openclaw - ✅(Solved) Fix models auth --agent <id> login ignores --agent flag, always writes to active runtime agent store [2 pull requests, 1 participants]

openclaw/openclaw#71864 (fetched 2026-04-26 05:07:25)

When running `openclaw models auth --agent main login --provider openai-codex`, the `--agent` flag is silently ignored. The OAuth token is always written to the currently active runtime agent's `auth-profiles.json` (in this case `agents/coder/agent/auth-profiles.json`) instead of the specified agent's store.


Fix Action

Workaround

Manually copy the valid `openai-codex` profile object from the fresh agent's `auth-profiles.json` into the stale agent's file using Python.

PR fix notes

PR #71907: fix(models): honor --agent for auth login

Description (problem / solution / changelog)

Summary

  • Problem: openclaw models auth --agent <id> login accepted a parent --agent flag, but the login flow still resolved and wrote auth profiles through the configured default agent.
  • Why it matters: users with separate agent stores could not refresh a stale token for a specific agent without manually copying auth-profiles.json entries.
  • What changed: auth login now carries the resolved parent --agent into the provider auth context, so provider auth methods and persisted profiles use the selected agent's agentDir and workspace.
  • What did NOT change (scope boundary): paste-token, setup-token, auth order commands, provider auth methods, and default-agent behavior when no --agent is supplied are unchanged.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #71864
  • This PR fixes a bug or regression

Root Cause (if applicable)

  • Root cause: the models auth parent command had an --agent option, but login and login-github-copilot did not read parent command options before calling modelsAuthLoginCommand.
  • Missing detection / guardrail: CLI tests covered models status --agent, but not auth login's parent --agent propagation or the downstream auth persistence context.
  • Contributing context (if known): models auth order already used resolveOptionFromCommand() for parent --agent; login missed that same pattern.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/cli/models-cli.test.ts, src/commands/models/auth.test.ts
  • Scenario the test should lock in: models auth --agent coder login --provider openai-codex passes agent: "coder", resolves the coder agentDir/workspaceDir, and persists the profile to the coder store.
  • Why this is the smallest reliable guardrail: it covers both the Commander parent-option seam and the auth context used by provider login without requiring a live OAuth browser flow.
  • Existing test that already covers this (if any): none.
  • If no new test is added, why not: N/A, regression tests added.

User-visible / Behavior Changes

openclaw models auth --agent <id> login ... and openclaw models auth --agent <id> login-github-copilot ... now target the selected agent's auth store instead of always using the configured default agent.

Diagram (if applicable)

Before:
models auth --agent coder login -> default agentDir -> main auth-profiles.json

After:
models auth --agent coder login -> coder agentDir/workspaceDir -> coder auth-profiles.json

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (Yes)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation: OAuth/token material is written to the user-selected existing agent store rather than the default store. The agent id is validated with the existing resolveKnownAgentId() path before resolving agentDir.

Repro + Verification

Environment

  • OS: Windows local dev for tests
  • Runtime/container: local pnpm/vitest
  • Model/provider: mocked OpenAI Codex provider auth flow
  • Integration/channel (if any): models auth CLI
  • Relevant config (redacted): test config with main and coder agents

Steps

  1. Configure two agents, main and coder.
  2. Run openclaw models auth --agent coder login --provider openai-codex.
  3. Complete the provider auth flow.

Expected

  • Login context uses the coder agent directory and writes the auth profile to the coder auth store.

Actual

  • Before this fix, login ignored the parent --agent flag and used the default agent auth store.

Evidence

  • Passing regression coverage: pnpm exec vitest run src\cli\models-cli.test.ts -> 1 file passed, 6 tests passed
  • Passing regression coverage: pnpm exec vitest run src\commands\models\auth.test.ts -> 1 file passed, 11 tests passed
  • Changed-file gate: pnpm check:changed passed
  • Whitespace check: git diff --check passed

Human Verification (required)

  • Verified scenarios: parent --agent propagation for models auth login and login-github-copilot; auth login context resolves and writes through the selected agent directory.
  • Edge cases checked: default-agent behavior remains covered when no --agent is supplied; unknown-agent validation stays on the existing shared resolver path.
  • What you did not verify: live OAuth browser/device flow against a real provider, because the regression is in local CLI option routing and auth context selection.

Review Conversations

N/A, no review conversations on this PR yet.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps: N/A

Risks and Mitigations

  • Risk: users may now write credentials to a non-default agent store when they intentionally pass --agent.
    • Mitigation: this is the documented/expected behavior for the flag, and the agent id is validated before any auth context is built.

Changed files

  • src/cli/models-cli.test.ts (modified, +19/-0)
  • src/cli/models-cli.ts (modified, +6/-2)
  • src/commands/models/auth.test.ts (modified, +44/-0)
  • src/commands/models/auth.ts (modified, +9/-4)

PR #71933: fix: honor agent for models auth writes

Description (problem / solution / changelog)

Summary

  • Treat the parent models auth --agent <id> option as the target agent for all auth write commands: add, login, setup-token, paste-token, and login-github-copilot.
  • Resolve the requested configured agent through the existing known-agent validation path before choosing auth-profile storage and provider workspace context.
  • Update docs/changelog and expand regression coverage for CLI forwarding, provider auth writes, token writes, and the interactive add paste fallback.

Root cause

models auth exposed a parent --agent option, but only part of the auth surface consumed it. login originally ignored it, and token-oriented helpers still resolved the default agent internally. That meant OAuth/API-key/token results could be persisted to the default agent store even when the caller requested a specific configured agent.

Why this is the right fix

This keeps the behavior at the auth-command boundary instead of adding provider-specific special cases. The implementation reuses the existing resolveKnownAgentId + resolveAgentDir/resolveAgentWorkspaceDir flow already used by related per-agent auth commands, so unknown agent IDs are handled by the existing validation contract. When --agent is omitted, behavior still falls back to the configured default agent.

Security/runtime behavior is unchanged: OAuth handlers, token formats, provider plugin loading controls, secret-ref policy, config patching, stale lockout clearing, and auth-profile persistence all continue to use the existing helpers. They now receive the same resolved agent directory/workspace for the requested agent.

Tests

  • pnpm docs:list
  • pnpm test src/cli/models-cli.test.ts src/commands/models/auth.test.ts
  • pnpm docs:check-mdx
  • pnpm check:changed

Fixes #71864.

Made with Cursor

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • docs/cli/models.md (modified, +3/-0)
  • src/cli/models-cli.test.ts (modified, +58/-7)
  • src/cli/models-cli.ts (modified, +18/-7)
  • src/commands/models/auth.test.ts (modified, +218/-11)
  • src/commands/models/auth.ts (modified, +25/-11)
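
The parent-option seam that both PR descriptions name as the root cause, as an added TypeScript example that is not OpenClaw's code. `CommandLike`, `optionFromCommandChain`, `resolveKnownAgent`, `authStorePath`, the `stateDir` argument and the agent list are hypothetical stand-ins for the project's helpers; the command tree is constructed.

```typescript
// Minimal shape shared with Commander's Command: own options plus a parent link.
interface CommandLike {
  opts(): Record<string, unknown>;
  parent?: CommandLike | null;
}

// Constructed config: the only ids allowed to own an auth store.
const KNOWN_AGENTS: readonly string[] = ["main", "coder"];
const DEFAULT_AGENT = "main";

// Walk from the subcommand up through its parents; return the first string set for `name`.
function optionFromCommandChain(cmd: CommandLike, name: string): string | undefined {
  for (let c: CommandLike | null | undefined = cmd; c; c = c.parent) {
    const value = c.opts()[name];
    if (typeof value === "string" && value.length > 0) return value;
  }
  return undefined;
}

// Accept only configured ids, so the flag value never reaches a path unchecked.
function resolveKnownAgent(requested: string | undefined): string {
  if (requested === undefined) return DEFAULT_AGENT;
  if (KNOWN_AGENTS.indexOf(requested) === -1) {
    throw new Error(`unknown agent id: ${JSON.stringify(requested)}`);
  }
  return requested;
}

// Layout follows the agents/<id>/agent/auth-profiles.json paths in the issue.
function authStorePath(stateDir: string, agentId: string): string {
  return `${stateDir}/agents/${agentId}/agent/auth-profiles.json`;
}

// Before: login reads only its own options, so the parent's --agent is lost.
function loginTargetBefore(login: CommandLike, stateDir: string): string {
  const own = login.opts()["agent"];
  return authStorePath(stateDir, resolveKnownAgent(typeof own === "string" ? own : undefined));
}

// After: the parent option is resolved and validated before a path is built.
function loginTargetAfter(login: CommandLike, stateDir: string): string {
  return authStorePath(stateDir, resolveKnownAgent(optionFromCommandChain(login, "agent")));
}

// Constructed command tree for: models auth [--agent <id>] login
function makeLogin(parentAgent?: string): CommandLike {
  const auth: CommandLike = { opts: () => (parentAgent ? { agent: parentAgent } : {}), parent: null };
  return { opts: () => ({ provider: "openai-codex" }), parent: auth };
}
```

With `--agent coder` on the parent, `loginTargetBefore` resolves the `main` store and `loginTargetAfter` resolves the `coder` store; an id outside the configured list is rejected before any path is formed.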
RAW_BUFFER

Summary

When running `openclaw models auth --agent main login --provider openai-codex`, the `--agent` flag is silently ignored. The OAuth token is always written to the currently active runtime agent's `auth-profiles.json` (in this case `agents/coder/agent/auth-profiles.json`) instead of the specified agent's store.

Version

OpenClaw 2026.4.23 (a979721)

Steps to Reproduce

  1. Have two agent stores with divergent `openai-codex` auth state (e.g. `agents/main` expired, `agents/coder` valid).
  2. Run `openclaw models auth --agent main login --provider openai-codex` and complete the OAuth browser flow.
  3. Observe that `agents/main/agent/auth-profiles.json` is unchanged; `agents/coder/agent/auth-profiles.json` is updated with the new token instead.

Expected Behavior

The `--agent main` flag should direct the token write to `agents/main/agent/auth-profiles.json`.

Actual Behavior

Token is always written to the currently active runtime agent store regardless of `--agent` value.

Impact

Users with multiple agents (e.g. main + coder) who have a stale token in one agent store cannot fix it using the CLI flag. Requires manual file copy to sync auth state between agent stores.

Workaround

Manually copy the valid `openai-codex` profile object from the fresh agent's `auth-profiles.json` into the stale agent's file using Python.

extent analysis

TL;DR

The --agent flag is ignored, so the OAuth token is written to the currently active runtime agent's store instead of the specified agent's store. The workaround is to manually copy the valid profile object between agent stores.

Guidance

  • Verify that the --agent flag is correctly specified and that the target agent store exists and is properly configured.
  • Check the OpenClaw documentation to see if there are any known issues or limitations with the --agent flag in version 2026.4.23.
  • Consider using the manual workaround provided, which involves copying the valid openai-codex profile object from the fresh agent's auth-profiles.json into the stale agent's file using Python.
  • Test the workaround with a small-scale example to ensure it works as expected before applying it to production.

Example

The issue does not include code for the workaround. Copying the valid profile object with Python could look like this:

import json
import os

FRESH = 'agents/coder/agent/auth-profiles.json'
STALE = 'agents/main/agent/auth-profiles.json'

# Load the fresh agent's auth-profiles.json
with open(FRESH) as f:
    fresh_profiles = json.load(f)

# Load the stale agent's auth-profiles.json
with open(STALE) as f:
    stale_profiles = json.load(f)

# Copy the valid openai-codex profile object.
# Assumption: the profile sits under a top-level 'openai-codex' key;
# check the actual layout of your file before running.
stale_profiles['openai-codex'] = fresh_profiles['openai-codex']

# Write to an owner-only temp file, then rename it over the original so the
# token file is never left half-written or created with loose permissions.
tmp = STALE + '.tmp'
fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, 'w') as f:
    json.dump(stale_profiles, f)
os.replace(tmp, STALE)

Notes

The provided workaround is a manual solution and may not be scalable or suitable for all use cases. It is recommended to investigate the root cause of the issue and seek a more permanent fix.
