fix(onboard): pin Brave web-search plugin and preserve its apiKey through build doctor

[johnellison]

Summary

Two related defects break Brave web_search out of the box when web search is enabled. Both stem from the same gap: the Brave web-search provider is an external plugin (@openclaw/brave-plugin) — exactly like the messaging channels and the diagnostics-OTEL exporter that scripts/openclaw-build-messaging-plugins.py already pins and prepares — but it was never given the same treatment.

1. Unpinned plugin drifts ahead of the host (the runtime crash)

Without an explicit pin, openclaw doctor --fix installs the plugin from the official catalog's unversioned npmSpec, so it resolves to npm latest. Once OpenClaw publishes a release the NemoClaw OPENCLAW_VERSION pin hasn't caught up to, latest drifts ahead of the host. The newer plugin imports plugin-SDK symbols the older host doesn't export, so web_search fails at runtime with:

(0 , _providerWebSearch.readPositiveIntegerParam) is not a function

Because it only breaks once latest has drifted past the pin, it reproduces intermittently — which matches the "can't reproduce on my side" back-and-forth in #3948.

Timeline:

package	2026.5.22 published	2026.6.1 published
core openclaw	May 24	Jun 3
@openclaw/brave-plugin	May 24	Jun 3

@openclaw/brave-plugin@latest is now 2026.6.1 (peerDependencies.openclaw: ">=2026.6.1"). main pins OPENCLAW_VERSION=2026.5.27 → host 2026.5.27 + plugin 2026.6.1 = incompatible. Every web-search onboard since Jun 3 is affected.

2. Build-time doctor can strip the Brave apiKey placeholder

generate-openclaw-config.mts writes tools.web.search.apiKey = "openshell:resolve:env:BRAVE_API_KEY", but the build-time openclaw doctor --fix runs with only the messaging-channel placeholders in its env. With BRAVE_API_KEY absent, doctor can mutate/strip the web-search block while repairing the config — leaving Brave search without a usable key at runtime (the literal symptom in the #3948 title: "Brave API key is not usable inside sandbox"). Caught by CodeRabbit's review here.

Fix

• Pin and install @openclaw/brave-plugin@$OPENCLAW_VERSION when NEMOCLAW_WEB_SEARCH_ENABLED is set, mirroring the messaging-channel and diagnostics-OTEL handling.
• Inject the BRAVE_API_KEY placeholder into the doctor env when web search is enabled, the same way the channel bot tokens are already injected, so doctor preserves the resolvable web-search config.

NEMOCLAW_WEB_SEARCH_ENABLED is already an ARG exported into the build ENV block this script runs under (Dockerfile), so no Dockerfile change is needed. The plugin publishes a build for every core calver (e.g. @openclaw/brave-plugin@2026.5.27 exists), so the pin always resolves.

Tests

Added cases mirroring the diagnostics-OTEL tests:

• pins @openclaw/brave-plugin@$OPENCLAW_VERSION and injects the BRAVE_API_KEY doctor-env placeholder when web search is enabled
• does not install the plugin or inject the placeholder when web search is disabled
• requires OPENCLAW_VERSION when web search is enabled

Verified the --dry-run output, --pin install ordering, and doctor-env contents against each assertion locally; the existing messaging/OTEL cases are unaffected.

Verification

On a live sandbox, swapping the drifted 2026.6.1 plugin for the OPENCLAW_VERSION-matched build makes web_search return real Brave results with no SDK error. A direct curl to api.search.brave.com returned 200 throughout — the API key and network policy were never the problem; only the plugin/host version skew and the build-time config repair.

Fixes #3948

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Build-time installer now treats the Brave web-search provider as an optional, externally pinned plugin when enabled.
  • Added validation to require a matching runtime release/version when web-search is enabled and to surface configuration errors.

• Tests

  • Added tests for web-search enablement, install spec generation, dry-run reporting, and error handling when the required version is missing.

Signed-off-by: John Ellison john@john-ellison.com

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Walkthrough

Treats the Brave web-search provider as an optional external plugin that must be pinned to OPENCLAW_VERSION when enabled; threads a web_search_enabled flag through validation, spec generation, doctor env overrides, and adds tests plus a webSearchEnabled dry-run field.

Changes

Web-search plugin support

Layer / File(s)	Summary
Web-search plugin contract and core implementation scripts/openclaw-build-messaging-plugins.py	Module docstring clarifies Brave web-search provider must be pinned to OPENCLAW_VERSION. New WEB_SEARCH_PLUGIN_PACKAGE constant introduced. require_openclaw_version, plugin_specs, and main gain/accept web_search_enabled; when enabled, OPENCLAW_VERSION is required and the Brave npm install spec is appended. --dry-run JSON includes webSearchEnabled.
Web-search plugin functional tests test/openclaw-build-messaging-plugins.test.ts	Tests verify enabling web-search includes the Brave plugin pinned to the provided version and sets webSearchEnabled true; disabling omits the Brave plugin and sets the flag false; enabling without OPENCLAW_VERSION exits non-zero with OPENCLAW_VERSION is required error.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4591: Earlier PR that introduced the npm:-prefixed install spec pattern and OPENCLAW_VERSION pinning logic extended here to the Brave web-search plugin.

Suggested labels

fix, integration: openclaw

Suggested reviewers

• cv
• prekshivyas

Poem

🐰 A brave plugin hops in with a version to keep,
Pinned to the trunk so the runtimes don't weep,
Flags in the env tell the build what to send,
Tests check the install and errors if not pinned.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: pinning the Brave web-search plugin to OPENCLAW_VERSION and preserving its apiKey configuration through the build doctor process.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

scripts/openclaw-build-messaging-plugins.py (1)

136-140: ⚡ Quick win

Include Brave API key placeholder in doctor env overrides when web search is enabled.

doctor_env_overrides(...) is still channel-only. With NEMOCLAW_WEB_SEARCH_ENABLED=1, the generated config uses openshell:resolve:env:BRAVE_API_KEY; not passing that placeholder into openclaw doctor --fix risks doctor mutating the web-search block unexpectedly.

Suggested patch

-def doctor_env_overrides(channels: Iterable[str]) -> dict[str, str]:
+def doctor_env_overrides(
+    channels: Iterable[str],
+    *,
+    web_search_enabled: bool,
+) -> dict[str, str]:
     overrides: dict[str, str] = {}
     for channel in channels:
         overrides.update(DOCTOR_ENV_BY_CHANNEL.get(channel, {}))
+    if web_search_enabled:
+        overrides["BRAVE_API_KEY"] = "openshell:resolve:env:BRAVE_API_KEY"
     return overrides
@@
-    env_overrides = doctor_env_overrides(channels)
+    env_overrides = doctor_env_overrides(
+        channels, web_search_enabled=web_search_enabled
+    )

Also applies to: 173-197

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/openclaw-build-messaging-plugins.py` around lines 136 - 140,
doctor_env_overrides currently only aggregates channel-specific entries
(DOCTOR_ENV_BY_CHANNEL) and omits the Brave API key placeholder when web search
is enabled; update doctor_env_overrides to also inject the BRAVE_API_KEY
placeholder into the returned dict when the environment flag
NEMOCLAW_WEB_SEARCH_ENABLED (or equivalent config) is truthy so that
openshell:resolve:env:BRAVE_API_KEY is present for openclaw doctor --fix; modify
the same logic area referenced further down (the other doctor env aggregation
block) to apply the same addition so both places include the Brave key
placeholder when web search is enabled, using the existing symbols
doctor_env_overrides, DOCTOR_ENV_BY_CHANNEL, and the BRAVE_API_KEY placeholder
name.

test/openclaw-build-messaging-plugins.test.ts (1)

141-153: ⚡ Quick win

Add a doctorEnv assertion for BRAVE_API_KEY in the web-search-enabled test.

This test already validates install pinning; adding a doctorEnv assertion will lock the end-to-end contract and prevent regressions in doctor --fix input shaping.

Suggested assertion

   it("pins the Brave web-search plugin to OPENCLAW_VERSION when web search is enabled", () => {
@@
     expect(payload.webSearchEnabled).toBe(true);
+    expect(payload.doctorEnv).toMatchObject({
+      BRAVE_API_KEY: "openshell:resolve:env:BRAVE_API_KEY",
+    });
     expect(payload.installSpecs).toEqual([
       "npm:`@openclaw/slack`@2026.5.22",
       "npm:`@openclaw/brave-plugin`@2026.5.22",
     ]);
   });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/openclaw-build-messaging-plugins.test.ts` around lines 141 - 153, The
test "pins the Brave web-search plugin to OPENCLAW_VERSION when web search is
enabled" currently checks install pinning but omits verifying doctorEnv; modify
that test (the one constructing payload via parseDryRun and asserting
payload.webSearchEnabled/installSpecs) to also assert that payload.doctorEnv
includes a BRAVE_API_KEY entry when NEMOCLAW_WEB_SEARCH_ENABLED is set, e.g.,
add an assertion on payload.doctorEnv (using payload.doctorEnv or
payload.doctorEnv.BRAVE_API_KEY) to ensure BRAVE_API_KEY is present and
non-empty to lock the doctor --fix contract.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/openclaw-build-messaging-plugins.py`:
- Around line 136-140: doctor_env_overrides currently only aggregates
channel-specific entries (DOCTOR_ENV_BY_CHANNEL) and omits the Brave API key
placeholder when web search is enabled; update doctor_env_overrides to also
inject the BRAVE_API_KEY placeholder into the returned dict when the environment
flag NEMOCLAW_WEB_SEARCH_ENABLED (or equivalent config) is truthy so that
openshell:resolve:env:BRAVE_API_KEY is present for openclaw doctor --fix; modify
the same logic area referenced further down (the other doctor env aggregation
block) to apply the same addition so both places include the Brave key
placeholder when web search is enabled, using the existing symbols
doctor_env_overrides, DOCTOR_ENV_BY_CHANNEL, and the BRAVE_API_KEY placeholder
name.

In `@test/openclaw-build-messaging-plugins.test.ts`:
- Around line 141-153: The test "pins the Brave web-search plugin to
OPENCLAW_VERSION when web search is enabled" currently checks install pinning
but omits verifying doctorEnv; modify that test (the one constructing payload
via parseDryRun and asserting payload.webSearchEnabled/installSpecs) to also
assert that payload.doctorEnv includes a BRAVE_API_KEY entry when
NEMOCLAW_WEB_SEARCH_ENABLED is set, e.g., add an assertion on payload.doctorEnv
(using payload.doctorEnv or payload.doctorEnv.BRAVE_API_KEY) to ensure
BRAVE_API_KEY is present and non-empty to lock the doctor --fix contract.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8e553946-5bdc-4c80-9630-a6015daf3ec6

📥 Commits

Reviewing files that changed from the base of the PR and between ec408c8 and 25389e0.

📒 Files selected for processing (2)

• scripts/openclaw-build-messaging-plugins.py
• test/openclaw-build-messaging-plugins.test.ts

[wscurran]

✨ Thanks for submitting this detailed PR about pinning the Brave web-search plugin to OPENCLAW_VERSION. This proposes a way to fix the intermittent failure in the onboarding flow.

---

Related open issues:

• #3948 [NemoClaw][Brave Search][Policy&Network] Agent still claims no web access and Brave API key is not usable inside sandbox despite brave preset enabled

[johnellison]

Updated to address @coderabbitai's review. The PR now covers both root causes of #3948:

1. Plugin version drift (the readPositiveIntegerParam runtime crash) — pin @openclaw/brave-plugin to OPENCLAW_VERSION.
2. apiKey stripped at build time (the "API key not usable" symptom) — inject the BRAVE_API_KEY placeholder into the openclaw doctor --fix env when web search is enabled, exactly as CodeRabbit suggested and matching how the channel bot tokens are already handled.

Tests now assert the doctorEnv placeholder is present when web search is on and absent when off. No Dockerfile change needed — NEMOCLAW_WEB_SEARCH_ENABLED is already plumbed into this build step.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@johnellison Excellent — the two-pronged fix looks comprehensive:

1. Plugin version drift — pinning @openclaw/brave-plugin@$OPENCLAW_VERSION at build time eliminates the readPositiveIntegerParam runtime crash when the latest tag races ahead of OPENCLAW_VERSION.
2. BRAVE_API_KEY injection — adding the placeholder to doctor_env_overrides() (gated on NEMOCLAW_WEB_SEARCH_ENABLED) mirrors the existing bot-token pattern and prevents the API key from being stripped during openclaw doctor --fix.

The test coverage for both the installSpecs pinning and the doctorEnv placeholder presence/absence is a solid approach. Together these changes should fully resolve #3948. The PR looks good from a review standpoint. Thanks for the thorough follow-through!

(๑˃ᴗ˂)ﻭ ✨

[prekshivyas]

LGTM on the code — well-reasoned and it addresses both halves of #3948:

1. Pins @openclaw/brave-plugin to OPENCLAW_VERSION (same pattern as messaging channels + diagnostics-OTEL), preventing the unversioned-catalog drift where a newer plugin imports SDK symbols the pinned host lacks (readPositiveIntegerParam is not a function) → web_search crashes → 'agent claims no web access'.
2. Injects BRAVE_API_KEY=openshell:resolve:env:BRAVE_API_KEY into the doctor --fix env so the tools.web.search.apiKey block isn't stripped — directly fixing the 'Brave key not usable' symptom. (The raw-curl 422 in the report is expected — curl doesn't carry the token.)
   Test added, logic is sound.

One thing before merge: CI currently shows only 4 checks (the python/test suite appears to have aged out on this older PR). Recommend a rebase/main-merge to re-trigger the full suite and confirm green before merging.

[prekshivyas]

@johnellison one small thing left to make CI green:

dco-check needs a sign-off line in the PR description. Edit this PR's description (the top box, not a comment) and add this line at the very bottom:

Signed-off-by: John Ellison <john@john-ellison.com>

That's all it checks — once that line is in the description, dco-check turns green.

(I already pushed a tiny Biome-format commit to clear static-checks, so that one's handled.)

[johnellison]

@prekshivyas Done — added the Signed-off-by line to the PR description and dco-check is green now. All checks should be passing; ready for merge from my side. Thanks for the pointer!