openclaw
diff --git a/‎docs/.generated/config-baseline.json‎
Lines changed: 6 additions & 84 deletions b/‎docs/.generated/config-baseline.json‎
Lines changed: 6 additions & 84 deletions
diff --git a/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 7 additions & 11 deletions b/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 7 additions & 11 deletions
diff --git a/‎docs/reference/secretref-credential-surface.md‎
Lines changed: 0 additions & 1 deletion b/‎docs/reference/secretref-credential-surface.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/reference/secretref-user-supplied-credentials-matrix.json‎
Lines changed: 0 additions & 7 deletions b/‎docs/reference/secretref-user-supplied-credentials-matrix.json‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎extensions/xai/x-search.test.ts‎
Lines changed: 38 additions & 0 deletions b/‎extensions/xai/x-search.test.ts‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎extensions/xai/x-search.ts‎
Lines changed: 2 additions & 21 deletions b/‎extensions/xai/x-search.ts‎
Lines changed: 2 additions & 21 deletions
diff --git a/‎src/commands/doctor-legacy-config.migrations.test.ts‎
Lines changed: 5 additions & 9 deletions b/‎src/commands/doctor-legacy-config.migrations.test.ts‎
Lines changed: 5 additions & 9 deletions
diff --git a/‎src/config/legacy-migrate.test.ts‎
Lines changed: 32 additions & 0 deletions b/‎src/config/legacy-migrate.test.ts‎
Lines changed: 32 additions & 0 deletions
@@ -67338,69 +67338,14 @@
       "tags": [],
       "hasChildren": true
     },
-    {
-      "path": "tools.web.x_search.apiKey",
-      "kind": "core",
-      "type": [
-        "object",
-        "string"
-      ],
-      "required": false,
-      "deprecated": false,
-      "sensitive": true,
-      "tags": [
-        "auth",
-        "security",
-        "tools"
-      ],
-      "label": "xAI API Key",
-      "help": "xAI API key for X search (fallback: XAI_API_KEY env var).",
-      "hasChildren": true
-    },
-    {
-      "path": "tools.web.x_search.apiKey.id",
-      "kind": "core",
-      "type": "string",
-      "required": true,
-      "deprecated": false,
-      "sensitive": false,
-      "tags": [],
-      "hasChildren": false
-    },
-    {
-      "path": "tools.web.x_search.apiKey.provider",
-      "kind": "core",
-      "type": "string",
-      "required": true,
-      "deprecated": false,
-      "sensitive": false,
-      "tags": [],
-      "hasChildren": false
-    },
-    {
-      "path": "tools.web.x_search.apiKey.source",
-      "kind": "core",
-      "type": "string",
-      "required": true,
-      "deprecated": false,
-      "sensitive": false,
-      "tags": [],
-      "hasChildren": false
-    },
     {
       "path": "tools.web.x_search.cacheTtlMinutes",
       "kind": "core",
       "type": "number",
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "performance",
-        "storage",
-        "tools"
-      ],
-      "label": "X Search Cache TTL (min)",
-      "help": "Cache TTL in minutes for x_search results.",
+      "tags": [],
       "hasChildren": false
     },
     {
@@ -67410,11 +67355,7 @@
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "tools"
-      ],
-      "label": "Enable X Search Tool",
-      "help": "Enable the x_search tool (requires XAI_API_KEY or tools.web.x_search.apiKey).",
+      "tags": [],
       "hasChildren": false
     },
     {
@@ -67424,11 +67365,7 @@
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "tools"
-      ],
-      "label": "X Search Inline Citations",
-      "help": "Keep inline citations from xAI in x_search responses when available (default: false).",
+      "tags": [],
       "hasChildren": false
     },
     {
@@ -67438,12 +67375,7 @@
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "performance",
-        "tools"
-      ],
-      "label": "X Search Max Turns",
-      "help": "Optional max internal search/tool turns xAI may use per x_search request. Omit to let xAI choose.",
+      "tags": [],
       "hasChildren": false
     },
     {
@@ -67453,12 +67385,7 @@
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "models",
-        "tools"
-      ],
-      "label": "X Search Model",
-      "help": "Model to use for X search (default: \"grok-4-1-fast-non-reasoning\").",
+      "tags": [],
       "hasChildren": false
     },
     {
@@ -67468,12 +67395,7 @@
       "required": false,
       "deprecated": false,
       "sensitive": false,
-      "tags": [
-        "performance",
-        "tools"
-      ],
-      "label": "X Search Timeout (sec)",
-      "help": "Timeout in seconds for x_search requests.",
+      "tags": [],
       "hasChildren": false
     },
     {
 
@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5781}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5777}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -5742,16 +5742,12 @@
 {"recordType":"path","path":"tools.web.search.provider","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Web Search Provider","help":"Search provider id. Auto-detected from available API keys if omitted.","hasChildren":false}
 {"recordType":"path","path":"tools.web.search.timeoutSeconds","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance","tools"],"label":"Web Search Timeout (sec)","help":"Timeout in seconds for web_search requests.","hasChildren":false}
 {"recordType":"path","path":"tools.web.x_search","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":true}
-{"recordType":"path","path":"tools.web.x_search.apiKey","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["auth","security","tools"],"label":"xAI API Key","help":"xAI API key for X search (fallback: XAI_API_KEY env var).","hasChildren":true}
-{"recordType":"path","path":"tools.web.x_search.apiKey.id","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.apiKey.provider","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.apiKey.source","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.cacheTtlMinutes","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["performance","storage","tools"],"label":"X Search Cache TTL (min)","help":"Cache TTL in minutes for x_search results.","hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.enabled","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"Enable X Search Tool","help":"Enable the x_search tool (requires XAI_API_KEY or tools.web.x_search.apiKey).","hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.inlineCitations","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["tools"],"label":"X Search Inline Citations","help":"Keep inline citations from xAI in x_search responses when available (default: false).","hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.maxTurns","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance","tools"],"label":"X Search Max Turns","help":"Optional max internal search/tool turns xAI may use per x_search request. Omit to let xAI choose.","hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.model","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["models","tools"],"label":"X Search Model","help":"Model to use for X search (default: \"grok-4-1-fast-non-reasoning\").","hasChildren":false}
-{"recordType":"path","path":"tools.web.x_search.timeoutSeconds","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance","tools"],"label":"X Search Timeout (sec)","help":"Timeout in seconds for x_search requests.","hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.cacheTtlMinutes","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.enabled","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.inlineCitations","kind":"core","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.maxTurns","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.model","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
+{"recordType":"path","path":"tools.web.x_search.timeoutSeconds","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
 {"recordType":"path","path":"ui","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"UI","help":"UI presentation settings for accenting and assistant identity shown in control surfaces. Use this for branding and readability customization without changing runtime behavior.","hasChildren":true}
 {"recordType":"path","path":"ui.assistant","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Assistant Appearance","help":"Assistant display identity settings for name and avatar shown in UI surfaces. Keep these values aligned with your operator-facing persona and support expectations.","hasChildren":true}
 {"recordType":"path","path":"ui.assistant.avatar","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Assistant Avatar","help":"Assistant avatar image source used in UI surfaces (URL, path, or data URI depending on runtime support). Use trusted assets and consistent branding dimensions for clean rendering.","hasChildren":false}
 
@@ -39,7 +39,6 @@ Scope intent:
 - `plugins.entries.firecrawl.config.webSearch.apiKey`
 - `plugins.entries.tavily.config.webSearch.apiKey`
 - `tools.web.search.apiKey`
-- `tools.web.x_search.apiKey`
 - `gateway.auth.password`
 - `gateway.auth.token`
 - `gateway.remote.token`
 
@@ -523,13 +523,6 @@
       "path": "tools.web.search.apiKey",
       "secretShape": "secret_input",
       "optIn": true
-    },
-    {
-      "id": "tools.web.x_search.apiKey",
-      "configFile": "openclaw.json",
-      "path": "tools.web.x_search.apiKey",
-      "secretShape": "secret_input",
-      "optIn": true
     }
   ]
 }
@@ -231,6 +231,44 @@ describe("xai x_search tool", () => {
     );
   });
 
+  it("uses migrated runtime auth when the source config still carries legacy x_search apiKey", async () => {
+    const mockFetch = installXSearchFetch();
+    const tool = createXSearchTool({
+      config: {
+        tools: {
+          web: {
+            x_search: {
+              apiKey: "legacy-x-search-key", // pragma: allowlist secret
+              enabled: true,
+            } as Record<string, unknown>,
+          },
+        },
+      },
+      runtimeConfig: {
+        plugins: {
+          entries: {
+            xai: {
+              config: {
+                webSearch: {
+                  apiKey: "migrated-runtime-key", // pragma: allowlist secret
+                },
+              },
+            },
+          },
+        },
+      },
+    });
+
+    await tool?.execute?.("x-search:migrated-runtime-key", {
+      query: "migrated runtime auth",
+    });
+
+    const request = mockFetch.mock.calls[0]?.[1] as RequestInit | undefined;
+    expect((request?.headers as Record<string, string> | undefined)?.Authorization).toBe(
+      "Bearer migrated-runtime-key",
+    );
+  });
+
   it("rejects invalid date ordering before calling xAI", async () => {
     const mockFetch = installXSearchFetch();
     const tool = createXSearchTool({
 
@@ -77,11 +77,6 @@ function resolveFallbackXaiApiKey(cfg?: OpenClawConfig): string | undefined {
   return readPluginXaiWebSearchApiKey(cfg) ?? readLegacyGrokApiKey(cfg);
 }
 
-function readLegacyXSearchApiKey(cfg?: OpenClawConfig): string | undefined {
-  const legacyConfig = resolveLegacyXSearchConfig(cfg);
-  return readConfiguredSecretString(legacyConfig?.apiKey, "tools.web.x_search.apiKey");
-}
-
 function resolveXSearchConfig(cfg?: OpenClawConfig): Record<string, unknown> | undefined {
   return resolveEffectiveXSearchConfig(cfg);
 }
@@ -94,33 +89,19 @@ function resolveXSearchEnabled(params: {
   if (params.config?.enabled === false) {
     return false;
   }
-  if (
-    resolveFallbackXaiApiKey(params.runtimeConfig) ||
-    readLegacyXSearchApiKey(params.runtimeConfig)
-  ) {
+  if (resolveFallbackXaiApiKey(params.runtimeConfig)) {
     return true;
   }
-  return Boolean(
-    resolveFallbackXaiApiKey(params.cfg) ||
-    readLegacyXSearchApiKey(params.cfg) ||
-    readProviderEnvValue(["XAI_API_KEY"]),
-  );
+  return Boolean(resolveFallbackXaiApiKey(params.cfg) || readProviderEnvValue(["XAI_API_KEY"]));
 }
 
 function resolveXSearchApiKey(params: {
   sourceConfig?: OpenClawConfig;
   runtimeConfig?: OpenClawConfig;
 }): string | undefined {
-  const sourceXSearchConfig = resolveXSearchConfig(params.sourceConfig);
-  const runtimeXSearchConfig =
-    params.runtimeConfig && params.runtimeConfig !== params.sourceConfig
-      ? resolveXSearchConfig(params.runtimeConfig)
-      : undefined;
   return (
     resolveFallbackXaiApiKey(params.runtimeConfig) ??
     resolveFallbackXaiApiKey(params.sourceConfig) ??
-    readLegacyXSearchApiKey(params.runtimeConfig) ??
-    readLegacyXSearchApiKey(params.sourceConfig) ??
     readProviderEnvValue(["XAI_API_KEY"])
   );
 }
 
@@ -125,7 +125,7 @@ describe("normalizeCompatibilityConfigValues", () => {
     ]);
   });
 
-  it("migrates legacy x_search config into xai plugin-owned config", () => {
+  it("migrates legacy x_search auth into xai plugin-owned config", () => {
     const res = normalizeCompatibilityConfigValues({
       tools: {
         web: {
@@ -138,25 +138,21 @@ describe("normalizeCompatibilityConfigValues", () => {
       },
     });
 
-    expect(
-      (res.config.tools?.web as Record<string, unknown> | undefined)?.x_search,
-    ).toBeUndefined();
+    expect((res.config.tools?.web as Record<string, unknown> | undefined)?.x_search).toEqual({
+      enabled: true,
+      model: "grok-4-1-fast",
+    });
     expect(res.config.plugins?.entries?.xai).toEqual({
       enabled: true,
       config: {
         webSearch: {
           apiKey: "xai-legacy-key",
         },
-        xSearch: {
-          enabled: true,
-          model: "grok-4-1-fast",
-        },
       },
     });
     expect(res.changes).toEqual(
       expect.arrayContaining([
         "Moved tools.web.x_search.apiKey → plugins.entries.xai.config.webSearch.apiKey.",
-        "Moved tools.web.x_search → plugins.entries.xai.config.xSearch.",
       ]),
     );
   });
 
@@ -286,6 +286,38 @@ describe("legacy migrate tts provider shape", () => {
   });
 });
 
+describe("legacy migrate x_search auth", () => {
+  it("moves only legacy x_search auth into plugin-owned xai config", () => {
+    const res = migrateLegacyConfig({
+      tools: {
+        web: {
+          x_search: {
+            apiKey: "xai-legacy-key",
+            enabled: true,
+            model: "grok-4-1-fast",
+          },
+        },
+      },
+    });
+
+    expect((res.config?.tools?.web as Record<string, unknown> | undefined)?.x_search).toEqual({
+      enabled: true,
+      model: "grok-4-1-fast",
+    });
+    expect(res.config?.plugins?.entries?.xai).toEqual({
+      enabled: true,
+      config: {
+        webSearch: {
+          apiKey: "xai-legacy-key",
+        },
+      },
+    });
+    expect(res.changes).toEqual([
+      "Moved tools.web.x_search.apiKey → plugins.entries.xai.config.webSearch.apiKey.",
+    ]);
+  });
+});
+
 describe("legacy migrate heartbeat config", () => {
   it("moves top-level heartbeat into agents.defaults.heartbeat", () => {
     const res = migrateLegacyConfig({
Original file line number	Diff line number	Diff line change
`@@ -523,13 +523,6 @@`
`523`	`523`	`"path": "tools.web.search.apiKey",`
`524`	`524`	`"secretShape": "secret_input",`
`525`	`525`	`"optIn": true`
`526`		`- },`
`527`		`- {`
`528`		`- "id": "tools.web.x_search.apiKey",`
`529`		`- "configFile": "openclaw.json",`
`530`		`- "path": "tools.web.x_search.apiKey",`
`531`		`- "secretShape": "secret_input",`
`532`		`- "optIn": true`
`533`	`526`	`}`
`534`	`527`	`]`
`535`	`528`	`}`