Legacy Codex OAuth sidecars stored only in macOS Keychain still require doctor for embedded runtime path

[RomneyDa]

Summary

#85074 (and the original #84752) restore runtime auto-migration of legacy oauthRef-backed openai-codex profiles for the embedded runner — but only when the sidecar seed lives in OPENCLAW_AUTH_PROFILE_SECRET_KEY or in a seed file under ~/.openclaw/oauth/.... Users whose legacy seed lives only in macOS Keychain (older onboarding before the file-based sidecar layout) are not self-healed by that PR and still need a one-time openclaw doctor --fix.

This issue tracks closing that remaining gap.

Why it's not in #85074

The embedded runtime path runs with allowKeychainPrompt: false (src/agents/auth-profiles/legacy-oauth-sidecar.ts:233-240) by design — embedded turns happen in Telegram replies, cron-triggered runs, sub-agent dispatch, and other contexts where popping an unexpected macOS Keychain prompt would be confusing or impossible. Simply flipping that flag to true is not acceptable: it would surface Keychain prompts at random times when no user is looking at the terminal.

So the runtime self-heal works for file/env-seed users (the modal case) but not Keychain-only users, who are documented as still needing doctor (docs/gateway/doctor.md section 5).

Affected users

Anyone who:

• Onboarded openai-codex OAuth on a macOS host before the file-based sidecar layout was introduced, AND
• Did not set OPENCLAW_AUTH_PROFILE_SECRET_KEY or write a seed file, AND
• Upgraded with manual npm/pnpm/bun (skipping the openclaw update → doctor flow).

Same surface as #84893 / #85074, narrower bucket.

Two viable approaches

A. Prompt-once-and-cache in the embedded runtime path. Detect Keychain-backed legacy sidecars on first embedded-runtime store load. If the calling context is genuinely interactive (TTY attached, not cron/systemd/Telegram-bot-reply), prompt the user once to unlock the Keychain entry. On approval, read the seed, migrate all sidecar profiles inline via the existing saveAuthProfileStore path, and never need to prompt again. If the context is headless, fail gracefully with a clear message directing the user to run openclaw doctor from a terminal.

B. Auto-trigger the doctor migration on first interactive openclaw <anything> invocation after a detected legacy profile. Cleaner mental model — the migration stays doctor's responsibility, but it's triggered automatically once instead of requiring the user to know about it. Probably ~100-200 LOC in the command dispatch entry point + reuse of existing maybeRepairLegacyOAuthSidecarProfiles.

B is architecturally cleaner — it avoids spreading "when is it safe to prompt for Keychain access?" logic into the embedded runtime. A is more surgical but harder to get right.

Acceptance criteria

• macOS Keychain-only legacy sidecar users self-heal on first interactive openclaw invocation after upgrade (whichever approach is chosen).
• No Keychain prompts fire in headless contexts (cron, systemd, Telegram polling, embedded sub-agent dispatch).
• Headless invocations that detect a Keychain-only profile fail with a clear actionable error directing the user to run from a terminal or run doctor.
• Regression test covers both "interactive: migrate" and "headless: refuse cleanly" paths.

Related

• fix(auth): load legacy Codex OAuth sidecars in embedded secrets-runtime loaders #85074 (closes the file/env-seed bucket; this issue is the remaining Keychain-only bucket).
• fix: self-heal lane wedges + restore openai-codex OAuth on embedded path #84752 (original PR; auth half cherry-picked into fix(auth): load legacy Codex OAuth sidecars in embedded secrets-runtime loaders #85074).
• [Bug]: v2026.5.19 Codex unusable on headless VPS: openai-codex auth binding failure and codex provider Cloudflare 403 #84893 (P1 upgrade regression that surfaced the broader bug; same user audience).
• Keep legacy Codex OAuth sidecar profiles usable #83312 (introduced the runtime auto-migration the runtime path now correctly reaches for file/env seeds).
• docs/gateway/doctor.md section 5 documents Keychain-only as doctor-required today.

Out of scope

• Removing the legacy sidecar code paths entirely. That's a separate cleanup tracked elsewhere and should wait until all legacy users have migrated.
• Changes to openclaw doctor --fix behavior itself; the migration path it runs is already correct.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 24, 2026, 6:43 PM ET / 22:43 UTC.

Summary
Keep open: this is a maintainer-authored, protected-label auth migration gap, and current main plus the latest release still document Keychain-only legacy Codex OAuth sidecars as doctor-required rather than implementing interactive self-heal. The related implementation in #85163 was closed unmerged, so there is no landed fix to close against.

Reproducibility: yes. source inspection gives a high-confidence path: a legacy oauthRef profile encrypted with a seed available only through macOS Keychain will not hydrate through the embedded secrets-runtime loader because allowKeychainPrompt is false. I did not run a live macOS Keychain prompt in this read-only review.

Next step
Protected maintainer-labeled auth work with clawsweeper:no-new-fix-pr should stay in maintainer review until the product/UX decision is made.

Review details

Best possible solution:

Revive or redesign the interactive CLI-triggered doctor migration so macOS Keychain-only legacy profiles migrate once from a terminal while embedded/headless invocations only warn with a clear doctor command.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence path: a legacy oauthRef profile encrypted with a seed available only through macOS Keychain will not hydrate through the embedded secrets-runtime loader because allowKeychainPrompt is false. I did not run a live macOS Keychain prompt in this read-only review.

Is this the best way to solve the issue?

Unclear until maintainer decision: the issue's Approach B fits the existing doctor ownership better than prompting inside embedded runtime, but the prompt/skip policy needs owner approval before implementation.

Remaining risk / open question:

• Any fix must prove Keychain prompts cannot fire in Telegram, cron, systemd, or embedded sub-agent contexts.
• The only known implementation path was closed unmerged, so maintainers need to decide whether to revive that approach or keep doctor-only behavior.
• This read-only review did not run a live macOS Keychain scenario; source proof is strong, but landing should include real macOS upgrade proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8ae997749d3a.

Label changes

Label changes:

• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.

Label justifications:

• P2: The remaining affected bucket is a real auth migration gap for legacy macOS Codex users, but it is narrow and has the documented doctor workaround.
• impact:auth-provider: The issue is specifically about OAuth SecretRef/Keychain resolution for the openai-codex auth provider during upgrade.

Evidence reviewed

What I checked:

• Protected maintainer item: The provided GitHub context shows authorAssociation MEMBER and labels including maintainer, clawsweeper:no-new-fix-pr, and clawsweeper:needs-product-decision, which means this item should stay open for explicit maintainer handling.
• Embedded Keychain prompt remains blocked: Current main returns undefined from the legacy macOS Keychain reader when allowKeychainPrompt is false, so Keychain-only seeds are not read on that path. (src/agents/auth-profiles/legacy-oauth-sidecar.ts:233, 8ae997749d3a)
• Secrets runtime passes allowKeychainPrompt false: The embedded secrets-runtime auth loader still calls the runtime store with allowKeychainPrompt: false; it hydrates file/env sidecars but not Keychain-only seeds. (src/agents/auth-profiles/store.ts:589, 8ae997749d3a)
• No landed CLI auto-migration hook: Current main has no src/cli/auto-migrate-legacy-oauth-sidecar.ts file and run-main has no references to the legacy OAuth auto-migration symbols. (src/cli/run-main.ts:452, 8ae997749d3a)
• Latest release documents doctor-required behavior: The v2026.5.22 docs say Keychain-only legacy Codex OAuth profiles are not picked up by the embedded runtime path and require one run of openclaw doctor --fix; diffing v2026.5.22 to HEAD showed no relevant file changes on this surface. Public docs: docs/gateway/doctor.md. (docs/gateway/doctor.md:416, a374c3a5bfd5)
• Related fix attempt is unmerged: Commit efc851e adds the interactive CLI migration path, but it is not an ancestor of HEAD and the GitHub context shows fix(auth): auto-migrate keychain-only legacy Codex OAuth profiles on first interactive CLI run #85163 closed unmerged. (src/cli/auto-migrate-legacy-oauth-sidecar.ts, efc851e7d53b)

Likely related people:

• RomneyDa: Auth-sidecar PR fix(auth): load legacy Codex OAuth sidecars in embedded secrets-runtime loaders #85074 and the unmerged follow-up commit for the interactive Keychain migration both trace to this maintainer-owned workflow. (role: recent area contributor and proposed follow-up owner; confidence: high; commits: 4399eee6e0e4, efc851e7d53b; files: src/agents/auth-profiles/store.ts, docs/gateway/doctor.md, src/cli/run-main.ts)
• joshavant: Merged PR Keep legacy Codex OAuth sidecar profiles usable #83312 introduced the legacy oauthRef sidecar runtime compatibility that this follow-up builds on. (role: introduced legacy sidecar compatibility; confidence: medium; commits: 06f4c97130c6; files: src/agents/auth-profiles/legacy-oauth-sidecar.ts, src/agents/auth-profiles/persisted.ts, src/agents/auth-profiles/store.ts)
• Vincent Koc: Current blame and recent history on the central auth-sidecar files point to later maintenance of the same code paths, though not the original Keychain migration design. (role: recent area contributor; confidence: low; commits: ce48e4c197e5; files: src/agents/auth-profiles/legacy-oauth-sidecar.ts, src/agents/auth-profiles/store.ts, src/commands/doctor-auth-oauth-sidecar.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.