fix(xai): make x_search auth plugin-owned

[vincentkoc]

Summary

• Problem: x_search still exposed a separate core auth surface at tools.web.x_search.apiKey even though xAI auth is already plugin-owned via plugins.entries.xai.config.webSearch.apiKey / XAI_API_KEY.
• Why it matters: the extra key makes config/schema/SecretRef surfaces inconsistent, suggests a second credential is needed, and leaves migration debt after #59674.
• What changed: removed tools.web.x_search.apiKey from the canonical schema and generated SecretRef/config surfaces, moved x-search legacy migration into the shared legacy-config load path, and kept runtime behavior compatible by resolving migrated plugin-owned auth.
• What did NOT change (scope boundary): tools.web.x_search.* still exists for behavior knobs (enabled, model, inlineCitations, maxTurns, timeoutSeconds, cacheTtlMinutes); this PR does not change xAI request behavior beyond auth resolution.

Change Type (select all)

• Bug fix
• Refactor required for the fix
• Feature
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• API / contracts
• UI / DX
• Memory / storage
• Integrations
• CI/CD / infra

Linked Issue/PR

• Related !refactor(xai): move x_search config behind plugin boundary #59674
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

• Root cause: #59674 moved x_search settings behind the xAI plugin boundary but left the legacy auth slot (tools.web.x_search.apiKey) in the canonical schema and SecretRef surfaces.
• Missing detection / guardrail: migration existed, but only doctor/secrets runtime applied it explicitly; general config-load migration did not.
• Prior context (git blame, prior PR, issue, or refactor if known): #59674 established plugin-owned xSearch config but stopped short of removing the legacy auth field from core surfaces.
• Why this regressed now: the repo still advertised the old path as supported, so generated schema/docs/tests kept treating it as canonical.
• If unknown, what was ruled out: N/A.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
• Scenario the test should lock in: legacy tools.web.x_search.apiKey is migrated into plugin-owned xAI auth on normal config load, while canonical config/SecretRef surfaces no longer expose the legacy key.
• Why this is the smallest reliable guardrail: it covers both the migration seam and the generated config/registry surfaces where the stale key kept leaking back out.
• Existing test that already covers this (if any): src/config/legacy-x-search.test.ts and src/commands/doctor-legacy-config.migrations.test.ts covered doctor migration only.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

• tools.web.x_search.apiKey is no longer a canonical supported config/SecretRef surface.
• Existing configs using that legacy key still migrate automatically to plugins.entries.xai.config.webSearch.apiKey during normal config load and openclaw doctor --fix.
• x_search continues to use plugin-owned/shared xAI auth or XAI_API_KEY.

Diagram (if applicable)

Before:
legacy tools.web.x_search.apiKey -> separate x_search auth path still documented/supported

After:
legacy tools.web.x_search.apiKey -> auto-migrate on load/doctor -> plugins.entries.xai.config.webSearch.apiKey -> x_search auth

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): Yes
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: auth resolution is narrowed, not broadened. The legacy x_search key is removed from canonical SecretRef/config surfaces, while automatic migration preserves backwards compatibility.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 + pnpm
• Model/provider: xAI / Grok
• Integration/channel (if any): N/A
• Relevant config (redacted): legacy tools.web.x_search.apiKey and plugin-owned plugins.entries.xai.config.webSearch.apiKey

Steps

1. Configure legacy tools.web.x_search.apiKey and start through normal config-load/runtime paths.
2. Verify the effective runtime auth lands on plugins.entries.xai.config.webSearch.apiKey and x_search still executes.
3. Verify generated schema/docs/SecretRef surfaces no longer list tools.web.x_search.apiKey as canonical.

Expected

• Legacy key migrates automatically.
• Canonical schema/SecretRef surfaces only advertise plugin-owned/shared xAI auth.

Actual

• As expected after this patch.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: focused x-search tests, legacy migration tests, doctor migration tests, secrets runtime tests, config/schema/doc baseline tests, target-registry sync, pnpm tsgo, pnpm build.
• Edge cases checked: legacy x_search auth in source config with migrated runtime config; canonical SecretRef matrix/registry sync after removal.
• What you did not verify: full live xAI network calls.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): Yes
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: legacy tools.web.x_search.apiKey auto-migrates on load and through openclaw doctor --fix; canonical config is plugins.entries.xai.config.webSearch.apiKey or XAI_API_KEY.

Risks and Mitigations

• Risk: removing the field from the canonical schema could break older configs if migration did not run early enough.
  • Mitigation: moved x-search migration into the shared legacy-config load path and covered it with migration/runtime tests.
• Risk: generated config/SecretRef surfaces drift from the runtime behavior.
  • Mitigation: regenerated base schema, config baselines, and SecretRef matrix, and ran the sync tests.

[greptile-apps]

Greptile Summary

This PR removes tools.web.x_search.apiKey as a canonical auth surface and consolidates all xAI authentication under plugins.entries.xai.config.webSearch.apiKey, with automatic legacy migration wired into the standard migrateLegacyConfig / applyLegacyMigrations pipeline. The generated schema, SecretRef matrix, credential surface docs, and config-baseline are all updated consistently, and new tests cover the migration seam and migrated-runtime-auth flow.

The refactor is logically sound. The two P2 notes below are minor: dead computed variables in resolveXSearchApiKey left over from removing the legacy fallbacks, and a subtle narrowing of the secrets/runtime.ts validation-failure fallback path (only affects already-invalid configs).

Confidence Score: 5/5

• Safe to merge — changes are contained to the auth surface cleanup, migrations are well-tested, and runtime behavior is backward-compatible.
• All remaining findings are P2 (dead variables and an edge-case in an already-invalid-config fallback path). Neither blocks merge. The migration logic, schema removal, and test coverage are thorough.
• extensions/xai/x-search.ts (dead variables in resolveXSearchApiKey); src/secrets/runtime.ts (validation-failure fallback narrowing)

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/xai/x-search.ts
Line: 98-112

Comment:
**Dead variables left after refactor**

`sourceXSearchConfig` and `runtimeXSearchConfig` are assigned but never read — they were presumably used when the function still fell back to the legacy x_search config. After removing those fallbacks, both variables are now unreachable dead code and can be deleted.

```suggestion
function resolveXSearchApiKey(params: {
  sourceConfig?: OpenClawConfig;
  runtimeConfig?: OpenClawConfig;
}): string | undefined {
  return (
    resolveFallbackXaiApiKey(params.runtimeConfig) ??
    resolveFallbackXaiApiKey(params.sourceConfig) ??
    readProviderEnvValue(["XAI_API_KEY"])
  );
}
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/secrets/runtime.ts
Line: 171-174

Comment:
**Fallback no longer applies x_search migration on validation failure**

Previously, when `migrateLegacyConfig` returned `config: null` (migration applied but validation failed), the fallback still ran `migrateLegacyXSearchConfig` on `params.config`, so the legacy `tools.web.x_search.apiKey` was surfaced under the plugin path at runtime. Now `params.config` is used as-is, so x_search auth is not migrated in that path.

This only affects users who simultaneously have a legacy `tools.web.x_search.apiKey` **and** a separate schema violation that fails post-migration validation — an already-broken config. Worth documenting as a known edge case if there are any known consumers of this snapshot function with partially-invalid configs.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into chore/x-search-..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 77cf7bde2a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2e6da7c617

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".