[Bug]: `store: false` is still sent in embedded agent runs despite `compat.supportsStore: false`, and custom headers are dropped

[wonderful259]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

When using Google AI Studio (Gemini) via an OpenAI-compatible endpoint (like Cloudflare AI Gateway), OpenClaw throws 400 Bad Request or 401 Unauthorized errors.

After deep debugging via a local proxy, I found two distinct issues in OpenClaw 2026.3.2 during embedded agent runs:

1. The store parameter is still hardcoded: Even when explicitly configuring the model with "compat": { "supportsStore": false }, the embedded agent (agent/embedded) still injects "store": false into the JSON payload. This causes Gemini (and other strict compatible APIs) to reject the payload with a 400 error: Unknown name "store": Cannot find field.
2. Custom headers are dropped: When routing traffic through Cloudflare AI Gateway, custom headers defined in the provider config (e.g., "cf-aig-authorization": "...") are occasionally stripped or not passed through correctly by the underlying openai-completions client. This results in a 401 Unauthorized error from Cloudflare.

Steps to reproduce

1. Configure an OpenAI-compatible provider pointing to Google AI Studio via Cloudflare AI Gateway.
2. Add custom headers for Cloudflare auth (cf-aig-authorization).
3. Set "compat": { "supportsStore": false } on the models.
4. Run openclaw agent --message "test".
5. Observe the agent fail with either 400 status code (due to the store field) or 401 Unauthorized (due to missing headers).

Expected behavior

1. The compat.supportsStore: false setting should be strictly respected across all API calls (including embedded agent paths), completely omitting the store property from the payload.
2. Custom headers defined in the provider configuration should be reliably attached to every outbound HTTP request.

Actual behavior

Workaround Used

Currently, the only way to bypass this is by running a local Node.js proxy server that intercepts OpenClaw's requests, forcefully deletes store from the body, manually injects the missing cf-aig-authorization header, and then forwards the request to Cloudflare.

OpenClaw version

2026.3.2

Operating system

Linux

Install method

npm

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[newcodebook]

For production traffic, I would treat this as a relay-path compatibility bug with a known operator workaround.

1. If you need this working now, avoid sending embedded-agent traffic through the strict OpenAI-compatible relay path for this provider: either keep the local proxy you already built (strip store, add cf-aig-authorization) or bypass Cloudflare AI Gateway and hit the upstream Gemini-compatible endpoint directly.
2. If you stay on the relay path, keep the provider config minimal and expect this embedded path to remain fragile until a fix lands — especially for requests that depend on provider-level custom headers.

Why this helps: your repro points to two separate compatibility breaks in the embedded path — store: false still being injected even with compat.supportsStore: false, and relay-auth headers not being forwarded consistently. Both are enough to trigger the exact 400 / 401 pattern you’re seeing.

If you want to help narrow it further, the most useful follow-up is a sanitized models.providers.<name> block plus one failing request log that shows whether the failure is the unexpected store field, missing cf-aig-authorization, or both.

Recommended reading:

• OpenClaw Relay & API Proxy Troubleshooting (NewAPI/OneAPI/AnyRouter): Fix 403s, 404s, and Empty Replies
• OpenClaw Configuration Guide: openclaw.json, Models, Gateway, Channels, and Plugins

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[steipete]

Closing this as implemented after Codex review.

Current main already implements both reported fixes: embedded/OpenAI-compatible runs strip the store field when compat.supportsStore is false, and configured provider headers are merged into resolved model headers and forwarded to the OpenAI-compatible clients. The changelog shows both fixes shipped in v2026.3.7.

What I checked:

• Responses payload policy strips unsupported store: resolveOpenAIResponsesPayloadPolicy marks shouldStripStore when compat.supportsStore is false, and applyOpenAIResponsesPayloadPolicy deletes payloadObj.store. (src/agents/openai-responses-payload-policy.ts:134, 4d7c4b329892)
• Embedded runner regression coverage for non-OpenAI proxy routes: Embedded-runner tests cover a Cloudflare-style OpenAI-compatible base URL and assert that store is removed when compat.supportsStore is false. (src/agents/pi-embedded-runner-extraparams.test.ts:3158, 4d7c4b329892)
• WebSocket embedded path regression coverage: WebSocket stream tests explicitly assert that response.create omits store when compat.supportsStore is false, matching the issue title and linked PR trail. (src/agents/openai-ws-stream.test.ts:1841, 4d7c4b329892)
• Provider headers preserved through embedded model resolution: Embedded model resolution now feeds merged provider/model/request headers into requestConfig.headers, and the resolved model carries those headers forward. (src/agents/pi-embedded-runner/model.ts:373, 4d7c4b329892)
• OpenAI-compatible client sends resolved headers: The OpenAI completions transport builds client defaultHeaders from model.headers, so configured proxy headers are forwarded on outbound requests. (src/agents/openai-transport-stream.ts:1014, 4d7c4b329892)
• Shipped release evidence: The changelog for 2026.3.7 includes both Models/custom provider headers and Agents/OpenAI-responses compatibility entries covering the two reported behaviors. (CHANGELOG.md:3008, 4d7c4b329892)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 4d7c4b329892; fix evidence: release v2026.3.7.