fix: align xAI tool auth profiles #79453

Merged
steipete merged 1 commit into openclaw:main from brokemac79:fix-xai-tool-auth-profiles-79353
May 10, 2026

@brokemac79 brokemac79 commented May 8, 2026

Contributor

Summary

Fixes #79353.

  • Pass trusted auth-profile provider helpers through plugin tool context so plugin factories can align with manifest auth availability.
  • Teach the bundled xAI x_search and code_execution tools to register and execute with an xAI auth profile, while preserving existing plugin config/env precedence and blocked SecretRef behavior.
  • Update xAI tool docs, missing-key guidance, and regression coverage for the auth-profile path.

Real behavior proof (required for external PRs)

  • Behavior or issue addressed: xAI x_search and code_execution failed to register when the only xAI credential was an OpenClaw xAI auth profile rather than plugin config or XAI_API_KEY.
  • Real environment tested: Windows 11 local OpenClaw checkout on this PR branch, using the real bundled xAI plugin registration path and xAI tool auth resolver. No valid live xAI API key is configured on this machine.
  • Exact steps or command run after this patch:
    • corepack pnpm exec tsx - with a local script that imports ./extensions/xai/index.ts, registers the real xAI plugin through a minimal plugin API, supplies an xAI auth-profile provider helper, and calls resolveXaiToolApiKeyWithAuth.
    • corepack pnpm test extensions/xai/src/tool-auth-shared.test.ts extensions/xai/index.test.ts extensions/xai/x-search.test.ts extensions/xai/code-execution.test.ts src/plugins/tools.optional.test.ts src/secrets/runtime-web-tools.test.ts src/config/config.web-search-provider.test.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts
  • Evidence after fix: copied local console output from the real xAI plugin registration/auth-resolution path, run outside Vitest:
> corepack pnpm exec tsx -
{
  "registeredToolNames": [
    "code_execution",
    "x_search"
  ],
  "authProfileAvailable": true,
  "resolvedApiKeyFromAuthProfile": "<auth-profile-key>",
  "registeredFromEmptyPluginConfig": true
}

Supplemental note: an earlier local execution attempt with a deliberately fake xAI auth-profile key reached xAI and failed with xAI's expected invalid-key response, confirming the auth-profile credential flowed into the real request path; I did not include that full error output because no valid live xAI credential is available here.

  • Observed result after fix: both optional xAI tools register from an empty plugin config when hasAuthForProvider("xai") is true, and the shared xAI tool auth resolver returns the auth-profile API key for execution.
  • What was not tested: a live xAI Responses API call with a valid xAI key; this machine does not have a valid xAI API key configured. The request-building/execution path is covered by targeted tests with intercepted fetch.

Verification

  • corepack pnpm test extensions/xai/src/tool-auth-shared.test.ts extensions/xai/index.test.ts extensions/xai/x-search.test.ts extensions/xai/code-execution.test.ts src/plugins/tools.optional.test.ts src/secrets/runtime-web-tools.test.ts src/config/config.web-search-provider.test.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts
  • corepack pnpm exec oxfmt --check --threads=1 extensions/xai/index.ts extensions/xai/src/tool-auth-shared.ts extensions/xai/x-search.ts extensions/xai/x-search-tool-shared.ts extensions/xai/code-execution.ts extensions/xai/src/web-search-provider.runtime.ts src/agents/openclaw-plugin-tools.ts src/plugins/tool-types.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts extensions/xai/src/tool-auth-shared.test.ts extensions/xai/x-search.test.ts extensions/xai/code-execution.test.ts docs/providers/xai.md docs/tools/web.md docs/tools/code-execution.md docs/tools/grok-search.md CHANGELOG.md
  • git diff --check origin/main...HEAD
  • corepack pnpm check:changelog-attributions
  • corepack pnpm check:changed
  • corepack pnpm exec tsgo -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo
  • corepack pnpm exec tsgo -p tsconfig.extensions.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions.tsbuildinfo
  • corepack pnpm exec tsgo -p test/tsconfig/tsconfig.core.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core-test.tsbuildinfo
  • corepack pnpm exec tsgo -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test.tsbuildinfo
  • corepack pnpm exec tsgo -p tsconfig.plugin-sdk.dts.json --declaration true
  • corepack pnpm docs:check-mdx
  • corepack pnpm docs:check-i18n-glossary
  • corepack pnpm docs:check-links

Notes: corepack pnpm build reached bundled plugin assets/postbuild, then hit the local Windows path-with-space wrapper issue in build:plugin-sdk:dts (New project split by the wrapper). The direct plugin SDK dts command above passed. Full check:docs is similarly blocked locally because its package script invokes bare pnpm; direct docs checks above passed, while markdownlint also reports an unrelated pre-existing docs/CLAUDE.md newline issue.

@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation agents Agent runtime and tooling triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. size: M labels May 8, 2026
@clawsweeper

clawsweeper Bot commented May 8, 2026

Contributor

Codex review: needs maintainer review before merge.

Summary
The PR threads auth-profile availability and API-key resolver callbacks into plugin tool context, then updates xAI x_search and code_execution runtime paths, docs, tests, and changelog to use them.

Reproducibility: yes. source-level: current main's manifest tool availability accepts xAI auth profiles, but the xAI lazy factories and execution resolver only check plugin config and env credentials. The related reporter comment confirms the same auth-profile-only setup fails in practice.

Real behavior proof
Sufficient (terminal): The PR body provides after-fix terminal output from a real Windows checkout showing xAI plugin registration and auth-profile key resolution with secret material redacted.

Next step before merge
No repair lane candidate: the patch has no blocking findings, and the remaining action is normal maintainer review and merge gating.

Security
Cleared: The diff changes credential routing through existing in-process trusted plugin-tool helpers and adds docs/tests; it introduces no new dependencies, workflows, or artifact execution paths.

Review details

Best possible solution:

Land the focused PR after maintainer review, keeping xAI tool registration and execution aligned with auth profiles while preserving explicit config and SecretRef blocking semantics.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level: current main's manifest tool availability accepts xAI auth profiles, but the xAI lazy factories and execution resolver only check plugin config and env credentials. The related reporter comment confirms the same auth-profile-only setup fails in practice.

Is this the best way to solve the issue?

Yes. The PR moves the existing auth-profile ordering and key-resolution helpers into the plugin tool context and uses xAI-owned resolver helpers, which is the narrow fix while preserving current config and SecretRef behavior.

What I checked:

  • Related report confirmation: The linked reporter confirmed that xAI chat works with an auth profile while x_search and code_execution do not register because the factory gate does not consult the auth-profile store.
  • Current-main factory gate: The current xAI lazy tool gate only accepts plugin/legacy config or XAI_API_KEY, then returns null before registering the tools when that check fails. (extensions/xai/index.ts:47, e84eb59ea288)
  • Current-main execution auth sources: The current xAI tool auth resolver checks runtime/source plugin web-search config, legacy Grok config, and env, but has no auth-profile resolver path. (extensions/xai/src/tool-auth-shared.ts:133, e84eb59ea288)
  • Manifest availability mismatch: The xAI manifest declares authSignals for xai, and manifest availability treats hasAuthForProvider("xai") as sufficient, so discovery can select tools that the current xAI factory later drops. (extensions/xai/openclaw.plugin.json:138, e84eb59ea288)
  • PR auth-order repair: The PR replaces direct profile-list availability with resolveAuthProfileOrder() and resolveApiKeyForProfile(), then passes the helpers into plugin tool context. (src/agents/openclaw-plugin-tools.ts:76, 97944aad15ed)
  • PR xAI resolver path: The PR adds async auth-profile resolution for xAI tools after configured-key/blocked-SecretRef checks and before env fallback, and both xAI tool execution paths call it. (extensions/xai/src/tool-auth-shared.ts:185, 97944aad15ed)

Likely related people:

  • @steipete: Recent GitHub file history shows repeated maintenance of the xAI plugin entry, xAI tool auth helper, xAI tool files, and related plugin-sdk/config boundaries. (role: recent maintainer; confidence: medium; commits: 6f6b8fc4650c, ea4d0a3ce7cf, b813183bfd66; files: extensions/xai/index.ts, extensions/xai/src/tool-auth-shared.ts, extensions/xai/x-search.ts)
  • @shakkernerd: Recent history shows the manifest availability gate work that is central to the mismatch between manifest auth-profile availability and xAI runtime tool registration. (role: adjacent owner; confidence: medium; commits: 3cf1dd982ba0; files: src/agents/openclaw-plugin-tools.ts, extensions/xai/openclaw.plugin.json)
  • @vincentkoc: History shows xAI config and auth ownership work around moving x_search config behind the plugin boundary and making x_search auth plugin-owned. (role: introduced adjacent xAI auth behavior; confidence: medium; commits: 3e4de956c068, 3872a866a16b, 65842aabada0; files: extensions/xai/x-search.ts, extensions/xai/src/tool-auth-shared.ts, extensions/xai/openclaw.plugin.json)
  • @huntharo: History shows earlier work adding and moving the xAI x_search and code_execution tool surfaces that this PR updates. (role: introduced xAI tool surface; confidence: medium; commits: c8ed1638eab3, b7ab0ddb5599, 0bd0097557d6; files: extensions/xai/x-search.ts, extensions/xai/code-execution.ts, docs/tools/code-execution.md)

Remaining risk / open question:

  • The proof does not include a successful live xAI Responses API call with a valid key; it covers real registration/key routing plus intercepted request tests and a fake-key reachability note.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e84eb59ea288.
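
The registration/execution mismatch described in this review, as an added TypeScript example that is not the PR's or OpenClaw's code: one resolver applies the stated order (configured key and blocked-SecretRef check, then auth profile, then env), and the registration gate is derived from that same resolver. All type and function names are hypothetical; the fail-closed handling of a blocked SecretRef and the exclusion of profiles missing from an explicit order are assumptions.

```typescript
// Added illustration: hypothetical names and types, not OpenClaw's actual API.
type Resolution =
  | { ok: true; source: "plugin-config" | "auth-profile" | "env"; apiKey: string }
  | { ok: false; reason: "blocked-secret-ref" | "no-credential" };
interface AuthProfile { id: string; provider: string; apiKey: string }
interface ToolAuthInput {
  configuredKey?: string;               // literal key from plugin config
  configuredSecretRefBlocked?: boolean; // config names a SecretRef this path may not read
  profiles: AuthProfile[];              // stored auth profiles
  authOrder?: string[];                 // explicit order; assumed to exclude unlisted profiles
  env: Record<string, string | undefined>;
}

// Explicit order wins and drops profiles it does not list.
function orderProfiles(provider: string, input: ToolAuthInput): AuthProfile[] {
  const mine = input.profiles.filter((p) => p.provider === provider);
  if (!input.authOrder) return mine;
  return input.authOrder
    .map((id) => mine.find((p) => p.id === id))
    .filter((p): p is AuthProfile => p !== undefined);
}

// Single resolver: config key, blocked-SecretRef stop, auth profile, then env.
function resolveToolKey(input: ToolAuthInput): Resolution {
  if (input.configuredKey) return { ok: true, source: "plugin-config", apiKey: input.configuredKey };
  // Assumption: a blocked SecretRef fails closed instead of falling through.
  if (input.configuredSecretRefBlocked) return { ok: false, reason: "blocked-secret-ref" };
  const profile = orderProfiles("xai", input)[0];
  if (profile) return { ok: true, source: "auth-profile", apiKey: profile.apiKey };
  const envKey = input.env["XAI_API_KEY"];
  if (envKey) return { ok: true, source: "env", apiKey: envKey };
  return { ok: false, reason: "no-credential" };
}

// Gate derived from the same resolver, so registration and execution cannot disagree.
function registerTools(input: ToolAuthInput): string[] {
  return resolveToolKey(input).ok ? ["code_execution", "x_search"] : [];
}

// Pre-fix gate as the review describes it: config or env only, no profile lookup.
function registerToolsLegacy(input: ToolAuthInput): string[] {
  return input.configuredKey || input.env["XAI_API_KEY"] ? ["code_execution", "x_search"] : [];
}

// Constructed input: auth-profile-only setup with an older profile excluded by the order.
const profileOnly: ToolAuthInput = {
  profiles: [{ id: "xai:old", provider: "xai", apiKey: "constructed-old-key" }, { id: "xai:work", provider: "xai", apiKey: "constructed-work-key" }],
  authOrder: ["xai:work"], env: {},
};
console.log(registerToolsLegacy(profileOnly), registerTools(profileOnly), resolveToolKey(profileOnly));
```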

@openclaw-barnacle openclaw-barnacle Bot added proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 8, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 8, 2026
@brokemac79 brokemac79 force-pushed the fix-xai-tool-auth-profiles-79353 branch from 54b74c7 to 56aa604 Compare May 8, 2026 17:48
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 8, 2026
@brokemac79

Contributor Author

Addressed the ClawSweeper feedback and force-pushed 56aa60461a.

What changed:

  • Routed plugin-tool auth-profile resolution through resolveAuthProfileOrder() so explicit auth.order / eligibility / cooldown behavior is honored before resolving xAI tool credentials.
  • Added a regression case where an earlier stored xAI profile is excluded by auth.order, and the plugin helper resolves the ordered profile instead.
  • Narrowed docs so Grok web_search is documented as using XAI_API_KEY or plugin web-search config, while auth-profile wording stays scoped to x_search / code_execution.
  • Rebased onto current openclaw/main (a7b359d319).

Validation run locally from O:\openclaw-pr-maintenance:

  • corepack pnpm test extensions/xai/src/tool-auth-shared.test.ts extensions/xai/index.test.ts extensions/xai/x-search.test.ts extensions/xai/code-execution.test.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts src/plugins/tools.optional.test.ts
  • corepack pnpm exec oxfmt --check --threads=1 src/agents/openclaw-plugin-tools.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts extensions/xai/src/tool-auth-shared.ts extensions/xai/src/tool-auth-shared.test.ts docs/providers/xai.md docs/tools/web.md docs/tools/code-execution.md docs/tools/grok-search.md CHANGELOG.md
  • corepack pnpm check:changed
  • corepack pnpm check:changelog-attributions
  • corepack pnpm exec oxlint -c .oxlintrc.json --type-aware --tsconfig config/tsconfig/oxlint.json --allow eslint/no-underscore-dangle --report-unused-disable-directives-severity error src/agents/openclaw-plugin-tools.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts extensions
  • git diff --check origin/main...HEAD

Fresh CI is pending on the new head.

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 8, 2026
@brokemac79 brokemac79 force-pushed the fix-xai-tool-auth-profiles-79353 branch from 56aa604 to 97944aa Compare May 9, 2026 13:30
@brokemac79

Contributor Author

Rebased this branch onto current openclaw/main (c0132e9aa3) after upstream moved again. The only conflict was CHANGELOG.md; I kept both current upstream fixes and this PR's xAI/tools auth-profile entry.

Validation after the rebase:

  • corepack pnpm test extensions/xai/code-execution.test.ts extensions/xai/src/tool-auth-shared.test.ts extensions/xai/x-search.test.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts (9 + 28 tests passed across the selected shards)
  • corepack pnpm exec oxfmt --check --threads=1 over CHANGELOG.md, docs, and touched xAI/plugin files
  • corepack pnpm check:changelog-attributions
  • corepack pnpm check:changed
  • git diff --check origin/main...HEAD

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 9, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 9, 2026
@steipete steipete force-pushed the fix-xai-tool-auth-profiles-79353 branch from 97944aa to a92ede3 Compare May 10, 2026 00:56
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 10, 2026
@steipete steipete merged commit 48f51c1 into openclaw:main May 10, 2026
113 checks passed
@steipete

Contributor

Landed via temp rebase onto main.

  • Local gate: pnpm test extensions/xai/src/tool-auth-shared.test.ts extensions/xai/index.test.ts extensions/xai/x-search.test.ts extensions/xai/code-execution.test.ts src/agents/openclaw-tools.browser-plugin.integration.test.ts src/plugins/tools.optional.test.ts; pnpm exec oxfmt --check --threads=1 ...; pnpm check:changelog-attributions; git diff --check origin/main...HEAD
  • CI gate: exact SHA a92ede389ce476bcf760f7c7dd9800a11a6ff9e2 green for CI, CodeQL, CodeQL Critical Quality, Workflow Sanity, OpenGrep, and Real behavior proof
  • Land commit: a92ede3
  • Merge commit: 48f51c1

Thanks @brokemac79!

Labels

agents Agent runtime and tooling docs Improvements or additions to documentation proof: supplied External PR includes structured after-fix real behavior proof. size: M

Development

Successfully merging this pull request may close these issues.

xai provider not registering x_search / code_execution tools even with valid Grok model