#14508: fix(models): allow forward-compat models in allowlist check

## Summary This PR fixes issue #14502 where the model allowlist blocks forward-compat fallback models like `anthropic/claude-opus-4-6`. ## Root Cause In `buildAllowedModelSet()`, models from `agents.defaults.models` are only allowed if: 1. `isCliProvider()` returns true, OR 2. `catalogKeys.has(key)` returns true, OR 3. `configuredProviders[providerKey] != null` For `anthropic/claude-opus-4-6`, none of these are true because: - Anthropic is a built-in provider (not in `models.providers`) - `opus-4-6` isn't in the Pi SDK catalog (only `opus-4-5`) - The forward-compat fallback runs AFTER the allowlist check ## Solution Added a check for **native providers** - providers that are natively supported via environment variables and don't require explicit configuration. This includes: `anthropic`, `openai`, `google`, `groq`, `xai`, `cerebras`, `mistral`, `openrouter`, `together`, `voyage`, `deepgram`, etc. The new logic adds an `else if (isNativeProvider(providerKey))` branch that allows models from native providers to be added to the allowlist even when they're not in the catalog. ## Changes - Added `NATIVE_PROVIDERS` set with all providers that work via env vars - Added `isNativeProvider()` helper function (exported for external use) - Updated `buildAllowedModelSet()` to allow native provider models - Added tests for `isNativeProvider()` and the new allowlist behavior ## Testing All existing tests pass, plus new tests for: - `isNativeProvider()` recognizes built-in providers - `buildAllowedModelSet()` allows native provider models not in catalog - Unknown providers are still blocked (unless explicitly configured) Fixes #14502 <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This change updates the model allowlist construction so that models from "native" providers (providers that can be authenticated/configured via built-in environment-variable or built-in auth handling) are considered allowlist-able even when they are not present in the curated Pi SDK model catalog. Concretely, `buildAllowedModelSet()` now adds allowlisted keys when `isNativeProvider(providerKey)` is true, which unblocks forward-compat fallback model IDs like `anthropic/claude-opus-4-6` before they appear in the catalog. The PR also adds `isNativeProvider()` (based on a `NATIVE_PROVIDERS` set) and corresponding Vitest coverage for both the helper and the new allowlist behavior. This fits into the existing model-selection pipeline where config allowlists are normalized and checked before model resolution/fallbacks happen downstream. <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk. - The change is narrowly scoped to allowlist construction and is covered by new unit tests. The native-provider set aligns with existing built-in env/auth resolution paths, and unknown providers remain blocked unless explicitly configured. - No files require special attention <!-- greptile_other_comments_section --> <!-- /greptile_comment -->