Remove OAuth sidecar credential runtime support

[joshavant]

Summary

• Remove runtime support for oauthRef sidecar-backed Codex OAuth credentials and persist OAuth credentials inline with the existing auth-profiles.json pattern.
• Add a doctor-only migration for legacy sidecar-backed Codex OAuth profiles, including comments that OS-level keychain integration must not be expanded in this project.
• Keep agent-copy, stale OAuth shadow cleanup, and Codex auth bridge behavior aligned with the inline-only runtime contract.

Verification

• .agents/skills/codex-review/scripts/codex-review --mode local exited clean with no accepted/actionable findings.
• node scripts/run-vitest.mjs src/commands/doctor-auth-oauth-sidecar.test.ts src/commands/doctor/repair-sequencing.test.ts src/commands/doctor/shared/stale-oauth-profile-shadows.test.ts src/commands/agents.add.test.ts src/agents/auth-profiles/portability.test.ts src/agents/auth-profiles.store.save.test.ts src/agents/auth-profiles/credential-state.test.ts src/agents/auth-profiles/persisted-boundary.test.ts src/agents/auth-profiles/profiles.test.ts extensions/codex/src/app-server/auth-bridge.test.ts
• git diff --check
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental false --pretty false
• Live OpenAI Codex OAuth browser login through AWS Crabbox WebVNC/Chrome, provider aws, id cbx_c9433cd7114f (jade-prawn). The OAuth exchange completed successfully, and redacted inspection showed an openai-codex OAuth profile with inline access and refresh credential material, account metadata present, and no oauthRef.
• Local manual onboarding verification from this branch confirmed ChatGPT/Codex auth works through device pairing, browser login, and API key setup. No secrets or credential values were included in this PR description.

Real behavior proof

Behavior addressed: legacy Codex OAuth profiles that used oauthRef sidecar credentials are no longer readable by broad runtime code; openclaw doctor --fix migrates affected profiles back to inline credentials and removes only sidecar files it successfully migrated. Normal ChatGPT/Codex onboarding and auth setup continue to persist credentials through the inline auth-profiles.json pattern instead of the removed sidecar/keychain path.

Real environment tested: Blacksmith Testbox through Crabbox, provider blacksmith-testbox, id tbx_01krsh6ah3v9sk9h5g7vrq64a7, Actions run 25975545206; AWS Crabbox WebVNC live OAuth proof, provider aws, id cbx_c9433cd7114f (jade-prawn); and local manual onboarding verification from this branch.

Exact steps or command run after this patch: git diff --check, core test typecheck via node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental false --pretty false, and the focused Vitest command covering doctor migration, auth persistence, agent-copy behavior, stale OAuth shadow cleanup, and Codex auth bridge behavior. For live proof, ran pnpm openclaw models auth login openai-codex in the remote desktop session, completed the OpenAI browser OAuth flow, then inspected only redacted auth profile shape and credential-presence booleans. For local manual proof, ran the onboarding/auth flows for ChatGPT/Codex device pairing, browser login, and API key setup.

Evidence after fix: remote Testbox proof passed 12 test files and 112 tests, including repro coverage for migrating encrypted legacy sidecars back to inline OAuth credentials, leaving undecryptable sidecars in place with a warning, avoiding unsafe deletion of unreferenced sidecars, and removing only successfully migrated sidecar files. The live Codex OAuth proof produced an openai-codex OAuth profile with inline access and refresh credential material, expected account metadata, and oauthRef absent. Local manual validation confirmed the three expected ChatGPT/Codex setup paths completed successfully: device pairing, browser login, and API key.

Observed result after fix: the runtime path no longer treats oauthRef as usable credential material, copied OAuth profiles require inline token material, doctor owns the one-time migration off of the sidecar/keychain pattern, and fresh ChatGPT/Codex onboarding/auth setup still succeeds without writing a sidecar reference.

What was not tested: full repository test suite. CI has run for this PR; current remaining failures outside Real behavior proof match failures observed on latest main and were not caused by this branch.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR removes Codex OAuth oauthRef sidecar runtime support, persists Codex OAuth material inline, and adds doctor-only migration/cleanup for legacy sidecar-backed profiles.

Reproducibility: not applicable. This PR is an auth-storage cleanup rather than a standalone bug report. Current-main and PR-head source inspection show the before/after oauthRef behavior, and the PR body reports focused Testbox plus live OAuth proof.

Real behavior proof
Sufficient (live_output): The PR body includes after-fix real-environment proof from Testbox and a live AWS Crabbox/WebVNC OpenAI Codex OAuth login with redacted credential-shape inspection.

Next step before merge
Protected-label auth storage migration with failing CI and a security-sensitive storage tradeoff needs human maintainer handling, not an automated repair lane.

Security
Cleared: No supply-chain or code-execution issue was found; the diff is security-sensitive because it changes OAuth token at-rest storage, which needs maintainer acceptance.

Review details

Best possible solution:

Keep this PR open for human maintainer/security review, green or accepted CI, and explicit acceptance of the inline Codex OAuth credential contract before landing.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR is an auth-storage cleanup rather than a standalone bug report. Current-main and PR-head source inspection show the before/after oauthRef behavior, and the PR body reports focused Testbox plus live OAuth proof.

Is this the best way to solve the issue?

Yes, with maintainer sign-off: moving compatibility into openclaw doctor --fix while making broad runtime paths inline-only is a maintainable way to retire sidecar support. The remaining decision is whether maintainers accept the credential-storage tradeoff and CI state.

What I checked:

• Protected PR metadata: The live PR is open, non-draft, head 4d10c46cd212984158ec515adacc187d09000449, and labeled maintainer, P1, agents, commands, extensions: codex, and size: XL. (4d10c46cd212)
• Current-main sidecar runtime contract: Current main still has Codex OAuth sidecar constants and buildPersistedAuthProfileSecretsStore omits inline Codex OAuth secrets by writing oauthRef sidecar metadata. (src/agents/auth-profiles/persisted.ts:1085, c2e90914b735)
• PR inline-only persistence contract: At PR head, buildPersistedAuthProfileSecretsStore persists OAuth credentials inline and only preserves legacy oauthRef raw metadata when needed for doctor migration. (src/agents/auth-profiles/persisted.ts:644, 4d10c46cd212)
• Doctor migration implementation: The new doctor repair scans agent auth stores, decrypts legacy Codex sidecars, writes inline OAuth material with backups, removes only migrated sidecars, and leaves unresolved sidecars in place with warnings. (src/commands/doctor-auth-oauth-sidecar.ts:492, 4d10c46cd212)
• Doctor repair sequencing: The PR runs legacy sidecar migration before stale OAuth shadow cleanup, which preserves sidecar-backed profiles long enough for migration to inspect them. (src/commands/doctor/repair-sequencing.ts:135, 4d10c46cd212)
• Real behavior proof in PR body: The PR body includes focused Testbox proof over 12 files/112 tests plus live AWS Crabbox WebVNC OAuth login proof showing inline access/refresh credential material and no oauthRef. (4d10c46cd212)

Likely related people:

• @vincentkoc: Recent auth-profile persistence commits adjusted OAuth profile secret/keychain behavior immediately before this PR's storage change. (role: recent area contributor; confidence: high; commits: deaf46a07d3c, b0daf992b247; files: src/agents/auth-profiles/persisted.ts)
• @pgondhi987: The sidecar-backed OAuth redaction behavior appears related to the merged Redact persisted secret-shaped payloads [AI] change. (role: introduced behavior; confidence: medium; commits: 17ceca86d698; files: src/agents/auth-profiles/persisted.ts, src/agents/auth-profiles/types.ts)
• @steipete: Recent history and blame show work in auth persistence, doctor sequencing, and adjacent repair paths touched by this migration. (role: recent adjacent contributor; confidence: medium; commits: 80eeb688c1c2, 9558b2c22239, 2e983e47dfdd; files: src/agents/auth-profiles/persisted.ts, src/commands/doctor/repair-sequencing.ts, src/commands/agents.commands.add.ts)
• @jeffjhunter: The existing PR discussion identifies recent Codex app-server OAuth bridge work in the area this PR updates through runtime expectations and tests. (role: adjacent owner; confidence: medium; commits: 850d685d4bec; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/auth-bridge.test.ts)

Remaining risk / open question:

• The PR intentionally moves Codex OAuth access/refresh material from encrypted sidecars back into auth-profiles.json; that storage contract should be explicitly accepted by maintainers.
• CI currently has failing checks on the PR head, so merge should wait for green reruns or maintainer confirmation that the failures are unrelated.
• This was a read-only review, so I did not run local tests in the checkout.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c2e90914b735.

[aaajiao]

This was helpful refactoring, but the "leaving undecryptable sidecars in place with a warning" behavior caught us silently on upgrade — the legacy oauthRef-backed openai-codex profile got its sidecar stripped, couldn't be inlined, and was left invalid. Routing then fell through auth.order.openai to the next profile (API key) with no surfacing — looked clean, except /status quietly switched from oauth (openai-codex:…) to api-key (openai:default). Subscription quota stopped being consumed but the API-key billing path picked up.

Suggestion: when migration cannot inline a legacy sidecar, openclaw doctor --fix could either (a) prompt for re-authentication interactively, or (b) exit non-zero so operators must acknowledge before continuing. The current warning is correct but easy to miss inside a longer doctor output, and the silent fall-through to the next auth profile means users only notice via a downstream billing surprise.

Repro: a profile authored via openclaw models auth login --provider openai-codex --device-code on v2026.5.16-beta.1 → upgrade to v2026.5.16-beta.4 → doctor --fix runs → migration logs Could not decrypt legacy OAuth sidecar … re-authenticate this profile. → gateway restart → /status shows api-key (openai:default). Recovery is openclaw models auth login --provider openai-codex --device-code again, which is trivial once you know to look — but only if you look.