Skip to content

fix(openclaw): upsert and attach inference provider at AgentHarness sandbox creation#1964

Draft
nloke wants to merge 2 commits into
kagent-dev:mainfrom
nloke:fix/openclaw-inference-provider-not-attached
Draft

fix(openclaw): upsert and attach inference provider at AgentHarness sandbox creation#1964
nloke wants to merge 2 commits into
kagent-dev:mainfrom
nloke:fix/openclaw-inference-provider-not-attached

Conversation

@nloke
Copy link
Copy Markdown

@nloke nloke commented Jun 4, 2026

Problem

When deploying an AgentHarness using the openclaw backend, the agent starts and Slack connects successfully, but all LLM calls fail with a Connection error.

Root Cause

openclaw uses an HTTP proxy (HTTPS_PROXY=http://10.200.0.1:3128) to resolve credentials at request time. The openclaw.json config stores an unresolved placeholder:

"apiKey": "openshell:resolve:env:OPENAI_API_KEY"

When openclaw (running as UID 998) makes an LLM call, the proxy intercepts the Bearer openshell:resolve:env:OPENAI_API_KEY header, looks up OPENAI_API_KEY from the sandbox's attached inference provider, and replaces it with the real key before forwarding to the upstream LLM gateway.

ClawBackend.EnsureAgentHarness calls attachMessagingProviders to attach Slack providers but never creates or attaches an inference provider. The sandbox is created without one — the proxy has nothing to resolve and closes the connection.

Fix

Added upsertInferenceProviderForHarness wired into EnsureAgentHarness:

  1. Reads the ModelConfig referenced by the AgentHarness
  2. Resolves the API key from the referenced k8s secret
  3. Calls UpsertInferenceProvider on the OpenShell gRPC API with {OPENAI_API_KEY, OPENAI_BASE_URL}
  4. Passes the provider name into attachMessagingProviders so the sandbox is created with the provider attached

The sandbox process never holds the real key — credential resolution happens in the proxy at request time, preserving the OpenShell security model.

Files Changed

Testing

Validated end-to-end on a local kind cluster with a Slack bot (socket mode) backed by an OpenAI-compatible LiteLLM gateway. Bot receives messages and returns LLM responses after this fix.

Notes

nloke added 2 commits June 4, 2026 11:11
@nloke
fix(openclaw): fallback to conditions when AgentHarness phase=UNSPECI…
fb918dd 
…FIED

When the openclaw backend returns phase=UNSPECIFIED, the controller
would never surface Ready=True to the AgentHarness. Fall back to
checking status.conditions[Ready=True] in that case.

See: kagent-dev#1958
@nloke
fix(openclaw): upsert and attach inference provider at sandbox creation
ec051a7 
AgentHarness with openclaw backend fails all LLM calls because the
OpenShell inference provider is never attached to the sandbox. The
openclaw proxy resolves 'openshell:resolve:env:OPENAI_API_KEY' by
looking up credentials from the sandbox's attached provider — if none
is attached, the proxy closes the connection.

Fix: wire upsertInferenceProviderForHarness into EnsureAgentHarness.
It reads the ModelConfig, resolves the API key from the referenced k8s
secret, upserts the provider via OpenShell gRPC, and passes it into
attachMessagingProviders so the sandbox is created with the provider
attached.

The sandbox process never holds the real key — credential resolution
happens in the proxy at request time, preserving the security model.
@github-actions github-actions Bot added the bug Something isn't working label Jun 4, 2026
@nloke nloke mentioned this pull request Jun 4, 2026
Open
@nloke
Copy link
Copy Markdown
Author

nloke commented Jun 4, 2026

Fixes #1965

@nloke nloke mentioned this pull request Jun 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@supreme-gg-gg supreme-gg-gg Awaiting requested review from supreme-gg-gg supreme-gg-gg will be requested when the pull request is marked ready for review supreme-gg-gg is a code owner

@iplay88keys iplay88keys Awaiting requested review from iplay88keys iplay88keys will be requested when the pull request is marked ready for review iplay88keys is a code owner

@jmhbh jmhbh Awaiting requested review from jmhbh jmhbh will be requested when the pull request is marked ready for review jmhbh is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nloke