feat: support CLAWSWEEPER_CODEX_LOGIN_METHOD for local OAuth runs

[anagnorisis2peripeteia]

Summary

• Add CLAWSWEEPER_CODEX_LOGIN_METHOD env var to override the hardcoded forced_login_method="api" Codex config
• Default remains "api" for CI/production (no behavioral change)
• Set to "chatgpt" for local runs with ChatGPT Pro OAuth subscriptions

Motivation

forced_login_method="api" requires an OpenAI platform API key, which is correct for CI where API keys are stored as repository secrets. However, local deployments with ChatGPT Pro subscriptions authenticate via OAuth (codex login), and the hardcoded "api" override causes Codex to log users out with "API key login is required, but ChatGPT is currently being used."

Proof

Tested on Windows 11 with CLAWSWEEPER_CODEX_LOGIN_METHOD=chatgpt:

[review] shard=0/1 start #89834 (1/1)
[review] shard=0/1 done #89834 (1/1) decision=keep_open confidence=medium
[review] shard=0/1 complete reviewed=1

review_codex_elapsed_ms: 411103
review_status: complete

Full 7-minute Codex review completed using ChatGPT Pro OAuth. 119k char prompt consumed. Structured review output with actionable findings produced.

Without the env var (default "api"):

API key login is required, but ChatGPT is currently being used. Logging out.

Files changed

• src/clawsweeper.ts -- both runCodex() and runCodexAssist(): read CLAWSWEEPER_CODEX_LOGIN_METHOD env var

Test plan

• chatgpt login: full review completed with OAuth auth
• Default (api): no behavioral change for CI/production
• Structured review output produced with actionable findings

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 3, 2026, 5:39 PM ET / 21:39 UTC.

Summary
The PR adds a validated CLAWSWEEPER_CODEX_LOGIN_METHOD env override and routes four Codex subprocess config sites through a shared helper, with unit tests for default, accepted, rejected, and emitted config behavior.

Reproducibility: yes. for the source-level failure mode: current main hardcodes forced_login_method="api" in all four core Codex subprocess configs, matching the PR body's before-error for local ChatGPT OAuth. I did not run a live OAuth flow, but the PR body provides terminal after-proof for the local Windows run.

Review metrics: 3 noteworthy metrics.

• Codex config sites covered: 4 changed. The helper covers every current hardcoded forced_login_method="api" site found in the main review, assist, commit-sweeper, and PR-close proof paths.
• Login-method tests added: 4 added. The tests cover the default, accepted override, invalid fallback, and emitted Codex config string for the new auth selector.
• Patch size: 5 files, +72/-8. The diff is narrow but touches auth-provider configuration used by several automation paths.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Have a maintainer explicitly accept or reject the opt-in auth-provider env surface before merge.

Risk before merge

• [P1] The PR intentionally introduces an auth-provider control: when set to chatgpt, Codex subprocesses use local OAuth credentials instead of the API-key-only path, so maintainers should explicitly accept that supported local-run surface before merge.
• [P1] The new environment variable is not documented in README.md; this may be acceptable for an internal/local override, but maintainers should decide whether it needs user-facing or operator-facing documentation.

Maintainer options:

1. Accept the opt-in OAuth override (recommended)
   Merge after maintainer review confirms CLAWSWEEPER_CODEX_LOGIN_METHOD=chatgpt is an acceptable local-run auth-provider control while api remains the default.
2. Document before merge
   Add a short local-operations note explaining that only api and chatgpt are accepted and invalid values fall back to api.
3. Keep API-only runtime
   Close or pause this branch if maintainers do not want local ChatGPT OAuth to be a supported ClawSweeper runtime mode.

Next step before merge

• No automated repair is needed; the remaining action is maintainer review of the new auth-provider env surface and whether it should be documented.

Security
Cleared: The diff validates the new env value against a two-item allowlist and leaves credential stripping unchanged, so I found no concrete security or supply-chain regression.

Review details

Best possible solution:

Land the focused helper if maintainers accept the opt-in local OAuth auth-provider surface, keeping api as the default and normal CI behavior unchanged.

Do we have a high-confidence way to reproduce the issue?

Yes for the source-level failure mode: current main hardcodes forced_login_method="api" in all four core Codex subprocess configs, matching the PR body's before-error for local ChatGPT OAuth. I did not run a live OAuth flow, but the PR body provides terminal after-proof for the local Windows run.

Is this the best way to solve the issue?

Yes, assuming maintainers want the new env surface: the patch is narrow, allowlists api and chatgpt, falls back to api, and centralizes the config across the existing hardcoded sites. If local OAuth is out of scope, the safer solution is to keep API-only behavior rather than merge the new control.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 74f63a090af7.

Label changes

Label justifications:

• P2: This is a scoped improvement for local OAuth runs with limited blast radius because the default remains API login.
• merge-risk: 🚨 auth-provider: The PR adds an opt-in Codex login-method control, which changes auth-provider routing when operators set the new environment variable.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes terminal output showing an after-fix full local review with the chatgpt override and the prior API-login failure without it.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes terminal output showing an after-fix full local review with the chatgpt override and the prior API-login failure without it.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read fully; its conservative guidance for ClawSweeper automation and auth-sensitive workflow changes applies to this review. (AGENTS.md:1, 74f63a090af7)
• Current main hardcodes API login: Current main still passes forced_login_method="api" in the core review and assist Codex configs, so the requested local OAuth behavior is not already implemented on main. (src/clawsweeper.ts:6177, 74f63a090af7)
• All existing hardcoded sites found: Search found the four current hardcoded forced_login_method="api" sites in review, assist, commit-sweeper, and PR-close proof paths, matching the PR's changed surface. (src/clawsweeper.ts:6177, 74f63a090af7)
• PR diff is focused: The public PR diff adds an allowlisted resolveCodexLoginMethod()/codexLoginMethodConfig() helper, replaces the four hardcoded config strings, and adds focused tests. (src/codex-env.ts:1, dae6f0974eba)
• Real behavior proof in PR body: The PR body includes terminal output for a Windows 11 local run completing a full review with CLAWSWEEPER_CODEX_LOGIN_METHOD=chatgpt, plus the prior API-login failure without the override. (dae6f0974eba)
• Feature history provenance: Blame ties the current review/assist and commit-sweeper forced API-login config to f2ec021e, and PR-close coverage proof config to 2af278ebe. (src/clawsweeper.ts:6177, f2ec021eb55c)

Likely related people:

• brokemac79: Blame shows the current review, assist, and commit-sweeper forced_login_method="api" lines date to f2ec021e, the safe canonical PR-close work. (role: introduced current config behavior; confidence: high; commits: f2ec021eb55c; files: src/clawsweeper.ts, src/commit-sweeper.ts, src/codex-env.ts)
• Jesse Merhi: Blame shows the PR-close coverage proof Codex config line was added in 2af278ebe, the recent coverage-proof gate work. (role: recent area contributor; confidence: high; commits: 2af278ebe246; files: src/pr-close-coverage-proof.ts)
• Tak Hoffman: Blame shows recent nearby assist-prompt option work adjacent to the Codex assist subprocess path, so this person is a secondary routing candidate for the assist surface. (role: recent adjacent contributor; confidence: medium; commits: 1ff140ff45c6; files: src/clawsweeper.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[anagnorisis2peripeteia]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26914054203
• Updated: 2026-06-03T21:32:40.352Z