feat(models): add oauth auth health

docs/concepts/models.md

@@ -71,7 +71,14 @@ Shows configured models by default. Useful flags:
 ### `models status`
 
 Shows the resolved primary model, fallbacks, image model, and an auth overview
-of configured providers. `--plain` prints only the resolved primary model.
+of configured providers. It also surfaces OAuth expiry status for profiles found
+in the auth store (warns within 24h by default). `--plain` prints only the
+resolved primary model.
+OAuth status is always shown (and included in `--json` output). If a configured
+provider has no credentials, `models status` prints a **Missing auth** section.
+JSON includes `auth.oauth` (warn window + profiles) and `auth.providers`
+(effective auth per provider).
+Use `--check` for automation (exit `1` when missing/expired, `2` when expiring).
 
 ## Scanning (OpenRouter free models)
 

docs/concepts/oauth.md

@@ -49,10 +49,13 @@ If you already signed in with the external CLIs *on the gateway host*, Clawdbot
 - Codex CLI: reads `~/.codex/auth.json` → profile `openai-codex:codex-cli`
 
 Sync happens when Clawdbot loads the auth store (so it stays up-to-date when the CLIs refresh tokens).
+On macOS, the first read may trigger a Keychain prompt; run `clawdbot models status`
+in a terminal once if the Gateway runs headless and can’t access the entry.
 
 How to verify:
 
 ```bash
+clawdbot models status
 clawdbot providers list
 ```