fix: reuse provider auth lookup facts

[RomneyDa]

before:

after:

Summary

• Reuse prepared provider auth lookup facts across gateway/model-listing provider auth checks.
• Avoid broad plugin/runtime discovery for providers that cannot have synthetic auth, while preserving fallback behavior when metadata is incomplete or a configured provider may own synthetic local auth.
• Declare LM Studio synthetic auth metadata so the lightweight manifest path matches its existing runtime hook.

Verification

• node scripts/run-vitest.mjs src/agents/model-provider-auth.test.ts src/agents/model-auth.test.ts src/agents/model-auth.profiles.test.ts src/plugins/provider-runtime.synthetic-auth-discovery.test.ts src/plugins/synthetic-auth.runtime.test.ts src/plugins/bundled-plugin-metadata.test.ts extensions/lmstudio/index.test.ts
• pnpm tsgo:core
• git diff --check
• AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode local

Real behavior proof
Behavior addressed: Gateway/model-listing auth checks no longer repeatedly rediscover broad provider plugin/runtime metadata for providers that cannot satisfy plugin-owned synthetic auth.
Real environment tested: Local macOS source checkout.
Exact steps or command run after this patch: The focused Vitest command, pnpm tsgo:core, git diff --check, and autoreview command listed above.
Evidence after fix: Focused tests passed: 10 files, 281 tests. Typecheck and diff check passed. Autoreview reported no accepted/actionable findings.
Observed result after fix: Provider auth lookup facts are prepared once per checker/warm scope and reused through the loop while synthetic-auth fallback remains available when metadata is incomplete.
What was not tested: A live gateway CPU repro/profile was not rerun after the patch.

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 21:59 UTC / May 22, 2026, 5:59 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR reuses prepared provider auth lookup metadata across model-listing auth checks, scopes synthetic-auth discovery to declared refs, adds LM Studio synthetic-auth metadata, and updates focused tests plus the changelog.

Reproducibility: yes. at source level. Current main shows the model-listing provider-auth compute path reuses env lookup facts but still broadly reaches synthetic-auth plugin discovery; I did not run the live gateway CPU profile.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The implementation looks normally mergeable once the protected auth-provider compatibility decision is accepted.

Rank-up moves:

• Maintainer should explicitly accept or reject the syntheticAuthRefs cold-discovery compatibility contract.
• A live gateway/profile rerun would reduce remaining confidence risk for the performance claim.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this MEMBER, maintainer-labeled PR; the body reports focused tests/typecheck and explicitly says no live gateway profile was rerun.

Risk before merge

• Merging can make cold model-listing auth stop probing an undeclared external plugin-owned synthetic auth hook when complete registry metadata does not list its ref and no provider config exists; maintainers need to accept syntheticAuthRefs as the compatibility contract.
• The performance claim is supported by source inspection and focused tests in the PR body, but the author explicitly did not rerun a live gateway CPU/profile repro after the patch.

Maintainer options:

1. Accept manifest-scoped cold discovery (recommended)
   Merge if maintainers accept that external synthetic-auth plugins must declare syntheticAuthRefs for cold model-list auth, with fallback reserved for incomplete metadata or configured providers.
2. Preserve undeclared runtime-hook fallback
   Before merge, add an explicit fallback or warning path for undeclared external runtime hooks if that compatibility behavior must remain supported.
3. Hold for live profile proof
   Pause merge if maintainers want a live gateway/profile trace proving the repeated-discovery reduction in the real model-listing path.

Next step before merge
The remaining blocker is protected maintainer judgment on an auth-provider compatibility contract, not an autonomous repair task.

Security
Cleared: No concrete security or supply-chain regression found; the diff changes auth lookup control flow and manifest metadata without adding dependencies, workflows, downloads, or secret exposure.

Review details

Best possible solution:

Keep the prepared lookup design, but merge only after maintainers accept the manifest syntheticAuthRefs cold-discovery contract and the focused validation as enough upgrade proof.

Do we have a high-confidence way to reproduce the issue?

Yes at source level. Current main shows the model-listing provider-auth compute path reuses env lookup facts but still broadly reaches synthetic-auth plugin discovery; I did not run the live gateway CPU profile.

Is this the best way to solve the issue?

Yes, if maintainers accept syntheticAuthRefs as the cold-discovery contract. The patch moves lookup facts earlier and preserves fallback for incomplete metadata or configured providers, and I did not find a narrower concrete code repair.

Label justifications:

• P2: The PR is a focused provider-auth performance and compatibility improvement with limited blast radius but real auth-provider surface area.
• merge-risk: 🚨 compatibility: The PR changes whether complete registry metadata can skip broad probing of undeclared synthetic-auth runtime hooks during cold model-list auth.
• merge-risk: 🚨 auth-provider: The changed lookup path affects provider auth detection and synthetic local auth availability for model-listing flows.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and The implementation looks normally mergeable once the protected auth-provider compatibility decision is accepted.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The external contributor proof gate does not apply to this MEMBER, maintainer-labeled PR; the body reports focused tests/typecheck and explicitly says no live gateway profile was rerun.

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/model-provider-auth.test.ts src/agents/model-auth.test.ts src/agents/model-auth.profiles.test.ts src/plugins/provider-runtime.synthetic-auth-discovery.test.ts src/plugins/synthetic-auth.runtime.test.ts src/plugins/bundled-plugin-metadata.test.ts extensions/lmstudio/index.test.ts
• pnpm tsgo:core
• git diff --check

What I checked:

• Current main auth path: Current main still calls plugin synthetic auth broadly from hasRuntimeAvailableProviderAuth after env, config, and local-config checks, which is the hot-path behavior this PR narrows. (src/agents/model-auth.ts:347, 7e16a50c7eac)
• Current main prepared state: Current main prewarms provider auth with a prepared env-auth lookup, but does not carry synthetic-auth ref facts through the runtime auth check. (src/agents/model-provider-auth.ts:91, 7e16a50c7eac)
• PR diff: The PR introduces RuntimeProviderAuthLookup, createRuntimeProviderAuthLookup, and runtimeLookup threading so env and synthetic-auth metadata are prepared once and reused. (src/agents/model-auth.ts:65, 8d65a37e9802)
• Synthetic auth compatibility surface: The PR makes synthetic-auth ref discovery report completeness and uses complete metadata to skip broad plugin probing unless fallback conditions apply. (src/plugins/synthetic-auth.runtime.ts:20, 8d65a37e9802)
• Documented manifest contract: The plugin manifest docs already define syntheticAuthRefs as the refs whose plugin-owned synthetic auth hook should be probed during cold model discovery before runtime loads. Public docs: docs/plugins/manifest.md. (docs/plugins/manifest.md:167, 7e16a50c7eac)
• LM Studio source match: Current LM Studio runtime has a resolveSyntheticAuth hook, while its manifest on main has nonSecretAuthMarkers and providerAuthEnvVars but no syntheticAuthRefs; the PR adds the missing manifest ref. (extensions/lmstudio/index.ts:92, 7e16a50c7eac)

Likely related people:

• Peter Steinberger: git blame and file history show the current main provider-auth hot path, synthetic-auth runtime helper, LM Studio metadata, and the later provider-auth prewarm cancellation all trace to his recent commits. (role: recent area contributor; confidence: high; commits: 86b87df7e3df, 60e3749de339; files: src/agents/model-auth.ts, src/agents/model-provider-auth.ts, src/plugins/synthetic-auth.runtime.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7e16a50c7eac.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Clockwork Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: keeps receipts.
Image traits: location diff observatory; accessory miniature diff map; palette seafoam, black, and opal; mood mischievous; pose guarding a tiny green check; shell polished stone shell; lighting calm overcast light; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Clockwork Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[RomneyDa]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26312221629
• Updated: 2026-05-22T21:21:07.536Z

[RomneyDa]

Self-review (READY FOR /prepare-pr).

What it does

• src/agents/model-auth.ts introduces RuntimeProviderAuthLookup (env-auth lookup + optional syntheticAuthProviderRefs) and createRuntimeProviderAuthLookup. hasRuntimeAvailableProviderAuth now gates resolveSyntheticLocalProviderAuth behind shouldResolvePluginSyntheticAuth.
• src/agents/model-provider-auth.ts prepares the lookup once per warm scope, and lazily in createProviderAuthChecker (runtimeAuthLookup ??=), instead of rebuilding the alias/candidate/evidence maps per call.
• src/plugins/synthetic-auth.runtime.ts adds resolveRuntimeSyntheticAuthProviderRefState returning { refs, complete } and harvests plugin.syntheticAuthRefs from the live registry so the registry path matches the manifest-snapshot path.
• extensions/lmstudio/openclaw.plugin.json declares syntheticAuthRefs: ["lmstudio"] to match the existing resolveSyntheticAuth hook in extensions/lmstudio/index.ts:92.

Fallbacks preserved

• complete=false (registry diagnostics present, or snapshot source not persisted/provided) → keep doing the broad lookup.
• Provider with any user config in cfg.providers → keep doing the broad lookup.
• hasSyntheticLocalProviderAuthConfig (user-localhost baseUrl) still runs before the gated branch, so local-config users are unaffected.

Verification

• node scripts/run-vitest.mjs on model-provider-auth, model-auth, model-auth.profiles, provider-runtime.synthetic-auth-discovery, synthetic-auth.runtime, bundled-plugin-metadata, extensions/lmstudio/index — all pass.
• pnpm tsgo:core, git diff --check, autoreview — clean.
• Live gateway CPU re-profile after the patch not rerun.

Non-blocking

• listProviderSyntheticAuthRefs accepts modelApi but no caller threads it yet — leaves a clean extension point if a model-listing caller wants to prune further on api family.
• EnvApiKeyLookupOptions newly exported just for a Pick<> inside model-auth.ts — an unexported alias would also work.

Changelog: ### Fixes entry added under ## 2026.5.22. Docs: no user-visible surface.

[RomneyDa]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26313212697
• Updated: 2026-05-22T21:44:25.223Z