fix(codex): classify app-server auth refresh failures #81638

Merged: vincentkoc merged 2 commits into main from codex-auth-refresh-logout on May 14, 2026

@vincentkoc

Member

Summary

  • classify Codex app-server token-refresh logout/account-switch messages as auth refresh failures
  • surface app-server relogin error.data.detail on JSON-RPC errors before the generic failed to load configuration text hides it
  • add regression coverage and an unreleased changelog entry

Root Cause

OpenAI Codex exposes this failure in more than one shape. Native managed auth can surface the raw Your access token could not be refreshed... message, while app-server startup/config paths can put the actionable relogin text in JSON-RPC error.data.detail. OpenClaw only classified the wrapped OAuth refresh path and mostly formatted app-server RPC errors from error.message, so users could see a generic runtime/config failure instead of re-auth guidance.

Verification

Behavior addressed: Codex app-server auth refresh/logout/relogin failures now classify as auth_refresh and format as re-authentication guidance.

Real environment tested: Blacksmith Testbox tbx_01krj782ckry3qkyd747va5n1x (quick-krill) plus local targeted Vitest through scripts/test-projects.mjs.

Exact steps or command run after this patch: node scripts/test-projects.mjs extensions/codex/src/app-server/client.test.ts src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts -- --reporter=dot; git diff --check origin/main...HEAD; node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-org openclaw --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --blacksmith-ref main --idle-timeout 90m --ttl 240m --timing-json --shell -- "env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 OPENCLAW_TESTBOX=1 OPENCLAW_TESTBOX_REMOTE_RUN=1 pnpm check:changed".

Evidence after fix: targeted tests passed, git diff --check passed, and Testbox pnpm check:changed completed with exit 0 in 3m25.921s; backing run: https://github.com/openclaw/openclaw/actions/runs/25839278713.

Observed result after fix: exact Codex logout/account-switch and app-server relogin-detail payloads produce the existing Authentication refresh failed. Re-authenticate this provider and try again. user-facing path instead of falling through as raw runtime/config errors.

What was not tested: a live expired/logged-out Codex account against OpenAI production, because reproducing that safely would require mutating a real auth session. The regression is based on current OpenAI Codex source behavior and app-server protocol/error shapes.

@openclaw-barnacle (bot) added the labels agents (Agent runtime and tooling), extensions: codex, size: S, and maintainer (Maintainer-authored PR) on May 14, 2026
@vincentkoc vincentkoc self-assigned this May 14, 2026
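
The two error shapes described in the PR body above, as an added TypeScript example that is not OpenClaw's code. The function names, the regex patterns, the `message: detail` join, the 300-character cap and the sample payloads are all assumptions made for illustration; because `error.data` is server-controlled, the detail is type-checked and sanitized before it is surfaced.

```typescript
// Added illustration; names, patterns and sample payloads are assumptions,
// not OpenClaw's actual implementation.
type RpcError = { code: number; message: string; data?: unknown };
type FailureKind = "auth_refresh" | "unknown";

const USER_GUIDANCE =
  "Authentication refresh failed. Re-authenticate this provider and try again.";

// Hypothetical patterns: the raw prefix quoted in the PR plus generic relogin wording.
const AUTH_REFRESH_PATTERNS: RegExp[] = [
  /access token could not be refreshed/i,
  /\b(log|sign) ?in again\b/i,
  /\bre-?(login|authenticate)\b/i,
];

// error.data is server-controlled: accept only a string detail, strip control
// characters and cap the length before it reaches logs or the UI.
function extractDetail(data: unknown): string | undefined {
  if (typeof data !== "object" || data === null) return undefined;
  const detail = (data as Record<string, unknown>)["detail"];
  if (typeof detail !== "string") return undefined;
  const cleaned = detail.replace(/[\u0000-\u001f\u007f]+/g, " ").trim().slice(0, 300);
  return cleaned.length > 0 ? cleaned : undefined;
}

// Prefer the actionable detail over the generic message that would hide it.
function formatRpcError(error: RpcError): string {
  const detail = extractDetail(error.data);
  if (!detail || detail === error.message) return error.message;
  return `${error.message}: ${detail}`;
}

function classify(text: string): FailureKind {
  return AUTH_REFRESH_PATTERNS.some((p) => p.test(text)) ? "auth_refresh" : "unknown";
}

function userFacing(text: string): string {
  return classify(text) === "auth_refresh" ? USER_GUIDANCE : text;
}

// Constructed payloads for the two shapes described in the PR.
const nativeShape = "Your access token could not be refreshed";
const appServerShape: RpcError = {
  code: -32603,
  message: "failed to load configuration",
  data: { detail: "Please log in again.\u0007" },
};
```

Classifying on `error.message` alone leaves the app-server shape as `unknown`; classifying on the formatted text that includes the sanitized detail yields `auth_refresh`.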
@clawsweeper

clawsweeper Bot commented May 14, 2026

Contributor

Codex review: needs maintainer review before merge.

Summary
The PR updates Codex app-server JSON-RPC error formatting and OAuth refresh failure classification so Codex relogin/token-refresh failures map to OpenClaw's existing auth-refresh guidance, with regression tests and a changelog entry.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Partially: the PR adds source-level regression cases for the known Codex app-server JSON-RPC error shapes, but no live expired/logged-out Codex production account reproduction was performed.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this member-authored PR, though the body includes targeted tests and Testbox proof for the patched paths.

Next step before merge
Protected maintainer-labeled draft PR; the next action is normal maintainer review/undraft handling, not cleanup or automated repair.

Security
Cleared: The diff only changes local error classification/formatting, tests, and changelog text; I found no concrete security or supply-chain regression.

Review details

Best possible solution:

Let maintainers finish normal review for the draft PR and land it only if they accept the Codex app-server auth-refresh classification behavior.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Partially: the PR adds source-level regression cases for the known Codex app-server JSON-RPC error shapes, but no live expired/logged-out Codex production account reproduction was performed.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes, based on the provided diff: it reuses the existing OpenClaw auth-refresh classification and only extracts actionable Codex relogin detail from the app-server error payload instead of adding a new user-facing mode.

Acceptance criteria:

  • Review the existing PR proof: targeted scripts/test-projects.mjs command, git diff --check, and Testbox pnpm check:changed linked in the PR body.

What I checked:

  • Protected review state: GitHub context shows author association MEMBER, draft state true, and labels including maintainer; repository cleanup policy requires such PRs to remain open for explicit maintainer handling. (0d70c0b70671)
  • PR diff scope: The diff touches extensions/codex/src/app-server/client.ts, auth refresh classification, two agent helper test files, the Codex app-server client test, and CHANGELOG.md; the changed behavior is narrowly scoped to Codex app-server/auth-refresh error presentation. (extensions/codex/src/app-server/client.ts:42, 0d70c0b70671)
  • Real behavior proof in PR body: The PR body reports targeted Vitest through scripts/test-projects.mjs, git diff --check, and Blacksmith Testbox pnpm check:changed exit 0 with a linked GitHub Actions run; it also states the live expired-account path was not tested because it would mutate a real auth session. (0d70c0b70671)

Likely related people:

  • vincentkoc: The PR author is a repository member and authored both commits in this PR; the touched Codex/auth-refresh paths are the relevant routing surface for review. (role: current PR author and recent Codex/auth error contributor; confidence: medium; commits: 835e7181e9b2, 0d70c0b70671; files: extensions/codex/src/app-server/client.ts, src/agents/auth-profiles/oauth-refresh-failure.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts)

Remaining risk / open question:

  • The PR is draft and protected by maintainer, so merge/close disposition needs explicit maintainer handling rather than cleanup automation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 256377c029f6.

Re-review progress:

@vincentkoc

Member Author

Verification before merge:

Behavior addressed: Codex native/app-server token-refresh logout and relogin failures now classify as authentication refresh failures instead of surfacing as raw runtime errors.
Real environment tested: local OpenClaw checkout plus Blacksmith Testbox.
Exact steps or command run after this patch: node scripts/test-projects.mjs extensions/codex/src/app-server/client.test.ts src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts -- --reporter=dot; git diff --check origin/main...HEAD; pnpm check:changed through Testbox.
Evidence after fix: targeted tests passed 2 Vitest shards, 228 tests total; diff check passed; Testbox tbx_01krj782ckry3qkyd747va5n1x / https://github.com/openclaw/openclaw/actions/runs/25839278713 passed pnpm check:changed with exit 0.
Observed result after fix: exact Codex logout/account-switch text formats as Authentication refresh failed. Re-authenticate this provider and try again., generic app-server relogin detail is preserved in the RPC error message, and both paths classify as auth_refresh.
What was not tested: no live mutation of an expired OpenAI account session; regression coverage is based on the current Codex harness source and app-server RPC error shape.

@vincentkoc vincentkoc marked this pull request as ready for review May 14, 2026 03:56
@vincentkoc vincentkoc requested a review from a team as a code owner May 14, 2026 03:56
@vincentkoc vincentkoc merged commit 3b8ac38 into main May 14, 2026
72 checks passed
@vincentkoc vincentkoc deleted the codex-auth-refresh-logout branch May 14, 2026 03:56