Derive onboarding choices from loaded providers

resolveProviderWizardOptions now builds auth choices directly from manifest records, so it no longer verifies that the corresponding provider actually loads. In this state, plugins with valid openclaw.plugin.json but load/runtime failures are still shown, and plugins that only expose wizard metadata via registerProvider(...).wizard are omitted; both cases desynchronize the prompt from applyAuthChoiceLoadedPluginProvider, which resolves against resolvePluginProviders and can return null (silent no-op) for a selected choice.

Useful? React with 👍 / 👎.

This file is no longer modified in this PR — no longer applicable.

Derive model-picker setup entries from loaded providers

resolveProviderModelPickerEntries has the same manifest-only source of truth, so model-setup options can be presented for providers that are not actually loadable at runtime. When the user selects one of these entries, promptDefaultModel resolves choices via resolvePluginProviders/resolveProviderPluginChoice and can fail to resolve the selection, causing the setup action to do nothing despite the option being offered.

Useful? React with 👍 / 👎.

This file is no longer modified in this PR — no longer applicable.

Silent character stripping produces a wrong endpoint

Invalid characters in a resource name are silently dropped rather than rejected. For example, a user providing fabric_hub (underscore) — a very common typo for fabric-hub — gets transformed to fabrichub, which resolves to the completely different endpoint fabrichub.services.ai.azure.com. The user receives no warning and will get confusing auth errors instead of a clear input-validation message.

A safer approach is to reject the input when non-[a-z0-9-] characters remain after lowercasing:

This is a comment left during a code review.
Path: src/commands/anthropic-azure-utils.ts
Line: 66-70

Comment:
**Silent character stripping produces a wrong endpoint**

Invalid characters in a resource name are silently dropped rather than rejected. For example, a user providing `fabric_hub` (underscore) — a very common typo for `fabric-hub` — gets transformed to `fabrichub`, which resolves to the completely different endpoint `fabrichub.services.ai.azure.com`. The user receives no warning and will get confusing auth errors instead of a clear input-validation message.

A safer approach is to reject the input when non-`[a-z0-9-]` characters remain after lowercasing:

```suggestion
  const normalizedResource = raw.toLowerCase();
  if (/[^a-z0-9-]/.test(normalizedResource)) {
    throw new Error(
      `Azure Claude resource name "${raw}" contains invalid characters. ` +
        "Only lowercase letters, numbers, and hyphens are allowed (e.g. fabric-hub).",
    );
  }
  if (!normalizedResource) {
    throw new Error("Azure Claude resource name must contain alphanumeric characters or hyphens.");
  }
  return `https://${normalizedResource}${ANTHROPIC_AZURE_HOST_SUFFIX}${ANTHROPIC_AZURE_API_SUFFIX}`;
```

How can I resolve this? If you propose a fix, please make it concise.

Fixed — resource names with invalid characters are now rejected with a descriptive error message instead of being silently stripped. Added a regression test covering fabric_hub and space-containing inputs.

Breaking change for plugins that declare wizard.onboarding only in TypeScript

The old implementation called resolvePluginProviders(), which compiled and evaluated each plugin's TypeScript entry point so that provider.wizard?.onboarding could be read from the runtime object. The new fast path reads record.wizard?.onboarding exclusively from the JSON manifest, bypassing TypeScript entirely.

Any third-party (or first-party) plugin that declared wizard.onboarding only in its TypeScript entry and did not mirror it in openclaw.plugin.json will now silently disappear from the auth choice list. The bundled plugins (vllm, sglang, ollama) are updated in this very PR, but custom/third-party plugins have no migration path and no warning.

Consider adding a diagnostic entry when a plugin has a TypeScript-defined wizard.onboarding but lacks the JSON wizard field, or at minimum documenting this as a breaking change in the PR description and migration guide.

This is a comment left during a code review.
Path: src/plugins/provider-wizard.ts
Line: 71-110

Comment:
**Breaking change for plugins that declare `wizard.onboarding` only in TypeScript**

The old implementation called `resolvePluginProviders()`, which compiled and evaluated each plugin's TypeScript entry point so that `provider.wizard?.onboarding` could be read from the runtime object. The new fast path reads `record.wizard?.onboarding` exclusively from the JSON manifest, bypassing TypeScript entirely.

Any third-party (or first-party) plugin that declared `wizard.onboarding` only in its TypeScript entry and did **not** mirror it in `openclaw.plugin.json` will now silently disappear from the auth choice list. The bundled plugins (vllm, sglang, ollama) are updated in this very PR, but custom/third-party plugins have no migration path and no warning.

Consider adding a diagnostic entry when a plugin has a TypeScript-defined `wizard.onboarding` but lacks the JSON `wizard` field, or at minimum documenting this as a breaking change in the PR description and migration guide.

How can I resolve this? If you propose a fix, please make it concise.

This file is no longer modified in this PR — the setup → onboarding rename was from merge commits in the old branch history, not part of this feature. The rebased branch only touches Azure-specific files.

Use generic --token input for apiKey-mapped Azure auth

When authChoice=apiKey with tokenProvider=anthropic-azure, normalizeApiKeyTokenProviderAuthChoice routes into this Azure branch, but the API key source is hardcoded to opts.anthropicAzureApiKey instead of opts.token. As a result, flows like --auth-choice apiKey --token-provider anthropic-azure --token ... ignore the supplied token and fall back to env/prompt, which breaks scripted onboarding and is inconsistent with other apiKey-mapped providers.

Useful? React with 👍 / 👎.

Set agent override when Azure auth skips global default

In applyAuthChoiceApiProviders, the new anthropic-azure-api-key path only applies applyAgentDefaultModelPrimary(...) when params.setDefaultModel is true and never assigns agentModelOverride otherwise. Callers that intentionally pass setDefaultModel: false (for example agent-scoped setup flows) depend on agentModelOverride to set that agent’s model, so choosing Azure Claude can silently leave the agent on its previous provider/model despite writing Azure auth/config, leading to model/auth mismatches at runtime.

Useful? React with 👍 / 👎.

Fixed — replaced the manual applyAgentDefaultModelPrimary call with applyProviderDefaultModel() (the shared helper from createAuthChoiceDefaultModelApplierForMutableState). This correctly sets agentModelOverride for agent-scoped flows when setDefaultModel is false, matching the pattern used by other providers (e.g. LiteLLM).

Reject invalid Azure endpoint paths during URL normalization

normalizeAnthropicAzureBaseUrl currently appends "/anthropic" to any existing path that does not already end with that suffix, so inputs like https://<resource>.services.ai.azure.com/anthropic/v1 are normalized to .../anthropic/v1/anthropic and then saved into provider config. That produces a malformed base URL which will make subsequent Anthropic requests fail at runtime instead of failing fast during onboarding; the normalizer should reject unexpected path segments (or explicitly canonicalize known variants) rather than concatenating blindly.

Useful? React with 👍 / 👎.

Reject invalid Azure resource hosts in URL input

When users pass a full URL, normalization only checks that the hostname ends with .services.ai.azure.com, so invalid resource labels like fabric_hub.services.ai.azure.com are accepted even though the resource-name path rejects underscores. This stores an endpoint that cannot be resolved by Azure and pushes the failure to runtime requests instead of failing fast during onboarding; the URL branch should validate the resource label with the same character rules used for bare resource names.

Useful? React with 👍 / 👎.

Reject unsupported Azure endpoint paths

When the input is a full URL, the normalizer appends "/anthropic" to any pathname that does not already end with that suffix, so values like https://<resource>.services.ai.azure.com/anthropic/v1 become .../anthropic/v1/anthropic. That produces a malformed provider baseUrl and shifts the failure to runtime requests instead of failing fast during onboarding.

Useful? React with 👍 / 👎.

Validate Azure resource label in URL host

The URL branch only checks endsWith(".services.ai.azure.com"), so hosts with invalid resource labels (for example underscores) pass validation and are persisted as endpoints. This allows clearly invalid Azure resource hosts to be accepted in onboarding and fail later at request time rather than being rejected immediately.

Useful? React with 👍 / 👎.