Summary

• Problem: Ollama has no onboarding path. Users must configure auth cases through Ollama externally.
• Why it matters: Trying to use Ollama cloud models requires auth, but this is not obvious through the onboarding.
• What changed: Added Ollama as a first-class onboarding provider with Cloud+Local / Local-only mode, browser-based Cloud sign-in via /api/me, smart model suggestions per mode, auto-pull of missing models, and graceful fallback. Extracted shared ollama-models.ts module to avoid duplication existing models selection logic for Ollama.
• What did NOT change (scope boundary): No changes to existing provider flows, model picker logic, gateway configuration, or Ollama streaming runtime behavior. models-config.providers.discovery.ts only refactored to import shared constants from the new module.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Feature request: Add Ollama as a local model provider in QuickStart #8239
• Closes [Feature]: Configure Ollama from onboard #3494

User-visible / Behavior Changes

• New "Ollama (Cloud and local open models)" option in the onboarding provider picker:

◆  Model/auth provider
│  ○ OpenAI
│  ○ Anthropic
│  ○ Chutes
│  ○ vLLM
│  ● Ollama (Cloud and local open models)
│  ○ MiniMax
│  ○ Moonshot AI (Kimi K2.5)

• Ollama base URL prompt and Cloud+Local / Local mode selection:

◆  Ollama base URL
│  http://127.0.0.1:11434
│
◆  Ollama mode
│  ● Cloud + Local (Ollama cloud models + local models)
│  ○ Local

• Cloud mode triggers browser sign-in when not authenticated:

◇  Ollama Cloud ──────────────────────────────────╮
│                                                  │
│  Sign in to Ollama Cloud:                        │
│  https://ollama.com/connect?name=...&key=...     │
│                                                  │
├──────────────────────────────────────────────────╯
│
◇  Have you signed in?
│  Yes

• Model picker shows cloud + local models with suggested defaults first:

◆  Default model
│  ● Keep current (default: ollama/kimi-k2.5:cloud)
│  ○ Enter model manually
│  ○ ollama/glm-4.7-flash:latest
│  ○ ollama/glm-5:cloud
│  ○ ollama/kimi-k2.5:cloud
│  ○ ollama/minimax-m2.5:cloud
│  ○ ollama/qwen3.5:35b

• Auto-pulls selected model if not available locally
• Non-interactive mode (--auth-choice ollama) supported for CI/automation

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No, stores a placeholder ollama-local credential in auth-profiles for the Ollama provider (same pattern as other local providers), actual auth happens in the external Ollama server.
• New/changed network calls? Yes — fetches /api/tags, /api/me, and /api/pull from the user-configured Ollama base URL during onboarding
• Command/tool execution surface changed? No
• Data access scope changed? No
• All network calls are to the user's own Ollama instance (localhost by default) or Ollama Cloud (ollama.com) when the user explicitly selects Cloud+Local mode and authenticates via browser. No new external services contacted without user action.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22+
• Model/provider: Ollama (local + cloud)
• Integration/channel (if any): N/A
• Relevant config (redacted): Default onboarding config

Steps

1. Run openclaw onboard
2. Select "Ollama" as provider
3. Accept default base URL, select Cloud+Local or Local mode
4. Complete sign-in if Cloud+Local, select a model

Expected

• Ollama provider configured in config.yaml with discovered models
• Selected model auto-pulled if not available locally
• Auth profile stored

Actual

• All of the above works as expected

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording (terminal walkthrough above)
• Perf numbers (if relevant)

New tests: ollama-setup.test.ts (13 tests), auth-choice.apply.ollama.test.ts (2 tests), auth-choice-options.test.ts (5 tests)

Human Verification (required)

• Verified scenarios: Full interactive onboarding with Ollama Cloud+Local mode, browser sign-in, model selection
• Edge cases checked: Ollama not reachable, cloud auth rejection, model not available locally

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert commit; Ollama option disappears from onboarding, existing configs unaffected
• Files/config to restore: None, no existing config format changes

Risks and Mitigations

• Risk: Ollama Cloud /api/me endpoint behavior could change
  • Mitigation: On failure/unreachable, checkOllamaCloudAuth returns signedIn: true (assumes no cloud auth needed), so onboarding degrades gracefully