fix(configure): allow pruning stale provider models

[jbetala7]

Summary

• include same-provider configured allowlist entries that are missing from the current model catalog in provider-scoped configure picker options
• include those stale configured entries in the scoped write set, so unselecting them prunes only that provider's dead entries while preserving unrelated providers
• add a regression test covering the OpenRouter stale-model shape from configure wizard: models block is append-only — stale/delisted model entries never pruned #80347

Fixes #80347.

Real behavior proof (required for external PRs)

Behavior or issue addressed: Provider-scoped openclaw configure allowlist cleanup omitted same-provider configured model keys that disappeared from the current provider catalog, so stale delisted entries stayed in agents.defaults.models forever.

Real environment tested: Local OpenClaw checkout on branch fix/80347-configure-stale-models, running the real promptModelAllowlist and applyModelAllowlist code paths with a local config matching the OpenRouter stale-model shape from #80347. The API key in the proof config/output is a redacted test value and no provider request was sent.

Exact steps or command run after this patch: node --import tsx /private/tmp/openclaw-80347-proof.mjs

Evidence after fix: Terminal output from the command above:

picker options: openrouter/meta-llama/llama-3.3-70b:free [Llama 3.3 70B · ctx 125k · alias: llama] | openrouter/elephant-alpha [configured (not in catalog)]
initial values: openrouter/meta-llama/llama-3.3-70b:free | openrouter/elephant-alpha
operator selection: openrouter/meta-llama/llama-3.3-70b:free
selection result: {"models":["openrouter/meta-llama/llama-3.3-70b:free"],"scopeKeys":["openrouter/meta-llama/llama-3.3-70b:free","openrouter/elephant-alpha"]}
models after configure: anthropic/claude-sonnet-4-6 | openrouter/meta-llama/llama-3.3-70b:free
stale model present after configure: false

Observed result after fix: The stale same-provider key openrouter/elephant-alpha is shown in the picker as configured (not in catalog), is included in scopeKeys, and is removed after the operator leaves it unselected. The unrelated Anthropic allowlist entry remains present.

What was not tested: I did not run an interactive terminal openclaw configure session against a live OpenRouter account; the proof exercises the underlying configure picker/apply path directly with a local config and redacted credentials.

Verification

• pnpm test src/commands/model-picker.test.ts src/commands/configure.gateway-auth.prompt-auth-config.test.ts
• pnpm exec oxfmt --check --threads=1 src/flows/model-picker.ts src/commands/model-picker.test.ts CHANGELOG.md
• git diff --check
• pnpm check:changed

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 1, 2026, 4:06 PM ET / 20:06 UTC.

Summary
The branch expands provider-scoped configure model allowlist cleanup to include stale same-provider configured model keys and adds a regression test for that pruning behavior.

PR surface: Source +13, Tests +59. Total +72 across 2 files.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Yes by source inspection: current main scopes cleanup to live filtered catalog keys, so a same-provider configured key missing from the catalog is omitted from scopeKeys and survives applyModelAllowlist.

Review metrics: 1 noteworthy metric.

• Scoped config write set: 1 changed provider-scoped write set. The PR changes which agents.defaults.models keys configure may prune, so maintainers should notice the operator-visible config-write behavior before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Next step before merge

• [P2] No repair job is needed because this PR is already the focused implementation path and this review found no actionable patch defects.

Security
Cleared: The diff only changes configure model selection logic and a regression test; it does not add dependency, workflow, secret-handling, or supply-chain risk.

Review details

Best possible solution:

Land this focused configure-picker change after normal CI and maintainer review, keeping pruning limited to same-provider scopeKeys while preserving unrelated provider entries.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Yes by source inspection: current main scopes cleanup to live filtered catalog keys, so a same-provider configured key missing from the catalog is omitted from scopeKeys and survives applyModelAllowlist.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes; extending the existing picker scopeKeys is narrower than adding a new cleanup command or config option, and it reuses the existing scoped apply behavior that preserves unrelated providers.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against eb58c88598f3.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal output from the real prompt/apply code path showing the stale OpenRouter key displayed, scoped, and pruned while an unrelated Anthropic entry remains.

Label justifications:

• P2: This is a normal-priority configure bug fix with limited blast radius: stale model allowlist entries persist until the operator can prune them.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-fix terminal output from the real prompt/apply code path showing the stale OpenRouter key displayed, scoped, and pruned while an unrelated Anthropic entry remains.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal output from the real prompt/apply code path showing the stale OpenRouter key displayed, scoped, and pruned while an unrelated Anthropic entry remains.

Evidence reviewed

PR surface:

Source +13, Tests +59. Total +72 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	14	1	+13
Tests	1	59	0	+59
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	73	1	+72

What I checked:

• Repository policy read: Read the full root AGENTS.md and applied its config-compatibility, whole-path PR review, scoped-AGENTS, proof, and changelog guidance; no scoped AGENTS.md owns the touched paths. (AGENTS.md:1, eb58c88598f3)
• Current main gap: Current main builds provider-scoped scopeKeys only from filtered catalog rows, so a configured same-provider key that has disappeared from the catalog is not in the write scope and cannot be pruned by the later apply step. (src/flows/model-picker.ts:1223, eb58c88598f3)
• Patch implementation: The PR head collects visible configured keys for the preferred provider and appends them to the normalized scopeKeys alongside live catalog rows. (src/flows/model-picker.ts:1222, fe00512b9295)
• Apply path preserves unrelated providers: applyModelAllowlist deletes only keys in scopeKeys, then restores selected normalized keys, which matches the PR's same-provider pruning boundary. (src/flows/model-picker.ts:1315, fe00512b9295)
• Caller path: openclaw configure passes promptModelAllowlist scopeKeys into both fallback and allowlist apply helpers, so the picker write scope is the right boundary for this behavior. (src/commands/configure.gateway-auth.ts:275, eb58c88598f3)
• Regression coverage: The added test covers a live OpenRouter row, a stale OpenRouter configured key, and an unrelated Anthropic configured key; it expects the stale key to appear in options/scopeKeys and be removed while Anthropic remains. (src/commands/model-picker.test.ts:1428, fe00512b9295)

Likely related people:

• eleqtrizit: Authored the recent provider-scoped catalog/picker work that introduced and tested the same configure-model surfaces this PR adjusts. (role: feature-history contributor; confidence: high; commits: 6fd4aa8a2765; files: src/flows/model-picker.ts, src/commands/model-picker.test.ts, src/commands/configure.gateway-auth.ts)
• steipete: Recent commits repeatedly touched model catalog normalization, OpenAI provider identity, and model-picker tests around this surface. (role: recent area contributor; confidence: medium; commits: 49e9382cc05a, 4c33aaa86c16, b374505e7a8c; files: src/flows/model-picker.ts, src/commands/model-picker.test.ts)
• obviyus: Authored an earlier configure provider-scope preservation commit in the caller path that feeds the allowlist picker. (role: adjacent configure-scope contributor; confidence: medium; commits: 17d05269f970; files: src/commands/configure.gateway-auth.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Mossy Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location CI tidepool; accessory commit compass; palette plum, gold, and soft gray; mood calm; pose leaning over a miniature review desk; shell polished stone shell; lighting soft studio lighting; background small review tokens.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Crabkin in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[jbetala7]

Rebased onto current main (fe00512b92) to clear the merge conflict.

Two conflicts came from main refactors, both resolved without changing this PR's behavior:

• src/flows/model-picker.ts: main now declares the provider hasAuth checker earlier in promptModelAllowlist and replaced the standalone isModelPickerVisibleModelRef usage with the function-local, config/env-aware isVisibleModelRef predicate. I dropped the duplicate hasAuth declaration and switched scopedConfiguredKeys to the local isVisibleModelRef, matching how initialKeys/supplementalKeys already filter in this function.
• src/commands/model-picker.test.ts: NormalizedModelCatalogRow now imports from @openclaw/model-catalog-core/model-catalog-types on main; I dropped the stale duplicate import and kept the WizardMultiSelectParams/WizardPrompter import the new test uses.

Verified on the rebased head:

• node scripts/run-vitest.mjs src/commands/model-picker.test.ts -> 63 passed
• node scripts/run-oxlint.mjs src/flows/model-picker.ts src/commands/model-picker.test.ts -> clean
• pnpm tsgo:core and pnpm check:test-types (core) -> clean

[steipete]

Thanks for the PR. I landed the current-source version of this fix in #89347 / commit 732d697, with exact-head CI and focused provider/model proof recorded there.

Closing this as superseded by the merged maintainer batch.