From 1db2e63519e1f76f813402f7209f7de93c59e952 Mon Sep 17 00:00:00 2001
From: Shakker <shakkerdroid@gmail.com>
Date: Wed, 29 Apr 2026 20:07:20 +0100
Subject: [PATCH] fix: align provider auth checker with config evidence

---
 src/agents/model-auth.profiles.test.ts | 29 ++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/agents/model-auth.profiles.test.ts b/src/agents/model-auth.profiles.test.ts
index e598261aa30..04f357dcadf 100644
--- a/src/agents/model-auth.profiles.test.ts
+++ b/src/agents/model-auth.profiles.test.ts
@@ -17,6 +17,7 @@ import {
   resolveEnvApiKey,
   resolveModelAuthMode,
 } from "./model-auth.js";
+import { hasAuthForModelProvider } from "./model-provider-auth.js";
 
 async function expectVertexAdcEnvApiKey(params: {
   provider: string;
@@ -525,6 +526,34 @@ describe("getApiKeyForModel", () => {
     }
   });
 
+  it("uses the same trusted workspace manifest auth evidence in provider auth checks", async () => {
+    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-workspace-cloud-auth-"));
+    const credentialsPath = path.join(tempDir, "credentials.json");
+    await fs.writeFile(credentialsPath, "{}", "utf8");
+    const store = { version: 1 as const, profiles: {} };
+
+    try {
+      await withEnvAsync({ WORKSPACE_CLOUD_CREDENTIALS: credentialsPath }, async () => {
+        expect(
+          hasAuthForModelProvider({
+            provider: "workspace-cloud",
+            cfg: { plugins: { allow: ["workspace-cloud"] } },
+            store,
+          }),
+        ).toBe(true);
+        expect(
+          hasAuthForModelProvider({
+            provider: "workspace-cloud",
+            cfg: { plugins: {} },
+            store,
+          }),
+        ).toBe(false);
+      });
+    } finally {
+      await fs.rm(tempDir, { recursive: true, force: true });
+    }
+  });
+
   it("hasAvailableAuthForProvider('google') accepts GOOGLE_API_KEY fallback", async () => {
     await withEnvAsync(
       {