fix: The one-line picker change hides unauthenticated catalog rows in

[clawsweeper]

Summary

The one-line picker change hides unauthenticated catalog rows in promptDefaultModel / promptModelAllowlist, but it leaves the issue’s named /models and Web chat dropdown paths on the existing full-catalog behavior. It also makes the picker auth predicate stricter than runtime auth, hiding valid keyless/AWS-SDK providers.

What ClawSweeper Is Fixing

• Medium: Web chat and /models still use the full catalog path (bug)
  • File: src/gateway/server-methods/models.ts:52
  • Evidence: The issue fixed by this commit names /models and the Web chat dropdown. Web chat requests models.list with { view: "configured" } in ui/src/ui/controllers/models.ts:13, then renders every returned catalog entry in ui/src/ui/chat-model-select-state.ts:71. The Gateway handler still falls back to allowed.allowedCatalog or catalog, and buildAllowedModelSetWithFallbacks returns the full catalog when agents.defaults.models is empty at src/agents/model-selection-shared.ts:586. Text /models separately loads the full catalog in src/auto-reply/reply/commands-models.ts:72 and adds every allowed.allowedCatalog row.
  • Impact: The user-reported 900+ unauthenticated model list remains for the primary reported surfaces unless the user also has explicit configured provider models or an allowlist. The commit can close [Bug]: /models and Web chat model dropdown show full catalog (900+ models) instead of only configured providers #74423 without fixing the bug it claims to fix.
  • Suggested fix: Move the “default-visible models” policy into a shared helper used by Gateway models.list, Web chat, text /models, and the interactive picker. Keep a separate explicit all path for full-catalog discovery.
  • Confidence: high
• Medium: Picker now hides runtime-valid auth modes (regression)
  • File: src/flows/model-picker.ts:297
  • Evidence: The new early return depends on hasAuthForProvider, which only checks auth profiles, env API keys, and usable custom API keys at src/flows/model-picker.ts:76. Runtime’s broader auth availability helper accepts additional valid cases: auth: "aws-sdk", synthetic local provider auth, and implicit amazon-bedrock AWS SDK auth at src/agents/model-auth.ts:717. Bedrock docs explicitly say no apiKey is required when configured with auth: "aws-sdk".
  • Impact: Valid Bedrock and local keyless providers can disappear from model selection and allowlist prompts even though runtime can call them. That is a direct behavior regression from changing “auth missing” from a hint into a hard filter.
  • Suggested fix: Reuse or align with hasAvailableAuthForProvider, including AWS SDK and synthetic local auth semantics, and add targeted tests for amazon-bedrock and local no-key custom providers.
  • Confidence: high
• Medium: Focused model-picker test suite is red (reliability)
  • File: src/commands/model-picker.test.ts:162
  • Evidence: After installing missing dependencies, pnpm test src/commands/model-picker.test.ts fails 15 of 41 tests. Failures show catalog options becoming empty or missing after the new early return, including default model picker, allowlist, static manifest rows, configured provider rows, and router filtering cases.
  • Impact: The commit leaves the focused test gate failing on the touched surface, so CI or changed-lane validation should reject it.
  • Suggested fix: Update the implementation and tests together: mock configured auth where tests expect selectable providers, add explicit unauthenticated-hidden coverage, and keep valid runtime-auth providers visible.
  • Confidence: high

Expected Repair Surface

• src/gateway/server-methods/models.ts
• src/flows/model-picker.ts
• src/commands/model-picker.test.ts

Source And Review Context

• ClawSweeper report: https://github.com/openclaw/clawsweeper/blob/main/records/openclaw-openclaw/commits/2bb16f771bb192a150bb7ca2e9a82db461b07ac6.md

• Commit under review: 2bb16f7

• Latest main at intake: 2a7d83b

• Original commit author: jindongfu

• GitHub author: @SymbolStar

• Highest severity: medium

• Review confidence: high

• Diff: e3af6fb3c884336d5cd4a15aec4e0dfe3e267b5c..2bb16f771bb192a150bb7ca2e9a82db461b07ac6

• Changed files: src/flows/model-picker.ts

• Code read: full changed file, auth resolution helpers, Gateway model listing, Web chat model loading/rendering, text /models command, model allowlist resolution, related tests/docs.

• Issue context: gh issue view 74423 --repo openclaw/openclaw

Expected validation

• pnpm check:changed

ClawSweeper already ran:

• pnpm docs:list succeeded.
• pnpm test src/commands/model-picker.test.ts failed initially because node_modules was missing.
• pnpm install succeeded.
• pnpm test src/commands/model-picker.test.ts failed: 15 failed, 26 passed.
• pnpm test src/gateway/server.models-voicewake-misc.test.ts src/auto-reply/reply/commands-models.test.ts ui/src/ui/controllers/models.test.ts ui/src/ui/chat-model-select-state.test.ts passed, but those tests still encode the unfixed Gateway/UI/chat-command behavior.
• git diff --check e3af6fb3c884336d5cd4a15aec4e0dfe3e267b5c..2bb16f771bb192a150bb7ca2e9a82db461b07ac6 passed.

Known review limits:

• I did not run the full changed gate. The focused model-picker suite already fails, and the other focused surface tests passed with existing behavior.

ClawSweeper Guardrails

• Re-check the finding against latest main before changing code.
• Keep the patch to the narrowest behavior change and matching regression coverage.
• Do not merge automatically; this PR stays for maintainer review.

ClawSweeper 🐠 replacement reef notes:

• Cluster: clawsweeper-commit-openclaw-openclaw-2bb16f771bb1
• Source PRs: none
• Credit: Detected by ClawSweeper commit review for 2bb16f7.; Original commit author: jindongfu.
• Validation: pnpm check:changed

fish notes: model gpt-5.5, reasoning medium; reviewed against 23fa618.

[clawsweeper]

Codex review: needs maintainer review before merge.

What this changes:

The PR adds a synchronous runtime auth availability helper, routes model-provider visibility through it, and adds regression coverage for implicit Bedrock AWS SDK auth and local no-key custom providers in model picker and allowlist flows.

Maintainer follow-up before merge:

This is already an open implementation PR with a plausible narrow fix; the remaining action is maintainer review, rebase/merge judgment, and validation rather than a separate automated repair branch.

Security review:

Security review cleared: The diff changes local model-auth availability logic and tests only; it does not touch dependencies, CI, package metadata, downloads, release scripts, or secret material storage.

Review details

Best possible solution:

Land a narrow fix that makes provider visibility reuse runtime-valid auth semantics for Bedrock AWS SDK and synthetic local providers, while keeping current main’s shared configured/auth-available catalog policy and explicit full-catalog browse paths intact.

Acceptance criteria:

• pnpm test src/commands/model-picker.test.ts src/agents/model-provider-auth.test.ts
• pnpm test src/gateway/server.models-voicewake-misc.test.ts src/auto-reply/reply/commands-models.test.ts ui/src/ui/controllers/models.test.ts ui/src/ui/chat-model-select-state.test.ts
• pnpm check:changed

What I checked:

• Current main still has narrower provider visibility auth: hasAuthForModelProvider on current main only accepts auth profiles, env API keys, and usable custom provider API keys; it does not accept auth: "aws-sdk", synthetic local provider auth, or implicit amazon-bedrock auth. (src/agents/model-provider-auth.ts:23, f05b78973600)
• Runtime auth already accepts the missing modes: The runtime helper accepts auth: "aws-sdk", env credentials, custom provider keys, synthetic local auth, and implicit amazon-bedrock AWS SDK auth before checking profile order. (src/agents/model-auth.ts:737, f05b78973600)
• Local no-key provider semantics exist in current runtime code: hasSyntheticLocalProviderAuthConfig treats local custom provider configs without explicit API keys as runtime-auth-available, which the current model-provider visibility checker does not mirror. (src/agents/model-auth.ts:280, f05b78973600)
• Shared catalog policy is already on current main: Current main uses resolveVisibleModelCatalog to combine allowlists, configured provider models, and auth-backed catalog rows, reserving view: "all" for full catalog discovery. (src/agents/model-catalog-visibility.ts:28, f05b78973600)
• Gateway and text /models use the shared catalog helper: models.list calls resolveVisibleModelCatalog, and /models builds provider data from that same helper, so the older picker-only concern has been superseded by current main behavior. (src/gateway/server-methods/models.ts:38, f05b78973600)
• PR diff aligns checker with runtime auth cases: The PR adds hasRuntimeAvailableProviderAuth, calls it from hasAuthForModelProvider, and adds tests for Bedrock AWS SDK and local no-key custom providers. (src/agents/model-auth.ts:304, 23fa6187afd5)

Likely related people:

• steipete: Auth-backed visible catalog behavior and the shared Gateway/Web /models policy appear tied to commit 8a06db0, and that commit also closed the original report this PR builds on. (role: recent maintainer; confidence: high; commits: 8a06db084d8a, 2bb16f771bb1; files: src/agents/model-catalog-visibility.ts, src/agents/model-provider-auth.ts, src/gateway/server-methods/models.ts)
• SymbolStar: The picker hard-filter change that made missing auth a row-hiding condition was authored in commit 2bb16f7, which this PR is explicitly repairing. (role: introduced behavior under repair; confidence: medium; commits: 2bb16f771bb1; files: src/flows/model-picker.ts)
• shakkernerd: Commit 87bd12b introduced the synthetic local provider auth helper that the PR mirrors for visibility decisions. (role: adjacent auth maintainer; confidence: medium; commits: 87bd12b2d39d; files: src/agents/model-auth.ts, src/commands/models/list.auth-index.ts)

Remaining risk / open question:

• Targeted tests were not rerun in this read-only review; the PR still needs focused validation before merge.
• The PR head predates the current main SHA, so maintainer review should confirm it rebases cleanly while preserving the shared visible-catalog policy already on main.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f05b78973600.