
#21884: feat(models): auth improvements — status command, heuristics, multi-account login

by kckylechen1 open 2026-02-20 13:56
cli commands size: M
## Summary

Three improvements to the models/auth workflow:

### 1. `openclaw models auth status` command

New subcommand to show authentication status for all configured providers at a glance.

### 2. Prefer auth heuristics over registry availability

Model listing now uses auth heuristics to determine provider availability, providing better accuracy for custom providers that may not be in the model registry.

### 3. `--add` flag for multi-account login

`openclaw models auth login --add` now supports adding additional accounts to a provider without replacing the existing one.

## Changes

- `src/commands/models/auth.ts` — multi-account `--add` flag handler
- `src/cli/models-cli.ts` — CLI registration for `--add` flag and `auth status`
- `src/commands/models/auth-status.ts` — new auth status command
- `src/commands/models/list.registry.ts` — auth heuristics preference

## Testing

- Build passes (`pnpm build`)
- Manual testing of all three features

### Greptile Summary

Added three auth workflow improvements: `auth status` command for viewing provider accounts, `--add` flag for multi-account login, and auth heuristics preference for model listing.

### Key Changes

- **`auth status` command** shows authentication status, token expiry, and usage quotas for configured providers
- **`--add` flag** enables adding multiple accounts to a provider without replacing existing ones (profile IDs auto-incremented on collision)
- **Auth heuristics** now preferred over registry availability for model listing accuracy

### Issues Found

- **Critical:** PKCE implementation in `openclaw-codex-auth` is broken—challenge should be SHA256 of verifier, not independent random bytes (security vulnerability)
- **Bug:** Date comparison in `formatResetTime` only checks day-of-month, breaking across month boundaries
- **Note:** PR includes unrelated files (SOUL.md, USER.md, memory-hybrid-bridge extension, memory_builder_prompt.txt) not mentioned in description

### Confidence Score: 2/5

- Contains critical OAuth security vulnerability and date comparison bug that must be fixed before merge
- Core auth logic (`--add` flag, status command) appears sound, but `openclaw-codex-auth` PKCE implementation breaks OAuth2 spec (challenge must be SHA256 of verifier). Additionally, date comparison bug will cause incorrect "resets today" detection across month boundaries. PR also includes many unrelated files not mentioned in description.
- extensions/openclaw-codex-auth/index.ts (critical PKCE bug), src/commands/models/auth-status.ts (date comparison bug)

Last reviewed commit: 210b1fa
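The verifier/challenge relationship the review's PKCE finding refers to, as an added example that is not code from this PR or from the openclaw project. The function names are hypothetical; the derivation is the S256 method from RFC 7636, and `serverAccepts` models the check an authorization server performs at the token endpoint.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function deriveChallenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Correct client side: one random secret, with the challenge derived from it.
function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = randomBytes(32).toString("base64url"); // 43 unreserved chars
  return { verifier, challenge: deriveChallenge(verifier) };
}

// The defect described in the review (hypothetical reconstruction):
// the challenge is drawn independently instead of being hashed from the verifier.
function createBrokenPair(): { verifier: string; challenge: string } {
  return {
    verifier: randomBytes(32).toString("base64url"),
    challenge: randomBytes(32).toString("base64url"),
  };
}

// Token-endpoint check: recompute the challenge from the presented verifier
// and compare it with the challenge stored from the authorization request.
function serverAccepts(verifier: string, storedChallenge: string): boolean {
  const expected = Buffer.from(deriveChallenge(verifier));
  const stored = Buffer.from(storedChallenge);
  return expected.length === stored.length && timingSafeEqual(expected, stored);
}
```

A regression test for the extension can assert the same property: the challenge sent in the authorization request must equal `deriveChallenge` of the verifier sent in the token request.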
