[Bug]: doctor --fix silently migrates intentional openai-codex/ config to openai/, breaking PI+OAuth runtime and causing 3-4x token inflation

[danielsan1]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

The native Codex runtime produces 3–4× higher token usage compared to the
OpenClaw PI runtime for the same GPT-5.x requests. This is a known upstream
issue that OpenClaw cannot fix — but doctor --fix silently forces users onto
the broken runtime by migrating intentional openai-codex/ configs to
openai/, removing the agentRuntime: { id: "pi" } override in the process.
Users have no way to opt out of this migration short of manually reverting
after every doctor run.

Steps to reproduce

1. Configure an explicit PI-runtime setup to avoid the broken Codex runtime:

   {
     "agents": {
       "defaults": {
         "model": {
           "primary": "openai-codex/gpt-5.4"
         },
         "models": {
           "openai-codex/gpt-5.4": {
             "agentRuntime": { "id": "pi" }
           }
         }
       }
     },
     "auth": {
       "order": {
         "openai-codex": ["openai-codex:user@example.com"]
       }
     },
     "plugins": {
       "entries": { "codex": { "enabled": false } }
     }
   }

2. Run openclaw doctor --fix (e.g. as part of a version update)
3. Observe doctor output:
   Repaired Codex model routes:

• agents.defaults.model.primary: openai-codex/gpt-5.4 -> openai/gpt-5.4
• agents.defaults.models.openai-codex/gpt-5.4: openai-codex/gpt-5.4 -> openai/gpt-5.4

4. Restart the gateway
5. Send any message to the agent and observe token usage or check
   openclaw models status

Expected behavior

- Doctor respects an explicitly configured openai-codex/ primary and
agentRuntime: { id: "pi" } override. If the user has deliberately opted
out of the native Codex runtime (because buggy/token-burn), doctor should not re-enroll them.

• If doctor must migrate model references, it should at minimum preserve the
  agentRuntime config from the old entry and copy it to the new one.
• Ideally: doctor warns and asks before applying breaking model-route changes,
  similar to how it already shows interactive summaries for other migrations.

Actual behavior

• primary is silently changed to openai/gpt-5.4
• The models["openai-codex/gpt-5.4"] entry — including agentRuntime: { id: "pi" } —
  is removed entirely
• All model aliases pointing to openai-codex/gpt-5.4 are dropped
• The gateway starts with the native Codex runtime active
• Token usage per turn is 3–4× higher than before the migration
  (observed with GPT-5.4; even worse with GPT-5.5)
• openclaw models status shows openai/gpt-5.4 · api-key (env: OPENAI_API_KEY)
  instead of openai-codex/gpt-5.4 · oauth — auth path also silently switched

OpenClaw version

from 2026.5.12 onwards

Operating system

macOS 26.5

Install method

No response

Model

openai-codex/gpt-5.x

Provider / routing chain

Desired (PI runtime, working): User message → openai-codex/gpt-5.4 → auth: oauth (openai-codex:user@example.com) → runtime: OpenClaw PI → tokens_prompt: baseline (1×)

Additional provider/model setup details

Provider / Routing Chain

Desired (PI runtime, working):
User message
→ openai-codex/gpt-5.4
→ auth: oauth (openai-codex:user@example.com)
→ runtime: OpenClaw PI
→ tokens_prompt: baseline (1×)

Actual after doctor (native Codex runtime, broken):
User message
→ openai/gpt-5.4
→ auth: api-key (env: OPENAI_API_KEY) ← wrong auth path
→ runtime: native Codex harness ← broken runtime
→ tokens_prompt: 3–4× baseline ← token inflation

The OPENAI_API_KEY is present in this environment for unrelated features
(Talk/Voice). With primary: openai/gpt-5.4, OpenClaw silently prefers the
direct API key path even when auth.order.openai-codex is configured — this
auth-path ambiguity is the original reason for adopting the explicit
openai-codex/ namespace

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

Proposed Fix / Feature Request

The root issue is the native Codex runtime itself — it is producing
significantly inflated token counts compared to the PI runtime for equivalent
workloads. This appears to be an upstream Codex issue that OpenClaw cannot
directly fix at the provider level.

Until that is resolved, users need a stable way to opt out. Specifically:

1. Respect agentRuntime: { id: "pi" } as an explicit opt-out signal.
   Doctor should not overwrite a model entry that carries this key without
   at minimum a warning.
2. Surface the Codex runtime as experimental / opt-in, not the default
   path that doctor steers users toward. Users should be able to choose
   whether they want the native Codex harness or the PI runtime — and that
   choice should survive doctor --fix.
3. If migration is unavoidable, carry agentRuntime and alias config
   forward to the new model ref automatically.

Workaround

Manually reapply after every doctor --fix:

openclaw config set agents.defaults.model.primary "openai-codex/gpt-5.4"
openclaw config set agents.defaults.models["openai-codex/gpt-5.4"].agentRuntime.id "pi"
openclaw gateway restart --force

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has a source-visible doctor --fix config-migration bug, and two open PRs already reference this issue with closing syntax. The issue should close only after the chosen fix merges.

Reproducibility: yes. Source inspection on current main shows the combined model.primary plus legacy model-map entry can synthesize a canonical codex runtime before the legacy pi entry is merged; I did not run doctor because this review was read-only.

Next step
Do not queue another repair because two open PRs already close this issue; the next action is to review and land the best fix PR.

Review details

Best possible solution:

Preserve explicit model-map agentRuntime metadata during legacy route migration while keeping the documented openai-codex/* to openai/* canonicalization intact.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows the combined model.primary plus legacy model-map entry can synthesize a canonical codex runtime before the legacy pi entry is merged; I did not run doctor because this review was read-only.

Is this the best way to solve the issue?

Yes for the narrow bug. The maintainable fix is to preserve explicit concrete runtime policy while still performing the documented canonical route migration; changing Codex to opt-in by default is a separate product decision.

Label justifications:

• P1: A normal doctor repair path can switch an explicitly configured PI/OAuth route back to the Codex runtime for real users during update cleanup.
• impact:data-loss: The issue is about doctor --fix overwriting or dropping user config metadata during migration.
• impact:auth-provider: The affected config controls provider, runtime, model, and OAuth/API-key route selection.

What I checked:

• Current repair order: rewriteAgentModelRefs rewrites agents.defaults.model and calls ensureCodexRuntimePolicy for new hits before the legacy models map is rewritten later in the same function. (src/commands/doctor/shared/codex-route-warnings.ts:1555, b7ba7c3f2a1e)
• Codex policy synthesis: ensureCodexRuntimePolicy creates the canonical model entry and writes agentRuntime.id: "codex" unless that canonical entry already has a concrete non-auto/default runtime. (src/commands/doctor/shared/codex-route-warnings.ts:2000, b7ba7c3f2a1e)
• Legacy merge precedence: rewriteModelsMap merges { ...legacyRecord, ...canonicalRecord }, so a synthesized canonical codex runtime can overwrite the legacy entry's explicit pi runtime. (src/commands/doctor/shared/codex-route-warnings.ts:1314, b7ba7c3f2a1e)
• Current coverage gap: The existing preservation test covers a legacy model-map key without the combined model.primary case from this report; the current main tree has no matching regression helper for the combined scenario. (src/commands/doctor/shared/codex-route-warnings.test.ts:2974, b7ba7c3f2a1e)
• Documented runtime contract: The docs say explicit PI for an OpenAI model should use openai/<model> plus provider/model agentRuntime.id: "pi", while legacy openai-codex/* refs are repaired to openai/* with Codex intent only where implied. Public docs: docs/concepts/agent-runtimes.md. (docs/concepts/agent-runtimes.md:92, b7ba7c3f2a1e)
• Runtime policy contract: resolveModelRuntimePolicy prioritizes agent model-map runtime policy, and resolveAgentHarnessPolicy returns a concrete runtime for OpenAI instead of defaulting to Codex when one is set. (src/agents/model-runtime-policy.ts:190, b7ba7c3f2a1e)

Likely related people:

• pashpashpash: Recent commits moved OpenAI agent runs toward Codex-by-default routing and provider/model runtime policy, which is the policy boundary implicated by this migration bug. (role: feature-history contributor; confidence: high; commits: 1c3399010815, 02fe0d8978db; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts, docs/concepts/agent-runtimes.md)
• steipete: Recent commits updated Codex route repair, tests, and agent runtime docs around preserving Codex auth and runtime policy during migration. (role: recent area contributor; confidence: high; commits: a39c05559ba7, 628c753f3bff; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts, docs/concepts/agent-runtimes.md)
• vincentkoc: The GitHub history shows the initial doctor legacy Codex route config repair in this file, making them relevant for intended migration behavior. (role: introduced adjacent behavior; confidence: medium; commits: bca670920362; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts)
• joshavant: Recent doctor repair work for disabled Codex runtime plugin touched the same repair file and tests, adjacent to the plugin auto-enable side effect described here. (role: recent adjacent contributor; confidence: medium; commits: c5b33523266c; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts)

Remaining risk / open question:

• The source proof covers the PI runtime-policy overwrite; it does not independently live-verify the reported 3-4x token inflation magnitude or exact models status auth display.
• Two open fix PRs take different shapes, so maintainers should choose the narrow preservation path and avoid expanding this into a Codex-default product-policy change.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b7ba7c3f2a1e.

[minifi]

I've been experiencing the same problem after updating to 2025.5.12 and 2025.5.18 today.

Before the update and before the change to runtime Open AI Codex I could send several Telegram messages to my GPT-5.5 powered OpenClaw and it barely used 1% of the 5h limit.

Now with the new runtime a single Telegram message drains 3% of the 5h limit. This is not a viable solution tbh.

[danielsan1]

I've been experiencing the same problem after updating to 2025.5.12 and 2025.5.18 today.

Before the update and before the change to runtime Open AI Codex I could send several Telegram messages to my GPT-5.5 powered OpenClaw and it barely used 1% of the 5h limit.

Now with the new runtime a single Telegram message drains 3% of the 5h limit. This is not a viable solution tbh.

Exact behaviour, unfortunately. I tried to briefly analyse the issue via Openclaw and like 2-3 tool calls cost me 10% (!) plus session window. (so I needed to use Codex external to roll me back to Pi Runtime) - With Pi it feels normal again.

[minifi]

Question is if it's a bug or if we just have to accept that the new (and preferred/default) Open AI Codex runtime (for whatever reason) is just severely more costly.

I'm not against the new approach per se, but a 3-5x cost inflation is not sustainable.

[danielsan1]

Oh interesting thought... let's see if we will get an answer :) But if this is the case it's even more important to let people easily choose between Pi and Codex runtime.

[danielsan1]

This might be (one/the/a) root cause for me #84110

[SolomonWise-G]

@danielsan1 will try this today! I'll let you know. This has been my problem on both .5.12 and now .5.18 version. @steipete send help! :)