Add Codex session route migration coverage

[ooiuuii]

Summary

• add regression coverage for repairing a stale Telegram direct session route from openai-codex to canonical openai
• assert session-store repair preserves canonical OpenAI OAuth/auth-profile pins such as openai:work
• assert stale Codex runtime/session overrides are cleared after route repair

Context

This is PR2 from the Codex/OpenAI migration follow-up and is scoped only to persisted session-store route state. It intentionally does not change config migration coverage (PR #90317) or model-selection re-persistence behavior.

Related to #90036.

Verification

• pnpm tsx .tmp-check-codex-pr2.mts behavior check: PR2_BEHAVIOR_OK
• git diff --check

Note: this repository's targeted Vitest startup was very slow locally due repeated Rolldown PLUGIN_TIMINGS output during first-run compilation, so I used a direct behavior check for the repaired helper path and left the regression in the Vitest suite for CI.

Real behavior proof (redacted, Windows official 6.1)

Read-only probe from the real upgraded Windows/Telegram direct session after the 6.1 migration and Telegram smoke test:

{
  "key": "agent:main:telegram:default:direct:<redacted-direct-id>",
  "modelProvider": "openai",
  "model": "gpt-5.5",
  "providerOverride": null,
  "modelOverride": null,
  "authProfileOverride": null,
  "agentHarnessId": null,
  "agentRuntimeOverride": null
}

The same upgraded setup successfully completed a real Telegram direct-session smoke (TELEGRAM_SESSION_SMOKE_OK) using canonical openai/gpt-5.5 plus Codex runtime routing, not the stale openai-codex/* route.

For the auth-pin preservation edge covered by this test-only PR, the focused helper proof remains:

repairCodexSessionStoreRoutes(...)
modelProvider: "openai-codex" -> "openai"
providerOverride: "openai-codex" -> "openai"
model/modelOverride: "openai-codex/gpt-5.5" -> "gpt-5.5"
authProfileOverride: "openai:work" preserved
agentHarnessId / agentRuntimeOverride cleared
PR2_BEHAVIOR_OK

So the real upgraded Telegram session proves the stale route is gone in a live session, while the focused regression proves canonical OpenAI auth pins are preserved when present.

Real behavior proof (structured for gate)

• Behavior or issue addressed: stale persisted Telegram direct-session Codex routes are repaired from openai-codex/* to canonical openai / gpt-* while preserving canonical OpenAI OAuth auth-profile pins.
• Real environment tested: real upgraded Windows/ROG OpenClaw 2026.6.1 Telegram direct session plus this PR branch on macOS source checkout.
• Exact steps or command run after this patch: inspected the redacted real Telegram session store after the Windows 6.1 migration and smoke, then ran node scripts/run-vitest.mjs src/commands/doctor/shared/codex-route-warnings.test.ts --testNamePattern="repairs Telegram direct session routes" on this PR head.
• Evidence after fix: copied live terminal/session output:

Real Windows/Telegram direct session after migration:
key: agent:main:telegram:default:direct:<redacted-direct-id>
modelProvider: openai
model: gpt-5.5
providerOverride: null
modelOverride: null
authProfileOverride: null
agentHarnessId: null
agentRuntimeOverride: null
TELEGRAM_SESSION_SMOKE_OK

$ node scripts/run-vitest.mjs src/commands/doctor/shared/codex-route-warnings.test.ts --testNamePattern="repairs Telegram direct session routes"
[test] starting test/vitest/vitest.commands.config.ts
✓ commands src/commands/doctor/shared/codex-route-warnings.test.ts (109 tests | 108 skipped) 130ms
Tests 1 passed | 108 skipped (109)
[test] passed 1 Vitest shard in 18.29s

• Observed result after fix: the live Telegram session no longer persisted openai-codex/*; the focused regression passed and preserves canonical auth pins while clearing stale Codex runtime/session overrides.
• What was not tested: no OAuth token reset/re-login was performed; unrelated config migration coverage remains in PR Add Codex multi-agent config migration coverage #90317 and forward write-boundary protection remains in PR Normalize legacy Codex session runtime state #90321.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 12:14 PM ET / 16:14 UTC.

Summary
This PR adds a regression test for repairing a Telegram direct session route from legacy openai-codex state to canonical openai while preserving an openai:work auth pin and clearing stale Codex runtime pins.

PR surface: Tests +39. Total +39 across 1 file.

Reproducibility: yes. at the helper level: source inspection shows the stale session entry shape is repaired by repairCodexSessionStoreRoutes, and the PR body supplies targeted Vitest output. I did not rerun tests because this review is read-only.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• No automated repair lane is needed; the remaining action is ordinary maintainer review and CI for a narrow test-only PR.

Security
Cleared: The diff is test-only, uses a synthetic Telegram direct id, and the PR body proof is redacted; I found no concrete security or supply-chain concern.

Review details

Best possible solution:

Land the focused regression test after normal CI and maintainer review, while keeping the related config-migration and forward write-boundary work in their separate PRs.

Do we have a high-confidence way to reproduce the issue?

Yes, at the helper level: source inspection shows the stale session entry shape is repaired by repairCodexSessionStoreRoutes, and the PR body supplies targeted Vitest output. I did not rerun tests because this review is read-only.

Is this the best way to solve the issue?

Yes. A focused regression in the doctor session-store route tests is the narrow maintainable place for this edge; config migration and forward write-boundary protection are intentionally separate follow-ups.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c0b3c8cdb9dc.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted real Windows/Telegram upgraded-session output plus targeted terminal test output for the added regression.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P2: The PR adds regression coverage for a real session-route migration bug with limited, test-only blast radius.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes redacted real Windows/Telegram upgraded-session output plus targeted terminal test output for the added regression.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted real Windows/Telegram upgraded-session output plus targeted terminal test output for the added regression.

Evidence reviewed

PR surface:

Tests +39. Total +39 across 1 file.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	1	39	0	+39
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	1	39	0	+39

What I checked:

• Repository policy read and applied: The full root policy was read, including the review-depth, Codex-contract, session-state, and Telegram proof guidance that apply to this PR. (AGENTS.md:12, c0b3c8cdb9dc)
• Maintainer note checked: The Telegram maintainer note requires real Telegram proof for transport-visible Telegram behavior; this PR is test-only and does not change Telegram transport code, but the body includes a redacted real Telegram session smoke. (.agents/maintainer-notes/telegram.md:1, c0b3c8cdb9dc)
• PR diff is narrow test coverage: The live PR diff adds one Vitest case using synthetic Telegram direct key 5550100999; it asserts provider/model canonicalization, openai:work auth pin preservation, and Codex runtime pin clearing. (src/commands/doctor/shared/codex-route-warnings.test.ts:3830, 127722fdb41f)
• Current helper supports the asserted behavior: rewriteSessionModelPair rewrites openai-codex provider fields to openai, converts legacy model refs, and repairCodexSessionStoreRoutes clears stale runtime pins only after route/fallback repair; the code path does not overwrite an unrelated canonical authProfileOverride. (src/commands/doctor/shared/codex-route-warnings.ts:2882, c0b3c8cdb9dc)
• Current main lacks the exact new regression: Current main already has adjacent session-route tests and a canonical OpenAI preservation test, but an exact search found no Telegram direct synthetic session test or matching title, so the PR still adds unique coverage. (src/commands/doctor/shared/codex-route-warnings.test.ts:3907, c0b3c8cdb9dc)
• Codex app-server contract checked: The sibling Codex source documents and types modelProvider on thread start/resume/list responses, and its processor returns session_configured.model_provider_id; this supports treating provider identity as a real route field rather than a cosmetic string. (../codex/codex-rs/app-server/README.md:271, 4ae7930f58c9)

Likely related people:

• Peter Steinberger: Current-main blame and history tie the session-route repair helper and adjacent regression tests to recent work by this author. (role: recent area contributor; confidence: high; commits: cc73ef8ba59a, 6a6da54062fb; files: src/commands/doctor/shared/codex-route-warnings.ts, src/commands/doctor/shared/codex-route-warnings.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[ooiuuii]

@clawsweeper re-review after adding redacted Windows 6.1 Telegram session-route proof to the PR body.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26954905674
• Updated: 2026-06-04T13:37:00.434Z

[ooiuuii]

Follow-up 127722fdb4 addresses the privacy/security-boundary review note: the Telegram direct-session id in the regression fixture is now synthetic (5550100999), and the PR body proof has been redacted as <redacted-direct-id>.

Verification performed:

• rg -n '8589344021' src/commands/doctor/shared/codex-route-warnings.test.ts returns no matches.
• git diff --check passed before the local targeted Vitest attempt.
• Local targeted Vitest again stalled with no output in this environment, so CI remains the authoritative execution gate.

The test still covers the same route shape: a Telegram direct session with legacy openai-codex provider/model state is repaired to canonical openai / gpt-5.5 while preserving canonical OpenAI auth pins.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26963128755
• Updated: 2026-06-04T16:01:16.772Z