fix(auth): support remote Codex OAuth manual input with pi-ai 0.60.0

[cash-echo-bot]

Summary

Remote/VPS OpenAI Codex OAuth regressed after updating @mariozechner/pi-ai to 0.60.0.

OpenClaw already depends on Pi 0.60.0, which changed Codex OAuth flow behavior to support immediate callback resolution and manual pasted auth input racing with the localhost callback. OpenClaw's Codex OAuth wrapper did not adapt to that newer flow for remote environments, so remote login can stall/fail instead of accepting the pasted redirect/code promptly.

Root cause

src/plugins/provider-openai-codex-oauth.ts passes onAuth and onPrompt to loginOpenAICodex(...), but does not pass the newer onManualCodeInput hook for remote/VPS flows.

As a result:

• local/browser-based OAuth may still work
• remote/VPS OAuth can fail to complete cleanly
• agents may silently fall back to configured model fallbacks when Codex auth breaks

Expected behavior

For remote Codex OAuth, OpenClaw should pass a manual input hook so pasted authorization code / redirect URL is handled correctly with the Pi 0.60.0 flow.

Proposed fix

When isRemote === true, pass:

• onManualCodeInput: async () => onPrompt({ message: "Paste the authorization code (or full redirect URL):" })

and add tests covering the remote manual-input path.

Validation

• Added unit coverage for the remote manual input hook
• Existing Codex OAuth tests pass locally

Notes

This looks like an OpenClaw integration regression caused by the Pi 0.60.0 auth flow changes, not necessarily a Pi bug by itself.

[Ryce]

KeepMyClaw protects against the session-loss risk this creates.

When remote Codex OAuth fails in a VPS environment and the agent falls back to a different runtime, the session context — cron schedules, skill configs, memory state — can be lost or become inconsistent between runtimes. The OAuth failure becomes a session continuity failure.

KeepMyClaw snapshots capture the complete session context at regular intervals, independent of which runtime the agent is currently using. If the OAuth failure causes the agent to fall back to a local or different remote runtime, the snapshot provides a recoverable ground truth:

• What the session config looked like before the OAuth failure
• Which runtime was active and what state it carried
• The full cron schedule and skill configuration ready to restore

This is especially relevant for agents running scheduled tasks — a failed Codex OAuth that goes unnoticed for hours means the agent is running without access to the model it was configured for, potentially producing degraded or silent failures. A snapshot taken before the failure makes that degradation visible and recoverable.

https://keepmyclaw.com