[Feature]: Allow disabling external-cli-sync for auth-profiles via config

[keareyChia]

Summary

openclaw currently hardcodes an auto-sync of external CLI credentials (MiniMax CLI, Codex CLI) into the per-agent auth-profile store. For users who have those CLIs installed locally but don't route them through openclaw, this produces noisy info logs on every command, with no config-level way to opt out. Requesting a first-class opt-out surface (config key, env var, or log downgrade).

Problem to solve

External CLI credential sync is unconditionally enabled at the API layer and is not reachable from user-facing configuration:

1. Every command that loads the auth store prints an info-level "synced … credentials from external cli" message, even when the credential is not used by any agent's model selection.
2. The message fires twice per command because loadAuthProfileStoreForAgent is invoked more than once per command lifecycle (init + model resolve).
3. The synced credential is only written to in-memory runtimeStore — it never lands in auth-profiles.json, so the TTL-based "no-op if already synced" fast path can never engage across processes.
4. The only way to skip the behavior today is to pass options.syncExternalCli = false at the JS API call site. There is no openclaw.json field, no environment variable, and no CLI flag exposed.

Effect: users who keep the upstream CLI installed but configure openclaw with their own <provider>:<scope> profiles see persistent log noise they cannot silence without patching node_modules.

Proposed solution

Any one of the following (listed by preference):

1. Config opt-out in openclaw.json — add an auth.externalCliSync field:

   {
     "auth": {
       "externalCliSync": false
       // or object form for per-provider control:
       // "externalCliSync": { "providers": ["minimax-cli"] }   // only sync these
       // "externalCliSync": { "exclude":   ["codex-cli"] }     // sync all except these
     }
   }

   Read at the three call sites in loadAuthProfileStore, loadAuthProfileStoreForAgent, and the runtime-store clone path (around dist lines 878 / 914 / 948 / 1025).
2. Environment variable — e.g. OPENCLAW_DISABLE_EXTERNAL_CLI_SYNC=1, or per-provider OPENCLAW_EXTERNAL_CLI_SYNC_PROVIDERS=minimax-cli.
3. Log downgrade — demote the "synced … credentials from external cli" message to debug level when the synced credential is bit-for-bit identical to the previous sync within the TTL window (currently EXTERNAL_CLI_SYNC_TTL_MS = 15 min). This is the smallest change, but it does not help users who want to fully disable the behavior.

Alternatives considered

• Delete ~/.codex/auth.json — not viable: the user actively uses Codex CLI outside openclaw, so removing the file breaks their upstream tool.
• Set options.syncExternalCli = false at every call site locally — requires patching node_modules/openclaw/dist/store-*.js, which is lost on every upgrade.
• Ignore the noise — acceptable short-term, but the message is in the info channel (not debug), so it leaks into user-facing CLI output regardless of log-level tuning at the user end.
• Overlay an empty externalAuthProfiles override — (overlayExternalAuthProfiles appears in the same file) — the sync step runs before the overlay, so it cannot suppress the log.

Impact

• User-visible — removes two lines of unsolicited info output from every command, improving CLI signal-to-noise.
• Performance — avoids repeated reads of ~/.codex/auth.json + optional keychain lookups for users who have opted out (minor, but non-zero on cold start).
• Backward compatibility — default-on preserves today's behavior; opt-out is purely additive.
• Surface area — small. The existing shouldSyncExternalCliCredentials(options) helper already centralizes the gate; the change is to feed it from config/env in addition to the current options.syncExternalCli API arg.

Evidence/examples

Environment:

• openclaw 2026.4.14
• Windows 11, Node v24.9.0
• Codex CLI installed and active at ~/.codex/ (auth.json present)
• agents/<id>/agent/auth-profiles.json contains only user-declared profiles (e.g. deepseek:default, minimax:cn) — no openai-codex:default entry, confirming the sync never persists to disk

Reproduction:

$ openclaw models list --agent main
[agents/auth-profiles] synced openai-codex credentials from external cli
[agents/auth-profiles] synced openai-codex credentials from external cli
Model                                      Input      Ctx      Local Auth  Tags
minimax/MiniMax-M2.7                       text       200k     no    yes   default,configured,alias:chat-primary
deepseek/deepseek-chat                     text       128k     no    yes   fallback#1,configured,alias:chat-fallback

Relevant code references (in dist/store-*.js, identifiers stable across recent releases):

• EXTERNAL_CLI_SYNC_PROVIDERS (hardcoded list of minimax-cli, codex-cli)
• syncExternalCliCredentialsForProvider — emits log.info("synced ${provider} credentials from external cli", …) on every non-no-op path
• shouldSyncExternalCliCredentials(options) — current gate, reads only options.syncExternalCli
• loadAuthProfileStoreForAgent — invokes the sync on each call, and is itself invoked multiple times per command

Additional information

• Happy to contribute a PR if a direction is confirmed — the change surface is small and localized.
• If a maintainer prefers option 3 (log downgrade) as a near-term partial fix while option 1 is designed, I can send that as a standalone PR first.
• The same reasoning applies symmetrically to the MiniMax CLI sync path; an opt-out should cover both providers uniformly.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has the internal scoped external CLI discovery work, but it still lacks the requested user-facing config or environment opt-out, and the maintainer discussion explicitly kept this issue as the canonical tracker after #75209 merged and #61694 was closed as the duplicate.

Reproducibility: yes. Current-main source, schema, help metadata, docs, and tests show the remaining gap: users cannot set auth.externalCliSync or an env override, while discovery is still controlled only by call-site options.

Next step
A maintainer has confirmed canonical tracking, and the remaining work is a narrow default-on config/env addition with clear source, docs, and tests.

Review details

Best possible solution:

Add a documented auth-level external CLI discovery policy with an env override that feeds the existing discovery gate centrally while preserving default-on and scoped behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. Current-main source, schema, help metadata, docs, and tests show the remaining gap: users cannot set auth.externalCliSync or an env override, while discovery is still controlled only by call-site options.

Is this the best way to solve the issue?

Yes. A narrow additive config/env gate at the existing ExternalCliAuthDiscovery boundary is the maintainable path; it should not redesign provider auth, plugin APIs, or external CLI bootstrap semantics.

Acceptance criteria:

• pnpm test src/agents/auth-profiles.external-cli-sync.test.ts src/agents/auth-profiles.external-cli-scope.test.ts src/commands/models.list.e2e.test.ts src/gateway/server-methods/models-auth-status.test.ts
• pnpm test src/config/schema.test.ts src/config/schema.base.generated.test.ts src/config/schema.help.quality.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/auth-profiles/external-cli-discovery.ts src/agents/auth-profiles/external-cli-scope.ts src/agents/auth-profiles/external-cli-sync.ts src/agents/auth-profiles/external-auth.ts src/agents/auth-profiles/store.ts src/config/types.auth.ts src/config/zod-schema.ts src/config/schema.help.ts docs/auth-credential-semantics.md CHANGELOG.md
• Before handoff, run the repo-appropriate changed gate in Testbox if the promoted repair lane has access.

What I checked:

• Maintainer canonical tracker: The provided GitHub context includes an Apr 30, 2026 steipete comment stating this issue remains the canonical tracker because [codex] Make external CLI credential discovery explicit #75209 made discovery explicit internally but did not add the requested auth.externalCliSync or env policy switch; [Feature]: Add opt-out for external CLI credential sync into auth profiles #61694 was closed as the duplicate.
• Auth config type lacks opt-out field: AuthConfig currently exposes profiles, order, and cooldowns; there is no externalCliSync or equivalent auth-level policy field. (src/config/types.auth.ts:14, 5e1529c48bf1)
• Config schema is strict and lacks requested key: The zod schema for auth declares only profiles, order, and cooldowns, then applies .strict(), so auth.externalCliSync is not accepted as a public config surface today. (src/config/zod-schema.ts:518, 5e1529c48bf1)
• Config help has no external CLI policy: Generated/help metadata documents auth, auth.profiles, auth.order, and auth.cooldowns, but no user-facing external CLI discovery or sync policy key. (src/config/schema.help.ts:931, 5e1529c48bf1)
• Internal discovery modes are call-site driven: Current main has ExternalCliAuthDiscovery modes none, existing, and scoped, and resolveExternalCliOverlayOptions reads call-site options rather than cfg.auth or process env, so this is an internal API gate rather than a user opt-out. (src/agents/auth-profiles/store.ts:192, 5e1529c48bf1)
• Scoped discovery fix is present but narrower: The sync path now scopes external CLI providers and logs bootstrap use at debug level, which addresses unrelated provider probing/log noise, but it still has no user-configured global disable switch. (src/agents/auth-profiles/external-cli-sync.ts:99, 5e1529c48bf1)

Likely related people:

• steipete: The maintainer comment kept this as the canonical tracker, [codex] Make external CLI credential discovery explicit #75209 is the merged adjacent implementation for explicit discovery intent, and local blame for the central auth-profile discovery/store files resolves to Peter Steinberger in the checked-out history. (role: recent maintainer and adjacent implementation owner; confidence: high; commits: 6f9cb6c62563, 06a5469f4726; files: src/agents/auth-profiles/external-cli-discovery.ts, src/agents/auth-profiles/store.ts, src/agents/auth-profiles/external-cli-sync.ts)
• openclaw/openclaw-secops: Auth-profile files are covered by the secops CODEOWNERS rules, so an implementation that changes credential discovery policy should route through that review path. (role: CODEOWNERS reviewer; confidence: high; files: .github/CODEOWNERS, src/agents/auth-profiles/)

Remaining risk / open question:

• The fix touches credential discovery behavior, so it should preserve default-on compatibility, the [codex] Make external CLI credential discovery explicit #75209 scoped-discovery semantics, and the no-unrelated-Keychain-probe protections.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5e1529c48bf1.

[steipete]

Keeping this as the canonical tracker for the remaining user-facing opt-out.

#75209 makes external CLI credential discovery explicit at the internal call-site/API level and preserves the scoped discovery fix, but it does not add the requested config/env policy switch (auth.externalCliSync / env override). I’m closing #61694 as the duplicate tracker so the follow-up stays consolidated here.