Feature request: native Codex quota/auth diagnosis plus brokered reauth execution

[betamod]

Summary

OpenClaw should provide native Codex/ChatGPT OAuth reliability handling by separating quota-window exhaustion from true OAuth credential failure, and by supporting brokered reauth execution when reauthentication is actually required.

User-facing goal

As a user, I want one reliable ChatGPT/Codex OAuth experience:

• if I only hit my rolling usage window, OpenClaw should tell me the quota state and when it renews
• if my OAuth refresh token is actually invalid, OpenClaw should tell me that reauth is required
• if a bounded host-side reauth adapter exists, OpenClaw should be able to invoke it instead of leaving recovery entirely manual

Problem

Today, quota exhaustion and unrecoverable OAuth failure can be confused operationally.
For example:

• rolling usage-window exhaustion should not trigger reauth
• refresh_token_reused should trigger guided reauth
• a normal access-token expiry with a valid refresh token should refresh automatically

These are different states, but they are easy to collapse into a single generic "auth failed" workflow.

Requested feature set

1. Native quota/auth diagnosis in OpenClaw

OpenClaw should distinguish at least:

• ok
• expiring_soon
• quota_wait
• reauth_required

Behavior:

• quota_wait: do not trigger reauth
• reauth_required: prompt for or invoke a bounded reauth adapter
• normal expired access token + valid refresh token: refresh automatically

2. Native Codex quota display

OpenClaw should surface Codex rate-limit state natively, including both the 5-hour and weekly windows.

Recommended display format:

Codex rate limits
5h: 96%, renews 05:45 AM
Weekly: 60%, renews 2026-03-25 3:04 PM

Formatting rules:

• use system local timezone automatically
• 5h window: percent + local time
• weekly window: percent + local date and time

3. Brokered reauth execution

When OpenClaw determines the state is reauth_required, it should support invoking a narrow reauth adapter rather than assuming it must handle browser-based reauth itself.

This is especially important for Docker/sandboxed deployments where:

• the app can diagnose the problem natively
• the actual browser-based OAuth flow needs to run outside the container

Conceptually:

• native decision inside OpenClaw
• bounded external execution via a broker/adapter

Control UI impact

Yes, this should include Control UI changes.

Suggested Control UI behavior:

• show the current Codex rate-limit state in a human-readable form
• when the state is quota_wait, show renewal times instead of suggesting reauth
• when the state is reauth_required, show a clear guided reauth action if a reauth adapter is available
• avoid ambiguous generic auth-failure messaging when the real issue is rolling-window quota exhaustion

Why this matters

For users, this is one feature set: a more reliable ChatGPT/Codex OAuth experience.
Internally, it can still be split into:

• native quota/auth diagnosis
• optional brokered reauth execution

That split keeps the trust boundary clean while delivering one coherent recovery UX.

Additional context

I implemented a local host-side prototype in a Docker-based OpenClaw sandbox that:

• classifies quota_wait separately from reauth_required
• formats local-time 5h/weekly renewal info
• auto-triggers a bounded host-side reauth bridge only for reauth_required

I am not attaching that patch directly here because parts of it are deployment-specific, but it validated the behavior and UX split described above.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 13:30 UTC / May 24, 2026, 9:30 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main has partial Codex quota visibility and WHAM-aware cooldown handling, but it still lacks the requested quota_wait/reauth_required diagnostic contract and any brokered host-side reauth execution surface.

Reproducibility: not applicable. this is a feature request for a new auth/quota diagnosis contract and brokered reauth flow, not a broken existing behavior with current-main reproduction steps. Source inspection does show current main does not expose the requested states or broker surface.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
Manual review is needed because the remaining work defines a provider/Gateway/UI auth-state contract and a security-sensitive host-side reauth broker.

Review details

Best possible solution:

Define a maintainer-approved Codex auth/quota state contract plus a narrow, operator-controlled reauth broker boundary, then wire it through provider usage/auth status and Control UI.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature request for a new auth/quota diagnosis contract and brokered reauth flow, not a broken existing behavior with current-main reproduction steps. Source inspection does show current main does not expose the requested states or broker surface.

Is this the best way to solve the issue?

Unclear until maintainers choose the permanent contract: current main’s quota windows and WHAM cooldown bookkeeping are useful partial pieces, but they are not the full requested recovery UX. The maintainable path is an explicit provider/Gateway/UI contract with a security-reviewed broker boundary rather than an ad hoc reauth trigger.

Label changes:

• remove clawsweeper:needs-security-review: Current issue advisory state no longer selects this label.

Label justifications:

• P2: The request is a normal-priority provider/auth UX improvement with security-sensitive design work but no confirmed active outage.
• impact:security: The requested brokered reauth flow crosses OAuth credential, host execution, and container/sandbox trust boundaries.
• impact:auth-provider: The issue is about Codex OAuth state, quota reporting, provider usage, and reauthentication routing.

Acceptance criteria:

• node scripts/run-vitest.mjs src/infra/provider-usage.fetch.codex.test.ts src/infra/provider-usage.load.test.ts src/agents/auth-profiles/usage.test.ts src/gateway/server-methods/models-auth-status.test.ts
• node scripts/run-vitest.mjs ui/src/ui/chat/run-controls.test.ts ui/src/ui/views/overview.render.test.ts
• Crabbox/Testbox Docker proof for a real Codex OAuth quota-wait case and a reauth-required case before landing brokered execution.

What I checked:

• Current main checked: The review inspected current main at 5be62e7. (5be62e779b2e)
• Codex usage windows are partially implemented: fetchCodexUsage calls the ChatGPT WHAM usage endpoint and returns provider usage windows plus plan data for Codex. (src/infra/provider-usage.fetch.codex.ts:55, 5be62e779b2e)
• Auth-status wire type lacks requested diagnostic states: models.authStatus exposes provider status, expiry, profiles, and optional usage windows/plan; it does not expose quota_wait, reauth_required, or equivalent reauth decision state. (src/gateway/server-methods/models-auth-status.ts:61, 5be62e779b2e)
• Control UI quota display is window-only: The chat quota pill is built from provider usage windows and reset times, not from a quota/auth recovery state machine. (ui/src/ui/chat/session-controls.ts:644, 5be62e779b2e)
• WHAM cooldown classification exists but is not the requested contract: Codex failures can trigger WHAM probes that set blockedUntil or cooldown state, but this remains profile usability bookkeeping rather than a native quota_wait/reauth_required user-facing contract. (src/agents/auth-profiles/usage.ts:104, 5be62e779b2e)
• OAuth refresh exists without brokered reauth execution: The OAuth manager refreshes stored credentials and falls back to fresher external credentials after refresh failure, but it does not invoke a bounded host-side reauth adapter. (src/agents/auth-profiles/oauth-manager.ts:537, 5be62e779b2e)

Likely related people:

• steipete: Peter Steinberger introduced provider usage tracking, split/deduped the provider-usage implementation, and added provider usage runtime hooks used by the Codex usage path. (role: provider usage and plugin-hook feature owner; confidence: high; commits: 9bf66843660c, 3e0e608110fc, 14b4c7fd56ae; files: src/infra/provider-usage.fetch.codex.ts, src/infra/provider-usage.load.ts, src/infra/provider-usage.types.ts)
• ryanngit: Auth-profile WHAM cooldown behavior for Codex was added by PR 58625, authored by ryanngit. (role: recent Codex cooldown contributor; confidence: high; commits: 0b3d31c0ce8e; files: src/agents/auth-profiles/usage.ts, src/agents/auth-profiles/usage.test.ts)
• mbelinky: PR 63217 surfaced OAuth reauth failures in reply/doctor flows and added the refresh-failure classifier relevant to refresh_token_reused handling. (role: OAuth reauth failure contributor; confidence: high; commits: b77db8c0b610; files: src/agents/auth-profiles/oauth-refresh-failure.ts, src/commands/doctor-auth.ts, src/auto-reply/reply/agent-runner.ts)
• omarshahine: PRs 66211 and 67253 added and tightened the model auth status gateway/UI surface that currently carries usage windows into Control UI. (role: model auth status and UI contributor; confidence: high; commits: 507b7189177a, f2fdb9d1253c; files: src/gateway/server-methods/models-auth-status.ts, ui/src/ui/views/overview-cards.ts, ui/src/ui/provider-quota-summary.ts)

Remaining risk / open question:

• No live Codex OAuth account or quota-exhausted ChatGPT environment was exercised during this read-only review; the verdict is based on source, tests, history, and issue context.
• Brokered reauth would execute or trigger host-side OAuth work from an OpenClaw decision path, so the trust boundary and operator controls need explicit maintainer design before implementation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5be62e779b2e.