[Bug]: cron preflight normalizes LiteLLM-backed Gemini model allowlist entries to Google preview IDs

[pigfoot]

Triage note

This report is intentionally structured for automated/model triage: the reproduction is deterministic, the observed/expected behavior is explicit, and the suspected code path is called out separately from the observed evidence.

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After upgrading from OpenClaw 2026.5.7 to 2026.5.18, cron agentTurn payloads using a configured non-Google provider model such as litellm/gemini-3-flash are rejected by cron preflight because the runtime allowlist is normalized to litellm/gemini-3-flash-preview.

Steps to reproduce

1. Configure a custom/provider-backed model catalog entry under a non-Google LiteLLM-backed provider, for example models.providers.litellm.models[].id = "gemini-3-flash".
2. Add the same model to agents.defaults.models as litellm/gemini-3-flash.
3. Create a cron job with sessionTarget = "isolated" and payload.kind = "agentTurn", setting payload.model = "litellm/gemini-3-flash".
4. Force-run the cron job.
5. Observe cron preflight rejecting the payload model because the effective allowlist contains litellm/gemini-3-flash-preview instead of litellm/gemini-3-flash.

Expected behavior

A cron payload model should be accepted when it exactly matches a configured provider catalog entry and an agents.defaults.models allowlist entry for that same provider/model key.

In the observed setup, litellm/gemini-3-flash should remain litellm/gemini-3-flash because the configured provider is a custom LiteLLM-backed OpenAI-compatible provider. Google preview model-id normalization should not rewrite the model id unless the provider is Google/Google Gemini CLI/Google Vertex, or the configured provider explicitly opts into such normalization.

Actual behavior

On OpenClaw 2026.5.18, a delivery-none smoke cron using payload.model = "litellm/gemini-3-flash" failed at preflight. The diagnostic reported that litellm/gemini-3-flash was not in the allowlist, while the effective allowlist contained litellm/gemini-3-flash-preview and litellm/gemini-3.1-pro-preview.

This also affected real cron jobs that used litellm/gemini-3-flash as their payload model. Rolling back to OpenClaw 2026.5.7 made the same cron jobs run successfully without changing the cron jobs or the source config.

OpenClaw version

First known bad: 2026.5.12 / 2026.5.13 family; reproduced again on 2026.5.18.

Last known good: 2026.5.7.

Operating system

Linux 6.12.68+ x64, container/GKE-style runtime.

Install method

Containerized OpenClaw gateway runtime.

Model

litellm/gemini-3-flash as cron payload.model.

Provider / routing chain

OpenClaw cron isolated agent -> custom LiteLLM-backed provider -> OpenAI-compatible completions endpoint.

Additional provider/model setup details

Relevant source config uses non-preview model ids:

{
  "models": {
    "providers": {
      "litellm": {
        "api": "openai-completions",
        "models": [
          { "id": "gemini-3-flash", "name": "Gemini 3 Flash" },
          { "id": "gemini-3.1-pro", "name": "Gemini 3.1 Pro" }
        ]
      }
    }
  },
  "agents": {
    "defaults": {
      "models": {
        "litellm/gemini-3-flash": {},
        "litellm/gemini-3.1-pro": {}
      }
    }
  }
}

The issue is not that the provider cannot serve the model. The failure happens before dispatch, during cron model allowlist/preflight validation.

Logs, screenshots, and evidence

Observed timeline:

• On 2026.5.12/2026.5.13, source config and cron payloads both used non-preview litellm/gemini-3-flash, but runtime cron preflight rejected payload.model = "litellm/gemini-3-flash" because the effective allowlist contained preview-normalized entries such as litellm/gemini-3-flash-preview and litellm/gemini-3.1-pro-preview.
• Rolling back to 2026.5.7 resolved the same cron jobs without changing cron/openclaw.json.
• On 2026.5.18, the regression reproduced again with a temporary delivery-none smoke cron using payload.model = "litellm/gemini-3-flash".

Representative diagnostic, redacted/abridged:

cron payload.model 'litellm/gemini-3-flash' rejected by agents.defaults.models allowlist:
litellm/gemini-3-flash is not in [..., litellm/gemini-3-flash-preview, litellm/gemini-3.1-pro-preview, ...]

Likely code path from current openclaw/openclaw source (cd019cfa when checked):

• src/plugin-sdk/provider-model-id-normalize.ts defines Google preview normalization, including gemini-3-flash -> gemini-3-flash-preview and gemini-3.1-pro -> gemini-3.1-pro-preview.
• src/agents/model-ref-shared.ts is provider-scoped for this normalization in normalizeBuiltInProviderModelId(), applying it only for google, google-gemini-cli, and google-vertex.
• But src/config/model-input.ts currently has normalizeAgentModelRefForConfig(model) split provider/model and then call normalizeGooglePreviewModelId() on the suffix regardless of provider:

const provider = normalizeProviderId(trimmed.slice(0, slash));
const normalizedModel = normalizeGooglePreviewModelId(trimmed.slice(slash + 1));
return modelKeyForConfig(provider, normalizedModel);

This can rewrite litellm/gemini-3-flash into litellm/gemini-3-flash-preview while preserving the non-Google provider prefix, which matches the observed runtime allowlist mismatch.

Cron then rejects the original payload model in src/cron/isolated-agent/model-selection.ts via resolveAllowedModelRef() / allowlist validation, producing the observed cron payload.model ... rejected by agents.defaults.models allowlist error.

Impact and severity

Affected: cron jobs that use payload.model with custom/non-Google LiteLLM-backed provider ids whose model ids happen to match Google Gemini preview-normalization aliases, e.g. litellm/gemini-3-flash.

Severity: High for affected installations because scheduled jobs fail before model dispatch.

Frequency: Always for the affected cron preflight path on 2026.5.18 in the observed setup.

Consequence: scheduled jobs silently accumulate cron preflight failures until the user changes the payload model, updates config, rolls back, or the normalization bug is fixed.

Additional information

Temporary workaround: migrate affected cron payloads away from litellm/gemini-3-flash to a non-affected configured model such as litellm/minimax-m2.5-aws or another model id that does not trigger Gemini preview normalization.

Interactive agent primary model paths may not fail the same way: in the observed setup, an interactive agent configured with litellm/gemini-3-flash was runtime-normalized and could still execute, but the effective model differed from source config. The hard failure was specifically reproduced in cron payload preflight.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep this open: current main still has a source-level path that can normalize non-Google agents.defaults.models entries through the Google preview-id helper, and cron preflight then validates the original payload model against the mutated allowlist. I did not find an exact open fix PR for this LiteLLM/Gemini cron case.

Reproducibility: yes. for source-level reproduction: current main shows litellm/gemini-3-flash can be normalized to litellm/gemini-3-flash-preview in config while cron checks the original payload against the allowed set. I did not run a live cron job in this read-only review.

Next step
The bug is narrow, current source points to the likely fix boundary, and no product or security decision is needed before attempting a regression-fix PR.

Review details

Best possible solution:

Fix config model-ref normalization to apply Google preview aliases only for Google-owned providers or explicit provider normalization policy, then add regression coverage for the LiteLLM cron allowlist path and retain existing Google alias behavior.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level reproduction: current main shows litellm/gemini-3-flash can be normalized to litellm/gemini-3-flash-preview in config while cron checks the original payload against the allowed set. I did not run a live cron job in this read-only review.

Is this the best way to solve the issue?

Yes, the best fix is narrow: make normalizeAgentModelRefForConfig() provider-scoped or reuse the existing provider-aware normalization helper, while preserving Google provider alias normalization and adding a cron regression test.

Label changes:

• add P1: The report describes a regression that can stop configured cron agent jobs before dispatch for affected real installations.
• add impact:auth-provider: The affected path is provider/model allowlist normalization and model-choice routing for cron payloads.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a regression that can stop configured cron agent jobs before dispatch for affected real installations.
• impact:auth-provider: The affected path is provider/model allowlist normalization and model-choice routing for cron payloads.

Acceptance criteria:

• node scripts/run-vitest.mjs src/config/model-input.test.ts src/agents/model-selection-resolve.test.ts src/cron/isolated-agent.model-overrides.test.ts
• git diff --check

What I checked:

• Current config normalization rewrites any provider suffix: normalizeAgentModelRefForConfig() splits provider/model, normalizes the provider, then calls normalizeGooglePreviewModelId() on the model suffix without checking whether the provider is Google-owned. (src/config/model-input.ts:70, cd019cfa412b)
• Google preview helper rewrites the reported model IDs: The helper maps gemini-3-flash to gemini-3-flash-preview and gemini-3.1-pro to gemini-3.1-pro-preview, which matches the issue's observed effective allowlist entries. (src/plugin-sdk/provider-model-id-normalize.ts:13, cd019cfa412b)
• Runtime provider normalization is correctly scoped elsewhere: normalizeBuiltInProviderModelId() only applies Google preview normalization for google, google-gemini-cli, and google-vertex, supporting the issue's claim that config normalization is the inconsistent path. (src/agents/model-ref-shared.ts:54, cd019cfa412b)
• Cron payload model preflight uses the allowlist resolver: Cron agentTurn payload models are passed to resolveAllowedModelRef() and failures are formatted as the reported cron payload.model ... rejected by agents.defaults.models allowlist diagnostic. (src/cron/isolated-agent/model-selection.ts:132, cd019cfa412b)
• Allowlist checking compares exact normalized model keys: The allowlist builder parses exact model refs into allowed keys and resolveAllowedModelRefFromAliasIndex() rejects a payload when the resolved key is not in that set, explaining why litellm/gemini-3-flash fails against a normalized litellm/gemini-3-flash-preview key. (src/agents/model-selection-shared.ts:731, cd019cfa412b)
• Docs support exact custom provider model registration: The docs say agents.defaults.models["provider/model"] controls model visibility and that custom provider models also need a matching models.providers.<provider>.models[] entry, matching the reporter's expected config shape. Public docs: docs/concepts/model-providers.md. (docs/concepts/model-providers.md:351, cd019cfa412b)

Likely related people:

• Ayaan Zaidi: git blame attributes the central config normalization, provider-scoped runtime normalization, cron model-selection file, and adjacent resolver tests to commit 989e53c20d395d3c8bf47efc21fdb9d56e7227b0. (role: introduced current implementation; confidence: high; commits: 989e53c20d39; files: src/config/model-input.ts, src/agents/model-ref-shared.ts, src/cron/isolated-agent/model-selection.ts)
• Vincent Koc: Recent history on adjacent model-selection and cron/session test surfaces includes OpenRouter compat alias and cron/runtime alignment work, which overlaps the allowlist resolver area. (role: recent adjacent model-selection contributor; confidence: medium; commits: d13869aab94d, a16331c36e29; files: src/agents/model-selection-resolve.test.ts, src/cron/isolated-agent.model-overrides.test.ts)
• Shakker: Recent cron isolated-agent coverage was split in commit deb70e7e2563e062d90120deb0e8be8e22ce0296, making this a useful routing candidate for regression-test placement. (role: adjacent cron test contributor; confidence: low; commits: deb70e7e2563; files: src/cron/isolated-agent.model-overrides.test.ts)

Remaining risk / open question:

• I did not execute a live cron force-run in this read-only sweep, so the reproduction proof is source-level rather than runtime proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cd019cfa412b.