RFC: treat models.providers-injected models as first-class forward-compat models

[Sapientropic]

Summary

OpenClaw already has the core pieces for forward-compat model support:

• models.providers.<provider>.models can inject model definitions from config
• runtime can resolve some newer models via forward-compat fallbacks
• models status can often resolve models that are not yet present in the underlying pi-ai registry

The gap is that this still behaves like a partial capability rather than a first-class system concept.

This RFC proposes that config-injected provider models should be treated as first-class forward-compat models across the whole product, not only in isolated code paths.

Why this matters

This is not just about one model.

It is a recurring class of issue whenever:

• a provider releases a new model before OpenClaw updates ship
• upstream runtime support lands on main before stable packages include it
• users need a safe local bridge instead of waiting for the next release

In practice, models.providers is already the natural escape hatch for this. The problem is that support is currently uneven across surfaces.

Recent examples

These recent issues are all symptoms of the same broader design gap:

• #37623 runtime / provider semantics around openai-codex/gpt-5.4
• #6820 and follow-up discussion about xhigh whitelist drift for newer OpenAI Codex models
• #37635 display-layer inconsistency where models list --all omitted config-injected models

Proposed design direction

If a model is defined under models.providers.<provider>.models, and OpenClaw can resolve it into a usable runtime model, then that model should be treated as a first-class forward-compat model across all relevant surfaces:

1. models status
   • should resolve it consistently
2. models list
   • especially --all, should include it consistently
3. runtime execution
   • should use the resolved provider transport semantics, not only raw registry presence
4. availability / auth heuristics
   • should degrade gracefully for config-only models
5. thinking / reasoning capability gates
   • should not silently drift behind known forward-compat models
6. docs / validation
   • should clearly describe this as a supported compatibility path, with expected limits

Non-goal

This RFC is not proposing that arbitrary fake model IDs should always be accepted without checks.

The proposal is narrower:

• if a config-injected model can be resolved into a coherent model definition using existing provider semantics and forward-compat logic, OpenClaw should handle it consistently across config, listing, status, and runtime
• if it cannot, OpenClaw should fail clearly and early

Why an RFC instead of another one-off fix

Individual fixes are already happening, and they are helpful.

But without an explicit design stance, the same pattern will keep reappearing in different layers:

• runtime works but list output lags
• list works but availability is misleading
• runtime works but capability gates lag
• stable release behavior diverges from main

Treating models.providers-injected models as an official forward-compat path would give maintainers and contributors a clearer target for future fixes.

Concrete outcome that would help users

A simple rule of thumb could become true:

If I define a model under models.providers, and OpenClaw can resolve it, then status, list, and runtime should agree about that model.

That one invariant would eliminate a lot of confusion.

Reference implementation / field notes

We built a local external workflow around this idea here:

• https://github.com/Sapientropic/openclaw-shadow-model-registry

That repository is not meant as a request to upstream the whole external toolkit verbatim. It is just evidence that this is a reusable problem class, not a one-off patch.

Question for maintainers

Would you be open to explicitly recognizing models.providers-based forward-compat injection as a supported design pattern, and then gradually aligning status, list, runtime, capability gates, and docs around that invariant?

[Sapientropic]

One more concrete way to frame this RFC, based on the recent bug pattern:

I do not think the missing piece is “more allowlist entries” or “more one-off forward-compat patches.”

I think the missing piece is a single shared resolved model descriptor that every surface consumes.

Right now, different layers answer slightly different questions in slightly different ways:

• runtime asks: “can I build a usable transport/model for this ref?”
• models status asks: “can I resolve this ref from config + runtime logic?”
• models list --all has historically asked: “is this in the discovered registry?”
• thinking / capability gates ask: “is this model in a separate hard-coded capability set?”

That is why the same class of bug keeps reappearing.

A smaller, more actionable version of this RFC could be:

1. For any configured model ref, OpenClaw computes one canonical resolution result.

   • Inputs: discovered registry, models.providers, forward-compat logic, provider semantics
   • Output: either
     • resolved with transport/capability metadata, or
     • unsupported with a clear reason

2. status, list, runtime, and capability gates consume that same result.

   • not four separate approximations of the same concept

3. If a model is resolved, product surfaces should agree on three things:

   • identity: what model/provider is this?
   • transport: how is it actually called?
   • capabilities: what gates/features apply to it?

4. If a model is unsupported, fail early and explicitly.

   • do not let config accept it, then let runtime/list/capabilities disagree later

To me, this keeps the RFC scoped and practical:

• it does not require arbitrary model IDs to work
• it does not require upstreaming an external shadow-registry toolkit verbatim
• it just says: once OpenClaw can resolve a configured model coherently, every surface should share that answer

That seems like the smallest design invariant that would stop this exact issue family from recurring.

[who96]

I want to take this on incrementally, but not as a single XL PR.

After reading the current code, my take is that the real problem is not just models list --all or one more forward-compat patch. The real problem is that OpenClaw currently has multiple partial sources of truth for model identity / transport / capabilities:

• catalog loading
• runtime forward-compat resolution
• config/default/allowlist parsing
• CLI registry/list surfaces
• auto-reply / model-picker consumers
• capability gates

So the invariant I want to implement is:

If OpenClaw can resolve a configured model coherently, then runtime, list/status, and capability gates should all consume the same canonical resolution result.

Planned delivery:

1. Small PR: extract a shared canonical registry/resolution layer in src/agents that unifies catalog + runtime forward-compat facts.
2. Medium PR: migrate CLI / auto-reply / picker / status consumers onto that shared result.
3. Small PR: remove duplicate compatibility glue and remaining raw-registry direct consumers.

For phase 1, I do not plan to change user-visible behavior beyond making the underlying fact source consistent.

[Sapientropic]

This phased plan makes sense. One concrete design detail from local field-testing that may help phase 1 stay sharp:

I think it is useful to treat resolution and registry visibility / availability as separate axes.

A configured model can be coherently resolved even when it is not present in the discovered registry. In that case, product surfaces should usually not hide it; they should surface it as resolved-with-provenance rather than silently dropping it.

That distinction is what bit us in the recent bug family:

• runtime / models status could often resolve config-injected models coherently
• but models list --all historically tended to ask a narrower registry-membership question

So one small addition that might make the canonical result more durable is to include something like:

• identity
• transport
• capabilities
• provenance (discovered, configured, forward-compat synthetic, etc.)
• availability / visibility state

That would let list/status surfaces show config-only or synthetic rows explicitly instead of either pretending they are fully discovered models or hiding them.

If phase 1 gets tests, a tiny regression matrix around that distinction would probably go a long way:

• discovered model
• config-injected but not discovered model
• forward-compat synthetic model

and then assert that runtime, status, list --all, and capability gates consume the same canonical answer in each case.

That feels complementary to your plan without making phase 1 much bigger.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main and the shipped v2026.5.3 tag already implement the RFC's central invariant: configured provider models now flow through catalog/list/runtime/auth-visibility/thinking surfaces instead of remaining an isolated config escape hatch.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the generic configured-catalog, runtime fallback, and provider-owned compat hooks, and track any future provider-specific drift as narrow follow-up issues rather than keeping this broad RFC open.

Do we have a high-confidence way to reproduce the issue?

Not applicable. This is an RFC/design-alignment request, and source, tests, docs, and release-tag inspection show the requested invariant is now represented in current main and v2026.5.3.

Is this the best way to solve the issue?

Yes. The current solution is the narrow maintainable direction: configured provider metadata feeds generic catalog/list/runtime paths, while provider-owned hooks and catalog compat metadata handle transport and capability differences without expanding hard-coded core allowlists.

Security review:

Security review: No patch is under review for this issue, and the issue does not report a security-sensitive defect.

What I checked:

• Configured models are merged into the model catalog: loadModelCatalog and read-only catalog paths append buildConfiguredModelCatalog({ cfg }), so provider-configured models become catalog entries available to downstream surfaces. (src/agents/model-catalog.ts:281, feb9a5af6a41)
• Runtime resolves configured fallback models: resolveModelWithRegistry falls through to resolveConfiguredFallbackModel, which builds a runnable model from configured provider transport, headers, params, context, token, reasoning, and input metadata. (src/agents/pi-embedded-runner/model.ts:796, feb9a5af6a41)
• Model list rows include configured and synthetic/catalog-supplement rows: The list row source cascade appends configured provider rows, configured entries, manifest/index rows, and catalog supplements; row building allows provider-auth availability fallback for entries absent from discovered availability results. (src/commands/models/list.row-sources.ts:76, feb9a5af6a41)
• Gateway/model-picker visibility includes configured providers: resolveVisibleModelCatalog returns configured provider catalog entries when no explicit allowlist constrains the view, and the Gateway models.list handler uses that resolver for default/configured views. (src/agents/model-catalog-visibility.ts:55, feb9a5af6a41)
• Thinking gates consume configured compat metadata: Thinking resolution reads catalog compat.supportedReasoningEfforts and provider-owned thinking hooks before exposing xhigh, and docs describe the configured-model compat opt-in path. (src/auto-reply/thinking.ts:80, feb9a5af6a41)
• Regression coverage exists for the requested behavior family: Tests cover configured provider rows in models list, configured models missing from discovery in the catalog, configured metadata/alias overlays, Gateway configured views, runtime fallback metadata, and catalog compat xhigh handling. (src/commands/models/list.list-command.forward-compat.test.ts:453, feb9a5af6a41)

Likely related people:

• Peter Steinberger: Recent history shows broad ownership across model selection, catalog metadata, configured xhigh compat, provider fallback behavior, and adjacent Gateway/model-picker fixes central to this invariant. (role: recent maintainer and major model-surface owner; confidence: high; commits: 93d5cd10151f, 3eed32108187, 310d2db31241; files: src/agents/model-selection-shared.ts, src/auto-reply/thinking.ts, src/agents/pi-embedded-runner/model.ts)
• Shakker: Recent commits split and hardened model-list row sources and specifically added configured provider rows to all-model listing paths. (role: models-list implementation maintainer; confidence: high; commits: 19f9b69586d3, 0af56c8ba66f, f049d9dec2e8; files: src/commands/models/list.rows.ts, src/commands/models/list.row-sources.ts, src/commands/models/list.list-command.forward-compat.test.ts)
• Vincent Koc: Recent work kept Gateway model listing read-only/fast and refactored provider runtime model seams that the configured-provider compatibility path depends on. (role: provider/runtime and catalog-adjacent maintainer; confidence: medium; commits: b74401074b6e, 61da711b1a7e, b90d4ea3d73e; files: src/agents/model-catalog.ts, src/agents/pi-embedded-runner/model.ts, src/plugins/types.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against feb9a5af6a41; fix evidence: release v2026.5.3, commit 06d46f7cf638.