Add Codex multi-agent config migration coverage

[ooiuuii]

Summary

• add regression coverage for a live 6.1 upgrade shape where agents.defaults.model and multiple agents.list[].model entries still use openai-codex/gpt-5.5
• assert doctor repair rewrites those routes to openai/gpt-5.5, preserves Codex intent via per-agent agentRuntime.id = "codex", and enables/allows the codex plugin when an allowlist is present

Context

This is PR1 from the Codex/OpenAI migration follow-up. It focuses only on config migration coverage and does not touch session-store repair or route re-persistence.

Refs #90047. Related to #90036 because stale config defaults/list entries can keep Telegram/direct sessions resolving through the legacy openai-codex/* route after upgrade.

Verification

• pnpm tsx .tmp-check-codex-pr1.mts behavior check: PR1_BEHAVIOR_OK
• git diff --check

Note: targeted Vitest (pnpm vitest run src/commands/doctor/shared/codex-route-warnings.test.ts -t "repairs live multi-agent Codex upgrade configs" --pool=forks --maxWorkers=1) was attempted locally, but the first-run build stayed in repeated Rolldown PLUGIN_TIMINGS output without reaching test execution in a reasonable time. The added test mirrors the behavior check above.

Real behavior proof (redacted, Windows official 6.1)

• Behavior or issue addressed: openclaw doctor --fix must repair a live 6.1 upgrade shape where agents.defaults.model and multiple agents.list[].model entries still point at openai-codex/gpt-5.5, while preserving Codex runtime intent and repairing restrictive plugin allowlists.
• Real environment tested: Windows official OpenClaw 2026.6.1 (2e08f0f) package, using an isolated temporary config instead of the live .openclaw config/token state.
• Exact steps or command run after this patch: Ran openclaw doctor --fix --yes --non-interactive against the redacted upgrade config shown below.
• Evidence after fix: Terminal output / copied live output from the real run:

OpenClaw 2026.6.1 (2e08f0f)
openclaw doctor --fix --yes --non-interactive
DOCTOR_EXIT=0

Input config used a restrictive allowlist and multiple legacy Codex routes:

{
  "agents": {
    "defaults": {
      "model": "openai-codex/gpt-5.5",
      "models": {
        "openai-codex/gpt-5.5": { "agentRuntime": { "id": "codex" } }
      }
    },
    "list": [
      { "id": "main", "model": "openai-codex/gpt-5.5" },
      { "id": "telegram", "model": "openai-codex/gpt-5.5" }
    ]
  },
  "plugins": { "allow": ["openai"], "entries": {} }
}

After doctor repair:

{
  "agents": {
    "defaults": {
      "model": "openai/gpt-5.5",
      "models": {
        "openai/gpt-5.5": { "agentRuntime": { "id": "codex" } }
      }
    },
    "list": [
      {
        "id": "main",
        "model": "openai/gpt-5.5",
        "models": { "openai/gpt-5.5": { "agentRuntime": { "id": "codex" } } }
      },
      {
        "id": "telegram",
        "model": "openai/gpt-5.5",
        "models": { "openai/gpt-5.5": { "agentRuntime": { "id": "codex" } } }
      }
    ]
  },
  "plugins": {
    "allow": ["openai", "codex", "memory-core", "telegram"],
    "entries": { "codex": { "enabled": true } },
    "bundledDiscovery": "compat"
  }
}

• Observed result after fix: The real doctor run exited 0, canonicalized legacy openai-codex/* config refs to openai/*, preserved Codex runtime metadata, enabled plugins.entries.codex, and extended the restrictive allowlist to include codex.
• What was not tested: No additional gaps for this regression; unrelated session-store repair is intentionally covered by a separate PR.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 9:09 PM ET / 01:09 UTC.

Summary
Adds a Vitest regression case for maybeRepairCodexRoutes covering multiple legacy openai-codex agent refs plus restrictive plugins.allow repair.

PR surface: Tests +48. Total +48 across 1 file.

Reproducibility: not applicable. as a test-only PR. The behavior under coverage is source-auditable through maybeRepairCodexRoutes, and the PR body supplies redacted Windows 2026.6.1 doctor --fix output for the upgrade-shaped config.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Have CI or Testbox run the codex-route-warnings.test.ts shard containing the new regression before merge.

Risk before merge

• [P1] The PR body's targeted Vitest attempt stalled before test execution, so CI or Testbox still needs to prove the added regression case actually runs before merge.

Maintainer options:

1. Decide the mitigation before merge
   Land the focused regression test after CI/Testbox executes the relevant doctor test shard; keep the session-store and forward write-boundary work in the related PRs.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• No ClawSweeper repair lane is needed because I found no discrete patch defect; maintainers should rely on CI/Testbox for the added test execution gate.

Security
Cleared: The diff only adds a regression test and does not change runtime code, dependency resolution, CI, scripts, credentials, or supply-chain surfaces.

Review details

Best possible solution:

Land the focused regression test after CI/Testbox executes the relevant doctor test shard; keep the session-store and forward write-boundary work in the related PRs.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a test-only PR. The behavior under coverage is source-auditable through maybeRepairCodexRoutes, and the PR body supplies redacted Windows 2026.6.1 doctor --fix output for the upgrade-shaped config.

Is this the best way to solve the issue?

Yes. A focused regression in the existing doctor shared test suite is the narrowest maintainable layer for this config-repair invariant, while the related session-store and write-boundary behaviors remain split into separate PRs.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4fa5092cdc39.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted copied live output from a Windows official 2026.6.1 openclaw doctor --fix run showing exit 0 and the repaired config shape for the behavior under test.

Label justifications:

• P2: This is normal-priority regression coverage for Codex/OpenAI migration repair with a limited test-only surface.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes redacted copied live output from a Windows official 2026.6.1 openclaw doctor --fix run showing exit 0 and the repaired config shape for the behavior under test.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted copied live output from a Windows official 2026.6.1 openclaw doctor --fix run showing exit 0 and the repaired config shape for the behavior under test.

Evidence reviewed

PR surface:

Tests +48. Total +48 across 1 file.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	1	48	0	+48
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	1	48	0	+48

What I checked:

• PR diff: The PR adds one regression test asserting default and listed-agent legacy Codex refs migrate to openai/gpt-5.5, per-agent/default Codex runtime policy is preserved, plugins.entries.codex is enabled, and codex is appended to an existing allowlist. (src/commands/doctor/shared/codex-route-warnings.test.ts:2929, 906e342e7d2c)
• Current repair entry point: maybeRepairCodexRoutes rewrites config model refs, then re-collects disabled Codex-plugin hits and applies plugin repair before returning warnings and changes. (src/commands/doctor/shared/codex-route-warnings.ts:2821, 4fa5092cdc39)
• Allowlist repair source: enableCodexPluginForRequiredRoutes enables plugins.entries.codex and appends codex to a non-empty restrictive plugins.allow that does not already include it. (src/commands/doctor/shared/codex-route-warnings.ts:1209, 4fa5092cdc39)
• Runtime policy preservation source: ensureCodexRuntimePolicy writes agentRuntime.id: "codex" onto repaired canonical model refs when no explicit non-default runtime pin should be preserved. (src/commands/doctor/shared/codex-route-warnings.ts:2242, 4fa5092cdc39)
• Product contract docs: The OpenAI provider docs define openai/* as the canonical OpenAI route and say legacy Codex model refs are repaired by openclaw doctor --fix to openai/* plus the Codex runtime. Public docs: docs/providers/openai.md. (docs/providers/openai.md:14, 4fa5092cdc39)
• Codex dependency contract: The sibling Codex app-server protocol has explicit model and model_provider thread fields, and session setup persists config.model_provider_id, supporting OpenClaw's separation of canonical model provider from runtime/auth handling. (../codex/codex-rs/app-server-protocol/src/protocol/v2/thread.rs:95, ecae41274091)

Likely related people:

• steipete: Current-line blame for collectDisabledCodexPluginRouteHits and maybeRepairCodexRoutes points at Peter Steinberger's recent commit covering the doctor Codex route repair module and its tests. (role: recent area contributor; confidence: medium; commits: f5b6a977d743; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts)
• vincentkoc: The latest shipped v2026.6.1 release baseline commit touched the same Codex route repair source and test files, making this a useful routing candidate for shipped-migration context. (role: release baseline contributor; confidence: low; commits: 2e08f0f4221f; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts, src/agents/openai-routing.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[ooiuuii]

@clawsweeper re-review after adding redacted Windows 6.1 doctor --fix proof to the PR body.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26954912598
• Updated: 2026-06-04T13:39:15.745Z