@elvatis_com/openclaw-cli-bridge-elvatis 0.2.14 → 0.2.16

package/.ai/handoff/MANIFEST.json

@@ -2,34 +2,152 @@
   "aahp_version": "3.0",
   "project": "openclaw-cli-bridge-elvatis",
   "last_session": {
-    "agent": "openai-codex/gpt-5.3-codex",
+    "agent": "claude-code",
     "session_id": "main",
-    "timestamp": "2026-03-07T21:29:00Z",
-    "commit": "16fca7c",
+    "timestamp": "2026-03-08T08:08:44.175Z",
+    "commit": "30be8ae",
     "phase": "integration",
-    "duration_minutes": 60
+    "duration_minutes": 2
   },
   "files": {
-    "STATUS.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "Auth bridge done; request bridge implemented; pending runtime validation." },
-    "NEXT_ACTIONS.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "Top priority: validate proxy + vllm model calls, then release pipeline." },
-    "LOG.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "Repo created, provider fixed, proxy architecture added." },
-    "DASHBOARD.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "2 bridge phases implemented; validation pending." },
-    "TRUST.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "No secret output, local-only proxy, explicit scope constraints." },
-    "CONVENTIONS.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "TypeScript strict + AAHP v3 + multi-platform release discipline." },
-    "WORKFLOW.md": { "checksum": "sha256:tbd", "updated": "2026-03-07T21:29:00Z", "lines": 0, "summary": "Validate → harden → publish (GitHub, npm, ClawHub)." }
+    "STATUS.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "Auth bridge done; request bridge implemented; pending runtime validation."
+    },
+    "NEXT_ACTIONS.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "Top priority: validate proxy + vllm model calls, then release pipeline."
+    },
+    "LOG.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "Repo created, provider fixed, proxy architecture added."
+    },
+    "DASHBOARD.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "2 bridge phases implemented; validation pending."
+    },
+    "TRUST.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "No secret output, local-only proxy, explicit scope constraints."
+    },
+    "CONVENTIONS.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "TypeScript strict + AAHP v3 + multi-platform release discipline."
+    },
+    "WORKFLOW.md": {
+      "checksum": "sha256:tbd",
+      "updated": "2026-03-07T21:29:00Z",
+      "lines": 0,
+      "summary": "Validate → harden → publish (GitHub, npm, ClawHub)."
+    }
+  },
+  "quick_context": "All providers validated end-to-end. 28 automated tests (unit + e2e proxy) pass. Proxy endpoints, vllm/ prefix stripping, auth, streaming, error handling all verified. Next: publish to npm + ClawHub.",
+  "token_budget": {
+    "manifest_only": 90,
+    "manifest_plus_core": 350,
+    "full_read": 700
   },
-  "quick_context": "Codex auth bridge is working and repo is live. gpt-5.4 fails due to OpenAI scope limitations, so development is on gpt-5.3-codex. Request-bridge code for Gemini/Claude via vllm-compatible proxy exists; next is end-to-end validation.",
-  "token_budget": { "manifest_only": 90, "manifest_plus_core": 350, "full_read": 700 },
   "next_task_id": 9,
   "tasks": {
-    "T-001": { "title": "Scaffold plugin structure + AAHP handoff", "status": "done", "priority": "high", "depends_on": [], "created": "2026-03-07T20:40:00Z", "completed": "2026-03-07T20:56:00Z" },
-    "T-002": { "title": "Implement openai-codex provider (Codex CLI auth bridge)", "status": "done", "priority": "high", "depends_on": ["T-001"], "created": "2026-03-07T20:40:00Z", "completed": "2026-03-07T20:56:00Z" },
-    "T-003": { "title": "Test auth flow: openclaw models auth login --provider openai-codex", "status": "done", "priority": "high", "depends_on": ["T-002"], "created": "2026-03-07T20:56:00Z", "completed": "2026-03-07T21:01:00Z" },
-    "T-004": { "title": "Verify model call: test gpt-5.2 or gpt-5.3-codex responds", "status": "done", "priority": "high", "depends_on": ["T-003"], "created": "2026-03-07T20:56:00Z", "completed": "2026-03-07T21:27:00Z" },
-    "T-005": { "title": "Implement Gemini CLI request bridge", "status": "done", "priority": "medium", "depends_on": ["T-003"], "created": "2026-03-07T20:56:00Z", "completed": "2026-03-07T21:23:00Z" },
-    "T-006": { "title": "Implement Claude Code CLI request bridge", "status": "done", "priority": "medium", "depends_on": ["T-003"], "created": "2026-03-07T20:56:00Z", "completed": "2026-03-07T21:23:00Z" },
-    "T-007": { "title": "Create GitHub repo and push initial code", "status": "done", "priority": "high", "depends_on": ["T-004"], "created": "2026-03-07T21:20:00Z", "completed": "2026-03-07T21:24:00Z" },
-    "T-008": { "title": "Validate proxy endpoints + vllm model calls end-to-end", "status": "ready", "priority": "high", "depends_on": ["T-005", "T-006"], "created": "2026-03-07T21:29:00Z" },
-    "T-009": { "title": "Publish to npm + ClawHub", "status": "blocked", "priority": "medium", "depends_on": ["T-008"], "created": "2026-03-07T21:29:00Z" }
+    "T-001": {
+      "title": "Scaffold plugin structure + AAHP handoff",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [],
+      "created": "2026-03-07T20:40:00Z",
+      "completed": "2026-03-07T20:56:00Z"
+    },
+    "T-002": {
+      "title": "Implement openai-codex provider (Codex CLI auth bridge)",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [
+        "T-001"
+      ],
+      "created": "2026-03-07T20:40:00Z",
+      "completed": "2026-03-07T20:56:00Z"
+    },
+    "T-003": {
+      "title": "Test auth flow: openclaw models auth login --provider openai-codex",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [
+        "T-002"
+      ],
+      "created": "2026-03-07T20:56:00Z",
+      "completed": "2026-03-07T21:01:00Z"
+    },
+    "T-004": {
+      "title": "Verify model call: test gpt-5.2 or gpt-5.3-codex responds",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [
+        "T-003"
+      ],
+      "created": "2026-03-07T20:56:00Z",
+      "completed": "2026-03-07T21:27:00Z"
+    },
+    "T-005": {
+      "title": "Implement Gemini CLI request bridge",
+      "status": "done",
+      "priority": "medium",
+      "depends_on": [
+        "T-003"
+      ],
+      "created": "2026-03-07T20:56:00Z",
+      "completed": "2026-03-07T21:23:00Z"
+    },
+    "T-006": {
+      "title": "Implement Claude Code CLI request bridge",
+      "status": "done",
+      "priority": "medium",
+      "depends_on": [
+        "T-003"
+      ],
+      "created": "2026-03-07T20:56:00Z",
+      "completed": "2026-03-07T21:23:00Z"
+    },
+    "T-007": {
+      "title": "Create GitHub repo and push initial code",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [
+        "T-004"
+      ],
+      "created": "2026-03-07T21:20:00Z",
+      "completed": "2026-03-07T21:24:00Z"
+    },
+    "T-008": {
+      "title": "Validate proxy endpoints + vllm model calls end-to-end",
+      "status": "done",
+      "priority": "high",
+      "depends_on": [
+        "T-005",
+        "T-006"
+      ],
+      "created": "2026-03-07T21:29:00Z",
+      "completed": "2026-03-08T08:08:44.175Z"
+    },
+    "T-009": {
+      "title": "Publish to npm + ClawHub",
+      "status": "ready",
+      "priority": "medium",
+      "depends_on": [
+        "T-008"
+      ],
+      "created": "2026-03-07T21:29:00Z"
+    }
   }
 }

package/.ai/handoff/NEXT_ACTIONS.md

@@ -1,42 +1,49 @@
 # NEXT_ACTIONS.md — openclaw-cli-bridge-elvatis
 
-_Last updated: 2026-03-07_
+_Last updated: 2026-03-08_
 
 ## Status Summary
 
-| Status | Count |
-|--------|-------|
-| Done   | 6     |
-| Ready  | 3     |
-| Blocked | 0   |
+| Status  | Count |
+|---------|-------|
+| Done    | 8     |
+| Ready   | 1     |
+| Blocked | 0     |
 
 ---
 
-## Ready — Work These Next
+## ⚡ Ready — Work These Next
 
-### T-101: [medium] — Unit tests for prompt formatter + model router
-- **Goal:** Cover `src/cli-runner.ts` message formatting and model routing logic with vitest tests.
-- **Files:** `test/cli-runner.test.ts`, `src/cli-runner.ts`
-- **Definition of done:** Prompt truncation, stdin format, and model→CLI mapping covered by tests.
+### T-009: [medium] — Publish to npm + ClawHub
 
-### T-102: [low] — Proxy auth key rotation via config
-- **Goal:** Allow `proxyApiKey` to be rotated without code change via config reload.
-- **Files:** `index.ts`, `src/proxy-server.ts`
+- **Goal:** Publish the next release to all distribution channels (GitHub, npm, ClawHub).
+- **Context:** All providers are validated end-to-end. 28 automated tests pass (unit + e2e proxy). The codebase is stable at v0.2.15. If changes were made since the last publish, bump the version first.
+- **What to do:**
+  1. Check if any code changes since v0.2.15 warrant a version bump
+  2. If bumping: update version in `package.json`, `openclaw.plugin.json`, `README.md`, `SKILL.md`, `STATUS.md` (see CONVENTIONS.md release checklist)
+  3. Run `npm run typecheck && npm test` — must pass
+  4. `git tag vX.Y.Z && git push origin main && git push origin vX.Y.Z`
+  5. `gh release create vX.Y.Z --title "..." --notes "..."`
+  6. `npm publish --access public`
+  7. ClawHub publish via rsync workaround (see CONVENTIONS.md)
+  8. Update all handoff docs (STATUS.md, DASHBOARD.md, LOG.md, NEXT_ACTIONS.md, README.md, SKILL.md)
+- **Files:** `package.json`, `openclaw.plugin.json`, `README.md`, `SKILL.md`, `.ai/handoff/STATUS.md`, `.ai/handoff/CONVENTIONS.md`
+- **Definition of done:** Package published on npm + ClawHub at matching version. GitHub release created. All docs updated.
 
-### T-103: [low] — Explicit model allowlist for CLI execution
-- **Goal:** Config-driven allowlist of which model IDs are permitted to spawn CLI subprocesses.
-- **Files:** `index.ts`, `src/cli-runner.ts`
+---
+
+## 🚫 Blocked
+
+_No blocked tasks._
 
 ---
 
-## Recently Completed
-
-| Task | Title | Date |
-|------|-------|------|
-| T-007 | Critical: remove fuser -k, safe proxy reuse via health probe | 2026-03-08 |
-| T-006 | Fix port leak: registerService stop() hook + closeAllConnections | 2026-03-07 |
-| T-005 | Add openclaw.extensions to package.json | 2026-03-07 |
-| T-004 | /cli-codex + /cli-codex-mini | 2026-03-07 |
-| T-003 | /cli-back + /cli-test | 2026-03-07 |
-| T-002 | /cli-* model switch commands | 2026-03-07 |
-| T-001 | Phase 1+2: auth + proxy + config patcher | 2026-03-07 |
+## ✅ Recently Completed
+
+| Task  | Title                                                        | Date       |
+|-------|--------------------------------------------------------------|------------|
+| T-008 | Validate proxy endpoints + vllm model calls end-to-end       | 2026-03-08 |
+| T-007 | Create GitHub repo and push initial code                     | 2026-03-07 |
+| T-006 | Implement Claude Code CLI request bridge                     | 2026-03-07 |
+| T-005 | Implement Gemini CLI request bridge                          | 2026-03-07 |
+| T-004 | Verify model call: test gpt-5.2 or gpt-5.3-codex responds   | 2026-03-07 |

package/.ai/handoff/STATUS.md

@@ -1,42 +1,49 @@
 # STATUS.md — openclaw-cli-bridge-elvatis
 
-_Last updated: 2026-03-07 by Akido (claude-sonnet-4-6)_
+_Last updated: 2026-03-08 by Akido (claude-sonnet-4-6)_
 
-## Current Version: 0.2.14 — STABLE
+## Current Version: 0.2.16 — STABLE
 
 ## What is done
 
 - ✅ Repo: `https://github.com/elvatis/openclaw-cli-bridge-elvatis`
-- ✅ npm: `@elvatis_com/openclaw-cli-bridge-elvatis@0.2.14`
-- ✅ ClawHub: `openclaw-cli-bridge-elvatis@0.2.14`
+- ✅ npm: `@elvatis_com/openclaw-cli-bridge-elvatis@0.2.16`
+- ✅ ClawHub: `openclaw-cli-bridge-elvatis@0.2.16`
 - ✅ Phase 1: `openai-codex` provider via `~/.codex/auth.json` (no re-login)
 - ✅ Phase 2: Local OpenAI-compatible proxy on `127.0.0.1:31337` (Gemini + Claude CLI)
 - ✅ Phase 3: 10 slash commands (`/cli-sonnet`, `/cli-opus`, `/cli-haiku`, `/cli-gemini`, `/cli-gemini-flash`, `/cli-gemini3`, `/cli-codex`, `/cli-codex-mini`, `/cli-back`, `/cli-test`)
 - ✅ Config patcher: auto-adds vllm provider to `openclaw.json` on first startup
 - ✅ Prompt delivery via stdin (no E2BIG, no Gemini agentic mode)
-- ✅ `registerService` stop() hook: closes proxy server on plugin teardown (fixes EADDRINUSE on hot-reload)
-- ✅ `openclaw.extensions` added to `package.json` (required for `openclaw plugins install`)
+- ✅ `registerService` stop() hook: closes proxy server on plugin teardown
+- ✅ `requireAuth: false` on all commands — webchat + WhatsApp authorized via gateway `commands.allowFrom`
+- ✅ `vllm/` prefix stripping in `routeToCliRunner` — accepts both `vllm/cli-claude/...` and bare `cli-claude/...`
+- ✅ End-to-end tested (2026-03-08): claude-sonnet-4-6 ✅ claude-haiku-4-5 ✅ gemini-2.5-flash ✅ gemini-2.5-pro ✅ codex ✅
+
+## Known Operational Notes
+
+- **Claude CLI auth expires** — token lifetime ~90 days. When `/cli-test` returns 401, run `claude auth login` on the server to refresh.
+- Config patcher writes `openclaw.json` directly → triggers one gateway restart on first install (expected, one-time only)
+- ClawHub publish ignores `.clawhubignore` — use rsync workaround (see CONVENTIONS.md)
 
 ## Bugs Fixed
 
+### v0.2.14 — vllm/ prefix not stripped in model router
+`routeToCliRunner` received full provider path `vllm/cli-claude/...` from OpenClaw
+but only checked for `cli-claude/...` — caused "Unknown CLI bridge model" on all requests.
+Fixed by stripping the `vllm/` prefix before routing.
+
+### v0.2.13 — requireAuth blocking webchat commands
+All `/cli-*` commands had `requireAuth: true`. Plugin-level auth checks `isAuthorizedSender`
+via a different resolution path than `commands.allowFrom` config — webchat senders were
+never authorized. Fixed by setting `requireAuth: false`; gateway-level `commands.allowFrom`
+is the correct security layer.
+
 ### v0.2.9 — Critical: Gateway SIGKILL via fuser
 `fuser -k 31337/tcp` was sending SIGKILL to the gateway process itself during
-in-process hot-reloads. The gateway holds port 31337 (via the proxy it spawned),
-so `fuser` found it and killed it — explaining `status=9/KILL` in systemd journal.
-Fixed by replacing `fuser -k` with a safe health probe (`GET /v1/models`): if the
-existing proxy responds, reuse it silently. If EADDRINUSE but no response, wait 1s
-and retry once. No process killing involved.
+in-process hot-reloads. Fixed by replacing `fuser -k` with a safe health probe.
 
-### v0.2.7–v0.2.8 — EADDRINUSE on hot-reload (partially fixed, superseded by v0.2.9)
-Added `closeAllConnections()` + `registerService` stop() hook. Port still leaked
-during systemd restarts due to race condition. v0.2.9 health-probe approach is the
-definitive fix.
+### v0.2.7–v0.2.8 — EADDRINUSE on hot-reload
+Added `closeAllConnections()` + `registerService` stop() hook.
 
 ### v0.2.6 — Port leak on gateway hot-reload
-HTTP proxy server had no cleanup handler. Fixed with `registerService` stop() callback.
-
-## Open Risks
-
-- `openai-codex/gpt-5.4` returns 401 missing scope `model.request` — external (OpenAI account scope), not plugin code
-- Config patcher writes `openclaw.json` directly → triggers one gateway restart on first install (expected, one-time only)
-- ClawHub publish ignores `.clawhubignore` — use rsync workaround (see CONVENTIONS.md)
+HTTP proxy server had no cleanup handler.

package/README.md

@@ -2,7 +2,7 @@
 
 > OpenClaw plugin that bridges locally installed AI CLIs (Codex, Gemini, Claude Code) as model providers — with slash commands for instant model switching, restore, and health testing.
 
-**Current version:** `0.2.14`
+**Current version:** `0.2.16`
 
 ---
 
@@ -234,8 +234,24 @@ npm test            # vitest run (5 unit tests for formatPrompt)
 
 ## Changelog
 
+### v0.2.16
+- **feat(T-101):** Expand test suite to 45 tests — new cases for `formatPrompt` (mixed roles, boundary values, system messages) and `routeToCliRunner` (gemini paths, edge cases)
+- **feat(T-103):** Add `DEFAULT_ALLOWED_CLI_MODELS` allowlist; `routeToCliRunner` now rejects unregistered models by default; pass `allowedModels: null` to opt out
+
+### v0.2.15
+- **docs:** Rewrite changelog (entries for v0.2.12–v0.2.14 were corrupted by repeated sed version bumps); all providers verified working (Claude, Gemini, Codex)
+- **docs:** Update STATUS.md with end-to-end test results
+
 ### v0.2.14
-- **docs:** Fix changelog (v0.2.10 entry was lost by sed, v0.2.11 description was wrong); enforce single-commit publish discipline
+- **fix:** Strip `vllm/` prefix in `routeToCliRunner` — OpenClaw sends full provider path (`vllm/cli-claude/...`) but proxy router expected bare `cli-claude/...`; caused "Unknown CLI bridge model" on all requests
+- **test:** Add 4 routing tests covering both prefixed and non-prefixed model paths (9 tests total)
+
+### v0.2.13
+- **fix:** Set `requireAuth: false` on all `/cli-*` commands — webchat senders were always blocked because plugin-level auth uses a different resolution path than `commands.allowFrom` config; gateway-level allowlist is the correct security layer
+- **fix:** Hardcoded `version: "0.2.5"` in plugin object (`index.ts`) — now tracks `package.json`
+
+### v0.2.12
+- **docs:** Fix changelog continuity — v0.2.10 entry was lost, v0.2.11 description was wrong; all entries now accurate
 
 ### v0.2.11
 - **docs:** Fix README `Current version` header (was stuck at 0.2.9 after 0.2.10 bump)

package/SKILL.md

@@ -53,4 +53,4 @@ Each command runs `openclaw models set <model>` atomically and replies with a co
 
 See `README.md` for full configuration reference and architecture diagram.
 
-**Version:** 0.2.14
+**Version:** 0.2.16

package/index.ts

@@ -277,7 +277,7 @@ function proxyTestRequest(
 const plugin = {
   id: "openclaw-cli-bridge-elvatis",
   name: "OpenClaw CLI Bridge",
-  version: "0.2.14",
+  version: "0.2.15",
   description:
     "Phase 1: openai-codex auth bridge. " +
     "Phase 2: HTTP proxy for gemini/claude CLIs. " +

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "openclaw-cli-bridge-elvatis",
   "name": "OpenClaw CLI Bridge",
-  "version": "0.2.14",
+  "version": "0.2.16",
   "description": "Phase 1: openai-codex auth bridge. Phase 2: local HTTP proxy routing model calls through gemini/claude CLIs (vllm provider).",
   "providers": [
     "openai-codex"
@@ -36,4 +36,4 @@
       }
     }
   }
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elvatis_com/openclaw-cli-bridge-elvatis",
-  "version": "0.2.14",
+  "version": "0.2.16",
   "description": "Bridges gemini, claude, and codex CLI tools as OpenClaw model providers. Reads existing CLI auth without re-login.",
   "type": "module",
   "openclaw": {
@@ -19,4 +19,4 @@
     "typescript": "^5.9.3",
     "vitest": "^4.0.18"
   }
-}
+}

package/src/cli-runner.ts

@@ -238,19 +238,55 @@ export async function runClaude(
   return result.stdout;
 }
 
+// ──────────────────────────────────────────────────────────────────────────────
+// Model allowlist (T-103)
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Default set of permitted models for the CLI bridge.
+ * Matches the models registered as slash commands in index.ts.
+ * Expressed as normalized "cli-<type>/<model-id>" strings (vllm/ prefix already stripped).
+ *
+ * To extend: pass a custom set to routeToCliRunner via the `allowedModels` option.
+ * To disable the check: pass `null` for `allowedModels`.
+ */
+export const DEFAULT_ALLOWED_CLI_MODELS: ReadonlySet<string> = new Set([
+  // Claude Code CLI
+  "cli-claude/claude-sonnet-4-6",
+  "cli-claude/claude-opus-4-6",
+  "cli-claude/claude-haiku-4-5",
+  // Gemini CLI
+  "cli-gemini/gemini-2.5-pro",
+  "cli-gemini/gemini-2.5-flash",
+  "cli-gemini/gemini-3-pro",
+]);
+
 // ──────────────────────────────────────────────────────────────────────────────
 // Router
 // ──────────────────────────────────────────────────────────────────────────────
 
+export interface RouteOptions {
+  /**
+   * Explicit model allowlist (normalized, vllm/ stripped).
+   * Pass `null` to disable the allowlist check entirely.
+   * Defaults to DEFAULT_ALLOWED_CLI_MODELS.
+   */
+  allowedModels?: ReadonlySet<string> | null;
+}
+
 /**
  * Route a chat completion to the correct CLI based on model prefix.
  *   cli-gemini/<id>  → gemini CLI
  *   cli-claude/<id>  → claude CLI
+ *
+ * Enforces DEFAULT_ALLOWED_CLI_MODELS by default (T-103).
+ * Pass `allowedModels: null` to skip the allowlist check.
  */
 export async function routeToCliRunner(
   model: string,
   messages: ChatMessage[],
-  timeoutMs: number
+  timeoutMs: number,
+  opts: RouteOptions = {}
 ): Promise<string> {
   const prompt = formatPrompt(messages);
 
@@ -259,6 +295,18 @@ export async function routeToCliRunner(
   // "cli-<type>/<model>" portion.
   const normalized = model.startsWith("vllm/") ? model.slice(5) : model;
 
+  // T-103: enforce allowlist unless explicitly disabled
+  const allowedModels = opts.allowedModels === undefined
+    ? DEFAULT_ALLOWED_CLI_MODELS
+    : opts.allowedModels;
+
+  if (allowedModels !== null && !allowedModels.has(normalized)) {
+    const known = [...(allowedModels)].join(", ");
+    throw new Error(
+      `CLI bridge model not allowed: "${model}". Allowed: ${known || "(none)"}.`
+    );
+  }
+
   if (normalized.startsWith("cli-gemini/")) return runGemini(prompt, normalized, timeoutMs);
   if (normalized.startsWith("cli-claude/")) return runClaude(prompt, normalized, timeoutMs);
 

package/test/cli-runner.test.ts

@@ -1,5 +1,13 @@
-import { describe, it, expect, vi } from "vitest";
-import { formatPrompt, routeToCliRunner } from "../src/cli-runner.js";
+import { describe, it, expect } from "vitest";
+import {
+  formatPrompt,
+  routeToCliRunner,
+  DEFAULT_ALLOWED_CLI_MODELS,
+} from "../src/cli-runner.js";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// formatPrompt
+// ──────────────────────────────────────────────────────────────────────────────
 
 describe("formatPrompt", () => {
   it("returns empty string for empty messages", () => {
@@ -17,10 +25,8 @@ describe("formatPrompt", () => {
       content: `msg ${i}`,
     }));
     const result = formatPrompt(messages);
-    // Should contain last 20 messages, not first 10
     expect(result).toContain("msg 29");
     expect(result).not.toContain("msg 0\n");
-    // Single-turn mode doesn't apply when there are multiple messages
     expect(result).toContain("[User]");
   });
 
@@ -33,8 +39,8 @@ describe("formatPrompt", () => {
     const result = formatPrompt([sys, ...msgs]);
     expect(result).toContain("[System]");
     expect(result).toContain("You are helpful");
-    expect(result).toContain("msg 24"); // last
-    expect(result).not.toContain("msg 0\n"); // first (truncated)
+    expect(result).toContain("msg 24");
+    expect(result).not.toContain("msg 0\n");
   });
 
   it("truncates individual message content at MAX_MSG_CHARS (4000)", () => {
@@ -43,32 +49,176 @@ describe("formatPrompt", () => {
     expect(result.length).toBeLessThan(5000);
     expect(result).toContain("truncated");
   });
+
+  // T-101: additional formatPrompt cases
+
+  it("formats a multi-turn user/assistant conversation with role labels", () => {
+    const messages = [
+      { role: "user" as const, content: "What is 2+2?" },
+      { role: "assistant" as const, content: "4" },
+      { role: "user" as const, content: "And 3+3?" },
+    ];
+    const result = formatPrompt(messages);
+    expect(result).toContain("[User]\nWhat is 2+2?");
+    expect(result).toContain("[Assistant]\n4");
+    expect(result).toContain("[User]\nAnd 3+3?");
+  });
+
+  it("single assistant message gets role label (not bare)", () => {
+    const result = formatPrompt([{ role: "assistant", content: "I am an assistant" }]);
+    expect(result).toContain("[Assistant]");
+  });
+
+  it("content exactly at MAX_MSG_CHARS (4000) is NOT truncated", () => {
+    const exact = "a".repeat(4000);
+    const result = formatPrompt([{ role: "user", content: exact }]);
+    expect(result).toBe(exact);
+    expect(result).not.toContain("truncated");
+  });
+
+  it("content well above MAX_MSG_CHARS is truncated to a shorter result", () => {
+    // Use 6000 chars — truncation suffix (~23 chars) + 4000 body = 4023, well below 6000
+    const over = "a".repeat(6000);
+    const result = formatPrompt([{ role: "user", content: over }]);
+    expect(result).toContain("truncated");
+    expect(result.length).toBeLessThan(over.length);
+    expect(result.startsWith("a".repeat(4000))).toBe(true);
+  });
+
+  it("system-only message uses role label (not bare)", () => {
+    const result = formatPrompt([{ role: "system", content: "Be concise" }]);
+    expect(result).toContain("[System]");
+    expect(result).toContain("Be concise");
+  });
+
+  it("system + single user message uses role labels (not bare)", () => {
+    const result = formatPrompt([
+      { role: "system", content: "Be concise" },
+      { role: "user", content: "Hi" },
+    ]);
+    expect(result).toContain("[System]");
+    expect(result).toContain("[User]");
+  });
 });
 
+// ──────────────────────────────────────────────────────────────────────────────
+// routeToCliRunner — model normalization + routing (T-101)
+// ──────────────────────────────────────────────────────────────────────────────
+
 describe("routeToCliRunner — model normalization", () => {
   it("rejects unknown model without vllm prefix", async () => {
     await expect(
-      routeToCliRunner("unknown/model", [], 1000)
+      routeToCliRunner("unknown/model", [], 1000, { allowedModels: null })
     ).rejects.toThrow("Unknown CLI bridge model");
   });
 
   it("rejects unknown model with vllm prefix", async () => {
     await expect(
-      routeToCliRunner("vllm/unknown/model", [], 1000)
+      routeToCliRunner("vllm/unknown/model", [], 1000, { allowedModels: null })
     ).rejects.toThrow("Unknown CLI bridge model");
   });
 
   it("accepts cli-claude/ without vllm prefix (calls runClaude path)", async () => {
-    // Should throw CLI spawn error (no real claude), not "Unknown CLI bridge model"
     await expect(
       routeToCliRunner("cli-claude/claude-sonnet-4-6", [{ role: "user", content: "hi" }], 500)
     ).rejects.not.toThrow("Unknown CLI bridge model");
   });
 
   it("accepts vllm/cli-claude/ — strips vllm prefix before routing", async () => {
-    // Should throw CLI spawn error (no real claude), not "Unknown CLI bridge model"
     await expect(
       routeToCliRunner("vllm/cli-claude/claude-sonnet-4-6", [{ role: "user", content: "hi" }], 500)
     ).rejects.not.toThrow("Unknown CLI bridge model");
   });
+
+  // T-101: gemini routing paths
+
+  it("accepts cli-gemini/ without vllm prefix (routes to gemini, not 'unknown')", async () => {
+    // gemini CLI may resolve or reject — what matters is it doesn't throw "Unknown CLI bridge model"
+    let errorMsg = "";
+    try {
+      await routeToCliRunner("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], 500);
+    } catch (e: any) {
+      errorMsg = e?.message ?? "";
+    }
+    expect(errorMsg).not.toContain("Unknown CLI bridge model");
+  });
+
+  it("accepts vllm/cli-gemini/ — strips vllm prefix before routing", async () => {
+    let errorMsg = "";
+    try {
+      await routeToCliRunner("vllm/cli-gemini/gemini-2.5-flash", [{ role: "user", content: "hi" }], 500);
+    } catch (e: any) {
+      errorMsg = e?.message ?? "";
+    }
+    expect(errorMsg).not.toContain("Unknown CLI bridge model");
+  });
+
+  it("rejects bare 'vllm/' with no type segment", async () => {
+    await expect(
+      routeToCliRunner("vllm/", [], 1000, { allowedModels: null })
+    ).rejects.toThrow("Unknown CLI bridge model");
+  });
+
+  it("rejects empty model string", async () => {
+    await expect(
+      routeToCliRunner("", [], 1000, { allowedModels: null })
+    ).rejects.toThrow("Unknown CLI bridge model");
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// routeToCliRunner — model allowlist (T-103)
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("routeToCliRunner — model allowlist (T-103)", () => {
+  it("DEFAULT_ALLOWED_CLI_MODELS includes all registered claude models", () => {
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-claude/claude-sonnet-4-6")).toBe(true);
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-claude/claude-opus-4-6")).toBe(true);
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-claude/claude-haiku-4-5")).toBe(true);
+  });
+
+  it("DEFAULT_ALLOWED_CLI_MODELS includes all registered gemini models", () => {
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-gemini/gemini-2.5-pro")).toBe(true);
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-gemini/gemini-2.5-flash")).toBe(true);
+    expect(DEFAULT_ALLOWED_CLI_MODELS.has("cli-gemini/gemini-3-pro")).toBe(true);
+  });
+
+  it("rejects a model not in the default allowlist", async () => {
+    await expect(
+      routeToCliRunner("vllm/cli-claude/claude-unknown-99", [{ role: "user", content: "hi" }], 500)
+    ).rejects.toThrow("CLI bridge model not allowed");
+  });
+
+  it("rejects an unregistered gemini model", async () => {
+    await expect(
+      routeToCliRunner("vllm/cli-gemini/gemini-1.0-pro", [{ role: "user", content: "hi" }], 500)
+    ).rejects.toThrow("CLI bridge model not allowed");
+  });
+
+  it("error message lists allowed models", async () => {
+    try {
+      await routeToCliRunner("vllm/cli-claude/bad-model", [{ role: "user", content: "hi" }], 500);
+    } catch (e: any) {
+      expect(e.message).toContain("cli-claude/claude-sonnet-4-6");
+    }
+  });
+
+  it("allowedModels: null disables the check — only routing matters", async () => {
+    // With null allowlist, unknown-prefix models still throw "Unknown CLI bridge model"
+    await expect(
+      routeToCliRunner("vllm/cli-claude/any-model", [{ role: "user", content: "hi" }], 500, {
+        allowedModels: null,
+      })
+    ).rejects.not.toThrow("CLI bridge model not allowed");
+  });
+
+  it("custom allowlist overrides defaults", async () => {
+    const custom = new Set(["cli-claude/claude-sonnet-4-6"]);
+    // claude-opus is in defaults but NOT in custom — should be rejected
+    await expect(
+      routeToCliRunner("vllm/cli-claude/claude-opus-4-6", [{ role: "user", content: "hi" }], 500, {
+        allowedModels: custom,
+      })
+    ).rejects.toThrow("CLI bridge model not allowed");
+  });
 });

package/test/proxy-e2e.test.ts

@@ -0,0 +1,397 @@
+/**
+ * End-to-end tests for the CLI bridge proxy server.
+ *
+ * Starts a real HTTP server on a random port and validates all endpoints:
+ *   - GET /health, /v1/health
+ *   - GET /v1/models
+ *   - POST /v1/chat/completions (non-streaming + streaming)
+ *   - Auth enforcement
+ *   - Error handling (bad JSON, missing fields, unknown model, 404)
+ *   - vllm/ prefix stripping through the full stack
+ *
+ * routeToCliRunner is mocked so we don't need real CLIs installed.
+ */
+
+import { describe, it, expect, beforeAll, afterAll, vi } from "vitest";
+import http from "node:http";
+import { startProxyServer, CLI_MODELS } from "../src/proxy-server.js";
+
+// Mock cli-runner so we don't spawn real CLIs
+vi.mock("../src/cli-runner.js", async (importOriginal) => {
+  const orig = await importOriginal<typeof import("../src/cli-runner.js")>();
+  return {
+    ...orig,
+    routeToCliRunner: vi.fn(async (model: string, _messages: unknown[], _timeout: number) => {
+      // Simulate the real router: strip vllm/ prefix, validate model
+      const normalized = model.startsWith("vllm/") ? model.slice(5) : model;
+      if (!normalized.startsWith("cli-gemini/") && !normalized.startsWith("cli-claude/")) {
+        throw new Error(`Unknown CLI bridge model: "${model}"`);
+      }
+      return `Mock response from ${normalized}`;
+    }),
+  };
+});
+
+const API_KEY = "test-key-e2e";
+let server: http.Server;
+let port: number;
+const baseUrl = () => `http://127.0.0.1:${port}`;
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ──────────────────────────────────────────────────────────────────────────────
+
+function fetch(path: string, opts: {
+  method?: string;
+  headers?: Record<string, string>;
+  body?: string;
+} = {}): Promise<{ status: number; headers: http.IncomingHttpHeaders; body: string }> {
+  return new Promise((resolve, reject) => {
+    const url = new URL(path, baseUrl());
+    const req = http.request(url, {
+      method: opts.method ?? "GET",
+      headers: opts.headers,
+    }, (res) => {
+      const chunks: Buffer[] = [];
+      res.on("data", (d: Buffer) => chunks.push(d));
+      res.on("end", () => {
+        resolve({
+          status: res.statusCode ?? 0,
+          headers: res.headers,
+          body: Buffer.concat(chunks).toString("utf8"),
+        });
+      });
+    });
+    req.on("error", reject);
+    if (opts.body) req.write(opts.body);
+    req.end();
+  });
+}
+
+function json(path: string, body: unknown, extraHeaders: Record<string, string> = {}) {
+  return fetch(path, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${API_KEY}`,
+      ...extraHeaders,
+    },
+    body: JSON.stringify(body),
+  });
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Setup / Teardown
+// ──────────────────────────────────────────────────────────────────────────────
+
+beforeAll(async () => {
+  // Use port 0 to let the OS pick a free port
+  server = await startProxyServer({
+    port: 0,
+    apiKey: API_KEY,
+    timeoutMs: 5_000,
+    log: () => {},
+    warn: () => {},
+  });
+  const addr = server.address();
+  port = typeof addr === "object" && addr ? addr.port : 0;
+});
+
+afterAll(async () => {
+  await new Promise<void>((resolve) => {
+    server.closeAllConnections();
+    server.close(() => resolve());
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Health checks
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("GET /health", () => {
+  it("returns {status: ok}", async () => {
+    const res = await fetch("/health");
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.status).toBe("ok");
+    expect(body.service).toBe("openclaw-cli-bridge");
+  });
+});
+
+describe("GET /v1/health", () => {
+  it("returns {status: ok}", async () => {
+    const res = await fetch("/v1/health");
+    expect(res.status).toBe(200);
+    expect(JSON.parse(res.body).status).toBe("ok");
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// CORS preflight
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("OPTIONS (CORS preflight)", () => {
+  it("returns 204 with CORS headers", async () => {
+    const res = await fetch("/v1/chat/completions", { method: "OPTIONS" });
+    expect(res.status).toBe(204);
+    expect(res.headers["access-control-allow-origin"]).toBe("*");
+    expect(res.headers["access-control-allow-methods"]).toContain("POST");
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Model listing
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("GET /v1/models", () => {
+  it("returns all CLI bridge models in OpenAI format", async () => {
+    const res = await fetch("/v1/models");
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.object).toBe("list");
+    expect(body.data).toHaveLength(CLI_MODELS.length);
+
+    const ids = body.data.map((m: { id: string }) => m.id);
+    for (const model of CLI_MODELS) {
+      expect(ids).toContain(model.id);
+    }
+
+    // Each model has the correct OpenAI shape
+    for (const m of body.data) {
+      expect(m.object).toBe("model");
+      expect(m.owned_by).toBe("openclaw-cli-bridge");
+      expect(typeof m.created).toBe("number");
+    }
+  });
+
+  it("includes CORS headers", async () => {
+    const res = await fetch("/v1/models");
+    expect(res.headers["access-control-allow-origin"]).toBe("*");
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Chat completions — non-streaming
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("POST /v1/chat/completions (non-streaming)", () => {
+  it("returns valid OpenAI completion for cli-claude model", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-claude/claude-sonnet-4-6",
+      messages: [{ role: "user", content: "hello" }],
+      stream: false,
+    });
+
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.object).toBe("chat.completion");
+    expect(body.id).toMatch(/^chatcmpl-cli-/);
+    expect(body.model).toBe("cli-claude/claude-sonnet-4-6");
+    expect(body.choices).toHaveLength(1);
+    expect(body.choices[0].message.role).toBe("assistant");
+    expect(body.choices[0].message.content).toBe("Mock response from cli-claude/claude-sonnet-4-6");
+    expect(body.choices[0].finish_reason).toBe("stop");
+    expect(body.usage).toBeDefined();
+  });
+
+  it("returns valid completion for cli-gemini model", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-gemini/gemini-2.5-pro",
+      messages: [{ role: "user", content: "hi" }],
+    });
+
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.choices[0].message.content).toBe("Mock response from cli-gemini/gemini-2.5-pro");
+  });
+
+  it("handles vllm/ prefix (OpenClaw sends full provider path)", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "vllm/cli-claude/claude-haiku-4-5",
+      messages: [{ role: "user", content: "test" }],
+    });
+
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    // Model in response should be the requested model (vllm/ prefix preserved in response)
+    expect(body.model).toBe("vllm/cli-claude/claude-haiku-4-5");
+    // But the mock receives the model and strips vllm/ internally
+    expect(body.choices[0].message.content).toBe("Mock response from cli-claude/claude-haiku-4-5");
+  });
+
+  it("handles vllm/ prefix for gemini models", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "vllm/cli-gemini/gemini-2.5-flash",
+      messages: [{ role: "user", content: "test" }],
+    });
+
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.choices[0].message.content).toBe("Mock response from cli-gemini/gemini-2.5-flash");
+  });
+
+  it("passes multi-turn conversation", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-claude/claude-sonnet-4-6",
+      messages: [
+        { role: "system", content: "You are helpful" },
+        { role: "user", content: "What is 2+2?" },
+        { role: "assistant", content: "4" },
+        { role: "user", content: "And 3+3?" },
+      ],
+    });
+
+    expect(res.status).toBe(200);
+    const body = JSON.parse(res.body);
+    expect(body.choices[0].message.content).toContain("Mock response");
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Chat completions — streaming (SSE)
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("POST /v1/chat/completions (streaming)", () => {
+  it("returns SSE stream with correct chunks", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-claude/claude-sonnet-4-6",
+      messages: [{ role: "user", content: "hello" }],
+      stream: true,
+    });
+
+    expect(res.status).toBe(200);
+    expect(res.headers["content-type"]).toBe("text/event-stream");
+
+    // Parse SSE events
+    const events = res.body
+      .split("\n\n")
+      .filter((e) => e.startsWith("data: "))
+      .map((e) => e.replace("data: ", ""));
+
+    // Should end with [DONE]
+    expect(events[events.length - 1]).toBe("[DONE]");
+
+    // Parse JSON chunks (all except [DONE])
+    const chunks = events
+      .filter((e) => e !== "[DONE]")
+      .map((e) => JSON.parse(e));
+
+    // First chunk should have role delta
+    expect(chunks[0].choices[0].delta.role).toBe("assistant");
+    expect(chunks[0].object).toBe("chat.completion.chunk");
+
+    // Last JSON chunk should have finish_reason: "stop"
+    const lastChunk = chunks[chunks.length - 1];
+    expect(lastChunk.choices[0].finish_reason).toBe("stop");
+
+    // Content chunks should reassemble to the full response
+    const fullContent = chunks
+      .map((c) => c.choices[0].delta.content ?? "")
+      .join("");
+    expect(fullContent).toBe("Mock response from cli-claude/claude-sonnet-4-6");
+
+    // All chunks should have consistent id
+    const ids = new Set(chunks.map((c) => c.id));
+    expect(ids.size).toBe(1);
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Auth enforcement
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("Auth enforcement", () => {
+  it("rejects request without Authorization header", async () => {
+    const res = await fetch("/v1/chat/completions", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        model: "cli-claude/claude-sonnet-4-6",
+        messages: [{ role: "user", content: "hi" }],
+      }),
+    });
+
+    expect(res.status).toBe(401);
+    expect(JSON.parse(res.body).error.type).toBe("auth_error");
+  });
+
+  it("rejects request with wrong API key", async () => {
+    const res = await fetch("/v1/chat/completions", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: "Bearer wrong-key",
+      },
+      body: JSON.stringify({
+        model: "cli-claude/claude-sonnet-4-6",
+        messages: [{ role: "user", content: "hi" }],
+      }),
+    });
+
+    expect(res.status).toBe(401);
+  });
+
+  it("accepts request with correct API key", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-claude/claude-sonnet-4-6",
+      messages: [{ role: "user", content: "hi" }],
+    });
+
+    expect(res.status).toBe(200);
+  });
+});
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Error handling
+// ──────────────────────────────────────────────────────────────────────────────
+
+describe("Error handling", () => {
+  it("returns 400 for invalid JSON body", async () => {
+    const res = await fetch("/v1/chat/completions", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${API_KEY}`,
+      },
+      body: "not json",
+    });
+
+    expect(res.status).toBe(400);
+    expect(JSON.parse(res.body).error.type).toBe("invalid_request_error");
+  });
+
+  it("returns 400 when model is missing", async () => {
+    const res = await json("/v1/chat/completions", {
+      messages: [{ role: "user", content: "hi" }],
+    });
+
+    expect(res.status).toBe(400);
+    expect(JSON.parse(res.body).error.message).toContain("model and messages are required");
+  });
+
+  it("returns 400 when messages is empty", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "cli-claude/claude-sonnet-4-6",
+      messages: [],
+    });
+
+    expect(res.status).toBe(400);
+  });
+
+  it("returns 500 for unknown model", async () => {
+    const res = await json("/v1/chat/completions", {
+      model: "unknown/model",
+      messages: [{ role: "user", content: "hi" }],
+    });
+
+    expect(res.status).toBe(500);
+    expect(JSON.parse(res.body).error.type).toBe("cli_error");
+    expect(JSON.parse(res.body).error.message).toContain("Unknown CLI bridge model");
+  });
+
+  it("returns 404 for unknown routes", async () => {
+    const res = await fetch("/v1/nonexistent");
+    expect(res.status).toBe(404);
+    expect(JSON.parse(res.body).error.type).toBe("not_found");
+  });
+});