[Bug]: `openclaw models status` reports missing openai auth for Codex-runtime `openai/gpt-5.5`

[lilesjtu]

Summary

openclaw models status --json reports missingProvidersInUse: ["openai"] when the active/default model is openai/gpt-5.5, even though the model is intentionally served through the Codex runtime and openai-codex OAuth is valid.

This is confusing because the active model path works. The status output makes it look like the current model is missing auth, when the missing auth only applies to direct OpenAI API/provider usage.

This looks related to #79131 and #83574, but this report is for the CLI openclaw models status surface rather than Telegram /model status or the picker label.

Environment

• OpenClaw: 2026.5.12 (f066dd2)
• Default model: openai/gpt-5.5
• Runtime/auth path: Codex runtime via openai-codex OAuth

Observed

A sanitized summary of openclaw models status --json shows:

{
  "defaultModel": "openai/gpt-5.5",
  "resolvedDefault": "openai/gpt-5.5",
  "imageModel": "openai/gpt-5.5",
  "allowed": [
    "qwen/qwen3.6-plus",
    "qwen/glm-5",
    "openrouter/xiaomi/mimo-v2-pro",
    "openai/gpt-5.5"
  ],
  "missingProvidersInUse": [
    "openai"
  ],
  "oauthProviders": [
    {
      "provider": "openai-codex",
      "status": "ok",
      "effectiveProfileCount": 1
    }
  ]
}

But a gateway smoke test of the same model succeeds and shows that the effective provider is openai-codex:

openclaw infer model run --gateway --model openai/gpt-5.5 --prompt 'Reply with exactly: OK' --json

Sanitized result:

{
  "ok": true,
  "provider": "openai-codex",
  "model": "gpt-5.5",
  "text": "OK"
}

Expected

models status should distinguish direct provider auth from effective runtime auth.

For a Codex-runtime setup where openai/gpt-5.5 is served via openai-codex OAuth, the command should not imply that the active model path is broken or unauthenticated.

Possible output semantics:

openai: direct OpenAI API auth missing; available via codex runtime / openai-codex OAuth

or omit openai from missingProvidersInUse when the configured runtime/auth plan can successfully serve the selected model.

Why it matters

After migration or setup, models status is a natural health-check command. Seeing missingProvidersInUse: ["openai"] sends users toward configuring a direct OPENAI_API_KEY, even when they deliberately use ChatGPT/Codex OAuth instead of direct API billing.

The current behavior creates a false-positive diagnostic path: the runtime is healthy, but the status command reports the canonical model provider as missing without explaining that the effective Codex runtime auth is available.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main already handles the CLI false-positive: canonical openai/gpt-* text routes are allowed to use openai-codex runtime auth before missingProvidersInUse is populated, and the release tag source contains the same regression coverage.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the existing CLI runtime-auth status behavior and leave the Telegram/picker display fixes to their separate open reports.

Do we have a high-confidence way to reproduce the issue?

No. I did not run a live command in this read-only review, but current main and the release tag contain a focused source-level fixture for openai/gpt-5.5 plus only openai-codex auth that asserts the reported failure does not occur.

Is this the best way to solve the issue?

Yes. The implemented solution keeps direct-provider auth truthful while allowing the CLI health check to account for the effective Codex runtime auth route.

Security review:

Security review: This is a non-PR diagnostic issue; no patch security review applies.

What I checked:

• Current main source handles Codex runtime auth: hasUsableAuthForProviderInUse returns true for official OpenAI text routes when openai-codex auth is usable, before adding providers to missingProvidersInUse. (src/commands/models/list.status-command.ts:550, 27c7e1e07bcb)
• Current main JSON distinguishes runtime auth: models status --json includes runtimeAuthRoutes alongside missingProvidersInUse, so the CLI can report the openai model route using openai-codex auth. (src/commands/models/list.status-command.ts:565, 27c7e1e07bcb)
• Focused regression coverage exists: The status test configures openai/gpt-5.5 with only openai-codex:default auth and expects auth.missingProvidersInUse to be [] with no --check exit 1. (src/commands/models/list.status.test.ts:472, 27c7e1e07bcb)
• Git history provenance: Line blame ties the current CLI status runtime-auth handling and regression test to commit 6e80294, authored by Colin and committed by Peter Steinberger. (src/commands/models/list.status-command.ts:408, 6e8029407919)
• Release provenance: The release tag v2026.5.12 points at f066dd2, and that tag's source contains the same openai-codex fallback and regression test. (src/commands/models/list.status.test.ts:472, f066dd2f31c2)
• Related reports are separate channel surfaces: The linked reports cover Telegram /model status and picker-label behavior, while this item is specifically about the CLI openclaw models status JSON surface.

Likely related people:

• Colin: Line blame for the current CLI status implementation and regression test points to commit 6e80294. (role: recent area contributor; confidence: high; commits: 6e8029407919; files: src/commands/models/list.status-command.ts, src/commands/models/list.status.test.ts)
• steipete: The same blamed commit was committed by Peter Steinberger, and the release provenance for v2026.5.12 is the release commit f066dd2. (role: committer and release preparer; confidence: medium; commits: 6e8029407919, f066dd2f31c2; files: src/commands/models/list.status-command.ts, src/commands/models/list.status.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 27c7e1e07bcb; fix evidence: release v2026.5.12, commit f066dd2f31c2.