fix(agents): skip wildcard catalog metadata refs

[giodl73-repo]

Summary

Skips wildcard default model allowlist entries while building concrete model catalog metadata and configured models list rows.

Entries such as openai-codex/* are valid allowlist selectors, but they are not concrete model ids and do not have per-model alias metadata to resolve or display as configured rows. The catalog metadata builder and configured list resolver now ignore those wildcard keys instead of sending them through concrete model normalization.

Split out from #85817 so the policy-scoping PR remains policy-only.

Verification

• node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
• ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• git diff --check refs/remotes/upstream-safe/main...HEAD
• git diff --check

Signed head: 01fbfe3ae08446dec418d14af119872a2cea1a23.

Real behavior proof

Behavior addressed: wildcard default model allowlist entries are treated as selectors, not concrete catalog model ids or configured model rows.

Real environment tested: WSL Ubuntu 24.04 checkout under /root/src/openclaw-86524, with a temp OpenClaw home at /tmp/openclaw-86524-proof.

Exact steps or command run after this patch: OPENCLAW_HOME=/tmp/openclaw-86524-proof OPENCLAW_DISABLE_AUTO_UPDATE=1 OPENCLAW_DISABLE_BUNDLED_PLUGINS=1 OPENCLAW_TEST_FAST=1 node --import tsx src/entry.ts models list --json

Evidence after fix: the temp config set agents.defaults.model to openai/gpt-5.5 and included both agents.defaults.models["openai-codex/*"] = {} and agents.defaults.models["openai/gpt-5.5"].alias = "Primary".

Observed result after fix: the redacted JSON summary was { "modelCount": 1, "keys": ["openai/gpt-5.5"], "wildcardRows": [], "configuredRows": [{ "key": "openai/gpt-5.5", "tags": ["default", "configured", "alias:Primary"], "aliases": [] }] }.

What was not tested: live provider catalog discovery with external provider credentials.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 9:06 PM ET / 01:06 UTC.

Summary
The PR skips agents.defaults.models keys ending in /* while building model catalog alias metadata and configured models list rows, with a focused regression test.

PR surface: Source +6, Tests +19. Total +25 across 3 files.

Reproducibility: yes. Source inspection shows current main treats every default model key as a configured row and alias metadata key while the visibility parser already classifies provider/* separately; the PR body gives a concrete after-fix CLI proof path.

Review metrics: 1 noteworthy metric.

• Wildcard default selectors: 1 existing selector form changes display handling in 2 model-list paths. agents.defaults.models["provider/*"] is compatibility-sensitive because existing configs may notice different configured-row or alias metadata output after merge.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• Merging changes user-visible models list and catalog metadata behavior for existing configs that use wildcard default model selectors; maintainers should confirm that selector-only behavior is intended before landing.

Maintainer options:

1. Confirm selector-only semantics (recommended)
   Have the model/config owner confirm that wildcard defaults are selectors only, then merge the focused fix with the existing proof.
2. Document wildcard display semantics first
   If wildcard rows need a user-visible representation, update the docs and tests before changing configured-list output.
3. Pause if wildcard aliases are intentional
   If aliases or rows on wildcard keys are meant to work, pause this PR and replace it with a design for provider-wide display metadata.

Next step before merge
No automated repair is needed; the remaining action is maintainer review because the protected label and compatibility-visible model config output change need a human land decision.

Security
Cleared: The diff only changes TypeScript model-list logic and a focused test; it does not touch dependencies, scripts, workflows, secrets, or code-download paths.

Review details

Best possible solution:

Land the focused skip if maintainers agree wildcard allowlist selectors should stay selection-only and not appear as concrete configured rows; otherwise define explicit wildcard display semantics before merging.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main treats every default model key as a configured row and alias metadata key while the visibility parser already classifies provider/* separately; the PR body gives a concrete after-fix CLI proof path.

Is this the best way to solve the issue?

Yes. The patch is the narrowest maintainable fix for the reported behavior because it leaves wildcard allowlist selection intact and only prevents wildcard selectors from being resolved as concrete display rows or alias metadata.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c9364f03dcbb.

Label changes

Label changes:

• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P2: This is a normal-priority focused bug fix for model catalog/configured-list output with limited blast radius.
• merge-risk: 🚨 compatibility: The PR changes how existing wildcard model default config entries appear in user-facing model list/catalog output.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix real CLI proof with a temp OpenClaw home and redacted JSON output showing no wildcard configured rows.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix real CLI proof with a temp OpenClaw home and redacted JSON output showing no wildcard configured rows.

Evidence reviewed

PR surface:

Source +6, Tests +19. Total +25 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	6	0	+6
Tests	1	19	0	+19
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	25	0	+25

What I checked:

• Repository policy applied: Root AGENTS.md and the scoped src/agents/AGENTS.md were read; the review applied the protected-label rule and the model config compatibility-risk guidance for config/default output behavior. (AGENTS.md:18, c9364f03dcbb)
• Current wildcard contract: Current main already classifies agents.defaults.models entries ending in /* as provider wildcards instead of exact model refs, which supports treating them as selectors. (src/agents/model-selection-shared.ts:1223, c9364f03dcbb)
• Current configured-row gap: Current main's configured-row resolver iterates every agents.defaults.models key and resolves it into a configured entry without skipping wildcard selector keys. (src/commands/models/list.configured.ts:75, c9364f03dcbb)
• PR implementation: The PR head adds a wildcard-selector guard before resolving configured models list rows and before resolving alias metadata keys for model catalog entries. (src/commands/models/list.configured.ts:76, 01fbfe3ae084)
• Regression coverage: The new test configures openai-codex/* alongside openai/gpt-5.5 and expects only the concrete model row with the configured alias. (src/commands/models/list.configured.test.ts:77, 01fbfe3ae084)
• Docs contract: Gateway docs describe provider/* entries as provider-scoped discovery for the allowed/configured catalog, not as a concrete model id row. Public docs: docs/gateway/protocol.md. (docs/gateway/protocol.md:617, c9364f03dcbb)

Likely related people:

• steipete: Peter Steinberger authored the shared model selection helper and allowlist parsing refactors that underpin this model visibility/config path. (role: feature-history owner; confidence: high; commits: 310d2db31241, 3eed32108187, dfc18b7a2b; files: src/agents/model-selection-shared.ts, src/commands/models/list.configured.ts)
• UB: Current-main blame attributes the visible catalog metadata, wildcard parsing, and configured-row resolver bodies in this checkout to commit 48adcb1. (role: current-main snapshot introducer; confidence: medium; commits: 48adcb162c92; files: src/agents/model-selection-shared.ts, src/commands/models/list.configured.ts)
• Deepflame: Deepflame recently changed the same model manifest/catalog context area in src/agents/model-selection-shared.ts on main. (role: recent area contributor; confidence: medium; commits: ea2496b00c5c; files: src/agents/model-selection-shared.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Clockwork Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sparkles near resolved comments.
Image traits: location release reef; accessory lint brush; palette sunrise gold and clean white; mood sparkly; pose stepping out of a freshly hatched shell; shell woven fiber shell; lighting gentle morning glow; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Clockwork Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[giodl73-repo]

@clawsweeper re-review

Follow-up for the proof gap:

• New head: b4601c09d5f
• Added a matching models list configured-row guard so agents.defaults.models["provider/*"] is treated only as a selector, not as a concrete configured model row.
• Added focused regression coverage in src/commands/models/list.configured.test.ts.
• Focused WSL validation passed:
  • node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
  • ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • git diff --check
• Real CLI proof with temp OpenClaw home and config containing openai-codex/* plus openai/gpt-5.5 produced one model row, openai/gpt-5.5, and wildcardRows: [].

I updated the PR body with the exact proof command and redacted JSON summary.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26410441383
• Updated: 2026-05-25T16:43:18.868Z

[giodl73-repo]

@clawsweeper re-review

Current-head refresh for #86524:

• Rebases giodl73-repo:fix-agent-model-catalog-wildcard onto current upstream main; new head cf53b81717aa991676f03d70df59bf6e08e7af46.
• Focused WSL validation passed:
  • node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
  • ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • git diff --check refs/remotes/upstream-safe/main...HEAD
• The refreshed commits are SSH-signed with the giodl73 key.
• The PR body still includes the real models list --json proof showing wildcard selector rows are omitted.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26411608742
• Updated: 2026-05-25T17:16:36.935Z

[giodl73-repo]

@clawsweeper re-review

Current-head refresh for #86524:

• Rebases giodl73-repo:fix-agent-model-catalog-wildcard onto current upstream main; new head a90eb0e25486c553b215b8ce1868789210c414e1.
• Focused WSL validation passed after rebase:
  • node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
  • ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • git diff --check refs/remotes/upstream-safe/main...HEAD
• The PR body still includes the real models list --json proof showing wildcard selector rows are omitted.
• The refreshed commits are SSH-signed with the giodl73 key.

No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26414023403
• Updated: 2026-05-25T18:27:20.288Z

[giodl73-repo]

@clawsweeper re-review

Refreshed onto upstream main e844d1d6e56b31fa574b4c2970fdd6e59a9f2e83, which includes the upstream cron-service CI fix. New signed head is 8ac970726a0.

Focused validation after rebase passed:

• node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed

No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26415676893
• Updated: 2026-05-25T19:13:09.968Z

[giodl73-repo]

@clawsweeper re-review

Resolved the current main conflict on #86524 and refreshed the branch.

• Rebased giodl73-repo:fix-agent-model-catalog-wildcard onto upstream main fe14bcecee0.
• New signed head: da4b21618bc0c702d91326a18a3a35d826b2f821.
• Conflict resolution in src/agents/model-selection-shared.ts preserves upstream's alias-only metadata optimization and adds the wildcard selector skip before resolving concrete keys.
• Focused WSL validation passed:
  • node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
  • ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
  • git diff --check refs/remotes/upstream-safe/main...HEAD

No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26417874996
• Updated: 2026-05-25T20:17:38.194Z

[giodl73-repo]

@clawsweeper re-review

Refreshed #86524 onto current upstream main; new signed head is d428da795ef00c28012e6a65cba4ef34704a5416.

Focused validation after the refresh passed:

• node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
• ./node_modules/.bin/oxfmt --check ...
• ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json ...
• git diff --check refs/remotes/upstream-safe/main...HEAD and git diff --check

The existing real models list --json proof remains in the PR body. No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26424288218
• Updated: 2026-05-25T23:53:45.022Z

[giodl73-repo]

@clawsweeper re-review

Refreshed #86524 onto current upstream main; new signed head is 98c8c88a241dddc98f936ff8d2b6448275cec3d6.

Focused WSL validation after the refresh passed:

• node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
• ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• git diff --check refs/remotes/upstream-safe/main...HEAD
• git diff --check

The existing models list --json proof remains in the PR body. No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26425765475
• Updated: 2026-05-26T00:49:40.574Z

[giodl73-repo]

@clawsweeper re-review

Refreshed #86524 onto current upstream main; new signed head is 01fbfe3ae08446dec418d14af119872a2cea1a23.

Focused WSL validation after the refresh passed:

• node scripts/run-vitest.mjs src/commands/models/list.configured.test.ts src/agents/model-catalog-visibility.test.ts --reporter=dot -> 3 files, 9 tests passed
• ./node_modules/.bin/oxfmt --check src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• ./node_modules/.bin/oxlint --tsconfig config/tsconfig/oxlint.core.json src/commands/models/list.configured.ts src/commands/models/list.configured.test.ts src/agents/model-selection-shared.ts src/agents/model-catalog-visibility.test.ts
• git diff --check refs/remotes/upstream-safe/main...HEAD
• git diff --check

The existing models list --json proof remains in the PR body. No merge performed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26426339227
• Updated: 2026-05-26T01:10:42.303Z