
[codex] Fix Codex app-server OAuth harness auth #79877

Merged
steipete merged 1 commit into openclaw:main from jeffjhunter:codex/codex-app-server-oauth-harness on May 11, 2026

Conversation

jeffjhunter (Contributor) commented May 9, 2026

Summary

Fixes the Codex app-server OAuth path used by plugin-owned harnesses. The app-server auth bridge now resolves the scoped Codex CLI OAuth provider IDs that the harness creates, and the embedded runner forwards harness auth profile context where plugin-owned transports need it.

The live harness command probe is now opt-in so the OAuth acceptance path can validate auth routing without requiring command-routing behavior in the same run.

Root cause

Plugin-owned Codex harnesses created scoped OAuth profile state, but the Codex app-server auth bridge only looked through the default app-server provider path. That meant the live OAuth harness could have a valid CLI OAuth profile while the app-server side still failed to resolve it.

Real behavior proof

  • Behavior or issue addressed: Plugin-owned Codex app-server harnesses can resolve and use the scoped Codex OAuth profile created for the live harness instead of failing app-server OAuth profile lookup.
  • Real environment tested: Local OpenClaw checkout on Linux with real Codex OAuth files, plus the Docker live harness lane using staged ~/.codex/auth.json and ~/.codex/config.toml; model codex/gpt-5.5; command probe disabled to isolate app-server OAuth turn execution.
  • Exact steps or command run after this patch: Ran the local live Codex OAuth harness and the Docker live Codex OAuth harness with OPENCLAW_LIVE_CODEX_HARNESS_COMMAND_PROBE=0 and OPENCLAW_LIVE_CODEX_HARNESS_AUTH=codex-auth.
  • Evidence after fix: Copied live output from the after-fix local and Docker runs:
Local OAuth harness run
[gateway-codex-live] assistant: CODEX-HARNESS-B00A4A
[gateway-codex-live] first-turn {"firstText":"CODEX-HARNESS-B00A4A"}
[gateway-codex-live] assistant: CODEX-HARNESS-RESUME-134067
[gateway-codex-live] second-turn {"secondText":"CODEX-HARNESS-RESUME-134067"}
SKIP: Codex command probe is disabled; app-server OAuth turn assertions completed.

Test Files  1 passed (1)
Tests       1 passed | 1 skipped (2)
Duration    124.82s

Docker OAuth harness run
==> Auth mode: codex-auth
==> Model: codex/gpt-5.5
Prepared staged Codex auth metadata for CI.
[gateway-codex-live] assistant: CODEX-HARNESS-2932B9
[gateway-codex-live] first-turn {"firstText":"CODEX-HARNESS-2932B9"}
[gateway-codex-live] assistant: CODEX-HARNESS-RESUME-B69514
[gateway-codex-live] second-turn {"secondText":"CODEX-HARNESS-RESUME-B69514"}
SKIP: Codex command probe is disabled; app-server OAuth turn assertions completed.

Test Files  1 passed (1)
Tests       1 passed | 1 skipped (2)
Duration    39.32s

Full local evidence paths:

  • /home/beau/openclaw-codex-acceptance-20260509-071249/logs/live-codex-harness-local-oauth-command-probe-disabled.log

  • /home/beau/openclaw-codex-acceptance-20260509-071249/logs/live-codex-harness-docker-oauth-command-probe-disabled.log

  • Observed result after fix: Both real app-server OAuth harness runs completed two Codex-backed turns, emitted the expected CODEX-HARNESS-* and CODEX-HARNESS-RESUME-* assistant tokens, and passed the OAuth turn assertions with 1 passed | 1 skipped.

  • What was not tested: The Codex command probe path was intentionally disabled in these proof runs; this PR isolates OAuth profile routing and app-server turn execution.

Validation

  • git diff --check upstream/main..HEAD
  • Previously passed before rebasing onto current upstream: pnpm vitest run src/gateway/gateway-codex-harness.live-helpers.test.ts
  • Previously passed live acceptance logs: local OAuth and Docker OAuth runs under /home/beau/openclaw-codex-acceptance-20260509-071249/logs/

Note: after rebasing onto current upstream/main, the focused vitest command stayed in rolldown build timing output for several minutes and was terminated without reaching test execution. No test failure was observed.

@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime agents Agent runtime and tooling extensions: codex size: M triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 9, 2026
clawsweeper (Bot) commented May 9, 2026

Codex review: needs changes before merge.

Summary
The PR updates Codex app-server OAuth resolution for plugin-owned harnesses, adds native Codex CLI OAuth regression coverage, accepts newer Codex status output in harness helpers, exports an OAuth refresh helper, and adds a changelog entry.

Reproducibility: yes. The current-main source path lacks the external Codex CLI OAuth overlay, and the PR discussion includes before/after live proof showing the pre-fix 401 and post-fix Codex harness turns.

Real behavior proof
Sufficient (live_output): The PR body and comments provide after-fix local, Docker, and Crabbox live output, plus recording links, showing the OAuth harness completing real Codex-backed turns after the fix.

Next step before merge
A narrow mechanical repair can unblock the PR by aligning the SDK runtime barrel with the new Codex auth-bridge import.

Security
Cleared: The diff is auth-sensitive, but I found no concrete security or supply-chain regression beyond the functional SDK export blocker.

Review findings

  • [P1] Export the auth-store helper before importing it — extensions/codex/src/app-server/auth-bridge.ts:6
Review details

Best possible solution:

Keep the Codex OAuth routing approach, but repair the SDK runtime export mismatch before merge and then rerun the focused Codex auth tests plus the extension lint/build surface.

Do we have a high-confidence way to reproduce the issue?

Yes. The current-main source path lacks the external Codex CLI OAuth overlay, and the PR discussion includes before/after live proof showing the pre-fix 401 and post-fix Codex harness turns.

Is this the best way to solve the issue?

No, not yet. The functional direction is narrow and appropriate, but the current patch must either export ensureAuthProfileStoreWithoutExternalProfiles from src/plugin-sdk/agent-runtime.ts or switch the auth bridge to an already-exported helper before it is mergeable.

Full review comments:

  • [P1] Export the auth-store helper before importing it — extensions/codex/src/app-server/auth-bridge.ts:6
    auth-bridge.ts now imports ensureAuthProfileStoreWithoutExternalProfiles from openclaw/plugin-sdk/agent-runtime, but this PR only adds refreshOAuthCredentialForRuntime to that SDK barrel. Since ./plugin-sdk/agent-runtime is an ESM export subpath, loading the Codex app-server auth bridge can throw for the missing named export before the OAuth fix runs. Add the missing SDK export or use an already-exported helper.
    Confidence: 0.96

Overall correctness: patch is incorrect
Overall confidence: 0.92

Acceptance criteria:

  • pnpm test extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/session-binding.test.ts
  • pnpm test src/gateway/gateway-codex-harness.live-helpers.test.ts
  • pnpm run lint:extensions:bundled
  • pnpm build

What I checked:

  • PR diff runtime blocker: The head patch adds a named import of ensureAuthProfileStoreWithoutExternalProfiles from openclaw/plugin-sdk/agent-runtime in extensions/codex/src/app-server/auth-bridge.ts, while the same patch only adds refreshOAuthCredentialForRuntime to the SDK barrel; the imported helper is still absent from that subpath. (extensions/codex/src/app-server/auth-bridge.ts:6, 65c7c97237ca)
  • Current SDK export contract: Current src/plugin-sdk/agent-runtime.ts exports ensureAuthProfileStore and loadAuthProfileStoreWithoutExternalProfiles, but not ensureAuthProfileStoreWithoutExternalProfiles; package.json maps ./plugin-sdk/agent-runtime to this SDK subpath. (src/plugin-sdk/agent-runtime.ts:46, cd5018b40e47)
  • Core helper exists: The core auth-profile barrel already exports ensureAuthProfileStoreWithoutExternalProfiles from ./auth-profiles/store.js, so the blocker is a small SDK barrel/export alignment rather than a missing helper implementation. (src/agents/auth-profiles.ts:50, cd5018b40e47)
  • Current-main root cause evidence: Current main's Codex auth bridge uses ensureAuthProfileStore(..., { allowKeychainPrompt: false }) without external CLI provider/profile overlays, matching the reported scoped Codex CLI OAuth lookup gap that the PR is trying to fix. (extensions/codex/src/app-server/auth-bridge.ts:53, cd5018b40e47)
  • Real behavior proof supplied: The PR body includes copied after-fix local and Docker live output with two CODEX-HARNESS-* turns and 1 passed | 1 skipped; maintainer comments add Crabbox before/after proof showing a pre-fix 401 and post-fix harness turns, status, and model listing on the PR runtime code. (65c7c97237ca)
  • Existing review discussion: Three bot review comments already identify the unresolved SDK import, and the latest comment is attached to final head 65c7c97237ca13e10faea8169e2743d96e6b1e05. (extensions/codex/src/app-server/auth-bridge.ts:6, 65c7c97237ca)

Likely related people:

  • steipete: Current-main blame for the Codex app-server auth bridge and SDK barrel points to Peter Steinberger's recent snapshot commit, and PR comments show steipete pushed maintainer fixups plus local and Crabbox proof for this PR. (role: recent area contributor and PR fixup/proof author; confidence: high; commits: 248207daceb1, c3fab3b05644, 65c7c97237ca; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/session-binding.ts, src/plugin-sdk/agent-runtime.ts)
  • pashpashpash: Submitted a changes-requested review asking for before/after recordings, which shaped the real behavior proof requirements for this auth fix. (role: reviewer; confidence: medium; commits: f7050a4241fc; files: extensions/codex/src/app-server/auth-bridge.ts)

Remaining risk / open question:

  • This read-only review did not rerun the live OAuth lane; it relies on the supplied recordings/live output and maintainer Crabbox proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against adc3ba45cac0.

@openclaw-barnacle openclaw-barnacle Bot added proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 9, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 9, 2026
@jeffjhunter jeffjhunter marked this pull request as ready for review May 9, 2026 18:02
jeffjhunter force-pushed the codex/codex-app-server-oauth-harness branch from 15a78df to f7050a4 on May 9, 2026 18:26
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 9, 2026

pashpashpash (Contributor) left a comment

Please provide actual screen recordings of the problematic behavior before and the fixed behavior after your patch.

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 9, 2026
jeffjhunter (Contributor, Author) commented

Added screen recordings here:

Before: https://github.com/jeffjhunter/pr-79877-recordings/blob/main/pr-79877-before-prefix-oauth-profile-missing-repro.mp4
After: https://github.com/jeffjhunter/pr-79877-recordings/blob/main/pr-79877-after-head-oauth-fixed-pass-combined.mp4

The before recording is a focused pre-fix repro with scoped Codex CLI OAuth profile loading disabled, showing the plugin-owned app-server harness failing because openai-codex:default is not visible on that auth path. The after recording runs the same focused live OAuth harness on this PR head and exits 0 with 1 passed | 1 skipped.

steipete force-pushed the codex/codex-app-server-oauth-harness branch from f7050a4 to 164d00a on May 11, 2026 12:30
@openclaw-barnacle openclaw-barnacle Bot added size: S and removed agents Agent runtime and tooling size: M proof: sufficient ClawSweeper judged the real behavior proof convincing. labels May 11, 2026
steipete force-pushed the codex/codex-app-server-oauth-harness branch from 164d00a to 4ac0387 on May 11, 2026 12:46

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ac0387250

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

import path from "node:path";
import {
ensureAuthProfileStore,
ensureAuthProfileStoreWithoutExternalProfiles,


P1: Stop importing a non-exported SDK runtime symbol

openclaw/plugin-sdk/agent-runtime does not export ensureAuthProfileStoreWithoutExternalProfiles (its export list in src/plugin-sdk/agent-runtime.ts only includes ensureAuthProfileStore and loadAuthProfileStoreWithoutExternalProfiles), so this new named import is unresolved for plugin consumers and can break module load/runtime auth bridging as soon as auth-bridge.ts is imported. Please switch to an exported symbol from the SDK barrel (or add the export there) so the Codex app-server auth path can initialize reliably.


steipete force-pushed the codex/codex-app-server-oauth-harness branch from 4ac0387 to c3fab3b on May 11, 2026 13:24
@steipete steipete requested a review from a team as a code owner May 11, 2026 13:24
@openclaw-barnacle openclaw-barnacle Bot added the agents Agent runtime and tooling label May 11, 2026

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c3fab3b056


import path from "node:path";
import {
ensureAuthProfileStore,
ensureAuthProfileStoreWithoutExternalProfiles,


P1: Import only symbols that agent-runtime exports

This adds a named import that is not exported by openclaw/plugin-sdk/agent-runtime, so ESM module loading will fail as soon as this file is evaluated (SyntaxError for missing export), breaking the Codex app-server auth path at runtime. Fresh evidence in this commit: src/plugin-sdk/agent-runtime.ts’s export list (lines 46-72) still does not include ensureAuthProfileStoreWithoutExternalProfiles, while this file now imports it.


steipete force-pushed the codex/codex-app-server-oauth-harness branch from c3fab3b to 8f74532 on May 11, 2026 14:10
steipete (Contributor) commented

Pushed maintainer fixups + changelog on top of the PR. Final head: 8f745327cc5c6016cb1c87b81e1a10fe2db449e6.

Proof:

  • Local targeted tests: pnpm test extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/session-binding.test.ts (42 tests passed).
  • Local diff sanity on final head: git diff --check origin/main...HEAD.
  • Crabbox before/after live E2E: Hetzner run_77e9968383fe, lease cbx_86883865a82a / swift-lobster; auth came from local Codex CLI auth.json copied into a temp CODEX_HOME, redacted in output.
  • Before (openclaw/openclaw@09fcd1981486a76ee1e0db0e245a7bf1f48899dd): Codex app-server started, then failed with 401 Unauthorized: Missing bearer or basic authentication in header against https://api.openai.com/v1/responses.
  • After PR runtime code (c3fab3b05644e6c4ca3eb7830852bd4783401dcd; final head only adds changelog): first turn returned CODEX-HARNESS-5FED70, resume returned CODEX-HARNESS-RESUME-8A11BC, /codex status showed app-server connected with account/rate limits, and /codex models listed the expected GPT/Codex models.

Thanks @jeffjhunter.

steipete (Contributor) commented

Rebased on current origin/main and repushed final head ff6260cda6eba2fc1860a098c03b1657d1744c64.

Additional proof on rebased head:

  • git diff --check origin/main...HEAD
  • pnpm test extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/session-binding.test.ts (2 files / 42 tests passed)

steipete force-pushed the codex/codex-app-server-oauth-harness branch from 8f74532 to ff6260c on May 11, 2026 14:12

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ff6260cda6


import path from "node:path";
import {
ensureAuthProfileStore,
ensureAuthProfileStoreWithoutExternalProfiles,


P1: Remove unresolved SDK import from auth bridge

This file now imports ensureAuthProfileStoreWithoutExternalProfiles from openclaw/plugin-sdk/agent-runtime, but that barrel still does not export it, so ESM module evaluation will throw before the auth bridge can run. Fresh evidence in this commit: src/plugin-sdk/agent-runtime.ts adds refreshOAuthCredentialForRuntime but its export list (around lines 34-72) still omits ensureAuthProfileStoreWithoutExternalProfiles, leaving this named import unresolved at runtime.


steipete (Contributor) commented

CI fixup pushed as final head 700e89f677016335a72d96b5f2d6e8f1e5cc9468.

The new extra change is lint-only: extensions/browser/src/cli/browser-cli-state.option-collisions.test.ts avoids oxlint's no-control-regex failure from current origin/main without changing the ANSI stripping behavior.

Additional local proof:

  • pnpm lint --threads=8
  • pnpm run lint:extensions:bundled
  • pnpm test extensions/browser/src/cli/browser-cli-state.option-collisions.test.ts (1 file / 9 tests passed)

steipete force-pushed the codex/codex-app-server-oauth-harness branch from ff6260c to 700e89f on May 11, 2026 14:31
steipete (Contributor) commented

Rebased again on current origin/main; final head is now 65c7c97237ca13e10faea8169e2743d96e6b1e05.

The browser lint fix that tripped CI is now already in main, so this PR diff is back to the Codex OAuth harness fix + changelog only.

Proof on this rebased head:

  • git diff --check origin/main...HEAD
  • pnpm test extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/session-binding.test.ts (2 files / 42 tests passed)
  • pnpm run lint:extensions:bundled

steipete force-pushed the codex/codex-app-server-oauth-harness branch from 700e89f to 65c7c97 on May 11, 2026 14:34
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 11, 2026
@steipete steipete merged commit 850d685 into openclaw:main May 11, 2026
89 of 90 checks passed

Labels

agents Agent runtime and tooling extensions: codex gateway Gateway runtime proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: supplied External PR includes structured after-fix real behavior proof. size: M


3 participants