feat: add xAI OAuth web search and provider timeouts #85182

Merged: steipete merged 5 commits into openclaw:main from fuller-stack-dev:codex/xai-oauth-web-search on May 22, 2026

@fuller-stack-dev
Contributor

@fuller-stack-dev fuller-stack-dev commented May 22, 2026

Summary

  • Reuse xAI OAuth auth profiles for Grok web_search during setup/runtime, with API-key/env/plugin config fallback after stale OAuth refresh.
  • Add grok-build-0.1 to the xAI catalog and normalize Grok Code Fast aliases.
  • Add provider-authored default timeout support for image/video/TTS providers and set xAI image/video defaults to 600s.
  • Thread active agent auth context through web_search so non-default agent xAI OAuth/API-key profiles are used.
  • Report OAuth-backed Grok web_search as enabled in the final onboarding summary when an xAI auth profile already exists.

Verification

  • pnpm test extensions/xai/web-search.test.ts extensions/xai/model-id.test.ts extensions/xai/onboard.test.ts extensions/xai/image-generation-provider.test.ts extensions/xai/video-generation-provider.test.ts extensions/speech-core/src/tts.test.ts src/flows/search-setup.test.ts src/web-search/runtime.test.ts src/agents/model-auth.profiles.test.ts src/image-generation/runtime.test.ts src/video-generation/runtime.test.ts src/agents/tools/web-search.test.ts src/agents/tools/web-search.late-bind.test.ts src/agents/tools/web-search.signal.test.ts src/agents/tools/web-tools.enabled-defaults.test.ts
  • pnpm test src/agents/tools/pdf-tool.model-config.test.ts src/agents/tools/image-tool.test.ts src/agents/tools/media-tool-shared.test.ts
  • pnpm test src/wizard/setup.finalize.test.ts src/flows/search-setup.test.ts extensions/xai/web-search.test.ts
  • pnpm exec oxfmt --check --threads=1 $(git diff --name-only upstream/main...HEAD -- '*.ts' '*.json')
  • pnpm exec oxfmt --check --threads=1 src/wizard/setup.finalize.ts src/wizard/setup.finalize.test.ts src/wizard/i18n/locales/en.ts src/wizard/i18n/locales/zh-CN.ts src/wizard/i18n/locales/zh-TW.ts
  • pnpm plugin-sdk:api:check
  • pnpm config:docs:check
  • node scripts/format-docs.mjs --check
  • git diff --check upstream/main...HEAD
  • git diff --check
  • node scripts/check-web-search-provider-boundaries.mjs
  • node scripts/check-extension-plugin-sdk-boundary.mjs --mode=src-outside-plugin-sdk extensions/xai
  • node scripts/check-extension-plugin-sdk-boundary.mjs --mode=plugin-sdk-internal extensions/xai
  • pnpm build
  • AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode local
  • AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode commit --commit HEAD

Real behavior proof

Behavior addressed: Grok web_search can be selected during onboarding/config when xAI OAuth already exists, runtime prefers OAuth, retries refreshed OAuth on 401, and falls back to xAI API-key auth/profile/env/config when OAuth remains stale. The active session agent directory is now threaded into web_search provider selection and execution, so non-default agents use their own xAI OAuth/API-key auth profiles. xAI catalog now includes grok-build-0.1; xAI image/video provider defaults use a 600s operation timeout. The final onboarding summary now treats an existing xAI OAuth auth profile as a valid web_search credential instead of reporting a missing API key.
Real environment tested: Local macOS source checkout on branch codex/xai-oauth-web-search, Node/pnpm repo toolchain, plus an isolated onboarding proof state seeded with a fake xAI OAuth auth profile. No real credentials were used.
Exact steps or command run after this patch: Ran the Verification commands listed above, then ran openclaw onboard --flow advanced --mode local --auth-choice skip --workspace <isolated-proof-workspace> --accept-risk --skip-daemon --skip-channels --skip-skills --skip-hooks --skip-health --skip-ui --skip-bootstrap --secret-input-mode plaintext against isolated state with Grok selected for web_search.
Evidence after fix: Focused Vitest shards passed; SDK/config baseline checks passed; docs/format/boundary/build gates passed; final local and current-HEAD autoreview runs were clean. Onboarding screenshot proof is attached in #85182 (comment), with sanitized proof bundle at https://gist.github.com/fuller-stack-dev/25f1005f74d30b467d6064acbd7b21c9.
Observed result after fix: OAuth-backed Grok web_search tests use xAI OAuth before configured API-key fallback, refresh on 401, fall back to a non-OAuth API-key auth profile when stale OAuth remains first, and pass active agentDir through generic web_search auto-detect and provider execution. Onboarding skips the API-key prompt when xAI OAuth exists and the final summary reports Credential: existing xAI OAuth sign-in..
What was not tested: Live xAI OAuth/API calls were not run from the onboarding proof; behavior is covered with mocked provider-auth and HTTP responses plus local onboarding proof using a fake OAuth profile.

@fuller-stack-dev fuller-stack-dev requested a review from a team as a code owner May 22, 2026 02:23
@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation agents Agent runtime and tooling extensions: tts-local-cli plugin: azure-speech Azure Speech plugin extensions: xai size: XL triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. labels May 22, 2026
@clawsweeper
Contributor

clawsweeper Bot commented May 22, 2026

Codex review: needs real behavior proof before merge.

Latest ClawSweeper review: 2026-05-22 07:45 UTC / May 22, 2026, 3:45 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds xAI OAuth-backed Grok web_search setup/runtime auth, active-agent auth routing, Grok model alias updates, provider default media/TTS timeouts, docs, changelog, and regression tests.

Reproducibility: not applicable for the feature as a whole. For the prior fallback defect, latest-head source and regression-test evidence show the stale API-key profile path now reaches env/API-key fallback.

PR rating
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Summary: The patch looks materially repaired after the latest fallback fix, but incomplete real provider proof keeps the PR below merge-ready.

Rank-up moves:

  • Add redacted live xAI OAuth/API web_search proof that shows runtime execution and, where feasible, refresh or fallback behavior.
  • Get maintainer-visible acceptance of authProviderId, agentDir, and defaultTimeoutMs as public provider contracts or narrow the surface before merge.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs stronger real behavior proof before merge: The screenshots show seeded local onboarding/config state, but not a real xAI OAuth/API web_search run, refresh/fallback path, or timeout behavior; the contributor should add redacted terminal/log/recording/live output and update the PR body for re-review.

Risk before merge

  • The supplied proof uses fake local xAI OAuth state and screenshots, so live xAI OAuth/API web_search execution, 401 refresh/fallback behavior, and provider timeout behavior are not proven in a real provider setup.
  • authProviderId, WebSearchProviderContext.agentDir, and defaultTimeoutMs expand plugin/provider contracts; maintainers should explicitly accept those as durable surfaces or ask for a narrower xAI-local design.
  • Credential precedence and active-agent auth threading can change existing Grok web_search routing during upgrade, even though the latest commit fixes the stale API-key fallback path.

Maintainer options:

  1. Hold for live xAI proof (recommended)
    Require redacted terminal output, logs, recording, or linked artifact from a real xAI OAuth or API-key web_search run before merge because screenshots only prove seeded onboarding state.
  2. Accept the contract expansion
    If maintainers want authProviderId, agentDir, and defaultTimeoutMs as public provider contracts, merge only after that decision is explicit and baseline checks remain green.
  3. Narrow the public surface
    If the contract is not ready, keep the useful xAI behavior but move the new auth and timeout behavior behind xAI-local or already-approved provider seams.

Next step before merge
Human review is needed for real provider proof and the public provider-contract decision; there is no narrow remaining code defect for an automated repair PR.

Security
Cleared: No concrete dependency, workflow, package-resolution, lifecycle-script, download, or secret-printing regression was found; the auth changes are compatibility-sensitive rather than a confirmed security flaw.

Review details

Best possible solution:

Merge a maintainer-accepted version after redacted live xAI OAuth/API web_search proof, preserving the repaired fallback behavior and documenting the accepted SDK/provider contract.

Do we have a high-confidence way to reproduce the issue?

Not applicable for the feature as a whole. For the prior fallback defect, latest-head source and regression-test evidence show the stale API-key profile path now reaches env/API-key fallback.

Is this the best way to solve the issue?

Unclear until maintainer approval and proof: the implementation is coherent and the known fallback defect is fixed, but the new public provider contracts and live xAI behavior still need explicit acceptance and real runtime evidence.

Label changes:

  • add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🐚 platinum hermit, and the patch looks materially repaired after the latest fallback fix, but incomplete real provider proof keeps the PR below merge-ready.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

  • P2: This is a normal-priority provider/auth feature with limited blast radius but merge-relevant proof and contract risks.
  • merge-risk: 🚨 compatibility: The PR changes public plugin/provider shapes and can alter existing Grok web_search credential precedence during upgrade.
  • merge-risk: 🚨 auth-provider: The diff changes provider-auth profile selection, refresh, fallback, and active-agent directory behavior for xAI web_search.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🐚 platinum hermit, and the patch looks materially repaired after the latest fallback fix, but incomplete real provider proof keeps the PR below merge-ready.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The screenshots show seeded local onboarding/config state, but not a real xAI OAuth/API web_search run, refresh/fallback path, or timeout behavior; the contributor should add redacted terminal/log/recording/live output and update the PR body for re-review.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The screenshots show seeded local onboarding/config state, but not a real xAI OAuth/API web_search run, refresh/fallback path, or timeout behavior; the contributor should add redacted terminal/log/recording/live output and update the PR body for re-review.

What I checked:

  • Live PR state: GitHub API shows this PR open at head 3127008, assigned to steipete, with supplied screenshot proof and existing merge-risk labels; the PR body states live xAI OAuth/API calls were not run. (3127008b670d)
  • Current main behavior: Current main Grok web_search resolves only scoped config/SecretRef/env XAI_API_KEY credentials before calling the xAI web_search runtime, so the PR changes real credential routing behavior rather than duplicating an already-complete OAuth path. (extensions/xai/src/web-search-provider.runtime.ts:174, 0e47815e6ec9)
  • PR head auth implementation: PR head resolves xAI provider auth profiles, prefers OAuth, preserves configured web_search credentials ahead of non-OAuth provider auth, and falls back through env-first provider auth plus API-key profiles after 401 failures. (extensions/xai/src/web-search-provider.runtime.ts:284, 3127008b670d)
  • Prior fallback defect addressed: The latest commit removes the non-OAuth rethrow guard and adds a regression test for stale xAI API-key profile fallback to XAI_API_KEY/env auth. (extensions/xai/web-search.test.ts:597, 3127008b670d)
  • Public web-search contract expansion: The PR adds agentDir to WebSearchProviderContext and authProviderId to WebSearchProviderPlugin, making web-search providers able to depend on model-provider auth profile state. (src/plugins/web-provider-types.ts:29, 3127008b670d)
  • Public timeout contract expansion: The PR adds defaultTimeoutMs to public video and speech provider shapes, which is useful but compatibility-sensitive as a durable plugin/provider contract. (src/plugin-sdk/video-generation.ts:156, 3127008b670d)

Likely related people:

  • steipete: Recent history shows repeated xAI web-search and media timeout work, and steipete also authored the latest fallback-fix commit on this PR branch. (role: recent area contributor/reviewer; confidence: high; commits: 3127008b670d, b813183bfd66, 33b18f543baa; files: extensions/xai/src/web-search-provider.runtime.ts, src/web-search/runtime.ts, src/image-generation/runtime.ts)
  • Jaaneek: Commit history for the xAI runtime shows Jaaneek authored the recent OAuth login and xAI sidecar auth changes that this PR builds on. (role: recent xAI OAuth contributor; confidence: high; commits: 5f1df99a9c23; files: extensions/xai/src/web-search-provider.runtime.ts, extensions/xai/xai-oauth.ts, extensions/xai/speech-provider.ts)
  • vincentkoc: Recent generic web-search runtime history includes explicit provider loading and provider selection fixes by vincentkoc. (role: web-search/runtime adjacent contributor; confidence: medium; commits: 0668f1e003ed, 3f045d91295c, 7308e72fac98; files: src/web-search/runtime.ts, src/plugin-sdk/video-generation.ts)
  • gumadeiras: The xAI web-search runtime split is directly adjacent to the runtime path changed by this PR. (role: xAI web-search runtime contributor; confidence: medium; commits: 1da928211b4e; files: extensions/xai/src/web-search-provider.runtime.ts, extensions/xai/web-search.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0e47815e6ec9.
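The credential order and 401 handling described in the PR summary and in the review's "What I checked" list, as an added TypeScript sketch that is not code from this PR or from OpenClaw. The types, the source labels, `credentialsFor`, `runWebSearch` and the rule that non-401 failures stop the chain are assumptions of this example, and the transport is a synchronous stub so it runs offline.

```typescript
// Added example: hypothetical types and names, not OpenClaw's plugin API.
type Credential =
  | { kind: "oauth"; source: string; accessToken: string; refresh: () => string | null }
  | { kind: "api-key"; source: string; key: string };

interface Attempt { source: string; status: number }
interface Outcome { ok: boolean; usedSource: string | null; attempts: Attempt[] }

// Injected transport: takes the bearer value, returns the HTTP status code.
// Synchronous here so the chain can be exercised offline.
type Send = (bearer: string) => number;

// Assumed precedence, read from the thread: OAuth profile, configured
// web_search credential, environment key, then API-key auth profiles.
const PRECEDENCE = ["oauth-profile", "web-search-config", "env", "api-key-profile"];

function rank(source: string): number {
  const i = PRECEDENCE.indexOf(source);
  return i === -1 ? PRECEDENCE.length : i;
}

// Profiles are keyed by agent directory so a non-default agent never
// borrows the default agent's sign-in; shared credentials apply to all.
function credentialsFor(
  profiles: Map<string, Credential[]>,
  agentDir: string,
  shared: Credential[],
): Credential[] {
  const own = profiles.get(agentDir) ?? [];
  return [...own, ...shared].sort((a, b) => rank(a.source) - rank(b.source));
}

function runWebSearch(creds: Credential[], send: Send): Outcome {
  const attempts: Attempt[] = []; // records source and status only, never the secret
  for (const cred of creds) {
    let label = cred.source;
    let status = send(cred.kind === "oauth" ? cred.accessToken : cred.key);
    attempts.push({ source: label, status });
    if (status === 401 && cred.kind === "oauth") {
      const refreshed = cred.refresh(); // one refresh, one retry
      if (refreshed !== null) {
        label = `${cred.source}:refreshed`;
        status = send(refreshed);
        attempts.push({ source: label, status });
      }
    }
    // Only 401 moves on to the next credential; other failures stop here
    // (an assumption of this sketch) so an outage does not spray every key.
    if (status !== 401) {
      return { ok: status >= 200 && status < 300, usedSource: label, attempts };
    }
  }
  return { ok: false, usedSource: null, attempts };
}

// Constructed sample state: a stale OAuth profile for one agent plus an env key.
function demoStaleOAuth(): Outcome {
  const profiles = new Map<string, Credential[]>([
    ["agents/research", [
      { kind: "api-key", source: "api-key-profile", key: "sample-profile-key" },
      { kind: "oauth", source: "oauth-profile", accessToken: "stale", refresh: () => "still-stale" },
    ]],
  ]);
  const shared: Credential[] = [{ kind: "api-key", source: "env", key: "sample-env-key" }];
  const send: Send = (bearer) => (bearer === "sample-env-key" ? 200 : 401);
  return runWebSearch(credentialsFor(profiles, "agents/research", shared), send);
}
```

The attempt log is the part worth keeping in a real implementation: it shows which credential source answered and why earlier ones were skipped without ever holding a token or key.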

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. labels May 22, 2026
@clawsweeper
Contributor

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?
  • The egg game starts only after the PR passes the real-behavior proof check.
  • Before that, no creature or rarity is rolled. The treat waits for real proof.
  • This is still just collectible flavor: proof affects review readiness, not creature quality.

@fuller-stack-dev
Contributor Author

@clawsweeper re-review

@clawsweeper
Contributor

clawsweeper Bot commented May 22, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@fuller-stack-dev
Contributor Author

Behavior proof: xAI OAuth web_search onboarding

Behavior addressed: onboarding can select Grok (xAI) for web_search when an existing xAI OAuth auth profile is present, without requiring a separate XAI_API_KEY. API-key auth remains available as fallback.

Real environment tested: local source checkout with isolated OpenClaw state under .artifacts, seeded with a fake xAI OAuth auth profile. No real credentials were used, and the raw terminal transcript was not uploaded.

Exact steps or command run after this patch:

openclaw onboard --flow advanced --mode local --auth-choice skip --workspace <isolated-proof-workspace> --accept-risk --skip-daemon --skip-channels --skip-skills --skip-hooks --skip-health --skip-ui --skip-bootstrap --secret-input-mode plaintext
pnpm test src/wizard/setup.finalize.test.ts src/flows/search-setup.test.ts extensions/xai/web-search.test.ts
pnpm exec oxfmt --check --threads=1 src/wizard/setup.finalize.ts src/wizard/setup.finalize.test.ts src/wizard/i18n/locales/en.ts src/wizard/i18n/locales/zh-CN.ts src/wizard/i18n/locales/zh-TW.ts
pnpm test src/wizard/setup.finalize.test.ts
git diff --check
AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode local

Evidence after fix:

  1. Provider selection shows Grok as configured via xAI OAuth/API key.
     [Screenshot: Provider selection]
  2. Selecting Grok reports that existing xAI OAuth is used and no separate API key is required.
     [Screenshot: OAuth note]
  3. Final onboarding summary reports web search enabled with an existing xAI OAuth sign-in.
     [Screenshot: Final summary]
  4. Sanitized config proof: Grok is selected, no xAI web_search API key is stored, and the auth profile type is OAuth.
     [Screenshot: Config proof]

Observed result after fix: Grok-backed web_search is presented as OAuth-backed during onboarding, and the final summary no longer reports a missing API key when the xAI OAuth profile exists.

What was not tested: live xAI web_search network execution from this onboarding run; the provider/runtime test coverage remains focused on the existing xAI web_search credential path.

Sanitized proof bundle: https://gist.github.com/fuller-stack-dev/25f1005f74d30b467d6064acbd7b21c9

@openclaw-barnacle openclaw-barnacle Bot added proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. labels May 22, 2026
@clawsweeper clawsweeper Bot added the proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. label May 22, 2026
@fuller-stack-dev
Contributor Author

@clawsweeper re-review

@clawsweeper
Contributor

clawsweeper Bot commented May 22, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@steipete steipete self-assigned this May 22, 2026
@steipete steipete force-pushed the codex/xai-oauth-web-search branch from fde1518 to 3127008 May 22, 2026 07:40
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels May 22, 2026
@steipete
Contributor

Maintainer proof for landing:

Behavior addressed: Grok web_search now reuses xAI OAuth/model-auth profiles and preserves API-key fallback when a selected profile returns 401.

Exact local commands run after fix:

  • git diff --check
  • node scripts/run-vitest.mjs extensions/xai/web-search.test.ts src/config/schema.help.quality.test.ts
  • node scripts/run-vitest.mjs src/config/config.web-search-provider.test.ts src/config/sessions/delivery-info.test.ts
  • AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode branch

Evidence after fix:

  • Local targeted tests passed: xAI web-search/schema shard, config web-search/session delivery shard.
  • Autoreview clean: no accepted/actionable findings reported.
  • Pushed fixup commit: 3127008.
  • Fresh GitHub runs on that SHA passed: CI 26275072795, CodeQL 26275072793, CodeQL Critical Quality 26275072824, OpenGrep PR Diff 26275072771, Workflow Sanity 26275072823, Real behavior proof 26275071943 / 26275352374.

What was not tested: no live xAI credential call; covered with mocked provider-auth/fetch regression tests.

Thanks @fuller-stack-dev.

@steipete steipete merged commit e201fbf into openclaw:main May 22, 2026
108 of 110 checks passed

Labels

agents Agent runtime and tooling docs Improvements or additions to documentation extensions: tts-local-cli extensions: xai merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. P2 Normal backlog priority with limited blast radius. plugin: azure-speech Azure Speech plugin proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. size: XL status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.