feat: add OpenRouter OAuth to onboarding

[Patrick-Erichsen]

Summary

• Cherry-pick [codex] Add OpenRouter OAuth login #91031 to add provider-owned OpenRouter PKCE OAuth login while preserving @kenrogers' authorship.
• Feature OpenRouter in the top-level CLI model/auth provider picker so onboarding shows it alongside OpenAI, Anthropic, xAI, and Google.
• Keep OAuth mechanics owned by the OpenRouter provider metadata/runtime path instead of adding provider-specific onboarding code in core.

Verification

• node scripts/run-vitest.mjs extensions/openrouter/oauth.test.ts extensions/openrouter/index.test.ts extensions/openrouter/onboard.test.ts extensions/openrouter/provider-runtime.contract.test.ts src/plugins/contracts/providers.contract.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/auth-choice.test.ts src/commands/models/auth.test.ts src/commands/auth-choice-options.test.ts
• git diff --check origin/main..HEAD
• pnpm exec oxfmt --check src/commands/auth-choice-options.ts src/commands/auth-choice-options.test.ts extensions/openrouter/index.test.ts extensions/openrouter/oauth.ts extensions/openrouter/provider-contract-api.ts extensions/openrouter/openclaw.plugin.json
• pnpm docs:list
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Real behavior proof

Behavior addressed: OpenRouter appears as a first-class top-level choice in the CLI model/auth provider picker, and selecting it shows the expected setup hint.

Real environment tested: Local OpenClaw checkout on macOS with an isolated temporary OpenClaw home/config path.

Exact steps or command run after this patch:

tmp=$(mktemp -d /tmp/openclaw-openrouter-onboarding-proof.XXXXXX)
env OPENCLAW_HOME="$tmp" \
  OPENCLAW_STATE_DIR="$tmp/state" \
  OPENCLAW_CONFIG_PATH="$tmp/openclaw.json" \
  pnpm openclaw configure --section model

Evidence after fix:

OpenClaw configure
Model/auth provider
● OpenAI (ChatGPT/Codex sign-in or API key)
○ Anthropic
○ xAI (Grok)
○ Google
○ OpenRouter
○ More…
○ Skip for now

Selected-row hint proof:

Model/auth provider
○ Google
● OpenRouter (OAuth or API key)
○ More…
○ Skip for now

Observed result after fix: OpenRouter is visible in the top-level provider list and carries the OAuth or API key help text from provider-owned auth metadata.

What was not tested: This PR did not run a fresh live OpenRouter browser consent flow. The cherry-picked OAuth PR includes redacted live proof of browser authorization, callback exchange, stored openrouter:default, and a model call with OPENROUTER_API_KEY unset.

Refs #91031.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 12:54 AM ET / 04:54 UTC.

Summary
The PR adds OpenRouter PKCE OAuth login, registers it in OpenRouter provider auth metadata and docs, and features OpenRouter in the top-level CLI model/auth provider picker.

PR surface: Source +459, Tests +350, Docs +41. Total +850 across 10 files.

Reproducibility: not applicable. this is a feature PR, not a bug report. The relevant behavior check is after-fix proof showing OpenRouter in the CLI picker plus predecessor live OAuth proof for the cherry-picked runtime commit.

Review metrics: 1 noteworthy metric.

• Provider auth surfaces: 1 OAuth method added; 1 featured auth choice added. This changes the user-facing auth/provider picker and profile-writing behavior, so maintainers should review it as an auth surface change rather than ordinary docs polish.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] Merging ships a new auth-provider path that exchanges a browser OAuth callback for API-key material and writes openrouter:default; the discussion explicitly accepts this auth-provider risk, but it still needs maintainer landing judgment.
• [P1] The current branch provides fresh terminal proof for the top-level picker, while the full live browser consent and model-call proof comes from the cherry-picked predecessor branch rather than a fresh run on this exact head.

Maintainer options:

1. Land With Accepted Auth Risk (recommended)
   Maintain the current provider-owned implementation and land it only after the protected auth-provider review accepts the new OAuth-to-API-key storage path.
2. Request Fresh Live OAuth Proof
   If maintainers want branch-local proof instead of relying on the predecessor live run, ask for a fresh redacted OpenRouter browser consent, callback exchange, profile status, and model-call transcript on this head.
3. Pause In Favor Of The Predecessor
   If attribution plus picker follow-up is no longer the desired landing path, pause this PR and make the predecessor branch or a maintainer-owned replacement the canonical target.

Next step before merge

• No automated repair is indicated; the remaining action is maintainer review and landing of a protected auth-provider PR with accepted merge risk.

Security
Cleared: The diff is security-sensitive because it adds OAuth callback and credential storage behavior, but I found no concrete supply-chain or credential-handling defect in the reviewed patch.

Review details

Best possible solution:

Land this canonical attributed branch after maintainer auth-provider review, then close the predecessor branch as superseded by this one.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR, not a bug report. The relevant behavior check is after-fix proof showing OpenRouter in the CLI picker plus predecessor live OAuth proof for the cherry-picked runtime commit.

Is this the best way to solve the issue?

Yes, with maintainer review: the implementation keeps OpenRouter-specific OAuth mechanics inside the OpenRouter plugin and uses existing provider auth metadata for the core picker. The safer alternative would only be to require fresh live OAuth proof on this exact branch before landing.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b4cdd9211957.

Label changes

Label justifications:

• P2: This is a normal-priority provider onboarding feature with limited scope, but it is auth-sensitive and user-facing.
• merge-risk: 🚨 auth-provider: The PR adds a new OpenRouter OAuth flow that exchanges callback codes for API-key credentials and changes provider auth/profile behavior.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body and comment include branch-local terminal proof for the CLI picker, and the linked cherry-picked predecessor includes redacted live terminal proof of browser OAuth completion, stored profile use, and an OpenRouter model call.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body and comment include branch-local terminal proof for the CLI picker, and the linked cherry-picked predecessor includes redacted live terminal proof of browser OAuth completion, stored profile use, and an OpenRouter model call.

Evidence reviewed

PR surface:

Source +459, Tests +350, Docs +41. Total +850 across 10 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	462	3	+459
Tests	3	350	0	+350
Docs	2	61	20	+41
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	10	873	23	+850

What I checked:

• Current main lacks OpenRouter OAuth: Current main's OpenRouter manifest has only the openrouter-api-key provider auth choice, so the requested OAuth onboarding is not already implemented on main. (extensions/openrouter/openclaw.plugin.json:46, b4cdd9211957)
• Latest release lacks OpenRouter OAuth: The latest release tag v2026.6.5 shows the same API-key-only OpenRouter auth choice, so this is not already shipped. (extensions/openrouter/openclaw.plugin.json:46, 5181e4f7c82b)
• PR adds the manifest auth choice: The PR adds a second OpenRouter provider auth choice with method oauth, choice id openrouter-oauth, and onboardingFeatured: true. (extensions/openrouter/openclaw.plugin.json:61, dfa22c0a73e7)
• PR adds provider-owned OAuth runtime: The new OpenRouter OAuth runtime builds the OpenRouter auth URL, validates callback state, exchanges the code at the OpenRouter auth-keys endpoint, and returns an openrouter:default API-key profile plus OpenRouter config defaults. (extensions/openrouter/oauth.ts:162, dfa22c0a73e7)
• Picker behavior is covered by branch tests: The PR updates the grouped auth-choice test to include OpenRouter in the featured top-level provider order after Google. (src/commands/auth-choice-options.test.ts:513, dfa22c0a73e7)
• Dependency contract checked: OpenRouter's OAuth PKCE guide documents sending users to /auth with callback_url, code_challenge, and code_challenge_method=S256, then exchanging the returned code at /api/v1/auth/keys; the PR follows that shape. (openrouter.ai)

Likely related people:

• Peter Steinberger: Introduced the provider onboarding auth metadata manifest path that this PR extends, and has broad prior ownership across provider/plugin auth configuration. (role: feature-history owner; confidence: medium; commits: ae60094fb556, 4a0f72866b4d; files: src/plugins/provider-auth-choices.ts, src/flows/provider-flow.ts, extensions/openrouter/openclaw.plugin.json)
• Vincent Koc: Recent OpenRouter provider fixes and provider-family refactors make this person a good routing candidate for OpenRouter runtime behavior. (role: recent OpenRouter contributor; confidence: medium; commits: 791dbf4f9dde, b56517b0eede; files: extensions/openrouter/index.ts, extensions/openrouter/openclaw.plugin.json, docs/providers/openrouter.md)
• Dallin Romney: Most recent blame on the OpenRouter provider entry and auth-choice ordering surface comes from a runtime-plugin prewarm refactor that moved the touched files on current main. (role: recent adjacent contributor; confidence: medium; commits: 8b84e951e5a6; files: extensions/openrouter/index.ts, src/commands/auth-choice-options.ts)
• Pavan Kumar Gondhi: Recently fixed provider auth-choice resolution and trust boundaries, which are directly adjacent to this PR's manifest auth choice changes. (role: adjacent provider-auth-choice contributor; confidence: medium; commits: 2d97eae53e21; files: src/plugins/provider-auth-choices.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Patrick-Erichsen]

Proof update before review loop:

• node scripts/run-vitest.mjs extensions/openrouter/oauth.test.ts extensions/openrouter/index.test.ts extensions/openrouter/onboard.test.ts extensions/openrouter/provider-runtime.contract.test.ts src/plugins/contracts/providers.contract.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/auth-choice.test.ts src/commands/models/auth.test.ts src/commands/auth-choice-options.test.ts — passed 4 shards / 166 tests locally after rebasing on current origin/main.
• git diff --check origin/main..HEAD — clean.
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main — clean, no accepted/actionable findings.

CLI prompt proof:

Model/auth provider
● OpenAI (ChatGPT/Codex sign-in or API key)
○ Anthropic
○ xAI (Grok)
○ Google
○ OpenRouter
○ More…
○ Skip for now

Selected-row hint proof:

Model/auth provider
○ Google
● OpenRouter (OAuth or API key)
○ More…
○ Skip for now

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27254143834
• Updated: 2026-06-10T05:21:21.379Z

[Patrick-Erichsen]

Maintainer decision: make this PR the canonical landing path for OpenRouter OAuth onboarding.

Rationale:

• This branch preserves @kenrogers' original OpenRouter OAuth commit from [codex] Add OpenRouter OAuth login #91031 by cherry-pick, retaining attribution.
• It adds the missing follow-up to feature OpenRouter in the top-level onboarding provider picker.
• Current-branch proof covers the picker behavior, and the predecessor PR supplies redacted live OAuth callback/exchange/profile/model-call proof for the cherry-picked implementation.

I accept the auth-provider merge-risk label for this landing path. After this PR lands, #91031 should be closed as superseded by the attributed cherry-pick here.

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27253521980
• Updated: 2026-06-10T04:45:25.883Z

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27253856189
• Updated: 2026-06-10T04:55:01.251Z