fix(codex): keep auth read diagnostics off stdout (#66451)

* fix(codex): keep auth read diagnostics off stdout * docs(changelog): fix codex auth entry * fix(codex): sanitize auth read diagnostics * Update CHANGELOG.md
2026-05-06 18:10:45 +00:00 · 2026-04-14 11:13:57 +01:00
parent 82364e901a
commit 3587e0ef95
4 changed files with 91 additions and 5 deletions
--- a/extensions/openai/openai-codex-cli-auth.test.ts
+++ b/extensions/openai/openai-codex-cli-auth.test.ts
@@ -1,5 +1,16 @@
 import fs from "node:fs";
-import { afterEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+const runtimeMocks = vi.hoisted(() => ({
+  debug: vi.fn(),
+}));
+
+vi.mock("openclaw/plugin-sdk/runtime-env", () => ({
+  createSubsystemLogger: () => ({
+    debug: runtimeMocks.debug,
+  }),
+}));
+
 import {
  OPENAI_CODEX_DEFAULT_PROFILE_ID,
  readOpenAICodexCliOAuthProfile,
@@ -12,6 +23,10 @@ function buildJwt(payload: Record<string, unknown>) {
 }

 describe("readOpenAICodexCliOAuthProfile", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
  afterEach(() => {
    vi.restoreAllMocks();
  });
@@ -80,4 +95,54 @@ describe("readOpenAICodexCliOAuthProfile", () => {

    expect(parsed).toBeNull();
  });
+
+  it("returns null without logging when the Codex CLI auth file is missing", () => {
+    const error = Object.assign(new Error("missing"), {
+      code: "ENOENT",
+    });
+    vi.spyOn(fs, "readFileSync").mockImplementation(() => {
+      throw error;
+    });
+
+    const parsed = readOpenAICodexCliOAuthProfile({
+      store: { version: 1, profiles: {} },
+    });
+
+    expect(parsed).toBeNull();
+    expect(runtimeMocks.debug).not.toHaveBeenCalled();
+  });
+
+  it("logs a sanitized code for invalid auth JSON", () => {
+    vi.spyOn(fs, "readFileSync").mockReturnValue("{");
+
+    const parsed = readOpenAICodexCliOAuthProfile({
+      store: { version: 1, profiles: {} },
+    });
+
+    expect(parsed).toBeNull();
+    expect(runtimeMocks.debug).toHaveBeenCalledWith(
+      "Failed to read Codex CLI auth file (code=INVALID_JSON)",
+    );
+  });
+
+  it("does not leak auth file paths in debug logs for filesystem failures", () => {
+    const error = Object.assign(
+      new Error("EACCES: permission denied, open '/Users/alice/.codex/auth.json'"),
+      {
+        code: "EACCES",
+      },
+    );
+    vi.spyOn(fs, "readFileSync").mockImplementation(() => {
+      throw error;
+    });
+
+    const parsed = readOpenAICodexCliOAuthProfile({
+      store: { version: 1, profiles: {} },
+    });
+
+    expect(parsed).toBeNull();
+    expect(runtimeMocks.debug).toHaveBeenCalledWith(
+      "Failed to read Codex CLI auth file (code=EACCES)",
+    );
+  });
 });