fix: listmodels to always honor restricted models

fix: restrictions should resolve canonical names for openrouter
fix: tools now correctly return restricted list by presenting model names in schema
fix: tests updated to ensure these manage their expected env vars properly
perf: cache model alias resolution to avoid repeated checks

providers/openai_compatible.py

@@ -39,6 +39,7 @@ class OpenAICompatibleProvider(ModelProvider):
             base_url: Base URL for the API endpoint
             **kwargs: Additional configuration options including timeout
         """
+        self._allowed_alias_cache: dict[str, str] = {}
         super().__init__(api_key, **kwargs)
         self._client = None
         self.base_url = base_url
@@ -74,9 +75,33 @@ class OpenAICompatibleProvider(ModelProvider):
             canonical = canonical_name.lower()
 
             if requested not in self.allowed_models and canonical not in self.allowed_models:
-                raise ValueError(
-                    f"Model '{requested_name}' is not allowed by restriction policy. Allowed models: {sorted(self.allowed_models)}"
-                )
+                allowed = False
+                for allowed_entry in list(self.allowed_models):
+                    normalized_resolved = self._allowed_alias_cache.get(allowed_entry)
+                    if normalized_resolved is None:
+                        try:
+                            resolved_name = self._resolve_model_name(allowed_entry)
+                        except Exception:
+                            continue
+
+                        if not resolved_name:
+                            continue
+
+                        normalized_resolved = resolved_name.lower()
+                        self._allowed_alias_cache[allowed_entry] = normalized_resolved
+
+                    if normalized_resolved == canonical:
+                        # Canonical match discovered via alias resolution – mark as allowed and
+                        # memoise the canonical entry for future lookups.
+                        allowed = True
+                        self._allowed_alias_cache[canonical] = canonical
+                        self.allowed_models.add(canonical)
+                        break
+
+                if not allowed:
+                    raise ValueError(
+                        f"Model '{requested_name}' is not allowed by restriction policy. Allowed models: {sorted(self.allowed_models)}"
+                    )
 
     def _parse_allowed_models(self) -> Optional[set[str]]:
         """Parse allowed models from environment variable.
@@ -94,6 +119,7 @@ class OpenAICompatibleProvider(ModelProvider):
             models = {m.strip().lower() for m in models_str.split(",") if m.strip()}
             if models:
                 logging.info(f"Configured allowed models for {self.FRIENDLY_NAME}: {sorted(models)}")
+                self._allowed_alias_cache = {}
                 return models
 
         # Log info if no allow-list configured for proxy providers