[Bug]: `/model` picker auth label ignores `auth.order` resolution

[aaajiao]

Summary

The /model picker in Telegram (and presumably other channels) labels the OpenAI provider entry with 🔑 api-key (env: OPENAI_API_KEY) even when auth.order.openai is configured to route exclusively through an OAuth (Codex) profile and no openai:default API-key profile is declared in auth.profiles.

This is misleading: users who have explicitly removed the API-key fallback to avoid silent per-token billing still see the picker advertise api-key auth as if it were the active mode. It undercuts the cost-control intent of trimming auth.order.

Environment

• OpenClaw v2026.5.16-beta.7
• Channel surface: Telegram /model

Configuration (relevant excerpt)

"auth": {
  "profiles": {
    "opencode:default": { "provider": "opencode", "mode": "api_key" },
    "anthropic:manual": { "provider": "anthropic", "mode": "token" },
    "openai-codex:aaajiao@gmail.com": { "provider": "openai-codex", "mode": "oauth" }
    // No `openai:default` profile is declared
  },
  "order": {
    "openai": ["openai-codex:aaajiao@gmail.com"]
    // Only the OAuth profile — no api-key fallback
  }
},
"models": {
  "providers": {
    "openai": {
      "baseUrl": "https://api.openai.com/v1",
      "models": [
        { "id": "gpt-5.5", ... },
        { "id": "gpt-5.4", ... },
        { "id": "gpt-5.4-mini", ... }
      ]
    },
    "openai-codex": { ... }
  }
}

Observed

/model in Telegram displays:

Models (openai · 🔑 api-key (env: OPENAI_API_KEY)) — 3 available

The openai provider entry is labeled with api-key auth even though auth.order.openai references only the OAuth profile and no openai:default profile exists.

Expected

Either:

1. The picker label should reflect the auth that auth.order.openai actually resolves to (here: 🔑 oauth (openai-codex:aaajiao@gmail.com)), or
2. If the openai provider has no resolvable profile in the configured order, the entry should be hidden or labeled with an explicit "no configured auth" warning rather than implying api-key is available.

Why it matters

Users trim auth.order deliberately to prevent silent fallback to per-token billed paths. When the picker label contradicts the configured order, there is no channel-surface way to verify the cost-control change took effect. It also creates an "is this a label bug or did my config not apply?" diagnostic ambiguity.

Verified: display-only mismatch

Manual selection of an openai/* model from this picker dispatches via the OAuth (Codex) profile as expected — /status after the pick shows 🔑 oauth (openai-codex:aaajiao@gmail.com). Routing correctly honors auth.order. The bug is purely on the picker's display side: the label rendering reads the provider's intrinsic default auth mode (api-key for the openai provider catalog with baseUrl: https://api.openai.com/v1) instead of the auth that auth.order.<provider> actually resolves to for that user.

Fix target: the channel /model picker's per-provider auth label rendering should resolve through auth.order.<provider> (and the configured auth.profiles) before falling back to the provider's intrinsic default auth mode.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still has the model-picker header resolving auth labels with only the displayed provider, while /status has the OpenAI/Codex accepted-provider path; the reported display-only auth.order mismatch is source-reproducible and narrowly fixable.

Reproducibility: yes. from source inspection, but not from a live Telegram run. The picker header calls resolveModelAuthLabel without acceptedProviderIds, while the status path passes the OpenAI/Codex accepted-provider set that makes the reported OAuth label work.

Next step
Safe repair candidate: the display bug is isolated to shared model-picker auth labeling and has clear adjacent tests; live Telegram proof can be added after the patch.

Review details

Best possible solution:

Update the shared /models picker header to use the same effective accepted auth providers as runtime/status for OpenAI/Codex auth.order, with regression coverage and no routing changes.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection, but not from a live Telegram run. The picker header calls resolveModelAuthLabel without acceptedProviderIds, while the status path passes the OpenAI/Codex accepted-provider set that makes the reported OAuth label work.

Is this the best way to solve the issue?

Yes. Reusing the existing acceptedProviderIds/OpenAI-Codex routing semantics in the shared picker header is the narrow maintainable fix; changing selection routing or adding a new config knob would be unnecessary.

Label justifications:

• P2: This is a concrete auth-provider display bug with limited blast radius but real user cost-control ambiguity.
• impact:auth-provider: The report is about OpenAI/Codex auth profile resolution and misleading provider-auth labeling.

Acceptance criteria:

• node scripts/run-vitest.mjs src/auto-reply/reply/commands-models.test.ts
• node scripts/run-vitest.mjs src/agents/model-auth-label.test.ts
• node scripts/run-vitest.mjs src/auto-reply/reply/commands-status.test.ts

What I checked:

• Picker header omits accepted auth providers: formatModelsAvailableHeader builds the provider label through resolveModelAuthLabel with provider/cfg/session/dirs only; it does not pass acceptedProviderIds, so the OpenAI picker header cannot prefer the Codex OAuth provider set that /status uses. (src/auto-reply/reply/commands-models.ts:394, 57c952f67985)
• Telegram callback uses the shared header: The Telegram model-list callback calls formatModelsAvailableHeader for the provider page text, so the shared /models header path is also the Telegram /model picker display path described in the report. (extensions/telegram/src/bot-handlers.runtime.ts:2351, 57c952f67985)
• Auth label falls back to env when no compatible profile is found: resolveModelAuthLabel only searches the provider plus optional acceptedProviderIds; after no compatible profile is selected it falls back to resolveEnvApiKey, which can produce api-key (env: OPENAI_API_KEY). (src/agents/model-auth-label.ts:44, 57c952f67985)
• Status path already carries the right provider set: /status computes listOpenAIAuthProfileProvidersForAgentRuntime and passes the result as acceptedProviderIds to resolveModelAuthLabel, which explains why the reporter sees correct OAuth labeling there. (src/status/status-text.ts:253, 46bad8676c00)
• Existing regression coverage covers status only: The status test covers explicit OpenAI PI auth order resolving to oauth (openai-codex:status) and not the API-key backup, but there is no equivalent picker-header coverage. (src/auto-reply/reply/commands-status.test.ts:719, 46bad8676c00)
• Auth order contract: The docs state that explicit auth.order.<provider> exclusions are respected in auth probing and document /model//model status as the model auth control surface. Public docs: docs/gateway/authentication.md. (docs/gateway/authentication.md:135, 57c952f67985)

Likely related people:

• @steipete: Blame and git history show this person introduced the current shared /models header, model auth label helper, OpenAI/Codex routing helper, and status auth-label coverage in commit 46bad86. (role: current implementation introducer; confidence: high; commits: 46bad8676c00; files: src/auto-reply/reply/commands-models.ts, src/agents/model-auth-label.ts, src/agents/openai-codex-routing.ts)
• @Glucksberg: Earlier history on the same model command/auth-order surface modified commands-models.ts and auth-profiles/order.ts for OAuth profile-id drift and auth/session behavior. (role: adjacent auth-order contributor; confidence: medium; commits: 38b4fb5d55bb; files: src/auto-reply/reply/commands-models.ts, src/agents/auth-profiles/order.ts)

Remaining risk / open question:

• No live Telegram capture was run in this read-only pass; the reproduction is high-confidence source analysis of the shared picker header path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 57c952f67985.

[aaajiao]

Small acceptance/diagnostic suggestion:

A useful regression assertion would be that the /model provider row label is derived from the same resolver used for actual dispatch, not from the provider catalog's intrinsic/default auth mode.

For a config with:

"auth": {
  "profiles": {
    "openai-codex:user@example.com": { "provider": "openai-codex", "mode": "oauth" }
  },
  "order": {
    "openai": ["openai-codex:user@example.com"]
  }
}

and no openai:default profile, the picker should not render the openai row as api-key (env: OPENAI_API_KEY). Ideally it should display the resolved profile/mode (oauth, openai-codex:user@example.com) or at least avoid implying an API-key fallback exists.

The important invariant for users is: if selection dispatches through auth-order/OAuth, the picker label should reflect that same effective auth path. Otherwise the UI becomes unreliable for cost-control verification.