xAI: restore generic auth and x_search seams

huntharo · steipete · commit c8ed1638eab3 · 2026-03-28T21:35:13.000Z
diff --git a/extensions/xai/api.ts b/extensions/xai/api.ts
@@ -14,17 +14,7 @@ export {
   XAI_DEFAULT_MAX_TOKENS,
 } from "./model-definitions.js";
 export { isModernXaiModel, resolveXaiForwardCompatModel } from "./provider-models.js";
-export {
-  __testing as xSearchTesting,
-  buildXaiXSearchPayload,
-  requestXaiXSearch,
-  resolveXaiXSearchInlineCitations,
-  resolveXaiXSearchMaxTurns,
-  resolveXaiXSearchModel,
-  type XaiXSearchOptions,
-} from "./src/x-search-shared.js";
-import { normalizeXaiModelId } from "./model-id.js";
-export { normalizeXaiModelId };
+export { normalizeXaiModelId } from "./model-id.js";
 
 export const XAI_TOOL_SCHEMA_PROFILE = "xai";
 export const HTML_ENTITY_TOOL_CALL_ARGUMENTS_ENCODING = "html-entities";
diff --git a/extensions/xai/x-search.ts b/extensions/xai/x-search.ts
@@ -0,0 +1,8 @@
+export {
+  buildXaiXSearchPayload,
+  requestXaiXSearch,
+  resolveXaiXSearchInlineCitations,
+  resolveXaiXSearchMaxTurns,
+  resolveXaiXSearchModel,
+  type XaiXSearchOptions,
+} from "./src/x-search-shared.js";
diff --git a/src/agents/models-config.providers.secrets.ts b/src/agents/models-config.providers.secrets.ts
@@ -2,6 +2,7 @@ import type { OpenClawConfig } from "../config/config.js";
 import { coerceSecretRef, resolveSecretInputRef } from "../config/types.secrets.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { formatApiKeyPreview } from "../plugins/provider-auth-input.js";
+import { resolveProviderSyntheticAuthWithPlugin } from "../plugins/provider-runtime.js";
 import { normalizeOptionalSecretInput } from "../utils/normalize-secret-input.js";
 import { listProfilesForProvider } from "./auth-profiles/profiles.js";
 import { ensureAuthProfileStore } from "./auth-profiles/store.js";
@@ -13,7 +14,6 @@ import {
   resolveNonEnvSecretRefHeaderValueMarker,
 } from "./model-auth-markers.js";
 import { resolveAwsSdkEnvVarName } from "./model-auth-runtime-shared.js";
-import { normalizeProviderId } from "./provider-id.js";
 
 type ModelsConfig = NonNullable<OpenClawConfig["models"]>;
 export type ProviderConfig = NonNullable<ModelsConfig["providers"]>[string];
@@ -438,34 +438,16 @@ function resolveConfigBackedProviderAuth(params: { provider: string; config?: Op
       source: "config";
     }
   | undefined {
-  let apiKey: string | undefined;
-  if (normalizeProviderId(params.provider) === "xai") {
-    const pluginApiKey = normalizeOptionalSecretInput(
-      params.config?.plugins?.entries?.xai?.config &&
-        typeof params.config.plugins.entries.xai.config === "object" &&
-        !Array.isArray(params.config.plugins.entries.xai.config)
-        ? ((params.config.plugins.entries.xai.config as { webSearch?: { apiKey?: unknown } })
-            .webSearch?.apiKey ?? undefined)
-        : undefined,
-    );
-    const pluginApiKeyRef = coerceSecretRef(
-      params.config?.plugins?.entries?.xai?.config &&
-        typeof params.config.plugins.entries.xai.config === "object" &&
-        !Array.isArray(params.config.plugins.entries.xai.config)
-        ? ((params.config.plugins.entries.xai.config as { webSearch?: { apiKey?: unknown } })
-            .webSearch?.apiKey ?? undefined)
-        : undefined,
-    );
-    const legacyApiKey = normalizeOptionalSecretInput(
-      params.config?.tools?.web?.search?.grok?.apiKey,
-    );
-    const legacyApiKeyRef = coerceSecretRef(params.config?.tools?.web?.search?.grok?.apiKey);
-    apiKey =
-      pluginApiKey ??
-      (pluginApiKeyRef ? resolveNonEnvSecretRefApiKeyMarker(pluginApiKeyRef.source) : undefined) ??
-      legacyApiKey ??
-      (legacyApiKeyRef ? resolveNonEnvSecretRefApiKeyMarker(legacyApiKeyRef.source) : undefined);
-  }
+  const synthetic = resolveProviderSyntheticAuthWithPlugin({
+    provider: params.provider,
+    config: params.config,
+    context: {
+      config: params.config,
+      provider: params.provider,
+      providerConfig: params.config?.models?.providers?.[params.provider],
+    },
+  });
+  const apiKey = synthetic?.apiKey?.trim();
   if (!apiKey) {
     if (shouldTraceProviderAuth(params.provider)) {
       log.info("[xai-auth] bootstrap config fallback: no config-backed key found");
diff --git a/src/agents/tools/x-search.ts b/src/agents/tools/x-search.ts
@@ -1,13 +1,12 @@
 import { Type } from "@sinclair/typebox";
 import {
-  xSearchTesting as xaiXSearchTesting,
   buildXaiXSearchPayload,
   requestXaiXSearch,
   resolveXaiXSearchInlineCitations,
   resolveXaiXSearchMaxTurns,
   resolveXaiXSearchModel,
   type XaiXSearchOptions,
-} from "../../../extensions/xai/api.js";
+} from "../../../extensions/xai/x-search.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { resolveProviderWebSearchPluginConfig } from "../../plugin-sdk/provider-web-search.js";
 import type { RuntimeWebXSearchMetadata } from "../../secrets/runtime-web-tools.types.js";
@@ -259,9 +258,13 @@ export function createXSearchTool(options?: {
 
 export const __testing = {
   buildXSearchCacheKey,
+  buildXaiXSearchPayload,
   normalizeOptionalIsoDate,
+  requestXaiXSearch,
+  resolveXaiXSearchInlineCitations,
+  resolveXaiXSearchMaxTurns,
+  resolveXaiXSearchModel,
   resolveXSearchApiKey,
   resolveXSearchConfig,
   resolveXSearchEnabled,
-  ...xaiXSearchTesting,
 } as const;
diff --git a/src/plugins/public-artifacts.ts b/src/plugins/public-artifacts.ts
@@ -46,6 +46,7 @@ const EXTRA_GUARDED_EXTENSION_PUBLIC_SURFACE_BASENAMES = assertUniqueValues(
     "setup-api.js",
     "setup-entry.js",
     "timeouts.js",
+    "x-search.js",
   ] as const,
   "extra guarded extension public surface basename",
 );
