Skip to content

fix(doctor): warn when stale Codex overrides shadow OAuth#40143

Merged
steipete merged 4 commits intoopenclaw:mainfrom
briandevans:codex/doctor-warn-stale-codex-override
Apr 8, 2026
Merged

fix(doctor): warn when stale Codex overrides shadow OAuth#40143
steipete merged 4 commits intoopenclaw:mainfrom
briandevans:codex/doctor-warn-stale-codex-override

Conversation

@briandevans
Copy link
Copy Markdown
Contributor

@briandevans briandevans commented Mar 8, 2026
edited by steipete
Loading

Summary

Describe the problem and fix in 2–5 bullets:

  • Problem: legacy models.providers.openai-codex overrides can keep shadowing the built-in Codex OAuth provider path after users upgrade.
  • Why it matters: affected users can keep seeing Codex OAuth failures or fallback behavior even after the underlying runtime fixes landed.
  • What changed: openclaw doctor now warns when it finds a legacy models.providers.openai-codex transport override alongside a configured or stored Codex OAuth profile; docs and regression coverage were added.
  • What did NOT change (scope boundary): this PR does not rewrite runtime provider selection and does not auto-remove config.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

openclaw doctor now warns when a legacy models.providers.openai-codex transport override is present at the same time as Codex OAuth, and points users to remove the stale override if they want the built-in Codex OAuth path back.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS
  • Runtime/container: local checkout via pnpm / Node
  • Model/provider: Codex OAuth (openai-codex)
  • Integration/channel (if any): none
  • Relevant config (redacted): models.providers.openai-codex override plus auth.profiles["openai-codex:<email>"] = { provider: "openai-codex", mode: "oauth" }

Steps

  1. Configure a legacy models.providers.openai-codex transport override.
  2. Configure or store a Codex OAuth profile.
  3. Run openclaw doctor.

Expected

  • Doctor warns that the legacy models.providers.openai-codex transport override can shadow the built-in Codex OAuth path.

Actual

  • Before this PR, doctor emitted no targeted warning for that stale override.
  • After this PR, doctor emits the warning only when Codex OAuth is actually configured/stored.

Evidence

Attach at least one:

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: added a failing doctor e2e regression first, then confirmed it passes once the warning is wired in; verified the warning does not appear for supported custom proxy/header-only overrides or when no Codex OAuth exists.
  • Edge cases checked: configured OAuth profile, stored OAuth profile, and no-OAuth false-positive case.
  • What you did not verify: I did not perform a live Codex OAuth login against a real account; verification here is config/store + doctor-flow based.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this commit or remove the new doctor warning call.
  • Files/config to restore: src/commands/doctor-auth.ts, src/commands/doctor.ts, docs/gateway/doctor.md, and the added regression cases.
  • Known bad symptoms reviewers should watch for: unexpected Codex OAuth warnings when no Codex OAuth profile exists.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

  • Risk: false-positive warning for users who intentionally keep a legacy openai-codex transport override.
    • Mitigation: the warning is gated on an actual configured or stored Codex OAuth profile, states that the override may be intentional, and does not auto-mutate config.

AI Assistance

  • AI-assisted: Yes (Codex)
  • Testing degree: Fully tested
  • Prompt/session summary: triaged current open issues for overlap and freshness, rejected stale/overlapping candidates, selected Legacy manual openai-codex provider override breaks Codex OAuth after #37558 / #38026; doctor should detect and fix #40066 as the strongest unclaimed fix, wrote failing doctor regression tests first, implemented the smallest warning-only fix, then ran targeted tests, docs checks, pnpm build, and the full pnpm test suite.
  • Understanding confirmation: I understand this change only adds a doctor warning/docs/tests for stale Codex overrides; it does not change runtime auth resolution or provider behavior.

Verification Commands

  • pnpm exec vitest run src/commands/doctor-auth.deprecated-cli-profiles.test.ts
  • pnpm exec vitest run --config vitest.e2e.config.ts src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts
  • pnpm check:docs
  • git diff --check
  • pnpm build
  • pnpm test

@openclaw-barnacle openclaw-barnacle bot added docs Improvements or additions to documentation gateway Gateway runtime commands Command implementations size: S labels Mar 8, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 8, 2026

Greptile Summary

This PR adds a targeted openclaw doctor warning when a legacy models.providers.openai-codex config override is found alongside a configured or stored Codex OAuth profile. The implementation is minimal and correct: it adds a read-only diagnostic in doctor-auth.ts, wires it into doctor.ts in the right place, adds two E2E regression tests, and updates the docs.

Key points:

  • The implementation is warning-only and does not mutate config or change runtime provider resolution, keeping the change scope tightly bounded.
  • Short-circuit evaluation in noteLegacyCodexProviderOverride correctly avoids unnecessary keychain/disk I/O when the config-level check already confirms an OAuth profile is present.
  • The two helper functions correctly distinguish between config-level (mode: "oauth") and store-level (type: "oauth") profile shapes, matching the existing conventions in doctor-auth.ts.
  • The "warns" E2E test sets up both a configured and stored OAuth profile simultaneously. Due to short-circuit evaluation, hasStoredCodexOAuthProfile is never actually called in that test path, leaving the store-only trigger untested (see inline comment).

Confidence Score: 4/5

  • Safe to merge — warning-only change with no runtime behavior mutations and a low false-positive risk.
  • The implementation is small, read-only, and well-gated (no warning fires unless an actual Codex OAuth profile is present). The main gap is that the store-only code path in hasStoredCodexOAuthProfile is not independently exercised by the tests, so a regression there would go undetected. Everything else — logic, placement, docs — is solid.
  • src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts — the stored-only OAuth trigger path is untested.

Last reviewed commit: e329868

greptile-apps[bot]
greptile-apps bot reviewed Mar 8, 2026
View reviewed changes
Comment thread src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts Outdated
@steipete steipete force-pushed the codex/doctor-warn-stale-codex-override branch from db2737b to c41cfa3 Compare April 8, 2026 02:07
@steipete steipete merged commit 5050017 into openclaw:main Apr 8, 2026
9 checks passed
@steipete
Copy link
Copy Markdown
Contributor

steipete commented Apr 8, 2026

Landed via temp rebase onto main.

  • Gate: pnpm check; pnpm build; OPENCLAW_LOCAL_CHECK=0 pnpm test src/commands/doctor.warns-state-directory-is-missing.e2e.test.ts; OPENCLAW_LOCAL_CHECK=0 pnpm test test/scripts/check-extension-package-tsc-boundary.test.ts
  • Note: broad pnpm test on this machine hit unrelated load-sensitive contract/tooling reds; isolated reruns of the touched surface and reported unrelated files passed, and clean origin/main also reproduced unrelated contract-suite noise under the same load.
  • Land commit: c41cfa3
  • Merge commit: 5050017

Thanks @bde1!

@github-actions github-actions bot mentioned this pull request Apr 8, 2026
Open
eleqtrizit pushed a commit that referenced this pull request Apr 8, 2026
@briandevans @steipete @eleqtrizit
fix(doctor): warn when stale Codex overrides shadow OAuth (#40143)
b63e593 
* fix(doctor): warn on stale codex provider overrides

* test(doctor): cover stored codex oauth warning path

* fix: narrow codex override doctor warning (#40143) (thanks @bde1)

* test: sync doctor e2e mocks after health-flow move (#40143) (thanks @bde1)

---------

Co-authored-by: bde1 <[email protected]>
Co-authored-by: Peter Steinberger <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

commands Command implementations docs Improvements or additions to documentation gateway Gateway runtime size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@briandevans @steipete