fix: fallback to main agent OAuth credentials when secondary agent refresh fails

When a secondary agent's OAuth token expires and refresh fails, the agent would error out even if the main agent had fresh, valid credentials for the same profile. This fix adds a fallback mechanism that: 1. Detects when OAuth refresh fails for a secondary agent (agentDir is set) 2. Checks if the main agent has fresh credentials for the same profileId 3. If so, copies those credentials to the secondary agent and uses them 4. Logs the inheritance for debugging This prevents the situation where users have to manually copy auth-profiles.json between agent directories when tokens expire at different times. Fixes: Secondary agents failing with 'OAuth token refresh failed' while main agent continues to work fine.
2026-05-09 01:18:28 +00:00 · 2026-01-26 20:03:25 -05:00
parent 86fa9340ae
commit 4b6347459b
2 changed files with 120 additions and 1 deletions
--- a/src/agents/auth-profiles/oauth.ts
+++ b/src/agents/auth-profiles/oauth.ts
@@ -4,7 +4,7 @@ import lockfile from "proper-lockfile";
 import type { ClawdbotConfig } from "../../config/config.js";
 import { refreshChutesTokens } from "../chutes-oauth.js";
 import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
-import { AUTH_STORE_LOCK_OPTIONS } from "./constants.js";
+import { AUTH_STORE_LOCK_OPTIONS, log } from "./constants.js";
 import { formatAuthDoctorHint } from "./doctor.js";
 import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
@@ -196,6 +196,32 @@ export async function resolveApiKeyForProfile(params: {
        // keep original error
      }
    }
+
+    // Fallback: if this is a secondary agent, try using the main agent's credentials
+    if (params.agentDir) {
+      try {
+        const mainStore = ensureAuthProfileStore(undefined); // main agent (no agentDir)
+        const mainCred = mainStore.profiles[profileId];
+        if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
+          // Main agent has fresh credentials - copy them to this agent and use them
+          refreshedStore.profiles[profileId] = { ...mainCred };
+          saveAuthProfileStore(refreshedStore, params.agentDir);
+          log.info("inherited fresh OAuth credentials from main agent", {
+            profileId,
+            agentDir: params.agentDir,
+            expires: new Date(mainCred.expires).toISOString(),
+          });
+          return {
+            apiKey: buildOAuthApiKey(mainCred.provider, mainCred),
+            provider: mainCred.provider,
+            email: mainCred.email,
+          };
+        }
+      } catch {
+        // keep original error if main agent fallback also fails
+      }
+    }
+
    const message = error instanceof Error ? error.message : String(error);
    const hint = formatAuthDoctorHint({
      cfg,