perf(secrets): propagate snapshots and eliminate esm side-effects in auth env vars

[medns]

Summary

What problem does this PR solve?

• This PR resolves a performance bottleneck where the multi-channel AI gateway unnecessarily scans the disk for plugin manifests, causing higher latency during startup, model-auth, and environment loading paths.
• It eliminates a top-level ESM side-effect in model-auth-env-vars.ts which executed a full candidate resolution on import.
• It eliminates config object degradation (collapsing config to {} on default fallback) which caused cache fingerprint mismatches and cache bypass.
• It propagates metadata snapshots to alias map resolutions to prevent duplicate cold load operations.

Why does this matter now?

• Cold startup and tool selection are critical hot paths in the OpenClaw gateway; avoiding redundant file system operations directly translates to better scalability and zero unnecessary disk overhead during Gateway startup and client connection.

What is the intended outcome?

• Fast, pure memory-based resolutions when snapshots are available.
• Zero ESM import side-effects.
• Complete type-safety and robust test assertions.

What is intentionally out of scope?

• Optimization of the actual disk-scan algorithm or other parts of the plugins loaders (PR 1 and PR 2 address other cache aspects).

What does success look like?

• All tests pass, tsgo compilation succeeds with no type errors, and resolving credentials requires only 1 snapshot load instead of 2.

What should reviewers focus on?

• Verification of snapshot passing into resolveProviderAuthAliasMap inside src/secrets/provider-env-vars.ts.

• Absence of PROVIDER_ENV_API_KEY_CANDIDATES in non-test production code.

• Mark as AI-assisted in the PR description

Linked context

Which issue does this close?

Closes #

Which issues, PRs, or discussions are related?

Related #

Was this requested by a maintainer or owner?

Yes, requested as part of the performance part 2 proposal.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Eliminate ESM top-level autostart and propagate metadata snapshots to resolveProviderAuthAliasMap within provider-env-vars.ts, avoiding duplicate snapshot loading and preventing snapshot fingerprint mismatch.
• Real environment tested: Win32 10.0.26200, PowerShell / Bash, Node 22.19.0
• Exact steps or command run after this patch: Run following code

import { performance } from "node:perf_hooks";
import { setCurrentPluginMetadataSnapshot } from "../src/plugins/current-plugin-metadata-snapshot.js";
import type { PluginMetadataSnapshot } from "../src/plugins/plugin-metadata-snapshot.types.js";

const dummySnapshot = {
  policyHash: "dummy-policy-hash",
  index: { plugins: [] },
  registryDiagnostics: [],
  manifestRegistry: { plugins: [] },
  plugins: [
    {
      id: "plugin-a",
      origin: "global",
      providerAuthEnvVars: {
        provider1: ["PROVIDER_1_API_KEY"],
      },
      providerAuthAliases: {
        "alias-1": "provider1",
      },
    },
  ],
  diagnostics: [],
  byPluginId: new Map(),
  normalizePluginId: (id: string) => id,
  owners: {
    channels: new Map(),
    channelConfigs: new Map(),
    providers: new Map(),
    modelCatalogProviders: new Map(),
    cliBackends: new Map(),
    setupProviders: new Map(),
    commandAliases: new Map(),
    contracts: new Map(),
  },
  metrics: {
    registrySnapshotMs: 0,
    manifestRegistryMs: 0,
    ownerMapsMs: 0,
    totalMs: 0,
    indexPluginCount: 1,
    manifestPluginCount: 1,
  },
} as unknown as PluginMetadataSnapshot;

async function run() {
  console.log("=== OpenClaw Performance Benchmark (Auth Env & Secrets) ===");

  setCurrentPluginMetadataSnapshot(dummySnapshot, {
    config: {},
  });

  const module = await import("../src/agents/model-auth-env-vars.js");

  for (let i = 0; i < 1000; i++) {
    module.resolveProviderEnvApiKeyCandidates();
  }

  const start = performance.now();
  for (let i = 0; i < 10000; i++) {
    module.resolveProviderEnvApiKeyCandidates();
  }
  const elapsed = performance.now() - start;

  console.log(`10,000 iterations of resolveProviderEnvApiKeyCandidates() took: ${elapsed.toFixed(3)} ms`);
  console.log(`Average latency per resolution: ${(elapsed / 10000).toFixed(6)} ms`);
  console.log("========================================================\n");
}

run().catch(console.error);

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): We ran a performance micro-benchmark measuring snapshot resolution times before and after this patch using an active dummy snapshot to evaluate in-memory propagation.

  • Before the Patch (With snapshot cache bypass / duplicate load)

  === OpenClaw Performance Benchmark (Auth Env & Secrets) ===
  10,000 iterations of resolveProviderEnvApiKeyCandidates() took: 9037.665 ms
  Average latency per resolution: 0.903767 ms
  ========================================================
  

  • After the Patch (With warm snapshot propagation)

  === OpenClaw Performance Benchmark (Auth Env & Secrets) ===
  10,000 iterations of resolveProviderEnvApiKeyCandidates() took: 4508.109 ms
  Average latency per resolution: 0.450811 ms
  ========================================================
  

• Observed result after fix:

  • Resolving env-var candidates on a warm snapshot is exactly twice as fast (latency cut by 50% from 0.90ms to 0.45ms), completely bypassing the duplicate snapshot lookup in provider alias mapping.
  • The newly introduced test verifying default snapshot isolation passes perfectly. All 17 tests in provider-env-vars.dynamic.test.ts are green.

• What was not tested: Integration of actual cloud providers on a live staging server (which is out of scope for pure static metadata snapshot propagation checks).

• Proof limitations or environment constraints: Tested locally on Windows host.

Tests and validation

Which commands did you run?

• pnpm exec vitest run --config test/vitest/vitest.secrets.config.ts src/secrets/provider-env-vars.dynamic.test.ts
• pnpm exec vitest run --config test/vitest/vitest.agents.config.ts src/agents/model-auth.profiles.test.ts
• pnpm check:test-types

What regression coverage was added or updated?

• Added only loads plugin metadata snapshot once when resolving env var candidates, avoiding duplicate snapshot loads in provider-env-vars.dynamic.test.ts.
• Added does not reuse a load-path current snapshot for default provider env lookups without parameters in provider-env-vars.dynamic.test.ts to enforce default snapshot isolation and prevent fingerprint mismatches.

What failed before this fix, if known?

• Not a functional failure, but a performance bottleneck where loading provider credentials would cause a redundant duplicate scan of plugin metadata on disk due to missing snapshot propagation in auth alias resolution, and loading model-auth-env-vars module always triggered an early disk scan.

Risk checklist

Did user-visible behavior change? (No)

Did config, environment, or migration behavior change? (No)

Did security, auth, secrets, network, or tool execution behavior change? (Yes)

• Yes, credential resolution became faster by reusing already resolved in-memory snapshot contexts instead of cold loading them again.

What is the highest-risk area?

• Type soundness of optional config references and optional chain usages.

How is that risk mitigated?

• Fully checked by tsgo compiler across all core and extension packages, and fully covered by extensive existing auth unit tests.

Current review state

What is the next action?

• Waiting for maintainer review.

What is still waiting on author, maintainer, CI, or external proof?

• None.

Which bot or reviewer comments were addressed?

• None.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 3:17 AM ET / 07:17 UTC.

Summary
The PR rewires provider auth env-var discovery to reuse combined snapshot-backed alias, env-candidate, and auth-evidence lookup maps, removes the eager PROVIDER_ENV_API_KEY_CANDIDATES export, and updates related auth/provider tests and mocks.

PR surface: Source +61, Tests +230. Total +291 across 26 files.

Reproducibility: not applicable. as a user bug reproduction: this is an internal performance/auth hot-path cleanup. The PR body supplies a Windows Node 22.19 micro-benchmark plus focused auth/provider tests for the changed lookup path.

Review metrics: 1 noteworthy metric.

• Exact-head check state: 76 success, 1 in progress, 1 neutral, 1 cancelled automation, 21 skipped. The remaining in-progress build-artifacts check should finish before maintainers treat the head as merge-ready.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Get auth/provider maintainer sign-off on config/env/workspace/plugin-trust context separation.
• Wait for exact-head build-artifacts to finish and rerun or explain it if it fails.

Risk before merge

• Provider credential discovery now depends on alias, env-var candidate, and auth evidence maps sharing one metadata snapshot; a missed config, env, workspace, or plugin-trust boundary could hide or mis-associate auth hints.
• Exact-head CI was not fully settled at review time because build-artifacts was still in progress.

Maintainer options:

1. Review and land after finished build (recommended)
   Have an auth/provider reviewer confirm config, env, workspace, and plugin-trust context separation, then merge once exact-head build-artifacts finishes cleanly or is explained.
2. Patch boundary issues if found
   If review finds mixed snapshot context or plugin trust behavior, repair the combined resolver and add focused tests before merge.

Next step before merge
No concrete changed-line repair is identified; maintainers should review the auth-provider snapshot boundary and exact-head build result.

Security
Cleared: The diff changes credential lookup plumbing but adds no dependency, workflow, script, secret logging, or new external secret sink.

Review details

Best possible solution:

Land this after an auth/provider reviewer confirms the snapshot-context boundaries and the exact-head build check completes cleanly or is explicitly explained.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a user bug reproduction: this is an internal performance/auth hot-path cleanup. The PR body supplies a Windows Node 22.19 micro-benchmark plus focused auth/provider tests for the changed lookup path.

Is this the best way to solve the issue?

Mostly yes: the combined lookup-map resolver is the narrow maintainable direction for removing duplicate metadata snapshot loads. It still needs auth/provider maintainer review because credential discovery context separation is compatibility-sensitive.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f327df866cb0.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied before/after Windows Node 22.19 benchmark output and focused auth/provider test results for the changed snapshot lookup path.

Label justifications:

• P2: This is a normal-priority internal auth/provider performance cleanup with limited direct user-visible blast radius.
• merge-risk: 🚨 auth-provider: The PR changes credential discovery by sharing provider auth alias, env-var candidate, and auth evidence lookup through one plugin metadata snapshot.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes copied before/after Windows Node 22.19 benchmark output and focused auth/provider test results for the changed snapshot lookup path.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied before/after Windows Node 22.19 benchmark output and focused auth/provider test results for the changed snapshot lookup path.

Evidence reviewed

PR surface:

Source +61, Tests +230. Total +291 across 26 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	9	133	72	+61
Tests	17	269	39	+230
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	26	402	111	+291

What I checked:

• Root policy read: Read the full root AGENTS.md and scoped src/agents, src/plugins, and test/helpers AGENTS.md; auth/provider compatibility, plugin metadata hot-path, and benchmark guidance shaped the review. (AGENTS.md:22, f327df866cb0)
• Current main still has eager import work: Current main exports PROVIDER_ENV_API_KEY_CANDIDATES by calling resolveProviderEnvApiKeyCandidates() at module load, so the PR is not obsolete. (src/agents/model-auth-env-vars.ts:39, f327df866cb0)
• PR removes the eager export and adds a lazy combined facade: At PR head, model-auth-env-vars.ts exports resolveProviderEnvAuthLookupMaps() and no longer contains a production PROVIDER_ENV_API_KEY_CANDIDATES export. (src/agents/model-auth-env-vars.ts:25, a4edf29bbc3b)
• PR centralizes snapshot-backed lookup maps: resolveProviderAuthLookupMaps() resolves one metadata snapshot, passes it into alias resolution, and derives env candidate and auth evidence maps from that same snapshot. (src/secrets/provider-env-vars.ts:278, a4edf29bbc3b)
• Runtime auth lookup consumes the combined maps: resolveEnvApiKey() now resolves the combined lookup maps when any supplied map is missing, then normalizes provider aliases against those maps. (src/agents/model-auth-env.ts:100, a4edf29bbc3b)
• Focused regression coverage added: The PR adds coverage for one metadata snapshot load, combined alias/env/evidence lookup maps, and default-context isolation for parameterless provider env lookups. (src/secrets/provider-env-vars.dynamic.test.ts:624, a4edf29bbc3b)

Likely related people:

• steipete: Provider auth alias support was introduced in central auth/env files by Peter Steinberger, and the live PR is assigned to steipete for review. (role: feature owner and assigned reviewer; confidence: high; commits: 9e4f478f866c, 009b18c1f4ad, 77d9ac30bb8d; files: src/agents/provider-auth-aliases.ts, src/secrets/provider-env-vars.ts, src/agents/model-auth.ts)
• shakkernerd: Recent commits by Shakker centralize provider auth evidence and reuse metadata for auth lookups in the same provider env/auth alias paths. (role: recent area contributor; confidence: medium; commits: 6662dcf20992, 98e4c18e390d, fb49bcaf217b; files: src/secrets/provider-env-vars.ts, src/agents/provider-auth-aliases.ts)
• joshavant: Recent work reused plugin metadata snapshots and hardened SecretRef-safe model auth persistence adjacent to this credential resolution path. (role: adjacent owner; confidence: medium; commits: f29bcff4dad0, 8e20dd22d890; files: src/plugins/current-plugin-metadata-snapshot.ts, src/secrets/provider-env-vars.ts, src/agents/model-auth.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Copilot]

Pull request overview

This PR removes an import-time ESM side effect in model-auth env var helpers and improves performance of provider auth env-var/evidence resolution by reusing already-loaded plugin metadata snapshots (avoiding redundant snapshot loads and config-fingerprint cache bypass).

Changes:

• Propagate metadataSnapshot into resolveProviderAuthAliasMap() when resolving provider env-var candidates/evidence to prevent duplicate snapshot loads.
• Avoid collapsing params.config to {} in snapshot/alias resolution hot paths (while still passing {} only at the final loadPluginMetadataSnapshot() fallback boundary).
• Remove PROVIDER_ENV_API_KEY_CANDIDATES export to eliminate top-level ESM execution, and update related tests/mocks.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/secrets/provider-env-vars.ts	Reuses a single metadata snapshot across env-var candidate/evidence + alias resolution; avoids eager {} config fallback except for load fallback.
src/secrets/provider-env-vars.dynamic.test.ts	Adds regression test asserting only one metadata snapshot load occurs during env-var candidate + alias resolution.
src/agents/provider-auth-aliases.ts	Avoids {} config fallback and passes {} only when actually loading a snapshot; supports snapshot reuse via metadataSnapshot.
src/agents/model-auth-env-vars.ts	Removes top-level PROVIDER_ENV_API_KEY_CANDIDATES export to eliminate ESM import side effects.
src/agents/models-config.uses-first-github-copilot-profile-env-tokens.test.ts	Updates mocks to reflect removed PROVIDER_ENV_API_KEY_CANDIDATES export.
src/agents/models-config.runtime-source-snapshot.test.ts	Updates mocks to reflect removed PROVIDER_ENV_API_KEY_CANDIDATES export.
src/agents/models-config.providers.nvidia.test.ts	Updates mocks to reflect removed PROVIDER_ENV_API_KEY_CANDIDATES export.
src/agents/models-config.providers.moonshot.test.ts	Updates mocks to reflect removed PROVIDER_ENV_API_KEY_CANDIDATES export.
src/agents/model-auth.profiles.test.ts	Updates mocks to reflect removed PROVIDER_ENV_API_KEY_CANDIDATES export.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Velvet Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: finds missing screenshots.
Image traits: location workflow harbor; accessory tiny test log scroll; palette seafoam, black, and opal; mood sparkly; pose sitting proudly on a smooth stone; shell polished stone shell; lighting calm overcast light; background subtle branch markers.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[medns]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26399309460
• Updated: 2026-05-25T12:10:38.909Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26494484040
• Updated: 2026-05-27T06:27:38.924Z

[steipete]

Behavior addressed: provider auth env lookup now resolves alias, env candidate, and auth evidence maps from one plugin metadata snapshot and reuses those maps in auth/model-list/pi callers while preserving core/env/evidence lookup semantics.

Real environment tested: local macOS checkout plus Blacksmith Testbox and GitHub CI.

Exact steps or command run after this patch:

• node scripts/run-vitest.mjs src/infra/provider-usage.auth.plugin.test.ts src/cli/capability-cli.test.ts src/secrets/provider-env-vars.dynamic.test.ts src/agents/provider-auth-aliases.test.ts src/agents/model-auth-env.provider-aliases.test.ts src/commands/models/list.auth-index.test.ts src/commands/models/list.status.test.ts src/agents/model-auth.profiles.test.ts src/agents/models-config.providers.moonshot.test.ts src/agents/models-config.providers.nvidia.test.ts src/agents/models-config.runtime-source-snapshot.test.ts src/agents/models-config.uses-first-github-copilot-profile-env-tokens.test.ts src/agents/pi-model-discovery.auth.test.ts
• pnpm lint --threads=8
• git diff --check origin/main..HEAD
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main --no-web-search --stream-engine-output
• pnpm check:changed via Blacksmith Testbox tbx_01ksm41986t26wp45sqw9a5j0k, GitHub Actions run https://github.com/openclaw/openclaw/actions/runs/26496286889
• PR CI on head a4edf29bbc3b81f367a845d1266c85cf2e5aef07, run https://github.com/openclaw/openclaw/actions/runs/26496487529

Evidence after fix: focused tests passed 21 files / 322 tests; lint and diff check passed; autoreview had no accepted/actionable findings; Testbox check:changed passed with lanes core, coreTests, and tooling; PR CI has 0 failing/error/cancelled checks. build-artifacts initially hit an unrelated fixture npm cache/tar read failure in scripts/openclaw-e2e-instance.test.ts, then passed on rerun job 78026375055.

Observed result after fix: lookup maps reuse one metadata snapshot, full mocks include the new export, the previous missing mock CI failure is gone, and the merge-ref lint issue from stale base is gone after rebasing onto current origin/main.

What was not tested: live provider credentials or live model calls.