#19217: fix(auth): route openai-codex to built-in OAuth in models auth login

by nabbilkhan open 2026-02-17 14:53
commands size: S
## Summary

- **Problem**: `openclaw models auth login --provider openai-codex` fails with "Unknown provider" because `modelsAuthLoginCommand` resolves providers exclusively from the plugin registry, but openai-codex uses a built-in OAuth flow (`loginOpenAICodexOAuth`) that bypasses plugins entirely. Found this after `openclaw doctor` told me to re-authenticate and the exact command it suggested was a dead end.
- **Root cause**: The onboarding wizard calls `loginOpenAICodexOAuth` directly, but the `models auth login` command path has no equivalent early-return for built-in OAuth providers. When `openclaw doctor` suggests re-authenticating via `models auth login`, users hit a dead end.
- **Solution**: Add an early-return check in `modelsAuthLoginCommand` that intercepts `--provider openai-codex` before plugin resolution, calling the same `loginOpenAICodexOAuth` + `writeOAuthCredentials` functions already used by the onboarding wizard.
- **Scope boundary**: No changes to existing plugin-based provider paths — other providers work exactly as before.

## Change Type

- [x] Bug fix

## Scope

- [x] Auth / tokens
- [x] UI / DX (CLI)

## Linked Issue

Fixes #19124

## User-visible Changes

- `openclaw models auth login --provider openai-codex` now triggers the OAuth flow (same as onboarding), allowing users to refresh expired codex tokens without re-running `openclaw onboard`.

## Security Impact

- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `No` — reuses existing `loginOpenAICodexOAuth` + `writeOAuthCredentials` functions
- New/changed network calls? `No` — same OAuth flow already used by onboarding
- Command/tool execution surface changed? `No`
- Data access scope changed? `No`

## Repro + Verification

### Environment

- OS: Ubuntu 24.04 (Linux 6.8.0)
- Runtime: Node 22.x + pnpm
- OpenClaw: v2026.2.x

### Steps

1. Set up openai-codex provider via `openclaw onboard`
2. Wait for OAuth token to expire
3. Run `openclaw models auth login --provider openai-codex`

### Expected

OAuth flow triggers and token is refreshed.

### Actual (before fix)

Fails with "Unknown provider" — no way to re-authenticate without re-running onboarding.

## Evidence

- [x] Failing test/log before + passing after

```
✓ src/commands/models.auth.openai-codex.test.ts (4 tests)
  ✓ successful OAuth login writes credentials and applies auth profile
  ✓ cancelled OAuth flow exits without writing credentials
  ✓ --set-default flag sets openai-codex as default model
  ✓ without --set-default does not modify default model
✓ src/commands/models.auth.provider-resolution.test.ts (4 tests) — no regression
```

## Compatibility

- Backward compatible: `Yes` — early-return only activates for `openai-codex`; all other providers use existing plugin path unchanged
- Config changes: `None`
- Migration: `None`

## Failure Recovery

- Revert: `git revert <sha>` — single commit
- Symptom to watch: `models auth login --provider openai-codex` returning to "Unknown provider" would indicate revert needed

## Risks

- Risk: Future built-in OAuth providers would need similar early-return blocks.
- Mitigation: Pattern is explicit and localized (3 imports + 1 block). If more providers are added, the pattern can be extracted into a registry. Current scope is surgical.

AI-assisted: Yes (Claude Code). Fully tested — all tests pass.
