Codex harness migration: agentRuntime.fallback="none" doesn't keep non-codex fallbacks off codex; canonical openai/* ref doesn't broker openai-codex OAuth profile

[mogglemoss]

Summary

When migrating to the canonical codex-harness setup documented at https://docs.openclaw.ai/plugins/codex-harness, two related runtime-routing bugs surface together on 2026.4.29:

1. Primary openai/gpt-5.5 + agentRuntime: { id: "codex" } does not broker an existing openai-codex:<email> OAuth profile. The request hits https://api.openai.com/v1/responses directly with no Authorization header → 401 Unauthorized: Missing bearer or basic authentication in header.
2. agentRuntime.fallback: "none" does not keep non-codex fallbacks off the codex runtime. When the primary fails, a fallback like moonshot/kimi-k2.5 is still routed through the codex harness (harnessId: "codex", provider: "moonshot") and dies with failed to load configuration: Model provider 'moonshot' not found. With fallback: "none" set, I would expect non-codex fallbacks to use their normal provider runtimes (PI runner, etc.), not be forced through codex.

Net effect: an agent following the official codex-harness migration goes silent across its entire fallback chain.

Repro

Working baseline (legacy config, fully operational on the same box):

{
  "auth": { "profiles": {
    "openai-codex:<email>": { "provider": "openai-codex", "mode": "oauth", "email": "<email>" }
  }},
  "agents": { "defaults": {
    "model": {
      "primary": "openai-codex/gpt-5.5",
      "fallbacks": ["moonshot/kimi-k2.5", "anthropic/claude-sonnet-4-6"]
    },
    "models": { "openai-codex/gpt-5.4": {}, "openai-codex/gpt-5.5": {} }
  }}
}

Migrate to the docs' canonical pattern (https://docs.openclaw.ai/plugins/codex-harness):

{
  "auth": { /* unchanged — kept openai-codex:<email> OAuth profile */ },
  "plugins": { "entries": { "codex": { "enabled": true } } },
  "agents": { "defaults": {
    "model": {
      "primary": "openai/gpt-5.5",
      "fallbacks": ["moonshot/kimi-k2.5", "anthropic/claude-sonnet-4-6"]
    },
    "agentRuntime": { "id": "codex", "fallback": "none" },
    "models": {
      "openai/gpt-5.4": {}, "openai/gpt-5.5": {},
      "openai-codex/gpt-5.4": {}, "openai-codex/gpt-5.5": {}
    }
  }}
}

openclaw gateway restart. Send any DM to a configured channel (Discord/Telegram).

Observed

Gateway logs (sanitized; runId and request hashes preserved):

gateway: agent model: openai/gpt-5.5
gateway: http server listening (10 plugins: acpx, browser, codex, device-pair, discord,
         file-transfer, memory-core, phone-control, talk-voice, telegram; 8.8s)
plugins: file-transfer staging bundled runtime deps (51 specs): ... @openai/codex@0.125.0 ...

agent/embedded {"event":"embedded_run_failover_decision","stage":"prompt",
  "decision":"fallback_model","failoverReason":"auth","profileFailureReason":"auth",
  "provider":"openai","model":"gpt-5.5","status":401,
  "rawErrorPreview":"unexpected status 401 Unauthorized: Missing bearer or basic
   authentication in header, url: https://api.openai.com/v1/responses, ..."}

diagnostic: lane task error: lane=main durationMs=26103
  error="FailoverError: unexpected status 401 Unauthorized: Missing bearer or basic
  authentication in header, url: https://api.openai.com/v1/responses"

model-fallback/decision {"decision":"candidate_failed",
  "candidateProvider":"openai","candidateModel":"gpt-5.5","reason":"auth",
  "fallbackStepFromModel":"openai/gpt-5.5",
  "fallbackStepToModel":"moonshot/kimi-k2.5", ...}

agents/harness {"harnessId":"codex","provider":"moonshot","modelId":"kimi-k2.5",
  "error":"failed to load configuration: Model provider `moonshot` not found"}
  Codex agent harness failed; not falling back to embedded PI backend

diagnostic: lane task error: lane=main durationMs=8480
  error="CodexAppServerRpcError: failed to load configuration:
  Model provider `moonshot` not found"

model-fallback/decision {"decision":"candidate_failed",
  "candidateProvider":"moonshot","candidateModel":"kimi-k2.5",
  "fallbackStepToModel":"anthropic/claude-sonnet-4-6", ...}

Expected

• (1) With agentRuntime: { id: "codex" } and the model ref openai/gpt-5.5, the codex harness should bind the existing openai-codex:<email> OAuth profile by virtue of agent-binding (per https://docs.openclaw.ai/concepts/oauth: "An explicit OpenClaw openai-codex auth profile bound to the agent.") and use Codex's OAuth flow rather than hitting api.openai.com unauthenticated. If a separate config block is required to bind the profile to the codex plugin, the migration docs should say so explicitly — currently they don't mention any auth wiring beyond keeping the existing profile.
• (2) With agentRuntime.fallback: "none", fallback candidates whose providers aren't supported by codex (moonshot, anthropic) should run via their own provider runtimes (the embedded PI backend), not be forced through the codex harness. The current behavior makes the codex harness an all-or-nothing trap for any agent that has cross-provider fallbacks.

Notes

• openclaw doctor --fix does not auto-migrate legacy openai-codex/* model refs to canonical openai/* refs, despite the migration docs implying it does ("Doctor compatibility migration rewrites legacy primary runtime refs to canonical model refs and records the runtime policy separately." — https://docs.openclaw.ai/plugins/codex-harness). Worth a separate look or a doc clarification.
• Reverting model.primary back to openai-codex/gpt-5.5 (and removing the agentRuntime and plugins.entries.codex blocks) restores the working OAuth-via-PI-runner path immediately.

Environment

• openclaw 2026.4.29 (Homebrew)
• Node.js (Homebrew)
• macOS Darwin 25.2.0 (Apple Silicon)
• Channels: Discord + Telegram, both configured and connected pre-migration
• Auth profiles: openai-codex:<email> (oauth), anthropic:default (token), moonshot:default (api_key), google:default (api_key)

Possibly related

• [Bug]: Bug: GPT-5.4 via openai-codex OAuth uses wrong API (responses vs codex-responses) #38706 — openai-codex OAuth hits /v1/responses instead of /v1/codex-responses (same 401 symptom on the legacy ref)
• Fallback not used when primary provider is in cooldown after adding Codex #1815 — Fallback not used when primary in cooldown after adding Codex (related fallback-routing regression)
• [Bug]: v2026.4.26 ships coding-agent skill + codex provider with openai/gpt-5.5 as silent default — breaks stacks without OpenAI configured #73358 — openai/gpt-5.5 silently injected as fallback default in 2026.4.26 (same era)
• [Bug]: Track Codex harness stability work #66251 — Codex harness stability tracker

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 30, 2026, 1:01 AM ET / 05:01 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b352cb2d8e7f.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

Current-main triage after the Codex OAuth/model-routing landing:

• The OAuth/profile-routing half is covered now: canonical openai/* with agentRuntime.id: "codex" auto-selects an available openai-codex:* OAuth profile and forwards it into the Codex harness. The regression coverage is src/agents/command/attempt-execution.cli.test.ts (auto-forwards OpenAI Codex auth profiles to configured Codex harness runs), which asserts authProfileId: "openai-codex:work" and agentHarnessId: "codex".
• The doctor migration note is covered by fix(doctor): repair legacy Codex route config #77731, which rewrites legacy openai-codex/* route config/session pins to canonical openai/* plus runtime policy.
• Keeping this open: the fallback-runtime half is still a separate current-main issue. src/agents/harness/selection.ts still returns a forced plugin harness before consulting supports() for the fallback candidate provider/model, so agentRuntime.id: "codex" can still send non-Codex fallbacks to the Codex harness. fix(agents/harness): validate forced plugin harness support before pinning #74341 is the active fix path for that remaining bug.

[islandpreneur007]

Related additional surface — PI runtime + compaction-fallback inherits Codex runtime context across openai-codex/* → ollama/* transitions on 2026.5.5

Adding empirical evidence for a related but separate surface from the forced-runtime fallback half this issue tracks. We hit it on 2026.5.5 (Linux/VPS) twice in ~51 minutes today. We are not claiming this is the same bug as the original report — different config shape, different code path — but the user-visible symptom converges (ollama/* fallback request reaching chatgpt.com/backend-api/codex with codex auth context).

Existing context this report does not duplicate:

• #75739 (this issue) — forced agentRuntime: { id: "codex", fallback: "none" } + non-Codex fallbacks routed through Codex harness. OAuth-forwarding half landed; fallback-runtime half remains open.
• #74341 — fix path for the forced-plugin selector branch of selectAgentHarnessDecision().
• #77731 — doctor --fix migration of legacy openai-codex/* refs to canonical openai/*, landed in 2026.5.5.
• #78407 — open docs-policy conflict on whether openai-codex/* is a valid intentional config under PI.

The surface evidenced below appears to be a distinct fourth surface — auto-mode (PI runtime) + openai-codex/* primary + cross-provider fallback, where the compaction-internal fallback path inherits the parent run's runtime/transport context across the failover transition.

Our config

{
  "agents": {
    "list": [{
      "id": "trent",
      "model": {
        "primary": "openai-codex/gpt-5.5",
        "fallbacks": ["ollama/kimi-k2.6"]
      },
      // agentRuntime UNSET → defaults via:
      "heartbeat": { "model": "ollama/nemotron-3-nano:30b" }
    }],
    "defaults": {
      "agentRuntime": { "id": "pi" }
    }
  }
}

Codex and Ollama plugins both enabled. openai-codex:<email> OAuth profile bound and verified working on the primary path. Ollama healthy under PI runtime in this same agent's heartbeat (ollama/nemotron-3-nano:30b) and in an isolated cron-only sibling identity using ollama/kimi-k2.6. The misroute only fires on the openai-codex/* primary → ollama/* fallback transition during compaction.

Two occurrences ~51 minutes apart, same gateway PID, both during compaction

Occurrence 1 — 2026-05-06T15:22:20Z

[agent/embedded] codex app-server turn idle timed out (~269s primary)
[model-fallback/decision] decision=candidate_failed
  requested=openai-codex/gpt-5.5 candidate=openai-codex/gpt-5.5
  reason=timeout next=ollama/kimi-k2.6
  detail="codex app-server attempt timed out"
[agent/embedded] embedded run failover decision: stage=prompt
  decision=surface_error reason=none
  from=ollama/kimi-k2.6 profile=sha256:0661306c7e86
  rawError="The 'kimi-k2.6' model is not supported when using Codex with a ChatGPT account."

Occurrence 2 — 2026-05-06T16:13:44Z (same gateway PID, ~51min later)

[agent/embedded] codex app-server turn idle timed out (~353549ms primary)
[agent/embedded] Profile openai-codex:<email> timed out. Trying next account...
[agent/embedded] embedded run failover decision: stage=assistant
  decision=fallback_model reason=timeout from=openai-codex/gpt-5.5
  rawError="codex app-server attempt timed out"
[diagnostic] lane task error: lane=main durationMs=353549
  error="FailoverError: LLM request timed out."
[model-fallback/decision] decision=candidate_failed
  requested=openai-codex/gpt-5.5 candidate=openai-codex/gpt-5.5
  reason=timeout next=ollama/kimi-k2.6
[agent/embedded] embedded run failover decision: stage=prompt
  decision=surface_error reason=none from=ollama/kimi-k2.6
  rawError="Error running remote compact task: {\"detail\":\"The 'kimi-k2.6' model is not supported when using Codex with a ChatGPT account.\"}"

The Error running remote compact task prefix in occurrence 2 is structurally important — it confirms the failover fired during a compaction RPC, not a normal turn.

Code-path observation — src/agents/pi-embedded-runner/compact.ts

#74470 (merged 2026-05-01) added implicit compaction model fallback. The compaction fallback path passes a per-candidate run callback into runWithModelFallback() that only resets provider, model, and authProfileId per candidate; the rest of the per-candidate runtime context (including runtimePlan) is inherited from the parent compaction call:

// src/agents/pi-embedded-runner/compact.ts
return (await runWithModelFallback({
    cfg: params.config,
    provider: primaryProvider,
    model: primaryModel,
    runId: params.runId ?? params.sessionId,
    agentDir: params.agentDir,
    fallbacksOverride,
    classifyResult: ({ result, provider, model }) =>
        classifyCompactionFallbackResult(result, provider, model),
    run: async (provider, model) => {
        const authProfileId = provider === primaryProvider ? params.authProfileId : void 0;
        return await compactEmbeddedPiSessionDirectOnce({
            ...params,        // ← spreads parent's runtime context
            provider,         // ← only resets this
            model,            // ← only resets this
            authProfileId     // ← only resets this (unset for non-primary)
        });
    }
})).result;

And inside compactEmbeddedPiSessionDirectOnce():

const runtimePlan = params.runtimePlan ?? buildAgentRuntimePlan(...);

Result: when the parent compaction call carries a runtimePlan resolved against the primary's openai-codex/* provider (so harness = Codex, transport = Codex app-server, auth = openai-codex:* OAuth), the fallback candidate's compactEmbeddedPiSessionDirectOnce(...) reuses that cached runtimePlan instead of rebuilding for ollama/kimi-k2.6. Provider name on the request becomes ollama/kimi-k2.6 but the transport/auth context is still Codex. The Codex/ChatGPT backend then rejects the unknown model name.

For same-provider-family compaction fallbacks (Azure-OpenAI → another OpenAI variant — the original #74470 motivating case), this is benign because the cached runtimePlan is correct. For cross-provider fallback (Codex/openai-codex/* → Ollama/ollama/*), the cached plan is wrong.

Suggested fix shape

Scoped to this surface: in the compaction fallback run callback, clear or rebuild the per-candidate runtimePlan (and any other harness/transport/session-manager fields cached from the primary attempt) before invoking compactEmbeddedPiSessionDirectOnce. The simplest version omits runtimePlan from the spread and lets compactEmbeddedPiSessionDirectOnce rebuild via buildAgentRuntimePlan(...) for the new candidate.

Broader option: introduce a resetPerCandidate hook on runWithModelFallback so other heavy-context callers can opt into per-candidate runtime/auth/transport reset without each consumer reimplementing the discipline.

Suggested regression coverage: openai-codex/* primary compaction times out → ollama/* fallback executes through Ollama provider plugin (not Codex app-server), with the candidate's resolved harness/auth/transport recorded matching the candidate's provider prefix.

Note on related forced-runtime exposure (separate surface)

Tangentially, this deployment also has 20 agents on forced agentRuntime: { id: "codex" } with ollama/* in their fallback chains. Those agents are exposed to the forced-plugin selector surface tracked by #75739/#74341, not to the PI-runtime compaction surface evidenced here. They have not triggered the bug operationally, but the deployment shape for that distinct surface is real.

Local mitigation

Not removing the ollama/kimi-k2.6 fallback. Two timeouts in ~51min on a single gateway PID is a low-frequency failure mode that's livable while upstream lands; removing the local Ollama fallback would cost more in degraded resilience than the rare-turn-error tradeoff.

Environment

• openclaw 2026.5.5 (b1abf9d) — verified after a successful 2026.5.4 → 2026.5.5 cutover earlier today
• Linux (Ubuntu, VPS)
• Channels: Telegram (configured and connected)
• Auth: openai-codex:<email> OAuth (working on primary path during normal operation), Ollama provider plugin (working on heartbeat + cron lanes)
• Plugins enabled: codex, telegram, memory-core, memory-wiki, lobster, llm-task, voice-call, talk-voice, elevenlabs, phone-control, webhooks, device-pair, acpx

[jimdawdy-hub]

Reproduced on Linux (openclaw 2026.5.6, Node 24.14.1)

Hit this exact issue today after enabling the Codex plugin and setting agentRuntime: { id: "codex" } as a global default. Same cascade as described — primary times out, fallback to moonshot/kimi-k2.5 gets forced through the Codex harness, dies with Model provider 'moonshot' not found.

Additional finding: cron jobs with non-openai models make it significantly worse.

Had a cron job (sessionTarget: isolated, model: moonshot/kimi-k2.5 in payload) running every 15 minutes. The Codex harness rejection caused a massive event loop spike that disrupted the main session's Codex connection too:

liveness warning: reasons=event_loop_delay,cpu interval=30s
  eventLoopDelayP99Ms=1522.5 eventLoopDelayMaxMs=18689.8
  eventLoopUtilization=0.874 cpuCoreRatio=0.919
  work=[active=agent:main:cron:30ad25dd(processing,q=1,age=28s)]

After that spike, the main session started timing out at ~80s and then hitting the same moonshot rejection on its fallback:

codex app-server turn idle timed out waiting for completion
Profile openai-codex:jim.dawdy@gmail.com timed out. Trying next account...
lane task error: lane=main durationMs=80389 error="FailoverError: LLM request timed out."
agents/harness: Codex agent harness failed; not falling back to embedded PI backend
lane task error: lane=main durationMs=5290
  error="CodexAppServerRpcError: failed to load configuration: Model provider 'moonshot' not found"

Net result: complete gateway failure across all sessions, not just the cron job.

Workaround: Removed agentRuntime from global defaults entirely. Cross-provider fallbacks work normally again. Subscription routing via legacy openai-codex/* model refs still functions as noted in the issue.

Possibly related PRs open against this:

• fix(agents/harness): validate forced plugin harness support before pinning #74341 — fix(agents/harness): validate forced plugin harness support before pinning
• fix(config): guard legacy agentRuntime regression #73257 — fix(config): guard legacy agentRuntime regression
• test(doctor): reproduce #78407 openai-codex model-ref rewrite without auth #78512 — test(doctor): reproduce #78407 openai-codex model-ref rewrite without auth

[vliuyt]

Additional data point from 2026.5.6 (c97b9f7) on macOS:

The documented route still appears inconsistent with the current harness support behavior.

Docs currently state in docs/plugins/codex-harness.md:

| `openai/gpt-5.5` + `agentRuntime.id: "codex"` | Codex app-server harness | ... |

But the harness source still defaults to claiming only the codex provider:

const DEFAULT_CODEX_HARNESS_PROVIDER_IDS = new Set(["codex"]);
...
supports: (ctx) => {
  const provider = ctx.provider.trim().toLowerCase();
  if (providerIds.has(provider)) {
    return { supported: true, priority: 100 };
  }
  return {
    supported: false,
    reason: `provider is not one of: ${[...providerIds].toSorted().join(", ")}`,
  };
}

Observed behavior in a fresh isolated smoke test:

• codex/gpt-5.5 + agentRuntime.id = "codex" works and selects the native Codex harness:

{
  "status": "ok",
  "provider": "codex",
  "model": "gpt-5.5",
  "agentHarnessId": "codex",
  "runner": "embedded",
  "winnerProvider": "codex"
}

• The previously attempted openai/gpt-5.5 + agentRuntime.id = "codex" route did not activate the same native Codex path in the affected channel/agent setup; it behaved like the normal OpenAI provider path and required OPENAI_API_KEY.

Environment:

• OpenClaw 2026.5.6 (c97b9f7)
• macOS Darwin 25.4.0 / macOS 26.4.1 status label
• Node v25.6.1
• Codex plugin enabled

This seems to confirm the same core migration mismatch on a newer build: the docs describe openai/* + agentRuntime.id=codex as the native Codex app-server route, while the current harness support gate only claims codex/* unless something else explicitly expands providerIds.

[islandpreneur007]

Post-2026.5.6 reproduction (operator: @islandpreneur007)

Following up on the comment dated 2026-05-06T16:54:01Z. Cut over to OpenClaw 2026.5.6 today (gateway PID active 2026-05-07T17:16:58Z UTC). The compaction-fallback runtimePlan inheritance bug surfaced in that prior comment is still active post-5.6 with two new operational findings.

Repro #1 — 19:30:59 UTC: same surface, post-5.6

• 19:30:19.359Z: codex app-server timeout (durationMs=265665); fallback decision fired
• 19:30:19.372Z: model fallback requested=openai-codex/gpt-5.5, next=ollama/kimi-k2.6, detail=codex app-server attempt timed out
• 19:30:59.150Z: fallback attempt with auth profile sha256:0661306c7e86 returned status=400 invalid_request_error: 'kimi-k2.6 not supported when using Codex with a ChatGPT account'

The 5.6 release notes do not document a fix for this surface (release-notes-confirmed via 2026-05-06 maintainer comment: "OAuth/profile-routing half is covered now... fallback-runtime half remains open"). The compaction-fallback path identified in the prior comment (compactEmbeddedPiSessionDirectOnce reusing cached runtimePlan across cross-provider fallback) is still firing.

Repro #2 — 20:38:27 UTC: agent-level fallback-empty mitigation does NOT clear cached plan

At 2026-05-07T20:14Z UTC we applied a local mitigation: removed the cross-provider ollama/* fallback from agents.list[].model.fallbacks, leaving the list []. openclaw config validate passed; openclaw models status --agent <name> confirmed empty fallback list.

A subsequent compaction at 20:38:27Z STILL fired the same 'kimi-k2.6' not supported when using Codex with a ChatGPT account error.

This indicates the runtime caches the runtimePlan at session start; agent-level config changes don't propagate into in-flight sessions. The native /new slash command flushes the cached plan, after which the new fallback-empty plan is honored.

Operator implication

The practical recovery for this bug class is currently two-step: edit agents.list[].model.fallbacks to remove cross-provider candidates, AND issue /new against the affected agent's session. Either step alone is insufficient mid-session.

This is consistent with the prior comment's code-path identification (compactEmbeddedPiSessionDirectOnce not resetting runtimePlan) and adds a finding that the cached plan is durable across mid-session config edits.

Cross-references

• fix(agents/harness): validate forced plugin harness support before pinning #74341 (forced-plugin selector branch — open)
• fix: add compaction model fallback #74470 (PR that added implicit compaction model fallback — merged 2026-05-01)

A reproducible test bed is available; happy to validate any fix candidate.

[gorkem2020]

Still reproduces in 2026.5.7

Hit this exact gap on 2026.5.7 today. The docs claim at https://docs.openclaw.ai/plugins/codex-harness ("OpenAI agent turns now select the Codex runtime by default") is still ahead of the implementation. Confirming the two bugs in this issue, plus one new wrinkle.

Bug 1 (canonical openai/* ref doesn't broker openai-codex OAuth) reproduces

Same auth-failure shape as the original report. Setting model: "openai/gpt-5.5" with agentRuntime: { id: "codex" } on a fresh agent does not auto-bind the existing openai-codex:<email> OAuth profile. Request hits api.openai.com/v1/responses unauthenticated, returns 401.

Bug 2 (agentRuntime.fallback="none" routes non-codex fallbacks through codex anyway) not retested

Skipping because we use a single primary model for this agent. No new data.

New finding: which plugin entry actually owns the openai-codex provider

If a user attempting the canonical migration removes the bundled openai plugin entry from plugins.allow and plugins.entries (intuitive: openai-codex is a separate provider id, so why keep both?), oc models auth login --provider openai-codex then fails with:

Error: No provider plugins found. Install one via openclaw plugins install.

This is misleading because the plugin IS bundled at /app/dist/extensions/openai/. The bundled @openclaw/openai-provider package owns BOTH the openai AND openai-codex provider IDs (its directory contains openai-codex-auth-identity.js, openai-codex-device-code.js, openai-codex-provider.js, openai-codex-provider.runtime.js). Removing the openai plugin entry kills openai-codex auth too. The error message could be clearer ("no plugin claims provider id 'openai-codex'") to help users recover.

Working path (consistent with the original report's "revert" workaround)

Going back to openai-codex/gpt-5.5 model ref via pi runtime, keeping the bundled openai plugin entry enabled, no codex plugin installed, no agentRuntime override. OAuth profile resolves cleanly, requests authenticate, subscription quota tracker shows up in /status.

Suggestions

1. Update the codex-harness migration docs to reflect that auto-runtime-selection for openai/* is not yet wired in shipping releases (or specify the version it lands).
2. Either implement the doctor `--fix` migration the docs describe, or remove that promise from the docs.
3. Make the "No provider plugins found" error mention which provider id failed to resolve, so users can map it back to the plugin that owns it.