From eb328a85e3aa44835f71c68336537ec616cbb6db Mon Sep 17 00:00:00 2001
From: Lyle Hopkins <cosmicnet@cpan.org>
Date: Thu, 26 Mar 2026 20:42:38 +0000
Subject: [PATCH] fix(agents): classify "Failed to extract accountId from
 token" as auth error for failover (#27055) (#55206)

Co-authored-by: Lyle Hopkins <55105+cosmicnet@users.noreply.github.com>
---
 CHANGELOG.md                                                 | 1 +
 src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts | 1 +
 src/agents/pi-embedded-helpers/failover-matches.ts           | 1 +
 3 files changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e64dc686147..e1330a47ced 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -57,6 +57,7 @@ Docs: https://docs.openclaw.ai
 - Agents/sandbox: make blocked-tool guidance glob-aware again, redact/sanitize session-specific explain hints for safer copy-paste, and avoid leaking control-character session keys in those hints. (#54684) Thanks @ngutman.
 - Agents/compaction: trigger timeout recovery compaction before retrying high-context LLM timeouts so embedded runs stop repeating oversized requests. (#46417) thanks @joeykrug.
 - Agents/compaction: reconcile `sessions.json.compactionCount` after a late embedded auto-compaction success so persisted session counts catch up once the handler reports completion. (#45493) Thanks @jackal092927.
+- Agents/failover: classify Codex accountId token extraction failures as auth errors so model fallback continues to the next configured candidate. (#55206) Thanks @cosmicnet.
 
 ## 2026.3.24
 
diff --git a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
index 13f3ea1d388..30190c818c8 100644
--- a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
+++ b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
@@ -104,6 +104,7 @@ describe("isAuthErrorMessage", () => {
     "No API key found for profile openai.",
     "OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate.",
     "Please re-authenticate to continue.",
+    "Failed to extract accountId from token",
   ])("matches auth errors for %j", (sample) => {
     expect(isAuthErrorMessage(sample)).toBe(true);
   });
diff --git a/src/agents/pi-embedded-helpers/failover-matches.ts b/src/agents/pi-embedded-helpers/failover-matches.ts
index 9f6e83e9461..1770a58a989 100644
--- a/src/agents/pi-embedded-helpers/failover-matches.ts
+++ b/src/agents/pi-embedded-helpers/failover-matches.ts
@@ -91,6 +91,7 @@ const ERROR_PATTERNS = {
     /\b403\b/,
     "no credentials found",
     "no api key found",
+    /\bfailed to (?:extract|parse|validate|decode)\b.*\btoken\b/,
   ],
   format: [
     "string should match pattern",