fix(codex/command-account): respect explicit auth order over lastGood (#84386) by openperf · Pull Request #84412 · openclaw/openclaw

openperf · 2026-05-20T03:14:29Z

Summary

Problem: After models auth login --provider openai-codex writes a fresh named OAuth profile and models auth order set puts that fresh profile first, the Codex /codex account display still reports the stale openai-codex:default profile as "active now". The status display silently disagrees with what the runtime resolver actually picks, leading operators to believe their re-login did not take effect and to perform unnecessary manual auth-store edits.
Root Cause: The Codex extension's display helper resolveActiveProfileId in extensions/codex/src/command-account.ts short-circuits to store.lastGood[openai] / store.lastGood[openai-codex] whenever the lastGood profile is still in the order and not in cooldown, ignoring where that profile is ranked. This directly contradicts the core resolver resolveAuthProfileOrder (in src/agents/auth-profiles/order.ts), which explicitly does not let lastGood outrank an explicit operator order ("lastGood is NOT prioritized — that would defeat round-robin"). The two paths drift after a re-login: runtime picks the first explicit-order profile (the fresh one), the display picks lastGood (the stale one).
Fix: Track whether the resolved order originates from an explicit operator source (store.order set via models auth order set, or config.auth.order). When the order is explicit, resolveActiveProfileId returns the first profile in that order that is both not in cooldown (isActiveProfileCandidate) and credential-eligible (resolveAuthProfileEligibility). The lastGood/usage-stat heuristics still apply in the absence of an explicit order, so existing default-order behavior is preserved. This aligns the display path with the runtime resolver's already-correct precedence and contains the change entirely inside the Codex extension, without touching the secops-owned src/agents/auth-profiles/ surface.
What changed:
- extensions/codex/src/command-account.ts: resolveDisplayAuthOrder now returns { order, explicit }; a new hasExplicitOpenAiAuthOrder helper inspects both store.order and config.auth.order (for both openai-codex and the openai alias key); resolveActiveProfileId gains an explicitOrder parameter and an explicit-order-first branch placed after the live-account check and before the legacy lastGood/mostRecent/api-key inference heuristics.
- extensions/codex/src/commands.test.ts: adds a regression test respects explicit Codex auth order over stale lastGood after OAuth re-login that reproduces the post-relogin store shape (order = [fresh, default], lastGood = default, no live Codex session) and asserts the fresh profile is shown as "active now" and that no isolated subscription-usage probe is sent for the stale profile.
What did NOT change (scope boundary):
- No edits to src/agents/auth-profiles/** (CODEOWNERS secops surface). The fix relies on the core resolver's existing already-correct policy rather than mutating lastGood from a different code path.
- No new config keys, no migration, no doctor/repair behavior, no public SDK surface change.
- resolveAuthProfileOrder semantics and the runtime auth-profile selection (extensions/codex/src/app-server/auth-bridge.ts resolveCodexAppServerAuthProfileId) are unchanged.
- Default-order behavior (no explicit store.order / config.auth.order entry for openai-codex or openai) is unchanged: lastGood, mostRecent, and API-key inference still apply.
- No changes to provider IDs, profile shapes, eligibility logic, cooldown handling, or label/format strings.

Reproduction

Start with an existing openai-codex:default OAuth profile near expiry.
Run openclaw models auth login --provider openai-codex and complete OAuth; the login writes a new named profile, e.g. openai-codex:<email>.
Run openclaw models auth order set --provider openai-codex --agent main openai-codex:<email> openai-codex:default.
Without restarting the Codex app-server, run openclaw /codex account.

Before the fix, the auth-order table shows openai-codex:default as "active now" and the fresh openai-codex:<email> profile as merely "available if needed", even though the runtime resolver already prefers the fresh profile.

After the fix, the fresh openai-codex:<email> profile is shown as "active now" and the stale openai-codex:default profile is shown as "available if needed", matching the runtime resolver.

Risk / Mitigation

Risk: Changing the display selection could mask a profile that is currently working but transiently misordered, or hide useful failover signal.
Mitigation: The explicit-order branch is strictly narrower than the prior lastGood short-circuit:
- It only activates when an explicit operator order exists (store.order or config.auth.order). The default round-robin path still consults lastGood/mostRecent/api-key inference.
- Within the explicit-order branch, the candidate must pass both isActiveProfileCandidate (not in cooldown / unusable) and resolveAuthProfileEligibility (credential present, mode and provider compatible). Ineligible or cooldowned explicit-order entries are skipped and the loop falls through to the legacy heuristics, preserving existing failover behavior. The existing test does not report a blocked last-good subscription as active continues to pass, demonstrating the fall-through path is intact.
- The runtime selection path (resolveCodexAppServerAuthProfileId -> resolveAuthProfileOrder()[0]) is untouched, so this PR cannot change which profile a real model run uses; it only stops the status command from disagreeing with that selection.
- Full Codex extension test file (extensions/codex/src/commands.test.ts, 89 tests) passes locally, including the four pre-existing order/lastGood interaction tests. src/agents/auth-profiles/{order,profiles,display}.test.ts and the format / lint / tsgo:extensions / tsgo:extensions:test gates are clean.

Change Type (select all)

Bug fix

Scope (select all touched areas)

Codex extension (extensions/codex/)
Auth / provider routing (display path only; runtime path unchanged)

Linked Issue/PR

Fixes #84386

…openclaw#84386)

clawsweeper · 2026-05-20T03:15:53Z

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

ClawSweeper keeps one durable marker-backed review comment per issue or PR.
Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
Maintainers can also comment @clawsweeper review to request a fresh review only.
Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch makes Codex /codex account display respect explicit OpenAI/Codex auth order over stale lastGood, adds command regression tests for direct order, OpenAI alias order, and all-ineligible explicit-order cases, and updates the changelog.

Reproducibility: yes. Current main checks lastGood before the resolver fallback in the Codex account display path, so the linked store shape with explicit order [fresh, default] and stale lastGood=default reproduces the mismatch by source inspection.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Targeted auth-status fix with focused regression coverage and no blocking source-level findings, pending ordinary maintainer validation.

Rank-up moves:

Confirm focused Codex command/auth-profile tests and CI on the latest PR head before merge.

What the crustacean ranks mean

🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a MEMBER-authored PR with the protected maintainer label, so the external contributor real-behavior proof gate does not apply.

Risk before merge

The PR changes auth-provider status display precedence for explicit OpenAI/Codex orders; if an alias, cooldown, or all-ineligible edge is wrong, /codex account could still mislead operators about the active credential.
The latest PR head still had queued checks at inspection time, and this read-only review did not execute focused Codex command/auth-profile tests.

Maintainer options:

Verify and land display alignment (recommended)
Confirm the focused Codex command/auth-profile tests and PR-head CI on the latest force-pushed head, then merge if the auth display still matches resolver behavior.
Pause for broader auth policy
If maintainers want to change runtime lastGood mutation or global resolver semantics instead of display alignment, pause this PR and move that broader policy choice back to the linked bug.

Next step before merge
No automated repair is indicated; this protected auth-provider PR needs maintainer review and latest-head validation rather than a replacement fix.

Security
Cleared: The diff is limited to Codex auth-status display logic, tests, and changelog text, with no new dependency, workflow, install, secret-storage, or code-execution surface.

Review details

Best possible solution:

Land the display-only Codex fix after maintainer review and focused PR-head auth/Codex validation confirm explicit-order, alias-order, cooldown, and all-ineligible behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main checks lastGood before the resolver fallback in the Codex account display path, so the linked store shape with explicit order [fresh, default] and stale lastGood=default reproduces the mismatch by source inspection.

Is this the best way to solve the issue?

Yes. Keeping the change inside Codex display logic and filtering explicit-order candidates through existing eligibility and cooldown helpers is the narrow maintainable fix without changing runtime resolver semantics.

Label justifications:

P1: The PR addresses a current Codex auth-status regression that can make operators believe a successful relogin and explicit auth-order change did not take effect.
merge-risk: 🚨 auth-provider: The diff changes how Codex reports the active OpenAI/Codex credential, so an edge-case mistake could mislead auth-provider operations even though runtime routing is intended to remain unchanged.
rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Targeted auth-status fix with focused regression coverage and no blocking source-level findings, pending ordinary maintainer validation.
status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a MEMBER-authored PR with the protected maintainer label, so the external contributor real-behavior proof gate does not apply.

What I checked:

Live PR state: GitHub API reports this PR open, unmerged, mergeable, authored by a MEMBER, and labeled maintainer, so cleanup auto-close is not appropriate. (d30830c3505d)
Current-main display mismatch: Current main resolves the /codex account display order, then checks lastGood before falling back to the resolver order, so an explicit order containing a stale lastGood profile can be displayed as active. (extensions/codex/src/command-account.ts:178, 110042d840bb)
Runtime resolver contract: The core resolver handles explicit auth order before round-robin behavior and documents that lastGood is not prioritized, which supports the PR's display-alignment approach. (src/agents/auth-profiles/order.ts:312, 110042d840bb)
PR implementation shape: The diff adds an explicit-order flag to Codex account display and selects the first explicit-order profile that is active and credential-eligible before legacy lastGood and usage heuristics. (extensions/codex/src/command-account.ts:201, d30830c3505d)
Regression coverage in PR: The diff adds focused Codex command tests for stale lastGood after OAuth relogin, OpenAI alias explicit order, and all-expired explicit-order credentials showing no active profile. (extensions/codex/src/commands.test.ts:1327, d30830c3505d)
Existing auth-order docs: The credential semantics docs say explicit auth order limits which profiles are probed for a provider, matching the policy that omitted or ineligible profiles should not silently become active. Public docs: docs/auth-credential-semantics.md. (docs/auth-credential-semantics.md:77, 110042d840bb)

Likely related people:

steipete: GitHub path history shows several recent Codex account/auth-order commits, including fix(codex): preserve codex auth order, fix(codex): prefer direct codex auth order, and related account display work. (role: recent area contributor; confidence: high; commits: 3f05165c47d7, 95cee42b5b2c, 10c43aefd8f2; files: extensions/codex/src/command-account.ts, src/agents/auth-profiles/order.ts)
pashpashpash: GitHub path history shows adjacent Codex account display and auth-profile work, including account fallback display changes and the core friendly OpenAI order support for Codex profiles. (role: adjacent Codex account/auth contributor; confidence: medium; commits: e31082482844, 1877c600ea8c, 7f5a10e0e49a; files: extensions/codex/src/command-account.ts, src/agents/auth-profiles/order.ts)
vincentkoc: History on src/agents/auth-profiles/order.ts includes explicit-profile-order cooldown handling, and app-server history includes Codex auth-order routing work. (role: adjacent auth resolver contributor; confidence: medium; commits: f1d5c1a31f3e, eb1a0aa574b5, 74e7b8d47b18; files: src/agents/auth-profiles/order.ts, extensions/codex/src/app-server/auth-bridge.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 110042d840bb.

clawsweeper · 2026-05-20T03:21:17Z

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Gilded Test Hopper

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

Merged PRs are hatchable.
Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: watches the merge queue.
Image traits: location review cove; accessory proof snapshot camera; palette violet, aqua, and starlight; mood proud; pose sitting proudly on a smooth stone; shell woven fiber shell; lighting calm overcast light; background soft code-shaped tiles.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Gilded Test Hopper in ClawSweeper.

What is this egg doing here?

Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

…cit-order paths

… all explicit-order profiles are ineligible

openperf · 2026-05-20T12:02:46Z

Landed as 5d77512.

…026.5.20) (#615) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.19` → `2026.5.20` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/567) for more information. --- ### Release Notes <details> <summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary> ### [`v2026.5.20`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026520) [Compare Source](openclaw/openclaw@v2026.5.19...v2026.5.20) ##### Changes - Exec approvals: remove the old `cat SKILL.md && printf ... && <skill-wrapper>` allowlist compatibility path so skill files must be loaded with the read tool and only the real skill executable is auto-allowed. - Discord: let voice sessions follow configured Discord users into voice channels, with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation. ([#84264](openclaw/openclaw#84264)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Discord/voice: include bounded `IDENTITY.md`, `USER.md`, and `SOUL.md` profile context in realtime voice session instructions by default, with `voice.realtime.bootstrapContextFiles: []` available to disable it. ([#84499](openclaw/openclaw#84499)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Dependencies: bump the bundled Codex harness to `@openai/codex` `0.132.0` and refresh the app-server model-list docs for the new catalog. - CLI/policy: add the bundled Policy plugin for policy-backed channel conformance checks, doctor lint findings, and opt-in workspace repair. ([#80407](openclaw/openclaw#80407)) Thanks [@giodl73-repo](https://github.com/giodl73-repo). - Agents/config: allow `agents.list[].experimental.localModelLean` so lean local-model mode can be enabled for one configured agent instead of globally. - Providers/xAI: add device-code OAuth login so remote and headless setups can authorize xAI without a localhost browser callback. ([#84005](openclaw/openclaw#84005)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Providers/OpenRouter: honor provider-level `params.provider` routing policy for OpenRouter requests, with model and agent params overriding the defaults. Thanks [@amknight](https://github.com/amknight). ##### Fixes - CLI/tasks: include stale-running task maintenance decisions in `openclaw tasks maintenance --json` so retained and reconcile candidates explain backing-session, cron, CLI, and wedged-subagent state. ([#84691](openclaw/openclaw#84691)) Thanks [@efpiva](https://github.com/efpiva). - Codex app-server: keep system-prompt reports working when bootstrap hooks provide workspace files with only a path and content, so hook-supplied SOUL/IDENTITY/TOOLS/USER context still reports injected characters correctly. ([#84736](openclaw/openclaw#84736)) Thanks [@JARVIS-Glasses](https://github.com/JARVIS-Glasses). - Providers/MiniMax music: stop advertising `durationSeconds` control and remove prompt-injected duration hints, so `music_generate` reports MiniMax duration as an unsupported override instead of suggesting MiniMax can enforce track length. Fixes [#84508](openclaw/openclaw#84508). Thanks [@neeravmakwana](https://github.com/neeravmakwana). - Doctor: warn when sandbox tool policy hides configured MCP server tools before provider requests. ([#84699](openclaw/openclaw#84699)) Thanks [@nxmxbbd](https://github.com/nxmxbbd). - WhatsApp: update Baileys to `7.0.0-rc12`. - Build: suppress per-locale `rolldown-plugin-dts:fake-js` CommonJS dts warnings emitted while bundling the intentionally-inlined `zod/v4/locales/*.d.cts` files, so `pnpm build` output stays readable after the 0.25.1 plugin bump. Thanks [@romneyda](https://github.com/romneyda). - CLI/nodes: route lazy plugin-registration logs to stderr for JSON-mode `openclaw nodes` commands so stdout stays parseable. ([#84684](openclaw/openclaw#84684)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle). - Approvals: route manual `/approve` decisions through the trusted approval runtime so active exec and plugin approvals no longer look unknown or expired. - Mac app: update the About settings copyright year to 2026. ([#84385](openclaw/openclaw#84385)) Thanks [@pejmanjohn](https://github.com/pejmanjohn). - Dependencies: update `@openclaw/fs-safe` to `0.2.7` so OpenClaw's default Python-helper-off policy keeps best-effort Node write fallbacks for private stores, secret writes, run logs, and media attachments on Linux/macOS. - Infra/secrets: restore the fail-closed contract for `tryReadSecretFileSync` so credential loaders that pass `rejectSymlink: true` (Telegram, LINE, Zalo, IRC, Nextcloud Talk tokens) refuse symlinked credential files instead of silently accepting them, and the infra-state CI shard's secret-file symlink test passes again. Thanks [@romneyda](https://github.com/romneyda). - Browser: honor the configured image sanitization limit for screenshots and labeled snapshots so browser-captured images follow the same resize policy as other image results. ([#84595](openclaw/openclaw#84595)) - Doctor: remove unrecognized `models.providers.*.models[*].compat.thinkingFormat` values during `doctor --fix` so stale provider model config can validate after upgrade. Fixes [#77803](openclaw/openclaw#77803). - Doctor: warn when `openclaw.json` stores plaintext secret-bearing config fields, including model provider API keys and sensitive provider headers. ([#84718](openclaw/openclaw#84718)) Thanks [@lukaIvanic](https://github.com/lukaIvanic). - Status: show the configured default, session-selected model, reason, clear hint, and docs link when a session remains pinned to a model that differs from `agents.defaults.model.primary`. - WebChat: clear stale typing indicators when session change events mark the active chat run complete. - Mac app: keep local packaging signed with a stable app identity for permission testing and fix Control UI production builds under current Vite/Highlight.js exports. - macOS app: update the embedded Peekaboo bridge to 3.2.1 so OpenClaw-hosted UI automation works with current Peekaboo CLI capture flows. - Cron: deliver preferred final assistant output for successful scheduled runs when trailing plain tool warnings remain in diagnostics instead of marking the run failed. - fix(mattermost): fail closed on missing channel type \[AI]. ([#84091](openclaw/openclaw#84091)) Thanks [@pgondhi987](https://github.com/pgondhi987). - Recheck rebuilt system.run argv \[AI]. ([#84090](openclaw/openclaw#84090)) Thanks [@pgondhi987](https://github.com/pgondhi987). - CLI: keep the private QA subcommand out of exported command descriptors unless `OPENCLAW_ENABLE_PRIVATE_QA_CLI=1`, so root help and subcommand markers match runtime registration. ([#84519](openclaw/openclaw#84519)) - CLI/cron: bound `openclaw cron show` job lookup pagination so non-advancing or unbounded `cron.list` responses fail instead of hanging the command. Fixes [#83856](openclaw/openclaw#83856). ([#83989](openclaw/openclaw#83989)) - Agents/messages: stop message-tool-only turns after a successful source-channel `message` send while keeping transcript mirrors under the session write lock. ([#84289](openclaw/openclaw#84289)) - Agents: filter silent heartbeat response-tool transcript artifacts out of embedded context snapshots so later user turns are not polluted by heartbeat no-op messages. ([#83477](openclaw/openclaw#83477)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Agents/OpenAI: log repeated strict tool-schema downgrade diagnostics once per provider/model/tool signature, reducing duplicate debug noise while preserving `strict=false` fallback behavior. Fixes [#82930](openclaw/openclaw#82930). ([#82933](openclaw/openclaw#82933)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/code mode: spell out the `exec` tool's JavaScript/TypeScript, no Node module, and catalog-bridge constraints in model-visible schema text so agents can use enabled tools without trial-and-error. ([#84269](openclaw/openclaw#84269)) Thanks [@Kaspre](https://github.com/Kaspre). - Codex: give `image_generate` dynamic-tool calls a 120s default watchdog when no per-call or configured image timeout is set, so image generation no longer falls back to the generic 30s bridge timeout. ([#84254](openclaw/openclaw#84254)) Thanks [@moritzmmayerhofer](https://github.com/moritzmmayerhofer). - Codex: avoid duplicate dynamic tool terminal diagnostics while large diagnostic backlogs drain without blocking tool responses. ([#82937](openclaw/openclaw#82937)) Thanks [@galiniliev](https://github.com/galiniliev). - CLI/message: include a stable top-level `messageId` in `openclaw message --json` output when channel sends return one. ([#84191](openclaw/openclaw#84191)) Thanks [@100menotu001](https://github.com/100menotu001). - Cron: preserve legacy top-level array `jobs.json` stores when loading or adding scheduled jobs so old cron jobs are no longer treated as an empty store during upgrade. Fixes [#60799](openclaw/openclaw#60799). ([#84433](openclaw/openclaw#84433)) Thanks [@IWhatsskill](https://github.com/IWhatsskill). - Gateway/agents: use an agent's `identity.name` in Gateway agent summaries when `agents.list[].name` is unset, so configured agent labels remain visible in clients. ([#84355](openclaw/openclaw#84355); refs [#57835](openclaw/openclaw#57835)) Thanks [@luoyanglang](https://github.com/luoyanglang). - Channels/replies: keep normal `/verbose` failed-tool progress compact in message-tool replies and prevent late text-only tool output from appearing after the final answer. ([#84303](openclaw/openclaw#84303)) Thanks [@VACInc](https://github.com/VACInc). - Plugins/hooks: apply a default 30-second timeout to `before_compaction` and `after_compaction` hooks so a hung plugin handler no longer blocks compaction completion. ([#84153](openclaw/openclaw#84153)) - Discord: preserve disabled presentation buttons when adapting and rendering Discord message controls. ([#84188](openclaw/openclaw#84188)) Thanks [@100menotu001](https://github.com/100menotu001). - Twitch: add a test-only client-manager registry reset helper so non-isolated Twitch tests can clear cached managers between cases. Fixes [#83887](openclaw/openclaw#83887). ([#84244](openclaw/openclaw#84244)) Thanks [@hclsys](https://github.com/hclsys). - Cron: run main-session scheduled work on a cron-owned wake lane while preserving reply delivery context, so background cron turns no longer block human main-session chat. Fixes [#82766](openclaw/openclaw#82766). ([#82767](openclaw/openclaw#82767)) Thanks [@galiniliev](https://github.com/galiniliev). - Cron: use structured embedded-run denial metadata for isolated scheduled tasks so blocked exec requests fail the job without treating ordinary assistant prose as a denial. ([#84067](openclaw/openclaw#84067)) Thanks [@abnershang](https://github.com/abnershang). - Cron: keep recovered tool warnings diagnostic for successful scheduled runs so final cron output is delivered instead of being replaced by a post-processing warning. ([#84045](openclaw/openclaw#84045)) Thanks [@abnershang](https://github.com/abnershang). - Plugins/perf: thread explicit plugin discovery results through `loadBundledCapabilityRuntimeRegistry`, `resolveBundledPluginSources`, and `listChannelCatalogEntries` so callers that already hold a discovery result skip redundant filesystem walks. Thanks [@SebTardif](https://github.com/SebTardif). - harden update restart script creation \[AI]. ([#84088](openclaw/openclaw#84088)) Thanks [@pgondhi987](https://github.com/pgondhi987). - Docker: keep the bundled Codex plugin in official release image keep lists so the default OpenAI agent harness remains available after Docker pruning. Fixes [#83613](openclaw/openclaw#83613). ([#83626](openclaw/openclaw#83626)) Thanks [@YuanHanzhong](https://github.com/YuanHanzhong). - CLI/channels: preserve the first line of `openclaw channels logs` output when the rolling tail window starts exactly on a line boundary, mirroring the already-fixed `readLogSlice` behavior in `src/logging/log-tail.ts`. - Control UI: treat terminal session status as authoritative over stale active-run flags so completed terminal runs stop showing abort/live UI. ([#84057](openclaw/openclaw#84057)) - CLI: preserve embedded equals signs in inline root option values instead of truncating after the second separator. ([#83995](openclaw/openclaw#83995)) Thanks [@ThiagoCAltoe](https://github.com/ThiagoCAltoe). - Matrix/config: accept `messages.queue.byChannel.matrix` queue overrides and keep queue provider schema/type keys aligned for Matrix, Google Chat, and Mattermost. Thanks [@bdjben](https://github.com/bdjben). - CLI: format `openclaw acp client` failures through the shared error formatter so object-shaped errors stay readable instead of printing `[object Object]`. Fixes [#83904](openclaw/openclaw#83904). ([#84080](openclaw/openclaw#84080)) - Providers/Ollama: default unknown-capabilities models to tool-capable so discovered native Ollama models can use tools when `/api/show` omits capabilities. ([#84055](openclaw/openclaw#84055)) Thanks [@dutifulbob](https://github.com/dutifulbob). - Installer/Windows: launch `install.ps1` onboarding as an attached child process so fresh native Windows installs do not freeze visibly at `Starting setup...` or corrupt the wizard's terminal rendering. - CLI/update: keep restart health checks working across one-version CLI/Gateway protocol skew and use the managed Gateway service Node for all follow-up commands even when the package root is unchanged, so `openclaw update` no longer silently switches the gateway to a different Node binary when multiple Node installations are present. Thanks [@amknight](https://github.com/amknight). - CLI/gateway: include the running Gateway version in `gateway status` JSON output, preserving existing server metadata while falling back to status RPC data for read probes. Fixes [#56222](openclaw/openclaw#56222). Thanks [@galiniliev](https://github.com/galiniliev). - Memory/search: close local embedding providers when active-memory searches time out so pending local model loads and embedding contexts are aborted and released. ([#83858](openclaw/openclaw#83858)) Thanks [@brokemac79](https://github.com/brokemac79). - CLI/nodes: request pending node surface approval scopes before `openclaw nodes approve` so exec-capable node approval can use admin-scoped Gateway credentials instead of failing with `missing scope: operator.admin`. ([#84392](openclaw/openclaw#84392)) Thanks [@joshavant](https://github.com/joshavant). - Gateway: reject slow node event sends before outbound buffers grow unbounded and log the rejected payload diagnostic. ([#84387](openclaw/openclaw#84387)) Thanks [@samzong](https://github.com/samzong). - Agents: include bounded trajectory queued-writer diagnostics in `pi-trajectory-flush` timeout warnings so flush stalls show pending writes, queued bytes, and append state. Fixes [#82961](openclaw/openclaw#82961). ([#82962](openclaw/openclaw#82962)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/subagents: recover stale completion announces by retrying unsupported transcript-wait wakes without transcript waiting and forcing a message-tool handoff when the requester run is already stale. Fixes [#83699](openclaw/openclaw#83699). ([#83700](openclaw/openclaw#83700)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/subagents: constrain wildcard subagent target allowlists to configured agents while preserving explicitly listed compatibility targets. Fixes [#84040](openclaw/openclaw#84040). ([#84357](openclaw/openclaw#84357)) Thanks [@joshavant](https://github.com/joshavant). - Providers/Anthropic: route Anthropic model refs selected with Claude CLI auth through the Claude CLI runtime so shorthand refs such as `anthropic/opus-4.7` no longer fall back to embedded Anthropic billing. Fixes [#84222](openclaw/openclaw#84222). ([#84374](openclaw/openclaw#84374)) Thanks [@joshavant](https://github.com/joshavant). - Agents: honor explicit `models.providers.<id>.timeoutSeconds` values above the default idle watchdog for cloud and self-hosted providers, so long first-token waits no longer fall back at \~120s when the provider timeout is higher. ([#83979](openclaw/openclaw#83979)) Thanks [@yujiawei](https://github.com/yujiawei). - Agents/Codex: keep encrypted Responses reasoning replay provenance-bound so stale mirrored Codex transcripts drop invalid encrypted content before request assembly while preserving matching same-session replay. Fixes [#83836](openclaw/openclaw#83836). ([#84367](openclaw/openclaw#84367)) Thanks [@joshavant](https://github.com/joshavant). - Agents/subagents: skip stale embedded-run wake probes for dormant completion requesters, so late subagent completions go straight to requester-agent/direct handoff instead of producing `reason=no_active_run` queue noise. ([#82964](openclaw/openclaw#82964)) Thanks [@galiniliev](https://github.com/galiniliev). - CLI: retry config snapshot reads after a transient failure so one rejected read no longer poisons later commands in the same process. ([#83931](openclaw/openclaw#83931)) Thanks [@honor2030](https://github.com/honor2030). - Media: decode URL path basenames before using them as remote media fallback filenames, so files like `My%20Report.pdf` are surfaced as `My Report.pdf`. Fixes [#84050](openclaw/openclaw#84050). ([#84052](openclaw/openclaw#84052)) Thanks [@jbetala7](https://github.com/jbetala7). - WhatsApp: clarify inbound group diagnostics so observed but unregistered groups point to `channels.whatsapp.groups` without changing routing or sender authorization. ([#83846](openclaw/openclaw#83846)) Thanks [@neeravmakwana](https://github.com/neeravmakwana). - WhatsApp: drain pending outbound deliveries on a 30s periodic timer in addition to the reconnect handler, so messages enqueued while the provider is already connected no longer wait for the next reconnect to send. ([#79083](openclaw/openclaw#79083)) Thanks [@Oviemudiaga](https://github.com/Oviemudiaga). - CLI/TUI: include gateway plugin slash commands in TUI autocomplete, so connected sessions can suggest plugin-owned commands exposed by the running Gateway. ([#83640](openclaw/openclaw#83640)) Thanks [@se7en-agent](https://github.com/se7en-agent). - Gateway/mobile: restore QR setup-code handoff of bounded operator tokens for iOS and Android onboarding while keeping admin and pairing scopes out of bootstrap. ([#83684](openclaw/openclaw#83684)) Thanks [@ngutman](https://github.com/ngutman). - iOS: repair Release archive compilation for the TestFlight build. ([#84255](openclaw/openclaw#84255)) Thanks [@ngutman](https://github.com/ngutman). - Agents/compaction: bound plugin-owned CLI transcript compaction with the host safety timeout so a hung context engine can no longer stall post-turn cleanup. ([#84083](openclaw/openclaw#84083)) Thanks [@100yenadmin](https://github.com/100yenadmin). - Control UI/usage: truncate long context skill, tool, and file names in the usage panel while keeping the full name available on hover. ([#42197](openclaw/openclaw#42197)) Thanks [@Rain120](https://github.com/Rain120). - Codex: respect explicit `models auth order set` and `config.auth.order` precedence over stale `lastGood` in `/codex account`, and show `no working credential` when every explicit-order profile is ineligible instead of marking a lower-ranked profile as active. Fixes [#84386](openclaw/openclaw#84386). ([#84412](openclaw/openclaw#84412)) Thanks [@openperf](https://github.com/openperf). - Agents: honor `messages.suppressToolErrors` for mutating tool failures so configured chat surfaces do not receive separate warning payloads. ([#81561](openclaw/openclaw#81561)) Thanks [@moeedahmed](https://github.com/moeedahmed). - Agents/fallback: surface billing guidance for mixed rate-limit plus billing fallback exhaustion instead of generic failure copy. Fixes [#79396](openclaw/openclaw#79396). ([#79489](openclaw/openclaw#79489)) Thanks [@aayushprsingh](https://github.com/aayushprsingh). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/615

…openclaw#84412) Fixes openclaw#84386. resolveActiveProfileId in extensions/codex/src/command-account.ts returned store.lastGood whenever that profile was still in the resolved order, ignoring rank, so /codex account marked the stale openai-codex:default profile as active after models auth login + models auth order set. Tracks whether the order came from an explicit operator source (store.order / config.auth.order, including the openai alias key), picks the first usable explicit-order profile, and returns undefined when no candidate is eligible so the display surfaces "no working credential" instead of marking a lower-ranked profile active. Runtime selection via resolveCodexAppServerAuthProfileId is unchanged.

fix(codex/command-account): respect explicit auth order over lastGood (…

5bcec86

…openclaw#84386)

openclaw-barnacle Bot added extensions: codex size: S maintainer Maintainer-authored PR labels May 20, 2026

clawsweeper Bot mentioned this pull request May 20, 2026

Fix stale Codex lastGood after explicit auth order relogin #84403

Closed

openperf added 2 commits May 20, 2026 15:44

fix(codex/command-account): cover openai-alias + all-ineligible expli…

88b87f6

…cit-order paths

chore(changelog): move openclaw#84412 entry to end of Fixes section

5837187

openclaw-barnacle Bot added size: M and removed size: S labels May 20, 2026

fix(codex/command-account): return undefined instead of order[0] when…

3dbfa66

… all explicit-order profiles are ineligible

openperf added a commit to openperf/moltbot that referenced this pull request May 20, 2026

docs(changelog): update openclaw#84412 entry to reflect final behavior

c262fac

docs(changelog): update openclaw#84412 entry to reflect final behavior

d30830c

openperf force-pushed the fix/codex-display-explicit-auth-order-84386 branch from c262fac to d30830c Compare May 20, 2026 09:34

openperf merged commit 5d77512 into openclaw:main May 20, 2026
92 checks passed

luoyanglang mentioned this pull request May 20, 2026

fix(codex): respect explicit auth order before stale lastGood #84543

Closed

github-actions Bot mentioned this pull request May 20, 2026

📡 Upstream Digest — 2026-05-20 14:40 UTC curtismercier/openclaw-mods#903

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(codex/command-account): respect explicit auth order over lastGood (#84386)#84412

fix(codex/command-account): respect explicit auth order over lastGood (#84386)#84412
openperf merged 5 commits into
openclaw:mainfrom
openperf:fix/codex-display-explicit-auth-order-84386

openperf commented May 20, 2026

Uh oh!

clawsweeper Bot commented May 20, 2026 •

edited

Loading

Uh oh!

clawsweeper Bot commented May 20, 2026 •

edited

Loading

Uh oh!

Uh oh!

openperf commented May 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

openperf commented May 20, 2026

Summary

Reproduction

Risk / Mitigation

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

Uh oh!

clawsweeper Bot commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

clawsweeper Bot commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Hatch command

Uh oh!

Uh oh!

openperf commented May 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

clawsweeper Bot commented May 20, 2026 •

edited

Loading

clawsweeper Bot commented May 20, 2026 •

edited

Loading