fix(auth): add PKCE to installed-app OAuth#725

Merged: steipete merged 2 commits into openclaw:main from TurboTheTurtle:codex/gogcli-693-pkce-auth on Jun 11, 2026

@TurboTheTurtle TurboTheTurtle commented Jun 10, 2026

Contributor

Summary

  • Add S256 PKCE to local browser installed-app OAuth authorization and token exchange.
  • Persist the short-lived PKCE verifier for manual two-step auth and clear it with manual state.
  • Add PKCE verifier handling to account-manager auth start, upgrade, and callback flows.
  • Update focused auth tests.

Fixes #693.

Compatibility note

Manual authorization-code exchange now requires a current gog-generated state/verifier pair. Stale pre-PKCE manual state and bare raw-code exchanges without a matching verifier fail instead of falling back to a non-PKCE exchange; that is intentional because PKCE binds the code exchange to the original authorization request.

Validation

  • make ci

Proof

Local tests verify auth URLs include code_challenge/code_challenge_method=S256, do not expose code_verifier, and token exchange sends the verifier. I did not run a live Google OAuth browser flow in this environment.

clawsweeper Bot commented Jun 10, 2026

Codex review: needs real behavior proof before merge. Reviewed June 11, 2026, 3:34 AM ET / 07:34 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] No close action taken because the review did not complete.

Maintainer options:

  1. Decide the mitigation before merge
    Retry the Codex review after fixing the execution failure.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model internal, reasoning high; reviewed against 97c0448b155d.

Label changes

Label changes:

  • add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.
  • remove P2: Current review triage priority is none.
  • remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
  • remove merge-risk: 🚨 auth-provider: Current PR review selected no merge-risk labels.
  • remove status: 📣 needs proof: Current PR status no longer selects a status label.
  • remove rating: 🦪 silver shellfish: Current PR rating is rating: 🌊 off-meta tidepool, so this older rating label is no longer current.

Label justifications:

  • rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

What I checked:

  • failure reason: codex execution failed.
  • codex failure detail: Codex review failed for this PR with exit 1.
  • Review mode (PR link only): read gh pr view/diff; do not switch branches; do not change code.
  • Landing mode: temp branch from main; bring in PR (squash default; rebase/merge when needed); fix; update CHANGELOG.md (PR #/issue + thanks); run make ci; final commit; merge to main; delete temp; end on main.

Likely related people:

  • unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added labels Jun 10, 2026:
  • rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
  • P2 (Normal priority bug or improvement with limited blast radius.)
  • merge-risk: 🚨 compatibility (🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.)
  • merge-risk: 🚨 auth-provider (🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials.)
@TurboTheTurtle TurboTheTurtle force-pushed the codex/gogcli-693-pkce-auth branch 2 times, most recently from 36653b3 to e4aef4d Compare June 10, 2026 05:12
@clawsweeper clawsweeper Bot added and removed labels Jun 10, 2026:
  • added rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
  • removed rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
@TurboTheTurtle

Contributor Author

@clawsweeper re-review

clawsweeper Bot commented Jun 10, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

TurboTheTurtle commented Jun 10, 2026

Contributor Author

Sanitized proof for this PR:

  • PR head tested: e4aef4d
  • GitHub checks are green: test, image, worker, windows, and darwin-cgo-build
  • Focused local PKCE tests passed:
      go test -v ./internal/googleauth -run 'TestAuthorize_ServerFlow_Success|TestManualAuthURL_UsesPKCEAndPersistsVerifier|TestAuthorize_Manual_AuthURL_UsesStoredPKCEVerifier' -count=1
  • Sanitized installed-app/browser-loopback evidence from the local test flow:
      Opening browser for authorization...
      Auth URL included: code_challenge=<redacted>&code_challenge_method=S256
      Auth URL did not include code_verifier
      Authorization received. Finishing...
      PASS

This verifies the installed-app OAuth URL includes an S256 PKCE challenge, keeps the verifier out of the browser URL, and completes the callback/exchange path with the verifier.

@TurboTheTurtle

Contributor Author

@clawsweeper re-review

clawsweeper Bot commented Jun 10, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@TurboTheTurtle TurboTheTurtle marked this pull request as ready for review June 10, 2026 07:04
@clawsweeper clawsweeper Bot added and removed labels Jun 10, 2026:
  • added rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • removed rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
@steipete steipete force-pushed the codex/gogcli-693-pkce-auth branch from e4aef4d to 4b22c05 Compare June 11, 2026 07:28
@clawsweeper clawsweeper Bot added and removed labels Jun 11, 2026:
  • added rating: 🌊 off-meta tidepool (PR readiness rating does not apply to this item.)
  • removed rating: 🦪 silver shellfish (Thin PR readiness signal; proof, validation, or implementation needs work.)
  • removed status: 📣 needs proof (The PR needs real behavior proof before ClawSweeper can clear the contributor ask.)
@steipete steipete merged commit bfe980d into openclaw:main Jun 11, 2026
9 checks passed
@steipete

Collaborator

Landed as bfe980d.

Verified before merge:

  • exact-head GitHub CI green: test, Windows, Darwin CGO, worker, and image
  • local make ci green
  • autoreview clean
  • live Google OAuth authorization for clawdbot@gmail.com: authorization URL included code_challenge_method=S256, consent completed, token exchange succeeded, and authenticated Gmail/Drive reads passed

Thanks @TurboTheTurtle.

@TurboTheTurtle TurboTheTurtle deleted the codex/gogcli-693-pkce-auth branch June 11, 2026 07:57

Labels

  • merge-risk: 🚨 auth-provider (🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials.)
  • merge-risk: 🚨 compatibility (🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.)
  • P2 (Normal priority bug or improvement with limited blast radius.)
  • rating: 🌊 off-meta tidepool (PR readiness rating does not apply to this item.)

Development

Successfully merging this pull request may close these issues.

feat: add PKCE (S256) to installed-app auth flow