fix(onboard): address web search review follow-ups

13ernkastel · 13ernkastel · commit 006c4a01296a · 2026-04-05T11:23:09.000+08:00
diff --git a/bin/lib/onboard.js b/bin/lib/onboard.js
@@ -985,6 +985,10 @@ function normalizeWebSearchConfigValue(config) {
   return webSearch.normalizeWebSearchConfig(config);
 }
 
+function normalizePersistedWebSearchConfigValue(config) {
+  return webSearch.normalizePersistedWebSearchConfig(config);
+}
+
 function getWebSearchProviderMetadata(provider) {
   return webSearch.getWebSearchProvider(provider);
 }
@@ -1103,6 +1107,10 @@ async function ensureValidatedWebSearchCredential(provider) {
 
   while (true) {
     if (!apiKey) {
+      if (isNonInteractive()) {
+        console.error(`  ${credentialEnv} is required for ${label} in non-interactive mode.`);
+        return null;
+      }
       apiKey = await promptWebSearchApiKey(provider);
       usingSavedKey = false;
     }
@@ -1121,6 +1129,7 @@ async function ensureValidatedWebSearchCredential(provider) {
     if (validation.message) {
       console.error(`  ${validation.message}`);
     }
+    if (isNonInteractive()) return null;
 
     const action = await promptWebSearchRecovery(provider, validation);
     if (action === "back") return null;
@@ -4192,8 +4201,16 @@ async function onboard(opts = {}) {
       break;
     }
 
-    const persistedWebSearchConfig = normalizeWebSearchConfigValue(webSearchConfig);
-    if (persistedWebSearchConfig) {
+    const persistedWebSearchConfigRaw = normalizePersistedWebSearchConfigValue(webSearchConfig);
+    const persistedWebSearchConfig = normalizeWebSearchConfigValue(persistedWebSearchConfigRaw);
+    if (persistedWebSearchConfigRaw && persistedWebSearchConfigRaw.fetchEnabled === false) {
+      webSearchConfig = persistedWebSearchConfigRaw;
+      onboardSession.updateSession((current) => {
+        current.webSearchConfig = webSearchConfig;
+        return current;
+      });
+      note("  [resume] Keeping Web Search disabled.");
+    } else if (persistedWebSearchConfig) {
       const { label } = getWebSearchProviderMetadata(persistedWebSearchConfig.provider);
       note(`  [resume] Revalidating ${label} configuration.`);
       const apiKey = await ensureValidatedWebSearchCredential(persistedWebSearchConfig.provider);
diff --git a/docs/reference/commands.md b/docs/reference/commands.md
@@ -71,10 +71,10 @@ Supported non-experimental choices include NVIDIA Endpoints, OpenAI, Anthropic,
 Credentials are stored in `~/.nemoclaw/credentials.json`.
 The legacy `nemoclaw setup` command is deprecated; use `nemoclaw onboard` instead.
 
-If you enable Brave Search during onboarding, NemoClaw currently stores the Brave API key in the sandbox's OpenClaw configuration.
+If you enable web search during onboarding, NemoClaw currently stores the selected provider key in the sandbox's OpenClaw configuration as that provider's `apiKey`.
 That means the OpenClaw agent can read the key.
-NemoClaw explores an OpenShell-hosted credential path first, but the current OpenClaw Brave runtime does not consume that path end to end yet.
-Treat Brave Search as an explicit opt-in and use a dedicated low-privilege Brave key.
+NemoClaw explores an OpenShell-hosted credential path first, but the current OpenClaw web-search runtime does not consume that path end to end yet.
+Treat web search as an explicit opt-in and use a dedicated low-privilege provider key.
 
 For non-interactive onboarding, you must explicitly accept the third-party software notice:
 
@@ -97,6 +97,7 @@ $ BRAVE_API_KEY=... \
 
 Supported keys are `BRAVE_API_KEY`, `GEMINI_API_KEY`, and `TAVILY_API_KEY`.
 If more than one is set, NemoClaw prefers Brave, then Gemini, then Tavily unless `NEMOCLAW_WEB_SEARCH_PROVIDER` is set explicitly to `brave`, `gemini`, or `tavily`.
+Whichever provider wins that selection has its key copied into the sandbox OpenClaw config, so agents can read the selected provider's `apiKey`.
 Enabling web search also enables `web_fetch`.
 
 The wizard prompts for a sandbox name.
diff --git a/src/lib/onboard-session.test.ts b/src/lib/onboard-session.test.ts
@@ -120,15 +120,15 @@ describe("onboard session", () => {
     expect(loaded.metadata.token).toBeUndefined();
   });
 
-  it("normalizes legacy web search configs and clears explicit disable updates", () => {
+  it("normalizes legacy web search configs and preserves explicit disable updates", () => {
     session.saveSession(session.createSession({ webSearchConfig: { fetchEnabled: true } }));
 
     let loaded = session.loadSession();
     expect(loaded.webSearchConfig).toEqual({ provider: "brave", fetchEnabled: true });
 
     session.completeSession({ webSearchConfig: { provider: "brave", fetchEnabled: false } });
     loaded = session.loadSession();
-    expect(loaded.webSearchConfig).toBeNull();
+    expect(loaded.webSearchConfig).toEqual({ provider: "brave", fetchEnabled: false });
   });
 
   it("does not clear existing metadata when updates omit whitelisted metadata fields", () => {
@@ -204,14 +204,18 @@ describe("onboard session", () => {
     session.saveSession(session.createSession());
     session.markStepFailed(
       "inference",
-      "provider auth failed with NVIDIA_API_KEY=nvapi-secret TAVILY_API_KEY=tvly-secret Bearer topsecret sk-secret-value ghp_1234567890123456789012345",
+      "provider auth failed with NVIDIA_API_KEY=nvapi-secret BRAVE_API_KEY=brv-secret GEMINI_API_KEY=gem-secret TAVILY_API_KEY=tvly-secret Bearer topsecret sk-secret-value ghp_1234567890123456789012345",
     );
 
     const loaded = session.loadSession();
     expect(loaded.steps.inference.error).toContain("NVIDIA_API_KEY=<REDACTED>");
+    expect(loaded.steps.inference.error).toContain("BRAVE_API_KEY=<REDACTED>");
+    expect(loaded.steps.inference.error).toContain("GEMINI_API_KEY=<REDACTED>");
     expect(loaded.steps.inference.error).toContain("TAVILY_API_KEY=<REDACTED>");
     expect(loaded.steps.inference.error).toContain("Bearer <REDACTED>");
     expect(loaded.steps.inference.error).not.toContain("nvapi-secret");
+    expect(loaded.steps.inference.error).not.toContain("brv-secret");
+    expect(loaded.steps.inference.error).not.toContain("gem-secret");
     expect(loaded.steps.inference.error).not.toContain("tvly-secret");
     expect(loaded.steps.inference.error).not.toContain("topsecret");
     expect(loaded.steps.inference.error).not.toContain("sk-secret-value");
diff --git a/src/lib/onboard-session.ts b/src/lib/onboard-session.ts
@@ -10,7 +10,11 @@
 import fs from "node:fs";
 import path from "node:path";
 
-import { normalizeWebSearchConfig, type WebSearchConfig } from "./web-search";
+import {
+  getWebSearchCredentialEnvNames,
+  normalizePersistedWebSearchConfig,
+  type PersistedWebSearchConfig,
+} from "./web-search";
 
 export const SESSION_VERSION = 1;
 export const SESSION_DIR = path.join(process.env.HOME || "/tmp", ".nemoclaw");
@@ -55,7 +59,7 @@ export interface Session {
   credentialEnv: string | null;
   preferredInferenceApi: string | null;
   nimContainer: string | null;
-  webSearchConfig: WebSearchConfig | null;
+  webSearchConfig: PersistedWebSearchConfig | null;
   policyPresets: string[] | null;
   metadata: SessionMetadata;
   steps: Record<string, StepState>;
@@ -84,7 +88,7 @@ export interface SessionUpdates {
   credentialEnv?: string;
   preferredInferenceApi?: string;
   nimContainer?: string;
-  webSearchConfig?: WebSearchConfig | null;
+  webSearchConfig?: PersistedWebSearchConfig | null;
   policyPresets?: string[];
   metadata?: { gatewayName?: string };
 }
@@ -119,13 +123,30 @@ export function isObject(value: unknown): value is Record<string, unknown> {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+const REDACTED_CREDENTIAL_ENV_NAMES = Array.from(
+  new Set([
+    "NVIDIA_API_KEY",
+    "OPENAI_API_KEY",
+    "ANTHROPIC_API_KEY",
+    "COMPATIBLE_API_KEY",
+    "COMPATIBLE_ANTHROPIC_API_KEY",
+    ...getWebSearchCredentialEnvNames(),
+  ]),
+);
+
+const CREDENTIAL_ASSIGNMENT_RE = new RegExp(
+  `(${REDACTED_CREDENTIAL_ENV_NAMES.map(escapeRegExp).join("|")})=\\S+`,
+  "gi",
+);
+
 export function redactSensitiveText(value: unknown): string | null {
   if (typeof value !== "string") return null;
   return value
-    .replace(
-      /(NVIDIA_API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|GEMINI_API_KEY|COMPATIBLE_API_KEY|COMPATIBLE_ANTHROPIC_API_KEY|BRAVE_API_KEY|TAVILY_API_KEY)=\S+/gi,
-      "$1=<REDACTED>",
-    )
+    .replace(CREDENTIAL_ASSIGNMENT_RE, "$1=<REDACTED>")
     .replace(/Bearer\s+\S+/gi, "Bearer <REDACTED>")
     .replace(/nvapi-[A-Za-z0-9_-]{10,}/g, "<REDACTED>")
     .replace(/ghp_[A-Za-z0-9]{20,}/g, "<REDACTED>")
@@ -192,7 +213,7 @@ export function createSession(overrides: Partial<Session> = {}): Session {
     credentialEnv: overrides.credentialEnv || null,
     preferredInferenceApi: overrides.preferredInferenceApi || null,
     nimContainer: overrides.nimContainer || null,
-    webSearchConfig: normalizeWebSearchConfig(overrides.webSearchConfig),
+    webSearchConfig: normalizePersistedWebSearchConfig(overrides.webSearchConfig),
     policyPresets: Array.isArray(overrides.policyPresets)
       ? overrides.policyPresets.filter((value) => typeof value === "string")
       : null,
@@ -223,7 +244,7 @@ export function normalizeSession(data: unknown): Session | null {
     preferredInferenceApi:
       typeof d.preferredInferenceApi === "string" ? d.preferredInferenceApi : null,
     nimContainer: typeof d.nimContainer === "string" ? d.nimContainer : null,
-    webSearchConfig: normalizeWebSearchConfig(d.webSearchConfig),
+    webSearchConfig: normalizePersistedWebSearchConfig(d.webSearchConfig),
     policyPresets: Array.isArray(d.policyPresets)
       ? (d.policyPresets as unknown[]).filter((value) => typeof value === "string") as string[]
       : null,
@@ -410,14 +431,9 @@ export function filterSafeUpdates(updates: SessionUpdates): Partial<Session> {
     if (updates.webSearchConfig === null) {
       safe.webSearchConfig = null;
     } else {
-      const normalizedWebSearchConfig = normalizeWebSearchConfig(updates.webSearchConfig);
+      const normalizedWebSearchConfig = normalizePersistedWebSearchConfig(updates.webSearchConfig);
       if (normalizedWebSearchConfig) {
         safe.webSearchConfig = normalizedWebSearchConfig;
-      } else if (
-        isObject(updates.webSearchConfig) &&
-        updates.webSearchConfig.fetchEnabled === false
-      ) {
-        safe.webSearchConfig = null;
       }
     }
   }
diff --git a/src/lib/web-search.test.ts b/src/lib/web-search.test.ts
@@ -33,6 +33,10 @@ describe("web-search helpers", () => {
     });
   });
 
+  it("rejects persisted configs with unsupported providers", () => {
+    expect(normalizeWebSearchConfig({ provider: "duckduckgo", fetchEnabled: true })).toBeNull();
+  });
+
   it("builds the Brave Search OpenClaw config fragment", () => {
     expect(
       buildWebSearchConfigFragment({ provider: "brave", fetchEnabled: true }, "brv-x"),
@@ -92,6 +96,38 @@ describe("web-search helpers", () => {
     });
   });
 
+  it("encodes Tavily Search docker config using the Tavily plugin entry", () => {
+    const encoded = buildWebSearchDockerConfig(
+      { provider: "tavily", fetchEnabled: true },
+      "tvly-x",
+    );
+    expect(JSON.parse(Buffer.from(encoded, "base64").toString("utf8"))).toEqual({
+      plugins: {
+        entries: {
+          tavily: {
+            enabled: true,
+            config: {
+              webSearch: {
+                apiKey: "tvly-x",
+              },
+            },
+          },
+        },
+      },
+      tools: {
+        web: {
+          search: {
+            enabled: true,
+            provider: "tavily",
+          },
+          fetch: {
+            enabled: true,
+          },
+        },
+      },
+    });
+  });
+
   it("includes provider-specific exposure caveats in the warning text", () => {
     const warning = getWebSearchExposureWarningLines("tavily").join(" ");
     expect(warning).toContain("Tavily API key");
diff --git a/src/lib/web-search.ts b/src/lib/web-search.ts
@@ -8,6 +8,13 @@ export interface WebSearchConfig {
   fetchEnabled: boolean;
 }
 
+export interface DisabledWebSearchConfig {
+  provider?: WebSearchProvider;
+  fetchEnabled: false;
+}
+
+export type PersistedWebSearchConfig = WebSearchConfig | DisabledWebSearchConfig;
+
 export interface WebSearchProviderMetadata {
   provider: WebSearchProvider;
   label: string;
@@ -74,14 +81,36 @@ export function getWebSearchProvider(provider: WebSearchProvider): WebSearchProv
   return WEB_SEARCH_PROVIDERS[provider];
 }
 
-export function normalizeWebSearchConfig(value: unknown): WebSearchConfig | null {
-  if (!isObject(value) || value.fetchEnabled !== true) return null;
+export function normalizePersistedWebSearchConfig(
+  value: unknown,
+): PersistedWebSearchConfig | null {
+  if (!isObject(value) || typeof value.fetchEnabled !== "boolean") return null;
+
+  if (value.fetchEnabled === false) {
+    const provider =
+      value.provider === undefined ? undefined : parseWebSearchProvider(value.provider);
+    if (value.provider !== undefined && !provider) return null;
+    return provider ? { provider, fetchEnabled: false } : { fetchEnabled: false };
+  }
+
+  const provider =
+    value.provider === undefined ? "brave" : parseWebSearchProvider(value.provider);
+  if (!provider) return null;
   return {
-    provider: parseWebSearchProvider(value.provider) || "brave",
+    provider,
     fetchEnabled: true,
   };
 }
 
+export function normalizeWebSearchConfig(value: unknown): WebSearchConfig | null {
+  const normalized = normalizePersistedWebSearchConfig(value);
+  return normalized?.fetchEnabled === true ? normalized : null;
+}
+
+export function getWebSearchCredentialEnvNames(): string[] {
+  return listWebSearchProviders().map((provider) => provider.credentialEnv);
+}
+
 export function getWebSearchExposureWarningLines(provider: WebSearchProvider): string[] {
   const { label } = getWebSearchProvider(provider);
   return [
diff --git a/test/onboard.test.js b/test/onboard.test.js
