PR #73462: fix: add auth profile listing

• Repository: openclaw/openclaw
• Author: IshanG97
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/73462

Description (problem / solution / changelog)

Summary

• Problem: openclaw auth list is currently unavailable for users trying to inspect saved model auth profiles.
• Why it matters: scripts and troubleshooting flows need a read-only way to confirm configured auth profile ids without reading auth-profiles.json directly.
• What changed: added openclaw auth list plus openclaw models auth list, with text, JSON, and plain output that does not print raw API keys, tokens, or OAuth access tokens.
• What did NOT change (scope boundary): no auth creation, refresh, login, secret resolution, or provider probing behaviour changed.

Fixes #73305.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #73305
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: the model auth CLI had login/setup/order helpers but no read-only list subcommand, and there was no top-level auth command registered.
• Missing detection / guardrail: command-registration tests did not cover the expected auth list affordance.
• Contributing context (if known): users had to read the auth store JSON directly to inspect saved profiles.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/cli/auth-cli.test.ts, src/cli/models-cli.test.ts, src/commands/models/auth-list.test.ts
• Scenario the test should lock in: both CLI surfaces route to the same read-only list command, and formatted output does not include stored secret values.
• Why this is the smallest reliable guardrail: the bug is command wiring plus output sanitisation, so command-level and formatter unit tests cover the regression without provider/network setup.
• Existing test that already covers this (if any): none.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

openclaw auth list and openclaw models auth list now print configured model auth profile metadata. --json emits structured metadata and --plain emits profile ids only.

Diagram (if applicable)

N/A

Before:
openclaw auth list -> unknown command

After:
openclaw auth list -> read auth profile store -> redacted profile summary

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: this adds a read-only CLI command for existing local auth profile metadata. Output intentionally reports credential kind/status only and tests assert raw API keys and OAuth token values are not printed.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local checkout
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): N/A

Steps

1. Run openclaw auth list.
2. Run openclaw models auth list --json.

Expected

• Commands print auth profile metadata without raw secret values.

Actual

• Current release reports auth as unavailable or leaves users without a read-only profile-listing command.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Local command evidence:

• git diff --check HEAD~1..HEAD passed.
• pnpm install was attempted twice but blocked before tests by Corepack registry timeouts while downloading pnpm 10.33.0 (UND_ERR_CONNECT_TIMEOUT).

Human Verification (required)

• Verified scenarios: source-level command wiring for auth list and models auth list; formatter tests cover redaction of API key, token, and OAuth values.
• Edge cases checked: missing credential marker, OAuth expiry display, cooldown status precedence.
• What you did not verify: local Vitest/typecheck/format, because this machine could not download pnpm through Corepack. CI should run the new test files.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: auth metadata output could accidentally reveal secret material.
  • Mitigation: the formatter reports only credential kind and status, and unit coverage asserts raw key/token values are absent.

Changed files

• CHANGELOG.md (modified, +1/-0)
• docs/cli/index.md (modified, +5/-3)
• docs/cli/models.md (modified, +6/-1)
• src/cli/auth-cli.test.ts (added, +43/-0)
• src/cli/auth-cli.ts (added, +39/-0)
• src/cli/command-catalog.ts (modified, +4/-0)
• src/cli/models-cli.test.ts (modified, +13/-0)
• src/cli/models-cli.ts (modified, +22/-0)
• src/cli/program/register.subclis-core.ts (modified, +5/-0)
• src/cli/program/subcli-descriptors.ts (modified, +5/-0)
• src/commands/models.ts (modified, +1/-0)
• src/commands/models/auth-list.test.ts (added, +101/-0)
• src/commands/models/auth-list.ts (added, +180/-0)