// Verifies safe, user-facing auth labels without exposing credential values.

import { beforeEach, describe, expect, it, vi } from "vitest";

import { resolveModelAuthLabel } from "./model-auth-label.js";

});

it("does not include token value in label for token profiles", () => {

// Labels may be shown in status output, so token-backed profiles identify

// the auth mode/profile only and never echo token material or refs.

mocks.ensureAuthProfileStore.mockReturnValue({

version: 1,

profiles: {

});

it("uses accepted provider ids before falling back to provider env auth", () => {

// Accepted provider ids let aliases share a profile match before env

// fallback would report a less-specific API-key label.

mocks.ensureAuthProfileStore.mockReturnValue({

version: 1,

profiles: {

// Covers model auth resolution across env, profiles, CLI, and provider aliases.

import fs from "node:fs/promises";

import os from "node:os";

import path from "node:path";

env?: NodeJS.ProcessEnv;

tempPrefix?: string;

}) {

// Vertex ADC credentials are file evidence, not a raw API key. Tests create

// a temporary credentials file and expect the non-secret marker to win.

const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), params.tempPrefix ?? "openclaw-adc-"));

const credentialsPath = path.join(tempDir, "adc.json");

await fs.writeFile(credentialsPath, params.credentialsJson, "utf8");

}));

vi.mock("./model-auth-env-vars.js", () => {

// Workspace-provided auth evidence is only trusted when the plugin is in the

// effective allowlist, mirroring runtime plugin scoping.

const hasAllowedPlugin = (config: unknown, pluginId: string): boolean => {

if (!config || typeof config !== "object") {

return false;

// Verifies provider auth resolution, synthetic auth, and auth header behavior.

import type { Model } from "openclaw/plugin-sdk/llm";

import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";

import type { ModelProviderConfig } from "../config/config.js";

shouldDeferProviderSyntheticProfileAuthWithPlugin: (params: {

context?: { resolvedApiKey?: string };

}) => params.context?.resolvedApiKey === "synthetic-defer",

// Synthetic auth is provider-owned. Tests model local/no-key and plugin

// config credentials without depending on real plugins.

resolveProviderSyntheticAuthWithPlugin: (params: {

provider: string;

config?: {

modelId = "llama3",

modelName = "Llama 3",

): ModelProviderConfig {

// Minimal custom OpenAI-compatible provider used across auth tests.

return {

baseUrl,

api: "openai-completions" as const,

// Proves workspace plugin auth evidence participates in model auth checks.

import fs from "node:fs/promises";

import os from "node:os";

import path from "node:path";

import { hasAuthForModelProvider } from "./model-provider-auth.js";

async function writeWorkspaceAuthEvidencePlugin(workspaceDir: string) {

// Creates a trusted workspace plugin manifest with local-file auth evidence

// so runtime and picker checks exercise the same scoped metadata path.

const pluginDir = path.join(workspaceDir, ".openclaw", "extensions", "workspace-cloud");

await fs.mkdir(pluginDir, { recursive: true });

await fs.writeFile(path.join(pluginDir, "index.ts"), "export default {}\n", "utf8");

describe("workspace plugin model auth evidence", () => {

it("uses trusted workspace plugin auth evidence across runtime and picker auth checks", async () => {

// Without workspace scope the same env var is ignored; with scope, the

// plugin-owned marker is accepted across all auth surfaces.

const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-workspace-auth-"));

const workspaceDir = path.join(tempRoot, "workspace");

const bundledDir = path.join(tempRoot, "bundled");

// Verifies model catalog lookup scope for custom and manifest-owned models.

import { describe, expect, it } from "vitest";

import type { OpenClawConfig } from "../config/types.openclaw.js";

import { resolveModelCatalogScope } from "./model-catalog-scope.js";

describe("resolveModelCatalogScope", () => {

it("keeps explicit custom provider models scoped to that provider", () => {

// Custom provider model ids may collide with built-ins, so lookup should

// not fall through to bare manifest refs.

const cfg = {

models: {

providers: {

// Covers model catalog loading, plugin manifests, normalization, and suppression.

import { mkdirSync, rmSync, writeFileSync } from "node:fs";

import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";

import type { OpenClawConfig } from "../config/config.js";

}

function mockCatalogImportFailThenRecover() {

// Simulates a transient discovery import failure so cache/error handling can

// prove the catalog loader recovers on the next attempt.

let call = 0;

setModelCatalogImportForTest(async () => {

call += 1;

reasoning?: boolean;

contextWindow?: number;

}) {

// Minimal plugin metadata snapshot containing a manifest-owned external

// provider model catalog.

return {

policyHash: "policy",

index: {

provider: string,

id: string,

): ModelCatalogEntry {

// Most catalog tests need a narrowed entry before checking capabilities or

// normalized ids; fail loudly when the fixture model disappears.

const entry = findCatalogEntry(entries, provider, id);

if (!entry) {

throw new Error(`expected catalog entry ${provider}/${id}`);