fix(ci): restore codex oauth refresh fallback

extensions/openai/openai-codex-provider.runtime.ts

@@ -1,4 +1,7 @@
-import { getOAuthApiKey as getOAuthApiKeyFromPi } from "@mariozechner/pi-ai/oauth";
+import {
+  getOAuthApiKey as getOAuthApiKeyFromPi,
+  refreshOpenAICodexToken as refreshOpenAICodexTokenFromPi,
+} from "@mariozechner/pi-ai/oauth";
 import { ensureGlobalUndiciEnvProxyDispatcher } from "openclaw/plugin-sdk/infra-runtime";
 
 export async function getOAuthApiKey(
@@ -7,3 +10,10 @@ export async function getOAuthApiKey(
   ensureGlobalUndiciEnvProxyDispatcher();
   return await getOAuthApiKeyFromPi(...args);
 }
+
+export async function refreshOpenAICodexToken(
+  ...args: Parameters<typeof refreshOpenAICodexTokenFromPi>
+): Promise<Awaited<ReturnType<typeof refreshOpenAICodexTokenFromPi>>> {
+  ensureGlobalUndiciEnvProxyDispatcher();
+  return await refreshOpenAICodexTokenFromPi(...args);
+}

extensions/openai/openai-codex-provider.ts

@@ -139,16 +139,11 @@ function resolveCodexForwardCompatModel(
 
 async function refreshOpenAICodexOAuthCredential(cred: OAuthCredential) {
   try {
-    const { getOAuthApiKey } = await import("./openai-codex-provider.runtime.js");
-    const refreshed = await getOAuthApiKey("openai-codex", {
-      "openai-codex": cred,
-    });
-    if (!refreshed) {
-      throw new Error("OpenAI Codex OAuth refresh returned no credentials.");
-    }
+    const { refreshOpenAICodexToken } = await import("./openai-codex-provider.runtime.js");
+    const refreshed = await refreshOpenAICodexToken(cred.refresh);
     return {
       ...cred,
-      ...refreshed.newCredentials,
+      ...refreshed,
       type: "oauth" as const,
       provider: PROVIDER_ID,
       email: cred.email,

extensions/openai/openai-provider.test.ts

@@ -3,10 +3,10 @@ import { describe, expect, it, vi } from "vitest";
 import { buildOpenAICodexProviderPlugin } from "./openai-codex-provider.js";
 import { buildOpenAIProvider } from "./openai-provider.js";
 
-const getCodexOAuthApiKeyMock = vi.hoisted(() => vi.fn());
+const refreshOpenAICodexTokenMock = vi.hoisted(() => vi.fn());
 
 vi.mock("./openai-codex-provider.runtime.js", () => ({
-  getOAuthApiKey: getCodexOAuthApiKeyMock,
+  refreshOpenAICodexToken: refreshOpenAICodexTokenMock,
 }));
 
 const OPENAI_API_KEY = process.env.OPENAI_API_KEY ?? "";
@@ -239,8 +239,8 @@ describe("buildOpenAIProvider", () => {
       expires: Date.now() - 60_000,
     };
 
-    getCodexOAuthApiKeyMock.mockReset();
-    getCodexOAuthApiKeyMock.mockRejectedValueOnce(
+    refreshOpenAICodexTokenMock.mockReset();
+    refreshOpenAICodexTokenMock.mockRejectedValueOnce(
       new Error("Failed to extract accountId from token"),
     );