
Add OpenAI OAuth TLS preflight and doctor prerequisite check#32051

Merged
grp06 merged 4 commits into openclaw:main from alexfilatov:fix/oauth-tls-preflight
Mar 2, 2026

Conversation

@alexfilatov Contributor

Summary

Add an OpenAI OAuth TLS preflight to detect local certificate-chain problems early and provide actionable remediation, instead of surfacing only TypeError: fetch failed.

Changes

  • Add runOpenAIOAuthTlsPreflight() and remediation formatter in src/commands/oauth-tls-preflight.ts.
  • Run TLS preflight before loginOpenAICodex() in src/commands/openai-codex-oauth.ts.
  • Add doctor check via noteOpenAIOAuthTlsPrerequisites() in src/commands/doctor.ts.
  • Keep doctor fast-path tests deterministic by mocking preflight in src/commands/doctor.fast-path-mocks.ts.

User-visible behavior

  • During OpenAI Codex OAuth, TLS trust failures now produce actionable guidance, including:
    • brew postinstall ca-certificates
    • brew postinstall openssl@3
    • expected cert bundle location when Homebrew prefix is detectable.
  • openclaw doctor now reports an OAuth TLS prerequisites warning when TLS trust is broken for OpenAI auth calls.

Why

On some Homebrew Node/OpenSSL setups, missing or broken cert bundle links cause OAuth failures like:

  • OpenAI OAuth failed
  • TypeError: fetch failed
  • UNABLE_TO_GET_ISSUER_CERT_LOCALLY

This change turns that failure mode into an explicit prerequisite check with concrete fixes.

Tests

Ran:

corepack pnpm vitest run \
  src/commands/openai-codex-oauth.test.ts \
  src/commands/oauth-tls-preflight.test.ts \
  src/commands/oauth-tls-preflight.doctor.test.ts

All passed.

@openclaw-barnacle openclaw-barnacle bot added commands Command implementations size: M labels Mar 2, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0c71cd7db8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

/unable to verify the first certificate/i,
/self[- ]signed certificate/i,
/certificate has expired/i,
/tls/i,


P2 Badge Remove generic TLS regex from cert-failure detection

The TLS_CERT_ERROR_PATTERNS entry /tls/i will classify many non-certificate failures as tls-cert (for example, Node fetch errors like ECONNRESET that say "secure TLS connection was established"). That classification is consumed by loginOpenAICodexOAuth, which hard-fails early for tls-cert and shows Homebrew certificate remediation, so transient/proxy transport failures get misreported as cert-chain issues and abort OAuth before a real login attempt. Please keep cert detection limited to certificate-specific codes/messages so generic TLS transport errors stay in the network path.

@alexfilatov Contributor Author

Removed the generic /tls/i pattern from TLS_CERT_ERROR_PATTERNS, so only certificate-specific codes/messages map to tls-cert. Added a regression test asserting "secure TLS connection was established" transport failures stay classified as network.

@greptile-apps Contributor
greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR adds a TLS preflight check for OpenAI OAuth flows to detect certificate chain issues early. The implementation is well-structured with comprehensive test coverage:

  • New oauth-tls-preflight.ts module provides runOpenAIOAuthTlsPreflight() for connectivity checks and formatOpenAIOAuthTlsPreflightFix() for remediation guidance
  • Integrates into openai-codex-oauth.ts to fail fast with actionable errors before starting the OAuth flow
  • Adds noteOpenAIOAuthTlsPrerequisites() to the openclaw doctor command for proactive health checks
  • Includes proper test mocking in doctor.fast-path-mocks.ts to keep fast-path tests deterministic

The error handling correctly distinguishes TLS certificate errors from general network issues, and the remediation messages provide specific Homebrew commands (brew postinstall ca-certificates, brew postinstall openssl@3) with cert bundle path validation.

No issues found - the implementation follows existing patterns, has robust error handling, and provides a clear user experience improvement.

Confidence Score: 5/5

  • This PR is safe to merge with no identified risks.
  • Score reflects clean implementation, comprehensive test coverage, proper error handling, and clear user benefit. The code follows existing patterns, uses dependency injection for testability, and integrates cleanly into the OAuth and doctor flows. No logical errors, security issues, or edge cases were identified during review.
  • No files require special attention

Last reviewed commit: 0c71cd7

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 943aba1bbe


await noteMacLaunchctlGatewayEnvOverrides(cfg);

await noteSecurityWarnings(cfg);
await noteOpenAIOAuthTlsPrerequisites();


P2 Badge Gate OAuth TLS preflight in doctor to avoid global 4s probe

This new call runs on every doctor execution, even when the user is not using OpenAI OAuth, and it triggers an outbound probe to auth.openai.com; combined with runOpenAIOAuthTlsPreflight({ timeoutMs: 4000 }), blocked/offline environments can now pay an extra ~4s on every run with no actionable output (network errors are intentionally suppressed). Please make this check conditional (for example, only when OpenAI OAuth is configured or in an explicit deep/probe mode) so doctor doesn't add a universal external dependency and latency penalty.

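An added example (not openclaw's code) covering both Codex points above: a classifier that maps only certificate-specific codes and messages to tls-cert, so an ECONNRESET whose text mentions "secure TLS connection" stays in the network path, and a doctor-side gate that skips the probe unless OpenAI OAuth is configured or a deep check was requested. The pattern list, function names and the injected `probe` are assumptions, not the PR's own code.

```typescript
// Added example (not openclaw's code). No bare /tls/i in this list: it would also
// match "socket disconnected before secure TLS connection was established" (ECONNRESET).
const TLS_CERT_ERROR_PATTERNS: RegExp[] = [
  /UNABLE_TO_GET_ISSUER_CERT_LOCALLY/,
  /SELF_SIGNED_CERT_IN_CHAIN/,
  /CERT_HAS_EXPIRED/,
  /unable to get local issuer certificate/i,
  /unable to verify the first certificate/i,
  /self[- ]signed certificate/i,
  /certificate has expired/i,
];
type OAuthTlsFailureKind = "tls-cert" | "network";
type DoctorTlsResult = "skipped" | "ok" | OAuthTlsFailureKind;

// Node's fetch wraps the socket error as `cause` of "TypeError: fetch failed",
// so walk the cause chain and collect every code and message on the way.
function errorTexts(err: unknown): string[] {
  const out: string[] = [];
  let cur: unknown = err;
  for (let depth = 0; cur && depth < 8; depth++) {
    const e = cur as { code?: unknown; message?: unknown; cause?: unknown };
    if (typeof e.code === "string") out.push(e.code);
    if (typeof e.message === "string") out.push(e.message);
    cur = e.cause;
  }
  return out;
}

// Only certificate-specific text maps to "tls-cert"; everything else stays "network".
function classifyOAuthTlsFailure(err: unknown): OAuthTlsFailureKind {
  const texts = errorTexts(err);
  const hit = texts.some((t) => TLS_CERT_ERROR_PATTERNS.some((p) => p.test(t)));
  return hit ? "tls-cert" : "network";
}

// Doctor-side gate: probe only when OpenAI OAuth is configured or a deep check was
// requested, so offline runs never pay the probe timeout. `probe` is an injected
// hypothetical; the real one would connect to auth.openai.com with a timeout.
async function doctorOAuthTlsCheck(opts: {
  openaiOAuthConfigured: boolean;
  deep: boolean;
  probe: () => Promise<void>;
}): Promise<DoctorTlsResult> {
  if (!opts.openaiOAuthConfigured && !opts.deep) return "skipped";
  try {
    await opts.probe();
    return "ok";
  } catch (err) {
    return classifyOAuthTlsFailure(err);
  }
}
```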

@grp06 grp06 force-pushed the fix/oauth-tls-preflight branch from 943aba1 to 27e55c7 on March 2, 2026 at 21:24
@grp06 grp06 merged commit a4927ed into openclaw:main Mar 2, 2026
9 checks passed
@grp06 Member

grp06 commented Mar 2, 2026

Landed via temp rebase onto main.

  • Gate: pnpm check
  • Land commit: a4927ed
  • Merge commit: a4927ed
  • Cleanup: removed PR_DRAFT_OAUTH_TLS_PREFLIGHT.md from the PR branch before merge.

Thanks @alexfilatov!

mrosmarin added a commit to mrosmarin/openclaw that referenced this pull request Mar 2, 2026
dawi369 pushed a commit to dawi369/davis that referenced this pull request Mar 3, 2026
OWALabuy pushed a commit to kcinzgg/openclaw that referenced this pull request Mar 4, 2026
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026