openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/providers/xai.md‎
Lines changed: 8 additions & 5 deletions b/‎docs/providers/xai.md‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎docs/tools/code-execution.md‎
Lines changed: 13 additions & 11 deletions b/‎docs/tools/code-execution.md‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎docs/tools/grok-search.md‎
Lines changed: 4 additions & 4 deletions b/‎docs/tools/grok-search.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/tools/web.md‎
Lines changed: 3 additions & 2 deletions b/‎docs/tools/web.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎extensions/xai/code-execution.test.ts‎
Lines changed: 22 additions & 0 deletions b/‎extensions/xai/code-execution.test.ts‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎extensions/xai/code-execution.ts‎
Lines changed: 12 additions & 3 deletions b/‎extensions/xai/code-execution.ts‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎extensions/xai/index.ts‎
Lines changed: 22 additions & 14 deletions b/‎extensions/xai/index.ts‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎extensions/xai/src/tool-auth-shared.test.ts‎
Lines changed: 40 additions & 0 deletions b/‎extensions/xai/src/tool-auth-shared.test.ts‎
Lines changed: 40 additions & 0 deletions
@@ -191,6 +191,7 @@ Docs: https://docs.openclaw.ai
 - Gateway/sessions: rotate generated transcript paths when gateway sessions reset, complementing the daily-rollover transcript persistence. (#79076) Thanks @vincentkoc.
 - Dependencies: pin the transitive `fast-uri` production dependency to `3.1.2` so the production dependency audit no longer resolves the vulnerable `<=3.1.1` range. Thanks @shakkernerd.
 - Plugins/install: fail managed npm plugin installs when OpenClaw cannot repair a required plugin-local `node_modules/openclaw` peer link, preventing that peer-link failure mode from producing unusable `@openclaw/codex` installs. Refs #79462. Thanks @ai-hpc.
+- xAI/tools: register and execute `x_search` and `code_execution` when the xAI API key comes from an auth profile, keeping the plugin tool gate aligned with `openclaw onboard --auth-choice xai-api-key`. Fixes #79353. Thanks @dbernaltbn.
 - Cron/agents: recognize same-target `edit`↔`write` recovery in `isSameToolMutationAction`, so a successful `write` to a path clears an earlier failed `edit` on the same path. Stops cron from reporting fatal failures when an agent self-heals across `edit` and `write`, while preserving same-tool fingerprint matching, blocking different-target writes, and excluding tools (including `apply_patch`) whose real call args do not produce a stable `path` fingerprint segment. Fixes #79024. Thanks @RenzoMXD.
 - Gateway/Tailscale: add opt-in `gateway.tailscale.preserveFunnel` so when `tailscale.mode = "serve"` and an externally configured Tailscale Funnel route already covers the gateway port, OpenClaw skips re-applying `tailscale serve` on startup and skips the `resetOnExit` teardown for that run, keeping operator-managed Funnel exposure alive across gateway restarts. Fixes #57241. Thanks @RenzoMXD.
 - CLI/router: when `openclaw <name>` does not match a CLI subcommand, check plugin tool manifests first so names like `lcm_recent` get an agent-tool diagnostic instead of the misleading suggestion to add the tool name to `plugins.allow`. Fixes #77214. Thanks @100yenadmin.
 
@@ -33,8 +33,9 @@ OpenClaw ships a bundled `xai` provider plugin for Grok models.
 
 <Note>
 OpenClaw uses the xAI Responses API as the bundled xAI transport. The same
-`XAI_API_KEY` can also power Grok-backed `web_search`, first-class `x_search`,
-and remote `code_execution`.
+API key from `openclaw onboard --auth-choice xai-api-key` can also power
+first-class `x_search` and remote `code_execution`; `XAI_API_KEY` or plugin
+web-search config can power Grok-backed `web_search` too.
 If you store an xAI key under `plugins.entries.xai.config.webSearch.apiKey`,
 the bundled xAI model provider reuses that key as a fallback too.
 Set `plugins.entries.xai.config.webSearch.baseUrl` to route Grok `web_search`
@@ -122,7 +123,8 @@ Legacy aliases still normalize to the canonical bundled ids:
 
 <AccordionGroup>
   <Accordion title="Web search">
-    The bundled `grok` web-search provider uses `XAI_API_KEY` too:
+    The bundled `grok` web-search provider can use `XAI_API_KEY` or a plugin
+    web-search key:
 
     ```bash
     openclaw config set tools.web.search.provider grok
@@ -409,8 +411,9 @@ Legacy aliases still normalize to the canonical bundled ids:
   </Accordion>
 
   <Accordion title="Known limits">
-    - Auth is API-key only today. There is no xAI OAuth or device-code flow in
-      OpenClaw yet.
+    - Auth is API-key only today. The API key may be stored in an xAI auth
+      profile, environment variable, or plugin config; there is no xAI OAuth or
+      device-code flow in OpenClaw yet.
     - `grok-4.20-multi-agent-experimental-beta-0304` is not supported on the
       normal xAI provider path because it requires a different upstream API
       surface than the standard OpenClaw xAI transport.
 
@@ -9,14 +9,14 @@ title: "Code execution"
 
 `code_execution` runs sandboxed remote Python analysis on xAI's Responses API. It is registered by the bundled `xai` plugin (under the `tools` contract) and dispatches to the same `https://api.x.ai/v1/responses` endpoint used by `x_search`.
 
-| Property           | Value                                                          |
-| ------------------ | -------------------------------------------------------------- |
-| Tool name          | `code_execution`                                               |
-| Provider plugin    | `xai` (bundled, `enabledByDefault: true`)                      |
-| Auth               | `XAI_API_KEY` or `plugins.entries.xai.config.webSearch.apiKey` |
-| Default model      | `grok-4-1-fast`                                                |
-| Default timeout    | 30 seconds                                                     |
-| Default `maxTurns` | unset (xAI applies its own internal limit)                     |
+| Property           | Value                                                                             |
+| ------------------ | --------------------------------------------------------------------------------- |
+| Tool name          | `code_execution`                                                                  |
+| Provider plugin    | `xai` (bundled, `enabledByDefault: true`)                                         |
+| Auth               | xAI auth profile, `XAI_API_KEY`, or `plugins.entries.xai.config.webSearch.apiKey` |
+| Default model      | `grok-4-1-fast`                                                                   |
+| Default timeout    | 30 seconds                                                                        |
+| Default `maxTurns` | unset (xAI applies its own internal limit)                                        |
 
 This is different from local [`exec`](/tools/exec):
 
@@ -37,7 +37,9 @@ Do **not** use it when you need local files, your shell, your repo, or paired de
 
 <Steps>
   <Step title="Provide an xAI API key">
-    Set `XAI_API_KEY` in the gateway environment, or configure the key under the xAI plugin so the same credential covers `code_execution`, `x_search`, web search, and other xAI tools:
+    Run `openclaw onboard --auth-choice xai-api-key` for `code_execution` and
+    `x_search`, or set `XAI_API_KEY` / configure the key under the xAI plugin
+    when you also want Grok web search to use the same credential:
 
     ```bash
     export XAI_API_KEY=xai-...
@@ -117,12 +119,12 @@ The tool takes a single `task` parameter internally, so the agent should send th
 
 ## Errors
 
-When the tool runs without auth, it returns a structured `missing_xai_api_key` error pointing at the env var and config path. The error is JSON, not a thrown exception, so the agent can self-correct:
+When the tool runs without auth, it returns a structured `missing_xai_api_key` error pointing at the auth-profile, env var, and config options. The error is JSON, not a thrown exception, so the agent can self-correct:
 
 ```json
 {
   "error": "missing_xai_api_key",
-  "message": "code_execution needs an xAI API key. Set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
+  "message": "code_execution needs an xAI API key. Run openclaw onboard --auth-choice xai-api-key, set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
   "docs": "https://docs.openclaw.ai/tools/code-execution"
 }
 ```
 
@@ -10,10 +10,10 @@ OpenClaw supports Grok as a `web_search` provider, using xAI web-grounded
 responses to produce AI-synthesized answers backed by live search results
 with citations.
 
-The same `XAI_API_KEY` can also power the built-in `x_search` tool for X
-(formerly Twitter) post search. If you store the key under
-`plugins.entries.xai.config.webSearch.apiKey`, OpenClaw now reuses it as a
-fallback for the bundled xAI model provider too.
+The same xAI API key can also power the built-in `x_search` tool for X
+(formerly Twitter) post search and the `code_execution` tool. If you store the
+key under `plugins.entries.xai.config.webSearch.apiKey`, OpenClaw now reuses it
+as a fallback for the bundled xAI model provider too.
 
 For post-level X metrics such as reposts, replies, bookmarks, or views, prefer
 `x_search` with the exact post URL or status ID instead of a broad search
 
@@ -255,7 +255,8 @@ When you choose **Kimi** during `openclaw onboard` or
 - the default Kimi web-search model (defaults to `kimi-k2.6`)
 
 For `x_search`, configure `plugins.entries.xai.config.xSearch.*`. It uses the
-same `XAI_API_KEY` fallback as Grok web search.
+same xAI auth profile as chat, or the `XAI_API_KEY` / plugin web-search
+credential used by Grok web search.
 Legacy `tools.web.x_search.*` config is auto-migrated by `openclaw doctor --fix`.
 When you choose Grok during `openclaw onboard` or `openclaw configure --section web`,
 OpenClaw can also offer optional `x_search` setup with the same key.
@@ -367,7 +368,7 @@ tool on the request that serves this tool call.
             cacheTtlMinutes: 15,
           },
           webSearch: {
-            apiKey: "xai-...", // optional if XAI_API_KEY is set
+            apiKey: "xai-...", // optional if an xAI auth profile or XAI_API_KEY is set
             baseUrl: "https://api.x.ai/v1", // optional shared xAI Responses base URL
           },
         },
 
@@ -65,6 +65,28 @@ describe("xai code_execution tool", () => {
     expect(tool?.name).toBe("code_execution");
   });
 
+  it("enables code_execution from an xAI auth profile and uses it for requests", async () => {
+    const mockFetch = installCodeExecutionFetch();
+    const tool = createCodeExecutionTool({
+      config: {},
+      auth: {
+        hasAuthForProvider: (providerId) => providerId === "xai",
+        resolveApiKeyForProvider: async (providerId) =>
+          providerId === "xai" ? "xai-profile-key" : undefined, // pragma: allowlist secret
+      },
+    });
+
+    expect(tool?.name).toBe("code_execution");
+    await tool?.execute?.("code-execution:auth-profile", {
+      task: "Sum [20, 22]",
+    });
+
+    const request = mockFetch.mock.calls[0]?.[1] as RequestInit | undefined;
+    expect((request?.headers as Record<string, string> | undefined)?.Authorization).toBe(
+      "Bearer xai-profile-key",
+    );
+  });
+
   it("uses the xAI Responses code_interpreter tool", async () => {
     const mockFetch = installCodeExecutionFetch();
     const tool = createCodeExecutionTool({
 
@@ -7,7 +7,11 @@ import {
   resolveXaiCodeExecutionMaxTurns,
   resolveXaiCodeExecutionModel,
 } from "./src/code-execution-shared.js";
-import { isXaiToolEnabled, resolveXaiToolApiKey } from "./src/tool-auth-shared.js";
+import {
+  isXaiToolEnabled,
+  resolveXaiToolApiKeyWithAuth,
+  type XaiToolAuthContext,
+} from "./src/tool-auth-shared.js";
 
 type CodeExecutionConfig = {
   enabled?: boolean;
@@ -53,17 +57,20 @@ function resolveCodeExecutionEnabled(params: {
   sourceConfig?: unknown;
   runtimeConfig?: unknown;
   config?: CodeExecutionConfig;
+  auth?: XaiToolAuthContext;
 }): boolean {
   return isXaiToolEnabled({
     enabled: readCodeExecutionConfigRecord(params.config)?.enabled as boolean | undefined,
     runtimeConfig: params.runtimeConfig as never,
     sourceConfig: params.sourceConfig as never,
+    auth: params.auth,
   });
 }
 
 export function createCodeExecutionTool(options?: {
   config?: unknown;
   runtimeConfig?: Record<string, unknown> | null;
+  auth?: XaiToolAuthContext;
 }) {
   const runtimeConfig = options?.runtimeConfig ?? getRuntimeConfigSnapshot();
   const codeExecutionConfig =
@@ -74,6 +81,7 @@ export function createCodeExecutionTool(options?: {
       sourceConfig: options?.config,
       runtimeConfig: runtimeConfig ?? undefined,
       config: codeExecutionConfig,
+      auth: options?.auth,
     })
   ) {
     return null;
@@ -91,15 +99,16 @@ export function createCodeExecutionTool(options?: {
       }),
     }),
     execute: async (_toolCallId: string, args: Record<string, unknown>) => {
-      const apiKey = resolveXaiToolApiKey({
+      const apiKey = await resolveXaiToolApiKeyWithAuth({
         runtimeConfig: (runtimeConfig ?? undefined) as never,
         sourceConfig: options?.config as never,
+        auth: options?.auth,
       });
       if (!apiKey) {
         return jsonResult({
           error: "missing_xai_api_key",
           message:
-            "code_execution needs an xAI API key. Set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
+            "code_execution needs an xAI API key. Run openclaw onboard --auth-choice xai-api-key, set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
           docs: "https://docs.openclaw.ai/tools/code-execution",
         });
       }
 
@@ -1,7 +1,7 @@
 import { defineSingleProviderPluginEntry } from "openclaw/plugin-sdk/provider-entry";
 import { OPENAI_COMPATIBLE_REPLAY_HOOKS } from "openclaw/plugin-sdk/provider-model-shared";
 import { defaultToolStreamExtraParams } from "openclaw/plugin-sdk/provider-stream-shared";
-import { jsonResult, readProviderEnvValue } from "openclaw/plugin-sdk/provider-web-search";
+import { jsonResult } from "openclaw/plugin-sdk/provider-web-search";
 import { Type } from "typebox";
 import {
   applyXaiRuntimeModelCompat,
@@ -16,7 +16,11 @@ import { buildXaiProvider } from "./provider-catalog.js";
 import { isModernXaiModel, resolveXaiForwardCompatModel } from "./provider-models.js";
 import { buildXaiRealtimeTranscriptionProvider } from "./realtime-transcription-provider.js";
 import { buildXaiSpeechProvider } from "./speech-provider.js";
-import { resolveFallbackXaiAuth } from "./src/tool-auth-shared.js";
+import {
+  isXaiToolEnabled,
+  resolveFallbackXaiAuth,
+  type XaiToolAuthContext,
+} from "./src/tool-auth-shared.js";
 import { resolveEffectiveXSearchConfig } from "./src/x-search-config.js";
 import { wrapXaiProviderStream } from "./stream.js";
 import { buildXaiMediaUnderstandingProvider } from "./stt.js";
@@ -44,15 +48,13 @@ function loadXSearchModule(): Promise<XSearchModule> {
   return xSearchModulePromise;
 }
 
-function hasResolvableXaiApiKey(config: unknown): boolean {
-  return Boolean(
-    resolveFallbackXaiAuth(config as never)?.apiKey || readProviderEnvValue(["XAI_API_KEY"]),
-  );
+function hasResolvableXaiApiKey(config: unknown, auth?: XaiToolAuthContext): boolean {
+  return isXaiToolEnabled({ sourceConfig: config as never, auth });
 }
 
-function isCodeExecutionEnabled(config: unknown): boolean {
+function isCodeExecutionEnabled(config: unknown, auth?: XaiToolAuthContext): boolean {
   if (!config || typeof config !== "object") {
-    return hasResolvableXaiApiKey(config);
+    return hasResolvableXaiApiKey(config, auth);
   }
   const entries = (config as Record<string, unknown>).plugins;
   const pluginEntries =
@@ -74,26 +76,28 @@ function isCodeExecutionEnabled(config: unknown): boolean {
   if (codeExecution?.enabled === false) {
     return false;
   }
-  return hasResolvableXaiApiKey(config);
+  return hasResolvableXaiApiKey(config, auth);
 }
 
-function isXSearchEnabled(config: unknown): boolean {
+function isXSearchEnabled(config: unknown, auth?: XaiToolAuthContext): boolean {
   const resolved =
     config && typeof config === "object"
       ? resolveEffectiveXSearchConfig(config as never)
       : undefined;
   if (resolved?.enabled === false) {
     return false;
   }
-  return hasResolvableXaiApiKey(config);
+  return hasResolvableXaiApiKey(config, auth);
 }
 
 function createLazyCodeExecutionTool(ctx: {
   config?: Record<string, unknown>;
   runtimeConfig?: Record<string, unknown>;
+  hasAuthForProvider?: XaiToolAuthContext["hasAuthForProvider"];
+  resolveApiKeyForProvider?: XaiToolAuthContext["resolveApiKeyForProvider"];
 }) {
   const effectiveConfig = ctx.runtimeConfig ?? ctx.config;
-  if (!isCodeExecutionEnabled(effectiveConfig)) {
+  if (!isCodeExecutionEnabled(effectiveConfig, ctx)) {
     return null;
   }
 
@@ -113,12 +117,13 @@ function createLazyCodeExecutionTool(ctx: {
       const tool = createCodeExecutionTool({
         config: ctx.config as never,
         runtimeConfig: (ctx.runtimeConfig as never) ?? null,
+        auth: ctx,
       });
       if (!tool) {
         return jsonResult({
           error: "missing_xai_api_key",
           message:
-            "code_execution needs an xAI API key. Set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
+            "code_execution needs an xAI API key. Run openclaw onboard --auth-choice xai-api-key, set XAI_API_KEY in the Gateway environment, or configure plugins.entries.xai.config.webSearch.apiKey.",
           docs: "https://docs.openclaw.ai/tools/code-execution",
         });
       }
@@ -130,9 +135,11 @@ function createLazyCodeExecutionTool(ctx: {
 function createLazyXSearchTool(ctx: {
   config?: Record<string, unknown>;
   runtimeConfig?: Record<string, unknown>;
+  hasAuthForProvider?: XaiToolAuthContext["hasAuthForProvider"];
+  resolveApiKeyForProvider?: XaiToolAuthContext["resolveApiKeyForProvider"];
 }) {
   const effectiveConfig = ctx.runtimeConfig ?? ctx.config;
-  if (!isXSearchEnabled(effectiveConfig)) {
+  if (!isXSearchEnabled(effectiveConfig, ctx)) {
     return null;
   }
 
@@ -141,6 +148,7 @@ function createLazyXSearchTool(ctx: {
     const tool = createXSearchTool({
       config: ctx.config as never,
       runtimeConfig: (ctx.runtimeConfig as never) ?? null,
+      auth: ctx,
     });
     if (!tool) {
       return jsonResult(buildMissingXSearchApiKeyPayload());
 
@@ -5,6 +5,7 @@ import {
   resolveFallbackXaiAuth,
   resolveFallbackXaiApiKey,
   resolveXaiToolApiKey,
+  resolveXaiToolApiKeyWithAuth,
 } from "./tool-auth-shared.js";
 
 describe("xai tool auth helpers", () => {
@@ -138,6 +139,17 @@ describe("xai tool auth helpers", () => {
     expect(isXaiToolEnabled({ enabled: true })).toBe(true);
   });
 
+  it("uses xAI auth profiles when tool config and env are absent", async () => {
+    const auth = {
+      hasAuthForProvider: (providerId: string) => providerId === "xai",
+      resolveApiKeyForProvider: async (providerId: string) =>
+        providerId === "xai" ? "profile-key" : undefined, // pragma: allowlist secret
+    };
+
+    expect(isXaiToolEnabled({ auth })).toBe(true);
+    await expect(resolveXaiToolApiKeyWithAuth({ auth })).resolves.toBe("profile-key");
+  });
+
   it("does not use env fallback when a non-env SecretRef is configured but unavailable", () => {
     vi.stubEnv("XAI_API_KEY", "env-key");
 
@@ -164,6 +176,34 @@ describe("xai tool auth helpers", () => {
     ).toBeUndefined();
   });
 
+  it("does not bypass blocked explicit tool config with auth profiles", async () => {
+    const auth = {
+      hasAuthForProvider: (providerId: string) => providerId === "xai",
+      resolveApiKeyForProvider: async () => "profile-key", // pragma: allowlist secret
+    };
+
+    const sourceConfig = {
+      plugins: {
+        entries: {
+          xai: {
+            config: {
+              webSearch: {
+                apiKey: {
+                  source: "file",
+                  provider: "vault",
+                  id: "/xai/tool-key",
+                },
+              },
+            },
+          },
+        },
+      },
+    };
+
+    expect(isXaiToolEnabled({ sourceConfig, auth })).toBe(false);
+    await expect(resolveXaiToolApiKeyWithAuth({ sourceConfig, auth })).resolves.toBeUndefined();
+  });
+
   it("resolves env SecretRefs from source config when runtime snapshot is unavailable", () => {
     vi.stubEnv("XAI_API_KEY", "xai-secretref-key");