Route OpenAI agents through Codex by default

[pashpashpash]

Summary

OpenAI-Codex used to be both a public model prefix and the way the old PI path knew to use Codex/ChatGPT auth instead of a plain OpenAI API key. That naming collapsed two different concepts into one label, then became especially confusing once OpenClaw gained the native Codex app-server runtime.

This PR keeps openai/* as the only public OpenAI model route and makes OpenAI agent turns use the Codex runtime by default when runtime config is omitted or set to auto. Legacy openai-codex/* model refs are repaired back to openai/*, while openai-codex remains the auth/profile provider for ChatGPT/Codex OAuth and subscription credentials.

Explicit PI is still available as an opt-in compatibility route. If a user sets agentRuntime.id: "pi" and selects an openai-codex auth profile, OpenClaw keeps the public model ref as openai/* but routes the PI transport internally through the legacy Codex-auth provider so subscription auth keeps working. Normal openai API-key profiles still work for explicit PI as before.

The Codex plugin is also installed or repaired when users select an OpenAI route that needs the native Codex runtime, so the default path does not depend on a separately installed plugin state.

Real behavior proof

Behavior or issue addressed: A config with canonical openai/gpt-5.5 and only an openai-codex OAuth profile should be treated as authenticated for OpenAI agent routing. models status should not report OpenAI as missing, and models list should show the configured canonical OpenAI row as available through Codex auth.

Real environment tested: Local OpenClaw CLI from this branch on macOS, using a throwaway OPENCLAW_CONFIG_PATH and OPENCLAW_STATE_DIR. The auth profile contained redacted synthetic OAuth token values so no real token was printed or used.

Exact steps or command run after this patch: Created a temporary OpenClaw config with agents.defaults.model.primary = "openai/gpt-5.5" and a temporary main-agent auth-profiles.json containing only openai-codex:default. Ran openclaw models status --json and openclaw models list --provider openai --json with OPENAI_API_KEY and OPENAI_OAUTH_TOKEN unset.

Evidence after fix:

$ env -u OPENAI_API_KEY -u OPENAI_OAUTH_TOKEN OPENCLAW_CONFIG_PATH=/tmp/openclaw-codex-proof/openclaw.json OPENCLAW_STATE_DIR=/tmp/openclaw-codex-proof/state pnpm openclaw models status --json
{
  "defaultModel": "openai/gpt-5.5",
  "providersWithOAuth": ["openai-codex (1)"],
  "missingProvidersInUse": []
}

$ env -u OPENAI_API_KEY -u OPENAI_OAUTH_TOKEN OPENCLAW_CONFIG_PATH=/tmp/openclaw-codex-proof/openclaw.json OPENCLAW_STATE_DIR=/tmp/openclaw-codex-proof/state pnpm openclaw models list --provider openai --json
{
  "key": "openai/gpt-5.5",
  "available": true,
  "tags": ["default", "configured"],
  "count": 41
}

Observed result after fix: The CLI resolved canonical openai/gpt-5.5 with only openai-codex OAuth present. models status reported no missing provider in use, and models list marked the configured openai/gpt-5.5 row available.

What was not tested: A live paid model inference call with a real ChatGPT/Codex account was not run in this proof; the runtime and auth bridge behavior is covered by the targeted tests and PR CI.

[clawsweeper]

Codex review: needs changes before merge.

Summary
The PR makes canonical openai/* agent models select the native Codex runtime by default, bridges openai-codex auth/profile handling into that path, repairs Codex plugin installation, and updates related docs and tests.

Reproducibility: yes. for the review finding: source inspection shows models status builds providersInUse from both text and image model refs, then the new provider-level fallback accepts openai-codex auth for any openai use. I did not run tests because this review was required to keep the checkout read-only.

Real behavior proof
Sufficient (terminal): The PR body includes terminal output from a local CLI setup after the patch showing the changed models status and models list behavior with redacted synthetic Codex OAuth credentials.

Next step before merge
A focused repair can adjust the models status availability fallback and tests on the PR branch; the broader default-runtime policy still needs normal maintainer review before merge.

Security
Cleared: No concrete security or supply-chain regression was found; the new Codex install path uses the existing official @openclaw/codex plugin installer, and exact-head Security High plugin/action boundary checks completed successfully.

Review findings

• [P2] Keep Codex auth fallback scoped to agent models — src/commands/models/list.status-command.ts:355-358

Review details

Best possible solution:

Land only after Codex-auth availability is scoped to agent text routes while images, embeddings, speech, realtime, and other non-agent OpenAI surfaces continue to require direct OpenAI API-key auth, with regression coverage for both paths.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding: source inspection shows models status builds providersInUse from both text and image model refs, then the new provider-level fallback accepts openai-codex auth for any openai use. I did not run tests because this review was required to keep the checkout read-only.

Is this the best way to solve the issue?

No: the proposed route normalization is not yet the narrowest maintainable implementation because the status command applies an agent-runtime auth fallback at provider scope. The safer fix is to make models status surface-aware so only OpenAI agent text routes can use Codex auth as OpenAI availability.

Full review comments:

• [P2] Keep Codex auth fallback scoped to agent models — src/commands/models/list.status-command.ts:355-358
  This fallback treats an openai-codex profile as satisfying openai anywhere providersInUse contains openai. That set is built from both the text agent model and agents.defaults.imageModel/image fallbacks, while the PR docs still say non-agent OpenAI APIs such as images require direct API-key auth. With only Codex OAuth and agents.defaults.imageModel: "openai/gpt-image-2", models status --check can report no missing OpenAI provider even though image generation has no usable OpenAI API credentials. Please make the Codex-auth fallback apply only when the OpenAI provider is in use by the agent text route.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.84

Acceptance criteria:

• pnpm test src/commands/models/list.status.test.ts src/commands/models/list.auth-index.test.ts src/commands/models/list.rows.test.ts
• pnpm exec oxfmt --check --threads=1 src/commands/models/list.status-command.ts src/commands/models/list.status.test.ts src/commands/models/list.auth-index.ts src/commands/models/list.auth-index.test.ts src/commands/models/list.rows.ts src/commands/models/list.rows.test.ts

What I checked:

• Protected PR scope: The live PR is open, non-draft, labeled maintainer, and changes 60 files across agent runtime selection, OpenAI/Codex provider auth, model commands, doctor repair, docs, and tests. (f17e1211c1fb)
• Provider-level fallback introduced: The new hasUsableAuthForProviderInUse helper treats openai-codex auth as usable for the openai provider whenever the provider default routes through Codex. (src/commands/models/list.status-command.ts:351, f17e1211c1fb)
• Status command mixes agent and image providers: providersInUse is populated from the default text model, text fallbacks, agents.defaults.imageModel, and image fallbacks before missing auth is computed. (src/commands/models/list.status-command.ts:225, f17e1211c1fb)
• Docs preserve non-agent API-key boundary: The PR docs state that embedded OpenAI agent turns use Codex by default, while non-agent OpenAI APIs such as images, embeddings, speech, and realtime still use direct OpenAI API-key auth. Public docs: docs/providers/openai.md. (docs/providers/openai.md:14, f17e1211c1fb)
• Real behavior proof supplied: The PR body includes terminal output from a local branch run showing models status --json and models list --provider openai --json with only an openai-codex auth profile and no missing provider for the canonical OpenAI agent route. (f17e1211c1fb)
• Relevant current-main history: Recent current-main history for the OpenAI/Codex routing files includes the original Codex plugin selection attempt and its revert, plus nearby model-status auth work. (e1fec3c892a0)

Likely related people:

• pashpashpash: Authored the recently merged Install Codex plugin on OpenAI model selection change and its revert across the same Codex routing, provider, and doctor files before this PR. (role: recent maintainer of OpenAI/Codex runtime routing; confidence: high; commits: c8f3fecad6fe, 3a901b5e9539; files: src/agents/harness/selection.ts, src/commands/doctor/shared/codex-route-warnings.ts, extensions/openai/openai-codex-provider.ts)
• Peter Steinberger: Recently changed src/commands/models/list.status-command.ts around auth-profile metadata and provider status handling on current main. (role: recent maintainer of model auth status behavior; confidence: medium; commits: 8e179101914e, 2e78fc57af09; files: src/commands/models/list.status-command.ts)
• Kevin Lin: Recent current-main work touched the agent/model diagnostic surface that this PR extends, including model rejection diagnostics. (role: adjacent agent/model diagnostic owner; confidence: medium; commits: 5b9672b4bbfb; files: src/agents/harness/selection.ts, src/commands/models/list.status-command.ts)

Remaining risk / open question:

• Exact-head CI currently has failing core/additional check-runs, so normal CI log triage is still required before merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e1fec3c892a0.