Thanks @WinnCook — appreciate the detailed review and LGTM.\n\nAgree on the explicit path: this keeps onboarding intent deterministic for , and the note gating via before/after primary comparison avoids noisy messaging.\n\nI also re-checked against project style conventions (existing helper usage, import order, and test structure) and kept the change scoped to the explicit auth-choice path only.

Greptile Summary

This PR fixes a silent provider mismatch during openai-codex onboarding by replacing the conservative applyOpenAICodexModelDefault helper with an unconditional applyPrimaryModel call. The core fix is correct: when the user explicitly picks openai-codex during onboarding with setDefaultModel: true, the primary model is now properly set to openai-codex/gpt-5.3-codex, and the "model configured" note is only shown if the primary actually changed.

Key changes:

• auth-choice.apply.openai.ts: replaces applyOpenAICodexModelDefault with applyPrimaryModel for explicit model setting.
• auth-choice.test.ts: adds a regression test starting from anthropic/claude-sonnet-4-6 and verifying the switch to openai-codex/gpt-5.3-codex.
• Unmentioned side effect: applyPrimaryModel also injects the model into cfg.agents.defaults.models (the model allowlist), which the old helper never did. Whether this is intentional or an undesired side effect should be clarified and tested.

Confidence Score: 4/5

• Safe to merge; the core fix is correct and well-tested, with one minor unresolved question about an allowlist side effect.
• The fix correctly addresses the stated issue with a targeted, unconditional model-setting approach and solid regression test. The primary-model switch logic is correct, and the note is properly gated on actual change. The only concern is that applyPrimaryModel silently adds the model to the allowlist as a side effect, differing from the old helper—this is not tested, not mentioned in the PR, and its intentionality is unclear. However, this side effect is unlikely to cause breakage in practice and may even be desirable (making the model available in the picker). A clarification and optional test assertion would be prudent but not blocking.
• src/commands/auth-choice.apply.openai.ts — verify whether the models-allowlist side effect from applyPrimaryModel is intentional; if so, add a test assertion.

_{Last reviewed commit: dd08097}

Reviewer note:

This PR intentionally updates extension peer dependency specifiers from "openclaw >=2026.3.1" to ">=2026.3.2" in:

• extensions/googlechat/package.json
• extensions/memory-core/package.json

and refreshes pnpm-lock.yaml accordingly.

Reason: CI secrets job runs pnpm-audit-prod, which was resolving [email protected] via extension peer resolution and failing on advisories patched in 2026.3.2.

So this is a deliberate minimum-version floor bump to keep dependency-audit CI green.

Ready for review ✅ (fixes #33290)

• Fixes onboarding auth-choice so selecting openai-codex is actually applied as the primary/default model.
• Added/updated auth-choice tests (src/commands/auth-choice.test.ts) for regression coverage.
• CI is green on latest commit.
• Included required audit fix (tar bumped to 7.5.10, lockfile refreshed).

Update on the recurring secrets CI failure:

• This failure is not caused by the auth-choice code change in this PR.
• Root cause is in shared workflow logic on main (.github/workflows/ci.yml): PR secrets scan diffs against github.event.pull_request.base.sha while checkout is shallow (fetch-depth: 1). When the base SHA is missing locally, it falls back to full-repo detect-secrets scan.

Tracking + fix are now split out as requested:

• Issue: CI secrets PR fast-path can fallback to full scan when base SHA missing in shallow checkout #38481
• Dedicated CI fix PR: fix(ci): ensure PR base commit before secrets diff; avoid full-scan fallback #38482

Expect the wait the secrets CI failure fixed by upstream

Ready for review ✅ (fixes #33290)

CI follow-up after conflict resolution:\n\nTwo checks are currently failing, and they appear to be upstream/baseline issues rather than specific to this PR's changes:

• Fails on src/cli/daemon-cli/lifecycle.test.ts formatting drift.
  • Already tracked by open PRs: fix: format daemon lifecycle test #40450 and fix(ci): Fix checkstyle error in lifecycle.test.ts #40417.\n\n2) checks-windows shard 6\n- Fails in src/secrets/runtime.test.ts with Windows ACL verification errors:
  • keeps active secrets runtime snapshots resolved after config writes
  • clears active secrets runtime state and throws when refresh fails after a write
• Error signature: SecretProviderResolutionError ... path ACL verification unavailable on Windows ...`
  • I couldn't find a clear dedicated tracking PR/issue for this exact failure yet and wait for upstream fixed.

Given this, the issue is not introduced by this PR, and we are ready to review

Closing this as stale/superseded by upstream changes.

I re-checked main and the underlying onboarding behavior is already covered there in the newer provider-plugin flow:

• extensions/openai/openai-codex-provider.ts returns defaultModel: OPENAI_CODEX_DEFAULT_MODEL for the openai-codex OAuth path
• src/plugins/provider-auth-choice.ts applies that default when setDefaultModel=true

So the original intent of this PR (making explicit openai-codex onboarding select the Codex primary/default model) is already handled upstream, just in the refactored implementation rather than the old src/commands/auth-choice.apply.openai.ts path.

Since this branch is now conflicted and no longer needed to land the fix, closing it.