feat(xai): add device code OAuth login

[fuller-stack-dev]

Summary

• add xAI OAuth device-code login using auth.x.ai device authorization and token polling
• register the new xai-device-code auth choice alongside API key and loopback OAuth
• document the remote/VPS-friendly login commands and cover the flow in xAI tests

Real behavior proof

• Behavior or issue addressed: xAI device-code login can be selected in OpenClaw without a localhost callback and prints a local-browser verification URL/code for remote/VPS use.
• Real environment tested: macOS source checkout at /Users/wilfred/.openclaw/workspace/core/openclaw-main-runtime, Node 24.14, OpenClaw source CLI 2026.5.19 (f5af40c3d9), source bundled plugins loaded via OPENCLAW_BUNDLED_PLUGINS_DIR=extensions, remote detection forced with SSH_TTY=/dev/pts/0.
• Exact steps or command run after this patch:

OPENCLAW_BUNDLED_PLUGINS_DIR=extensions SSH_TTY=/dev/pts/0 \
  node --import tsx src/entry.ts --profile xai-pr-proof \
  models auth login --provider xai --device-code

• Evidence after fix: terminal output from the command above, with the short-lived user code redacted:

OpenClaw 2026.5.19 (f5af40c3d9)
◓ Requesting xAI device code
◇ xAI device code
Open this URL in your LOCAL browser and enter the code below.
URL: https://accounts.x.ai/oauth2/device?user_code=<redacted>
Code: <redacted>
Code expires in 15 minutes. Never share it.

Open this URL in your LOCAL browser:

https://accounts.x.ai/oauth2/device

◑ Waiting for xAI device authorization...

Live xAI discovery used by the flow:

curl https://auth.x.ai/.well-known/openid-configuration
issuer=https://auth.x.ai
device_authorization_endpoint=https://auth.x.ai/oauth2/device/code
token_endpoint=https://auth.x.ai/oauth2/token

• Observed result after fix: OpenClaw selected the new device-code auth method for provider xai, requested a real xAI device code, printed the complete verification URL/code for the operator, logged only the base device URL for remote access, skipped localhost callback/browser opening under SSH_TTY, and entered token polling.
• What was not tested: Final token persistence after approving the code in an x.ai account was not completed; the CLI was canceled after the remote prompt/polling state appeared to avoid binding a personal account in PR proof.

Tests

• pnpm test:extension xai
• pnpm tsgo:extensions
• pnpm tsgo:test:extensions
• pnpm run lint:extensions:bundled
• pnpm exec oxfmt --check extensions/xai/xai-oauth.ts extensions/xai/xai-oauth.test.ts extensions/xai/index.ts extensions/xai/index.test.ts docs/providers/xai.md extensions/xai/openclaw.plugin.json

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds xAI device-code OAuth login, onboarding/docs/changelog entries, and focused xAI auth tests.

Reproducibility: not applicable. this is a feature PR, not a bug report. The relevant proof path is the live device-code login and xAI model call supplied in the PR discussion, not a failing current-main reproduction.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Good, likely mergeable provider-auth PR with sufficient live proof and no blocking findings; final confidence depends on normal CI/head validation.

Rank-up moves:

• Verify the listed xAI extension/type/lint checks or equivalent CI on head f800dc03a9ffd5d2785fdfc93240457dafef147a before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Mossy Test Hopper

        .--^^^^--.           
     .-'  o    o  '-.        
    /       \__/      \      
   |    /\  ____  /\   |     
   |   /  \/____\/  \  |     
    \  \_.------._/  /       
     '._  `----'  _.'        
        '-.____.-'           
       _/|_|  |_|\_          
      /__|      |__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: watches the merge queue.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Test Hopper in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (live_output): The PR discussion now includes live after-fix proof of xAI device-code approval, OAuth profile persistence, default model update, and a live model call; the production auth file is unchanged between the proved head and final head.

Risk before merge
Why this matters: - This adds a selectable OAuth credential path, so maintainers still need to accept normal auth-provider risk around xAI account eligibility and upstream device-code policy despite the supplied live proof.

• This read-only sweep did not rerun the listed extension/type/lint commands; merge should rely on CI or an equivalent head-SHA validation run.

Maintainer options:

1. Merge after CI with live-proofed auth risk (recommended)
   If CI is green, maintainers can accept the additive auth-provider risk because the supplied live proof exercises approval, token persistence, and a live xAI model request.
2. Run one more xAI account smoke
   A maintainer can repeat the device-code login on another eligible xAI account before merge if account-class coverage is important.

Next step before merge
No automated repair lane is needed; the PR has no blocking findings and should proceed through normal maintainer review, CI, and merge-risk acceptance.

Security
Cleared: No concrete security or supply-chain regression was found; the diff is limited to xAI auth/docs/tests/changelog, adds no dependencies or workflow execution, and validates HTTPS x.ai OAuth endpoints.

Review details

Best possible solution:

Land the provider-owned device-code method after head-SHA CI/validation, while preserving existing xAI API-key and loopback OAuth behavior.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR, not a bug report. The relevant proof path is the live device-code login and xAI model call supplied in the PR discussion, not a failing current-main reproduction.

Is this the best way to solve the issue?

Yes: implementing this as xAI plugin extraAuth plus a manifest auth choice uses the existing generic --device-code CLI seam and keeps provider policy out of core. The remaining merge decision is CI/head validation and auth-provider risk acceptance, not a different architecture.

Label justifications:

• P2: This is a normal provider-auth feature with limited blast radius and no evidence of a current production regression.
• merge-risk: 🚨 auth-provider: The PR adds a new OAuth device-code flow that creates and refreshes xAI credential profiles.

What I checked:

• Current main does not already implement this: A current-main search found no xAI device-code identifiers or auth-flow markers under the xAI plugin/docs, so the PR is not obsolete on main. (ddeaebfc6807)
• PR implements provider-owned device-code flow: The PR head adds discovery parsing, device-code request/polling, token parsing, credential extras, and the exported xAI device-code auth method inside the xAI plugin auth module. (extensions/xai/xai-oauth.ts:613, f800dc03a9ff)
• PR registers the method with the xAI provider: The PR head registers createXaiDeviceCodeAuthMethod() alongside existing API-key and loopback OAuth auth methods. (extensions/xai/index.ts:190, f800dc03a9ff)
• Manifest and docs expose the onboarding choice: The PR head adds xai-device-code to provider auth choices and documents both onboarding and models auth login --device-code commands. (extensions/xai/openclaw.plugin.json:66, f800dc03a9ff)
• Docs describe the user-facing flow: The provider docs explain remote/VPS use and say OpenClaw prints an xAI URL and short code while the remote process polls for token exchange completion. Public docs: docs/providers/xai.md. (docs/providers/xai.md:58, f800dc03a9ff)
• Focused tests cover registration and successful login shape: The PR head tests provider auth registration, remote behavior, device-code request/token bodies, credential persistence fields, and progress completion for the successful mocked flow. (extensions/xai/xai-oauth.test.ts:169, f800dc03a9ff)

Likely related people:

• Peter Steinberger: Current-main blame/log in this checkout attributes the existing xAI OAuth module, plugin auth registration, and provider docs to the same commit by Peter Steinberger; the checkout history is shallow, so confidence is medium. (role: current xAI provider/auth area contributor; confidence: medium; commits: df8505b09d2e; files: extensions/xai/xai-oauth.ts, extensions/xai/index.ts, docs/providers/xai.md)
• obviyus: The PR timeline shows obviyus assigned, authored follow-up commits on this branch, and supplied the live xAI approval/token-persistence/model-call proof; this makes them a likely follow-up reviewer for this PR. (role: PR follow-up contributor and proof provider; confidence: medium; commits: e73b283cba38, 2693a99e3a50, f800dc03a9ff; files: extensions/xai/xai-oauth.ts, extensions/xai/xai-oauth.test.ts, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ddeaebfc6807.

[fuller-stack-dev]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26079657276
• Updated: 2026-05-19T06:17:44.355Z

[obviyus]

Proof for PR head 635bdab:

Behavior addressed: xAI device-code OAuth login completes the hosted approval flow, exchanges the code, persists an OAuth auth profile, and can use that profile for a live model request.

Real environment tested: homelab Linux, PR checkout at 635bdab, isolated ephemeral OpenClaw state. Account identifiers, auth code, and token-bearing paths are intentionally redacted.

Exact steps or command run after this patch:

OPENCLAW_STATE_DIR=<ephemeral-state> \
OPENCLAW_CONFIG_PATH=<ephemeral-state>/openclaw.json \
OPENCLAW_BUNDLED_PLUGINS_DIR=extensions \
node --import tsx src/entry.ts --profile xai-pr-e2e models auth login --provider xai --device-code --set-default

OPENCLAW_STATE_DIR=<ephemeral-state> \
OPENCLAW_CONFIG_PATH=<ephemeral-state>/openclaw.json \
OPENCLAW_BUNDLED_PLUGINS_DIR=extensions \
node --import tsx src/entry.ts --profile xai-pr-e2e infer model run --local --model xai/grok-4.3 --prompt 'Reply with exactly: xai-pr-84005-ok'

Evidence after fix: device-code auth completed successfully, the config was updated, an xai/oauth auth profile was created, and the default model was set to xai/grok-4.3.

Observed result after fix: live xAI model call returned xai-pr-84005-ok.

What was not tested: long-running gateway service mode; this was a source-checkout CLI/device-code/auth-profile/live-model E2E smoke.

[obviyus]

Landed via rebase onto main.

• Scoped tests:
  • node scripts/run-vitest.mjs extensions/xai/xai-oauth.test.ts extensions/xai/index.test.ts
  • git diff --check
  • node scripts/run-vitest.mjs test/extension-test-boundary.test.ts extensions/xai/xai-oauth.test.ts extensions/xai/index.test.ts
  • node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental false
• Live proof: redacted xAI device-code auth completed, created an xai/oauth profile, set xai/grok-4.3 as default, and a live infer model run --local --model xai/grok-4.3 returned xai-pr-84005-ok.
• Changelog: CHANGELOG.md updated.
• Land commit: c6967eea6840be49c04a84e77825ba663f5dfca6
• Merge commit: 1d77170a305b039ce609a04ae17f0ec1c5b69ce8

Thanks @fuller-stack-dev!