openclaw [Feature]: Add opt-out for external CLI credential sync into auth profiles (how to fix) [1 participant]

GitHub stats: openclaw/openclaw#61694, fetched 2026-04-08 02:55:47. Comments: 0. Participants: 1. Timeline events: 0. Reactions: 0.


Summary

Add a supported global opt-out for external CLI credential sync into OpenClaw auth profiles.

Problem to solve

OpenClaw currently syncs some external CLI credentials into the auth-profile store at runtime, including Codex CLI credentials. That is convenient in some setups, but it causes the wrong behavior when a user intentionally wants OpenClaw to use a different auth profile than the one configured in a local CLI.

A concrete case is Codex CLI: the local machine may already be authenticated for one account/profile, but OpenClaw should use a separate auth profile for a different account, org, or billing setup. Today, OpenClaw can still auto-import the local CLI credentials into the auth-profile store, which makes local CLI auth and OpenClaw auth feel coupled by default.

Existing behavior like OPENCLAW_AUTH_STORE_READONLY=1 is not sufficient because it only prevents persistence to disk. It does not disable the in-memory sync behavior.

Proposed solution

Add a generic auth-level opt-out for external CLI sync.

Recommended config:

{
  "auth": {
    "externalCliSync": {
      "enabled": false
    }
  }
}

Recommended env override:

OPENCLAW_AUTH_EXTERNAL_CLI_SYNC=0

Recommended precedence:

  1. env override
  2. config
  3. default true

This seems best implemented centrally in the auth-profile store load/hydration path rather than through provider-specific flags.

Alternatives considered

A provider-specific flag such as openai-codex.disableCliSync would solve one immediate case, but this behavior is not provider-specific. It is a generic auth-store hydration mechanism that already applies to multiple external CLIs, so the control belongs under auth, not under a specific provider.

Using plugin hooks or resolveSyntheticAuth also seems like the wrong seam, because the main behavior comes from auth-store external CLI sync rather than provider-specific fallback logic.

Relying on OPENCLAW_AUTH_STORE_READONLY=1 is also insufficient because it does not stop the sync from affecting runtime behavior.

Impact

Affected users/systems/channels: Users who run OpenClaw alongside local CLIs such as Codex CLI and want OpenClaw to use a different account, org, or auth profile than the local CLI.

Severity: Medium. It does not always break immediately, but it causes confusing and surprising auth behavior.

Frequency: Whenever external CLI sync runs and local CLI credentials are present.

Consequence: Unexpected credential coupling, wrong auth profile selection, stale or undesired credentials appearing in runtime behavior, and extra debugging after restarts or re-auth flows.

Evidence/examples

Concrete example:

  • Codex CLI is authenticated locally on the machine
  • OpenClaw is intended to use a different auth profile
  • OpenClaw auto-syncs external CLI credentials into the auth-profile store
  • there is no supported global way to disable that behavior

This request is specifically about the auth-profile external CLI sync path, not the separate provider-plugin resolveSyntheticAuth seam.

Additional information

This request is not asking to remove the feature entirely. Default-enabled behavior is probably fine for backward compatibility, but there should be a supported global opt-out so users can keep OpenClaw auth isolated from local CLI auth state.

If useful, a low-risk implementation would be:

  • add auth.externalCliSync.enabled
  • add OPENCLAW_AUTH_EXTERNAL_CLI_SYNC
  • gate the existing external CLI sync call sites through one helper in the auth-profile store

Extent analysis

TL;DR

To fix the issue, add a global opt-out for external CLI credential sync into OpenClaw auth profiles by introducing a configuration option auth.externalCliSync.enabled and an environment variable override OPENCLAW_AUTH_EXTERNAL_CLI_SYNC.

Guidance

  • Introduce a new configuration option auth.externalCliSync.enabled with a default value of true to control the external CLI sync behavior.
  • Add an environment variable override OPENCLAW_AUTH_EXTERNAL_CLI_SYNC to allow users to opt-out of the external CLI sync.
  • Update the auth-profile store load/hydration path to respect the new configuration option and environment variable.
  • Gate the existing external CLI sync call sites through a single helper function in the auth-profile store to ensure consistent behavior.

Example

{
  "auth": {
    "externalCliSync": {
      "enabled": false
    }
  }
}

Alternatively, users can opt-out using the environment variable:

OPENCLAW_AUTH_EXTERNAL_CLI_SYNC=0
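As an added example (not OpenClaw's own code, and covering both the issue's "low-risk implementation" list and the guidance above), this is how the resolver and the single gating helper could look: the precedence is env override, then config, then default true, and every external-CLI sync call site goes through one function. The type and function names, and the env spellings other than "0", are assumptions; only the config key and env var come from the issue.

```typescript
// Added example (not OpenClaw's own code): resolve the proposed
// auth.externalCliSync.enabled opt-out with the issue's precedence
// (env override, then config, then default true) and gate every
// external-CLI sync call site through one helper. Type and function
// names are assumed; only the config key and env var come from the issue.

interface OpenClawConfig {
  auth?: { externalCliSync?: { enabled?: boolean } };
}

interface AuthProfile { id: string; token: string; source: "config" | "external-cli" }

// Loader for one external CLI (e.g. Codex CLI); undefined when not logged in.
type ExternalCliSource = () => AuthProfile | undefined;
type Env = { [name: string]: string | undefined };

// Tri-state: true/false when recognised, undefined when unset or unrecognised
// so that config (then the default) applies. The issue only names "0";
// the other spellings are an assumption.
function parseEnvFlag(raw: string | undefined): boolean | undefined {
  if (raw === undefined) return undefined;
  switch (raw.trim().toLowerCase()) {
    case "0": case "false": case "no": case "off": return false;
    case "1": case "true": case "yes": case "on": return true;
    default: return undefined;
  }
}

function isExternalCliSyncEnabled(config: OpenClawConfig, env: Env): boolean {
  const fromEnv = parseEnvFlag(env["OPENCLAW_AUTH_EXTERNAL_CLI_SYNC"]);
  if (fromEnv !== undefined) return fromEnv;              // 1. env override
  const fromConfig = config.auth?.externalCliSync?.enabled;
  if (typeof fromConfig === "boolean") return fromConfig; // 2. config
  return true;                                            // 3. default on
}

// The single gate for external-CLI sync in the auth-profile store. When the
// opt-out is active the in-memory store is returned untouched, which is what
// OPENCLAW_AUTH_STORE_READONLY alone does not guarantee.
function hydrateAuthProfiles(store: { [id: string]: AuthProfile }, sources: ExternalCliSource[],
                             config: OpenClawConfig, env: Env): { [id: string]: AuthProfile } {
  if (!isExternalCliSyncEnabled(config, env)) return store;
  for (const load of sources) {
    const profile = load();
    if (profile) store[profile.id] = profile; // same overwrite semantics as today's sync
  }
  return store;
}
```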

Notes

The proposed solution aims to provide a generic auth-level opt-out for external CLI sync, which should address the issue without removing the feature entirely. The implementation should be done centrally in the auth-profile store load/hydration path.

Recommendation

Apply the proposed solution by introducing the auth.externalCliSync.enabled configuration option and the OPENCLAW_AUTH_EXTERNAL_CLI_SYNC environment variable override. This will provide a supported global opt-out for users who want to keep OpenClaw auth isolated from local CLI auth state.
