAuth provider synthesize the correct behavior after the recent fixes.

Repro sketch

1. On an older OpenClaw version, manually configure models.providers.openai-codex
2. Add explicit base URL / API / model entries for Codex
3. Upgrade OpenClaw to a version containing fix(auth): remove bogus codex oauth responses probe #37558 and fix(openai): Enable gpt-5.4 support via Chat Completions fallback on scope error #38026
4. Re-auth Codex OAuth
5. Try openai-codex/gpt-5.4
6. Observe failure / fallback behavior
7. Remove the manual models.providers.openai-codex override
8. Retry
9. Observe success

Expected behavior

OpenClaw should detect that a legacy manual openai-codex provider override may be shadowing the built-in OAuth provider and do one of:

1. Warn loudly

   • “Legacy manual models.providers.openai-codex override detected. This may break built-in Codex OAuth behavior after recent fixes.”

2. Offer an automatic migration

   • remove or rewrite stale openai-codex provider config to the supported modern form

3. Teach openclaw doctor to catch this

   • detect manual models.providers.openai-codex
   • check whether an OAuth profile exists for openai-codex
   • warn if the manual override is likely shadowing the built-in provider
   • suggest or optionally apply a fix

Strong suggestion: update openclaw doctor

This feels like exactly the kind of thing doctor should catch.

Suggested doctor check:

• if auth.profiles contains an OAuth profile for openai-codex
• and config also contains a manual models.providers.openai-codex
• then warn that the manual override may be stale and may block the built-in Codex OAuth provider

Suggested output:

Detected manual models.providers.openai-codex override alongside Codex OAuth auth profile.
This may be a legacy configuration that shadows the built-in Codex OAuth provider.
Recent Codex OAuth fixes may not apply until this override is removed or migrated.

Even better: doctor --fix could offer to back up config and remove the stale override automatically.

Related fixes / context

This issue looks like a downstream / legacy-config follow-up to:

• fix(auth): remove bogus codex oauth responses probe #37558
• fix(openai): Enable gpt-5.4 support via Chat Completions fallback on scope error #38026

Those fixes appear to solve the runtime/provider logic, but users with older manual Codex config can still be stuck because their config shadows the repaired built-in path.

Workaround

Remove the manual models.providers.openai-codex override from config and restart OpenClaw.

In our case, that was the key step that made openai-codex/gpt-5.4 start working.

[sene1337]

Related context: this looks like a downstream legacy-config follow-up to #37558 and #38026. Those fixes seem right, but older manual overrides can still shadow the repaired built-in Codex OAuth path after upgrade.

[sene1337]

Formatting correction + extra context:

The stale key is models.providers.openai-codex.

If a user manually configured that provider in the pre-fix era, it can keep shadowing the built-in Codex OAuth provider after upgrade until removed.

[dougbtv]

I've been wrestling my codex auth in 2026.03.06 and 2026.03.08.

I did indeed have models.providers.openai-codex -- I tried clearing it, re-authing, no dice, still getting some scope errors.

my agent wanted to tell you that:

  ---                                                                                                                                                                                                            
  Update: Tested cleanup + re-auth on 2026.3.8
                                                                                                                                                                                                                 
  Following the guidance from this issue, we cleaned up the legacy models.providers.openai-codex override and re-authenticated with fresh Codex OAuth on 2026.3.8. Results:

  What we did:
  1. ✅ Removed legacy models.providers.openai-codex from ~/.openclaw/openclaw.json
  2. ✅ Deleted and regenerated ~/.openclaw/agents/main/agent/models.json (removed cached cruft)
  3. ✅ Backed up and removed existing Codex OAuth credentials from auth-profiles.json
  4. ✅ Re-authenticated via openclaw login openai-codex (fresh OAuth flow)
  5. ✅ Upgraded to OpenClaw 2026.3.8

  Current behavior:
  - Gateway starts with openai-codex/gpt-5.4 configured
  - All requests silently fall back to openai/gpt-5.4 via API key
  - No errors logged, but Codex provider never used

  Root cause:
  The fresh OAuth token is still missing the model.request scope:
  "scp": ["openid", "profile", "email", "offline_access"]

  Decoded the JWT from the fresh OAuth flow - it only has identity scopes, not API scopes. This matches the original symptom from earlier reports.

  Conclusion:
  - Removing the legacy override fixed the shadowing issue (good!)
  - But Codex OAuth still doesn't work because the OAuth flow itself doesn't request the right scopes
  - PR #38026 (Chat Completions fallback on scope error) was closed, not merged
  - Current workaround: use openai/gpt-5.4 via API key (automatic fallback)

  Suggestion:
  PR #40143 will help detect stale overrides, but there's a deeper issue: the built-in Codex OAuth flow needs to request model.request scope during the authorization URL construction.

[steipete]

Closing this as implemented after Codex review.

Current main already teaches openclaw doctor to detect legacy models.providers.openai-codex transport overrides that shadow Codex OAuth, emits a targeted warning, covers both configured and stored OAuth profiles in tests, and documents the behavior. The changelog tracks this as PR #40143 under Unreleased, so it is implemented on main but not yet in a tagged release.

What I checked:

• Doctor warning implementation: noteLegacyCodexProviderOverride detects legacy openai-responses / openai-completions transport overrides under models.providers.openai-codex, checks for configured or stored Codex OAuth, and emits a warning telling users to remove or rewrite the stale override. (src/commands/doctor-auth.ts:32, 86fa8eeb68c6)
• Doctor flow wiring: The doctor health flow imports and calls noteLegacyCodexProviderOverride(ctx.cfg) during normal doctor execution. (src/flows/doctor-health-contributions.ts:90, bfa6708c03f2)
• Regression coverage: E2E-style doctor tests cover warnings for configured OAuth, stored OAuth, inline model-level legacy transport overrides, and non-warning cases for custom proxies. (src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts:178, 86fa8eeb68c6)
• Docs + changelog: Doctor docs now describe the Codex OAuth provider-override warning, and the changelog records the exact behavior as #40143 under Unreleased, which means it has not shipped in a tagged release yet. Public docs: docs/gateway/doctor.md. (docs/gateway/doctor.md:249, 86fa8eeb68c6)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against bfa6708c03f2; fix evidence: commit 86fa8eeb68c6.