feat(launcher): drop dead frontmatter model + validate model name (never-break)

G1: remove the dead `model:` line from all 6 .openclaw/agents/*.md prompts —
launcher never read it; config (agent_model_*) is the single source of truth.

G2: add is_valid_model helper (format check ^claude-…$) applied inside
resolve_agent_model's resolution cascade and at the inline --fallback-model
read in _spawn. An invalid name is logged and skipped to the next valid level
(in the limit: no --model flag), never passed to the CLI, never raises. Format
check chosen over an allowlist for forward-compatibility (ADR-001).

G3 (routing) and G4 (fallback) intentionally NOT enabled — all agents stay on
claude-opus-4-8; agent_fallback_model stays "".

Docs (golden source) updated in the same change: README model/effort table +
validation, CLAUDE.md, .env.example (ORCH_AGENT_MODEL_*/EFFORT_*/FALLBACK_MODEL),
CHANGELOG. Tests: test_agent_frontmatter_no_model.py (G1), extended
test_resolve_agent_model.py (G2 never-break).

Refs: ORCH-074
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.env.example

@@ -12,6 +12,44 @@ ORCH_GITEA_WEBHOOK_SECRET=
 ORCH_CLAUDE_BIN=/usr/bin/claude
 ORCH_REPOS_DIR=/home/slin/repos
 ORCH_DB_PATH=/app/data/orchestrator.db
+
+# ── Agent model / effort / fallback (ORCH-41, validation ORCH-74) ─────────────
+# Per-agent LLM model + reasoning effort, resolved by launcher.resolve_agent_*.
+# Resolution priority (per agent): project-override (projects_json agent_models/
+# agent_efforts) > ORCH_AGENT_MODEL_<AGENT> / ORCH_AGENT_EFFORT_<AGENT> >
+# ORCH_AGENT_MODEL_DEFAULT / ORCH_AGENT_EFFORT_DEFAULT > CLI default (no flag).
+# The frontmatter `model:` in .openclaw/agents/*.md is DESCRIPTIVE only and is NOT
+# read — config below is the single source of truth for the model (ORCH-74 G1).
+#
+# ORCH-74 (G2): a resolved MODEL name is validated (^claude-…$ format check) before
+# it reaches --model. A structurally invalid name (typo, gpt-4, empty) is logged and
+# the next valid level is used (in the limit: no --model flag). Forward-compatible:
+# a future claude-* version passes without editing any allowlist. EFFORT is validated
+# against low|medium|high|xhigh|max (ORCH-41); an invalid effort is dropped.
+#
+# All 6 agents resolve to claude-opus-4-8 (model-routing G3 NOT enabled). Leave the
+# per-agent overrides empty to use the default. Do NOT hardcode the model version
+# anywhere except ORCH_AGENT_MODEL_DEFAULT.
+ORCH_AGENT_MODEL_DEFAULT=claude-opus-4-8
+ORCH_AGENT_MODEL_ANALYST=
+ORCH_AGENT_MODEL_ARCHITECT=
+ORCH_AGENT_MODEL_DEVELOPER=
+ORCH_AGENT_MODEL_REVIEWER=
+ORCH_AGENT_MODEL_TESTER=
+ORCH_AGENT_MODEL_DEPLOYER=
+# Effort split: thinking agents (analyst/architect/developer/reviewer) -> high;
+# mechanical agents (tester/deployer) -> medium.
+ORCH_AGENT_EFFORT_DEFAULT=high
+ORCH_AGENT_EFFORT_ANALYST=high
+ORCH_AGENT_EFFORT_ARCHITECT=high
+ORCH_AGENT_EFFORT_DEVELOPER=high
+ORCH_AGENT_EFFORT_REVIEWER=high
+ORCH_AGENT_EFFORT_TESTER=medium
+ORCH_AGENT_EFFORT_DEPLOYER=medium
+# Optional --fallback-model used when the primary is overloaded. Empty -> no flag
+# (G4 NOT enabled, ADR-001 ORCH-74: determinism — all agents stay on opus-4-8). A
+# non-empty value is validated by the SAME predicate as the model; a typo is dropped.
+ORCH_AGENT_FALLBACK_MODEL=
 # ORCH-042/ORCH-067: live-tracker mode. bump (DEFAULT since ORCH-067) -> on every
 # update the old card is deleted and a fresh one is sent silently to the BOTTOM of
 # the chat (deleteMessage + sendMessage + repoint), so the current status is always