feat: unified auth + multimodal AgentRuntime — implementation plan

[alexey-pelykh]

Overview

Comprehensive plan for unified credential management and multimodal media support across all CLI runtimes. Successor to #376 (which captured the research, spikes, and architectural evolution).

Background

#376 started as "gut auth profiles + media understanding" and evolved through several rounds of analysis into a restructuring plan:

• Auth profiles are mis-wired, not useless — should be middleware-wide, not agent-specific
• Media understanding should be decomposed: STT → middleware, image/video → runtime-dependent
• TTS has its own credential silo that bypasses auth profiles (upstream design gap)
• CLI runtimes can accept multimodal input (Gemini best, Claude images-only, Codex/OpenCode blocked upstream)

Key decisions documented in #376 comments:

• Spike results: CLI media capabilities
• Revised architecture: repurpose not gut
• TTS credential fragmentation: upstream gap
• Per-agent auth config design
• Onboarding wizard impact: stays single-key simple

---

Phase 1: Auth Foundation ✅

Unified credential management with per-agent key rotation.

#	Task	Issue	Status
1	Relocate src/agents/auth-profiles/ → src/auth/	#419	done ✅
2	Add auth config field (auth?: false | string | string[])	#421	done ✅
3	Wire auth profile → CLI env injection	#422	done ✅
4	Retry with rotated key on rate-limit	#423	done ✅
5	Adapt onboarding wizard	#417	done ✅
6	Adapt OpenClaw import	#427	done ✅
7	Relocate auth store to global path + strip legacy migration	#438	done ✅
8	Import: consolidate per-agent auth into global store	#439	done ✅

---

Phase 2: Multimodal Contract + Routing ✅

AgentRuntime multimodal contract and ChannelBridge media routing.

#	Task	Issue	Status
9	AgentRuntime multimodal contract (MediaAttachment, mediaCapabilities)	#385	done ✅
10	Fix buildChannelMessage mediaUrls wiring	#384	done ✅
11	ChannelBridge media routing (capability check → passthrough or fallback)	#387	done ✅

---

Phase 3: Gemini Multimodal ✅

Gemini gets full native multimodal — images, audio, video, PDF.

#	Task	Issue	Status
12	Gemini runtime multimodal (@path syntax, temp files)	#397	done ✅

---

Phase 4: Claude Multimodal ✅

Claude gets native image support via stdin stream-json refactor.

#	Task	Issue	Status
13	Claude runtime multimodal (stdin stream-json, images)	#396	done ✅

---

Phase 5: STT + User Feedback ✅

Voice messages work end-to-end for all runtimes. Clear feedback when media can't be processed.

#	Task	Issue	Blocked by	Status
14	Extract STT from src/media-understanding/ → src/stt/	#424	—	done ✅
15	Communicate multimodal limitations to users	#400	#424	done ✅

---

Phase 6: TTS Credential Unification ✅

TTS joins unified auth. All credentials through one system.

#	Task	Issue	Blocked by	Status
16	Add ElevenLabs to auth provider system	#403	—	done ✅
17	TTS uses resolveApiKeyForProvider from src/auth/	#402	#403	done ✅

---

Phase 7: Voice Channel Validation ✅

Voice-only channels require STT/TTS auth credentials.

#	Task	Issue	Blocked by	Status
18	Require STT/TTS auth for voice-only channels	#471	#424, #402, #403	done ✅

---

Phase 8: Cleanup ✅

Remove dead code after all phases land.

#	Task	Issue	Blocked by	Status
19	Remove dead media understanding code (multi-provider vision runner)	#425	#424 ✅	done ✅
20	Remove dead auth profile consumers (session overrides, directive handlers)	#426	#402	done ✅

---

Parallelization

Phase 1 ✅ ── Phase 2 ✅
                │
                ├── Phase 3 ✅ (Gemini #397) ──────────┐
                ├── Phase 4 ✅ (Claude #396) ───────────┤
                ├── Phase 5 ✅ (STT #424 → #400) ────┼── Phase 7 ✅ (voice #471)
                └── Phase 6 ✅ (TTS auth #403 → #402) ──┤
                                                      └── Phase 8 ✅ (cleanup #425, #426)

Phases 3, 4, 5, 6 are all independent and can run in parallel. Phase 7 needs Phases 5+6. Phase 8 needs all of them.

Out of scope (for now)

• Codex multimodal (feat(runtime/codex): multimodal I/O support #398) — blocked upstream (codex#5773)
• OpenCode multimodal (feat(runtime/opencode): multimodal I/O support (blocked upstream) #399) — blocked upstream (hardcoded text/plain MIME)
• Outbound AgentMediaEvent — no runtime emits media today, add when needed
• Per-request key rotation inside a CLI session — session-level rotation is sufficient
• Multi-key onboarding UX — wizard stays single-key, rotation configured post-wizard
• remoteclaw auth add CLI command — natural follow-up, not scoped here

All related issues

Issue	Title	Phase	Status
#375	runtimeEnv config field	prereq	done ✅
#376	Auth/media research and architectural evolution	predecessor	superseded
#384	buildChannelMessage never populates mediaUrls	2	done ✅
#385	AgentRuntime multimodal contract	2	done ✅
#386	Per-runtime multimodal (tracking)	3-4	tracking
#387	Middleware multimodal propagation	2	done ✅
#396	Claude runtime multimodal	4	done ✅
#397	Gemini runtime multimodal	3	done ✅
#398	Codex runtime multimodal (blocked upstream)	—	out of scope
#399	OpenCode runtime multimodal (blocked upstream)	—	out of scope
#400	Communicate multimodal limitations	5	done ✅
#402	TTS auth profile integration	6	done ✅
#403	ElevenLabs auth provider	6	done ✅
#417	Onboarding wizard adaptation	1	done ✅
#419	Auth profiles relocation	1	done ✅
#421	Per-agent auth config field	1	done ✅
#422	Auth profile → CLI env injection	1	done ✅
#423	Retry with rotated key on rate-limit	1	done ✅
#424	STT extraction to src/stt/	5	done ✅
#425	Remove dead media understanding code	8	done ✅
#426	Remove dead auth profile consumers	8	done ✅
#427	OpenClaw import adaptation	1	done ✅
#438	Auth store global relocation	1	done ✅
#439	Import: consolidate per-agent auth	1	done ✅
#471	Voice channel STT/TTS validation	7	done ✅
#478	Wire auxiliary provider auth flags	6	done ✅
#497	Plugin SDK: custom STT providers	—	done ✅
#498	Plugin SDK: custom TTS providers	—	done ✅
#374	CLIRuntimeBase stderr swallowing	—	independent

[alexey-pelykh]

Onboarding wizard impact

Decision: Wizard stays "one key, one runtime" simple.

The onboarding wizard (src/wizard/onboarding.ts promptRuntimeCredential()) currently asks for exactly one API key per runtime and stores it as a single auth profile. This UX remains unchanged — multi-key rotation and per-agent auth are post-wizard concerns.

What changes in the wizard

Phase	Change	Description
1	Import path updates	agents/auth-profiles/ → auth/ in wizard code
1	Storage path update	resolveAuthStorePath() follows relocation
1	Set auth field	When user provides a key, set agents.defaults.auth: "{profile-id}" in config
1	Explicit skip semantics	When user skips credential, set agents.defaults.auth: false explicitly

What does NOT change

• No multi-key prompt — wizard always asks for one key. Users add more keys later via direct config edit or future remoteclaw auth CLI command.
• No TTS/STT credential prompt — voice channel credentials are configured post-wizard (Phase 3/4 concern).
• No runtime capability notice — "your runtime supports/doesn't support multimodal" messaging is Phase 3 (feat(middleware): communicate multimodal limitations to users when runtime can't handle media #400), not an onboarding concern.
• QuickStart vs Advanced flow distinction — both stay single-key. Advanced flow does NOT expand to multi-key.

Consequences

1. Rotation requires post-wizard setup: Users who want key rotation must manually edit config.json5 to change auth: "anthropic:default" → auth: ["anthropic:key1", "anthropic:key2"] and add profiles via auth store.
2. Wizard-created config is immediately functional: Single key + auth: "{profile-id}" works out of the box, no further config needed.
3. Phase 5 cleanup is minimal for wizard: Just import path updates and adding the auth field write — no UX redesign.
4. Future remoteclaw auth add command: Natural follow-up to let users add/rotate keys without hand-editing JSON. Not scoped in feat: unified auth + multimodal AgentRuntime — implementation plan #415.