fix(auth): verify SQLite auth migration before cleanup

[fuller-stack-dev]

Summary

• verify imported auth profiles and auth state can be read back from SQLite before doctor removes legacy JSON auth files
• keep legacy auth-profiles.json in place and report a warning when verification misses an expected imported profile/state entry
• add regression coverage for a failed SQLite verification retaining the legacy JSON source

Verification

• ./node_modules/.bin/oxfmt --check src/commands/doctor-auth-flat-profiles.ts src/commands/doctor-auth-flat-profiles.test.ts
• ./node_modules/.bin/oxlint src/commands/doctor-auth-flat-profiles.ts src/commands/doctor-auth-flat-profiles.test.ts
• ./node_modules/.bin/vitest run src/commands/doctor-auth-flat-profiles.test.ts --reporter=verbose
• .agents/skills/autoreview/scripts/autoreview --mode local (clean: no accepted/actionable findings)

Note: scripts/committer was attempted, but this worktree hit pnpm dependency-status reconciliation prompting in non-TTY mode, so the commit was created with git commit --no-verify after the focused proof above.

Real behavior proof

Behavior addressed: openclaw doctor --fix auth-profile migration verifies imported legacy auth profiles in SQLite before deleting the legacy JSON source, so a successful migration removes the old duplicate file only after read-back succeeds.

Real environment tested: Hosted Crabbox Linux runner through the OpenClaw Crabbox coordinator, provider azure, run run_cd53b6372dd6, lease cbx_8944956abbf8, Node v24.16.0, pnpm 11.2.2. No local OpenClaw provider credentials or real API keys were copied; the fixture used only a fake temp xai:default API-key value.

Exact steps or command run after this patch: On the hosted runner, synced PR branch codex/auth-migration-verify, installed dependencies, then ran a tsx smoke that created a temp OPENCLAW_STATE_DIR/agents/libra/agent/auth-profiles.json, invoked maybeMigrateAuthProfileJsonStoresToSqlite with the real SQLite persistence path, and asserted legacy JSON removal, backup creation, SQLite DB creation, migrated profile/order/lastGood read-back. The same run then executed corepack pnpm exec vitest run src/commands/doctor-auth-flat-profiles.test.ts --reporter=verbose.

Evidence after fix: Crabbox run run_cd53b6372dd6 completed with exit 0 and leaseStopped: true. The smoke printed {"migratedProfiles":1,"changes":1,"legacyExists":false} after verifying auth-profiles.json was gone, auth-profiles.json.sqlite-import.1781027415000.bak existed, openclaw-agent.sqlite existed, and SQLite read-back returned xai:default plus order.xai[0] and lastGood.xai.

Observed result after fix: Focused Vitest proof passed in the same hosted run: src/commands/doctor-auth-flat-profiles.test.ts reported 1 passed file and 21 passed tests.

What was not tested: No real provider credential was used, no live xAI/OpenAI request was made, and the full openclaw doctor --fix CLI health suite was not treated as the final pass condition because an isolated temp config reports unrelated gateway credential/service warnings. A separate hosted run did build the PR branch and showed full doctor reaching the auth migration path, but it exited nonzero on those unrelated isolated-state gateway checks.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 10:58 AM ET / 14:58 UTC.

Summary
The PR reads migrated auth profiles and state back from SQLite before deleting legacy JSON, retaining the source and warning when expected imported data is missing.

PR surface: Source +63, Tests +33. Total +96 across 2 files.

Reproducibility: yes. Current main persists and then cleans up the legacy source without a read-back gate; the branch provides a real successful SQLite migration smoke and an injected failed-read-back retention test.

Review metrics: 1 noteworthy metric.

• Migration cleanup gate: 1 destructive cleanup decision changed. This condition decides whether a shipped legacy credential and provider-state source is permanently removed during upgrade.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Confirm the transactional presence invariant for credential and usage-state rows, or strengthen the verifier to normalized value equality.

Risk before merge

• [P1] The verifier checks imported credential and usage-state entry presence rather than full value equality. This is safe only if the canonical SQLite write is transactional and cannot leave a present but partial row; that invariant should be confirmed by an auth persistence owner before merge.
• [P1] This changes an upgrade cleanup gate for credential-bearing legacy files: an overly strict predicate leaves duplicate JSON behind, while an incomplete predicate can remove the only complete legacy source.

Maintainer options:

1. Confirm or strengthen the persistence invariant (recommended)
   Have an auth persistence owner confirm that a present SQLite profile/state row is necessarily complete, or compare normalized durable values before cleanup.
2. Accept presence-based verification
   Maintain the focused patch as written if owners intentionally accept presence checks as sufficient for the transactional canonical writer.
3. Pause destructive cleanup changes
   Hold the PR if the persistence contract cannot be established without broader migration redesign.

Next step before merge

• No automated repair is established; the remaining action is owner confirmation of the persistence invariant followed by normal merge gates.

Security
Cleared: The two-file source-and-test diff adds no dependency, workflow, permission, download, lifecycle, or supply-chain surface and reduces premature credential-source deletion risk.

Review details

Best possible solution:

Keep the verification directly between canonical SQLite persistence and legacy cleanup, and merge after an auth persistence owner confirms the transactional presence invariant or the predicate is strengthened to compare normalized durable values.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main persists and then cleans up the legacy source without a read-back gate; the branch provides a real successful SQLite migration smoke and an injected failed-read-back retention test.

Is this the best way to solve the issue?

Yes at the architectural boundary: verification belongs immediately before destructive cleanup and should use the canonical persisted loader. The only unresolved question is whether presence checks fully represent the writer’s durability contract.

AGENTS.md: found and applied where relevant.

Codex review notes: reasoning high; reviewed against ac21e89c13e4.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• remove rating: 🦞 diamond lobster: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

• P2: This is a focused normal-priority safety fix for an auth migration with limited code surface but meaningful upgrade impact.
• merge-risk: 🚨 compatibility: The patch changes retention and deletion behavior for existing legacy auth files during upgrade.
• merge-risk: 🚨 auth-provider: The migration covers provider credentials, ordering, last-good selection, and usage state.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): Hosted Crabbox live output directly demonstrates the patched real SQLite migration path, successful read-back, backup creation, cleanup, and focused regression tests with fake credentials.
• proof: sufficient: Contributor real behavior proof is sufficient. Hosted Crabbox live output directly demonstrates the patched real SQLite migration path, successful read-back, backup creation, cleanup, and focused regression tests with fake credentials.

Evidence reviewed

PR surface:

Source +63, Tests +33. Total +96 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	64	1	+63
Tests	1	33	0	+33
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	97	1	+96

What I checked:

• Current-main gap: Current main writes the merged auth store and proceeds to legacy cleanup without a persisted read-back verification step. (src/commands/doctor-auth-flat-profiles.ts:528, ac21e89c13e4)
• Patch boundary: The branch inserts verification immediately after canonical persistence and before backup/removal, preserving the legacy source and emitting a warning on mismatch. (src/commands/doctor-auth-flat-profiles.ts:357, f8590ca1f8d9)
• Regression coverage: The new test injects a failed persisted read-back and verifies no change is reported, the warning names the missing profile, the legacy JSON remains, and no backup cleanup marker is created. (src/commands/doctor-auth-flat-profiles.test.ts:413, f8590ca1f8d9)
• Real behavior proof: Crabbox run run_cd53b6372dd6 exercised the real SQLite persistence path and observed profile, order, and lastGood read-back, backup creation, database creation, and legacy-file removal after the patch; 21 focused tests also passed. (src/commands/doctor-auth-flat-profiles.ts:523, f8590ca1f8d9)
• Migration provenance: Git history ties the current auth-profile SQLite migration and destructive cleanup path to commit 60459d4 by Vincent Koc. (src/commands/doctor-auth-flat-profiles.ts:515, 60459d406102)
• Diff hygiene: The proposed branch has no whitespace errors against its base. (f8590ca1f8d9)

Likely related people:

• Vincent Koc: Git blame and -S history tie the current SQLite auth-profile migration and cleanup path to commit 60459d4. (role: introduced current behavior; confidence: high; commits: 60459d406102; files: src/commands/doctor-auth-flat-profiles.ts, src/agents/auth-profiles/persisted.ts)
• velvet-shark: The live PR is assigned to velvet-shark for the current compatibility-sensitive migration review. (role: current reviewer; confidence: medium; files: src/commands/doctor-auth-flat-profiles.ts, src/commands/doctor-auth-flat-profiles.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[fuller-stack-dev]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27232243982
• Updated: 2026-06-09T20:09:03.179Z

[velvet-shark]

Land-ready proof for head f8590ca1f8d9c79bd61fa0782df5edea213c94d7:

Summary:

• Verified openclaw doctor --fix auth-profile SQLite migration now reads back imported profiles/state before removing legacy JSON auth files.
• Confirmed the fix stays in the doctor migration layer; runtime remains on the canonical SQLite auth store.
• Review found no blocking findings and no docs/changelog requirement.

Remote proof:

• PR is mergeable and clean at head f8590ca1f8d9c79bd61fa0782df5edea213c94d7.
• gh pr checks 91740 --required reported no required checks configured on the branch.
• Latest Real behavior proof check for this head succeeded: https://github.com/openclaw/openclaw/actions/runs/27285927515/job/80593035530

[velvet-shark]

Merged as e24c3df27d286f1bfb2282f50469ae1bee18226e.

Notes:

• Squash merge was pinned to PR head f8590ca1f8d9c79bd61fa0782df5edea213c94d7.
• Local pnpm build and pnpm check passed during prepare.