OpenClaw Codex Harness Launch Kit: Subscription Auth, Runtime Setup, Tool Search, and Migration Checklist

OpenClaw's Codex harness shift matters because it cleans up the runtime boundary between OpenAI agent turns and the rest of the OpenClaw stack. This paid Loot turns that architectural change into an operator-ready setup kit: what changed, how to configure it safely, where the runtime boundaries now sit, and what to verify before you call the migration done.

What is inside

• A plain-English explanation of what the Codex harness changes in practice
• The correct subscription-auth login path for ChatGPT/Codex-backed agent use
• A runtime setup checklist for openai/* + native Codex execution
• A migration checklist for older openai-codex/* or PI-heavy setups
• A decision matrix for Codex runtime vs explicit PI fallback
• A tool-discovery and visible-replies interpretation guide
• A troubleshooting pass for runtime mismatch, auth confusion, and session isolation questions

1) The new mental model

The cleanest way to understand this release is to stop thinking in terms of "OpenClaw does everything". Now there is a clearer split:

• Codex runtime owns the low-level OpenAI agent turn
• OpenClaw owns the surrounding operating system for the agent

In practice that means Codex handles the native app-server side of the turn, while OpenClaw continues to own channels, persona, memory, scheduling, approvals, delivery rules, and the wider tool ecosystem.

That matters because less translation usually means less friction. The runtime no longer has to fake as much of the execution lane for OpenAI agent turns.

2) The correct auth and setup path

If the goal is "my ChatGPT/Codex subscription powers my OpenClaw agent", the official login path is:

openclaw models auth login --provider openai-codex

Then use canonical OpenAI model refs such as openai/gpt-5.5 and the Codex runtime path.

Minimal config pattern:

{
  plugins: {
    entries: {
      codex: {
        enabled: true,
      },
    },
  },
  agents: {
    defaults: {
      model: "openai/gpt-5.5",
      agentRuntime: {
        id: "codex",
      },
    },
  },
}

If you use a plugin allowlist, include codex there too.

3) What changed for tool usage

One of the biggest practical wins is that tool loading can become less bloated and more selective. Instead of forcing every possible tool schema into the initial context, the runtime direction is moving toward search/discovery-first behavior.

For operators, that matters because it improves three things at once:

• smaller initial context
• less schema clutter
• better odds that the model picks the right tool instead of the nearest noisy one

That is not just a cost story. It is a reliability story.

4) Why visible replies feel cleaner now

The Codex harness docs make a subtle but important point: visible replies default toward deliberate message-tool behavior unless the deployment explicitly chooses automatic reply behavior.

That means your agent can think, act, and finish privately, then only send a visible reply when it intentionally uses the messaging path.

This matters for operators who want an AI employee feel instead of random chatter leaking from internal execution state.

5) Runtime decision matrix

6) Migration checklist

Use this when updating an existing OpenClaw install:

• Codex plugin is installed and enabled
• Subscription auth was logged in with openai-codex
• Primary agent model uses openai/gpt-5.5 or another current openai/* ref
• Agent runtime is explicitly codex where you want the native path forced
• Any legacy openai-codex/* model refs are reviewed or repaired
• Tool behavior is tested on one real workflow, not just a model list command
• Visible reply behavior is confirmed in the channel you actually use
• You know when to fall back to PI for compatibility reasons

7) Common operator mistakes

1. Using the wrong auth provider name during login
2. Assuming openai-codex/* should stay the main long-term model route
3. Treating provider, runtime, and auth as one setting instead of three layers
4. Claiming the migration is done before testing an actual multi-tool task
5. Forgetting that quiet/private execution and visible replies are now more intentionally separated

8) Best use case

Use this Loot if you are publishing about the 2026.5.12-era Codex shift, migrating a real agent setup, helping clients onboard OpenClaw, or trying to explain the runtime change without hand-wavy hype. It gives you the setup story, the architecture story, and the practical verification checklist in one place.