fix(policy): normalize model provider conformance

giodl73-repo · giodl73-repo · commit 84998bfea9ae · 2026-05-21T06:59:24.000-07:00
diff --git a/extensions/policy/src/doctor/register.test.ts b/extensions/policy/src/doctor/register.test.ts
@@ -914,6 +914,81 @@ describe("registerPolicyDoctorChecks", () => {
     ]);
   });
 
+  it("normalizes model provider refs before deny policy comparison", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      models: {
+        providers: {
+          "aws-bedrock": {},
+        },
+      },
+      agents: {
+        defaults: {
+          model: "OpenRouter/openai/gpt-5.5",
+        },
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        models: {
+          providers: { deny: ["openrouter", "amazon-bedrock"] },
+        },
+      }),
+      "utf-8",
+    );
+
+    const result = await runPolicyDoctorLint(ctx(configPath, cfg));
+
+    expect(result.findings).toEqual([
+      expect.objectContaining({
+        checkId: "policy/models-denied-provider",
+        severity: "error",
+        ocPath: "oc://openclaw.config/models/providers/aws-bedrock",
+        requirement: "oc://policy.jsonc/models/providers/deny",
+      }),
+      expect.objectContaining({
+        checkId: "policy/models-denied-provider",
+        severity: "error",
+        ocPath: "oc://openclaw.config/agents/defaults/model",
+        requirement: "oc://policy.jsonc/models/providers/deny",
+      }),
+    ]);
+  });
+
+  it("normalizes model provider refs before allow policy comparison", async () => {
+    const configPath = join(workspaceDir, "openclaw.jsonc");
+    const cfg = {
+      ...cfgWithPolicy(),
+      models: {
+        providers: {
+          "aws-bedrock": {},
+        },
+      },
+      agents: {
+        defaults: {
+          model: "OpenRouter/openai/gpt-5.5",
+        },
+      },
+    } as unknown as OpenClawConfig;
+    await fs.writeFile(configPath, "{}", "utf-8");
+    await fs.writeFile(
+      join(workspaceDir, "policy.jsonc"),
+      JSON.stringify({
+        models: {
+          providers: { allow: ["openrouter", "amazon-bedrock"] },
+        },
+      }),
+      "utf-8",
+    );
+
+    const result = await runPolicyDoctorLint(ctx(configPath, cfg));
+
+    expect(result.findings).toEqual([]);
+  });
+
   it("reports model refs outside the policy allowlist", async () => {
     const configPath = join(workspaceDir, "openclaw.jsonc");
     const cfg = {
diff --git a/extensions/policy/src/doctor/register.ts b/extensions/policy/src/doctor/register.ts
@@ -1,5 +1,6 @@
 import { basename, isAbsolute, resolve } from "node:path";
 import JSON5 from "json5";
+import { normalizeProviderId } from "openclaw/plugin-sdk/provider-model-shared";
 import {
   registerHealthCheck as registerPluginHealthCheck,
   type HealthCheck,
@@ -871,8 +872,8 @@ function modelProviderFindings(
   policyDocName: string,
   evidence: PolicyEvidence,
 ): readonly HealthFinding[] {
-  const denied = new Set(readStringList(policy, ["models", "providers", "deny"]));
-  const allowed = readStringList(policy, ["models", "providers", "allow"]);
+  const denied = new Set(readModelProviderPolicyList(policy, ["models", "providers", "deny"]));
+  const allowed = readModelProviderPolicyList(policy, ["models", "providers", "allow"]);
   const allowedSet = new Set(allowed);
   const findings: HealthFinding[] = [];
 
@@ -886,6 +887,10 @@ function modelProviderFindings(
   return findings;
 }
 
+function readModelProviderPolicyList(policy: unknown, path: readonly string[]): readonly string[] {
+  return readStringList(policy, path).map((provider) => normalizeProviderId(provider));
+}
+
 function modelProviderConformanceFindings(
   provider: PolicyEvidence["modelProviders"][number],
   denied: ReadonlySet<string>,
diff --git a/extensions/policy/src/policy-state.ts b/extensions/policy/src/policy-state.ts
@@ -1,4 +1,5 @@
 import { createHash } from "node:crypto";
+import { normalizeProviderId } from "openclaw/plugin-sdk/provider-model-shared";
 
 export type PolicyAttestation = {
   readonly checkedAt: string;
@@ -208,7 +209,7 @@ export function scanPolicyModelProviders(
   return Object.keys(configuredModelProviders(cfg))
     .toSorted((a, b) => a.localeCompare(b))
     .map((id) => ({
-      id,
+      id: normalizeProviderId(id),
       source: `oc://openclaw.config/models/providers/${id}`,
     }));
 }
@@ -586,7 +587,7 @@ function parseModelRef(
     return undefined;
   }
   return {
-    provider: trimmed.slice(0, slash),
+    provider: normalizeProviderId(trimmed.slice(0, slash)),
     model: trimmed.slice(slash + 1),
   };
 }
