[Bug]: Anthropic OAuth credentials desync between ~/.claude/.credentials.json and auth-profiles.json — silent subagent failures

[IIIyban]

Environment

• Version: OpenClaw 2026.3.11 (29dc654)
• OS: Ubuntu 24.04 (linux 6.8.0-101-generic x64)
• Provider: Anthropic (claude-opus-4-6, claude-sonnet-4-6) via OAuth
• Setup: Multi-topic Telegram bot with subagent orchestration

Describe the bug

OpenClaw maintains OAuth credentials for Anthropic in auth-profiles.json, but these credentials desync from ~/.claude/.credentials.json (the source of truth updated by openclaw models auth login and Claude CLI). When the token in auth-profiles.json expires and its refresh token has been invalidated (because ~/.claude/ already used a newer refresh), all subagent completions fail silently.

The gateway stays alive, openclaw status looks healthy, but subagent announce calls fail with:

OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate.

This is particularly insidious because:

1. The main session may work fine (using a different auth path or cached token)
2. Subagent spawns succeed (task is accepted)
3. Only the completion announce fails — the result is computed but never delivered
4. The subagent is then pruned as orphan: Subagent orphan run pruned ... reason=missing-session-entry
5. From user perspective: subagent "silently disappears" with no error message

Steps to reproduce

1. Authenticate Anthropic via OAuth (openclaw models auth login)
2. Tokens saved in both ~/.claude/.credentials.json AND auth-profiles.json
3. Wait for token expiry (~2-10 hours depending on grant)
4. ~/.claude/.credentials.json gets refreshed (by CLI or auto-refresh)
5. auth-profiles.json still has the OLD refresh token (now invalidated by Anthropic)
6. Spawn a subagent via sessions_spawn
7. Subagent completes the task successfully
8. Announce back to parent session fails with OAuth 401
9. After retries, system gives up: Subagent announce give up (retry-limit)
10. No user-visible error. Result is lost.

Root cause

Two independent credential stores with no automatic sync:

• ~/.claude/.credentials.json — updated on login/refresh
• ~/.openclaw/agents/<id>/agent/auth-profiles.json — used by gateway for model calls

When Anthropic rotates the refresh token (standard OAuth behavior — old refresh is invalidated when a new one is issued), the auth-profiles.json copy becomes permanently broken until manual intervention.

Additional context

Multiple agents (main, hr-bp, etc.) each have their own auth-profiles.json, all needing sync. With N agents, the desync probability multiplies.

Workaround

We wrote a systemd timer that syncs ~/.claude/.credentials.json → all auth-profiles.json every 30 minutes and alerts when expiry < 1 hour. Happy to share the script.

Proposed fix

1. Single source of truth: auth-profiles.json should be the canonical store, and refreshOAuthTokenWithLock should update it atomically on every refresh
2. Cross-store sync: When ~/.claude/.credentials.json is updated, propagate to all agent auth-profiles.json (or read from a single location)
3. Announce resilience: If OAuth fails during subagent announce, surface the error to the parent session instead of silently pruning
4. Health alert: When OAuth refresh fails, emit a user-visible warning (relates to [Bug]: No notification when all models fail auth — gateway silently dead for hours #20036)

Related issues

• Bug: Anthropic OAuth refresh intermittently fails across chats/topics #44616 — Anthropic OAuth refresh intermittently fails across chats/topics
• [Bug]: Anthropic OAuth refresh token discarded by configure; auto-refresh always fails, requires manual re-auth every ~8h #34117 — Anthropic OAuth refresh token discarded by configure
• [Bug]: No notification when all models fail auth — gateway silently dead for hours #20036 — No notification when all models fail auth
• OAuth renewal doesn't update auth-profiles.provisioned.json, causing recovery loops #38336 — OAuth renewal does not update auth-profiles.provisioned.json
• Add retry logic to OAuth token refresh #8673 — Add retry logic to OAuth token refresh

[IIIyban]

Update: Root cause identified and proven with inotify audit in #48153 — gateway serializes stale in-memory OAuth state back to disk, overwriting fresh credentials. See #48153 for full chain of 9 related issues.

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main covers the reported OAuth credential desync/root-cause path: locked auth-profile writers reload from disk instead of stale runtime snapshots, OAuth refreshes are mirrored/adopted across main and subagent stores, Claude CLI OAuth refresh sync is documented in v2026.4.24, and regression tests cover stale-snapshot overwrite and cross-agent refresh behavior.

What I checked:

• Reporter identified canonical root cause: The issue's own follow-up comment says the root cause was proven in Bug: Gateway periodically overwrites agent auth-profiles.json with stale OAuth token, causing persistent auth failures #48153: gateway stale in-memory OAuth state overwrote fresh auth-profiles credentials. The current source directly addresses that failure mode.
• Locked writes reload from disk: updateAuthProfileStoreWithLock explicitly reloads from disk inside the file lock rather than using a runtime snapshot, with an inline note that this prevents live gateway writes from overwriting fresher CLI/config-auth credentials with stale in-memory auth state. (src/agents/auth-profiles/store.ts:135, 1531123d3547)
• OAuth refreshes are shared across agents: OAuth refresh now mirrors refreshed credentials into the main store and subagents adopt fresher main-store credentials under the refresh lock, preventing per-agent stale refresh-token divergence. (src/agents/auth-profiles/oauth-manager.ts:274, 1531123d3547)
• Regression coverage for stale overwrite: The regression test verifies that marking auth-profile failure does not overwrite fresher on-disk credentials with a stale runtime snapshot. (src/agents/auth-profiles.markauthprofilefailure.test.ts:77, 1531123d3547)
• Regression coverage for cross-agent refresh: Cross-agent OAuth tests cover a race where multiple agents share one expired OAuth profile and assert only one refresh occurs while other agents adopt the refreshed credentials. (src/agents/auth-profiles/oauth.concurrent-agents.test.ts:69, 1531123d3547)
• Release note for Claude CLI OAuth sync: The v2026.4.24 changelog includes: Auth/Claude CLI syncs refreshed Claude CLI OAuth credentials into the managed auth profile so long-running Claude CLI runs stop falling back to stale OpenClaw snapshots. (CHANGELOG.md:284, 1531123d3547)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 1531123d3547; fix evidence: release v2026.4.24, commit cbcfdf62c729.