[codex plugin 2026.5.16-beta.4] agentRuntime=codex returns 401 "Missing bearer" with profile=- despite OAuth profile registered & Auth: yes

Summary

When agents.defaults.agentRuntime.id = "codex" and a valid openai-codex OAuth profile is registered, model calls to openai-codex/gpt-5.5 and openai-codex/gpt-5.5-pro fail with HTTP 401 "Missing bearer or basic authentication in header". The dispatch logs show profile=- (no profile attached) and the request URL is https://api.openai.com/v1/responses instead of https://chatgpt.com/backend-api/....

The same OAuth tokens work fine in codex CLI directly (so the OAuth flow itself is healthy). openclaw models list --provider openai-codex reports Auth: yes for both models, but at dispatch time the profile is not bound.

Environment

• macOS 14.x (Darwin 25.3.0)
• Node v24.13.0 (nvm)
• OpenClaw: 2026.5.16-beta.4 (38c3a8d) (also reproduced on 2026.5.12)
• Plugin: @openclaw/[email protected]
• Codex CLI: 0.130.0 (separately installed; codex login completed successfully; ~/.codex/auth.json has valid tokens; codex login status → "Logged in")
• ChatGPT subscription: Team plan

Reproduce

1. npm i -g [email protected] --force
2. openclaw plugins install @openclaw/[email protected]
3. openclaw models auth login --provider openai-codex → browser OAuth completes; profile openai-codex:<email> saved in ~/.openclaw/agents/main/agent/auth-profiles.json with type=oauth, provider=openai-codex, expires=<future>.
4. Config:

   openclaw config set plugins.entries.codex '{"enabled":true}' --strict-json --merge
   openclaw config set agents.defaults.agentRuntime '{"id":"codex"}' --strict-json
   openclaw config set agents.defaults.model.primary openai-codex/gpt-5.5-pro
   openclaw config set plugins.allow '["codex"]' --strict-json

5. openclaw plugins list | grep codex → Codex codex enabled 2026.5.16-beta.4 (loads cleanly)
6. openclaw models list --provider openai-codex →

   openai-codex/gpt-5.5-pro    text  195k  no  yes  default
   openai-codex/gpt-5.5        text  195k  no  yes  configured

   Both show Auth: yes.
7. Restart gateway, send any message via Telegram (or trigger any cron).

Expected

Plugin attaches OAuth access token from openai-codex:<email> profile to a request against the codex chatgpt.com/backend-api/... endpoint.

Actual

[agent/embedded] embedded run failover decision: runId=... stage=prompt decision=surface_error
  reason=auth from=openai-codex/gpt-5.5-pro profile=-
  rawError=unexpected status 401 Unauthorized: Missing bearer or basic authentication in header,
  url: https://api.openai.com/v1/responses, cf-ray: ..., request id: sha256:...
[model-fallback/decision] model fallback decision: decision=candidate_failed
  requested=openai-codex/gpt-5.5-pro candidate=openai-codex/gpt-5.5-pro reason=auth next=none
  detail=unexpected status 401 Unauthorized: Missing bearer or basic authentication in header,
  url: https://api.openai.com/v1/responses
Embedded agent failed before reply: unexpected status 401 Unauthorized: Missing bearer or basic
  authentication in header, url: https://api.openai.com/v1/responses

Two issues are visible:

• profile=- — the registered openai-codex:<email> OAuth profile is not bound to the request.
• url: https://api.openai.com/v1/responses — the request goes to the public OpenAI Responses endpoint, not the Codex endpoint (https://chatgpt.com/backend-api) defined in dist/provider-catalog-*.js's CODEX_BASE_URL.

Things tried (no effect)

• Stripped agentHarnessId (all values were pi, not codex) from sessions.json and restarted — same error.
• Upgraded OpenClaw 2026.5.7 → 2026.5.12 → 2026.5.16-beta.4 — 2026.5.7 had a separate Cannot find module 'plugin-sdk/root-alias.cjs/json-schema-runtime' plugin load error that beta resolved, but the auth/endpoint issue persists.
• Toggled plugins.allow = ["codex"] — openclaw models list flipped Auth: yes for gpt-5.5 (was no), but actual dispatch still shows profile=-.
• Switched model.primary between openai-codex/gpt-5.5 and openai-codex/gpt-5.5-pro — same 401 on both.

Suspected root cause

Either:

1. The codex plugin (@openclaw/[email protected]) doesn't register its profile-resolution hook with the embedded model dispatcher (so profile=-), and OpenClaw core falls back to a default OpenAI Responses endpoint without auth; or
2. There is a mismatch between how agents.defaults.agentRuntime.id = "codex" is recognized at dispatch time vs. at models list time (Auth: yes is computed from one code path but the dispatch reads from another).

Either way the user-visible result is that an opt-in ChatGPT-subscription path documented in the changelog cannot complete a single turn end-to-end.

Workarounds

None found in this session. Reverting to a previous provider (litellm proxy / openai/<model> with API key) works as before.

Relevant files

• ~/.openclaw/openclaw.json (after the reproduction config above)
• ~/.openclaw/agents/main/agent/auth-profiles.json (contains the OAuth profile)
• ~/.openclaw/logs/gateway.err.log
• dist/provider-catalog-CtmhLMZO.js (CODEX_BASE_URL constant exists; not reached at runtime)
• dist/pi-embedded-CPEBK2iK.js (harnessId === "codex" && provider === "openai" → "openai-codex" mapping)