
docs(roadmap): add #467 — doctor auth preflight is Anthropic-only for OpenAI-selected models#3080

Closed
Yeachan-Heo wants to merge 1 commit into main from docs/roadmap-467-doctor-auth-anthropic-only

@Yeachan-Heo
Contributor

ROADMAP pinpoint #467: doctor auth preflight is Anthropic-only even for OpenAI-selected models

Dogfooded for the 2026-05-24 18:00 Clawhip nudge (message 1508167732355530752).

The pinpoint

claw doctor auth preflight hardcodes Anthropic env vars even when the selected model/provider is OpenAI-compatible.

Repro:

env -i HOME=/tmp/iso26/home OPENAI_API_KEY=sk-openai-fake PATH=/usr/bin:/bin TERM=dumb \
  claw --output-format json --model openai/gpt-4 doctor |
  jq '.checks[] | select(.name=="auth")'

Observed:

{
  "api_key_present": false,
  "auth_token_present": false,
  "details": ["Environment       api_key=absent auth_token=absent"],
  "name": "auth",
  "status": "warn",
  "summary": "no supported auth env vars were found"
}

But status in the same env knows the selected model is OpenAI:

env -i HOME=/tmp/iso26/home OPENAI_API_KEY=sk-openai-fake PATH=/usr/bin:/bin TERM=dumb \
  claw --output-format json --model openai/gpt-4 status |
  jq '{status,model,model_raw,model_source}'
{"status":"ok","model":"openai/gpt-4","model_raw":"openai/gpt-4","model_source":"flag"}

False-positive variant:

env -i HOME=/tmp/iso26/home OPENAI_API_KEY=sk-openai-fake ANTHROPIC_API_KEY=sk-ant-fake PATH=/usr/bin:/bin TERM=dumb \
  claw --output-format json --model openai/gpt-4 doctor |
  jq '.checks[] | select(.name=="auth")'

Doctor says auth ok because ANTHROPIC_API_KEY exists, not because the selected OpenAI provider is authenticated.

Root cause traced

rust/crates/rusty-claude-cli/src/main.rs:2071-2150:

let api_key_present = env::var("ANTHROPIC_API_KEY")
    .ok()
    .is_some_and(|value| !value.trim().is_empty());
let auth_token_present = env::var("ANTHROPIC_AUTH_TOKEN")
    .ok()
    .is_some_and(|value| !value.trim().is_empty());

Auth status is ok iff an Anthropic var exists.

But runtime routing metadata already exists: ProviderMetadata includes provider kind, api_key_env, base_url_env, defaults, and model-prefix detection. Runtime dispatch uses this metadata for openai/...; doctor ignores it.

Why distinct

Why it matters

  1. False warning: OpenAI users following documented prefix routing get doctor auth warn even when OPENAI_API_KEY is set.
  2. False ok: a stale Anthropic key can make doctor green for an OpenAI model even if OPENAI_API_KEY is missing.
  3. Runtime routing and preflight drifted after #29.
  4. Automation cannot trust doctor before starting OpenAI-compatible lanes.
  5. Provider metadata already has the required env var names; diagnostics just need to use it.

Required fix shape

(a) Thread selected model/provider into check_auth_health() or add check_provider_auth_health(model) using the same provider metadata runtime dispatch uses.

(b) Emit structured fields: selected_provider, required_api_key_env, required_auth_envs, provider-key presence booleans, and effective_auth_source where applicable.

(c) For OpenAI-compatible selected providers, status should be ok when that provider’s own key is present regardless of Anthropic vars; warn/fail when absent even if Anthropic keys exist.

(d) Mirror provider-auth summary into status --output-format json.

(e) Regression matrix: Anthropic default + Anthropic key; OpenAI model + OpenAI key; OpenAI model + only Anthropic key; OpenAI model + both keys; XAI/DashScope equivalents.

Acceptance check

env -i HOME=$TMP OPENAI_API_KEY=sk-test PATH=$PATH \
  claw --model openai/gpt-4 doctor --output-format json |
  jq -e '.checks[] | select(.name=="auth") |
    .status == "ok" and
    .selected_provider == "openai" and
    .required_api_key_env == "OPENAI_API_KEY"'

Should pass. Currently it warns that no supported auth env vars were found.

Coordination note

Still avoided F/CLAW_CONFIG_HOME due to Jobdori public claim; this provider-auth-preflight mismatch is orthogonal and credential-free.


[repo owner's gaebal-gajae (clawdbot) 🦞]
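
An added illustration of fix shape (a) to (c) from the comment above, not code from this PR or from the project: it resolves the provider from the model prefix before checking credentials, and keeps the Anthropic-only check beside it for comparison. The `Provider` table, `Env` alias and `legacy_status` are hypothetical stand-ins; the project's real `ProviderMetadata` is not shown on this page.

```rust
// Added example: Provider is a constructed stand-in for ProviderMetadata (assumption).
use std::collections::HashMap;

struct Provider {
    kind: &'static str,
    prefix: &'static str,
    api_key_env: &'static str,
    auth_token_env: Option<&'static str>,
}

static OPENAI: Provider = Provider { kind: "openai", prefix: "openai/",
    api_key_env: "OPENAI_API_KEY", auth_token_env: None };
static ANTHROPIC: Provider = Provider { kind: "anthropic", prefix: "",
    api_key_env: "ANTHROPIC_API_KEY", auth_token_env: Some("ANTHROPIC_AUTH_TOKEN") };

#[derive(Debug, PartialEq)]
struct AuthCheck {
    selected_provider: &'static str,
    required_api_key_env: &'static str,
    status: &'static str,
}

type Env<'a> = HashMap<&'a str, &'a str>;

fn present(env: &Env, name: &str) -> bool {
    env.get(name).is_some_and(|v| !v.trim().is_empty())
}

// Behaviour described in the root-cause section: only Anthropic vars are consulted.
fn legacy_status(env: &Env) -> &'static str {
    if present(env, "ANTHROPIC_API_KEY") || present(env, "ANTHROPIC_AUTH_TOKEN") { "ok" } else { "warn" }
}

// Fix shape (a)-(c): pick the provider from the model prefix first, then
// test only that provider's credentials; other providers' keys are ignored.
fn check_provider_auth_health(model: &str, env: &Env) -> AuthCheck {
    let p = if model.starts_with(OPENAI.prefix) { &OPENAI } else { &ANTHROPIC };
    let ok = present(env, p.api_key_env) || p.auth_token_env.is_some_and(|n| present(env, n));
    AuthCheck {
        selected_provider: p.kind,
        required_api_key_env: p.api_key_env,
        status: if ok { "ok" } else { "warn" },
    }
}

fn main() {
    let env: Env = HashMap::from([("ANTHROPIC_API_KEY", "sk-ant-fake")]); // constructed
    println!("legacy={} fixed={:?}", legacy_status(&env), check_provider_auth_health("openai/gpt-4", &env));
}
```

Passing the environment in as a map rather than reading `env::var` directly lets the regression matrix in (e) run without mutating process state.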

@code-yeongyu
Collaborator

Content merged to main via batch commit c881069. Closing PR.
