fix: model ref normalization, Vertex transport routing, symlink workspace dirs

[cropsgg]

Summary

Fixes three unrelated bugs (Closes #84887, #84804, #84696):

• Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887 — Plugin runtime LLM allowlist diagnostics use modelKey() so provider-qualified refs are not double-prefixed in policy errors (e.g. stays openrouter/gpt-5.4-mini, not openrouter/openrouter/...). Scoped to runtime/gateway allowlist paths only; does not change NVIDIA preserveLiteralProviderPrefix display (nvidia/nvidia/... in model picker).
• [Bug]: google-vertex provider returns 404 from Google when models are accessed via openclaw agent, but direct curl with same URL + ADC token works #84804 — google-vertex models route to Vertex transport when provider, api, or parsed hostname matches the manifest Vertex endpoint contract (aiplatform.googleapis.com or {region}-aiplatform.googleapis.com), not raw URL substring matching.
• [Bug]: write tool intermittently fails to follow symlinks — "directory component must be a directory" #84696 — ensureAbsoluteDirectory uses fs.stat so symlinked workspace directories are accepted.

Motivation

• Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887: allowlist denial messages were misleading when modelId already contained a provider segment.
• [Bug]: google-vertex provider returns 404 from Google when models are accessed via openclaw agent, but direct curl with same URL + ADC token works #84804: Vertex models with google-generative-ai API could hit Generative AI transport and 404.
• [Bug]: write tool intermittently fails to follow symlinks — "directory component must be a directory" #84696: write tool failed when workspace memory was a symlink to a real directory.

Change Type

• Bug fix

Scope

• Gateway / orchestration
• Integrations

Linked Issue/PR

• Closes Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887
• Closes [Bug]: google-vertex provider returns 404 from Google when models are accessed via openclaw agent, but direct curl with same URL + ADC token works #84804
• Closes [Bug]: write tool intermittently fails to follow symlinks — "directory component must be a directory" #84696

Real behavior proof

Behavior or issue addressed: Runtime LLM allowlist diagnostics double-prefix (#84887); Google Vertex transport mis-routing (#84804); write tool rejecting symlinked workspace dirs (#84696).

Real environment tested: macOS arm64, local checkout cropsgg/openclaw branch fix/model-ref-vertex-fs-symlink, Node 22, repo dev dependencies installed.

Exact steps or command run after this patch:

openclaw doctor --non-interactive 2>&1 | head -5 || true
cd /Users/crops/Projects/openclaw
node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix'
node scripts/run-vitest.mjs extensions/google/provider-registration.test.ts
node scripts/run-vitest.mjs src/infra/fs-safe.ensure-absolute-directory.test.ts
node scripts/run-vitest.mjs src/plugins/runtime/runtime-llm.runtime.test.ts -t 'double-prefix'

Evidence after fix (terminal transcript):

$ node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix'
 Test Files  1 passed (1)
      Tests  2 passed | 48 skipped (50)

$ node scripts/run-vitest.mjs extensions/google/provider-registration.test.ts
 Test Files  1 passed (1)
      Tests  7 passed (7)

$ node scripts/run-vitest.mjs src/infra/fs-safe.ensure-absolute-directory.test.ts
 Test Files  1 passed (1)
      Tests  1 passed (1)

$ node scripts/run-vitest.mjs src/plugins/runtime/runtime-llm.runtime.test.ts -t 'double-prefix'
 Test Files  1 passed (1)
      Tests  1 passed | 23 skipped (24)

Observed result after fix: Literal-prefix picker labels still show nvidia/nvidia/... as intended; Vertex proxy/lookalike base URLs are not classified as Vertex; symlinked dirs return { ok: true }; allowlist denial uses openrouter/gpt-5.5 not openrouter/openrouter/....

What was not tested: Live gateway run with production Vertex ADC/API keys or full Lossless plugin overflow recovery end-to-end.

Before evidence (optional): Issue reports and ClawSweeper review on prior head documented failing picker expectation when formatLiteralProviderPrefixedModelRef was changed; reverted in ac960cb7.

Root Cause

• Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887: Runtime policy built refs with `${provider}/${model}` after normalizeModelRef, duplicating an already-qualified modelId.
• [Bug]: google-vertex provider returns 404 from Google when models are accessed via openclaw agent, but direct curl with same URL + ADC token works #84804: createStreamFn preferred google-generative-ai branch and gated Vertex on ADC preflight.
• [Bug]: write tool intermittently fails to follow symlinks — "directory component must be a directory" #84696: ensureAbsoluteDirectory used lstat and rejected symlinks to directories.

Regression Test Plan

• Unit test
• Target tests: runtime-llm.runtime.test.ts, provider-registration.test.ts, fs-safe.ensure-absolute-directory.test.ts, model-picker.test.ts (literal-prefix)
• Scenario: Allowlist diagnostic canonical ref; Vertex host parsing negatives; symlink dir; NVIDIA display unchanged

User-visible / Behavior Changes

• Clearer plugin LLM allowlist error messages.
• Vertex-configured models route to Vertex transport without ADC preflight gate.
• Write tool works when workspace path is a symlink to a directory.
• NVIDIA model picker "Keep current" label unchanged (nvidia/nvidia/...).

Test plan

• node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix'
• node scripts/run-vitest.mjs extensions/google/provider-registration.test.ts
• node scripts/run-vitest.mjs src/infra/fs-safe.ensure-absolute-directory.test.ts
• node scripts/run-vitest.mjs src/plugins/runtime/runtime-llm.runtime.test.ts -t 'double-prefix'

@clawsweeper re-review

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch switches runtime/gateway allowlist model-ref formatting to modelKey(), changes Google provider Vertex transport detection, and accepts symlinked absolute directories with focused regression tests.

Reproducibility: yes. The linked bugs are source-reproducible on current main from the ad hoc model-ref concatenation, Google stream selection order, and ensureAbsoluteDirectory symlink rejection; I did not run tests because this review is constrained to read-only inspection.

PR rating
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Summary: The PR has useful source-plausible pieces, but a blocking Vertex compatibility regression and mock-only proof keep it below merge-ready quality.

Rank-up moves:

• Fix the Vertex predicate so explicit api: "openai-completions" google-vertex endpoint configs remain on the OpenAI-compatible transport.
• Add a regression test for a google-vertex /endpoints/openapi config so the existing compatibility contract cannot be broken again.
• Add redacted real behavior proof for the Vertex route and symlink write path; terminal output, logs, recordings, or linked artifacts are acceptable.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: The PR body supplies focused unit-test terminal output only, not redacted real Vertex/gateway logs or an OpenClaw write-tool run; after adding proof with private details redacted, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• The PR can reroute existing google-vertex configurations that explicitly use api: "openai-completions" and a Vertex /endpoints/openapi baseUrl into the native Vertex transport, changing URL shape and auth handling during upgrade.
• Contributor proof is still focused test output; no live or runtime OpenClaw proof demonstrates the post-fix Vertex route or a write-tool path through a symlinked workspace directory.
• The model-ref change overlaps narrower open PRs at fix(plugins): dedupe provider-prefixed model refs in runtime LLM allowlist policy #84940 and fix #84887: avoid duplicate provider prefix in runtime LLM allowlist diagnostics #84946, though this PR still has unique Vertex and fs-safe work.

Maintainer options:

1. Preserve OpenAI-Compatible Vertex Routes (recommended)
   Change the Vertex transport predicate so api: "openai-completions" google-vertex configs fall through to the generic OpenAI-compatible transport, and add regression coverage for the existing /endpoints/openapi contract.
2. Require Real Vertex And Symlink Proof
   Before merge, require redacted terminal output, logs, or a recording showing a real google-vertex request on the intended route and an OpenClaw write through a symlinked workspace directory.
3. Split If Verification Stalls
   If Vertex proof or compatibility repair takes longer, maintainers can land the narrower model-ref or fs-safe work separately and keep native Vertex routing in a dedicated follow-up.

Next step before merge
Human review remains appropriate because the external PR has a concrete P1 route-compatibility defect and still needs contributor-owned real behavior proof before merge.

Security
Cleared: No supply-chain or secret-handling regression was found; the Google auth-route concern is tracked as a functional compatibility blocker.

Review findings

• [P1] Preserve OpenAI-compatible google-vertex routes — extensions/google/provider-registration.ts:58-60

Review details

Best possible solution:

Preserve explicit OpenAI-compatible google-vertex configs, keep the model-ref and symlink fixes scoped, and land only after redacted real route/write proof or maintainer-run equivalent proof covers the changed runtime behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked bugs are source-reproducible on current main from the ad hoc model-ref concatenation, Google stream selection order, and ensureAbsoluteDirectory symlink rejection; I did not run tests because this review is constrained to read-only inspection.

Is this the best way to solve the issue?

No. The modelKey() and fs.stat() directions are narrow, but the Vertex transport predicate is too broad because it overrides explicit OpenAI-compatible google-vertex configs that current tests preserve.

Label changes:

• add P2: This is a normal bug-fix PR for provider routing, allowlist diagnostics, and symlink workspace behavior with limited blast radius but real user impact.
• add merge-risk: 🚨 compatibility: The Vertex predicate can change existing google-vertex OpenAI-compatible endpoint configs during upgrade.
• add merge-risk: 🚨 auth-provider: The PR changes Google provider transport selection and can switch requests from configured OpenAI-compatible routing to native Vertex auth/URL handling.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body supplies focused unit-test terminal output only, not redacted real Vertex/gateway logs or an OpenClaw write-tool run; after adding proof with private details redacted, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• remove status: 🔁 re-review loop: Current PR status label is status: 📣 needs proof.

Label justifications:

• P2: This is a normal bug-fix PR for provider routing, allowlist diagnostics, and symlink workspace behavior with limited blast radius but real user impact.
• merge-risk: 🚨 compatibility: The Vertex predicate can change existing google-vertex OpenAI-compatible endpoint configs during upgrade.
• merge-risk: 🚨 auth-provider: The PR changes Google provider transport selection and can switch requests from configured OpenAI-compatible routing to native Vertex auth/URL handling.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🧂 unranked krab, patch quality is 🧂 unranked krab, and The PR has useful source-plausible pieces, but a blocking Vertex compatibility regression and mock-only proof keep it below merge-ready quality.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body supplies focused unit-test terminal output only, not redacted real Vertex/gateway logs or an OpenClaw write-tool run; after adding proof with private details redacted, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Full review comments:

• [P1] Preserve OpenAI-compatible google-vertex routes — extensions/google/provider-registration.ts:58-60
  The new predicate routes every model.provider === "google-vertex" model into the native Vertex stream function before the generic OpenAI-compatible transport can handle it. Current main explicitly preserves google-vertex configs with api: "openai-completions" and a Vertex /endpoints/openapi baseUrl, but this branch would rebuild those calls as native /v1/projects/.../publishers/google/models/...:streamGenerateContent requests with Vertex auth instead of honoring the configured OpenAI-compatible route. Please gate native Vertex on the resolved API/transport intent, and add a regression for the existing api: "openai-completions" google-vertex endpoint shape.
  Confidence: 0.89

Overall correctness: patch is incorrect
Overall confidence: 0.89

What I checked:

• PR Vertex routing diff: The PR head routes any model whose provider is google-vertex, whose api is google-vertex, or whose baseUrl has a Vertex hostname to createGoogleVertexTransportStreamFn() before the existing google-generative-ai branch. (extensions/google/provider-registration.ts:57, edc04d7bd3fd)
• Existing OpenAI-compatible google-vertex contract: Current main has explicit coverage that a google-vertex provider with api: "openai-completions" and a Vertex /endpoints/openapi baseUrl keeps that OpenAI-compatible baseUrl unchanged during Google provider normalization. (extensions/google/api.test.ts:109, 66dcc4ee8fd1)
• Native Vertex transport rebuilds request URL: The native Vertex transport keeps only the configured origin and then rebuilds the request as /v1/projects/.../publishers/google/models/...:streamGenerateContent, which is not the OpenAI-compatible /endpoints/openapi route preserved by current tests. (extensions/google/transport-stream.ts:374, 66dcc4ee8fd1)
• Current modelKey contract: modelKey() already dedupes a model id that starts with the provider prefix, matching the PR's allowlist-normalization direction. (src/agents/model-ref-shared.ts:17, 66dcc4ee8fd1)
• Current fs-safe symlink rejection path: Current main uses fs.lstat() and explicitly rejects symbolic links in ensureAbsoluteDirectory, so the symlink-directory bug is source-reproducible. (src/infra/fs-safe.ts:81, 66dcc4ee8fd1)
• History provenance: The checked-out history is collapsed to commit e42726204490fa6829105efcf9b54284a937fc85 for the central files, so feature ownership is weak; that commit introduced the current snapshots of the Google provider, runtime LLM, gateway plugin, and fs-safe files in this checkout. (extensions/google/provider-registration.ts:56, e42726204490)

Likely related people:

• clawsweeper[bot]: The collapsed checkout history attributes the relevant Google provider, runtime LLM, gateway plugin, and fs-safe source snapshots to commit e427262. (role: current-history author; confidence: low; commits: e42726204490; files: extensions/google/provider-registration.ts, extensions/google/provider-policy.ts, extensions/google/transport-stream.ts)
• takhoffman: The only relevant source-history commit available in this checkout records Approved-by: takhoffman, so this is a weak but concrete routing signal for the imported current code. (role: reviewer/approver in available history; confidence: low; commits: e42726204490; files: extensions/google/provider-registration.ts, extensions/google/provider-policy.ts, extensions/google/transport-stream.ts)
• nxmxbbd: They reviewed this PR discussion, identified the earlier literal-prefix contract regression, and linked a narrower related model-ref PR for the same allowlist issue. (role: adjacent reviewer; confidence: medium; files: src/plugins/runtime/runtime-llm.runtime.ts, src/gateway/server-plugins.ts, src/agents/model-ref-shared.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 66dcc4ee8fd1.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[nxmxbbd]

I think the formatLiteralProviderPrefixedModelRef hunk may be changing a different contract than the runtime LLM allowlist bug.

On this PR's current head 557c2fb21a5ba2b078384ab725f0b49533c4bf1f, the new helper test passes:

src/agents/model-ref-shared.test.ts
Test Files  1 passed
Tests       6 passed

But the existing literal-prefix picker coverage fails:

node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix'

src/commands/model-picker.test.ts (50 tests | 2 failed | 48 skipped)

× shows literal double-prefix labels for providers that preserve literal prefixes
× shows literal double-prefix keep label before browsing provider catalogs

Expected: "Keep current (nvidia/nvidia/nemotron-3-super-120b-a12b)"
Received: "Keep current (nvidia/nemotron-3-super-120b-a12b)"

Expected: "Keep current (nvidia/nvidia/nemotron-3-super-120b-a12b)"
Received: "Keep current (nvidia/nemotron-3-super-120b-a12b)"

That looks intentional in the existing NVIDIA / literal-prefix path:

• src/commands/model-picker.test.ts explicitly names the behavior as "literal double-prefix labels for providers that preserve literal prefixes".
• src/flows/model-picker.ts comments say to show the literal form, e.g. nvidia/nvidia/..., in the "Keep current" label.
• docs/providers/nvidia.md documents openclaw models set nvidia/nvidia/nemotron-3-super-120b-a12b.
• The preserveLiteralProviderPrefix path appears to be a display/literal <provider>/<entry.id> contract, not the canonical allowlist-key path.

One extra concern: the new helper test uses openrouter, but current production callers only invoke this helper for providers that opt into preserveLiteralProviderPrefix; the current production opt-in appears to be NVIDIA. So the new test locks a synthetic helper behavior rather than the live display path that this helper currently serves.

So if the goal here is only #84887's runtime LLM allowlist diagnostic, I think the safer fix is to drop the formatLiteralProviderPrefixedModelRef hunk and keep the canonicalization change scoped to the runtime/gateway allowlist paths.

If the intended product change is to remove the NVIDIA-style literal double-prefix display everywhere, then this probably needs to be handled as a broader behavior change with the picker tests, docs, and preserveLiteralProviderPrefix comments updated together.

After updating the branch, a fresh bot review should pick this up via the usual re-review flow.

[cropsgg]

I think the formatLiteralProviderPrefixedModelRef hunk may be changing a different contract than the runtime LLM allowlist bug.

On this PR's current head 557c2fb21a5ba2b078384ab725f0b49533c4bf1f, the new helper test passes:

src/agents/model-ref-shared.test.ts
Test Files  1 passed
Tests       6 passed

But the existing literal-prefix picker coverage fails:

node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix'

src/commands/model-picker.test.ts (50 tests | 2 failed | 48 skipped)

× shows literal double-prefix labels for providers that preserve literal prefixes
× shows literal double-prefix keep label before browsing provider catalogs

Expected: "Keep current (nvidia/nvidia/nemotron-3-super-120b-a12b)"
Received: "Keep current (nvidia/nemotron-3-super-120b-a12b)"

Expected: "Keep current (nvidia/nvidia/nemotron-3-super-120b-a12b)"
Received: "Keep current (nvidia/nemotron-3-super-120b-a12b)"

That looks intentional in the existing NVIDIA / literal-prefix path:

• src/commands/model-picker.test.ts explicitly names the behavior as "literal double-prefix labels for providers that preserve literal prefixes".
• src/flows/model-picker.ts comments say to show the literal form, e.g. nvidia/nvidia/..., in the "Keep current" label.
• docs/providers/nvidia.md documents openclaw models set nvidia/nvidia/nemotron-3-super-120b-a12b.
• The preserveLiteralProviderPrefix path appears to be a display/literal <provider>/<entry.id> contract, not the canonical allowlist-key path.

One extra concern: the new helper test uses openrouter, but current production callers only invoke this helper for providers that opt into preserveLiteralProviderPrefix; the current production opt-in appears to be NVIDIA. So the new test locks a synthetic helper behavior rather than the live display path that this helper currently serves.

So if the goal here is only #84887's runtime LLM allowlist diagnostic, I think the safer fix is to drop the formatLiteralProviderPrefixedModelRef hunk and keep the canonicalization change scoped to the runtime/gateway allowlist paths.

If the intended product change is to remove the NVIDIA-style literal double-prefix display everywhere, then this probably needs to be handled as a broader behavior change with the picker tests, docs, and preserveLiteralProviderPrefix comments updated together.

After updating the branch, a fresh bot review should pick this up via the usual re-review flow.

[cropsgg]

Reopening — closed accidentally.

[cropsgg]

Thanks — agreed. I reverted the formatLiteralProviderPrefixedModelRef hunk and removed the synthetic OpenRouter helper test in ac960cb.

#84887 is now scoped to modelKey() in runtime-llm.runtime.ts and server-plugins.ts only. NVIDIA preserveLiteralProviderPrefix / literal double-prefix picker labels are unchanged (node scripts/run-vitest.mjs src/commands/model-picker.test.ts -t 'literal double-prefix' passes).

I also tightened Vertex routing to parsed hostname matching per the manifest contract (not substring), with negative tests for proxy/lookalike URLs.

@clawsweeper re-review when you have a moment.

[cropsgg]

@clawsweeper re-review

Head edc04d7b updates:

• CI: check-prod-types, check-test-types, check-additional-extension-package-boundary, checks-node-agentic-commands-models, and Real behavior proof are green.
• Proof gate: PR body proof section reformatted (no # lines inside fenced blocks — they were truncating Observed result / What was not tested). Label proof: supplied applied.
• TS: isGoogleVertexBaseUrl accepts string | null to match GoogleProviderConfigLike.baseUrl.
• Scope unchanged: modelKey() only for Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887; NVIDIA literal-prefix display untouched; Vertex hostname parsing retained.

Please re-rate with the updated proof section and exact head.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26234255568
• Updated: 2026-05-21T15:12:25.309Z