openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎docs/configuration.md‎
Lines changed: 63 additions & 41 deletions b/‎docs/configuration.md‎
Lines changed: 63 additions & 41 deletions
diff --git a/‎docs/doctor.md‎
Lines changed: 5 additions & 0 deletions b/‎docs/doctor.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/faq.md‎
Lines changed: 12 additions & 14 deletions b/‎docs/faq.md‎
Lines changed: 12 additions & 14 deletions
diff --git a/‎docs/models.md‎
Lines changed: 23 additions & 23 deletions b/‎docs/models.md‎
Lines changed: 23 additions & 23 deletions
diff --git a/‎docs/onboarding.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/onboarding.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/proposals/model-config.md‎
Lines changed: 10 additions & 9 deletions b/‎docs/proposals/model-config.md‎
Lines changed: 10 additions & 9 deletions
diff --git a/‎docs/tools.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/tools.md‎
Lines changed: 1 addition & 1 deletion
@@ -6,6 +6,7 @@
 
 ### Breaking
 - Timestamps in agent envelopes are now UTC (compact `YYYY-MM-DDTHH:mmZ`); removed `messages.timestampPrefix`. Add `agent.userTimezone` to tell the model the user’s local time (system prompt only).
+- Model config schema changes (auth profiles + model lists); doctor auto-migrates and the gateway rewrites legacy configs on startup.
 
 ### Fixes
 - Onboarding: resolve CLI entrypoint when running via `npx` so gateway daemon install works without a build step.
@@ -16,10 +17,10 @@
 - macOS: local gateway now connects via tailnet IP when bind mode is `tailnet`/`auto`.
 - macOS: Connections settings now use a custom sidebar to avoid toolbar toggle issues, with rounded styling and full-width row hit targets.
 - macOS: drop deprecated `afterMs` from agent wait params to match gateway schema.
-- Auth: add OpenAI Codex OAuth support and migrate legacy oauth.json into auth.json.
+- Auth: add OpenAI Codex OAuth support and migrate legacy oauth.json into auth-profiles.json.
 - Model: `/model` list shows auth source (masked key or OAuth email) per provider.
 - Model: `/model list` is an alias for `/model`.
-- Model: `/model` output now includes auth source location (env/auth.json/models.json).
+- Model: `/model` output now includes auth source location (env/auth-profiles.json/models.json).
 - Model: avoid duplicate `missing (missing)` auth labels in `/model` list output.
 - Docs: clarify auth storage, migration, and OpenAI Codex OAuth onboarding.
 - Sandbox: copy inbound media into sandbox workspaces so agent tools can read attachments.
 
@@ -91,18 +91,40 @@ Env var equivalent:
 
 ### Auth storage (OAuth + API keys)
 
-Clawdbot stores **OAuth credentials** in:
+Clawdbot stores **auth profiles** (OAuth + API keys) in:
+- `~/.clawdbot/agent/auth-profiles.json`
+
+Legacy OAuth imports:
 - `~/.clawdbot/credentials/oauth.json` (or `$CLAWDBOT_STATE_DIR/credentials/oauth.json`)
 
-Clawdbot stores **API keys** in the agent auth store:
-- `~/.clawdbot/agent/auth.json`
+The embedded Pi agent maintains a runtime cache at:
+- `~/.clawdbot/agent/auth.json` (managed automatically; don’t edit manually)
 
 Overrides:
-- OAuth dir: `CLAWDBOT_OAUTH_DIR`
+- OAuth dir (legacy import only): `CLAWDBOT_OAUTH_DIR`
 - Agent dir: `CLAWDBOT_AGENT_DIR` (preferred), `PI_CODING_AGENT_DIR` (legacy)
 
-On first use, Clawdbot imports `oauth.json` entries into `auth.json` so the embedded
-agent can use them. `oauth.json` remains the source of truth for OAuth refresh.
+On first use, Clawdbot imports `oauth.json` entries into `auth-profiles.json`.
+
+### `auth`
+
+Optional metadata for auth profiles. This does **not** store secrets; it maps
+profile IDs to a provider + mode (and optional email) and defines the provider
+rotation order used for failover.
+
+```json5
+{
+  auth: {
+    profiles: {
+      "anthropic:default": { provider: "anthropic", mode: "oauth", email: "me@example.com" },
+      "anthropic:work": { provider: "anthropic", mode: "api_key" }
+    },
+    order: {
+      anthropic: ["anthropic:default", "anthropic:work"]
+    }
+  }
+}
+```
 
 ### `identity`
 
@@ -494,14 +516,12 @@ Defaults for Talk mode (macOS/iOS/Android). Voice IDs fall back to `ELEVENLABS_V
 ### `agent`
 
 Controls the embedded agent runtime (model/thinking/verbose/timeouts).
-`allowedModels` lets `/model` list/filter and enforce a per-session allowlist
-(omit to show the full catalog).
-`modelAliases` adds short names for `/model` (alias -> provider/model).
-`modelFallbacks` lists ordered fallback models to try when the default fails.
-`imageModel` selects an image-capable model for the `image` tool.
-`imageModelFallbacks` lists ordered fallback image models for the `image` tool.
+`agent.models` defines the configured model catalog (and acts as the allowlist for `/model`).
+`agent.model.primary` sets the default model; `agent.model.fallbacks` are global failovers.
+`agent.imageModel` is optional and is **only used if the primary model lacks image input**.
 
-Clawdbot also ships a few built-in `modelAliases` shorthands (when an `agent` section exists):
+Clawdbot also ships a few built-in alias shorthands. Defaults only apply when the model
+is already present in `agent.models`:
 
 - `opus` -> `anthropic/claude-opus-4-5`
 - `sonnet` -> `anthropic/claude-sonnet-4-5`
@@ -515,23 +535,24 @@ If you configure the same alias name (case-insensitive) yourself, your value win
 ```json5
 {
   agent: {
-    model: "anthropic/claude-opus-4-5",
-    allowedModels: [
-      "anthropic/claude-opus-4-5",
-      "anthropic/claude-sonnet-4-1"
-    ],
-    modelAliases: {
-      Opus: "anthropic/claude-opus-4-5",
-      Sonnet: "anthropic/claude-sonnet-4-1"
+    models: {
+      "anthropic/claude-opus-4-5": { alias: "Opus" },
+      "anthropic/claude-sonnet-4-1": { alias: "Sonnet" },
+      "openrouter/deepseek/deepseek-r1:free": {}
+    },
+    model: {
+      primary: "anthropic/claude-opus-4-5",
+      fallbacks: [
+        "openrouter/deepseek/deepseek-r1:free",
+        "openrouter/meta-llama/llama-3.3-70b-instruct:free"
+      ]
+    },
+    imageModel: {
+      primary: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
+      fallbacks: [
+        "openrouter/google/gemini-2.0-flash-vision:free"
+      ]
     },
-    modelFallbacks: [
-      "openrouter/deepseek/deepseek-r1:free",
-      "openrouter/meta-llama/llama-3.3-70b-instruct:free"
-    ],
-    imageModel: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
-    imageModelFallbacks: [
-      "openrouter/google/gemini-2.0-flash-vision:free"
-    ],
     thinkingDefault: "low",
     verboseDefault: "off",
     elevatedDefault: "on",
@@ -566,8 +587,8 @@ Block streaming:
   }
   ```
 
-`agent.model` should be set as `provider/model` (e.g. `anthropic/claude-opus-4-5`).
-If `modelAliases` is configured, you may also use the alias key (e.g. `Opus`).
+`agent.model.primary` should be set as `provider/model` (e.g. `anthropic/claude-opus-4-5`).
+Aliases come from `agent.models.*.alias` (e.g. `Opus`).
 If you omit the provider, CLAWDBOT currently assumes `anthropic` as a temporary
 deprecation fallback.
 Z.AI models are available as `zai/<model>` (e.g. `zai/glm-4.7`) and require
@@ -729,11 +750,16 @@ When `models.providers` is present, Clawdbot writes/merges a `models.json` into
 - default behavior: **merge** (keeps existing providers, overrides on name)
 - set `models.mode: "replace"` to overwrite the file contents
 
-Select the model via `agent.model` (provider/model).
+Select the model via `agent.model.primary` (provider/model).
 
 ```json5
 {
-  agent: { model: "custom-proxy/llama-3.1-8b" },
+  agent: {
+    model: { primary: "custom-proxy/llama-3.1-8b" },
+    models: {
+      "custom-proxy/llama-3.1-8b": {}
+    }
+  },
   models: {
     mode: "merge",
     providers: {
@@ -766,14 +792,10 @@ via **LM Studio** using the **Responses API**.
 ```json5
 {
   agent: {
-    model: "Minimax",
-    allowedModels: [
-      "anthropic/claude-opus-4-5",
-      "lmstudio/minimax-m2.1-gs32"
-    ],
-    modelAliases: {
-      Opus: "anthropic/claude-opus-4-5",
-      Minimax: "lmstudio/minimax-m2.1-gs32"
+    model: { primary: "lmstudio/minimax-m2.1-gs32" },
+    models: {
+      "anthropic/claude-opus-4-5": { alias: "Opus" },
+      "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" }
     }
   },
   models: {
 
@@ -27,8 +27,13 @@ Doctor will:
 - Show the migration it applied.
 - Rewrite `~/.clawdbot/clawdbot.json` with the updated schema.
 
+The Gateway also auto-runs doctor migrations on startup when it detects a legacy
+config format, so stale configs are repaired without manual intervention.
+
 Current migrations:
 - `routing.allowFrom` → `whatsapp.allowFrom`
+- `agent.model`/`allowedModels`/`modelAliases`/`modelFallbacks`/`imageModelFallbacks`
+  → `agent.models` + `agent.model.primary/fallbacks` + `agent.imageModel.primary/fallbacks`
 
 ## Usage
 
 
@@ -15,7 +15,8 @@ Everything lives under `~/.clawdbot/`:
 |------|---------|
 | `~/.clawdbot/clawdbot.json` | Main config (JSON5) |
 | `~/.clawdbot/credentials/oauth.json` | OAuth credentials (Anthropic/OpenAI, etc.) |
-| `~/.clawdbot/agent/auth.json` | API key store |
+| `~/.clawdbot/agent/auth-profiles.json` | Auth profiles (OAuth + API keys) |
+| `~/.clawdbot/agent/auth.json` | Runtime API key cache (managed automatically) |
 | `~/.clawdbot/credentials/` | WhatsApp/Telegram auth tokens |
 | `~/.clawdbot/sessions/` | Conversation history & state |
 | `~/.clawdbot/sessions/sessions.json` | Session metadata |
@@ -576,21 +577,16 @@ List available models with `/model`, `/model list`, or `/model status`.
 Clawdbot ships a few default model shorthands (you can override them in config):
 `opus`, `sonnet`, `gpt`, `gpt-mini`, `gemini`, `gemini-flash`.
 
-**Setup:** Configure allowed models and aliases in `clawdbot.json`:
+**Setup:** Configure models and aliases in `clawdbot.json`:
 
 ```json
 {
   "agent": {
-    "model": "anthropic/claude-opus-4-5",
-    "allowedModels": [
-      "anthropic/claude-opus-4-5",
-      "anthropic/claude-sonnet-4-5",
-      "anthropic/claude-haiku-4-5"
-    ],
-    "modelAliases": {
-      "opus": "anthropic/claude-opus-4-5",
-      "sonnet": "anthropic/claude-sonnet-4-5",
-      "haiku": "anthropic/claude-haiku-4-5"
+    "model": { "primary": "anthropic/claude-opus-4-5" },
+    "models": {
+      "anthropic/claude-opus-4-5": { "alias": "opus" },
+      "anthropic/claude-sonnet-4-5": { "alias": "sonnet" },
+      "anthropic/claude-haiku-4-5": { "alias": "haiku" }
     }
   }
 }
@@ -606,7 +602,8 @@ If you don't want to use Anthropic directly, you can use alternative providers:
 ```json5
 {
   agent: {
-    model: "openrouter/anthropic/claude-sonnet-4",
+    model: { primary: "openrouter/anthropic/claude-sonnet-4" },
+    models: { "openrouter/anthropic/claude-sonnet-4": {} },
     env: { OPENROUTER_API_KEY: "sk-or-..." }
   }
 }
@@ -616,7 +613,8 @@ If you don't want to use Anthropic directly, you can use alternative providers:
 ```json5
 {
   agent: {
-    model: "zai/glm-4.7",
+    model: { primary: "zai/glm-4.7" },
+    models: { "zai/glm-4.7": {} },
     env: { ZAI_API_KEY: "..." }
   }
 }
 
@@ -16,35 +16,32 @@ that prefers tool-call + image-capable models and maintains ordered fallbacks.
   - default: configured models only
   - flags: `--all` (full catalog), `--local`, `--provider <name>`, `--json`, `--plain`
 - `clawdbot models status`
-  - show default model + aliases + fallbacks + allowlist
+  - show default model + aliases + fallbacks + configured models
 - `clawdbot models set <modelOrAlias>`
-  - writes `agent.model` in config
+  - writes `agent.model.primary` and ensures `agent.models` entry
 - `clawdbot models set-image <modelOrAlias>`
-  - writes `agent.imageModel` in config
+  - writes `agent.imageModel.primary` and ensures `agent.models` entry
 - `clawdbot models aliases list|add|remove`
-  - writes `agent.modelAliases`
+  - writes `agent.models.*.alias`
 - `clawdbot models fallbacks list|add|remove|clear`
-  - writes `agent.modelFallbacks`
+  - writes `agent.model.fallbacks`
 - `clawdbot models image-fallbacks list|add|remove|clear`
-  - writes `agent.imageModelFallbacks`
+  - writes `agent.imageModel.fallbacks`
 - `clawdbot models scan`
   - OpenRouter :free scan; probe tool-call + image; interactive selection
 
 ## Config changes
 
-- Add `agent.modelFallbacks: string[]` (ordered list of provider/model IDs).
-- Add `agent.imageModel?: string` (optional image-capable model for image tool).
-- Add `agent.imageModelFallbacks?: string[]` (ordered list for image tool).
-- Keep existing:
-  - `agent.model` (default)
-  - `agent.allowedModels` (list filter)
-  - `agent.modelAliases` (shortcut names)
+- `agent.models` (configured model catalog + aliases).
+- `agent.model.primary` + `agent.model.fallbacks`.
+- `agent.imageModel.primary` + `agent.imageModel.fallbacks` (optional).
+- `auth.profiles` + `auth.order` for per-provider auth failover.
 
 ## Scan behavior (models scan)
 
 Input
 - OpenRouter `/models` list (filter `:free`)
-- Requires `OPENROUTER_API_KEY` (or stored OpenRouter key in auth storage)
+- Requires OpenRouter API key from auth profiles or `OPENROUTER_API_KEY`
 - Optional filters: `--max-age-days`, `--min-params`, `--provider`, `--max-candidates`
 - Probe controls: `--timeout`, `--concurrency`
 
@@ -66,17 +63,20 @@ Interactive selection (TTY)
 - Non-TTY: auto-select; require `--yes`/`--no-input` to apply.
 
 Output
-- Writes `agent.modelFallbacks` ordered.
-- Writes `agent.imageModelFallbacks` ordered (image-capable models).
-- Optional `--set-default` to set `agent.model`.
-- Optional `--set-image` to set `agent.imageModel`.
+- Writes `agent.model.fallbacks` ordered.
+- Writes `agent.imageModel.fallbacks` ordered (image-capable models).
+- Ensures `agent.models` entries exist for selected models.
+- Optional `--set-default` to set `agent.model.primary`.
+- Optional `--set-image` to set `agent.imageModel.primary`.
 
 ## Runtime fallback
 
-- On model failure: try `agent.modelFallbacks` in order.
-- Ignore fallback entries not in `agent.allowedModels` (if allowlist set).
-- Persist last successful provider/model to session entry.
-- `/status` shows last used model (not just default).
+- On model failure: try `agent.model.fallbacks` in order.
+- Per-provider auth failover uses `auth.order` (or stored profile order) **before**
+  moving to the next model.
+- Image routing uses `agent.imageModel` **only when configured** and the primary
+  model lacks image input.
+- Persist last successful provider/model to session entry; auth profile success is global.
 
 ## Tests
 
@@ -86,5 +86,5 @@ Output
 
 ## Docs
 
-- Update `docs/configuration.md` with `agent.modelFallbacks`.
+- Update `docs/configuration.md` with `agent.models` + `agent.model` + `agent.imageModel`.
 - Keep this doc current when CLI surface or scan logic changes.
@@ -41,7 +41,7 @@ The macOS app should:
   - `~/.clawdbot/credentials/oauth.json` (file mode `0600`, directory mode `0700`)
 
 Why this location matters: it’s the Clawdbot-owned OAuth store.
-Clawdbot also imports `oauth.json` into the agent auth store (`~/.clawdbot/agent/auth.json`) on first use.
+Clawdbot also imports `oauth.json` into the agent auth profile store (`~/.clawdbot/agent/auth-profiles.json`) on first use.
 
 ### Recommended: OAuth (OpenAI Codex)
 
@@ -148,7 +148,7 @@ If the Gateway runs on another machine, OAuth credentials must be created/stored
 
 For now, remote onboarding should:
 - explain why OAuth isn't shown
-- point the user at the credential location (`~/.clawdbot/credentials/oauth.json`) and the workspace location on the gateway host
+- point the user at the credential location (`~/.clawdbot/credentials/oauth.json`) and the auth profile store (`~/.clawdbot/agent/auth-profiles.json`) on the gateway host
 - mention that the **bootstrap ritual happens on the gateway host** (same BOOTSTRAP/IDENTITY/USER files)
 
 ### Manual credential setup
 
@@ -87,7 +87,7 @@ Model listing
   - alias
   - provider
   - auth order (from `auth.order`)
-  - auth source for the current provider (env/auth.json/models.json)
+  - auth source for the current provider (auth-profiles.json/env/shell env/models.json)
 
 ## Fallback behavior (global)
 
@@ -121,19 +121,20 @@ Support detection
 ## Migration (doctor + gateway auto-run)
 
 Inputs
-- `agent.model` (string)
-- `agent.modelFallbacks` (string[])
-- `agent.imageModel` (string)
-- `agent.imageModelFallbacks` (string[])
-- `agent.allowedModels` (string[])
-- `agent.modelAliases` (record)
+- Legacy keys (pre-migration):
+  - `agent.model` (string)
+  - `agent.modelFallbacks` (string[])
+  - `agent.imageModel` (string)
+  - `agent.imageModelFallbacks` (string[])
+  - `agent.allowedModels` (string[])
+  - `agent.modelAliases` (record)
 
 Outputs
 - `agent.models` map with keys for all referenced models
 - `agent.model.primary/fallbacks`
 - `agent.imageModel.primary/fallbacks`
-- `auth.profiles` seeded from current auth.json + env (as `provider:default`)
-- `auth.order` seeded with `["provider:default"]`
+- Auth profile store seeded from current auth-profiles.json/auth.json + oauth.json + env (as `provider:default`)
+- `auth.order` seeded with `["provider:default"]` when config is updated
 
 Auto-run
 - Gateway start detects legacy keys and runs doctor migration.
 
@@ -126,7 +126,7 @@ Core parameters:
 - `maxBytesMb` (optional size cap)
 
 Notes:
-- Only available when `agent.imageModel` or `agent.imageModelFallbacks` is set.
+- Only available when `agent.imageModel` is configured (primary or fallbacks).
 - Uses the image model directly (independent of the main chat model).
 
 ### `cron`
Original file line number	Diff line number	Diff line change
@@ -15,7 +15,8 @@ Everything lives under `~/.clawdbot/`:
`15`	`15`	`\|------\|---------\|`
`16`	`16`	\| `~/.clawdbot/clawdbot.json` \| Main config (JSON5) \|
`17`	`17`	\| `~/.clawdbot/credentials/oauth.json` \| OAuth credentials (Anthropic/OpenAI, etc.) \|
`18`		-\| `~/.clawdbot/agent/auth.json` \| API key store \|
	`18`	+\| `~/.clawdbot/agent/auth-profiles.json` \| Auth profiles (OAuth + API keys) \|
	`19`	+\| `~/.clawdbot/agent/auth.json` \| Runtime API key cache (managed automatically) \|
`19`	`20`	\| `~/.clawdbot/credentials/` \| WhatsApp/Telegram auth tokens \|
`20`	`21`	\| `~/.clawdbot/sessions/` \| Conversation history & state \|
`21`	`22`	\| `~/.clawdbot/sessions/sessions.json` \| Session metadata \|
@@ -576,21 +577,16 @@ List available models with `/model`, `/model list`, or `/model status`.
`576`	`577`	`Clawdbot ships a few default model shorthands (you can override them in config):`
`577`	`578`	`opus`, `sonnet`, `gpt`, `gpt-mini`, `gemini`, `gemini-flash`.
`578`	`579`
`579`		-Setup: Configure allowed models and aliases in `clawdbot.json`:
	`580`	+Setup: Configure models and aliases in `clawdbot.json`:
`580`	`581`
`581`	`582`	```json
`582`	`583`	`{`
`583`	`584`	`"agent": {`
`584`		`- "model": "anthropic/claude-opus-4-5",`
`585`		`- "allowedModels": [`
`586`		`- "anthropic/claude-opus-4-5",`
`587`		`- "anthropic/claude-sonnet-4-5",`
`588`		`- "anthropic/claude-haiku-4-5"`
`589`		`- ],`
`590`		`- "modelAliases": {`
`591`		`- "opus": "anthropic/claude-opus-4-5",`
`592`		`- "sonnet": "anthropic/claude-sonnet-4-5",`
`593`		`- "haiku": "anthropic/claude-haiku-4-5"`
	`585`	`+ "model": { "primary": "anthropic/claude-opus-4-5" },`
	`586`	`+ "models": {`
	`587`	`+ "anthropic/claude-opus-4-5": { "alias": "opus" },`
	`588`	`+ "anthropic/claude-sonnet-4-5": { "alias": "sonnet" },`
	`589`	`+ "anthropic/claude-haiku-4-5": { "alias": "haiku" }`
`594`	`590`	`}`
`595`	`591`	`}`
`596`	`592`	`}`
`@@ -606,7 +602,8 @@ If you don't want to use Anthropic directly, you can use alternative providers:`
`606`	`602`	```json5
`607`	`603`	`{`
`608`	`604`	`agent: {`
`609`		`- model: "openrouter/anthropic/claude-sonnet-4",`
	`605`	`+ model: { primary: "openrouter/anthropic/claude-sonnet-4" },`
	`606`	`+ models: { "openrouter/anthropic/claude-sonnet-4": {} },`
`610`	`607`	`env: { OPENROUTER_API_KEY: "sk-or-..." }`
`611`	`608`	`}`
`612`	`609`	`}`
`@@ -616,7 +613,8 @@ If you don't want to use Anthropic directly, you can use alternative providers:`
`616`	`613`	```json5
`617`	`614`	`{`
`618`	`615`	`agent: {`
`619`		`- model: "zai/glm-4.7",`
	`616`	`+ model: { primary: "zai/glm-4.7" },`
	`617`	`+ models: { "zai/glm-4.7": {} },`
`620`	`618`	`env: { ZAI_API_KEY: "..." }`
`621`	`619`	`}`
`622`	`620`	`}`