Fix Claude CLI runtime migration for gateway turns

[amknight]

Summary

Fixes #82344 by moving the Claude CLI auth migration onto the runtime-selection contract the gateway actually uses.

The regression was that the Anthropic Claude CLI migration wrote agents.defaults.agentRuntime.id = "claude-cli", but current runtime selection intentionally ignores that legacy whole-agent field. Gateway-mediated turns from Telegram and Dashboard could therefore resolve an Anthropic model without a model/provider-scoped runtime policy and fall through to Anthropic API billing, while direct Claude CLI use still worked.

This PR:

• writes agentRuntime: { id: "claude-cli" } onto migrated canonical Anthropic model entries during Claude CLI auth migration;
• backfills the same model-scoped policy through Anthropic config defaults for already-upgraded configs;
• preserves explicit non-auto model runtime policies;
• updates the gateway CLI backend live smoke config to exercise model-scoped runtime selection;
• adds regression coverage and a changelog entry.

Reproduction

I reproduced the issue on Blacksmith before the fix with a source-level migration/resolver harness. The migrated config had the legacy default runtime, but the canonical model entry lacked agentRuntime, so resolveModelRuntimePolicy({ provider: "anthropic", modelId: "claude-opus-4-7" }) returned no runtime.

Pre-fix Testbox: tbx_01krr54ntaqd1hxqsad1ygmw82

Observed pre-fix output shape:

{
  "migratedEntry": { "alias": "Opus" },
  "defaultRuntime": { "id": "claude-cli" }
}

The assertion expected claude-cli but failed because the gateway resolver ignored the legacy whole-agent runtime.

Verification

Behavior addressed: upgraded Claude CLI auth configs keep Telegram and Dashboard gateway turns on the local Claude CLI runtime instead of falling through to Anthropic API billing.

Real environment tested: Blacksmith Testbox Linux, post-rebase branch content, tbx_01krr7e0pqfbw4az114zcwyg0s, GitHub Actions run https://github.com/openclaw/openclaw/actions/runs/25960349269.

Exact steps or command run after this patch: Blacksmith command ran a migration/resolver assertion, then pnpm check:changed, then pnpm test extensions/anthropic/cli-migration.test.ts extensions/anthropic/index.test.ts src/agents/command/attempt-execution.cli.test.ts src/commands/models/auth.test.ts.

Evidence after fix:

{
  "migratedEntry": {
    "alias": "Opus",
    "agentRuntime": { "id": "claude-cli" }
  },
  "defaultRuntime": { "id": "claude-cli" },
  "resolved": "claude-cli",
  "source": "model"
}

Observed result after fix: pnpm check:changed passed, focused tests passed across 3 Vitest shards, and the Blacksmith run exited 0.

What was not tested: live Claude account billing/auth was not exercised; the proof validates the config migration/defaulting path and the gateway runtime resolver contract that selects the CLI backend before any provider billing path.

I also attempted the default AWS Crabbox route during investigation. The raw AWS lease lacked Node, and Actions hydration was blocked by GitHub runner-registration permissions (403); a manually prepared AWS lease reproduced the resolver result but later lost SSH on the configured port, so final proof uses Blacksmith Testbox as requested.

[clawsweeper]

Codex review: passed.

Summary
The PR adds model-scoped claude-cli runtime policy to Anthropic CLI migration/default backfill, updates the gateway CLI live-smoke config, tests, and changelog.

Reproducibility: yes. source inspection gives a high-confidence reproduction path: current main writes claude-cli only to legacy whole-agent runtime metadata, while gateway runtime selection requires model/provider-scoped runtime policy. I did not run a live Telegram/Dashboard repro in this read-only review.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this protected MEMBER PR; the body nevertheless includes Blacksmith/Testbox after-fix resolver output and focused verification details.

Next step before merge
No repair job is needed: the automerge path can continue through exact-head rebase, mergeability, and check gates, and this review found no actionable code defect.

Security
Cleared: The diff changes config migration/defaulting, tests, a live-smoke config, and changelog without adding dependencies, workflows, lifecycle scripts, secret exposure, or broader permissions.

Review details

Best possible solution:

Land this patch or an equivalent model-scoped runtime migration after exact-head gates, while keeping legacy whole-agent runtime ignored.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence reproduction path: current main writes claude-cli only to legacy whole-agent runtime metadata, while gateway runtime selection requires model/provider-scoped runtime policy. I did not run a live Telegram/Dashboard repro in this read-only review.

Is this the best way to solve the issue?

Yes. The patch fixes the narrow contract mismatch by writing model-scoped claude-cli policy where the resolver and docs already expect it; re-enabling legacy whole-agent runtime selection would be broader and contrary to current tests/docs.

What I checked:

• Protected live PR state: The PR is open, ready for review, authored by amknight, labeled maintainer and clawsweeper:automerge, and its head is 62cf54484ff7d5dcee8774033dfcb188573fb77a; cleanup should not close it before the opted-in merge flow finishes. (62cf54484ff7)
• Current main migration gap: On current main, Claude CLI auth migration seeds canonical Anthropic model entries with plain objects and writes agentRuntime only at agents.defaults, leaving model entries without a resolver-visible runtime policy. (extensions/anthropic/cli-migration.ts:190, 9b560b8a41f4)
• Current main default backfill gap: The OAuth/Claude CLI config defaulting path currently backfills default allowlist entries as {} instead of adding agentRuntime: { id: "claude-cli" }. (extensions/anthropic/config-defaults.ts:290, 9b560b8a41f4)
• Runtime policy contract: The active resolver checks exact model entries, provider catalog model entries, provider wildcards, and provider-wide runtime policy; it does not read legacy whole-agent agents.defaults.agentRuntime. (src/agents/model-runtime-policy.ts:176, 9b560b8a41f4)
• Documented runtime contract: The public gateway config docs say whole-agent runtime keys are ignored and Claude CLI deployments should use canonical Anthropic model refs plus model-scoped agentRuntime.id: "claude-cli". Public docs: docs/gateway/config-agents.md. (docs/gateway/config-agents.md:477, 9b560b8a41f4)
• Patch implementation: The PR head changes allowlist seeding/default backfill to write agentRuntime: { id: "claude-cli" } onto canonical Anthropic model entries while preserving explicit non-auto model runtime policies. (extensions/anthropic/cli-migration.ts:132, 62cf54484ff7)

Likely related people:

• steipete: Recent commits define effective runtime choice behavior and model-runtime-policy handling that this PR relies on. (role: adjacent runtime-policy contributor; confidence: high; commits: 6171b4254d41, 638bfc0bf576; files: src/agents/model-runtime-policy.ts, src/agents/model-runtime-policy.test.ts, src/agents/harness/selection.test.ts)
• vincentkoc: History for the Anthropic CLI migration/defaulting area includes Claude CLI model-switch seeding and the current checkout attributes the central migration/defaulting lines to recent work by this contributor. (role: Anthropic CLI migration contributor; confidence: medium; commits: 9efc03343477, 2bcb0abbb8f4, aa27e27f3606; files: extensions/anthropic/cli-migration.ts, extensions/anthropic/config-defaults.ts, extensions/anthropic/index.test.ts)
• pashpashpash: Commit 02fe0d8978db scoped runtime policy to providers/models and moved stale whole-agent runtime pins toward doctor/compat handling, which is the contract boundary behind this fix. (role: runtime-policy scope contributor; confidence: medium; commits: 02fe0d8978db; files: src/agents/model-runtime-policy.ts, src/agents/harness/selection.test.ts, docs/gateway/config-agents.md)
• neeravmakwana: Prior provider-auth changes touched the Anthropic CLI migration and config-patch merge semantics that determine how model allowlists survive auth login. (role: provider-auth migration contributor; confidence: medium; commits: 14d1c9c4f00a, ad27e0069db0; files: extensions/anthropic/cli-migration.ts, extensions/anthropic/register.runtime.ts, src/commands/models/auth.ts)

Remaining risk / open question:

• The PR head is behind current main, so exact-head rebase/mergeability gates still need to run before landing.
• The PR body does not exercise a live Claude account billing/auth flow; the proof covers the migration/defaulting path and runtime resolver contract before billing would occur.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9b560b8a41f4.

[amknight]

/clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=62cf54484ff7d5dcee8774033dfcb188573fb77a)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-16T11:54:49Z
Merge commit: c438dadc5c65

What merged:

• The PR adds model-scoped claude-cli runtime policy to Anthropic CLI migration/default backfill, updates the gateway CLI live-smoke config, tests, and changelog.
• Reproducibility: yes. source inspection gives a high-confidence reproduction path: current main writes `clau ... del/provider-scoped runtime policy. I did not run a live Telegram/Dashboard repro in this read-only review.

Automerge notes:

• No ClawSweeper repair was needed after automerge opt-in.

The automerge loop is complete.

Automerge progress:

• 2026-05-16 11:45:54 UTC review queued 62cf54484ff7 (queued)

• 2026-05-16 11:54:36 UTC review passed 62cf54484ff7 (structured ClawSweeper verdict: pass (sha=62cf54484ff7d5dcee8774033dfcb188573fb...)

• 2026-05-16 11:54:51 UTC merged 62cf54484ff7 (merged by ClawSweeper automerge)