feat: add hosted model providers

[steipete]

Summary

• Add bundled GMI Cloud and NovitaAI OpenAI-compatible provider plugins with manifests, catalogs, docs, labels, and plugin reference pages.
• Add a first-class qwen-oauth provider for externally supplied Qwen Portal tokens, including portal payload compatibility, alias auth/catalog metadata, docs, and legacy OAuth doctor guidance.
• Add first-class ollama-cloud hosted provider support while preserving local Ollama behavior, plus docs and generated provider/plugin indexes.

Verification

• node -e "for (const f of ['extensions/gmi/openclaw.plugin.json','extensions/novita/openclaw.plugin.json','extensions/qwen/openclaw.plugin.json','extensions/ollama/openclaw.plugin.json']) JSON.parse(require('fs').readFileSync(f,'utf8')); console.log('json ok')"
• pnpm format:docs:check
• pnpm plugins:inventory:check
• pnpm deps:shrinkwrap:changed:check
• git diff --check
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json ...touched provider files...
• node scripts/run-tsgo.mjs -b extensions/gmi/tsconfig.json extensions/novita/tsconfig.json extensions/qwen/tsconfig.json extensions/ollama/tsconfig.json
• Direct TS probes for GMI/Novita/Qwen/Ollama provider registration, Qwen portal alias payload patching, Qwen portal auth fallback, and legacy Qwen Portal OAuth doctor hint.
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode local returned clean before the final test-only type-narrowing fix. Final autoreview accepted one remaining Qwen finding about the discontinued upstream free-tier OAuth path; this PR intentionally supports externally supplied Portal tokens for provider parity rather than an automated OAuth flow.

Real behavior proof

Behavior addressed: GMI, NovitaAI, Qwen OAuth/Portal-token, and Ollama Cloud provider routing are available through bundled provider/plugin surfaces.

Real environment tested: Local OpenClaw checkout plus Blacksmith Testbox for generated guards and typecheck lanes; browser session for provider-key acquisition attempts; Ollama Cloud live API.

Exact steps or command run after this patch: Stored a newly generated Ollama Cloud API key in the Molty 1Password service-account vault, then called https://ollama.com/api/tags with that key. Ran the local and Testbox commands listed above.

Evidence after fix: Ollama Cloud /api/tags returned 39 hosted models, including gpt-oss:120b, glm-4.7, qwen3-coder:480b, minimax-m2, and minimax-m2.7. Testbox pnpm check:changed reached all generated guards and then failed in unrelated all-typecheck files.

Observed result after fix: Provider manifests parse, generated plugin inventory and shrinkwrap are current, docs format is clean, touched provider type/lint probes pass, and autoreview has no accepted provider-implementation defects after the explicit Qwen scope decision.

What was not tested: Live GMI, NovitaAI, and Qwen Portal calls were not completed because no existing 1Password keys were found and the browser sessions were not authenticated/reachable for those providers. Broad Testbox pnpm check:changed is blocked by unrelated existing type errors in src/agents/bash-tools.exec-host-node.test.ts and extensions/codex-supervisor/src/plugin-tools.ts.

[github-actions]

Dependency Guard

This PR changes dependency-related files. Maintainers should confirm these changes are intentional.

Changed files:

• extensions/gmi/package.json
• extensions/novita/package.json
• pnpm-lock.yaml

Maintainer follow-up:

• Review whether the dependency changes are intentional.
• Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.
• Treat package-lock.json and npm-shrinkwrap.json diffs as security-review surfaces.
• Run pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json locally for detailed release-style evidence.

[github-actions]

Dependency graph change authorized

This PR includes dependency graph changes. A member of @openclaw/openclaw-secops authorized this exact head SHA with /allow-dependencies-change.

• Approved SHA: c9714b9fcaf94b86af28765923937fde04826b89
• Approved by: @steipete
• Reason: intentional new first-class provider plugin manifests for GMI and Novita, plus workspace lock updates; no external runtime dependency added

A later push changes the PR head SHA and requires a fresh security approval.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 30, 2026, 1:44 AM ET / 05:44 UTC.

Summary
This PR adds bundled GMI and Novita provider plugins, adds Qwen Portal-token provider support, adds an ollama-cloud provider id, and updates provider docs, plugin inventory, labels, manifests, tests, and dependency metadata.

PR surface: Source +1011, Tests +255, Docs +196, Config +68, Other -5. Total +1525 across 45 files.

Reproducibility: not applicable. this is a feature PR adding hosted provider surfaces, not a bug report with a current-main failure path.

Review metrics: 1 noteworthy metric.

• Provider auth surface: 10 provider ids/aliases added; 4 auth choices added. These additions affect onboarding, auth-profile routing, model refs, and upgrade behavior beyond ordinary implementation code.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted live terminal output or logs for GMI, NovitaAI, and Qwen Portal-token calls, or split out providers without live proof.
• Get security or maintainer authorization for dependency graph changes on the exact head SHA.
• Record the maintainer decision for restoring Qwen Portal-token support versus keeping the current removal/migration guidance.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR body gives live output for Ollama Cloud only and says GMI, NovitaAI, and Qwen Portal live calls were not completed; add redacted terminal logs or live output and update the PR body to trigger re-review.

Risk before merge

• [P1] Merging this PR intentionally reverses current Qwen Portal removal guidance by adding qwen-oauth, so maintainers need to approve the provider contract and migration story.
• [P1] The PR changes lockfiles and package manifests; the repository dependency graph guard says this requires security authorization for the exact head SHA or removal of the graph changes.
• [P1] The PR body provides live Ollama Cloud evidence, but explicitly says live GMI, NovitaAI, and Qwen Portal calls were not completed.

Maintainer options:

1. Authorize dependency graph changes (recommended)
   Security or maintainers should approve the exact head SHA for dependency graph changes, or the branch should remove those graph changes before merge.
2. Approve the Qwen Portal contract
   Maintainers can explicitly accept the restored Portal-token provider path and its docs/doctor migration behavior as a supported provider surface.
3. Split unproved providers
   If live proof or Qwen product approval remains unsettled, split the branch into provider-specific PRs so the proved hosted routes can proceed independently.

Next step before merge

• [P1] Protected-label handling, dependency security approval, and the Qwen Portal product decision require human maintainer review rather than an automated repair lane.

Security
Needs attention: The dependency graph changes are security-sensitive and are already blocked by the repository guard until the exact head SHA is authorized or the changes are removed.

Review details

Best possible solution:

Land only after maintainer approval for Qwen Portal-token support, security approval or removal of dependency graph changes, and sufficient live proof or a narrower split of unproven providers.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR adding hosted provider surfaces, not a bug report with a current-main failure path.

Is this the best way to solve the issue?

Unclear: the GMI/Novita and Ollama Cloud additions follow existing plugin patterns, but restoring Qwen Portal-token support conflicts with current removal docs and needs maintainer approval.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 344aff383bdc.

Label changes

Label changes:

• add P2: This is a broad but non-urgent provider feature PR with limited immediate user-impact evidence.
• add merge-risk: 🚨 compatibility: The PR changes documented provider availability, provider ids, setup choices, and doctor guidance that can affect upgrades and existing model refs.
• add merge-risk: 🚨 auth-provider: The patch adds and changes provider/auth routing for GMI, NovitaAI, Qwen Portal tokens, and Ollama Cloud.
• add merge-risk: 🚨 security-boundary: The PR changes dependency graph files and package manifests, which the repository treats as a security-review surface.
• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body gives live output for Ollama Cloud only and says GMI, NovitaAI, and Qwen Portal live calls were not completed; add redacted terminal logs or live output and update the PR body to trigger re-review.

Label justifications:

• P2: This is a broad but non-urgent provider feature PR with limited immediate user-impact evidence.
• merge-risk: 🚨 compatibility: The PR changes documented provider availability, provider ids, setup choices, and doctor guidance that can affect upgrades and existing model refs.
• merge-risk: 🚨 auth-provider: The patch adds and changes provider/auth routing for GMI, NovitaAI, Qwen Portal tokens, and Ollama Cloud.
• merge-risk: 🚨 security-boundary: The PR changes dependency graph files and package manifests, which the repository treats as a security-review surface.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body gives live output for Ollama Cloud only and says GMI, NovitaAI, and Qwen Portal live calls were not completed; add redacted terminal logs or live output and update the PR body to trigger re-review.

Evidence reviewed

PR surface:

Source +1011, Tests +255, Docs +196, Config +68, Other -5. Total +1525 across 45 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	19	1032	21	+1011
Tests	5	264	9	+255
Docs	14	218	22	+196
Config	5	68	0	+68
Generated	0	0	0	0
Other	2	12	17	-5
Total	45	1594	69	+1525

Security concerns:

• [medium] Authorize dependency graph changes before merge — npm-shrinkwrap.json:57
  The PR changes npm-shrinkwrap.json, pnpm-lock.yaml, and provider package manifests; the dependency graph guard says external PR graph changes require security authorization for this head SHA.
  Confidence: 0.93

What I checked:

• Protected label: The provided GitHub context lists the protected maintainer label, so this PR needs explicit maintainer handling rather than cleanup closure. (d0557fcdfe3d)
• Current main lacks GMI/Novita provider files: Current main has no extensions/gmi, extensions/novita, or matching provider docs/reference pages, so the new provider additions are not already implemented on main. (344aff383bdc)
• Current Qwen Portal behavior: Current main documents Qwen OAuth/Portal as removed, so reintroducing qwen-oauth is a product and compatibility decision rather than already-settled current behavior. Public docs: docs/providers/qwen.md. (docs/providers/qwen.md:9, 344aff383bdc)
• Current Qwen doctor behavior: Current main returns a deprecated-provider migration hint for qwen-portal, while the PR changes that path to allow re-authentication with a current Portal token. (src/agents/auth-profiles/doctor.ts:10, 344aff383bdc)
• Current Ollama Cloud support: Current main already supports Ollama Cloud through the existing ollama provider and documents https://ollama.com plus OLLAMA_API_KEY; the PR adds a separate first-class ollama-cloud id on top of that. Public docs: docs/providers/ollama.md. (docs/providers/ollama.md:10, 344aff383bdc)
• Dependency graph guard: The GitHub Actions dependency graph guard comment says this head changes npm-shrinkwrap.json, pnpm-lock.yaml, and provider package manifests and is blocked until security authorizes the exact head SHA or the graph changes are removed. (d0557fcdfe3d)

Likely related people:

• vincentkoc: Git history and blame show Vincent Koc introduced the current Qwen/Ollama provider docs and auth-profile doctor behavior that this PR changes. (role: recent area contributor; confidence: high; commits: 51d0ef80c23f; files: extensions/qwen/index.ts, extensions/ollama/src/setup.ts, docs/providers/qwen.md)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

/allow-dependencies-change intentional new first-class provider plugin manifests for GMI and Novita, plus workspace lock updates; no external runtime dependency added

[steipete]

/allow-dependencies-change intentional new first-class provider plugin manifests for GMI and Novita, plus workspace lock updates; no external runtime dependency added

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9714b9fca

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass Ollama Cloud key into catalog discovery

When a user has a valid Ollama Cloud key, the live catalog still calls the hosted /api/tags path without that key because buildOllamaCloudProvider() invokes the shared Ollama discovery helper with only the base URL. Ollama Cloud's documented direct API requires an Authorization: Bearer $OLLAMA_API_KEY header, so discovery will get an unauthorized/empty response and silently fall back to the three static defaults instead of exposing the hosted model list. Thread the apiKey resolved in the catalog runner into the tags/show requests used for Ollama Cloud discovery.

Useful? React with 👍 / 👎.

[steipete]

Verification before merge:

Exact local commands run after this patch:

• pnpm docs:list
• git diff --check
• pnpm check:test-types

Live provider proof:

• GMI: HTTP 200, zai-org/GLM-5.1-FP8, response OK
• Novita: HTTP 200, deepseek/deepseek-v3-0324, response OK
• Ollama Cloud: HTTP 200, gpt-oss:20b and kimi-k2.6, response OK
• Qwen ModelStudio Intl: HTTP 200, qwen3-coder-plus, response OK

CI:

• Fresh PR SHA: c9714b9fcaf94b86af28765923937fde04826b89
• Relevant GitHub checks: full PR matrix passed, including check-docs, check-lint, check-prod-types, check-test-types, dependency guard, security high shards, critical quality selected shards, and CI timing summary.

Known proof gaps:

• Live proof used direct provider API calls with keys injected from 1Password; no secret values were printed.
• Qwen OAuth/Portal itself is not live-tested because the current Qwen CLI OAuth route is discontinued; the working Qwen route is ModelStudio Intl standard key.