fix(codex): gate migration on app readiness #80815

Merged
kevinslin merged 11 commits into main from codex-migration-app-readiness
May 12, 2026
@kevinslin kevinslin commented May 12, 2026

Summary

  • Gate Codex plugin migration on source plugin/read plus a fresh source app/list readiness snapshot so unavailable app-backed plugins become manual skipped items instead of migrated config.
  • Preserve source/destination auth isolation during source readiness discovery: source plugin/list, plugin/read, and app/list run against the source Codex home with native source auth and isolated app-server probes.
  • Reuse the shared Codex plugin app cache key for runtime, source migration refreshes, and target apply invalidation; apply now invalidates only the target app inventory cache key.

Verification

  • pnpm test extensions/codex/src/migration/provider.test.ts extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/shared-client.test.ts
  • pnpm test extensions/codex/src/migration/provider.test.ts after the latest docs-only follow-up
  • git diff --check
  • Live copied-profile dry-run: pnpm openclaw --profile codex-migration-readiness migrate codex --dry-run --json --from $HOME/.codex
  • Live native-source-auth dry-run: pnpm openclaw --profile codex-migration-readiness-native migrate codex --dry-run --json --from $HOME/.codex

Real behavior proof

Behavior addressed: Codex migration source readiness now uses isolated source Codex app-server probes instead of logging that source app-server into the destination OpenClaw auth profile, and app-backed plugins are only planned when the fresh source app inventory reports their backing apps as available.

Real environment tested: Local OpenClaw checkout on macOS. Live migration dry-runs were run at PR head d803b8c50e3638643694b0a273443c6369bae6e5; latest PR head 404cb5c03564b837a6d33c67c0410c5ea602ccd2 is a docs-only follow-up validated with the focused provider test and git diff --check. The codex-migration-readiness profile is a copied dev OpenClaw auth profile. The codex-migration-readiness-native profile is the same copied setup with OpenClaw auth removed so the source Codex app server uses native $HOME/.codex auth.

Exact steps or command run after the patch: Ran the focused Vitest files, then ran both migration dry-runs with --dry-run --json against $HOME/.codex; after the latest docs-only follow-up, reran pnpm test extensions/codex/src/migration/provider.test.ts and git diff --check.

Evidence after fix:

$ pnpm test extensions/codex/src/migration/provider.test.ts extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/shared-client.test.ts
Test Files  3 passed (3)
Tests  64 passed (64)

$ pnpm openclaw --profile codex-migration-readiness migrate codex --dry-run --json --from $HOME/.codex
returncode=0 timedOut=false stdoutBytes=46563 stderrBytes=1027
summary total=99 planned=88 skipped=11 errors=0
plugin:gmail:7            gmail            skipped app_missing
plugin:google-calendar:8  google-calendar  skipped app_missing
plugin:readwise:11        readwise         skipped app_missing
stderr did not contain refresh_token_reused

$ pnpm openclaw --profile codex-migration-readiness-native migrate codex --dry-run --json --from $HOME/.codex
returncode=0 timedOut=false stdoutBytes=46570 stderrBytes=1034
summary total=99 planned=88 skipped=11 errors=0
plugin:gmail:7            gmail            skipped app_missing
plugin:google-calendar:8  google-calendar  skipped app_missing
plugin:readwise:11        readwise         skipped app_missing
stderr did not contain refresh_token_reused

$ pnpm test extensions/codex/src/migration/provider.test.ts
Test Files  1 passed (1)
Tests  18 passed (18)

$ git diff --check
No whitespace errors reported.

Observed result after fix: The copied dev-auth profile run no longer fails source plugin inventory with Codex OAuth refresh_token_reused, and both dry-runs exit cleanly after emitting complete migration plans. In the current live Codex app inventory snapshot, Gmail, Google Calendar, and Readwise app ids are all reported missing, so migration leaves them as manual skipped items instead of planning plugin activation.

What was not tested: No apply/write migration was run; both live runs were dry-runs only.
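
The readiness gate and source-account boundary this PR describes, as an added example that is not code from the PR or from OpenClaw. All type, field and function names and the `source_snapshot_unusable` reason are assumptions; only `app_missing`, `authProfileId: null` and `isolated: true` appear on this page.

```typescript
// Added illustration. Names are hypothetical, not OpenClaw's API.
type SkipReason = "app_missing" | "source_snapshot_unusable"; // second value is hypothetical

interface SourcePlugin { id: string; appIds: string[] }                // from source plugin/read
interface AppSnapshot { accountId: string; availableAppIds: string[] } // from a fresh app/list
interface PlanItem { id: string; status: "planned" | "skipped"; reason?: SkipReason }

// Probe options for the source app-server: source home, no destination auth profile.
function sourceProbeOptions(sourceHome: string) {
  return { codexHome: sourceHome, authProfileId: null, isolated: true };
}

// Plan a plugin only when every backing app is available in a snapshot taken
// under the source account; anything else becomes a manual skipped item.
function gatePlugins(
  plugins: SourcePlugin[],
  snapshot: AppSnapshot | null,
  sourceAccountId: string,
): PlanItem[] {
  return plugins.map((p): PlanItem => {
    if (p.appIds.length === 0) return { id: p.id, status: "planned" }; // not app-backed
    if (snapshot === null || snapshot.accountId !== sourceAccountId) {
      // Fail closed: a missing snapshot, or one from another account, proves nothing.
      return { id: p.id, status: "skipped", reason: "source_snapshot_unusable" };
    }
    const available = snapshot.availableAppIds;
    const missing = p.appIds.filter((a) => available.indexOf(a) === -1);
    return missing.length === 0
      ? { id: p.id, status: "planned" }
      : { id: p.id, status: "skipped", reason: "app_missing" };
  });
}

// Constructed sample data (not taken from a real Codex home).
const samplePlugins: SourcePlugin[] = [
  { id: "plugin:gmail", appIds: ["app-gmail"] },
  { id: "plugin:notes", appIds: [] },
  { id: "plugin:docs", appIds: ["app-docs"] },
];
const sourceSnapshot: AppSnapshot = { accountId: "acct-source", availableAppIds: ["app-docs"] };
// The destination account can see more apps; its snapshot must never decide source readiness.
const targetSnapshot: AppSnapshot = {
  accountId: "acct-target",
  availableAppIds: ["app-gmail", "app-docs"],
};

// Summarise a plan as "id=status[:reason]" strings for easy comparison.
function summarize(items: PlanItem[]): string[] {
  return items.map((i) => i.id + "=" + i.status + (i.reason ? ":" + i.reason : ""));
}
```

Gating on `targetSnapshot` without the account check would plan `plugin:gmail` although the source account cannot reach its app, which is the mismatch the review thread flags.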

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5a2cbc174f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread extensions/codex/src/migration/plan.ts Outdated
Comment on lines +382 to +383
config: ctx.config,
agentDir: targets.agentDir,
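
Review bot: On lines +382 to +383, `agentDir: targets.agentDir` takes its value from `targets` while `config` comes from `ctx`, and nothing at the call site says whether a target-scoped directory is intended here. If this call feeds source discovery, pass a source-scoped value or drop the field, and cover it with a test in which the source and target accounts differ so that mixing the two sides fails visibly.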

[P1] Keep source readiness on the source account

When the source Codex home is logged in as one account but the target OpenClaw agent config selects a different Codex auth profile, passing ctx.config and the target agentDir into source discovery causes the source app-server requests to apply the target auth profile before plugin/list, plugin/read, and app/list. The readiness gate then evaluates the target account's app access instead of the migrated Codex home's source account, so ready source plugins can be skipped (or the opposite) based solely on the destination agent auth. Source discovery should let the app-server use the source CODEX_HOME credentials rather than the target agent auth profile.

Useful? React with 👍 / 👎.

clawsweeper Bot commented May 12, 2026

Codex review: needs real behavior proof before merge.

Summary
The PR updates Codex migration to read source plugin details, gate app-backed plugin activation on source account and optional app readiness checks, isolate source app-server auth from target profiles, reuse plugin app cache keys, and update CLI docs and tests.

Reproducibility: yes. source-reproducible: current main discovers source-installed Codex plugins through plugin/list and plans them without plugin/read, account/read, or source app/list eligibility checks. I did not run a live current-main migration in this read-only review.

Real behavior proof
Needs stronger real behavior proof before merge: Copied terminal dry-run output is useful but predates current head and omits --verify-plugin-apps; the contributor should update the PR body with redacted current-head terminal output, logs, or linked artifacts, which should trigger a fresh ClawSweeper review or can be followed by @clawsweeper re-review.

Next step before merge
Protected maintainer label plus insufficient current-head real behavior proof require human/contributor follow-up; I did not find a narrow code repair for ClawSweeper to queue.

Security
Cleared: The diff touches Codex auth/profile and migration probing paths but adds no dependencies, workflows, lockfile changes, downloaded code, broader permissions, or concrete secret-handling regression.

Review details

Best possible solution:

Land through maintainer review after refreshing current-head live dry-run proof for both default and --verify-plugin-apps Codex migration paths while preserving source-auth isolation and typed skipped items.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main discovers source-installed Codex plugins through plugin/list and plans them without plugin/read, account/read, or source app/list eligibility checks. I did not run a live current-main migration in this read-only review.

Is this the best way to solve the issue?

Yes for the code direction: source-auth-isolated probes plus plugin detail, account gating, optional strict app-list verification, and target-scoped app-cache invalidation are a maintainable fix. Merge should wait for current-head proof and maintainer handling.

Acceptance criteria:

  • pnpm test extensions/codex/src/migration/provider.test.ts extensions/codex/src/app-server/auth-bridge.test.ts extensions/codex/src/app-server/shared-client.test.ts
  • pnpm test src/commands/migrate.test.ts
  • git diff --check
  • Current-head live openclaw migrate codex --dry-run --json --from <redacted-source> proof with and without --verify-plugin-apps

What I checked:

  • Protected live PR state: GitHub API shows this PR is open at head 1e7ea10 and carries the protected maintainer label; the earlier proof: sufficient label is no longer present in the live label set. (1e7ea10f8786)
  • Current main lacks source plugin readiness gates: Current main calls source Codex app-server plugin/list and immediately maps installed curated plugins to migratable: true without plugin/read, account/read, or source app/list eligibility checks. (extensions/codex/src/migration/source.ts:145, 7c5b3283d6d9)
  • Current main plans those plugins directly: Current main builds the Codex migration plan from discoverCodexSource(ctx.source) and then passes source.plugins into buildPluginItems, so installed curated plugins become planned install items without the PR's source readiness evaluation. (extensions/codex/src/migration/plan.ts:348, 7c5b3283d6d9)
  • Maintainer review context: A maintainer-side triage comment identified the blocking feedback as source readiness being evaluated under the target auth profile instead of the source CODEX_HOME account, matching the account-boundary fix in the branch. (1e7ea10f8786)
  • PR isolates source app-server auth: At PR head, source app-server requests use source CODEX_HOME start options with authProfileId: null and isolated: true, which avoids applying the target OpenClaw auth profile during source plugin/list, plugin/read, account/read, and app/list probes. (extensions/codex/src/migration/source.ts:265, 1e7ea10f8786)
  • PR adds readiness gates and typed skips: At PR head, source discovery reads plugin detail, checks source account subscription state for app-backed plugins, plans them without app-list only when verification is off, and converts verification failures into skipped manual items with typed reasons. (extensions/codex/src/migration/source.ts:300, 1e7ea10f8786)

Likely related people:

  • kevinslin: Prior merged history introduced native Codex plugin app support and recently changed Codex plugin migration selection/default behavior in the same migration, docs, and app-cache surface; this is relevant beyond authoring this PR. (role: feature introducer and recent Codex migration contributor; confidence: high; commits: a1ac559ed7e6, d922edd86190, 8954c03231aa; files: extensions/codex/src/migration/source.ts, extensions/codex/src/migration/plan.ts, extensions/codex/src/migration/apply.ts)
  • pashpashpash: Prior merged commits worked on isolating Codex app-server state per agent, preserving auth handoff, and rotating auth profiles inside the harness, which overlaps the source/destination auth boundary changed here. (role: adjacent app-server isolation and auth contributor; confidence: medium; commits: 027ea5f08bd9, cc95d4dd28eb, 401ae38f13a3; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/shared-client.ts, extensions/codex/src/app-server/run-attempt.ts)
  • steipete: Recent history shows repeated maintenance of Codex app-server auth, shared-client, lifecycle, and runtime boundary code adjacent to the auth and cache behavior touched by the PR. (role: recent Codex app-server/auth contributor; confidence: medium; commits: 2fc429dfbf0e, 35da7d2c992c, 089a3063ee5f; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/shared-client.ts, extensions/codex/src/app-server/run-attempt.ts)
  • sjf: Recent merged history on extensions/codex/src/migration/source.ts changed Codex migration detection to use isolated one-shot source app-server clients, adjacent to the same source discovery path. (role: recent exact-file migration discovery contributor; confidence: medium; commits: c8998b71e246; files: extensions/codex/src/migration/source.ts)

Remaining risk / open question:

  • The real behavior proof in the PR body predates current head and does not show the --verify-plugin-apps path added by later commits.
  • No apply/write migration proof is shown; the live evidence is dry-run only.
  • At review time, one relevant GitHub check-run was still in progress, so final merge readiness depends on completed checks.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7c5b3283d6d9.

Re-review progress:

@clawsweeper clawsweeper Bot added the "proof: sufficient" label (ClawSweeper judged the real behavior proof convincing.) May 12, 2026
@kevinslin kevinslin force-pushed the codex-migration-app-readiness branch from c3735d6 to 404cb5c May 12, 2026 01:56
@openclaw-barnacle openclaw-barnacle Bot added the "commands" label (Command implementations) May 12, 2026
@openclaw-barnacle openclaw-barnacle Bot added the "cli" label (CLI command changes) May 12, 2026
@clawsweeper clawsweeper Bot removed the "proof: sufficient" label (ClawSweeper judged the real behavior proof convincing.) May 12, 2026
@kevinslin kevinslin merged commit 9ff5250 into main May 12, 2026
112 checks passed
@kevinslin kevinslin deleted the codex-migration-app-readiness branch May 12, 2026 20:01
steipete pushed a commit that referenced this pull request May 12, 2026
* fix(codex): gate migration on app readiness

* fix(codex): preserve source auth during migration

* fix(codex): isolate migration source app probes

* docs(codex): align migration readiness reasons

* docs(codex): remove stale auth-required source reason

* fix(codex): narrow native auth profile resolver input

* fix: clarify codex migration subscription gating

* refactor: simplify codex migration subscription gate

* fix: make codex app verification optional

* docs: clarify codex app inventory cache

* test: avoid map spread in migration test
eleqtrizit pushed a commit to eleqtrizit/openclaw that referenced this pull request May 14, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 24, 2026
jameslcowan pushed a commit to jameslcowan/openclaw that referenced this pull request Jun 2, 2026
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
Labels

  • cli (CLI command changes)
  • commands (Command implementations)
  • docs (Improvements or additions to documentation)
  • extensions: codex
  • maintainer (Maintainer-authored PR)
  • plugin: migrate-claude
  • plugin: migrate-hermes
  • size: XL
