CI: stabilize live release lanes (#67838)

* CI: stabilize live release lanes

* CI: widen codex live exclusions

* Gateway: stop live config/auth lazy re-imports

* CI: mount writable live Docker homes

* Live: tighten retry and provider filter overrides

* CI: use API-key auth for codex live lanes

* CI: fix remaining live lanes

* CI: stop forwarding live OpenAI base URLs

* Gateway: fix live startup loader regression

* CI: stop expanding OpenAI keys in live Docker lanes

* CI: stop expanding installer secrets in Docker

* CI: tighten live secret boundaries

* Gateway: pin Codex harness base URL

* CI: fix reusable workflow runner label

* CI: avoid template expansion in live ref guard

* CI: tighten live trust gate

* Gateway: ignore empty Codex harness base URL

* CI: stabilize remaining live lanes

* CI: harden live retries and canvas auth test

* CI: extend cron live probe budget

* CI: keep codex harness lane on api-key auth

* CI: stage live Docker OpenAI auth via env files

* CI: bootstrap codex login for Docker API-key lanes

* CI: accept hosted-runner codex fallback responses

* CI: accept additional codex sandbox fallback text

* CI: accept hosted-runner live fallback variants

* CI: accept codex current-model fallback

* CI: broaden codex sandbox model fallbacks

* CI: cover extra codex sandbox wording

* CI: extend cli backend cron retry budget

* CI: match codex models fallbacks by predicate

* CI: accept configured-models live fallback

* CI: relax OpenAI websocket warmup timeout

* CI: accept extra codex model fallback wording

* CI: generalize codex model fallback matching

* CI: retry cron verify cancellation wording

* CI: accept interactive codex model entrypoint fallback

* Agents: stabilize Claude bundle skill command test

* CI: prestage live Docker auth homes

* Tests: accept current Codex models wording

* CI: stabilize remaining live lanes

* Tests: widen CLI backend live timeout

* Tests: accept current Codex model summary wording

* CI: disable codex-cli image probe in Docker lane

* Tests: respect CLI override for Codex Docker login

* Tests: accept current Codex session models header

* CI: stabilize remaining live validation lanes

* CI: preserve Gemini ACP coverage in auth fallback

* CI: fix final live validation blockers

* CI: restore Codex auth for CLI backend lane

* CI: drop local Codex config in live Docker lane

* Tests: tolerate Codex cron and model reply drift

* Tests: accept current Codex live replies

* Tests: retry more Codex cron retry wording

* Tests: accept environment-cancelled Codex cron retries

* Tests: retry blank Codex cron probe replies

* Tests: broaden Codex cron retry wording

* Tests: require explicit Codex cron retry replies

* Tests: accept current Codex models environment wording

* CI: restore trusted Codex config in live lane

* CI: bypass nested Codex sandbox in docker

* CI: instrument live codex cron lane

* CI: forward live CLI resume args

* Tests: accept interactive Codex model selection

* Tests: bound websocket warm-up live lane

* CI: close live lane review gaps

* Tests: lazy-load gateway live server

* Tests: avoid gateway live loader regression

* CI: scope reusable workflow secrets

* Tests: tighten codex models live assertion

* Tests: normalize OpenAI speech live text

scripts/lib/live-docker-auth.sh

@@ -18,12 +18,31 @@ openclaw_live_trim() {
   printf '%s' "$value"
 }
 
+openclaw_live_validate_relative_home_path() {
+  local value
+  value="$(openclaw_live_trim "${1:-}")"
+  [[ -n "$value" ]] || {
+    echo "ERROR: empty auth path." >&2
+    return 1
+  }
+  case "$value" in
+    /* | *..* | *\\* | *:*)
+      echo "ERROR: invalid auth path '$value'." >&2
+      return 1
+      ;;
+  esac
+  printf '%s' "$value"
+}
+
 openclaw_live_normalize_auth_dir() {
   local value
   value="$(openclaw_live_trim "${1:-}")"
   [[ -n "$value" ]] || return 1
-  value="${value#.}"
-  printf '.%s' "$value"
+  if [[ "$value" != .* ]]; then
+    value=".$value"
+  fi
+  value="$(openclaw_live_validate_relative_home_path "$value")" || return 1
+  printf '%s' "$value"
 }
 
 openclaw_live_should_include_auth_dir_for_provider() {
@@ -143,3 +162,44 @@ openclaw_live_join_csv() {
     fi
   done
 }
+
+openclaw_live_stage_auth_into_home() {
+  local dest_home="${1:?destination home directory required}"
+  shift
+
+  local mode="dirs"
+  local relative_path source_path dest_path
+
+  mkdir -p "$dest_home"
+  chmod u+rwx "$dest_home" || true
+
+  while (($# > 0)); do
+    case "$1" in
+      --files)
+        mode="files"
+        shift
+        continue
+        ;;
+    esac
+
+    relative_path="$(openclaw_live_validate_relative_home_path "$1")" || return 1
+    source_path="$HOME/$relative_path"
+    dest_path="$dest_home/$relative_path"
+
+    if [[ "$mode" == "dirs" ]]; then
+      if [[ -d "$source_path" ]]; then
+        mkdir -p "$dest_path"
+        cp -R "$source_path"/. "$dest_path"
+        chmod -R u+rwX "$dest_path" || true
+      fi
+    else
+      if [[ -f "$source_path" ]]; then
+        mkdir -p "$(dirname "$dest_path")"
+        cp "$source_path" "$dest_path"
+        chmod u+rw "$dest_path" || true
+      fi
+    fi
+
+    shift
+  done
+}