[codex] Make external CLI credential discovery explicit

[steipete]

Summary

Refactors external CLI credential discovery into an explicit auth-store intent instead of loose allowKeychainPrompt and provider/profile options.

Why

The previous auth-store API made it easy for generic auth-store reads to accidentally trigger external CLI credential discovery. That was the root cause behind Claude CLI credential reads showing up while running non-Claude models: callers were loading broad runtime auth overlays instead of saying which external CLI provider was actually in scope.

What changed

• Added ExternalCliAuthDiscovery modes: none, existing, and scoped.
• Added helper builders for provider auth, config-status reads, and fallback provider sets.
• Wired model auth, model fallback, Codex native search, auth labels, CLI runner prep, PI runner setup, model probes, auth-order, and gateway auth status to pass explicit discovery intent.
• Updated models.authStatus tests to assert the new intent object.
• Documented the discovery modes in the auth credential semantics doc.

Validation

• pnpm test src/agents/auth-profiles.external-cli-sync.test.ts src/agents/auth-profiles.external-cli-scope.test.ts src/agents/model-auth.profiles.test.ts src/gateway/server-methods/models-auth-status.test.ts
• pnpm exec oxfmt --check --threads=1 <touched files>
• git diff --check
• Testbox OPENCLAW_TESTBOX=1 pnpm check:changed passed for core, coreTests, and docs.

[steipete]

@clawsweeper automerge

[clawsweeper]

Codex review: passed for ClawSweeper automerge.

What this changes:

The PR adds an ExternalCliAuthDiscovery intent API, routes model/gateway/auth-store consumers through explicit none, existing, or scoped discovery modes, updates tests, and documents the credential-discovery modes.

Automerge follow-up:

No automated repair lane is appropriate: this PR already contains the intended implementation, touches sensitive credential routing, has a protected maintainer label, and needs maintainer/security review plus final green checks rather than a new fix PR.

Security review:

Security review cleared: The diff narrows credential discovery intent and touches TypeScript auth routing, tests, and docs without adding dependencies, CI execution paths, package hooks, downloads, or secret-output expansion.

Review details

Best possible solution:

Have an auth/security maintainer review and land this PR once the latest checks are green if the explicit discovery-intent API is the desired direction, while keeping #70055 as the canonical follow-up for a user-facing global opt-out.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a refactor PR rather than a standalone bug report. The behavior is statically checkable by comparing current main's loose auth-store options with the PR's explicit discovery-intent helpers and updated gateway/model assertions.

Is this the best way to solve the issue?

Yes for the scoped credential-discovery problem: the none/existing/scoped discriminated intent is a narrow maintainable replacement for loose option combinations. It is not the complete solution for a global external CLI sync opt-out, which remains separate in #70055.

What I checked:

• Protected label: The GitHub API for this PR shows the protected maintainer label, so this PR must stay open for explicit maintainer handling. (6f9cb6c62563)
• Current main loose options: Current main exposes allowKeychainPrompt, externalCliProviderIds, and externalCliProfileIds directly on auth-store load options, which is the loose contract this PR refactors. (src/agents/auth-profiles/store.ts:38, bb3a0c954505)
• Current main scoped reader behavior: Current main already skips external CLI readers when provider/profile scope is out of scope and only refreshes existing stored external CLI profiles when no explicit scope is supplied. (src/agents/auth-profiles/external-cli-sync.ts:202, bb3a0c954505)
• PR intent API: The PR adds the ExternalCliAuthDiscovery discriminated union with none, existing, and scoped modes plus helper builders for provider auth, config status, and provider sets. (src/agents/auth-profiles/external-cli-discovery.ts:7, 6f9cb6c62563)
• PR store integration: The PR centralizes conversion from explicit discovery intent back into existing overlay options with resolveExternalCliOverlayOptions, preserving compatibility for unmigrated callers. (src/agents/auth-profiles/store.ts:192, 6f9cb6c62563)
• Gateway status coverage: The PR updates models.authStatus tests to assert scoped discovery when config has provider/profile signals and none when config has no provider signal. (src/gateway/server-methods/models-auth-status.test.ts:225, 6f9cb6c62563)

Likely related people:

• steipete: The related current-main auth scoping behavior appears to date to fix(auth): scope external CLI credential discovery, and this PR continues work on the same auth-routing surface. (role: recent maintainer and likely follow-up owner; confidence: high; commits: 581fbea1d653; files: src/agents/auth-profiles/external-cli-sync.ts, src/agents/auth-profiles/external-cli-scope.ts, src/agents/model-auth.ts)
• @openclaw/openclaw-secops: CODEOWNERS assigns auth-related files under src/agents/** and src/gateway/** to the secops team, matching the credential-routing files touched here. (role: CODEOWNERS reviewer; confidence: medium; files: .github/CODEOWNERS, src/agents/auth-profiles/store.ts, src/gateway/server-methods/models-auth-status.ts)
• Alex Knight: Current-line blame in the shallow checkout points to this author on the generic auth-store option plumbing and gateway status call-site lines that the PR refactors, though the feature history is stronger for the auth scoping commit above. (role: recent adjacent maintainer; confidence: low; commits: 4aa08e9d; files: src/agents/auth-profiles/store.ts, src/gateway/server-methods/models-auth-status.ts, docs/auth-credential-semantics.md)

Remaining risk / open question:

• The protected maintainer label requires explicit maintainer handling before merge.
• Latest-head check-runs were not fully complete at inspection time, so final merge should wait for the required checks to finish green.
• This PR narrows caller intent for credential discovery but does not replace the open global external CLI sync opt-out request tracked by [Feature]: Allow disabling external-cli-sync for auth-profiles via config #70055.

Codex review notes: model gpt-5.5, reasoning high; reviewed against bb3a0c954505.

[clawsweeper]

🦞🦞
ClawSweeper automerge is enabled for this PR.

I added clawsweeper:automerge and asked ClawSweeper to review this head. If ClawSweeper emits a repair marker or requests changes, I will repair/rebase the branch and ask for another review, up to the configured round limit.

Draft PRs stay fix-only until GitHub marks them ready for review. A maintainer can pause this with /clawsweeper stop.

[clawsweeper]

🦞🦞
Thanks, ClawSweeper. ClawSweeper saw the passing review, but current checks are failing.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=ec48bda063a3cb55ef0309868bd9909f213bcdce); current checks are failing: Run the OpenAI / Opus 4.6 parity gate against the qa-lab mock:FAILURE
Action: dispatched repair-cluster-worker.yml for jobs/openclaw/inbox/automerge-openclaw-openclaw-75209.md in autonomous mode.
Model: gpt-5.5

I will update this PR branch, or open a safe credited replacement, if the repair worker finds a narrow CI fix.

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the contribution here. ClawSweeper gave the branch a tidy little reef repair and kept this PR as the main lane.

Source PR: #75209
Validation: pnpm check:changed
Credit stays anchored to this PR. ClawSweeper is just moving the fix along, not stealing the shiny bits.

fish notes: model gpt-5.5, reasoning medium; reviewed against 6f9cb6c.

[steipete]

@clawsweeper approve

[clawsweeper]

🦞🦞
Thanks, ClawSweeper. ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=6f9cb6c62563db1faeb88aad82db6228687c7685)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-04-30T20:32:56Z

The automerge loop is complete.