Improve stale Codex auth recovery guidance

[pfrederiksen]

Summary

• Clear stale auto-created legacy openai-codex/gpt-* session route pins when the configured primary has migrated to canonical openai/gpt-*
• Preserve explicit user-selected openai-codex overrides while cleaning up stale automatic session state
• Add targeted recovery guidance when an agent run still fails with No API key found for provider "openai-codex"
• Keep openclaw doctor --fix as the first stale-route repair, with openclaw models auth login --provider openai-codex / openclaw configure as fallback guidance
• Cover both the stale session-pin prevention and the missing-key recovery text in regression tests

Fixes #83935.

Real behavior proof

Behavior or issue addressed: A live Telegram group session on a real OpenClaw install failed after an update with the stale provider-auth message Missing API key for provider "openai-codex". The working recovery was openclaw doctor, not configuring a new API key. This PR now does two things for that path: it prevents stale auto-created openai-codex/gpt-* session pins from being reused after migration to openai/gpt-*, and it improves the fallback user-facing error if a missing-key failure still gets through.

Real environment tested: OpenClaw gateway on Linux/systemd user service, Telegram group session, updated from 2026.5.12 to 2026.5.18.

Exact steps or command run after fix:

1. Updated the live OpenClaw install.
2. Sent a Telegram group message to the existing main session.
3. Observed two failed assistant replies with Missing API key for provider "openai-codex".
4. Ran openclaw doctor.
5. Verified the same live install had healthy model auth, active gateway, and responsive dashboard.

Evidence after fix:

Before repair, live Telegram session reply:
⚠️ Missing API key for provider "openai-codex". Configure the gateway auth for that provider, then try again.

After running doctor:

$ openclaw --version
OpenClaw 2026.5.18 (50a2481)

$ openclaw models list | grep -E '^(openai/gpt-5.5|codex/gpt-5.5)'
openai/gpt-5.5   text        195k  no  yes  default,fallback#1,configured
codex/gpt-5.5    text+image  266k  no  yes

$ systemctl --user is-active openclaw-gateway
active

$ curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:4000/
200

After-patch safe runtime proof from the PR checkout:

$ node --import tsx tmp-proof-stale-codex-message.mjs
⚠️ The session is pointing at a stale OpenAI Codex auth route. Run `openclaw doctor --fix` to repair Codex model/session routes, restart the gateway if doctor asks, then try again. If doctor has nothing to repair or the error persists, re-auth with `openclaw models auth login --provider openai-codex` or run `openclaw configure`.

The proof script imports the patched buildKnownAgentRunFailureReplyPayload and feeds it the exact real failure signature: No API key found for provider "openai-codex".

Observed result after fix: The real setup recovered after doctor, confirming stale openai-codex route state should direct users to doctor repair. The source patch additionally clears matching stale automatic session pins before they can keep routing future turns through the legacy provider.

What was not tested: I did not install this branch into the live gateway and intentionally re-break the active Telegram session, because doing that would interrupt the working production assistant session again.

Validation

• node scripts/run-vitest.mjs src/auto-reply/reply/model-selection.test.ts
• node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts -t "points stale openai-codex missing-key failures at doctor repair"
• git diff --check
• GitHub PR checks passed on head 4eaf34e3f5d71679b9d766e249c34a7b27447efa

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR clears stale auto-created legacy openai-codex/gpt-* session pins when the primary has migrated to canonical openai/gpt-*, improves the openai-codex missing-key reply, and adds targeted regression tests.

Reproducibility: yes. at source level. Current main maps No API key found for provider "openai-codex" to generic provider-auth guidance, and the linked issue/PR include live Telegram update evidence showing doctor repaired the stale route state.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Good patch with strong terminal/live proof; the remaining question is maintainer acceptance of the auth-provider/session-state recovery policy.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Mossy Merge Sprite

       _..------.._          
    .-'  .-.  .-.  '-.       
   /    ( * )( * )    \      
  |        .--.        |     
  |   <\   ====   />   |     
   \    '.______.'    /      
    '-._   ____   _.-'       
        `-.____.-'           
       __/|_||_|\__          
      /__.'    '.__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: sparkles near resolved comments.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Merge Sprite in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (terminal): The PR body supplies live Linux/systemd Telegram recovery output from the affected install plus after-patch terminal output showing the helper returns the new text for the exact failure signature.

Mantis proof suggestion
A live Telegram transcript would directly show that the observed transport now receives doctor-first recovery guidance with the re-auth fallback preserved. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live: verify that an openai-codex missing-key agent failure replies with doctor-first recovery guidance and preserves the re-auth fallback.

Risk before merge
Why this matters: - The new guidance applies to every openai-codex missing-key signature, including genuine missing Codex auth cases; the fallback text preserves re-auth/configure recovery, but the doctor-first ordering is an auth-provider policy choice.

• The model-selection change deletes persisted auto-created openai-codex session route pins when they match the canonical openai primary; tests cover stale auto state and explicit user overrides, but maintainers should accept that upgrade/session-state mutation before merge.

Maintainer options:

1. Accept doctor-first recovery order (recommended)
   Merge with the current doctor-first copy because the observed update failure recovered through doctor and the message still preserves supported Codex re-auth/configure fallbacks.
2. Require a stricter stale-route discriminator
   Hold the PR until runtime/session state can distinguish stale migrated Codex routes from ordinary missing openai-codex auth before selecting doctor-first guidance.

Next step before merge
No automated repair is needed; a maintainer should decide whether the doctor-first recovery order and auto-session-pin cleanup are acceptable for upgrade/auth-provider behavior before merge.

Security
Cleared: The diff touches auth/session routing text and model-selection state only; I found no new dependency, CI, secret-handling, permission, or supply-chain surface.

Review details

Best possible solution:

Land the bounded stale-route cleanup and doctor-first guidance after maintainer acceptance of the auth-provider/session-state recovery order; keep the linked issue open until this PR merges.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main maps No API key found for provider "openai-codex" to generic provider-auth guidance, and the linked issue/PR include live Telegram update evidence showing doctor repaired the stale route state.

Is this the best way to solve the issue?

Yes, with maintainer acceptance. Clearing only auto-created same-model legacy pins while preserving explicit user overrides is a bounded fix, and the doctor-first message keeps a supported re-auth/configure fallback for genuine missing auth.

Label justifications:

• P1: The linked report is an urgent post-update auth/session routing failure that broke a real Telegram agent workflow until doctor repaired it.
• merge-risk: 🚨 auth-provider: The PR changes the recovery path for openai-codex missing-key failures and affects provider/auth guidance.
• merge-risk: 🚨 session-state: The PR intentionally clears persisted auto-created session model route pins during model selection.

What I checked:

• Current main generic openai-codex guidance: Current main parses No API key found for provider "..."; because openai-codex is in SAFE_MISSING_API_KEY_PROVIDERS, it returns the generic provider-auth setup text instead of doctor-first stale-route recovery. (src/auto-reply/reply/agent-runner-execution.ts:537, cf235b209f1e)
• Doctor session repair contract: Current main's doctor repair rewrites modelProvider/providerOverride legacy openai-codex session routes to openai, clears stale runtime pins, and reports that it moved stale sessions to openai/* while preserving auth-profile pins. (src/commands/doctor/shared/codex-route-warnings.ts:2650, cf235b209f1e)
• PR missing-key guidance: The PR head adds a specific provider === "openai-codex" branch that points users to openclaw doctor --fix first, with openclaw models auth login --provider openai-codex and openclaw configure as fallbacks. (src/auto-reply/reply/agent-runner-execution.ts:544, 4eaf34e3f5d7)
• PR stale auto pin clearing: The PR head detects session-sourced auto openai-codex overrides whose model matches the canonical openai primary, clears that stored override, updates the active selection to the primary, and skips reapplying the stale stored override. (src/auto-reply/reply/model-selection.ts:186, 4eaf34e3f5d7)
• Regression coverage added: The PR adds one test for doctor-first missing-key guidance and two model-selection tests covering stale auto-created legacy route clearing and preservation of explicit user openai-codex overrides. (src/auto-reply/reply/model-selection.test.ts:949, 4eaf34e3f5d7)
• History provenance: Blame ties the current missing-key helper, model-selection override handling, and Codex session repair code to commit 26bcc9566549e79e9b3b1cf4b41b7790cd32d718; adjacent history shows earlier missing-key sanitization/hardening work in the same reply path. (src/auto-reply/reply/agent-runner-execution.ts:537, 26bcc9566549)

Likely related people:

• brokemac79: git blame points the current missing-key helper, model-selection override handling, and Codex session repair functions to commit 26bcc9566549e79e9b3b1cf4b41b7790cd32d718. (role: introduced current repair/guidance surface; confidence: high; commits: 26bcc9566549; files: src/auto-reply/reply/agent-runner-execution.ts, src/auto-reply/reply/model-selection.ts, src/commands/doctor/shared/codex-route-warnings.ts)
• Peter Steinberger: Commit 26bcc9566549e79e9b3b1cf4b41b7790cd32d718 was committed by Peter Steinberger, and git shortlog --all shows the highest touch count across the affected auth/reply/session files. (role: recent area contributor and committer; confidence: high; commits: 26bcc9566549, 50a2481652b6; files: src/auto-reply/reply/model-selection.ts, src/auto-reply/reply/agent-runner-execution.ts, src/agents/openai-codex-routing.ts)
• Shakker: git log -G shows Shakker authored the earlier missing-key provider sanitization and hardening changes in the same agent-runner failure-reply path. (role: adjacent owner for missing-key reply safety; confidence: medium; commits: 705d2dd03ecb, 4ad9f166e214; files: src/auto-reply/reply/agent-runner-execution.ts)
• Eva H: Commit 3b139862142d71a1fd56e28fdc0a017ad6a44827 fixed fallback persistence clobbering user /models picks, which is directly adjacent to this PR's user-vs-auto override boundary. (role: adjacent owner for user model override persistence; confidence: medium; commits: 3b139862142d; files: src/auto-reply/reply/model-selection.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against cf235b209f1e.

[pfrederiksen]

Adding the relevant doctor repair output from the affected live install. This makes the root cause clearer: the session was not missing a normal API key; the install had legacy openai-codex/* route state plus missing/disabled Codex runtime/plugin wiring, and doctor repaired both.

Redacted/normalized excerpt:

Doctor changes

Repaired Codex model routes:
- agents.defaults.model.primary: openai-codex/gpt-5.5 -> openai/gpt-5.5
- agents.defaults.model.fallbacks.0: openai-codex/gpt-5.5 -> openai/gpt-5.5
- agents.defaults.models.openai-codex/gpt-5.5: openai-codex/gpt-5.5 -> openai/gpt-5.5
- agents.list.researcher.model: openai-codex/gpt-5.4 -> openai/gpt-5.4
- agents.list.email-agent.model: openai-codex/gpt-5.4 -> openai/gpt-5.4
- agents.list.photo-agent.model: openai-codex/gpt-5.4 -> openai/gpt-5.4
- agents.list.career-agent.model: openai-codex/gpt-5.4 -> openai/gpt-5.4
- agents.list.news-agent.model: openai-codex/gpt-5.4 -> openai/gpt-5.4
- agents.list.innovation-agent.model: openai-codex/gpt-5.4 -> openai/gpt-5.4

Set agents.defaults.models.openai/gpt-5.5.agentRuntime.id to "codex" so repaired OpenAI refs keep Codex auth routing.
Set agents.list.<agent>.models.openai/gpt-5.4.agentRuntime.id to "codex" so repaired OpenAI refs keep Codex auth routing.

Doctor changes

Installed missing configured plugin "codex" from @openclaw/codex.

Doctor changes

codex agent runtime configured, enabled automatically.

This supports the PR behavior: when an agent run surfaces No API key found for provider "openai-codex" in this post-update/migration state, telling the user to configure a provider API key is misleading. The working recovery is openclaw doctor --fix, which repairs the Codex route/plugin/runtime state.

[pfrederiksen]

Addressed the PR review proof gap.

After-patch safe runtime proof from the PR checkout:

$ node --import tsx tmp-proof-stale-codex-message.mjs
⚠️ The session is pointing at a stale OpenAI Codex auth route. Run `openclaw doctor --fix` to repair Codex model/session routes, restart the gateway if doctor asks, then try again.

The proof script imports the patched buildKnownAgentRunFailureReplyPayload from src/auto-reply/reply/agent-runner-execution.ts and feeds it the exact real failure signature:

new Error('No API key found for provider "openai-codex".')

This demonstrates the PR branch now produces the new user-facing recovery text without disturbing the production Telegram session.

Additional validation:

• git diff --check passed locally.
• PR CI currently reports 77 success, 23 skipped, 1 neutral, 1 in progress.
• checks-node-auto-reply-reply-agent-runner passed in CI, covering the added regression test shard.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26074222760
• Updated: 2026-05-19T03:29:19.641Z

[pfrederiksen]

@clawsweeper re-review

[pfrederiksen]

@clawsweeper re-review

Addressed the P2 by preserving doctor-first stale-route guidance and adding the supported openai-codex re-auth/configure fallback. Validation: node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts -t "points stale openai-codex missing-key failures at doctor repair" and git diff --check.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26077762456
• Updated: 2026-05-19T05:25:17.100Z

[pfrederiksen]

@clawsweeper re-review

Expanded this after Paul’s follow-up: the PR now also prevents stale auto-created legacy openai-codex/gpt-* session pins from being reused when the configured primary has migrated to canonical openai/gpt-*, while preserving explicit user openai-codex choices and keeping the doctor-first + re-auth fallback message.

Validation: node scripts/run-vitest.mjs src/auto-reply/reply/model-selection.test.ts -t "legacy openai-codex|explicit user openai-codex", node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts -t "points stale openai-codex missing-key failures at doctor repair", and git diff --check.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26078221627
• Updated: 2026-05-19T05:30:44.460Z

[pfrederiksen]

@clawsweeper re-review

Follow-up after CI: adjusted the new prevention test to match existing auth-profile cleanup semantics when the fixture has no stored profile. Product behavior is unchanged: stale auto-created legacy openai-codex/gpt-* session pins are cleared when primary is canonical openai/gpt-*; explicit user openai-codex choices are preserved.

Validation: full node scripts/run-vitest.mjs src/auto-reply/reply/model-selection.test.ts, focused node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-execution.test.ts -t "points stale openai-codex missing-key failures at doctor repair", and git diff --check.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26078323349
• Updated: 2026-05-19T05:37:51.208Z

[steipete]

Maintainer fixup pushed in e3c8df7. Thanks @pfrederiksen.

Verification:

• Local: git diff --check
• Local: pnpm exec oxfmt --check --threads=1 src/auto-reply/reply/model-selection.ts src/auto-reply/reply/model-selection.test.ts src/auto-reply/reply/agent-runner-execution.ts src/auto-reply/reply/agent-runner-execution.test.ts
• Local: fnm exec --using 24.15.0 node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
• Autoreview: .agents/skills/autoreview/scripts/autoreview --mode local, clean/no accepted actionable findings
• CI: https://github.com/openclaw/openclaw/actions/runs/26542490863

Known proof gap: local Vitest was not used as proof because the laptop runner stayed silent/spun; GitHub CI covered the affected auto-reply shards.