[Bug]: Codex OAuth relogin creates fresh named profile but lastGood keeps selecting stale default on 2026.5.18

[wangwllu]

Bug type

Authentication / profile selection regression

Summary

This appears to be the same failure mode as #57286, but that issue is locked so I cannot add the requested current-build reproduction there.

On OpenClaw 2026.5.18, running openclaw models auth login --provider openai-codex successfully created a fresh named OAuth profile, and models auth order set was used to put that fresh profile first. However, auth-state.json still moved/kept lastGood.openai-codex on the older openai-codex:default profile. Since the installed selection path prefers lastGood before the first ordered profile, runtime/status can continue selecting stale default credentials unless the operator manually edits/copies auth profiles.

Environment

• OpenClaw: 2026.5.18 (50a2481)
• Codex CLI: codex-cli 0.130.0
• OS: macOS / Apple Silicon
• Auth flow: openclaw models auth login --provider openai-codex
• OAuth completion: mobile browser login, then manual localhost callback URL/code entry into the CLI prompt

Steps to reproduce

1. Start with an existing openai-codex:default OAuth profile near expiry.

2. Run:

   openclaw models auth login --provider openai-codex

3. Complete OAuth. In this case the login wrote a fresh named profile:

   openai-codex:<email>
   

4. Set provider auth order to prefer the fresh named profile:

   openclaw models auth order set --provider openai-codex --agent main openai-codex:<email> openai-codex:default

5. Check ~/.openclaw/agents/main/agent/auth-state.json.

Expected behavior

After successful reauth and explicit auth-order selection, OpenClaw should either:

• update lastGood.openai-codex to the fresh profile,
• clear stale lastGood for that provider,
• or make explicit auth order override lastGood when choosing an active profile.

The fresh profile should be the effective profile without manual auth-store edits.

Actual behavior

After successful login, the agent had two profiles:

- openai-codex:default (same ChatGPT account) [openai-codex/oauth; expires 2026-05-22T15:07:22.131Z]
- openai-codex:<email> (same ChatGPT account) [openai-codex/oauth; expires 2026-05-30T01:09:04.729Z]

The order was set correctly:

{
  "order": {
    "openai-codex": [
      "openai-codex:<email>",
      "openai-codex:default"
    ]
  }
}

But lastGood still selected the old default profile:

{
  "lastGood": {
    "openai-codex": "openai-codex:default"
  }
}

The installed 2026.5.18 bundle appears to prefer lastGood ahead of the first ordered profile when the lastGood profile is present in the order and not currently marked unusable/cooldowned:

const lastGood = [
  params.store.lastGood?.[OPENAI_PROVIDER_ID],
  params.store.lastGood?.[OPENAI_CODEX_PROVIDER_ID],
].find((profileId) =>
  !!profileId &&
  params.order.includes(profileId) &&
  isActiveProfileCandidate(params, profileId)
);
if (lastGood) return lastGood;

Workaround

The robust local workaround was to copy the fresh named OAuth credential material into openai-codex:default as well. After that, both profile ids reported the new expiry:

openai-codex:default        expires 2026-05-30T01:09:04.729Z
openai-codex:<email>        expires 2026-05-30T01:09:04.729Z

Then this verification passed:

openclaw infer model run --model openai/gpt-5.5 --prompt 'Reply with exactly: CODEX_STATUS_OK' --json
# returned CODEX_STATUS_OK

Why this is worth tracking

This is not only a UI/status issue. The operator-visible recovery path after OAuth renewal still required manual auth-store surgery, even after:

• successful models auth login --provider openai-codex,
• explicit models auth order set,
• and a passing model-run after manually aligning the stale default profile.

The closest existing issue is #57286, but it is locked and cannot receive the requested current-build reproduction comment.

Redaction

No tokens, auth codes, account ids, hostnames, chat ids, or personal identifiers are included here. The email-bearing profile id is redacted as openai-codex:<email>.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has a Codex account/status active-profile path that can prefer lastGood over an explicit Codex auth order, while the core auth-order resolver and docs make explicit order the supported recovery path.

Reproducibility: yes. at source level: construct Codex auth state with order [fresh, default] and lastGood.openai-codex = default; the current Codex active-profile helper can return lastGood before the first ordered profile. I did not exercise a live OAuth login in this read-only review.

Next step
A focused repair can target the Codex active-profile/order-state path with source-level reproduction and narrow tests, without adding a new config policy.

Review details

Best possible solution:

Make explicit Codex auth order authoritative over stale provider lastGood in the affected active-profile/status path, and add a regression test that preserves current failover behavior when no explicit order is set.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: construct Codex auth state with order [fresh, default] and lastGood.openai-codex = default; the current Codex active-profile helper can return lastGood before the first ordered profile. I did not exercise a live OAuth login in this read-only review.

Is this the best way to solve the issue?

Yes, the narrow maintainable fix is to make explicit auth order override stale lastGood for the Codex active-profile/status path, or clear provider lastGood when setting a conflicting explicit order. A new primary-first policy mode belongs to the separate broader feature discussion, not this bug fix.

Label changes:

• add P1: The report affects the latest released Codex OAuth recovery path and can keep real users on stale credentials after successful re-login.
• add impact:session-state: The failure depends on persisted auth-state.json order and lastGood state drifting after reauth.
• add impact:auth-provider: The issue is about which OpenAI/Codex auth profile is selected for model/runtime use.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The report affects the latest released Codex OAuth recovery path and can keep real users on stale credentials after successful re-login.
• impact:auth-provider: The issue is about which OpenAI/Codex auth profile is selected for model/runtime use.
• impact:session-state: The failure depends on persisted auth-state.json order and lastGood state drifting after reauth.

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/codex/src/commands.test.ts
• node scripts/run-vitest.mjs src/agents/auth-profiles/profiles.test.ts src/agents/auth-profiles/order.test.ts
• git diff --check

What I checked:

• Current Codex account active-profile path still prefers lastGood: resolveActiveProfileId checks live account first, then returns store.lastGood.openai or store.lastGood.openai-codex when that id is still present in the display order and not cooldowned, before falling back to the first resolved auth profile order entry. (extensions/codex/src/command-account.ts:178, 6048cd43a5ab)
• Explicit Codex display order keeps the stale default eligible: resolveDisplayAuthOrder returns a stored or configured openai-codex order directly, so an order like fresh-profile then default still leaves stale default available for the later lastGood branch to pick. (extensions/codex/src/command-account.ts:138, 6048cd43a5ab)
• Auth order setter does not reconcile lastGood: setAuthProfileOrder writes the per-agent provider order but does not update or clear the provider's lastGood, matching the reported state where order changed but stale lastGood stayed behind. (src/agents/auth-profiles/profiles.ts:44, 6048cd43a5ab)
• Core resolver already treats explicit order as authoritative: resolveAuthProfileOrder respects explicit store/config order and only applies cooldown sorting; its default path explicitly does not prioritize lastGood, so the likely fix boundary is the stale Codex active-profile display/status helper and order-state reconciliation rather than a new core policy mode. (src/agents/auth-profiles/order.ts:312, 6048cd43a5ab)
• Existing regression coverage is adjacent but not exact: Tests cover clearing lastGood after refresh_token_reused and avoiding a blocked last-good account, but I did not find coverage for explicit Codex auth order overriding a still-eligible stale lastGood profile. (src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts:744, 6048cd43a5ab)
• Docs support explicit order as the recovery contract: The public auth docs describe models auth order set as an explicit per-agent auth profile order override, and the OpenAI docs say auth order tries the subscription profile first, then the backup, while staying on the Codex harness. Public docs: docs/gateway/authentication.md. (docs/gateway/authentication.md:202, 6048cd43a5ab)

Likely related people:

• Peter Steinberger: History shows repeated work on Codex app-server controls, command tests, provider auth aliases, and auth-profile persistence/order surfaces that frame this behavior. (role: feature owner and recent area contributor; confidence: high; commits: 31a0b7bd42a5, 8d72aafdbb8d, 9e4f478f866c; files: extensions/codex/src/command-account.ts, extensions/codex/src/commands.test.ts, src/agents/auth-profiles/order.ts)
• Vincent Koc: Auth-order history includes the explicit profile-order cooldown helper, and Vincent closed the earlier stale named-profile report with the requested current-build follow-up condition. (role: adjacent owner and reviewer; confidence: medium; commits: f1d5c1a31f3e; files: src/agents/auth-profiles/order.ts, https://github.com/openclaw/openclaw/issues/57286)
• BunsDev: The earlier duplicate was closed as covered by the OAuth hardening PR authored by BunsDev, which touched the same Codex OAuth recovery family even though this report identifies a remaining selection-state edge. (role: related OAuth hardening contributor; confidence: medium; commits: f45bc0920662; files: src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts, src/plugins/provider-openai-codex-oauth.test.ts, extensions/openai/openai-codex-cli-auth.test.ts)
• Glucksberg: Prior auth/session work repaired OAuth profile-id drift and auth-order behavior, which is directly adjacent to stale default versus named profile selection. (role: adjacent contributor; confidence: medium; commits: 38b4fb5d55bb; files: src/agents/auth-profiles/order.ts, src/agents/auth-profiles/session-override.ts)

Remaining risk / open question:

• I did not run a live Codex OAuth round trip, so the exact runtime failure beyond the source-visible selection path still needs regression proof.
• A fix should stay scoped to explicit auth-order semantics; changing global lastGood or multi-account rotation behavior would overlap the broader product-policy request in [Feature]: Add primary-first Codex auth profile mode for stable Pro + backup account setups #83496.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6048cd43a5ab.

[NianJiuZst]

mark