feat: allow OpenRouter pricing API through proxy

[alexeykazakov]

OpenClaw's gateway fetches model pricing from openrouter.ai/api/v1/models to power cost estimation in the UI. The proxy was blocking this because openrouter.ai wasn't in the route allowlist unless the user explicitly configured an OpenRouter credential.

Summary by CodeRabbit

• New Features

  • Built-in passthrough for openrouter.ai is always added as an exact-match route with injection disabled by default; user credentials override it when present.

• Tests

  • Made proxy route tests resilient to ordering and route-count changes by locating routes by domain.
  • Added tests ensuring builtin passthrough routes are included, not duplicated, and that user credentials take precedence.

[coderabbitai]

Walkthrough

Adds a built-in passthrough domain list (including "openrouter.ai") and ensures those domains are inserted as exact-match proxy routes with Injector: "none". Tests updated to locate routes by domain using a new helper and to assert inclusion and precedence without relying on route ordering.

Changes

Cohort / File(s)	Summary
Proxy route generation logic internal/controller/claw_proxy.go	Added builtinPassthroughDomains ([]string{"openrouter.ai"}) and updated generateProxyConfig to prepend/merge any missing built-in domains as exact-match routes with Injector: "none" while preserving credential-derived routing logic.
Proxy configuration tests internal/controller/claw_proxy_test.go	Added findRouteByDomain test helper and TestBuiltinPassthroughDomains; refactored tests to use domain-based route lookup instead of fixed indices/lengths; adjusted route-count and ordering assertions where needed.
Configuration map test internal/controller/claw_configmap_test.go	Updated TestGenerateProxyConfigVertexSDK to use findRouteByDomain to select and assert route fields; removed strict assertions on cfg.Routes length.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: enabling OpenRouter pricing API access through the proxy by adding openrouter.ai as a built-in passthrough domain.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/claw_proxy_test.go (1)

412-415: Prefer domain lookup over index in empty-credentials builtin test.

cfg.Routes[0] is still order-coupled. Using findRouteByDomain(t, cfg.Routes, "openrouter.ai") here would keep this test stable if more builtin domains are added later.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/controller/claw_proxy_test.go` around lines 412 - 415, The test
currently asserts on cfg.Routes[0] which couples the test to route ordering;
replace the index-based checks with a lookup using findRouteByDomain(t,
cfg.Routes, "openrouter.ai") to locate the route and then assert that its Domain
equals "openrouter.ai" and Injector equals "none" (i.e., use the found route
object instead of cfg.Routes[0]); update the two assertions to reference the
route returned by findRouteByDomain to make the test stable if builtin domains
are reordered or new ones are added.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@internal/controller/claw_proxy_test.go`:
- Around line 412-415: The test currently asserts on cfg.Routes[0] which couples
the test to route ordering; replace the index-based checks with a lookup using
findRouteByDomain(t, cfg.Routes, "openrouter.ai") to locate the route and then
assert that its Domain equals "openrouter.ai" and Injector equals "none" (i.e.,
use the found route object instead of cfg.Routes[0]); update the two assertions
to reference the route returned by findRouteByDomain to make the test stable if
builtin domains are reordered or new ones are added.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2911f727-ad7f-46c3-a235-f05bba80b29f

📥 Commits

Reviewing files that changed from the base of the PR and between a2410e4 and 0b11ffc.

📒 Files selected for processing (3)

• internal/controller/claw_configmap_test.go
• internal/controller/claw_proxy.go
• internal/controller/claw_proxy_test.go

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/claw_proxy_test.go (1)

406-415: Consolidate overlapping builtin passthrough assertions.

Both subtests validate the same no-credentials openrouter.ai -> injector none behavior. Keeping this in one focused place (TestBuiltinPassthroughDomains) would reduce maintenance noise without losing coverage.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 503-512

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/controller/claw_proxy_test.go` around lines 406 - 415, Duplicate
subtest asserting the same no-credentials builtin passthrough behavior should be
removed and consolidated into the existing TestBuiltinPassthroughDomains test;
delete the t.Run block that calls generateProxyConfig(nil) and asserts
openrouter.ai injector == "none" (the subtest shown) and instead ensure
TestBuiltinPassthroughDomains includes an assertion that, for
generateProxyConfig(nil) (or equivalent no-credentials path), the route for
"openrouter.ai" returned by findRouteByDomain has Injector == "none" so coverage
remains while avoiding duplicate tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@internal/controller/claw_proxy_test.go`:
- Around line 406-415: Duplicate subtest asserting the same no-credentials
builtin passthrough behavior should be removed and consolidated into the
existing TestBuiltinPassthroughDomains test; delete the t.Run block that calls
generateProxyConfig(nil) and asserts openrouter.ai injector == "none" (the
subtest shown) and instead ensure TestBuiltinPassthroughDomains includes an
assertion that, for generateProxyConfig(nil) (or equivalent no-credentials
path), the route for "openrouter.ai" returned by findRouteByDomain has Injector
== "none" so coverage remains while avoiding duplicate tests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: aae588aa-08a1-4304-bb65-e7b3378b8f7e

📥 Commits

Reviewing files that changed from the base of the PR and between 0b11ffc and 8076493.

📒 Files selected for processing (1)

• internal/controller/claw_proxy_test.go

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/claw_proxy_test.go (1)

298-301: Avoid hard-coding global route count/order in non-builtin-focused tests.

These assertions are brittle if more built-in passthrough domains are added later. Prefer checking presence and relative ordering constraints only.

♻️ Proposed refactor

@@
-		require.Len(t, cfg.Routes, 3)
-		assert.Equal(t, "api.example.com", cfg.Routes[0].Domain, "exact match should come first")
-		assert.Equal(t, "openrouter.ai", cfg.Routes[1].Domain, "builtin exact should come before suffix")
-		assert.Equal(t, ".example.com", cfg.Routes[2].Domain, "suffix match should come last")
+		domainIndex := map[string]int{}
+		for i, r := range cfg.Routes {
+			domainIndex[r.Domain] = i
+		}
+		require.Contains(t, domainIndex, "api.example.com")
+		require.Contains(t, domainIndex, "openrouter.ai")
+		require.Contains(t, domainIndex, ".example.com")
+		assert.Less(t, domainIndex["api.example.com"], domainIndex[".example.com"], "exact match should come before suffix")
+		assert.Less(t, domainIndex["openrouter.ai"], domainIndex[".example.com"], "builtin exact should come before suffix")
@@
-		require.Len(t, cfg.Routes, 3, "2 credential routes + 1 builtin passthrough")
+		assert.GreaterOrEqual(t, len(cfg.Routes), 3, "should include credential routes plus builtin passthrough routes")
+		_ = findRouteByDomain(t, cfg.Routes, "internal.example.com")
+		_ = findRouteByDomain(t, cfg.Routes, "api.example.com")
+		_ = findRouteByDomain(t, cfg.Routes, "openrouter.ai")

As per coding guidelines, “Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.”

Also applies to: 403-403

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/controller/claw_proxy_test.go` around lines 298 - 301, The test is
brittle due to hard-coding the total route count and exact ordering; instead
remove the require.Len(t, cfg.Routes, 3) and replace the exact equality checks
with presence and relative-order assertions: verify that "api.example.com",
"openrouter.ai" and the suffix ".example.com" appear in cfg.Routes (check
cfg.Routes[i].Domain), then assert that the index of "api.example.com" is less
than the index of ".example.com" and that the index of "openrouter.ai" is less
than the index of ".example.com" (use a small helper to find indexes or loop
through cfg.Routes to compare positions). This preserves relative ordering
without relying on a fixed total or exact positions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@internal/controller/claw_proxy_test.go`:
- Around line 298-301: The test is brittle due to hard-coding the total route
count and exact ordering; instead remove the require.Len(t, cfg.Routes, 3) and
replace the exact equality checks with presence and relative-order assertions:
verify that "api.example.com", "openrouter.ai" and the suffix ".example.com"
appear in cfg.Routes (check cfg.Routes[i].Domain), then assert that the index of
"api.example.com" is less than the index of ".example.com" and that the index of
"openrouter.ai" is less than the index of ".example.com" (use a small helper to
find indexes or loop through cfg.Routes to compare positions). This preserves
relative ordering without relying on a fixed total or exact positions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 969b4eb9-9a15-402d-9ebc-051972669eba

📥 Commits

Reviewing files that changed from the base of the PR and between 8076493 and 0168c76.

📒 Files selected for processing (1)

• internal/controller/claw_proxy_test.go