feat: add bundled Chutes extension

[steipete]

Summary

• add bundled Chutes provider extension with plugin-owned OAuth and API-key auth
• move bundled-provider default enablement + auth discovery onto generic extension seams
• add coverage for default-on bundled loading, provider auth discovery, and Chutes implicit discovery

Notes

• Supersedes feat(chutes): add OAuth and API key authentication for Chutes provider #41416 because that PR head is cross-repo and maintainer edits are disabled.
• Keeps the history split into:
  • refactor: generalize bundled provider discovery seams
  • feat: land chutes extension via plugin-owned auth (#41416) (thanks @Veightor)

Verification

• pnpm build
• pnpm check
• pnpm tsgo
• OPENCLAW_TEST_PROFILE=low OPENCLAW_TEST_SERIAL_GATEWAY=1 pnpm test -- src/plugins/providers.test.ts src/plugins/provider-catalog.test.ts src/plugins/config-state.test.ts src/plugins/manifest-registry.test.ts src/plugins/provider-discovery.test.ts src/plugins/contracts/discovery.contract.test.ts src/plugins/contracts/registry.contract.test.ts src/plugins/contracts/loader.contract.test.ts src/plugins/loader.test.ts src/agents/model-auth-markers.test.ts src/commands/auth-choice.test.ts src/agents/chutes-models.test.ts
• live Chutes discovery with real CHUTES_API_KEY from shell: implicit bundled provider resolved, 47 models returned
• manual regression script covering the Chutes implicit-discovery assertions from src/agents/models-config.providers.chutes.test.ts

[cursor]

PR Summary

Medium Risk
Adds a new default-on provider plugin and changes how bundled providers are enabled and how OAuth vs API-key credentials are surfaced to provider catalog discovery, which could affect provider loading and model discovery behavior across plugins.

Overview
Adds a new bundled, enabled-by-default chutes provider extension with plugin-owned OAuth and API-key auth flows, plus dynamic model discovery that falls back to a static catalog and applies Chutes-specific onboarding config/aliases.

Generalizes provider discovery/auth plumbing by introducing resolveProviderAuth (mode/source + optional OAuth marker) and a new oauth:<provider> marker, and wiring this through runProviderCatalog/implicit provider resolution so catalogs can use OAuth access tokens for discovery without treating them as persisted API keys.

Updates bundled plugin loading to honor enabledByDefault from openclaw.plugin.json (and adds compat shims to auto-enable bundled provider plugins during allowlist/vitest compat), and refactors provider contract registry building to derive bundled provider entries from the plugin loader instead of a hardcoded list. Removes the legacy Chutes OAuth handling from auth-choice.apply.oauth.ts and adds/adjusts tests accordingly.

^{Written by Cursor Bugbot for commit 7255cb9. This will update automatically on new commits. Configure here.}

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Overbroad oauth: API key marker classification can bypass masking/auditing and leak secrets
2	🔵 Low	Cleartext storage of Chutes access tokens in in-memory cache key
3	🔵 Low	OAuth state validation bypass via code-only paste in Chutes manual login flow

---

1. 🟡 Overbroad oauth: API key marker classification can bypass masking/auditing and leak secrets

Property	Value
Severity	Medium
CWE	CWE-532
Location	src/agents/model-auth-markers.ts:45-86

Description

The new OAuth API key marker scheme treats any value beginning with "oauth:" as a non-secret marker. This can misclassify real secrets/tokens that happen to start with that prefix, leading to disclosure and audit bypass.

Impact:

• Masking bypass / disclosure in CLI output: commands/models/list.auth-overview.ts prints non-secret markers verbatim as marker(<value>). If a real token is set to e.g. apiKey: "oauth:REALSECRET...", the command will output the full token instead of masking it.
• Secret audit bypass: secrets/audit.ts uses isNonSecretApiKeyMarker() to decide whether an apiKey is plaintext. Any oauth:* value will be treated as non-secret and will not be flagged as plaintext even if it is a real credential.

Vulnerable code (marker classification):

export function isOAuthApiKeyMarker(value: string): boolean {
  return value.trim().startsWith(OAUTH_API_KEY_MARKER_PREFIX);
}
...
trimmed === QWEN_OAUTH_MARKER ||
isOAuthApiKeyMarker(trimmed) ||
...

Vulnerable sink example (verbatim output):

return isNonSecretApiKeyMarker(value, { includeEnvVarName: false })
  ? `marker(${value.trim()})`
  : maskApiKey(value);

Concrete scenario:

1. User (or a malicious config/template) sets models.json provider apiKey to "oauth:..." where ... is an actual secret.
2. Running models list --auth-overview will print marker(oauth:...) revealing the secret.
3. Running the secrets audit will not warn about plaintext storage because the value is treated as a marker.

This is a regression compared to enumerating only specific marker constants (e.g., qwen-oauth) and makes the marker namespace trivially collidable with real secrets.

Recommendation

Narrow marker recognition so arbitrary oauth:* strings are not automatically treated as non-secret.

Recommended changes:

• Validate providerId and only recognize markers that match the exact canonical form for known providers (or a strict allowed-id regex).
• Consider parsing as oauth:<providerId> and ensuring <providerId> is in the provider catalog (or allowlist).
• At minimum, do not print marker values verbatim; print a generic label (e.g. marker(oauth) or marker(oauth:<provider>)) and/or mask the remainder.

Example hardening:

const OAUTH_MARKER_RE = /^oauth:([a-z0-9][a-z0-9-]{0,62})$/i;

export function isOAuthApiKeyMarker(value: string, knownProviders?: Set<string>): boolean {
  const m = value.trim().match(OAUTH_MARKER_RE);
  if (!m) return false;
  const providerId = m[1].toLowerCase();
  return knownProviders ? knownProviders.has(providerId) : true;
}

export function resolveOAuthApiKeyMarker(providerId: string): string {
  const normalized = providerId.trim().toLowerCase();
  if (!OAUTH_MARKER_RE.test(`oauth:${normalized}`)) {
    throw new Error("Invalid providerId for oauth marker");
  }
  return `oauth:${normalized}`;
}

Also update sinks like formatMarkerOrSecret() to avoid echoing untrusted marker strings verbatim.

---

2. 🔵 Cleartext storage of Chutes access tokens in in-memory cache key

Property	Value
Severity	Low
CWE	CWE-316
Location	src/agents/chutes-models.ts:492-496

Description

discoverChutesModels(accessToken?) stores the raw (trimmed) access token string as the key in a process-wide Map cache.

• Input: accessToken (API key / OAuth access token)
• Issue: token is retained in memory as a map key for up to 5 minutes (TTL) and potentially longer if not pruned immediately, increasing exposure risk via heap dumps, crash reports, debugging/profiling tools, or accidental serialization/inspection.
• Impact: unintended disclosure of bearer tokens can allow account/API impersonation.

Vulnerable code:

​// Keyed by trimmed access token (empty string = unauthenticated).
const modelCache = new Map<string, CacheEntry>();

Recommendation

Avoid keeping raw bearer tokens in long-lived data structures. Instead, derive a non-reversible cache key.

Example (SHA-256 hash as cache key):

import { createHash } from "node:crypto";

function tokenToCacheKey(token: string | undefined): string {
  const trimmed = token?.trim() ?? "";
  if (!trimmed) return "";
  return createHash("sha256").update(trimmed, "utf8").digest("hex");
}

export async function discoverChutesModels(accessToken?: string) {
  const cacheKey = tokenToCacheKey(accessToken);
  const rawToken = accessToken?.trim() ?? "";

  const cached = modelCache.get(cacheKey);
  if (cached) return cached.models;

  const headers: Record<string, string> = {};
  if (rawToken) headers.Authorization = `Bearer ${rawToken}`;
  ​// ...
}

This preserves token scoping without retaining the token itself in the cache key. Also consider minimizing TTL and ensuring cache entries are promptly cleared on shutdown or auth revocation.

---

3. 🔵 OAuth state validation bypass via code-only paste in Chutes manual login flow

Property	Value
Severity	Low
CWE	CWE-352
Location	src/commands/chutes-oauth.ts:18-44

Description

The Chutes OAuth "manual" (copy/paste) flow accepts a raw authorization code without requiring or validating the OAuth state value.

• loginChutes() uses parseManualOAuthInput() when manual: true (remote/VPS flow)
• If the pasted input does not "look like" a URL/querystring, it is treated as a raw authorization code and the function silently injects the expected state rather than validating a returned state
• This weakens CSRF protection / login integrity for the manual flow and can enable account substitution if an attacker can obtain a valid authorization code for the in-progress PKCE challenge and trick the user into pasting it

Vulnerable code:

​// Support pasting either:
​// - Full redirect URL (preferred; validates state)
​// - Raw authorization code (legacy/manual copy flows)
const looksLikeRedirect =
  ​/^https?:\/\//i.test(trimmed) || trimmed.includes("://") || trimmed.includes("?");
if (!looksLikeRedirect) {
  return { code: trimmed, state: expectedState };
}

Even though parseOAuthCallbackInput() correctly rejects code-only input, this wrapper reintroduces code-only acceptance and bypasses state validation.

Recommendation

Require state verification for all manual paste inputs.

• Remove support for code-only pastes (or gate it behind an explicit --allow-insecure-code-paste debug flag)
• Parse querystring-only input robustly (including inputs like code=...&state=... without a leading ?)

Suggested fix:

function parseManualOAuthInput(input: string, expectedState: string) {
  const trimmed = String(input ?? "").trim();
  if (!trimmed) throw new Error("Missing OAuth redirect URL.");

  ​// Always require state-bearing redirect URL or querystring.
  const parsed = parseOAuthCallbackInput(trimmed, expectedState);
  if ("error" in parsed) throw new Error(parsed.error);
  return parsed;
}

This ensures the manual flow cannot proceed unless the pasted content includes a matching state.

---

Analyzed PR: #49136 at commit 7255cb9

_{Last updated on: 2026-03-17T17:10:29Z}

[steipete]

Landed via squash onto main.

• Gate: pnpm build; pnpm check; pnpm tsgo; OPENCLAW_TEST_PROFILE=low OPENCLAW_TEST_SERIAL_GATEWAY=1 pnpm test -- src/plugins/providers.test.ts src/plugins/provider-catalog.test.ts src/plugins/config-state.test.ts src/plugins/manifest-registry.test.ts src/plugins/provider-discovery.test.ts src/plugins/contracts/discovery.contract.test.ts src/plugins/contracts/registry.contract.test.ts src/plugins/contracts/loader.contract.test.ts src/plugins/loader.test.ts src/agents/model-auth-markers.test.ts src/commands/auth-choice.test.ts src/agents/chutes-models.test.ts; live Chutes implicit-discovery check with real CHUTES_API_KEY; manual regression script for src/agents/models-config.providers.chutes.test.ts
• Refactor commit: 597d38f
• Chutes commit: 7255cb9
• Merge commit: a724bbc

Thanks @Veightor!

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Overly broad substring match misclassifies reasoning models

Low Severity

The dynamic discovery reasoning heuristic uses id.toLowerCase().includes("r1") and id.toLowerCase().includes("tee") which are overly broad substring checks. "r1" matches any model ID containing that substring anywhere (e.g., "provider1/some-model", "gpt4-mar1-release"), and "tee" matches words like "committee" or "guarantee". This can incorrectly flag non-reasoning models as reasoning-capable during live API discovery, affecting model selection and routing.

 

[cursor]

Exported applyChutesConfig function is never imported

Low Severity

applyChutesConfig is exported from extensions/chutes/onboard.ts but is never imported or referenced anywhere in the codebase. The function applyChutesProviderConfig and applyChutesApiKeyConfig are both used, but applyChutesConfig (which sets the default model and image model to Chutes) is dead code.

 

[greptile-apps]

Greptile Summary

This PR adds a bundled Chutes.ai provider extension with plugin-owned OAuth and API-key authentication, while simultaneously generalizing the enablement and provider-auth discovery seams so future bundled plugins can declare enabledByDefault: true in their manifest and expose rich auth context (env, api-key profile, or OAuth profile) to their catalog hooks.

Key changes:

• New extensions/chutes/ plugin with OAuth flow, API-key auth, dynamic model discovery with a token-scoped, TTL-bounded cache, and a 47-model static fallback catalog.
• Chutes-specific OAuth code removed from the core auth-choice.apply.oauth.ts (now a no-op stub).
• New resolveProviderAuth resolver added to ImplicitProviderContext / ProviderCatalogContext, exposing auth mode (env, api_key, oauth) and a discoveryApiKey separate from the API-key marker — enabling authenticated model discovery for OAuth users.
• enabledByDefault field threaded from PluginManifest → PluginManifestRecord → resolveEnableState, allowing any bundled plugin to opt into default-on behaviour without touching BUNDLED_ENABLED_BY_DEFAULT.
• src/plugins/contracts/registry.ts refactored to derive its provider registry from resolvePluginProviders rather than a hard-coded import list.
• Comprehensive test coverage across model catalog, caching, implicit discovery, auth precedence, and plugin loading.

Minor issues flagged:

• CHUTES_DEFAULT_COST is exported from chutes-models.ts but is not used internally, not re-exported through the plugin SDK, and not referenced in the catalog or discovery paths — it is dead code.
• The id.toLowerCase().includes("tee") heuristic for reasoning classification is broader than the TEE suffix pattern it intends to capture, and could silently misclassify future models whose IDs contain the substring for unrelated reasons.

Confidence Score: 5/5

• Safe to merge — no runtime errors, security issues, or breaking logic changes found; the two flagged items are style-level concerns.
• The PR is well-structured with clear separation of concerns, comprehensive test coverage for all new paths (caching, auth precedence, discovery, plugin loading), and a clean removal of the old hardcoded Chutes OAuth block. The two flagged issues (CHUTES_DEFAULT_COST dead export and the broad tee heuristic) are minor quality concerns that do not affect correctness in the current Chutes model namespace.
• No files require special attention for correctness; src/agents/chutes-models.ts has the two style-level findings noted above.

Comments Outside Diff (2)

1. src/agents/chutes-models.ts, line 1298-1303 (link)

   tee substring may produce false-positive reasoning classifications

   The heuristic marks any model whose ID contains the lowercase substring "tee" as a reasoning model:

   id.toLowerCase().includes("tee")

   While Chutes uses TEE (Trusted Execution Environment) exclusively for reasoning-capable models today, this substring can inadvertently match unrelated model IDs (e.g., "committee", "attestation", any vendor name containing the three letters in sequence). If Chutes ever lists a non-reasoning model whose ID happens to contain "tee", it will be silently misclassified, potentially leading to unexpected prompting behavior.

   Consider tightening the check to match only a word-boundary or suffix pattern, e.g.:

   /-tee$/i.test(id) || id.toUpperCase().endsWith("-TEE")

   or simply rely solely on entry.supported_features?.includes("reasoning") and the explicit r1 / thinking / reason checks, treating TEE as a naming annotation that the API should report through supported_features.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/agents/chutes-models.ts
   Line: 1298-1303
   
   Comment:
   **`tee` substring may produce false-positive reasoning classifications**
   
   The heuristic marks any model whose ID contains the lowercase substring `"tee"` as a reasoning model:
   
   ```ts
   id.toLowerCase().includes("tee")
   ```
   
   While Chutes uses `TEE` (Trusted Execution Environment) exclusively for reasoning-capable models today, this substring can inadvertently match unrelated model IDs (e.g., `"committee"`, `"attestation"`, any vendor name containing the three letters in sequence). If Chutes ever lists a non-reasoning model whose ID happens to contain `"tee"`, it will be silently misclassified, potentially leading to unexpected prompting behavior.
   
   Consider tightening the check to match only a word-boundary or suffix pattern, e.g.:
   
   ```ts
   /-tee$/i.test(id) || id.toUpperCase().endsWith("-TEE")
   ```
   
   or simply rely solely on `entry.supported_features?.includes("reasoning")` and the explicit `r1` / `thinking` / `reason` checks, treating TEE as a naming annotation that the API should report through `supported_features`.
   
   How can I resolve this? If you propose a fix, please make it concise.

2. src/agents/chutes-models.ts, line 710-715 (link)

   CHUTES_DEFAULT_COST is exported but never used

   CHUTES_DEFAULT_COST is exported from this file but is neither consumed within chutes-models.ts itself nor re-exported through src/plugin-sdk/provider-models.ts. The static model catalog entries each define their own explicit costs, and the dynamic discovery path builds cost objects inline (entry.pricing?.prompt || 0, etc.). As a result, this constant is dead code.

   If it is intended as a convenience export for plugin authors, it should be added to the provider-models.ts SDK re-exports. Otherwise it can be removed to avoid confusion.

   (Remove lines 710–715 if unused, or add CHUTES_DEFAULT_COST to the src/plugin-sdk/provider-models.ts export list if it is meant to be part of the public SDK surface.)

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/agents/chutes-models.ts
   Line: 710-715
   
   Comment:
   **`CHUTES_DEFAULT_COST` is exported but never used**
   
   `CHUTES_DEFAULT_COST` is exported from this file but is neither consumed within `chutes-models.ts` itself nor re-exported through `src/plugin-sdk/provider-models.ts`. The static model catalog entries each define their own explicit costs, and the dynamic discovery path builds cost objects inline (`entry.pricing?.prompt || 0`, etc.). As a result, this constant is dead code.
   
   If it is intended as a convenience export for plugin authors, it should be added to the `provider-models.ts` SDK re-exports. Otherwise it can be removed to avoid confusion.
   
   
   (Remove lines 710–715 if unused, or add `CHUTES_DEFAULT_COST` to the `src/plugin-sdk/provider-models.ts` export list if it is meant to be part of the public SDK surface.)
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/agents/chutes-models.ts
Line: 1298-1303

Comment:
**`tee` substring may produce false-positive reasoning classifications**

The heuristic marks any model whose ID contains the lowercase substring `"tee"` as a reasoning model:

```ts
id.toLowerCase().includes("tee")
```

While Chutes uses `TEE` (Trusted Execution Environment) exclusively for reasoning-capable models today, this substring can inadvertently match unrelated model IDs (e.g., `"committee"`, `"attestation"`, any vendor name containing the three letters in sequence). If Chutes ever lists a non-reasoning model whose ID happens to contain `"tee"`, it will be silently misclassified, potentially leading to unexpected prompting behavior.

Consider tightening the check to match only a word-boundary or suffix pattern, e.g.:

```ts
/-tee$/i.test(id) || id.toUpperCase().endsWith("-TEE")
```

or simply rely solely on `entry.supported_features?.includes("reasoning")` and the explicit `r1` / `thinking` / `reason` checks, treating TEE as a naming annotation that the API should report through `supported_features`.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/agents/chutes-models.ts
Line: 710-715

Comment:
**`CHUTES_DEFAULT_COST` is exported but never used**

`CHUTES_DEFAULT_COST` is exported from this file but is neither consumed within `chutes-models.ts` itself nor re-exported through `src/plugin-sdk/provider-models.ts`. The static model catalog entries each define their own explicit costs, and the dynamic discovery path builds cost objects inline (`entry.pricing?.prompt || 0`, etc.). As a result, this constant is dead code.

If it is intended as a convenience export for plugin authors, it should be added to the `provider-models.ts` SDK re-exports. Otherwise it can be removed to avoid confusion.

```suggestion
```
(Remove lines 710–715 if unused, or add `CHUTES_DEFAULT_COST` to the `src/plugin-sdk/provider-models.ts` export list if it is meant to be part of the public SDK surface.)

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 7255cb9}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7255cb9eb5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Handle unresolved Chutes OAuth choice explicitly

This function now always returns null, so applyAuthChoice has no fallback behavior when authChoice is "chutes" but the Chutes plugin is not loaded (for example, it is denylisted/disabled or failed to load). Because chutes is still exposed as a core auth choice, that selection can silently no-op and leave auth/config unchanged instead of completing OAuth or surfacing an actionable error.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid force-enabling all bundled provider plugins in compat mode

This branch now injects plugins.entries.<id>.enabled = true for every bundled provider whenever either compat flag is set, which changes semantics from allowlist/Vitest compatibility into unconditional enablement. In practice, paths that call resolvePluginProviders(..., { bundledProviderAllowlistCompat: true }) will activate bundled providers that were intentionally default-off (for example provider plugins not in BUNDLED_ENABLED_BY_DEFAULT), expanding runtime provider surface unexpectedly.

Useful? React with 👍 / 👎.