fix(agents): preserve Codex auth for compaction fallback

[steipete]

Summary

Fixes #86820.

OpenAI compaction now preserves the selected Codex runtime route when the session actually ran under the Codex harness. Codex OAuth sessions load compaction models through openai-codex instead of falling back to direct openai API-key auth.

The fix is selected-runtime scoped. Direct OpenAI API-key sessions, OpenClaw-pinned sessions, implicit-only Codex defaults, and custom OpenAI-compatible base URLs stay on their direct OpenAI path. Explicit model/provider runtime policy is honored when no concrete session pin exists, sandbox-scoped policy keys are used for preflight compaction, and the selected harness plugin is cold-loaded before routed model/context lookup.

Delegated context-engine compaction now carries agentHarnessId back into the runtime bridge so timeout/overflow recovery keeps the same selected harness.

Verification

• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/compact.hooks.test.ts src/agents/harness/selection.test.ts src/agents/harness/runtime-plugin.test.ts
• pnpm tsgo:prod
• pnpm check:test-types
• pnpm lint --threads=8
• git diff --check origin/main...HEAD
• git diff --check
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Real behavior proof

Behavior addressed: Codex OAuth-backed OpenAI compaction no longer drops the selected Codex runtime route or asks for direct OpenAI API-key auth during manual, queued, delegated timeout, or delegated overflow compaction.

Real environment tested: Local source checkout with focused regression tests, production/test type checks, lint, whitespace checks, and Codex autoreview; no live Codex OAuth account flow was executed from this checkout.

Exact steps or command run after this patch: focused Vitest command above; pnpm tsgo:prod; pnpm check:test-types; pnpm lint --threads=8; git diff --check origin/main...HEAD; git diff --check; branch autoreview command above.

Evidence after fix: Regression tests cover selected Codex runtime routing through openai-codex, OpenClaw/direct OpenAI preservation when Codex was only implicit, explicit runtime policy without a persisted pin, concrete session pin preservation, sandbox/runtime-policy key handling, custom OpenAI-compatible base URL preservation, queued context-engine runtime context, selected native harness compaction, and delegated runtime context carrying agentHarnessId.

Observed result after fix: Focused Vitest passed 6 files and 236 tests; production and test type checks exited cleanly; oxlint exited cleanly; whitespace checks exited cleanly; branch autoreview reported no accepted/actionable findings.

What was not tested: A live installed OpenClaw gateway with real Codex OAuth compaction and no OPENAI_API_KEY.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 29, 2026, 8:24 PM ET / 00:24 UTC.

Summary
Threads the selected Codex/native harness runtime through direct, queued, and delegated compaction so OpenAI compaction can route through openai-codex OAuth while preserving direct OpenAI, custom-base, and OpenClaw-pinned paths.

PR surface: Source +163, Tests +604. Total +767 across 15 files.

Reproducibility: yes. for source-level reproduction: the linked issue gives concrete release steps, and current main still resolves compaction routing through the OpenClaw/direct OpenAI path in the implicated helper. I did not run a live Codex OAuth gateway flow in this read-only review.

Review metrics: 2 noteworthy metrics.

• Runtime context fields: 1 added (agentHarnessId). Context-engine compaction can now observe the selected harness, which is relevant to plugin/runtime compatibility before merge.
• Context provider resolver inputs: 1 helper signature changed (config added). The resolver now uses config to keep custom OpenAI-compatible endpoints off the Codex context path.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted live proof from an installed gateway or Crabbox/Testbox run showing Codex OAuth compaction succeeds with no OPENAI_API_KEY.
• Include the command or transcript/log excerpt used for the direct OpenAI or custom-base preservation check, with private endpoints and credentials redacted.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body includes extensive tests and checks but explicitly says no live Codex OAuth account flow was executed, so contributor action is still needed unless a maintainer overrides the proof gate. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] No live installed OpenClaw/Codex OAuth proof is present; the PR body explicitly says the real OAuth account flow with no OPENAI_API_KEY was not tested.
• [P1] The PR changes OpenAI compaction provider/context routing and adds agentHarnessId to context-engine runtime context, so maintainers should be comfortable that direct OpenAI, custom-base, OpenClaw-pinned, and Codex OAuth upgrade paths keep their intended auth route.

Maintainer options:

1. Prove OAuth compaction before merge (recommended)
   Run a live installed gateway or Crabbox/Testbox scenario with Codex OAuth and no OPENAI_API_KEY, then include redacted output showing compaction succeeds and the direct/custom-base paths still route correctly.
2. Accept test-only proof deliberately
   A maintainer may decide the focused regression suite is enough for this protected auth-routing fix and record that acceptance before merge.
3. Pause until linked bug can be live-verified
   If no maintainer can supply OAuth credentials or packaged-gateway proof, keep the PR open rather than merging an auth-provider change on mocked coverage alone.

Next step before merge

• [P1] Human maintainer review is needed because the PR has a protected maintainer label, changes auth/provider routing, and its proof explicitly excludes a live Codex OAuth gateway run.

Security
Cleared: No concrete security or supply-chain regression was found in the reviewed diff; auth-provider compatibility risk is tracked separately as merge risk.

Review details

Best possible solution:

Land the auth-routing fix after maintainer acceptance or live proof that Codex OAuth compaction works without OPENAI_API_KEY and the direct OpenAI/custom-base/pinned paths remain intact.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level reproduction: the linked issue gives concrete release steps, and current main still resolves compaction routing through the OpenClaw/direct OpenAI path in the implicated helper. I did not run a live Codex OAuth gateway flow in this read-only review.

Is this the best way to solve the issue?

Mostly yes: the PR targets the compaction runtime/auth boundary and adds focused coverage for the important variants. The remaining gap is merge-readiness proof, not an obvious code-shape blocker.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 43658872d90b.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body includes extensive tests and checks but explicitly says no live Codex OAuth account flow was executed, so contributor action is still needed unless a maintainer overrides the proof gate. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• remove rating: 🌊 off-meta tidepool: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P1: The linked regression breaks Codex OAuth-backed compaction for users who intentionally do not have a direct OpenAI API key.
• merge-risk: 🚨 compatibility: The diff changes fallback/provider routing for existing OpenAI compaction sessions, including direct API-key, custom-base, and pinned runtime setups.
• merge-risk: 🚨 auth-provider: The fix changes whether compaction loads auth through openai or openai-codex, so an incorrect route can surface missing credentials or use the wrong auth mode.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body includes extensive tests and checks but explicitly says no live Codex OAuth account flow was executed, so contributor action is still needed unless a maintainer overrides the proof gate. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +163, Tests +604. Total +767 across 15 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	11	223	60	+163
Tests	4	628	24	+604
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	15	851	84	+767

What I checked:

• Repository policy read: Full root AGENTS.md and scoped agents/embedded-runner AGENTS.md were read; provider routing, auth/session state, fallback behavior, and real behavior proof are treated as compatibility-sensitive review surfaces. (AGENTS.md:12, 43658872d90b)
• Current main still has the reported routing shape: On current main, compaction target resolution calls resolveSelectedOpenAIRuntimeProvider with harnessRuntime: "openclaw", so source inspection supports the linked issue's direct-OpenAI fallback path. (src/agents/embedded-agent-runner/compaction-runtime-context.ts:68, 43658872d90b)
• PR routes by selected harness runtime: The PR head adds harnessRuntime to compaction target resolution and only produces openai-codex runtime/context providers when the selected runtime is Codex and the OpenAI provider is the official endpoint. (src/agents/embedded-agent-runner/compaction-runtime-context.ts:50, ac6f93de4ab7)
• Queued compaction preserves the selected runtime: The queued path computes a selected harness runtime, ensures the selected plugin before routed model lookup, resolves the context budget against the routed context provider, and passes the runtime into the context-engine runtime context. (src/agents/embedded-agent-runner/compact.queued.ts:180, ac6f93de4ab7)
• Regression coverage is broad but mocked: PR-head tests cover selected Codex runtime routing, custom OpenAI-compatible preservation, queued context-engine runtime context, concrete OpenClaw/Codex pins, and sandbox/policy handling. (src/agents/embedded-agent-runner/compact.hooks.test.ts:634, ac6f93de4ab7)
• Real behavior proof gap: The PR body's proof section explicitly says no live Codex OAuth account flow was executed, so the after-fix evidence is focused tests, type checks, lint, whitespace checks, and autoreview rather than a real installed gateway run. (ac6f93de4ab7)

Likely related people:

• @vincentkoc: Current-main blame on the relevant OpenAI/Codex routing, harness selection, and compaction functions points to commit dfe99e9; the checkout history is shallow, so older feature provenance could not be established locally. (role: recent area contributor; confidence: low; commits: dfe99e9cd79d; files: src/agents/openai-codex-routing.ts, src/agents/harness/selection.ts, src/agents/embedded-agent-runner/compact.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 49d1941401

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Route Codex runtime without a provider config entry

When a Codex-backed agent follows the documented quickstart config (enable the codex plugin, use openai/gpt-*, and sign in with openai-codex OAuth, without adding models.providers.openai-codex), this new guard returns false even though the active harness runtime is Codex. That sends compaction back through the direct openai provider, so OAuth-only installs still hit the missing OPENAI_API_KEY path this patch is meant to fix; resolveModelAsync("openai-codex", ...) already supports built-in Codex model fallback without requiring this config entry.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6b60113bcc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Thread the policy runtime into queued compaction

When the OpenAI/Codex route is selected by the harness policy rather than an explicit agentHarnessId, this still passes only params.params.agentHarnessId into buildEmbeddedCompactionRuntimeContext. The surrounding queued path computes ceHarnessPolicy.runtime and uses it for model loading/token budget, but the runtimeContext handed to contextEngine.compact() keeps harnessRuntime undefined, so resolveEmbeddedCompactionTarget() falls back to the OpenClaw route and leaves runtimeProvider unset. In the default Codex-OAuth OpenAI session, plugin-owned/context-engine fallback compaction therefore still receives openai without the openai-codex runtime provider and can hit the direct OPENAI_API_KEY failure this patch is meant to avoid.

Useful? React with 👍 / 👎.

[github-actions]

Dependency graph guard cleared

This PR no longer has blocked dependency graph changes. A future dependency graph change requires a fresh /allow-dependencies-change comment after the guard blocks that new head SHA.

• Current SHA: ac6f93de4ab77ccb05a552a500986a9812b82c7e

[steipete]

/allow-dependencies-change removal-only root shrinkwrap sync after tokenjuice left the root dependency graph on current main

[steipete]

/allow-dependencies-change removal-only root shrinkwrap sync after tokenjuice left the root dependency graph on current main

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d0129adabc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Honor the compaction model runtime before routing

When agents.defaults.compaction.model switches to a different OpenAI model that has a provider/model agentRuntime.id: "openclaw", this still feeds resolveEmbeddedCompactionTarget() the harness policy resolved from the pre-override model. In an OpenAI session that defaults to Codex and has openai-codex configured, compaction is therefore routed through openai-codex even though the configured compaction model explicitly opted back into the OpenClaw runtime; the queued path repeats the same preliminary-policy pattern. Resolve the harness policy from the final compaction provider/model before using it for runtime-provider selection.

Useful? React with 👍 / 👎.

[steipete]

/allow-dependencies-change removal-only root shrinkwrap sync after tokenjuice left the root dependency graph on current main

[steipete]

/allow-dependencies-change removal-only root shrinkwrap sync after tokenjuice left the root dependency graph on current main