fix(auth): support remote Codex OAuth manual input

[cash-echo-bot]

Summary

Fix remote/VPS OpenAI Codex OAuth after the @mariozechner/pi-ai@0.60.0 auth flow changes.

This wires OpenClaw's remote Codex OAuth wrapper into Pi's newer manual-input path by passing onManualCodeInput when isRemote is true.

Closes #51630.

What changed

• pass onManualCodeInput through src/plugins/provider-openai-codex-oauth.ts for remote flows
• add/update tests to cover the remote manual input hook
• keep local authorize URL handling coverage intact

Why

Pi 0.60.0 changed Codex OAuth behavior around callback/manual input handling. OpenClaw had updated the dependency, but the wrapper code was still using the older integration pattern.

That meant remote OAuth could stall/fail instead of cleanly accepting the pasted authorization code or redirect URL.

Testing

• pnpm -C /home/cash/src/clawdis test src/commands/openai-codex-oauth.test.ts

[greptile-apps]

Greptile Summary

This PR correctly fixes remote/VPS Codex OAuth by wiring the onManualCodeInput callback introduced in @mariozechner/pi-ai@0.60.0, ensuring that Pi's newer manual-input path receives a handler for remote flows instead of stalling.

Key changes:

• src/plugins/provider-openai-codex-oauth.ts: Passes onManualCodeInput (delegating to onPrompt) when isRemote === true, and undefined for local flows — matching Pi's new API contract.
• src/commands/openai-codex-oauth.test.ts: Removes the createVpsAwareOAuthHandlers mock (now using the real implementation), adds prompter.text to the test fixture, and adds a new integration-style test that verifies the full remote onManualCodeInput → onPrompt → prompter.text round-trip.

One minor note: The message: "Paste the authorization code (or full redirect URL):" string passed inside onManualCodeInput is effectively dead code in normal operation — onPrompt short-circuits with the cached manualCodePromise started by onAuth, so the actual prompt users see is "Paste the redirect URL" from createVpsAwareOAuthHandlers. No user-facing impact, but worth aligning for clarity.

Confidence Score: 5/5

• Safe to merge — the fix is correct and well-tested with no regressions introduced.
• The core change is minimal and targeted: a single onManualCodeInput field added for remote flows. The integration tests cover the new path end-to-end using the real createVpsAwareOAuthHandlers, the existing local-flow tests continue to pass, and the only open comment is a P2 style suggestion about a dead message string with no user-visible impact.
• No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/plugins/provider-openai-codex-oauth.ts
Line: 56-59

Comment:
**Dead message string in `onManualCodeInput`**

The `message: "Paste the authorization code (or full redirect URL):"` passed to `onPrompt` here is never shown to users in the normal remote OAuth flow.

In `createVpsAwareOAuthHandlers`, when `isRemote === true`, `onAuth` eagerly fires `prompter.text({ message: "Paste the redirect URL", ... })` and caches the result in `manualCodePromise`. When `onManualCodeInput` later calls `onPrompt(...)`, `onPrompt` short-circuits — it returns `manualCodePromise` immediately without consuming the `message` parameter (see `provider-oauth-flow.ts:42-43`).

This string would only surface if Pi called `onManualCodeInput` before `onAuth` (which the tests don't cover and the normal flow doesn't do). Consider passing the desired prompt text through `createVpsAwareOAuthHandlers` via its existing `manualPromptMessage` option instead, so there's a single source of truth for what users see.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: "fix(auth): support r..."}

[greptile-apps]

Dead message string in onManualCodeInput

The message: "Paste the authorization code (or full redirect URL):" passed to onPrompt here is never shown to users in the normal remote OAuth flow.

In createVpsAwareOAuthHandlers, when isRemote === true, onAuth eagerly fires prompter.text({ message: "Paste the redirect URL", ... }) and caches the result in manualCodePromise. When onManualCodeInput later calls onPrompt(...), onPrompt short-circuits — it returns manualCodePromise immediately without consuming the message parameter (see provider-oauth-flow.ts:42-43).

This string would only surface if Pi called onManualCodeInput before onAuth (which the tests don't cover and the normal flow doesn't do). Consider passing the desired prompt text through createVpsAwareOAuthHandlers via its existing manualPromptMessage option instead, so there's a single source of truth for what users see.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/plugins/provider-openai-codex-oauth.ts
Line: 56-59

Comment:
**Dead message string in `onManualCodeInput`**

The `message: "Paste the authorization code (or full redirect URL):"` passed to `onPrompt` here is never shown to users in the normal remote OAuth flow.

In `createVpsAwareOAuthHandlers`, when `isRemote === true`, `onAuth` eagerly fires `prompter.text({ message: "Paste the redirect URL", ... })` and caches the result in `manualCodePromise`. When `onManualCodeInput` later calls `onPrompt(...)`, `onPrompt` short-circuits — it returns `manualCodePromise` immediately without consuming the `message` parameter (see `provider-oauth-flow.ts:42-43`).

This string would only surface if Pi called `onManualCodeInput` before `onAuth` (which the tests don't cover and the normal flow doesn't do). Consider passing the desired prompt text through `createVpsAwareOAuthHandlers` via its existing `manualPromptMessage` option instead, so there's a single source of truth for what users see.

How can I resolve this? If you propose a fix, please make it concise.

[obviyus]

Landed on main.

• Landed source commit: 9d04a0a
• Merge commit: 11aff6e

Thanks @cash-echo-bot.