[Feature]: Normalize Brave web search key path to tools.web.search.brave.apiKey (with backward-compatible alias)

[kesku]

Summary

Make Brave search key config symmetric with other providers by using tools.web.search.brave.apiKey as the primary path, while keeping tools.web.search.apiKey as a backward-compatible alias

• src/agents/tools/web-search.ts: resolveSearchApiKey should read search.brave.apiKey first, then alias fallback
• src/commands/onboard-search.ts: applySearchKey and resolveExistingKey should write/read canonical Brave path and support alias read
• src/config/zod-schema.agent-runtime.ts: add search.brave.apiKey; keep top-level search.apiKey accepted for compatibility
• src/config/schema.labels.ts: update Brave label to canonical nested key
• src/config/schema.help.ts: update help text to canonical key + compatibility note
• src/secrets/target-registry-data.ts: add tools.web.search.brave.apiKey target
• src/secrets/runtime-config-collectors-core.ts: collect canonical Brave key (plus alias fallback during migration)

Compatibility behavior:

• Read canonical first, then alias.
• Write canonical only (onboarding/new config)

Problem to solve

Brave is the only search provider using the top-level key path (tools.web.search.apiKey), while others use tools.web.search..apiKey. This asymmetry creates avoidable config confusion and special-case code paths in onboarding, schema/help labels, secret targets, and runtime collectors

Proposed solution

Adopt tools.web.search.brave.apiKey as the canonical Brave key path and keep tools.web.search.apiKey as a deprecated fallback alias for backward compatibility

Alternatives considered

Keep current special-case top-level Brave key. Rejected because it preserves inconsistency, there are 5 other search options!

Impact

Affected: users configuring web search providers and maintainers touching config/runtime/secrets code
Severity: Medium
Frequency: Whenever web search is configured or onboarding/search tooling is changed
Consequence: Higher support/debug cost and increased chance of key-path misconfiguration

Evidence/examples

• resolveSearchApiKey fallback to BRAVE_API_KEY
• schema/help text references “Brave Search API Key” and top-level path
• other providers are nested under search.<provider>.apiKey

Additional information

No response

[Sid-Qin]

Submitted a fix in PR #34600. Normalized Brave search key to tools.web.search.brave.apiKey with backward-compatible fallback to the legacy top-level apiKey path. Changes span 12 files across schema, resolution, wizard, audit, and docs.

[steipete]

Closing this as implemented after Codex review.

Current main already resolves the underlying request, but via the newer plugin-owned Brave credential path plugins.entries.brave.config.webSearch.apiKey instead of the proposed intermediate tools.web.search.brave.apiKey. The legacy tools.web.search.apiKey path is still supported as a compatibility alias, onboarding writes the canonical provider-owned location, doctor migrates the legacy key forward, and the docs mark the old path as legacy. This behavior is already present in the v2026.4.22 release tree.

What I checked:

• Brave canonical credential path is plugin-owned now: The Brave web-search provider declares plugins.entries.brave.config.webSearch.apiKey as its credential path. (extensions/brave/src/brave-web-search-provider.ts:8, 9153598e659d)
• Legacy top-level key still works as compatibility alias: Brave runtime resolves the configured plugin key and still falls back through readConfiguredSecretString(..., "tools.web.search.apiKey"), preserving backward compatibility. (extensions/brave/src/brave-web-search-provider.runtime.ts:46, 9153598e659d)
• Manifest explicitly advertises compatibility runtime path: The Brave plugin manifest keeps tools.web.search.apiKey in compatibilityRuntimePaths, which is the compatibility hook for old config. (extensions/brave/openclaw.plugin.json:21, 9153598e659d)
• Onboarding/setup writes and reads provider-owned config generically: Search setup resolves existing keys from provider entries and writes keys back through each provider's configured credential setter, so Brave onboarding now targets the provider-owned canonical path instead of the legacy top-level field. (src/flows/search-setup.ts:135, 9153598e659d)
• Doctor migrates old key into Brave plugin config: Legacy tools.web.search.apiKey is migrated to plugins.entries.brave.config.webSearch.apiKey when only the old top-level key exists. (src/commands/doctor/shared/legacy-web-search-migrate.ts:63, 9153598e659d)
• Docs and secret surfaces reflect canonical-plus-legacy behavior: Docs say Brave settings now live under plugins.entries.brave.config.webSearch.* and call tools.web.search.apiKey a legacy compatibility shim; the generated secret-surface docs list both the canonical Brave plugin key and the legacy alias. Public docs: docs/brave-search.md. (docs/brave-search.md:47, 9153598e659d)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 9153598e659d; fix evidence: release v2026.4.22, commit 00bd2cf7a376.