[FEATURE] Support OAuth token migration and lifecycle management #679

@SWSAmor

Description

Feature Request: Support OAuth token migration and lifecycle management in openfang migrate

Problem

When migrating from OpenClaw, auth-profiles are skipped entirely with:

[Config] auth-profiles — Auth profiles (API keys, OAuth tokens) not migrated for security — set env vars manually

This is reasonable for API keys (which can simply be re-entered into the vault), but OAuth-authenticated providers cannot be handled this way. OAuth tokens have a lifecycle (access token expiration, refresh token rotation) that a simple key-value vault entry does not cover.

Real-world example

In my OpenClaw setup, the default primary model for most agents is openai-codex/gpt-5.3-codex, configured with OAuth authentication:

"auth": {
  "profiles": {
    "openai-codex:default": {
      "provider": "openai-codex",
      "mode": "oauth"
    }
  }
}

After migration, this provider is referenced in config.toml and all agent manifests, but there is no way to restore the OAuth session. The openfang vault set command stores static strings — it cannot handle token refresh, expiration, or re-authentication flows.

This means the most-used provider in the setup is effectively dead on arrival after migration, with no documented recovery path.

Proposed solution

Minimum viable (migration)

  1. During openfang migrate --from openclaw, detect OAuth auth profiles
  2. Emit a clear warning (not just "skipped for security") explaining:
    • Which providers use OAuth and will need re-authentication
    • The specific command or flow to re-authenticate in OpenFang
  3. If OpenFang does not yet support OAuth for that provider, say so explicitly — don't leave users guessing

Ideal (runtime)

  1. openfang auth login <provider> — interactive OAuth flow (browser-based PKCE) to obtain and store tokens
  2. Vault-integrated token storage with automatic refresh on expiry
  3. Credential resolver chain: vault (static key) → OAuth token manager (dynamic) → env var fallback

Migration report improvement

The current skip message groups API keys and OAuth tokens together. They have fundamentally different migration paths. Suggested separation:

Skipped:
  [Auth] anthropic:manual — API key auth. Run: openfang vault set ANTHROPIC_API_KEY <key>
  [Auth] openai-codex:default — OAuth auth. Run: openfang auth login openai-codex

Environment

  • OpenFang v0.4.4
  • Source: OpenClaw 2026.3.2 with openai-codex OAuth profile as default provider
  • 6 agents, 4 of which depend on the OAuth-authenticated provider as primary model

Related

Alternatives Considered

No response

Additional Context

No response
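
The resolver chain and refresh-on-expiry behaviour proposed under "Ideal (runtime)", sketched in Rust as an added example; it is not part of the issue or of OpenFang's code. All type and function names are hypothetical, `refresh` stands in for the provider's token-endpoint call, and failing closed when the refresh token is rejected (instead of falling through to the env var) is a choice of this sketch.

```rust
use std::collections::HashMap;

// Hypothetical types for this sketch; none of these names are OpenFang's API.
#[derive(Clone, Debug, PartialEq)]
pub struct OAuthTokens { pub access: String, pub refresh: String, pub expires_at: u64 }
#[derive(Debug, PartialEq)]
pub enum Credential { Static(String), OAuth(String), Env(String) }
#[derive(Debug, PartialEq)]
pub enum ResolveError { ReauthRequired(String), NotConfigured(String) }

const SKEW_SECS: u64 = 60; // treat a token as expired slightly early

pub struct Resolver<F: FnMut(&str) -> Option<OAuthTokens>> {
    pub vault: HashMap<String, String>,      // provider -> static API key
    pub oauth: HashMap<String, OAuthTokens>, // provider -> current token pair
    pub env: HashMap<String, String>,        // provider -> key read from the environment
    pub refresh: F, // stand-in for the token-endpoint call; None = refresh token rejected
}

impl<F: FnMut(&str) -> Option<OAuthTokens>> Resolver<F> {
    pub fn resolve(&mut self, provider: &str, now: u64) -> Result<Credential, ResolveError> {
        if let Some(key) = self.vault.get(provider) {
            return Ok(Credential::Static(key.clone())); // 1. static key in the vault
        }
        if let Some(tok) = self.oauth.get(provider).cloned() {
            if now + SKEW_SECS < tok.expires_at {
                return Ok(Credential::OAuth(tok.access)); // 2. access token still valid
            }
            return match (self.refresh)(&tok.refresh) {
                Some(rotated) => {
                    // Store the rotated pair before use: the old refresh token is spent.
                    self.oauth.insert(provider.to_string(), rotated.clone());
                    Ok(Credential::OAuth(rotated.access))
                }
                // Fail closed: do not silently fall through to an env var.
                None => Err(ResolveError::ReauthRequired(provider.to_string())),
            };
        }
        self.env.get(provider).cloned().map(Credential::Env) // 3. env var fallback
            .ok_or_else(|| ResolveError::NotConfigured(provider.to_string()))
    }
}

fn main() {
    fn rejected(_: &str) -> Option<OAuthTokens> { None } // constructed: refresh is refused
    let expired = OAuthTokens { access: "a1".into(), refresh: "r1".into(), expires_at: 100 };
    let mut r = Resolver { vault: HashMap::new(), env: HashMap::new(), refresh: rejected,
        oauth: HashMap::from([("openai-codex".to_string(), expired)]) };
    println!("{:?}", r.resolve("openai-codex", 1_000));
}
```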
