[Bug]: commitments extractor uses direct OpenAI instead of configured openai-codex model, causing repeated background auth failures

[sene1337]

Bug type

Behavior bug (background task uses wrong model/provider and creates repeated auth/model errors)

Beta release blocker

Possibly — this can silently create repeated background LLM failures after enabling the commitments feature.

Summary

After enabling the commitments feature on an OpenClaw install whose normal/default model is configured for Codex OAuth (openai-codex/gpt-5.5), the commitments extractor spawned repeated background lanes but attempted to use direct OpenAI provider auth (openai) instead of the configured Codex provider (openai-codex).

Because this install has Codex OAuth but no direct OPENAI_API_KEY, every extractor run failed with:

FailoverError: No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.5, or set OPENAI_API_KEY for direct OpenAI API access.

The feature produced repeated background auth/model failures rather than inheriting the agent/default model/provider or circuit-breaking after the first terminal auth/config error.

Steps to reproduce

1. Run OpenClaw with default/main model configured to a Codex OAuth model, e.g. openai-codex/gpt-5.5.
2. Ensure Codex OAuth is authenticated, but no direct OPENAI_API_KEY is configured.
3. Enable commitments / inferred commitment extraction.
4. Send normal chat messages that trigger commitment extraction.
5. Inspect gateway logs.

Expected behavior

Commitment extraction should either:

1. Use the configured agent/default model and provider (openai-codex/gpt-5.5 in this case), or
2. Have an explicit commitments model setting that supports provider-qualified model IDs, or
3. Fail once with a clear configuration error and circuit-break/disable extraction until configuration is fixed.

It should not silently fall back to direct openai when the system is configured for openai-codex OAuth.

Actual behavior

Gateway logs showed repeated commitments lanes failing on direct OpenAI auth:

[diagnostic] lane task error: lane=session:agent:main:commitments:commitments-20254e69-c966-424b-a43a-4042c05f507d durationMs=1317 error="FailoverError: No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.5, or set OPENAI_API_KEY for direct OpenAI API access."
[commitments] commitment extraction failed

[diagnostic] lane task error: lane=session:agent:main:commitments:commitments-07ac6deb-2ec0-4cf6-b3e3-cff0afaf23fb durationMs=1260 error="FailoverError: No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.5, or set OPENAI_API_KEY for direct OpenAI API access."
[commitments] commitment extraction failed

[diagnostic] lane task error: lane=session:agent:main:commitments:commitments-6c3a9bf4-347c-4860-bb1a-f67f0fe428cf durationMs=1236 error="FailoverError: No API key found for provider "openai". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.5, or set OPENAI_API_KEY for direct OpenAI API access."
[commitments] commitment extraction failed

This continued across multiple background lanes until commitments were disabled/restarted.

OpenClaw version

2026.4.29

Operating system

macOS arm64

Install method

Global npm / local gateway install

Model

Configured default/main model: openai-codex/gpt-5.5

The commitments extractor appears to use provider openai instead.

Provider / routing chain

Expected:

agent/main -> openai-codex -> gpt-5.5 -> Codex OAuth profile

Observed commitments background lane:

agent/main -> commitments extractor -> openai -> missing OPENAI_API_KEY -> repeated FailoverError

Additional context

This looks related to the broader background-run fragility cluster, but appears to be a distinct commitments-specific provider/model selection bug:

• Heartbeat model leaks into user session status/runtime model #74217 — heartbeat/internal runtime model leakage into user session status
• Feature: Reason-aware cron guardrails (quota/auth/rate-limit aware backoff + circuit breaker) #14376 — reason-aware cron/background guardrails for auth/quota/rate-limit failures
• github-copilot claude-opus-4.7: output_config.effort="low" rejected, poisons auth profile #70322 — provider/model request errors can poison auth profile availability
• [Bug]: abortable(activeSession.prompt()) creates zombie Agent loop when signal is pre-aborted #74859 — zombie background LLM loop after aborted run
• Gateway 7-second event-loop stalls on 2026.4.27 — createOpenClawTools synchronously rebuilds plugin registry + provider-auth env-var resolution per tool-creation pass #74860 — gateway degradation from repeated provider/auth/tool resolution
• [Bug]: Configuring a paid Google Gemini key implicitly turned existing heartbeat traffic into paid background usage #64129 — heartbeat/background work unexpectedly inheriting paid model usage

Impact

• Repeated background LLM/auth failures
• Log noise and potential gateway degradation
• Confusing auth diagnostics because the main model/auth path is healthy
• Users with only Codex OAuth may see commitments fail immediately even though normal chat works

Suggested fix direction

• Ensure commitments extraction resolves model/provider through the same configured model routing path as the owning agent/session, including provider-qualified IDs like openai-codex/gpt-5.5.
• Add a commitments-specific model config only if needed, but make provider family explicit.
• Add a circuit breaker for terminal background auth/config errors (missing_api_key, auth, format) so the extractor does not repeatedly retry an impossible provider path.
• Add regression coverage for Codex OAuth-only installs with no direct OPENAI_API_KEY.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still lets the commitments extractor start a hidden embedded run without passing any provider/model, so the runner falls back to direct openai/gpt-5.5; that matches the reported Codex OAuth-only failure. The broader circuit-breaker issue remains related context, but this is a distinct commitments model-selection bug with a clear source-level fix path.

Required change / next step:

This is a valid, narrow commitments runtime bug with clear files, source-level reproduction, and focused regression coverage; no protected label, open paired PR, or product decision blocks a repair attempt.

Security review:

Security review: This is a non-PR issue review with no patch or security-sensitive report to assess.

Review details

Best possible solution:

Commitment extraction should receive a concrete provider/model from the owning turn or resolve the same selected default as that agent, preserve provider-qualified refs like openai-codex/gpt-5.5, and stop retrying immediately after terminal auth/config/schema failures until configuration changes or a cooldown expires.

Do we have a high-confidence way to reproduce the issue?

Yes. The issue gives concrete config/log steps, and current-main source gives a high-confidence static reproduction: enable commitments with agents.defaults.model.primary = openai-codex/gpt-5.5; the extractor omits provider/model and the embedded runner defaults that omission to openai/gpt-5.5.

Is this the best way to solve the issue?

Yes. The requested direction is the narrow maintainable fix: route extraction through the configured/selected model path and add a commitment-specific terminal-error guard; a broader shared circuit breaker can remain tracked by #14376.

Acceptance criteria:

• pnpm test src/commitments/runtime.test.ts src/commitments/extraction.test.ts src/commitments/commitments-full-chain.integration.test.ts
• pnpm test src/auto-reply/reply/agent-runner.runreplyagent.e2e.test.ts
• pnpm check:changed in Testbox before handoff because this touches runtime/background behavior

What I checked:

• Extractor omits model routing: defaultExtractBatch calls runEmbeddedPiAgent with config, session, prompt, and safety flags, but no provider or model fields, so the configured agents.defaults.model.primary is not explicitly carried into extraction. (src/commitments/runtime.ts:179, b277ae3f4c40)
• Embedded runner defaults missing provider/model to direct OpenAI: When callers omit params.provider and params.model, runEmbeddedPiAgent initializes them from DEFAULT_PROVIDER and DEFAULT_MODEL; those constants are openai and gpt-5.5. (src/agents/pi-embedded-runner/run.ts:404, b277ae3f4c40)
• Configured Codex OAuth route is supported: The OpenAI provider docs describe openai-codex/gpt-5.5 as the ChatGPT/Codex subscription OAuth route and show setting it as agents.defaults.model.primary. Public docs: docs/providers/openai.md. (docs/providers/openai.md:30, b277ae3f4c40)
• Config contract expects provider-qualified defaults: The agent config docs say model.primary accepts provider/model, explicitly including openai-codex/gpt-5.5 for Codex OAuth. Public docs: docs/gateway/config-agents.md. (docs/gateway/config-agents.md:371, b277ae3f4c40)
• No commitment-local terminal error breaker: The queue logs commitment extraction failed when the drain promise rejects, but there is no stored disabled/cooldown state for terminal auth/model/format failures before later eligible turns enqueue another extraction. (src/commitments/runtime.ts:140, b277ae3f4c40)
• Recent safety change did not address model selection: The latest commitments safety commit added queue overflow bounds and delivery safety coverage, but its runtime diff did not add provider/model resolution to the extractor call. (src/commitments/runtime.ts:106, b277ae3f4c40)

Likely related people:

• Vincent Koc: Prior local ClawSweeper feature-history for adjacent follow-up work ties the commitment runtime and auto-reply integration to the commit that introduced inferred commitments. (role: introduced behavior; confidence: medium; commits: c500b26bb6a3; files: src/commitments/runtime.ts, src/commitments/extraction.ts, src/auto-reply/reply/agent-runner.ts)
• vignesh07: The changelog credits @vignesh07 for the inferred commitments feature, and the latest main commit touching commitment runtime safety is authored by Vignesh. (role: adjacent contributor / recent maintainer; confidence: medium; commits: b277ae3f4c40; files: src/commitments/runtime.ts, src/commitments/runtime.test.ts, src/commitments/commitments-full-chain.integration.test.ts)
• steipete: Current checkout blame attributes the central extractor and embedded-runner defaulting lines to Peter's recent main-history commit, making him a practical maintainer routing candidate. (role: recent maintainer; confidence: low; commits: 165d62b15ff2; files: src/commitments/runtime.ts, src/agents/pi-embedded-runner/run.ts, src/auto-reply/reply/agent-runner.ts)

Remaining risk / open question:

• A fix that only resolves the agent default in defaultExtractBatch would handle the reported Codex default but may still miss session-specific model overrides unless the selected provider/model is threaded from the owning turn into the commitment queue.
• The terminal-error circuit-breaker portion overlaps the broader background guardrail work in Feature: Reason-aware cron guardrails (quota/auth/rate-limit aware backoff + circuit breaker) #14376, so the narrow repair should stay commitment-local and avoid changing shared cron/background policy opportunistically.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b277ae3f4c40.

[vignesh07]

@sene1337 looking at this.