fix(openai-codex): bootstrap proxy on oauth refresh (#53078)

Takhoffman · web-flow · commit 8670f2ceadb2 · 2026-03-23T14:08:04.000-05:00
Verified:
- pnpm install --frozen-lockfile
- pnpm exec vitest run extensions/openai/openai-codex-provider.runtime.test.ts extensions/openai/openai-provider.test.ts
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -30,6 +30,7 @@ Docs: https://docs.openclaw.ai
 - Telegram/auto-reply: preserve same-chat inbound debounce order without stranding stale busy-session followups, and keep same-key overflow turns ordered when tracked debounce keys are saturated. (#52998) Thanks @osolmaz.
 - ClawHub/macOS: read the local ClawHub login from the macOS Application Support path and still honor XDG config on macOS, so skill browsing uses the logged-in token on both default and XDG-style setups. Fixes #52949. Thanks @scoootscooob.
 - Discord/commands: return an explicit unauthorized reply for privileged native slash commands instead of falling through to Discord's misleading generic completion when auth gates reject the sender. Fixes #53041. Thanks @scoootscooob.
+- Models/OpenAI Codex OAuth: bootstrap the env-configured HTTP/HTTPS proxy dispatcher on the stored-credential refresh path before token renewal runs, so expired Codex OAuth profiles can refresh successfully in proxy-required environments instead of locking users out after the first token expiry.
 
 ## 2026.3.22
 
diff --git a/extensions/openai/openai-codex-provider.runtime.test.ts b/extensions/openai/openai-codex-provider.runtime.test.ts
@@ -0,0 +1,51 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  ensureGlobalUndiciEnvProxyDispatcher: vi.fn(),
+  getOAuthApiKey: vi.fn(),
+}));
+
+vi.mock("openclaw/plugin-sdk/infra-runtime", () => ({
+  ensureGlobalUndiciEnvProxyDispatcher: mocks.ensureGlobalUndiciEnvProxyDispatcher,
+}));
+
+vi.mock("@mariozechner/pi-ai/oauth", () => ({
+  getOAuthApiKey: mocks.getOAuthApiKey,
+}));
+
+import { getOAuthApiKey } from "./openai-codex-provider.runtime.js";
+
+describe("openai-codex-provider.runtime", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("bootstraps the env proxy dispatcher before refreshing oauth credentials", async () => {
+    const refreshed = {
+      newCredentials: {
+        access: "next-access",
+        refresh: "next-refresh",
+        expires: Date.now() + 60_000,
+      },
+    };
+    mocks.getOAuthApiKey.mockResolvedValue(refreshed);
+
+    await expect(
+      getOAuthApiKey("openai-codex", {
+        "openai-codex": {
+          provider: "openai-codex",
+          type: "oauth",
+          access: "access-token",
+          refresh: "refresh-token",
+          expires: Date.now(),
+        },
+      }),
+    ).resolves.toBe(refreshed);
+
+    expect(mocks.ensureGlobalUndiciEnvProxyDispatcher).toHaveBeenCalledOnce();
+    expect(mocks.getOAuthApiKey).toHaveBeenCalledOnce();
+    expect(mocks.ensureGlobalUndiciEnvProxyDispatcher.mock.invocationCallOrder[0]).toBeLessThan(
+      mocks.getOAuthApiKey.mock.invocationCallOrder[0],
+    );
+  });
+});
diff --git a/extensions/openai/openai-codex-provider.runtime.ts b/extensions/openai/openai-codex-provider.runtime.ts
@@ -1 +1,9 @@
-export { getOAuthApiKey } from "@mariozechner/pi-ai/oauth";
+import { getOAuthApiKey as getOAuthApiKeyFromPi } from "@mariozechner/pi-ai/oauth";
+import { ensureGlobalUndiciEnvProxyDispatcher } from "openclaw/plugin-sdk/infra-runtime";
+
+export async function getOAuthApiKey(
+  ...args: Parameters<typeof getOAuthApiKeyFromPi>
+): Promise<Awaited<ReturnType<typeof getOAuthApiKeyFromPi>>> {
+  ensureGlobalUndiciEnvProxyDispatcher();
+  return await getOAuthApiKeyFromPi(...args);
+}
