fix(models): show OAuth delegation marker auth status

[rohitjavvadi]

Summary

Fixes #83732.

openclaw models status now reports an OAuth delegation marker from models.json as configured models.json auth instead of missing, while leaving runtime route health and --check behavior tied to the delegated provider's actual usable auth.

Motivation / root cause

Runtime auth treats values such as oauth:openai-codex as delegation markers, but the status overview asked resolveUsableCustomProviderApiKey for a usable key. That helper intentionally filters marker values out because the marker is not itself a credential. The overview then fell through to effective=missing even when models.json clearly contained the delegation marker and the openai-codex route was usable.

Real behavior proof

Behavior addressed: models status no longer shows openai effective=missing when openai.apiKey is oauth:openai-codex.

Real environment tested: local persisted OpenClaw state fixture under /tmp/openclaw-83732-after-vXrPvD with openai.apiKey = "oauth:openai-codex" and a usable openai-codex OAuth profile in auth-profiles.json.

Exact steps or command run after this patch: OPENCLAW_STATE_DIR=/tmp/openclaw-83732-after-vXrPvD/state OPENCLAW_AGENT_DIR=/tmp/openclaw-83732-after-vXrPvD/state/agents/main/agent OPENAI_API_KEY= OPENAI_OAUTH_TOKEN= pnpm --silent openclaw models status --json --check

Evidence after fix: the command exited 0 and reported:

{
  "missingProvidersInUse": [],
  "openaiEffective": {
    "kind": "models.json",
    "detail": "marker(oauth:openai-codex)"
  },
  "runtimeAuthRoutes": [
    {
      "provider": "openai",
      "runtime": "codex",
      "authProvider": "openai-codex",
      "status": "usable"
    }
  ]
}

Observed result after fix: human output includes openai effective=models.json:marker(oauth:openai-codex) and the runtime auth section still shows openai via codex uses openai-codex ... status=usable.

What was not tested: full suite, cross-OS runs, and live provider network calls. This only exercises persisted local status output and the focused command tests.

Regression tests

• Adds an auth-overview unit test for oauth:openai-codex marker display.
• Adds a status-command regression test proving marker display stays separate from runtime route usability: if the delegated openai-codex auth is absent, the marker is still displayed but runtimeAuthRoutes[].status is missing, missingProvidersInUse contains openai, and --check exits 1.

Commands run

• node scripts/run-vitest.mjs src/commands/models/list.auth-overview.test.ts
• node scripts/run-vitest.mjs src/commands/models/list.status.test.ts
• node scripts/run-vitest.mjs src/commands/models/list.auth-overview.test.ts src/commands/models/list.status.test.ts
• git diff --check
• pnpm check:changed
• real fixture command above, plus pnpm --silent openclaw models status for human output

User-visible behavior

Users with delegated OpenAI Codex auth should see the configured marker source in models status instead of a misleading missing effective auth label.

Compatibility and risks

The change is display-only for models status; it does not make an OAuth marker a usable credential and does not change runtime auth routing. The main risk is status wording around delegation markers, covered by tests for both usable and missing delegated auth.

[rohitjavvadi]

@clawsweeper review

Could you review this now? The PR body includes the real behavior proof and the local regression commands. In particular, please check whether the marker display contract is clear: the OAuth delegation marker is shown as configured models.json auth, but runtime route usability and --check still depend on the delegated provider actually being usable.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26389917466
• Updated: 2026-05-25T08:05:29.135Z

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 6:28 AM ET / 10:28 UTC.

Summary
The PR updates models status auth overview so oauth:* provider markers display as configured models.json marker auth and adds regression coverage for marker display versus runtime route usability.

PR surface: Source +3, Tests +90. Total +93 across 3 files.

Reproducibility: yes. by source inspection of current main: an oauth:* custom key appears in modelsJson, but effective falls through to missing when the marker is not a usable credential. I did not run local reproduction commands because this review was required to keep the checkout read-only.

Review metrics: 1 noteworthy metric.

• PR surface: 1 runtime file changed, 2 test files changed. The implementation is limited to auth status display while tests cover both direct overview output and command-level runtime route behavior.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• One broad check run was still in progress at inspection time; required CI should finish before merge.

Maintainer options:

1. Decide the mitigation before merge
   Land the focused display-only fix after required checks complete, keeping runtime route health and --check tied to delegated provider usability.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No automated repair is needed because the branch already contains the narrow code and test changes and review found no blocking findings.

Security
Cleared: No concrete security or supply-chain concern found; the diff changes status display and tests only, with no dependency, workflow, secret-resolution, or credential-routing changes.

Review details

Best possible solution:

Land the focused display-only fix after required checks complete, keeping runtime route health and --check tied to delegated provider usability.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection of current main: an oauth:* custom key appears in modelsJson, but effective falls through to missing when the marker is not a usable credential. I did not run local reproduction commands because this review was required to keep the checkout read-only.

Is this the best way to solve the issue?

Yes, the proposed fix is narrow and maintainable: it changes only status overview display for an existing OAuth marker contract and keeps runtime route usability on the delegated provider's actual auth.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5e944691b7f4.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix command output from a persisted local state fixture showing the marker effective value and unchanged runtime route semantics.

Label justifications:

• P2: This fixes a misleading auth-provider status bug with limited blast radius and no runtime routing change.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body provides after-fix command output from a persisted local state fixture showing the marker effective value and unchanged runtime route semantics.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides after-fix command output from a persisted local state fixture showing the marker effective value and unchanged runtime route semantics.

Evidence reviewed

PR surface:

Source +3, Tests +90. Total +93 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	4	1	+3
Tests	2	91	1	+90
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	95	2	+93

What I checked:

• Repository policy applied: Root AGENTS.md and the relevant scoped src/agents/AGENTS.md were read; the auth/config review guidance applied, and the only maintainer note found was Telegram-specific and not relevant to these files. (AGENTS.md:1, 5e944691b7f4)
• Current main still has the display gap: On current main, resolveProviderAuthOverview uses profiles, env auth, usable custom keys, or synthetic auth before falling through to missing; it does not treat an OAuth marker from models.json as effective display evidence. (src/commands/models/list.auth-overview.ts:151, 5e944691b7f4)
• OAuth markers are existing non-secret marker values: The marker contract already defines oauth: markers and includes them in isNonSecretApiKeyMarker, so displaying marker(oauth:openai-codex) follows the existing marker model rather than exposing a new credential class. (src/agents/model-auth-markers.ts:83, 5e944691b7f4)
• Runtime health remains credential-based: Runtime route status still uses hasUsableProviderAuth and resolveUsableCustomProviderApiKey, so the PR's display change does not make the OAuth marker itself a usable credential. (src/commands/models/list.status-command.ts:521, 5e944691b7f4)
• PR patch is narrow: The head patch changes one runtime display branch and two tests, adding the OAuth marker effective-display case plus a status-command test where the marker displays while route status remains missing. (src/commands/models/list.auth-overview.ts:177, 0e76e5e338b0)
• Linked bug and duplicate search: GitHub search found the linked open bug, this active PR, and an older closed PR for the same issue; no other open canonical fix supersedes this PR.

Likely related people:

• obviyus: Recent path history shows refactor(models): simplify codex auth route handling, directly adjacent to the runtime auth route/status behavior this PR preserves. (role: recent area contributor; confidence: high; commits: 6062f90d8b9a; files: src/commands/models/list.status-command.ts)
• pashpashpash: The OpenAI-through-Codex routing work included model listing/status auth routing changes and is central to why openai can delegate auth to openai-codex. (role: feature history owner; confidence: high; commits: 1c3399010815; files: src/commands/models/list.status-command.ts)
• steipete: Recent history includes OAuth read-through, effective model auth health, and dynamic custom env marker work in the same auth/marker surface. (role: recent auth and marker contributor; confidence: high; commits: e6cd90e3fd9c, d479216d929f, 8894dab3c423; files: src/agents/model-auth.ts, src/agents/model-auth-markers.ts, src/commands/models/list.status-command.ts)
• joshavant: Recent path history shows work on the models auth overview and earlier SecretRef/provider secret persistence that shaped the marker-safe display contract. (role: adjacent auth overview contributor; confidence: medium; commits: f29bcff4dad0, 36d2ae2a2235; files: src/commands/models/list.auth-overview.ts, src/commands/models/list.auth-overview.test.ts, src/agents/model-auth.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sleeps inside passing CI.
Image traits: location flaky test forest; accessory lint brush; palette cobalt, lime, and pearl; mood proud; pose sitting proudly on a smooth stone; shell smooth pearl shell; lighting gentle morning glow; background tiny artifact crates.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Lint Imp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.