[Bug]: models status shows oauth:openai-codex marker as effective=missing

[5toCode]

Summary

openclaw models status still reports the openai provider auth overview as effective=missing when the provider is configured with the non-secret delegated OAuth marker apiKey: "oauth:openai-codex".

This is narrower than #83654. The important health signal is now correct: auth.missingProvidersInUse=[] and --check exits 0. But the human-readable provider row still says openai effective=missing:missing, which makes a healthy Codex-runtime setup look partially broken.

Environment

• OpenClaw: 2026.5.12 (f066dd2)
• Install: pnpm
• OS: macOS 26.5 arm64
• Runtime: native Codex app-server / agentRuntime.id="codex"
• Default model: openai/gpt-5.5
• Auth profile: openai-codex:<account> OAuth, healthy

Current config shape

Sanitized ~/.openclaw/agents/main/agent/models.json provider entry:

{
  "providers": {
    "openai": {
      "baseUrl": "https://api.openai.com/v1",
      "apiKey": "oauth:openai-codex",
      "api": "openai-responses",
      "models": [
        {
          "id": "gpt-5.5",
          "name": "GPT-5.5",
          "api": "openai-responses"
        }
      ]
    },
    "openai-codex": {
      "baseUrl": "https://chatgpt.com/backend-api",
      "api": "openai-codex-responses"
    }
  }
}

Auth profile store contains a valid openai-codex:<account> OAuth profile.

Observed output

openclaw models status --check exits 0 and correctly omits the old Missing auth section, but the auth overview includes:

Auth overview
Providers w/ OAuth/tokens (1): openai-codex (1)
- openai effective=missing:missing | models.json=marker(oauth:openai-codex) | source=models.json: ~/.openclaw/agents/main/agent/models.json
- openai-codex effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | openai-codex:<account>=OAuth (<account>)

openclaw models status --json similarly reports:

{
  "defaultModel": "openai/gpt-5.5",
  "auth": {
    "missingProvidersInUse": [],
    "providers": [
      {
        "provider": "openai",
        "effective": {
          "kind": "missing",
          "detail": "missing"
        },
        "modelsJson": {
          "value": "marker(oauth:openai-codex)",
          "source": "models.json: ~/.openclaw/agents/main/agent/models.json"
        }
      },
      {
        "provider": "openai-codex",
        "effective": {
          "kind": "profiles",
          "detail": "~/.openclaw/agents/main/agent/auth-profiles.json"
        }
      }
    ]
  }
}

Expected behavior

The openai provider overview should not say effective=missing when the configured provider auth is an explicit non-secret OAuth delegation marker.

Possible output:

- openai effective=models.json:marker(oauth:openai-codex) | models.json=marker(oauth:openai-codex) | source=...

or:

- openai effective=delegated:openai-codex OAuth | models.json=marker(oauth:openai-codex) | source=...

The key requirement is that the display remains truthful: direct OpenAI API key auth is absent, but the configured auth marker is intentional delegated auth evidence, not simply missing.

Root cause notes

In the built dist for 2026.5.12, resolveProviderAuthOverview in list.status-command-*.js builds:

• customKey from getCustomProviderApiKey(cfg, provider)
• usableCustomKey from resolveUsableCustomProviderApiKey(...)

For non-secret markers like oauth:openai-codex, isNonSecretApiKeyMarker(customKey) is true, but resolveUsableCustomProviderApiKey returns null unless it can resolve a concrete env/local key. The status display then falls through to:

return {
  kind: "missing",
  detail: "missing"
};

even though the same provider row also includes:

models.json=marker(oauth:openai-codex)

Local hotfix that resolved the display

I locally patched the status overview to treat OAuth markers as effective models.json auth evidence for display:

if (typeof customKey === "string" && customKey.trim().startsWith("oauth:")) return {
  kind: "models.json",
  detail: formatMarkerOrSecret(customKey)
};

After that, the CLI reports:

- openai effective=models.json:marker(oauth:openai-codex) | models.json=marker(oauth:openai-codex) | source=models.json: ~/.openclaw/agents/main/agent/models.json
- openai-codex effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=1, token=0, api_key=0) | openai-codex:<account>=OAuth (<account>)

and --json reports:

{
  "provider": "openai",
  "effective": {
    "kind": "models.json",
    "detail": "marker(oauth:openai-codex)"
  },
  "modelsJson": {
    "value": "marker(oauth:openai-codex)"
  }
}

Acceptance criteria

• openclaw models status no longer prints openai effective=missing:missing when models.json contains apiKey: "oauth:openai-codex".
• openclaw models status --json exposes an effective value that reflects the delegated marker, or otherwise distinguishes delegated marker auth from missing auth.
• Direct OpenAI API-key absence remains clear, so users are not misled into thinking a direct OPENAI_API_KEY exists.
• auth.missingProvidersInUse=[] and --check behavior remain unchanged for healthy Codex-runtime setups.
• Add a regression test for an openai provider with apiKey: "oauth:openai-codex" and a valid openai-codex OAuth profile.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main fixed the broader health-check false positive, but the auth overview still reports a configured oauth:openai-codex marker as effective=missing, so this is a valid narrow CLI display bug.

Reproducibility: yes. source-reproducible: current main records the OAuth marker in modelsJson but cannot make it the effective value unless resolveUsableCustomProviderApiKey returns a concrete credential. I did not run a live CLI repro in the reported macOS/Codex environment.

Next step
The source path is narrow, the expected behavior is already defined by the status command's auth overview contract, and a focused test can cover the reported marker without a product decision.

Review details

Best possible solution:

Update the CLI auth overview display layer to distinguish delegated OAuth markers from truly missing credentials, with focused regression coverage and no runtime auth routing changes.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main records the OAuth marker in modelsJson but cannot make it the effective value unless resolveUsableCustomProviderApiKey returns a concrete credential. I did not run a live CLI repro in the reported macOS/Codex environment.

Is this the best way to solve the issue?

Yes. A narrow display-layer fix in resolveProviderAuthOverview, plus a regression test for the OAuth marker case, is the most maintainable path and should leave runtime auth resolution and --check semantics alone.

Label justifications:

• P2: This is a normal user-facing diagnostics bug with limited blast radius in openclaw models status output.
• impact:auth-provider: The issue concerns provider auth status rendering for OpenAI/Codex OAuth routing.

Acceptance criteria:

• node scripts/run-vitest.mjs src/commands/models/list.auth-overview.test.ts src/commands/models/list.status.test.ts

What I checked:

• Current overview falls through to missing: resolveProviderAuthOverview reads customKey, but effective only uses usableCustomKey; without profiles, env, usable custom key, or synthetic auth, it returns { kind: "missing", detail: "missing" }. (src/commands/models/list.auth-overview.ts:148, 1fb09069c342)
• OAuth markers are intentionally non-secret: The marker helper treats values starting with oauth: as non-secret API-key markers, so oauth:openai-codex is display-safe marker evidence rather than a secret to mask as a real key. (src/agents/model-auth-markers.ts:83, 1fb09069c342)
• Usable custom-key resolution rejects unresolved markers: resolveUsableCustomProviderApiKey returns a value for plaintext keys and resolvable env/local markers, but otherwise returns null for non-secret markers; that explains why the overview falls through for oauth:openai-codex. (src/agents/model-auth.ts:169, 1fb09069c342)
• Related broader health signal is already covered: Current status logic allows official OpenAI text routes to use openai-codex auth for missingProvidersInUse, and a focused test asserts the broader Codex-runtime false positive stays fixed; this issue is narrower than [Bug]: openclaw models status reports missing openai auth for Codex-runtime openai/gpt-5.5 #83654. (src/commands/models/list.status-command.ts:550, 1fb09069c342)
• Existing regression coverage does not cover marker display: The current tests cover missingProvidersInUse for OpenAI routed through Codex auth, but I found no regression for an openai provider row with apiKey: "oauth:openai-codex" and effective display semantics. (src/commands/models/list.status.test.ts:472, 1fb09069c342)
• History for current status overview surface: Current checkout blame attributes the auth overview decision path and adjacent status tests to commit 6a5a135, authored by Yao. (src/commands/models/list.auth-overview.ts:151, 6a5a1353c7f0)

Likely related people:

• Yao: Available git blame and git log --follow for list.auth-overview.ts, list.status-command.ts, and status tests point the current status overview implementation to commit 6a5a135. (role: current status implementation contributor; confidence: medium; commits: 6a5a1353c7f0; files: src/commands/models/list.auth-overview.ts, src/commands/models/list.status-command.ts, src/commands/models/list.status.test.ts)
• Colin: The existing ClawSweeper comment on [Bug]: openclaw models status reports missing openai auth for Codex-runtime openai/gpt-5.5 #83654 routes the broader missingProvidersInUse fix for the same CLI status surface to Colin's status-command work. (role: prior related CLI status fix contributor; confidence: medium; commits: 6e8029407919; files: src/commands/models/list.status-command.ts, src/commands/models/list.status.test.ts)
• Takhoffman: The adjacent OpenAI/Codex picker-auth label fix was approved by Takhoffman and touched nearby auth display behavior, but not this exact CLI overview row. (role: adjacent auth-display reviewer; confidence: low; commits: bf9329486b94; files: src/agents/model-auth-label.test.ts, src/auto-reply/reply/commands-models.ts, src/auto-reply/reply/commands-models.test.ts)

Remaining risk / open question:

• No live macOS/Codex app-server CLI command was run during this read-only review; the conclusion is based on deterministic current-main source inspection and the reporter's concrete output.
• The final wording should keep direct OpenAI API-key absence clear so users do not mistake the marker for a direct OPENAI_API_KEY.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1fb09069c342.