Telegram /model status reports misleading auth for Codex runtime

[Patrick-Erichsen]

Observed behavior

When testing Telegram against a Codex-backed OpenClaw gateway, Telegram /status shows the active session is working through OAuth:

Model: openai/gpt-5.5
Runtime: OpenAI Codex
OAuth: openai-codex:<account>

But Telegram /model status reports the browseable providers as unauthenticated:

Current: openai/gpt-5.5
Default: openai/gpt-5.5

[codex] endpoint: default auth: missing
• codex/gpt-5.5

[openai] endpoint: default auth: missing
• openai/gpt-5.5

This is confusing because normal Telegram agent replies work, and /status correctly shows usable OAuth via the Codex runtime.

Expected behavior

Telegram /model status should report effective runtime auth for Codex-backed models, or otherwise make clear that provider auth is missing only for direct provider use. For example, with agentRuntime.id=codex and an openai-codex OAuth profile, the command should avoid implying the active openai/gpt-5.5 path is unauthenticated.

Possible acceptable output:

[openai] auth: via codex runtime / openai-codex OAuth

or a separate runtime-auth line that explains the current model is served through Codex OAuth.

Local evidence

From ~/.openclaw/openclaw.json:

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "openai/gpt-5.5"
      },
      "models": {
        "codex/gpt-5.5": {},
        "openai/gpt-5.5": {}
      },
      "agentRuntime": {
        "id": "codex"
      }
    }
  }
}

From ~/.openclaw/agents/main/agent/auth-profiles.json:

• auth profile provider: openai-codex
• auth type: oauth
• access/refresh token present

CLI openclaw models status --json sees the richer auth picture:

• providersWithOAuth: includes openai-codex (1)
• Codex effective auth is synthetic/plugin-owned

Root cause hypothesis

Telegram /model status appears to use the model-picker/provider surface rather than the effective runtime-auth surface:

• src/auto-reply/reply/directive-handling.model.ts builds model status from picker providers.
• It calls resolveAuthLabel(provider, ...) for each picker provider.
• src/auto-reply/reply/directive-handling.auth.ts resolves auth by the exact provider name, e.g. openai or codex.
• The Telegram output then prints auth: missing for those provider labels.

In this setup, the actual usable auth is under openai-codex, while the model picker lists openai/gpt-5.5 and codex/gpt-5.5. So the command reports direct provider auth as missing even though the active Codex runtime can execute successfully.

Acceptance criteria

• Telegram /model status distinguishes direct provider auth from effective runtime auth.
• For agentRuntime.id=codex with an openai-codex OAuth profile, it no longer reports the active model path as simply auth: missing.
• Output remains truthful if direct openai API-key auth is absent.
• Add or update tests for the Codex-runtime + openai-codex OAuth case.
• Existing direct-provider auth status behavior remains covered.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still appears to report provider-picker auth for /model status while /status already maps OpenAI under the Codex harness to openai-codex auth, and the protected maintainer label prevents automated cleanup.

Reproducibility: yes. source inspection gives a high-confidence reproduction path by using a Codex-runtime openai/gpt-5.5 setup with only an openai-codex auth profile, then invoking Telegram /model status; the command currently resolves auth against picker providers such as openai and codex, not the effective Codex auth provider.

Next step
Protected maintainer label makes this human-only for cleanup and automation routing, so no ClawSweeper repair lane should be queued from this review.

Review details

Best possible solution:

Update the /model status implementation to report effective runtime auth for OpenAI models served by the Codex harness while preserving truthful direct-provider auth status.

Do we have a high-confidence way to reproduce the issue?

Yes: source inspection gives a high-confidence reproduction path by using a Codex-runtime openai/gpt-5.5 setup with only an openai-codex auth profile, then invoking Telegram /model status; the command currently resolves auth against picker providers such as openai and codex, not the effective Codex auth provider.

Is this the best way to solve the issue?

Yes: the narrow maintainable fix is to reuse or mirror the existing /status runtime-auth mapping in /model status, then add regression coverage for the Codex-runtime plus openai-codex OAuth case.

What I checked:

• Protected label: The issue has the maintainer label, which requires explicit maintainer handling and prevents auto-close cleanup.
• Model status auth source: /model status builds authByProvider from the picker catalog and calls resolveAuthLabel(provider, ...) for each visible provider before printing [provider] ... auth: .... (src/auto-reply/reply/directive-handling.model.ts:299, 029ca8c26884)
• Exact-provider auth lookup: resolveAuthLabel resolves profile order using the exact provider passed in and falls back to missing when there is no matching provider profile, env key, or config key. (src/auto-reply/reply/directive-handling.auth.ts:66, 029ca8c26884)
• Status command has runtime auth mapping: /status uses resolveStatusAuthProvider, which maps provider=openai plus effectiveHarness=codex to openai-codex before resolving auth. (src/status/status-text.ts:155, 029ca8c26884)
• Documented OpenAI/Codex contract: The OpenAI docs state that openai/* agent models run through the Codex runtime and use openai-codex auth for ChatGPT/Codex subscription use. Public docs: docs/providers/openai.md. (docs/providers/openai.md:14, 029ca8c26884)
• Current tests cover generic status auth, not this runtime case: The /model status tests cover catalog auth labels and workspace-scoped auth evidence, but the inspected block has no Codex-runtime plus openai-codex OAuth regression case. (src/auto-reply/reply/directive-handling.model.test.ts:479, 029ca8c26884)

Likely related people:

• Vincent Koc: Current available blame for the central /model status provider-auth formatting, exact-provider auth label helper, /status runtime-auth mapping, and OpenAI/Codex docs points to the same recent commit by this maintainer. (role: recent maintainer / likely follow-up owner; confidence: medium; commits: 3a89e20b7b5f; files: src/auto-reply/reply/directive-handling.model.ts, src/auto-reply/reply/directive-handling.auth.ts, src/status/status-text.ts)

Remaining risk / open question:

• No live Telegram run was performed during this read-only review; the source path is clear, but the fix should still add a focused regression test and preferably verify the chat command output.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 029ca8c26884.

[ai-hpc]

This looks already fixed on main by #79135 (31a710c5a6), which landed shortly after this issue was filed.

The fix adds resolveStatusAuthLabel in src/auto-reply/reply/directive-handling.model.ts that:

1. Tries direct provider auth first (resolveAuthLabel(provider, ...)).
2. On missing, resolves the effective harness runtime via resolveAgentHarnessPolicy and buildAgentRuntimeAuthPlan.
3. If the effective auth provider differs (e.g. openai + codex runtime → openai-codex), resolves auth against that and returns via <runtime> runtime / <effectiveProvider> <auth>.

So for the configuration in this report (agentRuntime.id=codex + openai-codex OAuth), /model status now prints something like:

[openai] endpoint: default auth: via codex runtime / openai-codex <profile>=OAuth

instead of auth: missing. Direct-provider auth labels are preserved when an openai API key exists.

Regression tests for the Codex-runtime + openai-codex OAuth case (and the direct-openai-API-key preservation case) live in src/auto-reply/reply/directive-handling.model.test.ts.

The clawsweeper review at the top of this issue is reviewing against 029ca8c26884, which is before the fix at 31a710c5a6, so its "still reproducible" call is stale.

Looks like a duplicate of #79133, which #79135 already linked-closed. Probably safe to close this one too.