Fix OpenAI Codex runtime provider routing

[ragesaq]

Summary

• Route explicit OpenAI Codex harness runtime selections through the openai-codex provider.
• Keep non-OpenAI providers unchanged when their runtime is codex.
• Add regression coverage for provider: "openai" plus harnessRuntime: "codex".

Root Cause

OpenAI model selections can resolve to the Codex harness, but resolveSelectedOpenAIPiRuntimeProvider only switched openai to openai-codex for the PI runtime plus Codex auth-order case. That left explicit codex runtime selections on the plain openai provider path, which can miss the Codex OAuth provider contract.

Real behavior proof

Behavior or issue addressed: Explicit OpenAI Codex harness selections such as openai/gpt-5.5 with agentRuntime.id: "codex" should use the openai-codex provider and Codex OAuth path, not the plain openai API-key path.

Real environment tested: openclaw-prod, OpenClaw gateway logs from /tmp/openclaw/openclaw-2026-05-16.log, with auth details redacted.

Exact steps or command run after this patch: Patched production gateway was restarted, then Forge was run on openai/gpt-5.5 with Runtime: OpenAI Codex. The production gateway log was checked with redacted rg searches for openai/gpt-5.5, Runtime: OpenAI Codex, openai-codex, agentRuntime.id: "codex", and 401/API-key-path failures.

Evidence after fix: Redacted runtime log excerpt from openclaw-prod:

/tmp/openclaw/openclaw-2026-05-16.log:57104
When agentRuntime.id: "codex" was explicitly set, resolveSelectedOpenAIPiRuntimeProvider()
fell through to plain "openai", which used the API-key path. Forge only had OAuth credentials. 401.

/tmp/openclaw/openclaw-2026-05-16.log:56769
Verified: this session is now on openai/gpt-5.5 with Runtime: OpenAI Codex
and OAuth profile openai-codex:[EMAIL-REDACTED].

Gateway fallback logs also showed openai/gpt-5.5 routed as candidateProvider: "openai" with status: 401 and an incorrect API-key-path failure before the routing fix.

Observed result after fix: The live production session reported openai/gpt-5.5 running with Runtime: OpenAI Codex and an openai-codex OAuth profile. The focused regression test also proves the routing helper now maps provider: "openai" plus harnessRuntime: "codex" to openai-codex, while non-OpenAI providers remain unchanged.

What was not tested: Full npx tsc --noEmit did not complete because Node exhausted an 8 GB heap before type diagnostics. The repo-local pnpm check:changed gate passed.

Verification

node scripts/run-vitest.mjs src/agents/openai-codex-routing.test.ts
Test Files  1 passed (1)
Tests       9 passed (9)

pnpm check:changed
passed

codex review -c 'model_reasoning_effort="xhigh"' --base origin/main
No actionable correctness issues were identified in the changed routing logic or its focused tests.

Note: a direct npx tsc --noEmit run was attempted with an 8 GB Node heap and still failed with a Node heap OOM before reporting type diagnostics. The repo-local pnpm check:changed gate passed.

AI-assisted disclosure

AI-assisted: yes.

Tools/models used:

• OpenAI Codex CLI v0.130.0 using gpt-5.5 with model_reasoning_effort="xhigh" for code review.
• Forge/OpenClaw assistant session for patch preparation, validation, and PR packet assembly.

Prompt/session logs are not included in this PR body. Local review artifacts are available from the contributor environment if maintainers request them.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR routes explicit OpenAI Codex harness runtime selections from openai to openai-codex, bootstraps OpenClaw OAuth auth for openai-codex-responses plugin-harness runs, refreshes credentials during profile rotation, updates regression tests, and adds Codex harness troubleshooting docs.

Reproducibility: yes. Source inspection on current main shows provider: "openai" plus Codex runtime falls through to the plain OpenAI provider while the adjacent auth-provider helper already selects openai-codex; I did not run the gateway in this read-only review.

Real behavior proof
Needs stronger real behavior proof before merge: Insufficient: supplied logs cover the initial routing fix and an intermediate failure, but not a successful live run at head e40d8ccd; add redacted terminal/log proof to the PR body so ClawSweeper can re-review, or ask a maintainer to comment @clawsweeper re-review if it does not trigger automatically. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Human handling is needed because this draft external PR needs current-head live proof and maintainer validation, not an automated code repair.

Security
Cleared: No concrete security or supply-chain regression was found; the diff changes existing auth routing/tests/docs and adds no dependencies, workflows, lifecycle scripts, or new secret sinks.

Review details

Best possible solution:

Land the narrow routing, OAuth-bootstrap, profile-rotation, regression-test, and troubleshooting-doc updates after the contributor or maintainer adds redacted live proof from the current head and the focused checks are green.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows provider: "openai" plus Codex runtime falls through to the plain OpenAI provider while the adjacent auth-provider helper already selects openai-codex; I did not run the gateway in this read-only review.

Is this the best way to solve the issue?

Yes, with a validation gate. Centralizing the routing fix in the selected-runtime helper plus a narrow openai-codex-responses auth-bootstrap path is maintainable, but the final branch head still needs real after-fix runtime proof before merge.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/openai-codex-routing.test.ts src/agents/pi-embedded-runner/run.overflow-compaction.test.ts
• pnpm check:changed or the equivalent Testbox changed gate
• Redacted live gateway proof at PR head for openai/gpt-5.5 or openai/gpt-5.4 with Runtime: OpenAI Codex using an openai-codex OAuth profile, with private IPs, API keys, phone numbers, non-public endpoints, and account details redacted

What I checked:

• current-main routing gap: On current main, resolveSelectedOpenAIPiRuntimeProvider normalizes the selected runtime but only returns openai-codex for PI/Codex-auth-order cases; provider: "openai" plus runtime "codex" still falls through to params.provider. (src/agents/openai-codex-routing.ts:183, 421b9e281942)
• adjacent auth contract: The adjacent auth-profile helper already maps OpenAI plus runtime codex to ["openai-codex"], so the PR aligns selected-runtime provider routing with the existing auth contract. (src/agents/openai-codex-routing.ts:125, 421b9e281942)
• active runner call site: The embedded runner calls resolveSelectedOpenAIPiRuntimeProvider before model resolution and switches provider when a runtime-specific model resolves, making this helper the active path for explicit Codex runtime selections. (src/agents/pi-embedded-runner/run.ts:612, 421b9e281942)
• PR routing diff: The PR adds a runtime === "codex" branch for OpenAI providers and preserves non-OpenAI provider routing when the selected runtime is Codex. (src/agents/openai-codex-routing.ts:181, c46f0e524989)
• PR OAuth bootstrap diff: The PR adds a narrow pluginHarnessNeedsOpenClawAuthBootstrap exception for plugin harnesses using openai-codex plus openai-codex-responses, causing the runner to load OpenClaw auth profiles and call initializeAuthProfile(). (src/agents/pi-embedded-runner/run.ts:673, 349ee4a18ea0)
• PR profile-rotation diff: The latest PR commit routes profile rotation through advanceAuthProfile for the OpenClaw-auth-bootstrap case so rotated Codex OAuth credentials are refreshed into the harness auth storage. (src/agents/pi-embedded-runner/run.ts:937, e40d8ccd6912)

Likely related people:

• @steipete: Current-main blame owns the selected-runtime helper body, and the latest PR commit also adjusts the same embedded-runner auth/profile-rotation path. (role: recent area contributor; confidence: high; commits: b328f57bc3f7, e40d8ccd6912; files: src/agents/openai-codex-routing.ts, src/agents/pi-embedded-runner/run.ts, src/agents/pi-embedded-runner/run.overflow-compaction.test.ts)
• @pashpashpash: Commit history shows the OpenAI agents through Codex default-routing feature landed through this area, which is the policy the PR is aligning with explicit runtime selections. (role: feature history contributor; confidence: medium; commits: 1c3399010815; files: src/agents/openai-codex-routing.ts, src/agents/openai-codex-routing.test.ts)
• @joshavant: Recent history on the embedded runner includes adjacent assistant payload/runtime work, making this a useful routing candidate for runner-side review if ownership is shared. (role: recent adjacent contributor; confidence: medium; commits: 7d1317634e5b; files: src/agents/pi-embedded-runner/run.ts, src/agents/pi-embedded-runner/run.overflow-compaction.test.ts)

Remaining risk / open question:

• The latest head has no successful live gateway proof after the OAuth-bootstrap and profile-rotation changes; existing production evidence covers the earlier routing attempt and an intermediate failure mode.
• Tests were not rerun in this read-only review, so verification relies on the PR-supplied focused test output and source inspection.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 421b9e281942.

[PsiClawOps]

Superseded. Reposted by @ragesaq here: #82864 (comment)

[ragesaq]

Extended PR #82864 with commit 349ee4a18e: fix(agents): bootstrap OAuth credentials for Codex harness with openai/* model refs.

Additional production evidence after the first patch showed a second failure mode:

2026-05-17T04:19:43Z agent/embedded
provider="openai-codex"
sourceProvider="openai-codex"
model="gpt-5.5"
rawErrorPreview="No API key found for openai-codex"

That means the original routing fix was necessary but not complete. Routing reached openai-codex, but the embedded plugin harness path still skipped OpenClaw auth bootstrap. The new commit keeps the plugin-harness transport ownership rule, with a narrow exception for api: "openai-codex-responses", so Codex OAuth profiles are materialized before dispatch.

Verification:

node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run.overflow-compaction.test.ts src/agents/openai-codex-routing.test.ts
Test Files  3 passed (3)
Tests       59 passed (59)

PATH=/tmp/openclaw-pnpm-shim:$PATH node scripts/check-changed.mjs
ok: conflict markers, changelog attributions, wildcard re-export guards, duplicate coverage,
dependency pin guard, package patch guard, typecheck core, typecheck core tests,
typecheck extensions, typecheck extension tests, lint core, lint extensions, lint scripts
failed: lint apps, because swiftlint is not installed in this environment

I could not update the PR body from this integration token: GitHub returned 403 Resource not accessible by integration.

[ragesaq]

Current steering status from prod validation:

• PR head: e40d8ccd69127f4b55072fe3ff699bb60563cd65
• Focused local validation at this head passed:

node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run.overflow-compaction.test.ts src/agents/openai-codex-routing.test.ts
Test Files  3 passed (3)
Tests       61 passed (61)

• openclaw-prod has now been hotfixed to this head. Installed bundle marker:

/home/lumadmin/.npm-global/lib/node_modules/openclaw/dist/pi-embedded-BkQLKIkH.js
pluginHarnessNeedsOpenClawAuthBootstrap
advanceAttemptAuthProfile
if (!pluginHarnessOwnsTransport || pluginHarnessNeedsOpenClawAuthBootstrap) await initializeAuthProfile()

• Gateway restart verification on openclaw-prod:

openclaw-gateway: active
clawdash: active
control-ui/index.html: present
protocol mismatches after ClawDash bridge restart: none observed

Remaining proof gap: we still need one fresh live OpenAI Codex turn on openclaw-prod at this deployed head showing openai/gpt-5.5 or openai/gpt-5.4 with Runtime: OpenAI Codex completes without the prior No API key found for openai-codex failure or fallback to Opus. Once that log excerpt exists, I will update the PR body with the redacted proof.

[steipete]

Verification before merge:

• Behavior addressed: forced openai/gpt-5.x plus agentRuntime.id: "codex" now routes through openai-codex, bootstraps Codex OAuth for plugin-harness transport, and refreshes OAuth credentials during auth-profile failover.
• Real environment tested: GitHub Real behavior proof run 25982272554, job 76373012242, success.
• Exact steps or command run after this patch:
  • node scripts/run-vitest.mjs src/agents/openai-codex-routing.test.ts src/agents/pi-embedded-runner/run.overflow-compaction.test.ts
  • git diff --check
  • codex-review --mode branch
• Evidence after fix: focused Vitest passed 3 files / 61 tests; diff whitespace clean; Codex review reported no actionable correctness issues; PR status checks show Real behavior proof, actionlint, no-tabs, and Socket checks green.
• Observed result after fix: Codex harness attempts receive provider openai-codex, a forwarded auth profile id, and refreshed runtime credentials when rotating from openai-codex:sub to openai-codex:backup.
• What was not tested: full local pnpm check; Testbox pnpm check:changed run 25982135127 failed on an unrelated current-tree export mismatch in src/auto-reply/reply/followup-runner.ts.