Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: models status --json reports missingProvidersInUse: ["codex"] for Codex harness models even when native Codex auth exists [1 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#66872Fetched 2026-04-16 06:37:29
View on GitHub
Comments
1
Participants
2
Timeline
3
Reactions
0
Author
ash67ash67
Participants
ash67ash67neeravmakwananeeravmakwana
Timeline (top)
commented ×1cross-referenced ×1renamed ×1

Default model is codex/gpt-5.4, Codex CLI is installed (codex-cli 0.120.0), and ~/.codex/auth.json plus ~/.codex/config.toml are present. Running openclaw models status --json still puts "codex" in auth.missingProvidersInUse, which does not match how the harness docs describe native auth.

Root Cause

Default model is codex/gpt-5.4, Codex CLI is installed (codex-cli 0.120.0), and ~/.codex/auth.json plus ~/.codex/config.toml are present. Running openclaw models status --json still puts "codex" in auth.missingProvidersInUse, which does not match how the harness docs describe native auth.

Fix Action

Fixed

PR fix notes

PR #66903: fix(models): honor Codex synthetic auth in status

Description (problem / solution / changelog)

Summary

  • Problem: openclaw models status --json could report auth.missingProvidersInUse: ["codex"] for codex/* models even when the Codex provider had plugin-owned synthetic auth available.
  • Why it matters: the status output incorrectly implied missing Codex auth and sent people debugging a provider that was already usable.
  • What changed: models status now resolves provider-plugin synthetic auth when building auth overviews, surfaces that auth in the provider summary, and treats token/oauth synthetic auth as satisfying the in-use provider check.
  • What did NOT change (scope boundary): no model routing, provider execution, or Codex auth storage behavior changed; this only fixes status reporting and its regression coverage.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #66872
  • Related #66872
  • This PR fixes a bug or regression

Root Cause (if applicable)

  • Root cause: src/commands/models/list.status-command.ts only considered auth entries returned from resolveProviderAuthOverview, and that overview only checked auth-store profiles, env keys, and models.json values. It never consulted provider-plugin resolveSyntheticAuth, so codex stayed absent from providerAuthMap and was flagged as missing.
  • Missing detection / guardrail: the closest models status tests covered stored auth, env auth, and CLI backends, but not a provider whose usable auth only exists through plugin-owned synthetic auth.
  • Contributing context (if known): the Codex provider already declared synthetic auth through the provider plugin, but the status path was not using the same seam that runtime auth resolution uses.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/commands/models/list.status.test.ts and src/commands/models/list.auth-overview.test.ts
  • Scenario the test should lock in: codex/gpt-5.4 should not appear in missingProvidersInUse when the Codex provider resolves plugin-owned synthetic token auth.
  • Why this is the smallest reliable guardrail: the regression is entirely inside the status/auth overview path, so command-level and overview-level tests cover it without needing a broader provider execution harness.
  • Existing test that already covers this (if any): None.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

  • openclaw models status --json no longer reports codex as missing when the Codex provider resolves plugin-owned synthetic auth.
  • Provider auth summaries now show synthetic auth details for providers that expose them through the plugin runtime.

Diagram (if applicable)

Before:
[codex/* in use] -> [status checks store/env/models.json only] -> [codex missing]

After:
[codex/* in use] -> [status also checks provider synthetic auth] -> [codex synthetic auth found] -> [missingProvidersInUse stays empty]

Security Impact (required)

  • New permissions/capabilities? (Yes/No): No
  • Secrets/tokens handling changed? (Yes/No): No
  • New/changed network calls? (Yes/No): No
  • Command/tool execution surface changed? (Yes/No): No
  • Data access scope changed? (Yes/No): No
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS 15
  • Runtime/container: local CLI on repo main
  • Model/provider: codex/gpt-5.4, codex/gpt-5.4-mini
  • Integration/channel (if any): N/A
  • Relevant config (redacted): temp OPENCLAW_HOME with codex/* defaults and the Codex plugin enabled

Steps

  1. Create a temp OPENCLAW_HOME with codex/gpt-5.4 as the default model and an openai-codex OAuth profile in auth-profiles.json.
  2. Run pnpm openclaw models status --json against that temp home.
  3. Inspect auth.missingProvidersInUse and the provider auth summary.

Expected

  • missingProvidersInUse is empty for the active codex/* models.
  • The provider summary reflects that Codex auth is available through the provider plugin.

Actual

  • Before this change, the same repro reported missingProvidersInUse: ["codex"].
  • After this change, the repro reports missingProvidersInUse: [] and shows codex with synthetic token auth.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

  • Verified scenarios:
    • Ran pnpm test src/commands/models/list.status.test.ts src/commands/models/list.auth-overview.test.ts
    • Ran pnpm build
    • Reproduced the issue with a temp OPENCLAW_HOME before the fix and verified the same repro returns missingProvidersInUse: [] after the fix
  • Edge cases checked:
    • Existing stored/env auth summaries still pass in the targeted tests
    • Codex synthetic auth is surfaced both in the auth overview unit test and the command-level JSON output test
  • What you did not verify:
    • Full pnpm test
    • Other providers with synthetic auth beyond the targeted command tests

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No): Yes
  • Config/env changes? (Yes/No): No
  • Migration needed? (Yes/No): No
  • If yes, exact upgrade steps:

Risks and Mitigations

  • Risk: providers with synthetic auth now appear in the status provider summary where they were previously invisible.
    • Mitigation: coverage was added at both the auth-overview and command JSON layers, and the change is limited to the status-reporting path.

Changed files

  • src/commands/models/list.auth-overview.test.ts (modified, +54/-22)
  • src/commands/models/list.auth-overview.ts (modified, +43/-2)
  • src/commands/models/list.status-command.ts (modified, +31/-8)
  • src/commands/models/list.status.test.ts (modified, +74/-0)
  • src/commands/models/list.types.ts (modified, +2/-1)
  • src/plugins/provider-runtime.runtime.ts (modified, +9/-0)

Code Example

{
  "agents": {
    "defaults": {
      "embeddedHarness": {
        "runtime": "auto",
        "fallback": "pi"
      },
      "model": {
        "primary": "codex/gpt-5.4",
        "fallbacks": [
          "codex/gpt-5.4-mini",
          "google-gemini-cli/gemini-3.1-pro-preview"
        ]
      },
      "models": {
        "codex/gpt-5.4": { "alias": "codex" },
        "codex/gpt-5.4-mini": { "alias": "codex-mini" },
        "google-gemini-cli/gemini-3.1-pro-preview": { "alias": "gemini" }
      }
    },
    "list": [
      {
        "id": "main",
        "default": true,
        "model": "codex/gpt-5.4"
      }
    ]
  },
  "plugins": {
    "entries": {
      "codex": {
        "enabled": true,
        "config": {
          "discovery": {
            "enabled": true
          }
        }
      }
    }
  }
}

---

codex --version
# codex-cli 0.120.0

---

{
  "configPath": "~/.openclaw/openclaw.json",
  "agentDir": "~/.openclaw/agents/main/agent",
  "defaultModel": "codex/gpt-5.4",
  "resolvedDefault": "codex/gpt-5.4",
  "fallbacks": [
    "codex/gpt-5.4-mini",
    "google-gemini-cli/gemini-3.1-pro-preview"
  ],
  "aliases": {
    "codex": "codex/gpt-5.4",
    "codex-mini": "codex/gpt-5.4-mini",
    "gemini": "google-gemini-cli/gemini-3.1-pro-preview"
  },
  "allowed": [
    "codex/gpt-5.4",
    "codex/gpt-5.4-mini",
    "google-gemini-cli/gemini-3.1-pro-preview"
  ],
  "auth": {
    "storePath": "~/.openclaw/agents/main/agent/auth-profiles.json",
    "providersWithOAuth": [
      "google-gemini-cli (1)",
      "openai-codex (2)"
    ],
    "missingProvidersInUse": [
      "codex"
    ],
    "providers": [
      {
        "provider": "google-gemini-cli",
        "profiles": { "count": 1 }
      },
      {
        "provider": "openai",
        "profiles": { "count": 1 }
      },
      {
        "provider": "openai-codex",
        "profiles": { "count": 2 }
      },
      {
        "provider": "openrouter",
        "profiles": { "count": 1 }
      }
    ]
  }
}
RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Default model is codex/gpt-5.4, Codex CLI is installed (codex-cli 0.120.0), and ~/.codex/auth.json plus ~/.codex/config.toml are present. Running openclaw models status --json still puts "codex" in auth.missingProvidersInUse, which does not match how the harness docs describe native auth.

Steps to reproduce

  1. OpenClaw 2026.4.14-beta.1 from openclaw/openclaw main (pulled 2026-04-15).
  2. Codex CLI installed and logged in; ~/.codex/auth.json and ~/.codex/config.toml both exist and have content.
  3. Config roughly as in Additional provider/model setup details (no keys pasted).
  4. openclaw models status --json
  5. Check auth.missingProvidersInUse.

Expected behavior

The Codex harness docs describe native auth via paths like ~/.codex/auth.json. With that in place and codex/* in use, I would not expect codex to show up as a missing provider—unless the tool deliberately treats native files separately and says so in the output.

Actual behavior

missingProvidersInUse is ["codex"]. Same JSON shows providersWithOAuth including openai-codex (2) and providers listing openai-codex with two profiles. Full shape is in Logs, screenshots, and evidence (home paths normalised to ~/).

OpenClaw version

2026.4.14-beta.1 (main @ 2026-04-15)

Operating system

macOS 15.7.4

Install method

From the GitHub repo (openclaw/openclaw, main).

Model

Primary codex/gpt-5.4; fallbacks codex/gpt-5.4-mini, google-gemini-cli/gemini-3.1-pro-preview.

Provider / routing chain

Codex harness with codex/* models; codex plugin on; native ~/.codex/* auth on disk.

Additional provider/model setup details

{
  "agents": {
    "defaults": {
      "embeddedHarness": {
        "runtime": "auto",
        "fallback": "pi"
      },
      "model": {
        "primary": "codex/gpt-5.4",
        "fallbacks": [
          "codex/gpt-5.4-mini",
          "google-gemini-cli/gemini-3.1-pro-preview"
        ]
      },
      "models": {
        "codex/gpt-5.4": { "alias": "codex" },
        "codex/gpt-5.4-mini": { "alias": "codex-mini" },
        "google-gemini-cli/gemini-3.1-pro-preview": { "alias": "gemini" }
      }
    },
    "list": [
      {
        "id": "main",
        "default": true,
        "model": "codex/gpt-5.4"
      }
    ]
  },
  "plugins": {
    "entries": {
      "codex": {
        "enabled": true,
        "config": {
          "discovery": {
            "enabled": true
          }
        }
      }
    }
  }
}

Logs, screenshots, and evidence

codex --version
# codex-cli 0.120.0

openclaw models status --json (absolute paths swapped for ~/):

{
  "configPath": "~/.openclaw/openclaw.json",
  "agentDir": "~/.openclaw/agents/main/agent",
  "defaultModel": "codex/gpt-5.4",
  "resolvedDefault": "codex/gpt-5.4",
  "fallbacks": [
    "codex/gpt-5.4-mini",
    "google-gemini-cli/gemini-3.1-pro-preview"
  ],
  "aliases": {
    "codex": "codex/gpt-5.4",
    "codex-mini": "codex/gpt-5.4-mini",
    "gemini": "google-gemini-cli/gemini-3.1-pro-preview"
  },
  "allowed": [
    "codex/gpt-5.4",
    "codex/gpt-5.4-mini",
    "google-gemini-cli/gemini-3.1-pro-preview"
  ],
  "auth": {
    "storePath": "~/.openclaw/agents/main/agent/auth-profiles.json",
    "providersWithOAuth": [
      "google-gemini-cli (1)",
      "openai-codex (2)"
    ],
    "missingProvidersInUse": [
      "codex"
    ],
    "providers": [
      {
        "provider": "google-gemini-cli",
        "profiles": { "count": 1 }
      },
      {
        "provider": "openai",
        "profiles": { "count": 1 }
      },
      {
        "provider": "openai-codex",
        "profiles": { "count": 2 }
      },
      {
        "provider": "openrouter",
        "profiles": { "count": 1 }
      }
    ]
  }
}

Impact and severity

Low urgency: nothing crashes. It is mainly confusing when you use models status as a sanity check—reads like Codex auth is absent when the harness is pointed at codex/* and the ~/.codex files are there. Easy to burn time re-checking auth that is already on disk.

Additional information

OpenAI vs Codex provider notes — I am not sure whether codex vs openai-codex in this JSON is intentional; including the link in case it helps whoever triages.

extent analysis

TL;DR

The issue might be resolved by ensuring that the codex provider is properly configured to use the native authentication files.

Guidance

  • Verify that the ~/.codex/auth.json and ~/.codex/config.toml files are correctly formatted and contain the necessary authentication information.
  • Check the OpenClaw documentation to see if there are any specific requirements for configuring the codex provider to use native authentication files.
  • Review the openclaw models status --json output to ensure that the codex provider is listed under providers and that the missingProvidersInUse field does not include codex.
  • Consider checking the differences between codex and openai-codex providers, as mentioned in the OpenAI vs Codex provider notes, to ensure that the correct provider is being used.

Example

No code example is provided as the issue seems to be related to configuration and authentication.

Notes

The issue seems to be related to the configuration of the codex provider and its authentication. The fact that openai-codex is listed under providersWithOAuth and providers suggests that there might be a difference in how codex and openai-codex are handled.

Recommendation

Apply a workaround by verifying the configuration of the codex provider and ensuring that it is properly set up to use the native authentication files. This might involve updating the ~/.codex/auth.json and ~/.codex/config.toml files or modifying the OpenClaw configuration to correctly handle the codex provider.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

The Codex harness docs describe native auth via paths like ~/.codex/auth.json. With that in place and codex/* in use, I would not expect codex to show up as a missing provider—unless the tool deliberately treats native files separately and says so in the output.

#agent setup#task chaining#parallel task#integration issue#index setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING