fix(sessions): preserve compatible auth overrides

[TurboTheTurtle]

Summary

• Preserve an existing session auth profile when sessions.patch switches to another model for the same provider.
• Continue clearing provider-prefixed auth profiles when the patched model changes to a different provider.
• Add gateway regression coverage for both same-provider preservation and cross-provider cleanup.

Fixes #81837.

Real behavior proof

• Behavior or issue addressed: Dashboard/Control UI model switches call sessions.patch with only a model ref; that path no longer drops a compatible authProfileOverride and no longer forces the selected model into an auth failure/fallback path.
• Real environment tested: Local OpenClaw checkout on macOS using the real applySessionsPatchToStore implementation from src/gateway/sessions-patch.ts.
• Exact steps or command run after this patch: Ran PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node --import tsx --input-type=module with a local proof harness that applies two sessions.patch model updates to real session entries: Anthropic-to-Anthropic and Anthropic-to-OpenAI.
• Evidence after fix: Console output from the local OpenClaw sessions.patch proof harness:

{
  "sameProvider": {
    "providerOverride": "anthropic",
    "modelOverride": "claude-sonnet-4-6",
    "authProfileOverride": "anthropic:default",
    "authProfileOverrideSource": "user",
    "authProfileOverrideCompactionCount": 3,
    "liveModelSwitchPending": true
  },
  "providerChange": {
    "providerOverride": "openai",
    "modelOverride": "gpt-5.4",
    "authProfileOverride": null,
    "authProfileOverrideSource": null,
    "authProfileOverrideCompactionCount": null,
    "liveModelSwitchPending": true
  }
}

• Observed result after fix: A same-provider model patch from anthropic/claude-opus-4-6 to anthropic/claude-sonnet-4-6 preserved authProfileOverride: "anthropic:default", while a patch from Anthropic to OpenAI cleared the provider-prefixed auth profile.
• What was not tested: Live browser Dashboard interaction against a running gateway; the proof exercises the server-side sessions.patch RPC implementation used by the Dashboard.

Validation

• PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH pnpm test src/gateway/sessions-patch.test.ts src/sessions/model-overrides.test.ts src/auto-reply/reply/directive-handling.model.test.ts src/agents/auth-profiles/session-override.test.ts
• PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH pnpm exec oxfmt --check --threads=1 src/gateway/sessions-patch.ts src/gateway/sessions-patch.test.ts
• git diff --check
• PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH pnpm check:changed -- --base upstream/main --head HEAD

Notes

Local Homebrew Node is currently missing libsimdjson.31.dylib, so validation and proof commands used the bundled Node runtime path shown above. If this PR is squashed or reworked, please preserve author attribution or include:

Co-authored-by: Andy Ye 35905412+TurboTheTurtle@users.noreply.github.com

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch updates gateway sessions.patch model handling to preserve compatible authProfileOverride values, adds same-provider/alias/cross-provider regressions, and includes small doctor/Mantis test assertion updates.

Reproducibility: yes. by source inspection: current main reaches the sessions.patch model branch without passing a profile override or preserve flag, and the current gateway test expects the auth override to be cleared. I did not execute tests because this was a read-only review.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Good focused bug-fix PR with server-side real behavior proof and targeted regressions; remaining confidence is maintainer auth-provider review and latest-head checks.

Rank-up moves:

• Confirm the focused gateway/auth tests and changed checks on the latest head before merge.
• Optionally request a live Dashboard model-switch smoke if maintainers want UI-level proof.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): Sufficient terminal proof: the PR body shows after-fix output from a local harness exercising the real applySessionsPatchToStore path for same-provider preservation and provider-change cleanup.

Risk before merge

• This intentionally changes when a persisted authProfileOverride survives a model patch; latest-head checks and maintainer acceptance should gate merge because a bad compatibility decision could route auth to the wrong provider.
• The supplied proof exercises the real server-side sessions.patch helper, but there is no live Dashboard smoke showing the UI-to-gateway flow end to end.

Maintainer options:

1. Land After Auth Review And Latest Checks (recommended)
   If maintainers accept the server-side proof, merge after current focused gateway/auth checks are green because the patch uses the canonical alias helper and covers preserve/clear cases.
2. Request A Live Dashboard Smoke
   Ask for a short redacted Dashboard model-switch run if maintainers want UI-to-gateway confirmation before accepting the auth-provider behavior change.

Next step before merge
Human review remains appropriate because ClawSweeper already paused automerge on this auth-provider behavior change, and there is no narrow automated repair left after the alias-aware fix and tests.

Security
Cleared: Cleared: the diff is scoped to session auth override compatibility and tests, with no dependency, workflow, install, package, or secret-handling changes.

Review details

Best possible solution:

Land the alias-aware preservation path after maintainer auth-provider review and latest-head checks; request a live Dashboard smoke only if UI-level assurance is required.

Do we have a high-confidence way to reproduce the issue?

Yes by source inspection: current main reaches the sessions.patch model branch without passing a profile override or preserve flag, and the current gateway test expects the auth override to be cleared. I did not execute tests because this was a read-only review.

Is this the best way to solve the issue?

Yes. The PR uses the existing model override preservation hook plus the canonical provider-auth alias resolver, which is the narrow maintainable path; latest-head validation should still gate the auth-provider merge risk.

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): Sufficient terminal proof: the PR body shows after-fix output from a local harness exercising the real applySessionsPatchToStore path for same-provider preservation and provider-change cleanup.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P1: The PR fixes a real Dashboard/session model-switch auth failure that can break selected provider/profile routing for users.
• merge-risk: 🚨 auth-provider: The diff changes when persisted auth profile overrides are retained or cleared during model switching, which directly affects provider credential routing.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Good focused bug-fix PR with server-side real behavior proof and targeted regressions; remaining confidence is maintainer auth-provider review and latest-head checks.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): Sufficient terminal proof: the PR body shows after-fix output from a local harness exercising the real applySessionsPatchToStore path for same-provider preservation and provider-change cleanup.
• proof: sufficient: Contributor real behavior proof is sufficient. Sufficient terminal proof: the PR body shows after-fix output from a local harness exercising the real applySessionsPatchToStore path for same-provider preservation and provider-change cleanup.

What I checked:

• Current main clears auth on model-only patch: On current main, the sessions.patch model branch calls applyModelOverrideToSessionEntry without either profileOverride or preserveAuthProfileOverride, so the helper clears auth override fields. (src/gateway/sessions-patch.ts:454, 1b1580cbc3f5)
• Current regression expectation documents old behavior: The current-main gateway test named clears auth overrides when model patch changes expects authProfileOverride, source, and compaction count to become undefined after an Anthropic-to-Anthropic model patch. (src/gateway/sessions-patch.test.ts:274, 1b1580cbc3f5)
• PR uses alias-aware preservation: The PR adds shouldPreserveSessionAuthProfileOverride, comparing the selected provider and profile prefix through resolveProviderIdForAuth, and passes the result to model reset and model set calls. (src/gateway/sessions-patch.ts:74, 66856da71397)
• PR adds focused gateway coverage: The PR tests same-provider preservation, provider-auth alias preservation, unprefixed same-provider preservation, and clearing when the provider changes. (src/gateway/sessions-patch.test.ts:276, 66856da71397)
• Provider auth alias contract exists: resolveProviderIdForAuth normalizes providers through the plugin alias map, and the BytePlus plugin declares byteplus-plan as an auth alias of byteplus, matching the PR's alias regression. (src/agents/provider-auth-aliases.ts:191, 1b1580cbc3f5)
• Real behavior proof supplied: The PR body includes after-fix terminal JSON from a local harness using the real applySessionsPatchToStore implementation, showing same-provider preservation and cross-provider cleanup. (66856da71397)

Likely related people:

• Peter Steinberger: Blame and history point to Peter for the shared model override auth handling and provider auth alias support used by this fix, and shortlog shows the heaviest history across the central files sampled. (role: introduced behavior and adjacent owner; confidence: high; commits: 1e05925e47b2, 9e4f478f866c, 7fd6e2ec4c7c; files: src/gateway/sessions-patch.ts, src/sessions/model-overrides.ts, src/agents/provider-auth-aliases.ts)
• Vincent Koc: Vincent has recent main-branch history in gateway/session-adjacent files and authored the latest PR branch guard/test commits while also being assigned in the PR timeline. (role: recent area contributor and likely follow-up owner; confidence: medium; commits: 46a332385d11, f7cf3d0dad89, befcb111e2ab; files: src/gateway/sessions-patch.ts, src/gateway/sessions-patch.test.ts, src/commands/doctor-legacy-config.migrations.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1b1580cbc3f5.

[TurboTheTurtle]

Rebased this branch onto current upstream/main and resolved the conflict. I also added the current persistedHash field to the update CLI mutation mocks so the rebased branch satisfies the current ConfigMutationResult shape.

Validation run:

• pnpm test src/gateway/sessions-patch.test.ts src/sessions/model-overrides.test.ts src/auto-reply/reply/directive-handling.model.test.ts src/agents/auth-profiles/session-override.test.ts
• pnpm exec oxfmt --check --threads=1 src/gateway/sessions-patch.ts src/gateway/sessions-patch.test.ts src/commands/doctor/shared/legacy-config-core-normalizers.ts
• git diff --check
• pnpm check:changed -- --base upstream/main --head HEAD got through typecheck after the mock fix; the remaining full-run failure was a local timeout preparing plugin-sdk boundary artifacts, and rerunning the resulting core oxlint command with prepared artifacts skipped passed with 0 warnings/errors.

Author attribution verified with git log --format=%h\ %an\ <%ae>\ %s upstream/main..HEAD before pushing.

[TurboTheTurtle]

Merged current origin/main into this branch to clear the merge conflict and pick up the Telegram grammy/types boundary fix that was causing the current CI type failures.

Validation run locally on b22c36f8e6:

• pnpm tsgo:extensions
• pnpm test src/gateway/sessions-patch.test.ts src/sessions/model-overrides.test.ts src/auto-reply/reply/directive-handling.model.test.ts src/agents/auth-profiles/session-override.test.ts test/scripts/mantis-build-telegram-desktop-proof-evidence.test.ts
• pnpm exec oxfmt --check --threads=1 src/gateway/sessions-patch.ts src/gateway/sessions-patch.test.ts src/commands/doctor/shared/legacy-config-core-normalizers.test.ts test/scripts/mantis-build-telegram-desktop-proof-evidence.test.ts src/cli/update-cli.test.ts

[TurboTheTurtle]

Rebased this onto current upstream/main and resolved the Telegram proof evidence test conflict by keeping the newer raw QA image-table behavior while preserving the stronger marker/header/baseline/candidate assertions from this branch.

Validation:

• pnpm test src/gateway/sessions-patch.test.ts src/sessions/model-overrides.test.ts src/auto-reply/reply/directive-handling.model.test.ts src/agents/auth-profiles/session-override.test.ts test/scripts/mantis-build-telegram-desktop-proof-evidence.test.ts
• pnpm exec oxfmt --check --threads=1 src/gateway/sessions-patch.ts src/gateway/sessions-patch.test.ts src/commands/doctor/shared/legacy-config-core-normalizers.ts test/scripts/mantis-build-telegram-desktop-proof-evidence.test.ts
• git diff --check

I also verified every commit on the PR branch uses Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com> as author.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞🔧
ClawSweeper automerge is enabled.

• Head: 66856da71397
• Label: clawsweeper:automerge
• Action: repair worker queued. Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209
• Flow: review this head, repair/rebase only if needed, then re-review the exact repaired head before merge.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

• 2026-05-19 17:54:07 UTC review queued 62c1a04239d0 (queued)

• 2026-05-19 17:56:19 UTC repair queued 62c1a04239d0 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26115363431

• 2026-05-19 20:36:43 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123587773 automerge-openclaw-openclaw-81886

• 2026-05-19 20:37:04 UTC validation plan (passed) in 21s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123587773 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-19 20:37:19 UTC Codex write preflight (passed) in 36s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123587773 danger-full-access

• 2026-05-19 20:37:23 UTC repair completed (no branch change) in 40s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123587773 source PR fix(sessions): preserve compatible auth overrides #81886 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-19 20:37:25 UTC repair finished (blocked) in 42s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123587773 source PR fix(sessions): preserve compatible auth overrides #81886 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-21 15:02:34 UTC review passed 66856da71397 (structured ClawSweeper verdict: pass (sha=66856da71397fb534e3a4ea058678de207d85...)

• 2026-05-21 15:03:10 UTC repair queued 66856da71397 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209

• 2026-05-21 15:44:59 UTC review queued 66856da71397 (queued)

• 2026-05-21 15:57:08 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 automerge-openclaw-openclaw-81886

• 2026-05-21 15:57:24 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-21 15:57:37 UTC Codex write preflight (passed) in 30s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 danger-full-access

• 2026-05-21 16:03:15 UTC Codex edit 1 41b14c6faffa (complete) in 6m 8s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 exit 0

• 2026-05-21 16:07:27 UTC validation and review 1 64a07393d5d6 (complete) in 10m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 already-current

• 2026-05-21 16:08:54 UTC repair finished 64a07393d5d6 (opened) in 11m 47s Run: https://github.com/openclaw/clawsweeper/actions/runs/26234334209 open_fix_pr

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: No automated repair lane is indicated; the remaining action is maintainer merge review, latest-head checks, and optional UI-level proof for an auth-provider behavior change.; Cleared: Cleared: the diff is scoped to session auth override preservation and tests, with no dependency, workflow, package, install, or release-script changes. (sha=62c1a04239d021a2decacc06db56018747d7a4cc)

Why human review is needed:
ClawSweeper found a blocker that should be resolved or accepted by a maintainer before the repair or automerge loop continues.

Recommended next action:
Review the reason above, resolve the blocker or explicitly accept the risk, then ask ClawSweeper to continue if automation is still appropriate.

I added clawsweeper:human-review and left the final call with a maintainer.

[TurboTheTurtle]

@Takhoffman Could you make the final maintainer call here or route this to the right auth/provider owner?

The earlier merge gate from @stielemans called out the merge conflict plus alias-aware auth compatibility. The current head is clean, includes the resolveProviderIdForAuth-based compatibility path with focused alias regression coverage, and ClawSweeper now marks proof sufficient / ready for maintainer look. CI looks green apart from older cancelled superseded runs.

Since ClawSweeper paused automerge for human review on this auth-provider path, I’m leaving the final risk/merge decision with maintainers.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Mossy Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location branch lighthouse; accessory miniature diff map; palette amber, ink, and glacier blue; mood watchful; pose peeking out from the egg shell; shell soft speckled shell; lighting cool dashboard glow; background little resolved-comment flags.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[clawsweeper]

ClawSweeper 🐠 reef update

Thanks for the work on this. ClawSweeper did not have permission to update this branch directly, so it opened a narrow replacement PR instead. that's a branch access thing, not a knock on the contribution.

Why replacement: ClawSweeper could not update the source PR branch directly; GitHub did not grant sufficient push rights to the bot for that branch.
Replacement PR: #85014
Why close: this run explicitly closes the superseded source PR after the credited replacement PR is open, so review continues in one place.
Closing this one because the run was configured to close superseded source PRs after opening the replacement.
Credit follows the fix over to the replacement PR. no sneaky treasure grab.
Co-author credit kept:

• @TurboTheTurtle: Co-authored-by: Andy Ye 35905412+TurboTheTurtle@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 64a0739.