refactor: unify OpenAI provider identity

[steipete]

Summary

• Unifies the OpenAI provider identity under openai across provider registration, auth/profile selection, model routing, usage polling, image routing, native/UI fixtures, and docs.
• Renames the ChatGPT/Codex OAuth transport from the old Codex-named surface to openai-chatgpt-responses, while leaving legacy names only in doctor/migration compatibility paths.
• Moves old OpenAI-Codex config/auth/session/Hermes state repair into doctor-owned migrations and keeps minimal pre-doctor visibility through generic provider-auth alias handling.
• Generalizes harness selection so custom harness behavior is not OpenAI-specific and can share the same shape as Copilot.
• Fixes review-discovered migration edges around CODEX_API_KEY, API-key usage polling, sidecar OAuth preservation, image auth lookup, OAuth refresh guidance, TLS preflight visibility, and Hermes nested token-pool detection.

Verification

• OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=.artifacts/vitest-cache-openai-unify node scripts/run-vitest.mjs extensions/migrate-hermes/files-and-skills.test.ts extensions/migrate-hermes/secrets.test.ts extensions/migrate-hermes/provider.secret-failure.test.ts src/commands/models/auth-list.test.ts src/commands/doctor-auth.hints.test.ts src/commands/doctor-auth.profile-health.test.ts
• OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=.artifacts/vitest-cache-oauth-tls node scripts/run-vitest.mjs src/commands/oauth-tls-preflight.test.ts src/commands/oauth-tls-preflight.doctor.test.ts
• pnpm tsgo:prod
• pnpm tsgo:test
• git diff --check
• rg -n 'openai-codex' . --glob '!node_modules/**' --glob '!.git/**' --glob '!CHANGELOG.md' --glob '!appcast.xml' --glob '!src/commands/doctor*' --glob '!src/commands/doctor/**' --glob '!docs/gateway/doctor.md' --glob '!docs/cli/doctor.md' --glob '!extensions/codex/doctor-contract-api.ts'; test $? -eq 1
• rg -n 'openai-codex-responses|openai-codex-' . --glob '!node_modules/**' --glob '!.git/**' --glob '!CHANGELOG.md' --glob '!appcast.xml' --glob '!src/commands/doctor*' --glob '!src/commands/doctor/**' --glob '!docs/gateway/doctor.md' --glob '!docs/cli/doctor.md' --glob '!extensions/codex/doctor-contract-api.ts'; test $? -eq 1
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode local clean after fixing the accepted TLS-preflight finding.

Real behavior proof

Behavior addressed: OpenAI and ChatGPT OAuth now share the canonical openai provider identity; legacy OpenAI-Codex state is handled by doctor/migration paths instead of live provider ids.
Real environment tested: Local OpenClaw source checkout on macOS with Node/Vitest/tsgo.
Exact steps or command run after this patch: The verification commands above, including focused auth/migration/provider tests, type checks, strict retired-id scans, and autoreview.
Evidence after fix: Focused Vitest shards passed; tsgo:prod and tsgo:test passed; strict scans found no non-doctor live openai-codex references; autoreview reported no accepted/actionable findings.
Observed result after fix: The tree keeps openai-codex only in doctor/migration/history surfaces, preserves pre-doctor legacy profile visibility where migration diagnostics need it, and uses openai for live OpenAI provider/auth routing.
What was not tested: Live OAuth browser sign-in, live OpenAI API-key calls, and Crabbox/WebVNC were not rerun in this closeout pass.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 30, 2026, 7:19 PM ET / 23:19 UTC.

Summary
The branch canonicalizes OpenAI/Codex provider identity to openai, renames the ChatGPT Responses API id, updates auth/profile/model routing plus docs/tests, and moves legacy state handling toward doctor/migration paths.

Reproducibility: yes. for the PR defects via source inspection: the affected upgrade/setup paths are visible in the PR head without needing live credentials. I did not run live OAuth or doctor migration because this review is read-only and the PR body does not provide that proof.

Review metrics: 2 noteworthy metrics.

• Deprecated auth-choice aliases: 3 removed from replacement allowlist. Existing non-interactive setup snippets using shipped OpenAI/Codex choice ids need a compatible migration path before merge.
• Provider/API identity surfaces: 1 provider id retired, 1 API id renamed. Both identifiers are persisted/configured routing surfaces that affect auth, model selection, and upgrades.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Restore backward-compatible handling for dual OpenAI provider configs, deprecated auth choices, and legacy OAuth fallback refresh.
• [P1] Add redacted real behavior proof for one fresh OpenAI auth path and one legacy doctor/upgrade path.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body’s proof is limited to local tests, type checks, static scans, and autoreview, and it explicitly says live OAuth/API-key/Crabbox proof was not rerun; contributor should add redacted real auth and legacy doctor/upgrade evidence. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] Existing configs with both models.providers.openai and legacy Codex provider settings can silently lose the legacy transport override during validation.
• [P1] Copied non-interactive setup commands using shipped old OpenAI/Codex auth-choice values can stop routing to the canonical OpenAI setup flow.
• [P2] Expired unmigrated legacy OpenAI-Codex OAuth profiles can miss the external CLI fallback refresh path until the user runs doctor or reauths.
• [P1] The PR changes protected provider/auth upgrade behavior without redacted live OAuth, API-key, or legacy doctor/upgrade proof.

Maintainer options:

1. Preserve shipped upgrade inputs (recommended)
   Keep deprecated OpenAI auth-choice aliases, dual-provider config handling, and legacy OAuth fallback routable while doctor performs the permanent migration.
2. Accept a breaking provider/auth cutover
   A maintainer could explicitly accept that copied setup commands and unmigrated legacy profiles may fail until doctor or reauth, but that decision should be recorded before merge.
3. Pause for live upgrade proof
   Hold the refactor until a redacted fresh OpenAI auth path and a legacy doctor/upgrade path have been exercised in a real setup.

Next step before merge

• [P1] Human review remains needed because the PR has a protected provider/auth compatibility decision plus missing contributor real behavior proof that automation cannot supply.

Security
Cleared: No concrete new security or supply-chain issue was found in the inspected diff; the auth/provider concerns are compatibility and upgrade-safety blockers.

Review findings

• [P1] Preserve dual OpenAI provider configs during validation — src/config/validation.ts:114-117
• [P1] Keep deprecated OpenAI auth choices routable — src/commands/auth-choice-legacy.ts:8
• [P1] Restore legacy Codex OAuth fallback refresh — src/agents/auth-profiles/oauth.ts:226

Review details

Best possible solution:

Land a backward-preserving unification that preserves or migrates shipped config/auth/setup inputs through doctor-owned repair, keeps legacy fallback refresh safe until migration, and includes redacted real proof for fresh OpenAI auth plus a legacy upgrade path.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR defects via source inspection: the affected upgrade/setup paths are visible in the PR head without needing live credentials. I did not run live OAuth or doctor migration because this review is read-only and the PR body does not provide that proof.

Is this the best way to solve the issue?

No. Canonicalizing the OpenAI identity may be the right direction, but this implementation still removes shipped compatibility paths and needs real upgrade/auth proof before it is the safest maintainable solution.

Full review comments:

• [P1] Preserve dual OpenAI provider configs during validation — src/config/validation.ts:114-117
  When config has both models.providers.openai and models.providers.openai-codex, this only copies the legacy config if openai is absent and then deletes the legacy entry. That drops shipped ChatGPT/Codex transport overrides such as base URL, API, models, or headers, so upgraded users can silently route through the direct OpenAI settings instead of their legacy Codex transport.
  Confidence: 0.89
• [P1] Keep deprecated OpenAI auth choices routable — src/commands/auth-choice-legacy.ts:8
  The shipped non-interactive choices codex-cli, openai-codex, and openai-codex-device-code were removed from the replacement allowlist, and the OpenAI manifest does not declare them as deprecated choices. Existing copied setup commands using those values no longer normalize to the canonical OpenAI choices before provider setup, which breaks CLI setup compatibility.
  Confidence: 0.88
• [P1] Restore legacy Codex OAuth fallback refresh — src/agents/auth-profiles/oauth.ts:226
  This fallback now only runs for stored credentials whose provider is already openai, while shipped legacy profiles can still persist provider: "openai-codex". Those expired legacy profiles no longer reach readExternalCliFallbackCredential, so they can fail with no API key until doctor migration or manual reauth instead of using the external CLI fallback refresh path.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8d6a6e9d0325.

Label changes

Label justifications:

• P1: The PR changes provider/auth routing and upgrade behavior that can break existing OpenAI/Codex users now.
• merge-risk: 🚨 compatibility: The diff removes shipped setup aliases and can drop legacy provider config during validation for upgraded users.
• merge-risk: 🚨 auth-provider: The diff changes OAuth profile/provider identity and fallback refresh behavior for OpenAI/Codex credentials.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body’s proof is limited to local tests, type checks, static scans, and autoreview, and it explicitly says live OAuth/API-key/Crabbox proof was not rerun; contributor should add redacted real auth and legacy doctor/upgrade evidence. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

What I checked:

• Repository policy applied: Root AGENTS.md says provider routing, auth/session state, persisted preferences, config loading, setup, startup checks, and fallback behavior are compatibility/upgrade-sensitive review surfaces. (AGENTS.md:18, 8d6a6e9d0325)
• Dual provider config is still dropped: On the PR head, validation copies the legacy provider into openai only when no openai provider exists, then deletes the legacy provider entry; configs that contain both ids lose the legacy transport config. (src/config/validation.ts:114, ea4251e562f1)
• OpenAI legacy setup aliases removed: The PR head narrows LEGACY_REPLACEMENT_AUTH_CHOICES to only claude-cli, removing the shipped OpenAI/Codex legacy setup choices from the replacement path. (src/commands/auth-choice-legacy.ts:8, ea4251e562f1)
• OpenAI manifest has no replacement aliases: The PR head OpenAI manifest lists only openai, openai-device-code, and openai-api-key provider auth choices with no deprecatedChoiceIds for the old setup values. (extensions/openai/openclaw.plugin.json:234, ea4251e562f1)
• Current main preserves legacy setup aliases: Current main includes codex-cli, openai-codex, and openai-codex-device-code in the legacy replacement set, so removing them is a behavior change for copied setup commands. (src/commands/auth-choice-legacy.ts:8, 8d6a6e9d0325)
• Legacy OAuth fallback no longer accepts retired provider id: The PR head changes the OAuth fallback gate to only credential.provider === "openai", so an unmigrated stored OAuth profile with the shipped retired provider id does not reach the external CLI fallback refresh path. (src/agents/auth-profiles/oauth.ts:226, ea4251e562f1)

Likely related people:

• Ashd.LW.: Current-main blame and file history for the legacy auth-choice, config validation, and auth-profile surfaces point to commit eb170a0; the trail is shallow but consistent across the central files inspected. (role: current behavior introducer / recent area contributor; confidence: medium; commits: eb170a0adb19; files: src/commands/auth-choice-legacy.ts, src/config/validation.ts, src/agents/auth-profiles/store.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f6e0e90dff

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve legacy OpenAI provider config when both ids exist

When a user already has both models.providers.openai (for direct API-key/OpenAI Platform settings) and a legacy models.providers.openai-codex entry (often carrying ChatGPT/Codex proxy baseUrl, headers, or request options), this normalization deletes the legacy entry without merging or warning because openai is present. The validated runtime config then loses those Codex transport overrides, so upgraded configs with both providers silently route openai/* through the surviving direct OpenAI provider settings instead of the user's legacy ChatGPT/Codex transport.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06fe882e5b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore legacy Codex fallback refresh

When a stored OAuth profile still has the shipped legacy provider: "openai-codex", the refresh path can no longer recover it: the OpenAI OAuth provider/runtime now resolves under openai, and this predicate skips readExternalCliFallbackCredential for the retired id. In that upgrade state, an expired legacy Codex profile that used to fall back to local Codex CLI auth now resolves to no API key until the user runs doctor/migration, so keep accepting the retired provider id here or normalize it before the check.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ea4251e562

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve the legacy Codex catalog API alias

External or workspace plugin manifests that still publish the shipped api: "openai-codex-responses" now lose their API during normalizeModelCatalogApi() because this enum no longer accepts the old string, and normalizeModelCatalogProviderRows() only emits api when that lookup succeeds. In that upgrade case the row no longer matches the ChatGPT/Codex response hooks, so custom catalog entries silently stop using the intended transport; keep accepting/normalizing the legacy API value here as well as in config validation.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Do not let CODEX_API_KEY shadow direct OpenAI keys

For direct OpenAI Platform paths such as openai-responses or OpenAI image generation, resolveEnvApiKey("openai") iterates these candidates in order, so an environment that has both CODEX_API_KEY and OPENAI_API_KEY now sends the Codex app-server key to the direct OpenAI API and never reaches the valid OPENAI_API_KEY. Keep CODEX_API_KEY scoped to the ChatGPT/Codex transport or prefer OPENAI_API_KEY for the unified openai provider's direct API-key flows.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 88faddf0a8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Treat env OpenAI keys as direct image auth

When isConfigured() is checking a non-public OpenAI image endpoint (for example an Azure/OpenAI-compatible baseUrl) and the only credential is OPENAI_API_KEY from the environment, isProviderApiKeyConfigured({ provider: "openai" }) is true but this helper now returns false because there are no stored profiles. Since the configured check then requires hasDirectOpenAIImageApiKeyAuth() for non-public base URLs, the OpenAI image provider is reported unavailable even though generateImage() can resolve and use the env key; keep the no-profile case as direct API-key auth or pass through the env result explicitly.

Useful? React with 👍 / 👎.

[steipete]

Verification for head 88faddf:

• Autoreview: .agents/skills/autoreview/scripts/autoreview --mode local --prompt "Final follow-up on PR 88451 after CI failures: live-model-filter OpenAI allow logic, stale OpenAI/Codex split test expectations, package acceptance guard. Review for correctness and regressions." -> clean, no accepted/actionable findings.
• Focused red-file proof: OPENCLAW_VITEST_FS_MODULE_CACHE_PATH=.artifacts/vitest-cache-ci-red-3 node scripts/run-vitest.mjs src/agents/auth-profiles.ensureauthprofilestore.test.ts src/agents/live-model-switch.test.ts src/agents/model-auth.profiles.test.ts src/agents/model-compat.test.ts src/agents/openai-transport-stream.test.ts test/scripts/package-acceptance-workflow.test.ts -> 2 shards passed, 377 tests.
• Previous red CI shard reproduced locally: OPENCLAW_VITEST_MAX_WORKERS=2 OPENCLAW_VITEST_SHARD_NAME=agentic-agents-core OPENCLAW_TEST_PROJECTS_PARALLEL=2 NODE_OPTIONS=--max-old-space-size=8192 pnpm exec node scripts/test-projects.mjs test/vitest/vitest.agents-core.config.ts -> 288 files passed, 4465 tests, 4 skipped.
• Previous build-artifacts failure reproduced locally: NODE_OPTIONS=--max-old-space-size=8192 OPENCLAW_VITEST_MAX_WORKERS=2 node scripts/run-vitest.mjs run --config test/vitest/vitest.full-core-support-boundary.config.ts -> 206 files passed, 1 skipped, 2436 tests, 11 skipped.
• Type/format/hygiene: pnpm tsgo:prod, pnpm tsgo:test, pnpm exec oxfmt --check on touched files, git diff --check, and strict non-doctor openai-codex content scan all passed.
• GitHub CI: all PR checks green on head 88faddf; previously failing build-artifacts and checks-node-agentic-agents-core are green.

Known proof gaps: none for the changed surface; live OAuth/API-key Crabbox evidence was already captured earlier in this PR path and this final push only fixes CI follow-through/test expectations plus the OpenAI high-signal filter guard.