Add provider-aware chat model picker

[bkudiess]

Summary

• Problem: Windows chat showed model choices as flat model ids, which made provider, default/current state, readiness, and context-window details hard to distinguish.
• Why it matters: Duplicate model ids across providers and fast model switches could make the picker ambiguous or send with a stale model.
• What changed: Added provider-rich model choices, provider-qualified picker identity, readiness/default labels, clear-to-default through explicit session patch clear, and send ordering behind in-flight model changes.
• User impact: Users get clearer model choices and model switches are preserved more reliably across duplicate providers, reconnects, and fast sends.
• What did NOT change (scope boundary): No new permissions, no credential/storage behavior changes, and no new command execution surface.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs / instructions
• Tests / validation
• Security hardening
• Chore / infra

Scope (select all touched areas)

• Tray / WinUI UX
• Windows node capability
• Local MCP / winnode
• Gateway / connection / pairing
• Setup / onboarding
• Permissions / privacy / security
• Tests / CI / docs

Linked Issue/PR

• Closes #
• Related #
• Related to a bug or regression

Validation

• .\build.ps1 — Passed
• dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore — Passed, 2571 passed / 31 skipped
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore — Passed, 1328 passed
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --filter "FullyQualifiedName~ChatModelChoiceTests|FullyQualifiedName~OpenClawChatDataProviderTests" — Passed, 190 passed

Real behavior proof

• Environment tested: Windows ARM64, local non-isolated OpenClaw Tray build from this branch.
• PR head / commit tested: 7b02ebff
• Exact steps or command run:
  • Launched OpenClaw.Tray.WinUI.exe from the branch build output.
  • Ran focused model-picker/provider tests covering duplicate provider ids, clear-to-default, unavailable/auth-needed states, send-after-switch ordering, failed model-patch fallback, reconnect cache matching, and synthetic-thread provider context.
• Evidence after fix:
  • Focused tests passed: 190 tests.
  • Full tray tests passed: 1328 tests.
  • Full shared tests passed: 2571 tests / 31 skipped.
• Observed result: Model picker behavior is provider-aware, preserves provider identity across duplicate model ids, clears to default with explicit null, and waits for model changes before sends.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only conversations that still need reviewer or maintainer judgment.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 27, 2026, 2:10 AM ET / 06:10 UTC.

Summary
The branch adds provider-rich chat model choices, provider-qualified model picker identity, clear-to-default session patching, send-after-model-change ordering, and focused shared/tray tests.

Reproducibility: not applicable. as a feature PR. Current-main source confirms the old flat raw-id picker, and the PR proof/tests exercise the new provider-aware behavior.

Review metrics: 2 noteworthy metrics.

• Diff surface: 13 files changed, +1235/-46. The change spans shared gateway parsing, chat state, WinUI picker behavior, and tests, so provider-routing review matters beyond green CI.
• Reported validation: 4 commands reported, including full build/shared/tray tests and 190 focused tests. The PR body and follow-up comment report the repository-required validation plus focused picker/provider coverage, although this read-only review did not rerun tests.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit ✨ media proof bonus
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Keep a visible maintainer decision or redacted live gateway trace for provider-qualified sessions.patch compatibility before merge.

Mantis proof suggestion
A short visual proof pass would help maintainers see the provider/default/context/auth-needed/unavailable picker states in a real tray build. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify the Windows Tray chat model picker shows provider/context/default, auth-needed, unavailable, and clear-to-default states.

Risk before merge

• [P1] Provider-aware selections now send provider-qualified SelectionId values when provider metadata exists; if a supported gateway catalog still expects raw model ids for sessions.patch, model switching could fail or choose the wrong provider.
• [P1] The proof includes a visible tray picker screenshot and focused tests, but this review did not inspect a redacted live gateway trace showing a provider-qualified sessions.patch value accepted end to end.

Maintainer options:

1. Accept provider-qualified model refs
   Merge if maintainers accept the cited gateway behavior as the supported model-selection contract for provider-aware catalogs.
2. Keep raw-id patching until contract lands
   Preserve the richer display but send raw model IDs unless or until the gateway exposes or documents provider-qualified selection as the stable Windows-node contract.
3. Pause for live contract proof
   Wait for a redacted live gateway trace or equivalent maintainer proof showing provider-qualified sessions.patch model selection succeeds before merge.

Next step before merge

• [P2] A human maintainer needs to accept or reject provider-qualified model refs as the Windows/gateway session patch contract; there is no narrow automated repair finding left.

Security
Cleared: The diff changes tray UI, gateway metadata parsing, and session patch payload values without adding dependencies, workflows, permissions, secret handling, or command execution surface.

Review details

Best possible solution:

Land the provider-aware picker after maintainers accept provider-qualified sessions.patch model values as the gateway contract, or adjust the patching path to preserve raw IDs until that contract is explicit.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a feature PR. Current-main source confirms the old flat raw-id picker, and the PR proof/tests exercise the new provider-aware behavior.

Is this the best way to solve the issue?

Yes, with a maintainer contract check. The implementation is narrow and reuses the existing SessionPatch.Clear path, but provider-qualified model refs should be explicitly accepted or proven against the gateway before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 556e7dafc4ba.

Label changes

Label justifications:

• P2: This is a normal-priority user-facing model picker/provider-routing improvement with limited but real model-choice blast radius.
• merge-risk: 🚨 auth-provider: The diff changes model identity values sent through sessions.patch, which can affect provider routing and selected model behavior beyond what local unit tests fully settle.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (screenshot): The PR body includes an after-fix Windows Tray screenshot showing the provider/context model picker plus reported local app launch and full/focused validation; the remaining live gateway trace question is tracked as merge risk, not missing contributor proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes an after-fix Windows Tray screenshot showing the provider/context model picker plus reported local app launch and full/focused validation; the remaining live gateway trace question is tracked as merge risk, not missing contributor proof.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body includes an after-fix Windows Tray screenshot showing the provider/context model picker plus reported local app launch and full/focused validation; the remaining live gateway trace question is tracked as merge risk, not missing contributor proof.

Evidence reviewed

What I checked:

• Repository policy read: AGENTS.md was read fully; its tray UX, chat, gateway, and PR proof guidance applies to this PR because it changes WinUI chat and gateway session/model behavior. (AGENTS.md:1, 556e7dafc4ba)
• No maintainer notes found: No .agents/maintainer-notes files were present in this checkout, so there were no matching internal maintainer decisions to apply.
• Current main still has flat raw-id picker: Current main builds the model ComboBox directly from AvailableModels and forwards the selected raw string to OnModelChanged, so the provider-aware picker is not already implemented. (src/OpenClaw.Tray.WinUI/Chat/OpenClawComposer.cs:260, 556e7dafc4ba)
• Provider-rich choice mapping: The PR keeps auth-needed rows visible, hides explicitly unconfigured rows without an auth path, and deduplicates by provider-qualified selection identity. (src/OpenClaw.Chat/ChatModelChoice.cs:49, d971a62c84e2)
• Provider-rich composer UI: The PR builds a model picker from ChatModelChoice, adds a default clear entry, preserves stale/custom current models, disables unavailable choices, and sends the selected entry tag as the model identity. (src/OpenClaw.Tray.WinUI/Chat/OpenClawComposer.cs:269, d971a62c84e2)
• Clear-to-default and send ordering: The PR routes blank model sets as no-ops, adds explicit clear via the bridge, tracks in-flight model patches per session, and waits before sends so a fast send cannot overtake a model switch. (src/OpenClaw.Tray.WinUI/Chat/OpenClawChatDataProvider.cs:931, d971a62c84e2)

Likely related people:

• bkudiess: Prior merged history introduced the typed gateway protocol and SessionPatch path now used by this PR's clear/set model behavior. (role: gateway protocol contributor; confidence: high; commits: 2cae69ba6ca4; files: src/OpenClaw.Shared/GatewayProtocolModels.cs, src/OpenClaw.Shared/OpenClawGatewayClient.Protocol.cs, tests/OpenClaw.Shared.Tests/GatewayProtocolModelsTests.cs)
• shanselman: Merged current-main work for configured-model filtering in the same model parser/provider path and authored the latest force-pushed branch commit that dedupes cached model ids. (role: recent model-selector contributor; confidence: medium; commits: d1b136347e95, d971a62c84e2; files: src/OpenClaw.Shared/OpenClawGatewayClient.cs, src/OpenClaw.Tray.WinUI/Chat/OpenClawChatDataProvider.cs, tests/OpenClaw.Shared.Tests/OpenClawGatewayClientTests.cs)
• TurboTheTurtle: Recent current-main history changed the same WinUI chat composer surface that this PR updates for the model picker. (role: recent adjacent UI contributor; confidence: medium; commits: c5aa130dbf55; files: src/OpenClaw.Tray.WinUI/Chat/OpenClawComposer.cs)
• RBrid: Recent current-main history changed OpenClawChatDataProvider, ChatModels, and adjacent provider tests in the same chat/session state area. (role: recent chat data-provider contributor; confidence: medium; commits: 4e7982bafb86; files: src/OpenClaw.Tray.WinUI/Chat/OpenClawChatDataProvider.cs, src/OpenClaw.Chat/ChatModels.cs, tests/OpenClaw.Tray.Tests/OpenClawChatDataProviderTests.cs)
• christineyan4: Current main includes recent OpenClawChatDataProvider work adjacent to the chat snapshot/session state path modified by this PR. (role: recent adjacent data-provider contributor; confidence: low; commits: 8c9acbcfb5d8; files: src/OpenClaw.Tray.WinUI/Chat/OpenClawChatDataProvider.cs)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[bkudiess]

Addressed ClawSweeper's P2 finding:

• configured:false models are still hidden by default, but configured:false + requiresAuth:true rows now remain visible so the picker can show the auth-needed state/provider-auth path.
• Added focused coverage in ChatModelChoiceTests and OpenClawChatDataProviderTests.

Validation after the fix:

• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --filter "FullyQualifiedName~ChatModelChoiceTests|FullyQualifiedName~OpenClawChatDataProviderTests" — passed, 190 tests
• .\build.ps1 — passed
• dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore — passed, 2571 passed / 31 skipped
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore — passed, 1328 tests

Provider-qualified sessions.patch proof: the upstream gateway test sessions.patch preserves nested model ids under provider overrides covers a provider-qualified model ref (nvidia/moonshotai/kimi-k2.5) resolving into provider nvidia and model moonshotai/kimi-k2.5.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.