fix(plugins): dedupe provider-prefixed model refs in runtime LLM allowlist policy

[nxmxbbd]

Summary

• Problem: The plugin runtime LLM policy gate (src/plugins/runtime/runtime-llm.runtime.ts) and the gateway fallback subagent policy gate (src/gateway/server-plugins.ts) each build allowlist Set keys and resolved-selection keys via ad-hoc ${normalized.provider}/${normalized.model} concatenation. When a provider plugin manifest contributes prefixWhenBare (e.g. OpenRouter) and the resolved selection's modelId already carries the provider segment, the concatenation produces a double-prefixed key (openrouter/openrouter/gpt-5.4-mini). The user-typed allowlist entry does not carry the duplicate prefix, so Set.has misses and the diagnostic surfaces a confusing openrouter/openrouter/... string.
• Solution: Swap the 5 ad-hoc concat sites in the two affected flows to the existing canonical modelKey() helper at src/agents/model-ref-shared.ts:17 (already re-exported via src/agents/model-selection.ts). modelKey dedupes when model already starts with ${provider}/, so both pair sides remain symmetric: allowlist Set construction + resolved-selection lookup produce identical canonical keys, the policy gate keeps the same contract, and the diagnostic surfaces the deduped, user-recognizable ref.
• What changed: 5 modelKey(p, m) swaps + 2 named-import additions across runtime-llm.runtime.ts (2 sites) and server-plugins.ts (3 sites), plus 2 regression tests (one per file) locking in the deduped diagnostic.
• What did NOT change (scope boundary): legacyModelKey (intentional raw concat for legacy lookup), the wider set of normalizeModelRef callers under src/agents/** (each requires its own diagnosis), and the cross-file normalizeAllowedModelRef duplication (known smell, separate refactor).

Motivation

#84887 was opened by 100yenadmin who reported their plugin LLM allowlist diagnostic surfaced openrouter/openrouter/gpt-5.4-mini even though the actionable model ref they had configured was openrouter/gpt-5.4-mini. The doubled provider segment confused remediation. The reporter's suggested fix shape ("normalize runtime LLM model refs with a helper that strips only duplicated provider prefixes after normalizeModelRef()") matches the canonical modelKey() helper that already lives in src/agents/model-ref-shared.ts — the bug here is that two flows didn't use it.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887
• Related fix: model ref normalization, Vertex transport routing, symlink workspace dirs #84934
• This PR fixes a bug or regression

Real behavior proof

• Behavior or issue addressed: Plugin LLM runtime allowlist policy and gateway fallback subagent policy both build canonical provider/model keys via ad-hoc concatenation that does not dedupe when the resolved modelId already carries the provider segment, producing a double-prefixed diagnostic and (in the reporter's environment) a wrongly denied allowlist match.

• Real environment tested: Local checkout at /root/repos/openclaw-84887 rebased onto current upstream/main (f39f56a096). Direct production-source invocation via node_modules/.bin/tsx /tmp/proof-84887.mts, importing the actual production modelKey from src/agents/model-selection.ts (re-exported from src/agents/model-ref-shared.ts). Also focused vitest on the two touched test files.

• Exact steps or command run after this patch:

node_modules/.bin/tsx /tmp/proof-84887.mts
node scripts/run-vitest.mjs src/plugins/runtime/runtime-llm.runtime.test.ts src/gateway/server-plugins.test.ts

• Evidence after fix:

Terminal capture from this branch, copied live output of the production modelKey invocation:

=== Pre-fix path (ad-hoc concat) ===
  allowlist Set entry: "openrouter/gpt-5.4-mini"
  resolved ref:        "openrouter/openrouter/gpt-5.4-mini"
  Set.has(resolved):   false  (bug: false; legitimate selection denied)
  diagnostic emitted:  model override "openrouter/openrouter/gpt-5.4-mini" is not allowlisted for plugin "lossless-claw".

=== Post-fix path (modelKey() from src/agents/model-ref-shared.ts) ===
  allowlist Set entry: "openrouter/gpt-5.4-mini"
  resolved ref:        "openrouter/gpt-5.4-mini"
  Set.has(resolved):   true  (fix: true; legitimate selection allowed)

=== Cross-check vs #84887 reporter's verbatim error ===
  reporter wrote: Plugin LLM completion model override "openrouter/openrouter/gpt-5.4-mini" is not allowlisted for plugin "lossless-claw".
  local pre-fix:  Plugin LLM completion model override "openrouter/openrouter/gpt-5.4-mini" is not allowlisted for plugin "lossless-claw".
  match: true

Focused regression tests on both touched flows, copied live output:

 RUN  v4.1.7 /root/repos/openclaw-84887

 Test Files  2 passed (2)
      Tests  64 passed (64)
   Start at  18:36:29
   Duration  6.18s (transform 1.86s, setup 179ms, import 857ms, tests 4.97s, environment 0ms)

• Observed result after fix: The production modelKey collapses (provider="openrouter", model="openrouter/gpt-5.4-mini") to the single-prefix canonical key "openrouter/gpt-5.4-mini". The Set.has lookup that was previously denying legitimate selections now succeeds, and the diagnostic for real deny cases carries the user-recognizable single-prefix ref (matching the reporter's allowlist entry shape). The pre-fix path simulation reproduces the reporter's verbatim diagnostic string character-for-character, confirming the diagnosis end-to-end through the real production helper.

• What was not tested: No live OpenRouter API call or live Lossless plugin invocation; the bug is host-side normalization, so an end-to-end runtime call is not required to validate the fix. The "allow" case end-to-end through runtimeContext.llm.complete was not added as a vitest case because in the vitest environment (no OpenRouter plugin manifest loaded) the host's normalizeProviderModelIdWithRuntime does not re-prefix bare model ids, so both Set-construction and resolved-side paths produce symmetric output and the bug becomes invisible at the policy gate (it only surfaces in the diagnostic string). The diagnostic-dedup regression tests in both files cover the same concat logic the allow path depends on.

• Before evidence (optional but encouraged): The reporter's [lcm] runtime.llm.complete error log in the issue body shows Plugin LLM completion model override "openrouter/openrouter/gpt-5.4-mini" is not allowlisted for plugin "lossless-claw".. The pre-fix path simulation in the proof capture above produces this exact string character-for-character.

Root Cause

• Root cause: Two independent flows (plugin runtime LLM policy + gateway fallback subagent policy) each build canonical provider/model keys via local ad-hoc ${normalized.provider}/${normalized.model} concatenation. The repo already has a canonical helper modelKey(provider, model) at src/agents/model-ref-shared.ts:17 that dedupes when model already starts with ${provider}/. The ad-hoc paths were missing the dedup branch. When OpenRouter's manifest prefixWhenBare=openrouter produces a resolved selection.modelId of openrouter/gpt-5.4-mini, the concatenation generates a doubled key while the user-entered allowlist ref stays single-prefixed; the Set.has lookup misses and the diagnostic surfaces the confusing doubled string.
• Missing detection / guardrail: No regression test exercised an allowlist deny diagnostic where the resolved selection's modelId already carried the provider segment. Both regression test files in this PR add that coverage.
• Contributing context: The two flows independently re-implement normalizeAllowedModelRef (one in runtime-llm.runtime.ts, one in server-plugins.ts); both implementations carry the same canonical-key bug. Consolidating them is out of scope for this focused fix and left as a follow-up.

Regression Test Plan

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
  • src/plugins/runtime/runtime-llm.runtime.test.ts — context-engine LLM deny diagnostic (Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887)
  • src/gateway/server-plugins.test.ts — fallback subagent override deny diagnostic (Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887)
• Scenario the test should lock in: When the resolved selection's modelId arrives with the provider segment already prepended (simulating OpenRouter's prefixWhenBare behavior), an allowlist deny must surface the deduped single-prefix ref in the diagnostic and (transitively) construct symmetric canonical Set keys on both sides of the policy check.
• Why this is the smallest reliable guardrail: The two tests exercise the exact concat sites changed in this PR and lock the canonical-key contract by inspecting the user-visible diagnostic string. Any future regression that reintroduces ad-hoc concat at either site will break the verbatim assertion immediately.
• Existing test that already covers this (if any): None — neither test file previously asserted the deduped form of provider-prefixed resolved refs.
• If no new test is added, why not: N/A — new tests added.

User-visible / Behavior Changes

Users configuring plugin LLM allowlists or gateway fallback subagent allowlists with single-prefix entries (e.g. openrouter/gpt-5.4-mini) will now match their selections correctly when the selection's modelId arrives provider-prefixed via a plugin's prefixWhenBare hook. Deny diagnostics will surface the deduped single-prefix ref instead of the previously doubled form. Users who deliberately configured legacy double-prefix entries like openrouter/openrouter/hunter-alpha will see those entries collapse to the same canonical key as the deduped resolved ref; the policy gate semantics remain consistent (legacy entries continue to match their intended targets via the deduped canonical key).

Security Impact

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)

This is a focused diagnostic + canonical-key contract fix in two host-side normalization paths. No auth, network, permission, or data-access surface is touched.

Repro + Verification

Environment

• OS: Linux (x64)
• Runtime/container: Node 22.22.1, pnpm 11.1.0
• Model/provider: N/A (production-source unit invocation; bug is host-side normalization)
• Integration/channel (if any): Plugin runtime LLM API + gateway fallback subagent path
• Relevant config (redacted): N/A

Steps

1. Configure plugin allowlist allowedModels: ["openrouter/gpt-5.4-mini"] for a plugin that calls api.runtime.llm.complete (or use a fallback subagent override targeting OpenRouter).
2. Trigger the runtime LLM call with a selection where selection.modelId arrives openrouter/gpt-5.4-mini (via OpenRouter's manifest prefixWhenBare=openrouter).
3. Pre-fix: the policy denies the legitimate selection and emits model override "openrouter/openrouter/gpt-5.4-mini" is not allowlisted for plugin "X".

Expected

• The legitimate selection is allowed; deny diagnostics for genuinely-out-of-allowlist selections carry the deduped single-prefix ref.

Actual (before fix)

• Allowlist Set lookup misses; diagnostic carries the doubled-prefix ref (verbatim match to reporter's log line above).

Human Verification

• Verified scenarios: Pre-fix path verbatim match to the reporter's diagnostic string; post-fix Set.has succeeds on the rebased branch via production-source modelKey invocation; vitest deny-diagnostic regression tests pass in both touched files; full src/plugins/runtime/ + src/gateway/ vitest scope passed (242 files / 2672 tests) before rebase, focused 2-file scope (64 tests) reran clean post-rebase. pnpm build completes; dist/runtime-llm.runtime-*.js and dist/server-plugins-*.js contain the modelKey reference paths.
• Edge cases checked: Wildcard * allowlist entries short-circuit before the concat path (untouched). Empty provider/model inputs are rejected by normalizeAllowedModelRef before reaching the concat (untouched). Legacy double-prefix allowlist entries collapse to the same canonical key as the deduped resolved ref. legacyModelKey (intentional raw concat for back-compat lookup) is not on the policy-gate path and is untouched.
• What I did not verify: Live OpenRouter API traffic (not relevant — host-side normalization fix). Live Lossless plugin invocation (also not on the host-side normalization path). Other ~16 normalizeModelRef callers under src/agents/** outside the two policy-gate flows fixed here (out of scope; each requires its own diagnosis and proof).

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)

Users who had configured legacy double-prefix workaround entries see those entries collapse to the same canonical key now used by both the allowlist Set and the resolved-selection key. Single-prefix entries (which the user-facing diagnostics already encouraged) continue to work, now also matching provider-prefixed resolved selections that previously slipped past the policy gate.

Risks and Mitigations

• Risk: Two flows independently re-implement normalizeAllowedModelRef; this PR fixes the bug in both but does not consolidate them.
  • Mitigation: The duplication is explicitly out of scope and left as a follow-up. Both implementations now share the canonical modelKey() helper for key construction, so the contract is consistent across both flows. A separate refactor PR can dedupe the helper body without affecting the canonical-key semantics this PR establishes.
• Risk: Other normalizeModelRef callers under src/agents/** may have the same ad-hoc concat pattern; this PR does not touch them.
  • Mitigation: Each non-policy-gate caller has different semantics (catalog lookup, alias resolution, fallback observation logging). Mixing them into this fix would expand blast radius beyond Runtime LLM allowlist diagnostics can double-prefix provider-qualified model refs #84887's scope. An independent diff review confirmed no third raw-concat site exists in either Set/diagnostic flow this PR is changing.

#84887

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR replaces ad-hoc provider/model key concatenation in plugin runtime LLM and gateway fallback allowlist policy paths with modelKey and adds one regression test per path.

Reproducibility: yes. Source inspection shows current main can normalize an OpenRouter selection to provider openrouter plus model openrouter/... and then raw-concat it into openrouter/openrouter/...; I did not run tests because this review is read-only.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Summary: This is a good, likely mergeable bug-fix PR with sufficient host-side proof and a small canonical-helper patch.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body supplies after-fix live output from production-source helper invocation plus focused regression test output for both changed policy paths.

Next step before merge
No ClawSweeper repair lane is needed because the PR has no blocking findings and only needs normal maintainer review and CI handling.

Security
Cleared: The diff only changes local model-ref normalization and tests, with no dependency, CI, secret, network, auth, or executable supply-chain surface touched.

Review details

Best possible solution:

Land the focused modelKey substitution with its two regression tests after normal CI, leaving broader helper consolidation as a separate cleanup.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main can normalize an OpenRouter selection to provider openrouter plus model openrouter/... and then raw-concat it into openrouter/openrouter/...; I did not run tests because this review is read-only.

Is this the best way to solve the issue?

Yes. Reusing the existing modelKey contract is the narrow maintainable fix and avoids adding a second runtime-only dedupe rule.

Label changes:

• add P2: This is a normal-priority provider/model allowlist bug with limited blast radius in plugin runtime LLM and gateway fallback policy diagnostics.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live output from production-source helper invocation plus focused regression test output for both changed policy paths.

Label justifications:

• P2: This is a normal-priority provider/model allowlist bug with limited blast radius in plugin runtime LLM and gateway fallback policy diagnostics.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🦞 diamond lobster, and This is a good, likely mergeable bug-fix PR with sufficient host-side proof and a small canonical-helper patch.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body supplies after-fix live output from production-source helper invocation plus focused regression test output for both changed policy paths.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body supplies after-fix live output from production-source helper invocation plus focused regression test output for both changed policy paths.

What I checked:

• Current main runtime LLM policy raw-concats normalized refs: The plugin runtime allowlist builder returns ${normalized.provider}/${normalized.model}, and the resolved selection check builds the same raw string after normalizeModelRef. (src/plugins/runtime/runtime-llm.runtime.ts:238, bde07ddb1552)
• Current main gateway fallback policy raw-concats normalized refs: The gateway fallback subagent allowlist and requested-model resolver both construct provider/model strings manually instead of using the canonical helper. (src/gateway/server-plugins.ts:130, bde07ddb1552)
• Canonical helper already dedupes provider-prefixed model ids: modelKey trims provider/model and returns the model unchanged when it already starts with the normalized provider prefix. (src/agents/model-ref-shared.ts:17, bde07ddb1552)
• OpenRouter manifest can produce provider-prefixed model ids: The bundled OpenRouter plugin manifest sets modelIdNormalization.providers.openrouter.prefixWhenBare to openrouter, matching the reported double-prefix path. (extensions/openrouter/openclaw.plugin.json:8, bde07ddb1552)
• Latest shipped release still has the raw concat behavior: Tag v2026.5.19 contains the same runtime and gateway raw-concat sites, so the PR is not obsolete against the shipped release. (src/plugins/runtime/runtime-llm.runtime.ts:238, a185ca283a74)
• PR diff is focused and covered: The provided PR diff changes the five raw-concat sites to modelKey and adds deny-diagnostic regressions in runtime-llm.runtime.test.ts and server-plugins.test.ts. (a2c4437fcf4a)

Likely related people:

• Frank Yang: Blame shows the current extracted runtime LLM, gateway fallback policy, and modelKey helper files were carried into their current form by the recent test-isolation commit. (role: recent area contributor; confidence: high; commits: 258524973798; files: src/plugins/runtime/runtime-llm.runtime.ts, src/gateway/server-plugins.ts, src/agents/model-ref-shared.ts)
• jalehman: Earlier plugin runtime and fallback subagent work added the context plugin runtime and forwarded plugin subagent override behavior that this policy path builds on. (role: feature-history owner; confidence: medium; commits: fee91fefceb4, 1399ca5fcb51; files: src/gateway/server-plugins.ts, src/gateway/server-plugins.test.ts, src/plugins/runtime/types.ts)
• vincentkoc: Recent gateway plugin fallback state refactoring touched the same server-plugins surface without changing the allowlist key contract. (role: adjacent gateway contributor; confidence: medium; commits: d0002c5e1e49; files: src/gateway/server-plugins.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against bde07ddb1552.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Frosted Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: guards the happy path.
Image traits: location status garden; accessory miniature diff map; palette cobalt, lime, and pearl; mood bright-eyed; pose leaning over a miniature review desk; shell matte ceramic shell; lighting calm overcast light; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Frosted Lint Imp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[vincentkoc]

Closing this as superseded by the narrower maintainer-selected fix in #84946, merged at commit 937a756.

That landed the #84887 runtime LLM allowlist diagnostic fix by using modelKey() at the two runtime LLM policy formatting sites and added focused regression coverage for the provider-qualified OpenRouter shape. The broader gateway fallback normalization in this PR is not part of the selected #84887 fix path and should be proposed separately if it still has a concrete repro.

[nxmxbbd]

@vincentkoc following up on your closure note here: I opened #85445 as the separate PR for the gateway fallback path.

Current state there:

• It keeps the runtime LLM fix from fix #84887: avoid duplicate provider prefix in runtime LLM allowlist diagnostics #84946 separate and only touches src/gateway/server-plugins.ts plus its focused tests.
• It covers the remaining gateway fallback raw-concat sites on both configured allowlist and requested override comparison sides.
• It includes the concrete provider-prefixed OpenRouter repro, plus deny-diagnostic and matching-allow regression coverage.
• ClawSweeper has accepted the production-source gateway fallback smoke proof: proof: sufficient, status: 👀 ready for maintainer look.

So this closed PR can stay closed; the unresolved gateway fallback path is now tracked in #85445.