fix(lmstudio): resolve env-template API keys

[MonkeyLeeT]

Summary

• Resolve LM Studio configured apiKey strings through the standard SecretInput path before falling back to known env-marker handling.
• Fix arbitrary env-template keys like ${LMSTUDIO_API_KEY} being treated as literal API keys.
• Preserve higher-precedence auth when an optional configured apiKey env template is unset, including headers.Authorization and resolved discovery/profile auth.
• Add LM Studio runtime and discovery regressions for custom env-template API keys, unresolved-template errors, header-auth precedence, and discovery-key precedence.

Refs #80495. This addresses the auth-resolution portion only; native /api/v1/chat inference fallback remains separate provider/API scope.

Reported Repro

• [Bug]: LM Studio Provider Fails: Environment Variable Expansion + API Endpoint Mismatch #80495 reports an LM Studio config using an env-backed API key where OpenClaw sent the env var marker/name as the bearer token instead of the resolved value.
• Source inspection matched that report: arbitrary ${ENV} apiKey templates did not go through the generic SecretInput resolution path unless the env var name was a registered provider marker.

After-Fix Proof

• pnpm test extensions/lmstudio/src/runtime.test.ts extensions/lmstudio/src/setup.test.ts -- --reporter=verbose passed: 2 files, 53 tests.
• The focused regressions prove ${LMSTUDIO_API_KEY} resolves to the configured env value before auth header construction.
• The regressions prove unresolved ${LMSTUDIO_API_KEY} still reports a path-specific error when no other auth satisfies the provider.
• The regressions prove headers.Authorization continues to satisfy auth when ${LMSTUDIO_API_KEY} is unset, covering both runtime auth and discovery/setup behavior.
• The regressions prove a resolved discoveryApiKey continues to take precedence over a stale unset configured apiKey template during provider discovery.

No live LM Studio server verification was run for this branch.

Verification

• pnpm test extensions/lmstudio/src/runtime.test.ts extensions/lmstudio/src/setup.test.ts -- --reporter=verbose
• pnpm tsgo:extensions
• pnpm tsgo:test:extensions
• pnpm format:check -- extensions/lmstudio/src/setup.ts extensions/lmstudio/src/setup.test.ts extensions/lmstudio/src/runtime.ts extensions/lmstudio/src/runtime.test.ts CHANGELOG.md
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/lmstudio/src/setup.ts extensions/lmstudio/src/setup.test.ts extensions/lmstudio/src/runtime.ts extensions/lmstudio/src/runtime.test.ts
• git diff --check

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8bf224d209

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR resolves LM Studio configured apiKey strings through SecretInput/env-template resolution, preserves header/discovery auth precedence when templates are unset, adds runtime/setup regressions, and updates the changelog.

Reproducibility: yes. at source level: current main returns arbitrary LM Studio $ENV/${ENV} string templates as literal configured keys unless they match a known marker. I did not establish a live LM Studio server reproduction in this read-only review.

PR rating
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Summary: The patch is focused and regression-tested, but missing real behavior proof keeps overall readiness below the merge gate.

Rank-up moves:

• Add redacted real LM Studio request proof for an env-template API key, or get an explicit maintainer proof override recorded.
• Clarify the changelog wording if the linked endpoint fallback remains open.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature, rarity, or ASCII portrait is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

Real behavior proof
Needs real behavior proof before merge: Missing: the PR body lists tests and explicitly says no live LM Studio server verification was run; add redacted terminal output, logs, screenshot, recording, or linked artifact proof and update the PR body for automatic re-review, or have a maintainer record an explicit proof override.

Risk before merge
Why this matters: - The PR body explicitly says no live LM Studio server verification was run; a reviewer accepts tests as sufficient for this client-side change, but the automated real-behavior-proof gate still has no redacted runtime artifact or explicit override marker.

• The patch intentionally changes LM Studio direct-string auth semantics for exact SecretInput shorthands such as $ENV and ${ENV}, so unusual literal API keys in that shape would no longer be sent literally.
• The linked LM Studio report also includes native endpoint fallback; the changelog should avoid implying that the endpoint portion is fixed unless maintainers intend to close that whole report when this lands.

Maintainer options:

1. Require real LM Studio auth proof (recommended)
   Keep the PR unmerged until redacted terminal output, logs, screenshot, recording, or linked artifact shows a real LM Studio request using an env-template API key.
2. Accept maintainer-owned proof override
   A maintainer can intentionally merge on the source-level fix and targeted tests if they own the proof gap for this pure client-side auth resolution change.
3. Scope the release note to auth only
   Before landing, change the changelog to reference the linked LM Studio report or explicitly say this fixes only the env-template auth portion if the endpoint fallback remains open.

Next step before merge
Remaining action is maintainer judgment on the proof gate and release-note scope; automation cannot supply contributor-side real LM Studio proof.

Security
Cleared: No concrete security or supply-chain regression was found; the diff stays within provider-local auth resolution, focused tests, and changelog text.

Review findings

• [P3] Clarify the linked issue scope in the changelog — CHANGELOG.md:53

Review details

Best possible solution:

Land the provider-local SecretInput auth fix after redacted real-request proof or an explicit maintainer proof override, while keeping the native endpoint fallback tracked separately and scoping release notes to auth resolution.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main returns arbitrary LM Studio $ENV/${ENV} string templates as literal configured keys unless they match a known marker. I did not establish a live LM Studio server reproduction in this read-only review.

Is this the best way to solve the issue?

Yes, mostly: resolving configured LM Studio apiKey strings through the standard SecretInput path is the narrow provider-owned fix, and the branch preserves header/discovery precedence. The release-note wording should stay scoped to the auth portion because the endpoint fallback remains separate.

Label justifications:

• P2: This is a normal-priority LM Studio provider auth bug fix with limited blast radius but real user impact for env-backed local inference setups.
• merge-risk: 🚨 compatibility: Merging changes exact SecretInput-shaped apiKey strings from literal bearer tokens into env-template resolution or unresolved-template errors.
• merge-risk: 🚨 auth-provider: The diff changes LM Studio API-key, header-auth, and discovery-key precedence in provider runtime/setup paths.

Full review comments:

• [P3] Clarify the linked issue scope in the changelog — CHANGELOG.md:53
  The PR body says this only addresses LM Studio auth resolution and leaves the native endpoint fallback from [Bug]: LM Studio Provider Fails: Environment Variable Expansion + API Endpoint Mismatch #80495 separate, but this changelog line says the linked report is fixed. That would overstate release scope unless maintainers intend to close the endpoint half too; use Refs or explicitly say it fixes only the env-template auth portion.
  Confidence: 0.88

Overall correctness: patch is correct
Overall confidence: 0.86

What I checked:

• Current-main bug path: On current main, resolveLmstudioConfiguredApiKey handles direct string apiKey values before the generic SecretInput resolver and returns non-marker strings literally, so arbitrary $ENV or ${ENV} templates can become bearer tokens instead of env values. (extensions/lmstudio/src/runtime.ts:84, 4af590a5f88e)
• SecretInput contract: The shared SecretInput parser recognizes exact $ENV and ${ENV} shorthands, and the public secrets docs list those forms for SecretInput fields. (src/config/types.secrets.ts:70, 4af590a5f88e)
• PR auth fix: The PR head resolves direct string LM Studio apiKey values through resolveConfiguredSecretInputString, preserves known marker handling, and allows unresolved templates only when a higher-precedence auth path is present. (extensions/lmstudio/src/runtime.ts:89, 03224c8c2734)
• PR discovery precedence: The PR head resolves LM Studio headers first, then lets unresolved configured API-key templates defer to Authorization header auth or an already resolved discovery key. (extensions/lmstudio/src/setup.ts:763, 03224c8c2734)
• Regression coverage added: The PR adds focused runtime/setup tests for unresolved env-template plus header auth and discovery-key precedence cases. (extensions/lmstudio/src/runtime.test.ts:143, 03224c8c2734)
• Maintainer review context: A reviewer noted that the missing live LM Studio request proof is acceptable from their perspective because the change is pure client-side string resolution and the targeted tests cover the relevant paths; that is useful maintainer context, but the PR still has no posted real setup artifact or explicit proof: override marker.

Likely related people:

• Peter Steinberger: Available local blame attributes the current LM Studio auth and discovery functions to commit d1fa0f9, so he is a routing candidate for current-main behavior history, with limited confidence from the local history depth. (role: current-main provenance candidate; confidence: low; commits: d1fa0f96287a; files: extensions/lmstudio/src/runtime.ts, extensions/lmstudio/src/setup.ts)
• hxy91819: They were requested for review, provided the current maintainer review context on proof/compatibility, and authored the final changelog commits on this PR branch. (role: reviewer and adjacent PR owner; confidence: medium; commits: 7ffb42c73657, 03224c8c2734; files: CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4af590a5f88e.

[MonkeyLeeT]

Codex review: needs real behavior proof before merge.

Summary Review failed before ClawSweeper could summarize the requested change.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Real behavior proof Not applicable: Real behavior proof was not assessed because the Codex review failed.

Next step before merge Review did not complete, so no work-lane recommendation was made.

Review details

Thanks, this is addressed in fcd53a7b46.

The functional regression is fixed by preserving header-only auth when an optional configured apiKey env template is unresolved. Runtime auth now allows unresolved configured API-key templates only when headers.Authorization is already configured, and discovery/setup now resolves headers before deciding whether an unresolved configured API key is fatal.

Added regressions for:

• ${LMSTUDIO_API_KEY} resolving through SecretInput
• unresolved ${LMSTUDIO_API_KEY} still erroring when no alternate auth is present
• headers.Authorization satisfying auth when ${LMSTUDIO_API_KEY} is unset, in both runtime auth and discovery/setup

PR body now separates reporter repro from after-fix proof. No live LM Studio server verification was run for this branch.

[MonkeyLeeT]

@hxy91819 Mind taking a look?

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 96adad8216

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[hxy91819]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26039396984
• Updated: 2026-05-18T14:27:51.110Z

[hxy91819]

Merged via squash.

• Prepared head SHA: 03224c8c2734f4e69ff6dd7815f76f3db395a62b
• Merge commit: fffb8c9e2c46216854a6955290080e0fd92e86db

Thanks @MonkeyLeeT!