fix(doctor): preserve explicit agentRuntime pin during codex model migration [AI-assisted]

[clawsweeper]

Makes #84142 merge-ready for the ClawSweeper automerge loop.
The edit pass should inspect the live PR diff, review comments, and failing checks; rebase if needed; keep the contributor branch credited; and stop only when validation is green or an external blocker is proven.

ClawSweeper 🐠 replacement reef notes:

• Cluster: automerge-openclaw-openclaw-84142
• Source PRs: fix(doctor): preserve explicit agentRuntime pin during codex model migration [AI-assisted] #84142
• Credit: Source PR: fix(doctor): preserve explicit agentRuntime pin during codex model migration [AI-assisted] #84142
• Validation: pnpm check:changed
• Replacement reason: ClawSweeper could not update the source PR branch directly, so it opened a writable replacement PR instead.
• Automerge requested by: @Takhoffman

• Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

Inherited issue-closing references from the source PR:
Closes #84038

Co-author credit kept:

• @nxmxbbd: Co-authored-by: David 32288+nxmxbbd@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 41e5043.

[clawsweeper]

Codex review: passed. Reviewed May 29, 2026, 8:22 AM ET / 12:22 UTC.

Summary
The PR updates Codex doctor route repair to preserve explicit non-default agentRuntime pins across agent model maps and provider policies, adds regression coverage, and tightens a live-gateway test helper type guard.

PR surface: Source +240, Tests +574. Total +814 across 3 files.

Reproducibility: yes. The source path is clear from current main's model-map merge behavior and the PR's before/after terminal proof exercises maybeRepairCodexRoutes with the reported config, though this read-only review did not execute the test suite.

Review metrics: 1 noteworthy metric.

• Runtime-pin carriers: 3 preserved. The patch changes doctor migration semantics for agent model maps, provider-level policy, and provider catalog model policy, which are upgrade-sensitive runtime/auth config carriers.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦀 challenger crab
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] This intentionally changes upgrade-sensitive doctor --fix behavior for persisted runtime/auth routing, so exact-head checks should remain the merge gate even though the patch direction is correct.
• [P1] The proof is focused config-repair/runtime-resolution terminal output and regression tests; this read-only review did not rerun a live OAuth/provider request.

Maintainer options:

1. Land the exact reviewed head (recommended)
   Once required checks stay green, maintainers can accept the compatibility/auth-provider risk because this head preserves explicit non-default runtime pins and covers the known persisted-policy carriers.
2. Ask for a live OAuth smoke first
   If maintainers want stronger runtime proof, pause automerge for a live gateway/OAuth run showing the repaired config still selects the intended non-Codex runtime path.

Next step before merge

• [P2] No repair lane is needed; the exact head has no blocking findings, and the remaining action is normal required-check/automerge gating.

Security
Cleared: The diff changes local config-repair logic and tests only; it does not add dependencies, workflow permissions, network calls, or secret handling.

Review details

Best possible solution:

Land the reviewed exact head once required checks are green so doctor preserves explicit runtime pins during Codex route repair without adding a new config surface.

Do we have a high-confidence way to reproduce the issue?

Yes. The source path is clear from current main's model-map merge behavior and the PR's before/after terminal proof exercises maybeRepairCodexRoutes with the reported config, though this read-only review did not execute the test suite.

Is this the best way to solve the issue?

Yes. Preserving explicit pins at the doctor migration boundary and materializing scoped canonical runtime policy for provider-owned pins is the narrow maintainable fix; no new config option or product decision is needed.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2644f26a3514.

Label changes

Label justifications:

• P1: The PR fixes a real doctor migration regression that can silently change users' runtime and auth-provider path.
• merge-risk: 🚨 compatibility: Merging changes doctor --fix behavior for persisted model/runtime configuration during upgrades.
• merge-risk: 🚨 auth-provider: The preserved agentRuntime pin controls whether repaired OpenAI routes use Codex/native auth or the intended OpenClaw/PI runtime path.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦀 challenger crab and patch quality is 🦞 diamond lobster.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): The linked source proof and related runtime-pin matrix provide before/after terminal output for the doctor repair behavior, and the current PR is labeled proof: sufficient for this exact replacement path.
• proof: sufficient: Contributor real behavior proof is sufficient. The linked source proof and related runtime-pin matrix provide before/after terminal output for the doctor repair behavior, and the current PR is labeled proof: sufficient for this exact replacement path.

Evidence reviewed

PR surface:

Source +240, Tests +574. Total +814 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	252	12	+240
Tests	2	578	4	+574
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	830	16	+814

What I checked:

• Repository policy read: Read the full root AGENTS.md and the scoped gateway AGENTS.md; their config/auth compatibility guidance is relevant to the merge-risk treatment. (AGENTS.md:1)
• Current main still has the overwrite-prone merge: Current main's rewriteModelsMap still merges legacy and canonical records with canonical fields last, which is the source-level path that can drop a legacy explicit runtime pin. (src/commands/doctor/shared/codex-route-warnings.ts:1306, 2644f26a3514)
• PR head preserves pre-repair runtime pins: The PR head derives a target runtime from pinned, legacy, and pre-repair provider/runtime policy and writes a canonical model-scoped policy for provider-owned pins instead of defaulting everything to Codex. (src/commands/doctor/shared/codex-route-warnings.ts:2216, c142ec1ef802)
• Regression coverage covers the important carriers: The PR adds tests for inherited default pins, provider-level pins, provider catalog model pins, listed-agent shielding, and the reported legacy model entry migration case. (src/commands/doctor/shared/codex-route-warnings.test.ts:3153, c142ec1ef802)
• Patch hygiene check: The PR diff against its merge base has no whitespace errors from git diff --check. (c142ec1ef802)
• Proof and review context: The provided GitHub context reports this exact head as mergeable clean with proof: sufficient; the related source PR includes before/after terminal output for the reported doctor repair path, and the previous ClawSweeper review at this SHA passed with no blocking findings. (c142ec1ef802)

Likely related people:

• @steipete: Recent current-main history and blame on the doctor/gateway live-test surfaces show Peter Steinberger carrying adjacent release/live-gate hardening and the existing route-repair code context. (role: recent area contributor; confidence: medium; commits: 0ad43bbf3d45, 5102e0cabeb2; files: src/commands/doctor/shared/codex-route-warnings.ts, src/gateway/gateway-models.profiles.live.test.ts)
• @nxmxbbd: The source PR and branch commits add the initial failing repro and focused fix, and the discussion supplied the provider-level/runtime-pin follow-up cases now present in this replacement branch. (role: source fix author and reproduction owner; confidence: medium; commits: 640dcfb0731b, 8f8bd84091da; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=c142ec1ef802748e759da3a9e103117a11967ac5)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-29T12:22:36Z
Merge commit: 468b971fbad5

What merged:

• The PR updates Codex doctor route repair to preserve explicit non-default agentRuntime pins across agent model maps and provider policies, adds regression coverage, and tightens a live-gateway test helper type guard.
• PR surface: Source +240, Tests +574. Total +814 across 3 files.
• Reproducibility: yes. The source path is clear from current main's model-map merge behavior and the PR's bef ... beRepairCodexRoutes` with the reported config, though this read-only review did not execute the test suite.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(doctor): preserve explicit non-default agentRuntime pin during le…
• PR branch already contained follow-up commit before automerge: fix(clawsweeper): address review for automerge-openclaw-openclaw-8414…

The automerge loop is complete.

Automerge progress:

• 2026-05-29 10:41:17 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 automerge-openclaw-openclaw-84142

• 2026-05-29 10:41:37 UTC validation plan (passed) in 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 pnpm check:changed; node scripts/run-vitest.mjs src/commands/doctor/shared/codex-route-warnings.test.ts; pnpm lint; pnpm check:test-types

• 2026-05-29 10:41:59 UTC Codex write preflight (passed) in 42s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 danger-full-access

• 2026-05-29 10:50:13 UTC Codex edit 1 e5fdb47df469 (complete) in 8m 56s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 exit 0

• 2026-05-29 10:58:24 UTC validation and review 1 c142ec1ef802 (base moved) in 17m 7s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 rebased

• 2026-05-29 10:58:29 UTC repair completed c142ec1ef802 (branch updated) in 17m 12s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 initial automerge rebase is delegated to Codex repair

• 2026-05-29 10:58:29 UTC review queued c142ec1ef802 (after repair)

• 2026-05-29 11:08:32 UTC automerge wait c142ec1ef802 (waiting) in 27m 15s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 waiting for exact-head ClawSweeper review pass

• 2026-05-29 12:15:32 UTC review queued c142ec1ef802 (queued)

• 2026-05-29 11:08:34 UTC repair finished c142ec1ef802 (pushed) in 27m 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26632565603 repair_contributor_branch

• 2026-05-29 12:22:24 UTC review passed c142ec1ef802 (structured ClawSweeper verdict: pass (sha=c142ec1ef802748e759da3a9e103117a11967...)

• 2026-05-29 11:10:27 UTC repair queued c142ec1ef802 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26633913391

• 2026-05-29 11:13:47 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26633913391 automerge-openclaw-openclaw-84142

• 2026-05-29 11:13:51 UTC repair completed c142ec1ef802 (no branch change) in 5s Run: https://github.com/openclaw/clawsweeper/actions/runs/26633913391 no planned fix actions

• 2026-05-29 11:13:51 UTC merge check queued c142ec1ef802 (checks and exact-head review are ready)

• 2026-05-29 12:22:40 UTC merged c142ec1ef802 (merged by ClawSweeper automerge)

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Frosted Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location release reef; accessory proof snapshot camera; palette charcoal, cyan, and signal green; mood proud; pose guarding a tiny green check; shell matte ceramic shell; lighting cool dashboard glow; background delicate sparkle particles.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Frosted Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Takhoffman]

@clawsweeper automerge

[nxmxbbd]

@Takhoffman Heads up: from the visible state, #84362 looks automerge-armed but idle rather than actively repairing/merging.

It still has clawsweeper:automerge / status: 🚀 automerge armed, but the later maintainer automerge comment appears to have been treated as already-enabled/idempotent, and I do not see a newer visible repair worker for #84142/#84362 after the last related worker. The PR still shows P1 and DIRTY.

While checking this, I also found and locally tested a small follow-up for the remaining runtime-pin cases if useful. I’ve kept that patch local and can provide it as a fork branch or patch if helpful. Could you trigger/restart the ClawSweeper review/repair path here, or let me know what route you prefer?

[nxmxbbd]

@Takhoffman This workstream currently looks circular.

This PR (#84362) is the ClawSweeper replacement branch for our earlier PR, but it still appears stuck: it is DIRTY, automerge-armed, and the durable review currently rates it rating: 🧂 unranked krab with a blocking provider-level runtime-pin preservation gap. I also cannot push directly to this upstream bot branch.

#84862 was opened as a clean contributor-controlled path because this PR appeared stuck, not as an unrelated duplicate. ClawSweeper has now closed #84862 as superseded by this PR, which routes the work back into the still-stuck branch.

I re-checked #84862 against current main locally. The actual merge is clean:

$ git fetch --filter=blob:none origin main pull/84862/head:pr84862
$ git checkout -b review-84862 origin/main
$ git merge --no-commit --no-ff pr84862
Auto-merging src/commands/doctor/shared/codex-route-warnings.test.ts
Auto-merging src/commands/doctor/shared/codex-route-warnings.ts
Automatic merge went well; stopped before committing as requested

$ git diff --name-only origin/main --
src/commands/doctor/shared/codex-route-warnings.test.ts
src/commands/doctor/shared/codex-route-warnings.ts

The current-main app-server inline-argument warning/test that #84862 was said to drop is still present in the post-merge snapshot:

src/commands/doctor/shared/codex-route-warnings.ts:2672
  collectCodexAppServerCommandWarnings(...)

src/commands/doctor/shared/codex-route-warnings.ts:2688
  "- Codex app-server command override includes inline arguments."

src/commands/doctor/shared/codex-route-warnings.test.ts:137
  it("warns when Codex app-server command includes inline arguments", ...)

The provider-level/runtime-pin cases missing from this PR's current review are also covered in #84862's post-merge snapshot:

src/commands/doctor/shared/codex-route-warnings.test.ts:3155
  preserves provider-level legacy runtime pins while repairing default legacy refs

src/commands/doctor/shared/codex-route-warnings.test.ts:3203
  preserves legacy provider catalog runtime pins while repairing default legacy refs

src/commands/doctor/shared/codex-route-warnings.test.ts:3253
  preserves legacy provider catalog runtime pins while repairing listed-agent legacy refs

src/commands/doctor/shared/codex-route-warnings.test.ts:3308
  shields listed canonical refs when provider-level legacy default pins migrate

src/commands/doctor/shared/codex-route-warnings.test.ts:3386
  preserves provider-level legacy runtime pins while repairing listed-agent legacy refs

src/commands/doctor/shared/codex-route-warnings.ts:2261
  reason: "so legacy provider runtime pins survive Codex route repair"

Could you choose the intended path here?

Either:

1. reopen/use fix(doctor): preserve runtime pins during codex route repair [AI-assisted] #84862 as the clean contributor path, or
2. have ClawSweeper apply the fix(doctor): preserve runtime pins during codex route repair [AI-assisted] #84862 fix onto this PR and resolve the DIRTY/blocking state.

Happy to provide the local merge-simulation branch/details if useful.