Summary

On 2026.5.3-1, the bench gateway returned FailoverError: Unknown model: anthropic/claude-haiku-4.5 on every agent run while agents.defaults.model.primary was correctly set to openrouter/anthropic/claude-haiku-4.5. The session entry for agent:main:main held providerOverride: "anthropic" and modelOverride: "claude-haiku-4.5", the back half of the OpenRouter id with the openrouter/ wrapper missing.

The dispatcher in agent-command reads the override before the global default. Since the per agent allowlist is empty for most operators, allowAnyModel is true and the existing self heal block at the top of the override handling never fires. The corrupt override is then passed to runWithModelFallback, the resolver looks up an anthropic provider that is not registered, and the run fails with FailoverError: Unknown model: anthropic/claude-haiku-4.5. openclaw models list --agent <id> continues to show the configured model as valid the entire time, which makes the bug hard to find.

This is the same bug class as #70572 (closed 2026-04-25 as not reproducible). The session state layer is still vulnerable in 2026.5.3-1.

Reproduction

The corrupt state can be created directly:

python3 -c "import json, pathlib; sj = pathlib.Path.home()/'.openclaw/agents/main/sessions/sessions.json'; d = json.loads(sj.read_text()); d['agent:main:main'].update({'providerOverride':'anthropic','modelOverride':'claude-haiku-4.5','modelOverrideSource':'user'}); sj.write_text(json.dumps(d, indent=2))"

Then openclaw agent --agent main -m ping produces FailoverError: Unknown model: anthropic/claude-haiku-4.5. The same shape can also be produced by the Control UI per session model picker against an OpenRouter id, in some flows; the deterministic reproduction above is the safer regression case.

Side observation: the same agent:main:main entry has modelProvider: "openrouter" and model: "anthropic/claude-haiku-4.5" (the runtime fields, correctly shaped) right next to the corrupt providerOverride/modelOverride pair. Two writers, disagreeing on shape.

Expected

Either the writer rejects the corrupt provider/model pair, or the dispatcher self heals when it reads an override whose provider is not registered in cfg.models.providers. Ideally both, since the writer side prevents new corruption while the read side fixes existing corrupt sessions on the next run.

Suggested fix

Two narrow patches close the loop. Verified locally against the 2026.5.3-1 dist build.

1. Write side guard in applyModelOverrideToSessionEntry (src/sessions/model-overrides.ts): refuse to persist when selection.provider is not present in cfg.models.providers. Return {updated: false} with a warning. The single sessions.patch caller should pass cfg and surface the refusal as an invalid response so the UI sees an error rather than a silent write.

2. Read side self heal in agent-command (the override cleanup block right before override consumption): the existing block currently only runs when !allowAnyModel. Extend the predicate to also clear the override when its provider is not registered in cfg.models.providers, regardless of allowAnyModel mode. This auto repairs sessions corrupted before the write side guard exists.

I applied both against the local dist build (dist/model-overrides-*.js, dist/sessions-patch-*.js, dist/agent-command-*.js). Unit tested by importing the writer directly and confirmed:

• broken ("anthropic", "claude-haiku-4.5") is refused with a [openclaw-local-patch] refused session override write warning,
• valid ("openrouter", "anthropic/claude-haiku-4.5") writes through,
• callers that do not pass cfg keep the previous behavior, so failover bookkeeping and subagent spawn paths are unaffected.

Regression tested by reinjecting the corrupt pattern into sessions.json and running the agent: the entry auto cleared, the run completed against the global default, no FailoverError, stderr showed [openclaw-local-patch] clearing session override with unregistered provider "anthropic". Happy to send a PR if useful, just point me at whichever entry points should also be covered (sessions.patch is the obvious one; subagent spawn already builds qualified ids via splitModelRef so it should be safe to leave alone).

Environment

openclaw 2026.5.3-1 (commit 2eae30e), node 22.x, macOS 14, gateway run via launchd. 8 agent bench, OpenRouter key in per agent auth-profiles.json.