[Fix] Warm provider auth off main thread

[samzong]

Summary

• Problem: gateway provider-auth prewarm could monopolize the main Node event loop during startup, delaying channel handshakes and inbound message handling.
• Solution: move the provider-auth warm path into a worker thread while preserving the prepared auth-state cache contract and cancellation semantics.
• What changed: added a provider-auth worker entry, serialized/published warm snapshots, carried runtime auth-store presence into the worker, and updated startup/reload/logout rewarm call sites.
• What did NOT change (scope boundary): model-provider auth semantics, credential persistence, channel startup ordering, and public config defaults are unchanged.

Motivation

• Closes [Bug]: 2026.5.22 gateway pre-warm (warmCurrentProviderAuthState) blocks event loop ~60s on startup, breaks channel handshakes #85999. The reported 2026.5.22 regression shows provider-auth prewarm taking 58-68s with 36s event-loop stalls on a 2vCPU Linux gateway, causing Discord/Feishu/Telegram startup timeouts and delayed inbound messages.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: 2026.5.22 gateway pre-warm (warmCurrentProviderAuthState) blocks event loop ~60s on startup, breaks channel handshakes #85999
• Fixes [BUG] Auth pre-warming blocks event loop for 60-90s, causing cascading timeouts #86506
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: provider-auth warm now executes through a worker-thread runtime path instead of doing the expensive provider/auth sweep on the gateway main event loop.
• Real environment tested: local OpenClaw source checkout and built dist output on macOS with Node v24.14.0.
• Exact steps or command run after this patch:

  node --import tsx -e "import('./src/agents/model-provider-auth.ts').then(async ({warmCurrentProviderAuthStateOffMainThread, clearCurrentProviderAuthState}) => { await warmCurrentProviderAuthStateOffMainThread({models:{providers:{demo:{baseUrl:'https://example.com/v1', api:'openai', models:[{id:'m'}]}}}}); clearCurrentProviderAuthState(); console.log('ok-default'); })"
  node -e "const fs=require('fs'); const f=fs.readdirSync('dist').find(f=>/^model-provider-auth-.*\.js$/.test(f)); import('./dist/'+f).then(async m=>{await m.a({models:{providers:{demo:{baseUrl:'https://example.com/v1',api:'openai',models:[{id:'m'}]}}}}, {timeoutMs:30000}); m.n(); console.log('ok', f);})"

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):

  ok-default
  node --import tsx -e ... 47.43s user 3.84s system 102% cpu 50.221 total
  
  ok model-provider-auth-OLG_yXSX.js
  

• Observed result after fix: both the source-checkout worker path and built dist worker chunk completed successfully and published/cleared provider-auth state without touching channel code.
• What was not tested: the original Azure B2als_v2 host and live Discord/Telegram/Feishu restart path were not available in this local session.
• Before evidence (optional but encouraged): issue logs show provider auth state pre-warmed in 58655ms eventLoopMax=36540.8ms and provider auth state pre-warmed in 67840ms eventLoopMax=36876.3ms on 2026.5.22.

Root Cause (if applicable)

• Root cause: warmCurrentProviderAuthState ran the catalog/provider/agent auth discovery sweep on the gateway process main thread after gateway ready. On constrained hosts, external auth discovery and store hydration could stall the event loop long enough to break channel startup timers.
• Missing detection / guardrail: existing coverage asserted auth correctness but did not lock the gateway startup/reload/logout call sites to a non-main-thread warm path or require the worker entry in dist/release checks.
• Contributing context (if known): configured agents with multiple providers amplify the per-agent provider-auth sweep.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/model-provider-auth.test.ts, src/agents/model-provider-auth.worker.test.ts, src/gateway/server-startup-post-attach.test.ts, src/gateway/server-reload-handlers.test.ts, src/gateway/server-methods/models-auth-status.test.ts, src/gateway/server.reload.test.ts, src/infra/tsdown-config.test.ts, test/release-check.test.ts.
• Scenario the test should lock in: worker snapshot publication, stale/cancelled warm suppression, runtime auth-store presence transfer, gateway startup/reload/logout using the off-main-thread warmer, and release/build inclusion of the worker entry.
• Why this is the smallest reliable guardrail: it covers the ownership boundary where the regression entered without requiring live provider credentials or channel transports.
• Existing test that already covers this (if any): existing auth-state tests covered correctness but not the worker boundary.
• If no new test is added, why not: N/A - new tests are included.

User-visible / Behavior Changes

Gateway startup, reload, and logout-triggered provider-auth rewarm should no longer block channel timers on the main event loop. Auth answers and config semantics remain unchanged.

Diagram (if applicable)

Before:
gateway ready -> main-thread provider auth sweep -> channel timers delayed

After:
gateway ready -> worker-thread provider auth sweep -> snapshot publish -> channel timers keep running

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) Yes
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: runtime auth-store snapshots passed to the worker are reduced to provider-presence-only placeholder credentials, so the worker can preserve auth availability semantics without copying real token material.

Repro + Verification

Environment

• OS: macOS local checkout
• Runtime/container: Node v24.14.0, pnpm workspace scripts, built dist
• Model/provider: minimal demo OpenAI-compatible provider config
• Integration/channel (if any): N/A - worker/auth runtime path only
• Relevant config (redacted): one demo provider with one model and no secrets

Steps

1. Run the focused Vitest set for the touched auth/gateway/release surfaces.
2. Build tsdown dist with the worker entry included.
3. Execute the source-checkout worker warm smoke.
4. Execute the built-dist worker warm smoke.
5. Run pre-ship profile scans.

Expected

• Provider-auth warm completes through the worker path, the built worker chunk is resolvable, and focused tests pass.

Actual

• Focused tests passed: 11 files, 214 tests.
• node scripts/tsdown-build.mjs --no-clean completed successfully.
• Source worker smoke printed ok-default.
• Dist worker smoke printed ok model-provider-auth-OLG_yXSX.js.
• Pre-ship codex-style, coderabbit-style, and greptileai-style scans returned NO_FINDINGS.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: focused auth/gateway/release tests, tsdown build, source worker smoke, built dist worker smoke, pre-ship profile scan.
• Edge cases checked: stale warm cancellation, worker timeout/error handling, invalid worker payloads, runtime auth-store presence transfer, gateway startup/reload/logout call-site rewiring, release-check worker inclusion.
• What you did not verify: live affected Linux VM restart and live channel handshakes.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A - no migration needed.

Risks and Mitigations

• Risk: worker startup failures could leave the prepared auth cache cold.
  • Mitigation: failures are logged by existing call sites and hasAuthForModelProvider keeps the existing compute fallback when no prepared snapshot matches.
• Risk: runtime-only auth snapshots could leak credential material into worker data.
  • Mitigation: the warm path sends provider-presence-only placeholder credentials, not real token values.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 6:22 PM ET / 22:22 UTC.

Summary
The PR moves provider-auth warming into a worker thread, serializes prepared auth snapshots back to the gateway process, preserves runtime auth presence, rewires startup/reload/logout rewarm call sites, and adds worker packaging/release coverage plus a generated diffs-viewer stabilization.

PR surface: Source +522, Tests +355, Other +6. Total +883 across 21 files.

Reproducibility: yes. The linked issue logs show 58-90s provider-auth prewarm stalls, and the PR discussion includes Testbox before/after proof where current main delayed a 100 ms timer to about 34.1s while the PR kept it at 100 ms.

Review metrics: 2 noteworthy metrics.

• Packaged worker entry: 1 added. The fix depends on the new worker being present in built dist, so the release-check and tsdown entry are a merge-relevant artifact surface.
• Config/default surfaces: 0 added, 0 changed, 0 removed. This keeps the fix out of operator config migration territory; the merge risk is runtime auth/cache behavior rather than a new user setting.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• The worker path changes auth-provider cache publication semantics for runtime-only stores and plugin synthetic auth; the current patch preserves fallbacks, but maintainers still need to accept that behavior as the desired auth contract.
• Gateway availability now depends on a packaged worker entry resolving correctly and timing out safely; the PR adds release checks and fallback behavior, but this remains a merge-relevant startup surface.
• The branch includes a generated diffs-viewer runtime and generator tweak unrelated to provider-auth warming; it appears to be CI stabilization, but it is extra generated runtime churn in an otherwise gateway/auth PR.

Maintainer options:

1. Accept the worker auth-cache contract
   Maintainers can land this once they are comfortable that runtime auth presence and incomplete synthetic-auth cases are preserved by omission/fallback rather than by publishing false negatives.
2. Request one more packaged-gateway proof
   Before merge, maintainers may ask for a packaged gateway startup or restart proof on Linux that shows the worker chunk resolves and channel/RPC timers remain responsive.
3. Split generated asset stabilization
   If reviewers do not want unrelated generated diffs-viewer churn in this fix, split the esbuild NaN stabilization and rebuilt asset into a separate CI-focused PR.

Next step before merge
There is no narrow automated repair to request; maintainers need to accept or ask for more proof on the auth-provider, availability, and generated-artifact merge risks.

Security
Cleared: No concrete security or supply-chain blocker found; the worker receives reduced auth-presence stores and metadata, with no dependency, workflow, permission, or secret-source expansion in the final diff.

Review details

Best possible solution:

Land the worker-based root fix once maintainers accept the auth-cache and packaging risk, keeping fallback computation intact and preserving the release-check guard for the new worker artifact.

Do we have a high-confidence way to reproduce the issue?

Yes. The linked issue logs show 58-90s provider-auth prewarm stalls, and the PR discussion includes Testbox before/after proof where current main delayed a 100 ms timer to about 34.1s while the PR kept it at 100 ms.

Is this the best way to solve the issue?

Yes, with maintainer risk acceptance. Moving the expensive warm sweep to a worker while keeping fallback computation is the narrowest root fix I saw; an operator config switch would be only a mitigation.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fb1dfd486bb9.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR supplies terminal output for source and built-dist worker smoke tests, plus Testbox before/after live output showing the event-loop responsiveness improvement.

Label justifications:

• P1: The linked reports describe a real gateway startup regression where provider-auth prewarm stalls channel handshakes and inbound message handling.
• merge-risk: 🚨 auth-provider: The PR changes how prepared provider-auth state is computed and transferred across process boundaries.
• merge-risk: 🚨 availability: The fix changes gateway startup/reload/logout warm behavior and introduces a worker path that must resolve and fail safely.
• merge-risk: 🚨 other: The branch also includes generated diffs-viewer/runtime build stabilization that is outside the auth-provider fix path.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR supplies terminal output for source and built-dist worker smoke tests, plus Testbox before/after live output showing the event-loop responsiveness improvement.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR supplies terminal output for source and built-dist worker smoke tests, plus Testbox before/after live output showing the event-loop responsiveness improvement.

Evidence reviewed

PR surface:

Source +522, Tests +355, Other +6. Total +883 across 21 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	10	567	45	+522
Tests	7	381	26	+355
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	4	6	0	+6
Total	21	954	71	+883

What I checked:

• Repository policy read: Read the full root AGENTS.md plus scoped guides for src/agents, src/gateway, src/gateway/server-methods, scripts, extensions, and src/agents/tools; auth/provider routing and gateway startup are compatibility- and availability-sensitive under the repo policy. (AGENTS.md:1, fb1dfd486bb9)
• Current-main behavior: Current main imports and calls warmCurrentProviderAuthState from the post-attach startup warmer, so the reported startup prewarm still runs through the main gateway process path on main. (src/gateway/server-startup-post-attach.ts:194, fb1dfd486bb9)
• Current warm loop: Current main's warmCurrentProviderAuthState loads the catalog, iterates configured agents and providers, opens the auth store, and awaits hasAuthForModelProvider on the gateway-side path. (src/agents/model-provider-auth.ts:199, fb1dfd486bb9)
• PR worker implementation: The PR head adds warmCurrentProviderAuthStateOffMainThread, collects runtime auth stores/lookups, runs the warm snapshot through a Worker with timeout/cancellation handling, and publishes the returned snapshot only if still current. (src/agents/model-provider-auth.ts:535, 8c3e3d4aa571)
• Worker entry behavior: The worker validates input, installs runtime auth profile snapshots, builds the provider-auth snapshot in read-only mode, and returns either an ok snapshot or failed error result. (src/agents/model-provider-auth.worker.ts:46, 8c3e3d4aa571)
• Regression coverage: The PR adds tests for read-only auth-store warm snapshots, omission of unsafe false synthetic-auth answers, runtime auth-store transfer, cancellation, stale publication suppression, and worker snapshot behavior. (src/agents/model-provider-auth.test.ts:122, 8c3e3d4aa571)

Likely related people:

• Alex Knight: Current-main blame for the provider-auth warm function and gateway post-attach call site points to commit 42e9504 in the local checkout. (role: recent area contributor; confidence: medium; commits: 42e9504114f3; files: src/agents/model-provider-auth.ts, src/gateway/server-startup-post-attach.ts, src/gateway/server-reload-handlers.ts)
• steipete: Peter authored multiple PR-head follow-up commits that made the worker path read-only, repaired CI/build fallout, avoided stale plugin auth warm results, and preserved partial auth warm cache behavior. (role: recent follow-up owner; confidence: high; commits: e2e7874b4d7a, cac118fcaac6, e8e597fe8bca; files: src/agents/model-provider-auth.ts, src/agents/model-provider-auth.worker.ts, src/agents/auth-profiles/store.ts)
• Vincent Koc: Recent auth-profile store history includes several commits by Vincent around runtime auth profile state and external CLI OAuth behavior, which is adjacent to the store snapshot boundary this PR touches. (role: adjacent auth-store contributor; confidence: medium; commits: a001b5343f, 2bc031c357, 03231c0633; files: src/agents/auth-profiles/store.ts)
• sallyom: Sally was assigned on the PR and posted the Testbox before/after responsiveness proof for the rebased branch. (role: reviewer/validation owner; confidence: medium; files: src/agents/model-provider-auth.ts, src/gateway/server-startup-post-attach.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Tiny Merge Sprite

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: polishes edge cases.
Image traits: location branch lighthouse; accessory rollback rope; palette rose quartz and slate; mood celebratory; pose guarding a tiny green check; shell soft speckled shell; lighting tiny status-light glow; background tiny artifact crates.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Tiny Merge Sprite in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[steipete]

Verification before merge:

Behavior addressed: provider-auth warm now runs off the main thread while preserving cancellation/stale-generation guards and read-only auth-state semantics.
Real environment tested: local macOS checkout plus GitHub Actions for PR head 8c3e3d4aa571e313b7edc77a0978d507f0270aca.
Exact steps or command run after this patch:

• node scripts/run-vitest.mjs src/agents/model-provider-auth.test.ts src/agents/model-provider-auth.worker.test.ts
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.core.test.json --incremental false --pretty false
• GITHUB_ACTIONS=true node scripts/run-bundled-extension-oxlint.mjs
• node scripts/build-diffs-viewer-runtime.mjs curated && node scripts/build-diffs-viewer-runtime.mjs full && git diff --exit-code -- extensions/diffs/assets/viewer-runtime.js extensions/diffs-language-pack/assets/viewer-runtime.js
• pnpm protocol:gen && pnpm protocol:gen:swift
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  Evidence after fix: GitHub Actions green: CI https://github.com/openclaw/openclaw/actions/runs/26541952783, CodeQL https://github.com/openclaw/openclaw/actions/runs/26541952781, OpenGrep https://github.com/openclaw/openclaw/actions/runs/26541952857, Real behavior proof https://github.com/openclaw/openclaw/actions/runs/26542255231.
  Observed result after fix: local focused provider-auth, type, lint, generated artifact, protocol, and autoreview checks passed; PR required checks are green.
  What was not tested: a live provider-auth prewarm repro session under an actual clanker workload in this turn.