import fs from "node:fs/promises"; import path from "node:path"; import { setTimeout as delay } from "node:timers/promises"; import { afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest"; import { MINIMAX_API_BASE_URL, MINIMAX_CN_API_BASE_URL } from "../plugin-sdk/minimax.js"; import { OPENAI_DEFAULT_MODEL } from "../plugin-sdk/openai.js"; import { ZAI_CODING_CN_BASE_URL, ZAI_CODING_GLOBAL_BASE_URL, ZAI_GLOBAL_BASE_URL, } from "../plugin-sdk/zai.js"; import { makeTempWorkspace } from "../test-helpers/workspace.js"; import { withEnvAsync } from "../test-utils/env.js"; import { createThrowingRuntime, readJsonFile, type NonInteractiveRuntime, } from "./onboard-non-interactive.test-helpers.js"; type OnboardEnv = { configPath: string; runtime: NonInteractiveRuntime; }; type FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise; const ensureWorkspaceAndSessionsMock = vi.hoisted(() => vi.fn(async (..._args: unknown[]) => {})); vi.mock("./onboard-non-interactive/local/auth-choice.plugin-providers.js", async () => { const [ { resolveDefaultAgentId, resolveAgentDir, resolveAgentWorkspaceDir }, { resolveDefaultAgentWorkspaceDir }, { enablePluginInConfig }, { upsertAuthProfile }, { createProviderApiKeyAuthMethod }, { providerApiKeyAuthRuntime }, { configureOpenAICompatibleSelfHostedProviderNonInteractive }, { detectZaiEndpoint }, { OPENAI_DEFAULT_MODEL }, ] = await Promise.all([ import("../agents/agent-scope.js"), import("../agents/workspace.js"), import("../plugins/enable.js"), import("../agents/auth-profiles/profiles.js"), import("../plugins/provider-api-key-auth.js"), import("../plugins/provider-api-key-auth.runtime.js"), import("../plugins/provider-self-hosted-setup.js"), import("./zai-endpoint-detect.js"), import("../plugin-sdk/openai.js"), ]); const ZAI_FALLBACKS = { "zai-api-key": { baseUrl: ZAI_GLOBAL_BASE_URL, modelId: "glm-5", }, "zai-coding-cn": { baseUrl: ZAI_CODING_CN_BASE_URL, modelId: "glm-4.7", }, "zai-coding-global": { baseUrl: ZAI_CODING_GLOBAL_BASE_URL, modelId: "glm-5", }, } as const; type HandlerContext = { authChoice: string; config: Record; baseConfig: Record; opts: Record; runtime: { error: (message: string) => void; exit: (code: number) => void; log: (s: string) => void; }; agentDir?: string; workspaceDir?: string; resolveApiKey: (input: { provider: string; flagValue?: string; flagName: `--${string}`; envVar: string; envVarName?: string; allowProfile?: boolean; required?: boolean; }) => Promise<{ key: string; source: "profile" | "env" | "flag"; envVarName?: string; } | null>; toApiKeyCredential: (input: { provider: string; resolved: { key: string; source: "profile" | "env" | "flag"; envVarName?: string; }; email?: string; metadata?: Record; }) => Record | null; }; type ChoiceHandler = { providerId: string; label: string; pluginId?: string; runNonInteractive: (ctx: HandlerContext) => Promise; }; function normalizeText(value: unknown): string { return typeof value === "string" ? value.replaceAll("\r", "").replaceAll("\n", "").trim() : ""; } function withProviderConfig( cfg: Record, providerId: string, patch: Record, ): Record { const models = cfg.models && typeof cfg.models === "object" ? (cfg.models as Record) : {}; const providers = models.providers && typeof models.providers === "object" ? (models.providers as Record) : {}; const existing = providers[providerId] && typeof providers[providerId] === "object" ? (providers[providerId] as Record) : {}; return { ...cfg, models: { ...models, providers: { ...providers, [providerId]: { ...existing, ...patch, }, }, }, }; } function buildTestProviderModel( id: string, params?: { reasoning?: boolean; input?: Array<"text" | "image">; contextWindow?: number; maxTokens?: number; }, ): Record { return { id, name: id, reasoning: params?.reasoning ?? false, input: params?.input ?? ["text"], cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0, }, contextWindow: params?.contextWindow ?? 131072, maxTokens: params?.maxTokens ?? 16384, }; } function createApiKeyChoice(params: { providerId: string; label: string; optionKey: string; flagName: `--${string}`; envVar: string; choiceId: string; pluginId?: string; defaultModel?: string; profileId?: string; profileIds?: string[]; applyConfig?: (cfg: Record) => Record; }): ChoiceHandler { const method = createProviderApiKeyAuthMethod({ providerId: params.providerId, methodId: "api-key", label: params.label, optionKey: params.optionKey, flagName: params.flagName, envVar: params.envVar, promptMessage: `Enter ${params.label} API key`, ...(params.profileId ? { profileId: params.profileId } : {}), ...(params.profileIds ? { profileIds: params.profileIds } : {}), ...(params.defaultModel ? { defaultModel: params.defaultModel } : {}), ...(params.applyConfig ? { applyConfig: (cfg) => params.applyConfig!(cfg as Record) as never } : {}), wizard: { choiceId: params.choiceId, choiceLabel: params.label, groupId: params.providerId, groupLabel: params.label, }, }); return { providerId: params.providerId, label: params.label, ...(params.pluginId ? { pluginId: params.pluginId } : {}), runNonInteractive: async (ctx) => await method.runNonInteractive!(ctx as never), }; } function createSelfHostedChoice(params: { providerId: string; label: string; defaultBaseUrl: string; defaultApiKeyEnvVar: string; modelPlaceholder: string; }): ChoiceHandler { return { providerId: params.providerId, label: params.label, runNonInteractive: async (ctx) => await configureOpenAICompatibleSelfHostedProviderNonInteractive({ ctx: ctx as never, providerId: params.providerId, providerLabel: params.label, defaultBaseUrl: params.defaultBaseUrl, defaultApiKeyEnvVar: params.defaultApiKeyEnvVar, modelPlaceholder: params.modelPlaceholder, }), }; } function createZaiChoice( choiceId: "zai-api-key" | "zai-coding-cn" | "zai-coding-global", ): ChoiceHandler { return { providerId: "zai", label: "Z.AI", runNonInteractive: async (ctx) => { const resolved = await ctx.resolveApiKey({ provider: "zai", flagValue: normalizeText(ctx.opts.zaiApiKey), flagName: "--zai-api-key", envVar: "ZAI_API_KEY", }); if (!resolved) { return null; } if (resolved.source !== "profile") { const credential = ctx.toApiKeyCredential({ provider: "zai", resolved }); if (!credential) { return null; } upsertAuthProfile({ profileId: "zai:default", credential: credential as never, agentDir: ctx.agentDir, }); } const detected = await detectZaiEndpoint({ apiKey: resolved.key, ...(choiceId === "zai-coding-global" ? { endpoint: "coding-global" as const } : choiceId === "zai-coding-cn" ? { endpoint: "coding-cn" as const } : {}), }); const fallback = ZAI_FALLBACKS[choiceId]; let next = providerApiKeyAuthRuntime.applyAuthProfileConfig(ctx.config as never, { profileId: "zai:default", provider: "zai", mode: "api_key", }) as Record; next = withProviderConfig(next, "zai", { baseUrl: detected?.baseUrl ?? fallback.baseUrl, api: "openai-completions", models: [ buildTestProviderModel(detected?.modelId ?? fallback.modelId, { input: ["text"], }), ], }); return providerApiKeyAuthRuntime.applyPrimaryModel( next as never, `zai/${detected?.modelId ?? fallback.modelId}`, ); }, }; } const cloudflareAiGatewayChoice: ChoiceHandler = { providerId: "cloudflare-ai-gateway", label: "Cloudflare AI Gateway", runNonInteractive: async (ctx) => { const accountId = normalizeText(ctx.opts.cloudflareAiGatewayAccountId); const gatewayId = normalizeText(ctx.opts.cloudflareAiGatewayGatewayId); const resolved = await ctx.resolveApiKey({ provider: "cloudflare-ai-gateway", flagValue: normalizeText(ctx.opts.cloudflareAiGatewayApiKey), flagName: "--cloudflare-ai-gateway-api-key", envVar: "CLOUDFLARE_AI_GATEWAY_API_KEY", }); if (!resolved) { return null; } if (resolved.source !== "profile") { const credential = ctx.toApiKeyCredential({ provider: "cloudflare-ai-gateway", resolved, metadata: { accountId, gatewayId }, }); if (!credential) { return null; } upsertAuthProfile({ profileId: "cloudflare-ai-gateway:default", credential: credential as never, agentDir: ctx.agentDir, }); } const withProfile = providerApiKeyAuthRuntime.applyAuthProfileConfig(ctx.config as never, { profileId: "cloudflare-ai-gateway:default", provider: "cloudflare-ai-gateway", mode: "api_key", }); return providerApiKeyAuthRuntime.applyPrimaryModel( withProfile, "cloudflare-ai-gateway/claude-sonnet-4-5", ); }, }; const anthropicTokenChoice: ChoiceHandler = { providerId: "anthropic", label: "Anthropic", runNonInteractive: async (ctx) => { const token = normalizeText(ctx.opts.token); if (!token) { ctx.runtime.error("Missing --token for --auth-choice token."); ctx.runtime.exit(1); return null; } upsertAuthProfile({ profileId: "anthropic:default", credential: { type: "token", provider: "anthropic", token, }, agentDir: ctx.agentDir, }); return providerApiKeyAuthRuntime.applyAuthProfileConfig(ctx.config as never, { profileId: "anthropic:default", provider: "anthropic", mode: "token", }); }, }; const choiceMap = new Map([ [ "apiKey", createApiKeyChoice({ providerId: "anthropic", label: "Anthropic", choiceId: "apiKey", optionKey: "anthropicApiKey", flagName: "--anthropic-api-key", envVar: "ANTHROPIC_API_KEY", }), ], [ "minimax-global-api", createApiKeyChoice({ providerId: "minimax", label: "MiniMax", choiceId: "minimax-global-api", optionKey: "minimaxApiKey", flagName: "--minimax-api-key", envVar: "MINIMAX_API_KEY", profileId: "minimax:global", defaultModel: "minimax/MiniMax-M2.7", applyConfig: (cfg) => withProviderConfig(cfg, "minimax", { baseUrl: MINIMAX_API_BASE_URL, api: "anthropic-messages", models: [buildTestProviderModel("MiniMax-M2.7")], }), }), ], [ "minimax-cn-api", createApiKeyChoice({ providerId: "minimax", label: "MiniMax", choiceId: "minimax-cn-api", optionKey: "minimaxApiKey", flagName: "--minimax-api-key", envVar: "MINIMAX_API_KEY", profileId: "minimax:cn", defaultModel: "minimax/MiniMax-M2.7", applyConfig: (cfg) => withProviderConfig(cfg, "minimax", { baseUrl: MINIMAX_CN_API_BASE_URL, api: "anthropic-messages", models: [buildTestProviderModel("MiniMax-M2.7")], }), }), ], ["zai-api-key", createZaiChoice("zai-api-key")], ["zai-coding-cn", createZaiChoice("zai-coding-cn")], ["zai-coding-global", createZaiChoice("zai-coding-global")], [ "xai-api-key", createApiKeyChoice({ providerId: "xai", label: "xAI", choiceId: "xai-api-key", optionKey: "xaiApiKey", flagName: "--xai-api-key", envVar: "XAI_API_KEY", defaultModel: "xai/grok-4", }), ], [ "mistral-api-key", createApiKeyChoice({ providerId: "mistral", label: "Mistral", choiceId: "mistral-api-key", optionKey: "mistralApiKey", flagName: "--mistral-api-key", envVar: "MISTRAL_API_KEY", defaultModel: "mistral/mistral-large-latest", }), ], [ "volcengine-api-key", createApiKeyChoice({ providerId: "volcengine", label: "Volcano Engine", choiceId: "volcengine-api-key", optionKey: "volcengineApiKey", flagName: "--volcengine-api-key", envVar: "VOLCANO_ENGINE_API_KEY", defaultModel: "volcengine-plan/ark-code-latest", }), ], [ "byteplus-api-key", createApiKeyChoice({ providerId: "byteplus", label: "BytePlus", choiceId: "byteplus-api-key", optionKey: "byteplusApiKey", flagName: "--byteplus-api-key", envVar: "BYTEPLUS_API_KEY", defaultModel: "byteplus-plan/ark-code-latest", }), ], [ "ai-gateway-api-key", createApiKeyChoice({ providerId: "vercel-ai-gateway", label: "Vercel AI Gateway", choiceId: "ai-gateway-api-key", optionKey: "aiGatewayApiKey", flagName: "--ai-gateway-api-key", envVar: "AI_GATEWAY_API_KEY", defaultModel: "vercel-ai-gateway/anthropic/claude-opus-4.6", }), ], [ "openai-api-key", createApiKeyChoice({ providerId: "openai", label: "OpenAI", choiceId: "openai-api-key", optionKey: "openaiApiKey", flagName: "--openai-api-key", envVar: "OPENAI_API_KEY", defaultModel: OPENAI_DEFAULT_MODEL, }), ], [ "openrouter-api-key", createApiKeyChoice({ providerId: "openrouter", label: "OpenRouter", choiceId: "openrouter-api-key", optionKey: "openrouterApiKey", flagName: "--openrouter-api-key", envVar: "OPENROUTER_API_KEY", }), ], [ "opencode-zen", createApiKeyChoice({ providerId: "opencode", label: "OpenCode", choiceId: "opencode-zen", optionKey: "opencodeApiKey", flagName: "--opencode-api-key", envVar: "OPENCODE_ZEN_API_KEY", profileIds: ["opencode:default", "opencode-go:default"], defaultModel: "opencode/claude-opus-4-6", }), ], [ "vllm", createSelfHostedChoice({ providerId: "vllm", label: "vLLM", defaultBaseUrl: "http://127.0.0.1:8000/v1", defaultApiKeyEnvVar: "VLLM_API_KEY", modelPlaceholder: "Qwen/Qwen3-32B", }), ], [ "sglang", createSelfHostedChoice({ providerId: "sglang", label: "SGLang", defaultBaseUrl: "http://127.0.0.1:30000/v1", defaultApiKeyEnvVar: "SGLANG_API_KEY", modelPlaceholder: "Qwen/Qwen3-32B", }), ], [ "litellm-api-key", createApiKeyChoice({ providerId: "litellm", label: "LiteLLM", choiceId: "litellm-api-key", optionKey: "litellmApiKey", flagName: "--litellm-api-key", envVar: "LITELLM_API_KEY", defaultModel: "litellm/claude-opus-4-6", }), ], ["cloudflare-ai-gateway-api-key", cloudflareAiGatewayChoice], [ "together-api-key", createApiKeyChoice({ providerId: "together", label: "Together", choiceId: "together-api-key", optionKey: "togetherApiKey", flagName: "--together-api-key", envVar: "TOGETHER_API_KEY", defaultModel: "together/moonshotai/Kimi-K2.5", }), ], [ "qianfan-api-key", createApiKeyChoice({ providerId: "qianfan", label: "Qianfan", choiceId: "qianfan-api-key", optionKey: "qianfanApiKey", flagName: "--qianfan-api-key", envVar: "QIANFAN_API_KEY", defaultModel: "qianfan/deepseek-v3.2", }), ], [ "modelstudio-api-key", createApiKeyChoice({ providerId: "modelstudio", label: "Model Studio", choiceId: "modelstudio-api-key", optionKey: "modelstudioApiKey", flagName: "--modelstudio-api-key", envVar: "MODELSTUDIO_API_KEY", defaultModel: "modelstudio/qwen3.5-plus", applyConfig: (cfg) => withProviderConfig(cfg, "modelstudio", { baseUrl: "https://coding-intl.dashscope.aliyuncs.com/v1", api: "openai-completions", models: [buildTestProviderModel("qwen3.5-plus")], }), }), ], ["token", anthropicTokenChoice], ]); return { applyNonInteractivePluginProviderChoice: async (params: { nextConfig: Record; authChoice: string; opts: Record; runtime: HandlerContext["runtime"]; baseConfig: Record; resolveApiKey: HandlerContext["resolveApiKey"]; toApiKeyCredential: HandlerContext["toApiKeyCredential"]; }) => { const handler = choiceMap.get(params.authChoice); if (!handler) { return undefined; } const enableResult = enablePluginInConfig( params.nextConfig as never, handler.pluginId ?? handler.providerId, ); if (!enableResult.enabled) { params.runtime.error( `${handler.label} plugin is disabled (${enableResult.reason ?? "blocked"}).`, ); params.runtime.exit(1); return null; } const agentId = resolveDefaultAgentId(enableResult.config); const agentDir = resolveAgentDir(enableResult.config, agentId); const workspaceDir = resolveAgentWorkspaceDir(enableResult.config, agentId) ?? resolveDefaultAgentWorkspaceDir(); return await handler.runNonInteractive({ authChoice: params.authChoice, config: enableResult.config, baseConfig: params.baseConfig, opts: params.opts, runtime: params.runtime, agentDir, workspaceDir, resolveApiKey: params.resolveApiKey, toApiKeyCredential: params.toApiKeyCredential, }); }, }; }); vi.mock("./onboard-helpers.js", async (importOriginal) => { const actual = await importOriginal(); return { ...actual, ensureWorkspaceAndSessions: ensureWorkspaceAndSessionsMock, }; }); const NON_INTERACTIVE_DEFAULT_OPTIONS = { nonInteractive: true, skipHealth: true, skipChannels: true, json: true, } as const; let runNonInteractiveSetup: typeof import("./onboard-non-interactive.js").runNonInteractiveSetup; let clearRuntimeAuthProfileStoreSnapshots: typeof import("../agents/auth-profiles.js").clearRuntimeAuthProfileStoreSnapshots; let ensureAuthProfileStore: typeof import("../agents/auth-profiles.js").ensureAuthProfileStore; let upsertAuthProfile: typeof import("../agents/auth-profiles.js").upsertAuthProfile; let resetFileLockStateForTest: typeof import("../infra/file-lock.js").resetFileLockStateForTest; let clearPluginDiscoveryCache: typeof import("../plugins/discovery.js").clearPluginDiscoveryCache; let clearPluginManifestRegistryCache: typeof import("../plugins/manifest-registry.js").clearPluginManifestRegistryCache; type ProviderAuthConfigSnapshot = { auth?: { profiles?: Record }; agents?: { defaults?: { model?: { primary?: string } } }; models?: { providers?: Record< string, { baseUrl?: string; api?: string; apiKey?: string | { source?: string; id?: string }; models?: Array<{ id?: string }>; } >; }; }; function createZaiFetchMock(responses: Record): FetchLike { return vi.fn(async (input, init) => { const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : ""; const parsedBody = typeof init?.body === "string" ? (JSON.parse(init.body) as { model?: string }) : {}; const key = `${url}::${parsedBody.model ?? ""}`; const status = responses[key] ?? 404; return new Response( JSON.stringify( status === 200 ? { ok: true } : { error: { code: "unsupported", message: "unsupported" } }, ), { status, headers: { "content-type": "application/json" }, }, ); }); } async function withZaiProbeFetch( responses: Record, run: (fetchMock: FetchLike) => Promise, ): Promise { const originalVitest = process.env.VITEST; delete process.env.VITEST; const fetchMock = createZaiFetchMock(responses); vi.stubGlobal("fetch", fetchMock); try { return await run(fetchMock); } finally { vi.unstubAllGlobals(); if (originalVitest === undefined) { delete process.env.VITEST; } else { process.env.VITEST = originalVitest; } } } async function removeDirWithRetry(dir: string): Promise { for (let attempt = 0; attempt < 5; attempt += 1) { try { await fs.rm(dir, { recursive: true, force: true }); return; } catch (error) { const code = (error as NodeJS.ErrnoException).code; const isTransient = code === "ENOTEMPTY" || code === "EBUSY" || code === "EPERM"; if (!isTransient || attempt === 4) { throw error; } await delay(10 * (attempt + 1)); } } } async function withOnboardEnv( prefix: string, run: (ctx: OnboardEnv) => Promise, ): Promise { const tempHome = await makeTempWorkspace(prefix); const configPath = path.join(tempHome, "openclaw.json"); const runtime = createThrowingRuntime(); try { await withEnvAsync( { HOME: tempHome, OPENCLAW_STATE_DIR: tempHome, OPENCLAW_CONFIG_PATH: configPath, OPENCLAW_SKIP_CHANNELS: "1", OPENCLAW_SKIP_GMAIL_WATCHER: "1", OPENCLAW_SKIP_CRON: "1", OPENCLAW_SKIP_CANVAS_HOST: "1", OPENCLAW_GATEWAY_TOKEN: undefined, OPENCLAW_GATEWAY_PASSWORD: undefined, CUSTOM_API_KEY: undefined, OPENCLAW_DISABLE_CONFIG_CACHE: "1", OPENCLAW_DISABLE_PLUGIN_DISCOVERY_CACHE: "1", OPENCLAW_DISABLE_PLUGIN_MANIFEST_CACHE: "1", }, async () => { await run({ configPath, runtime }); }, ); } finally { await removeDirWithRetry(tempHome); } } async function runNonInteractiveSetupWithDefaults( runtime: NonInteractiveRuntime, options: Record, ): Promise { await runNonInteractiveSetup( { ...NON_INTERACTIVE_DEFAULT_OPTIONS, ...options, }, runtime, ); } async function runOnboardingAndReadConfig( env: OnboardEnv, options: Record, ): Promise { await runNonInteractiveSetupWithDefaults(env.runtime, { skipSkills: true, ...options, }); return readJsonFile(env.configPath); } const CUSTOM_LOCAL_BASE_URL = "https://models.custom.local/v1"; const CUSTOM_LOCAL_MODEL_ID = "local-large"; const CUSTOM_LOCAL_PROVIDER_ID = "custom-models-custom-local"; async function runCustomLocalNonInteractive( runtime: NonInteractiveRuntime, overrides: Record = {}, ): Promise { await runNonInteractiveSetupWithDefaults(runtime, { authChoice: "custom-api-key", customBaseUrl: CUSTOM_LOCAL_BASE_URL, customModelId: CUSTOM_LOCAL_MODEL_ID, skipSkills: true, ...overrides, }); } async function readCustomLocalProviderApiKey(configPath: string): Promise { const cfg = await readJsonFile(configPath); const apiKey = cfg.models?.providers?.[CUSTOM_LOCAL_PROVIDER_ID]?.apiKey; return typeof apiKey === "string" ? apiKey : undefined; } async function readCustomLocalProviderApiKeyInput( configPath: string, ): Promise { const cfg = await readJsonFile(configPath); return cfg.models?.providers?.[CUSTOM_LOCAL_PROVIDER_ID]?.apiKey; } async function expectApiKeyProfile(params: { profileId: string; provider: string; key: string; metadata?: Record; }): Promise { const store = ensureAuthProfileStore(); const profile = store.profiles[params.profileId]; expect(profile?.type).toBe("api_key"); if (profile?.type === "api_key") { expect(profile.provider).toBe(params.provider); expect(profile.key).toBe(params.key); if (params.metadata) { expect(profile.metadata).toEqual(params.metadata); } } } async function loadProviderAuthOnboardModules(): Promise { vi.resetModules(); ({ runNonInteractiveSetup } = await import("./onboard-non-interactive.js")); ({ clearRuntimeAuthProfileStoreSnapshots, ensureAuthProfileStore, upsertAuthProfile } = await import("../agents/auth-profiles.js")); ({ resetFileLockStateForTest } = await import("../infra/file-lock.js")); ({ clearPluginDiscoveryCache } = await import("../plugins/discovery.js")); ({ clearPluginManifestRegistryCache } = await import("../plugins/manifest-registry.js")); } describe("onboard (non-interactive): provider auth", () => { beforeAll(async () => { await loadProviderAuthOnboardModules(); }); beforeEach(() => { clearRuntimeAuthProfileStoreSnapshots(); resetFileLockStateForTest(); clearPluginDiscoveryCache(); clearPluginManifestRegistryCache(); ensureWorkspaceAndSessionsMock.mockClear(); }); afterEach(() => { vi.unstubAllGlobals(); clearRuntimeAuthProfileStoreSnapshots(); resetFileLockStateForTest(); clearPluginDiscoveryCache(); clearPluginManifestRegistryCache(); ensureWorkspaceAndSessionsMock.mockClear(); }); it("stores MiniMax API key and uses global baseUrl by default", async () => { await withOnboardEnv("openclaw-onboard-minimax-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "minimax-global-api", minimaxApiKey: "sk-minimax-test", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["minimax:global"]?.provider).toBe("minimax"); expect(cfg.auth?.profiles?.["minimax:global"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.minimax?.baseUrl).toBe(MINIMAX_API_BASE_URL); expect(cfg.agents?.defaults?.model?.primary).toBe("minimax/MiniMax-M2.7"); await expectApiKeyProfile({ profileId: "minimax:global", provider: "minimax", key: "sk-minimax-test", }); }); }); it("supports MiniMax CN API endpoint auth choice", async () => { await withOnboardEnv("openclaw-onboard-minimax-cn-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "minimax-cn-api", minimaxApiKey: "sk-minimax-test", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["minimax:cn"]?.provider).toBe("minimax"); expect(cfg.auth?.profiles?.["minimax:cn"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.minimax?.baseUrl).toBe(MINIMAX_CN_API_BASE_URL); expect(cfg.agents?.defaults?.model?.primary).toBe("minimax/MiniMax-M2.7"); await expectApiKeyProfile({ profileId: "minimax:cn", provider: "minimax", key: "sk-minimax-test", }); }); }); it("stores Z.AI API key and uses global baseUrl by default", async () => { await withZaiProbeFetch( { [`${ZAI_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200, }, async (fetchMock) => await withOnboardEnv("openclaw-onboard-zai-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "zai-api-key", zaiApiKey: "zai-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["zai:default"]?.provider).toBe("zai"); expect(cfg.auth?.profiles?.["zai:default"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_GLOBAL_BASE_URL); expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5"); expect(fetchMock).toHaveBeenCalled(); await expectApiKeyProfile({ profileId: "zai:default", provider: "zai", key: "zai-test-key", }); }), ); }); it("supports Z.AI CN coding endpoint auth choice", async () => { await withZaiProbeFetch( { [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-5`]: 404, [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-4.7`]: 200, }, async (fetchMock) => await withOnboardEnv("openclaw-onboard-zai-cn-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "zai-coding-cn", zaiApiKey: "zai-test-key", // pragma: allowlist secret }); expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_CN_BASE_URL); expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-4.7"); expect(fetchMock).toHaveBeenCalled(); }), ); }); it("supports Z.AI Coding Plan global endpoint with GLM-5 when available", async () => { await withZaiProbeFetch( { [`${ZAI_CODING_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200, }, async (fetchMock) => await withOnboardEnv("openclaw-onboard-zai-coding-global-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "zai-coding-global", zaiApiKey: "zai-test-key", // pragma: allowlist secret }); expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_GLOBAL_BASE_URL); expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5"); expect(fetchMock).toHaveBeenCalled(); }), ); }); it("stores xAI API key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-xai-", async (env) => { const rawKey = "xai-test-\r\nkey"; const cfg = await runOnboardingAndReadConfig(env, { authChoice: "xai-api-key", xaiApiKey: rawKey, }); expect(cfg.auth?.profiles?.["xai:default"]?.provider).toBe("xai"); expect(cfg.auth?.profiles?.["xai:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("xai/grok-4"); await expectApiKeyProfile({ profileId: "xai:default", provider: "xai", key: "xai-test-key" }); }); }); it("infers Mistral auth choice from --mistral-api-key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-mistral-infer-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { mistralApiKey: "mistral-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["mistral:default"]?.provider).toBe("mistral"); expect(cfg.auth?.profiles?.["mistral:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("mistral/mistral-large-latest"); await expectApiKeyProfile({ profileId: "mistral:default", provider: "mistral", key: "mistral-test-key", }); }); }); it("stores Volcano Engine API key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-volcengine-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "volcengine-api-key", volcengineApiKey: "volcengine-test-key", // pragma: allowlist secret }); expect(cfg.agents?.defaults?.model?.primary).toBe("volcengine-plan/ark-code-latest"); }); }); it("infers BytePlus auth choice from --byteplus-api-key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-byteplus-infer-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { byteplusApiKey: "byteplus-test-key", // pragma: allowlist secret }); expect(cfg.agents?.defaults?.model?.primary).toBe("byteplus-plan/ark-code-latest"); }); }); it("stores Vercel AI Gateway API key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-ai-gateway-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "ai-gateway-api-key", aiGatewayApiKey: "gateway-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["vercel-ai-gateway:default"]?.provider).toBe("vercel-ai-gateway"); expect(cfg.auth?.profiles?.["vercel-ai-gateway:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe( "vercel-ai-gateway/anthropic/claude-opus-4.6", ); await expectApiKeyProfile({ profileId: "vercel-ai-gateway:default", provider: "vercel-ai-gateway", key: "gateway-test-key", }); }); }); it("stores token auth profile", async () => { await withOnboardEnv("openclaw-onboard-token-", async ({ configPath, runtime }) => { const cleanToken = `sk-ant-oat01-${"a".repeat(80)}`; const token = `${cleanToken.slice(0, 30)}\r${cleanToken.slice(30)}`; await runNonInteractiveSetupWithDefaults(runtime, { authChoice: "token", tokenProvider: "anthropic", token, tokenProfileId: "anthropic:default", }); const cfg = await readJsonFile(configPath); expect(cfg.auth?.profiles?.["anthropic:default"]?.provider).toBe("anthropic"); expect(cfg.auth?.profiles?.["anthropic:default"]?.mode).toBe("token"); const store = ensureAuthProfileStore(); const profile = store.profiles["anthropic:default"]; expect(profile?.type).toBe("token"); if (profile?.type === "token") { expect(profile.provider).toBe("anthropic"); expect(profile.token).toBe(cleanToken); } }); }); it("stores OpenAI API key and sets OpenAI default model", async () => { await withOnboardEnv("openclaw-onboard-openai-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "openai-api-key", openaiApiKey: "sk-openai-test", // pragma: allowlist secret }); expect(cfg.agents?.defaults?.model?.primary).toBe(OPENAI_DEFAULT_MODEL); }); }); it.each([ { name: "anthropic", prefix: "openclaw-onboard-ref-flag-anthropic-", authChoice: "apiKey", optionKey: "anthropicApiKey", flagName: "--anthropic-api-key", envVar: "ANTHROPIC_API_KEY", }, { name: "openai", prefix: "openclaw-onboard-ref-flag-openai-", authChoice: "openai-api-key", optionKey: "openaiApiKey", flagName: "--openai-api-key", envVar: "OPENAI_API_KEY", }, { name: "openrouter", prefix: "openclaw-onboard-ref-flag-openrouter-", authChoice: "openrouter-api-key", optionKey: "openrouterApiKey", flagName: "--openrouter-api-key", envVar: "OPENROUTER_API_KEY", }, { name: "xai", prefix: "openclaw-onboard-ref-flag-xai-", authChoice: "xai-api-key", optionKey: "xaiApiKey", flagName: "--xai-api-key", envVar: "XAI_API_KEY", }, { name: "volcengine", prefix: "openclaw-onboard-ref-flag-volcengine-", authChoice: "volcengine-api-key", optionKey: "volcengineApiKey", flagName: "--volcengine-api-key", envVar: "VOLCANO_ENGINE_API_KEY", }, { name: "byteplus", prefix: "openclaw-onboard-ref-flag-byteplus-", authChoice: "byteplus-api-key", optionKey: "byteplusApiKey", flagName: "--byteplus-api-key", envVar: "BYTEPLUS_API_KEY", }, ])( "fails fast for $name when --secret-input-mode ref uses explicit key without env and does not leak the key", async ({ prefix, authChoice, optionKey, flagName, envVar }) => { await withOnboardEnv(prefix, async ({ runtime }) => { const providedSecret = `${envVar.toLowerCase()}-should-not-leak`; // pragma: allowlist secret const options: Record = { authChoice, secretInputMode: "ref", // pragma: allowlist secret [optionKey]: providedSecret, skipSkills: true, }; const envOverrides: Record = { [envVar]: undefined, }; await withEnvAsync(envOverrides, async () => { let thrown: Error | undefined; try { await runNonInteractiveSetupWithDefaults(runtime, options); } catch (error) { thrown = error as Error; } expect(thrown).toBeDefined(); const message = String(thrown?.message ?? ""); expect(message).toContain( `${flagName} cannot be used with --secret-input-mode ref unless ${envVar} is set in env.`, ); expect(message).toContain( `Set ${envVar} in env and omit ${flagName}, or use --secret-input-mode plaintext.`, ); expect(message).not.toContain(providedSecret); }); }); }, ); it("stores the detected env alias as keyRef for both OpenCode runtime providers", async () => { await withOnboardEnv("openclaw-onboard-ref-opencode-alias-", async ({ runtime }) => { await withEnvAsync( { OPENCODE_API_KEY: undefined, OPENCODE_ZEN_API_KEY: "opencode-zen-env-key", // pragma: allowlist secret }, async () => { await runNonInteractiveSetupWithDefaults(runtime, { authChoice: "opencode-zen", secretInputMode: "ref", // pragma: allowlist secret skipSkills: true, }); const store = ensureAuthProfileStore(); for (const profileId of ["opencode:default", "opencode-go:default"]) { const profile = store.profiles[profileId]; expect(profile?.type).toBe("api_key"); if (profile?.type === "api_key") { expect(profile.key).toBeUndefined(); expect(profile.keyRef).toEqual({ source: "env", provider: "default", id: "OPENCODE_ZEN_API_KEY", }); } } }, ); }); }); it("configures vLLM via the provider plugin in non-interactive mode", async () => { await withOnboardEnv("openclaw-onboard-vllm-non-interactive-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "vllm", customBaseUrl: "http://127.0.0.1:8100/v1", customApiKey: "vllm-test-key", // pragma: allowlist secret customModelId: "Qwen/Qwen3-8B", }); expect(cfg.auth?.profiles?.["vllm:default"]?.provider).toBe("vllm"); expect(cfg.auth?.profiles?.["vllm:default"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.vllm).toEqual({ baseUrl: "http://127.0.0.1:8100/v1", api: "openai-completions", apiKey: "VLLM_API_KEY", models: [ expect.objectContaining({ id: "Qwen/Qwen3-8B", }), ], }); expect(cfg.agents?.defaults?.model?.primary).toBe("vllm/Qwen/Qwen3-8B"); await expectApiKeyProfile({ profileId: "vllm:default", provider: "vllm", key: "vllm-test-key", }); }); }); it("configures SGLang via the provider plugin in non-interactive mode", async () => { await withOnboardEnv("openclaw-onboard-sglang-non-interactive-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "sglang", customBaseUrl: "http://127.0.0.1:31000/v1", customApiKey: "sglang-test-key", // pragma: allowlist secret customModelId: "Qwen/Qwen3-32B", }); expect(cfg.auth?.profiles?.["sglang:default"]?.provider).toBe("sglang"); expect(cfg.auth?.profiles?.["sglang:default"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.sglang).toEqual({ baseUrl: "http://127.0.0.1:31000/v1", api: "openai-completions", apiKey: "SGLANG_API_KEY", models: [ expect.objectContaining({ id: "Qwen/Qwen3-32B", }), ], }); expect(cfg.agents?.defaults?.model?.primary).toBe("sglang/Qwen/Qwen3-32B"); await expectApiKeyProfile({ profileId: "sglang:default", provider: "sglang", key: "sglang-test-key", }); }); }); it("stores LiteLLM API key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-litellm-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { authChoice: "litellm-api-key", litellmApiKey: "litellm-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["litellm:default"]?.provider).toBe("litellm"); expect(cfg.auth?.profiles?.["litellm:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("litellm/claude-opus-4-6"); await expectApiKeyProfile({ profileId: "litellm:default", provider: "litellm", key: "litellm-test-key", }); }); }); it.each([ { name: "stores Cloudflare AI Gateway API key and metadata", prefix: "openclaw-onboard-cf-gateway-", options: { authChoice: "cloudflare-ai-gateway-api-key", }, }, { name: "infers Cloudflare auth choice from API key flags", prefix: "openclaw-onboard-cf-gateway-infer-", options: {}, }, ])("$name", async ({ prefix, options }) => { await withOnboardEnv(prefix, async ({ configPath, runtime }) => { await runNonInteractiveSetupWithDefaults(runtime, { cloudflareAiGatewayAccountId: "cf-account-id", cloudflareAiGatewayGatewayId: "cf-gateway-id", cloudflareAiGatewayApiKey: "cf-gateway-test-key", // pragma: allowlist secret skipSkills: true, ...options, }); const cfg = await readJsonFile(configPath); expect(cfg.auth?.profiles?.["cloudflare-ai-gateway:default"]?.provider).toBe( "cloudflare-ai-gateway", ); expect(cfg.auth?.profiles?.["cloudflare-ai-gateway:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("cloudflare-ai-gateway/claude-sonnet-4-5"); await expectApiKeyProfile({ profileId: "cloudflare-ai-gateway:default", provider: "cloudflare-ai-gateway", key: "cf-gateway-test-key", metadata: { accountId: "cf-account-id", gatewayId: "cf-gateway-id" }, }); }); }); it("infers Together auth choice from --together-api-key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-together-infer-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { togetherApiKey: "together-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["together:default"]?.provider).toBe("together"); expect(cfg.auth?.profiles?.["together:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("together/moonshotai/Kimi-K2.5"); await expectApiKeyProfile({ profileId: "together:default", provider: "together", key: "together-test-key", }); }); }); it("infers QIANFAN auth choice from --qianfan-api-key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-qianfan-infer-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { qianfanApiKey: "qianfan-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["qianfan:default"]?.provider).toBe("qianfan"); expect(cfg.auth?.profiles?.["qianfan:default"]?.mode).toBe("api_key"); expect(cfg.agents?.defaults?.model?.primary).toBe("qianfan/deepseek-v3.2"); await expectApiKeyProfile({ profileId: "qianfan:default", provider: "qianfan", key: "qianfan-test-key", }); }); }); it("infers Model Studio auth choice from --modelstudio-api-key and sets default model", async () => { await withOnboardEnv("openclaw-onboard-modelstudio-infer-", async (env) => { const cfg = await runOnboardingAndReadConfig(env, { modelstudioApiKey: "modelstudio-test-key", // pragma: allowlist secret }); expect(cfg.auth?.profiles?.["modelstudio:default"]?.provider).toBe("modelstudio"); expect(cfg.auth?.profiles?.["modelstudio:default"]?.mode).toBe("api_key"); expect(cfg.models?.providers?.modelstudio?.baseUrl).toBe( "https://coding-intl.dashscope.aliyuncs.com/v1", ); expect(cfg.agents?.defaults?.model?.primary).toBe("modelstudio/qwen3.5-plus"); await expectApiKeyProfile({ profileId: "modelstudio:default", provider: "modelstudio", key: "modelstudio-test-key", }); }); }); it("configures a custom provider from non-interactive flags", async () => { await withOnboardEnv("openclaw-onboard-custom-provider-", async ({ configPath, runtime }) => { await runNonInteractiveSetupWithDefaults(runtime, { authChoice: "custom-api-key", customBaseUrl: "https://llm.example.com/v1", customApiKey: "custom-test-key", // pragma: allowlist secret customModelId: "foo-large", customCompatibility: "anthropic", skipSkills: true, }); const cfg = await readJsonFile(configPath); const provider = cfg.models?.providers?.["custom-llm-example-com"]; expect(provider?.baseUrl).toBe("https://llm.example.com/v1"); expect(provider?.api).toBe("anthropic-messages"); expect(provider?.apiKey).toBe("custom-test-key"); expect(provider?.models?.some((model) => model.id === "foo-large")).toBe(true); expect(cfg.agents?.defaults?.model?.primary).toBe("custom-llm-example-com/foo-large"); }); }); it("infers custom provider auth choice from custom flags", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-infer-", async ({ configPath, runtime }) => { await runNonInteractiveSetupWithDefaults(runtime, { customBaseUrl: "https://models.custom.local/v1", customModelId: "local-large", customApiKey: "custom-test-key", // pragma: allowlist secret skipSkills: true, }); const cfg = await readJsonFile(configPath); expect(cfg.models?.providers?.["custom-models-custom-local"]?.baseUrl).toBe( "https://models.custom.local/v1", ); expect(cfg.models?.providers?.["custom-models-custom-local"]?.api).toBe( "openai-completions", ); expect(cfg.agents?.defaults?.model?.primary).toBe("custom-models-custom-local/local-large"); }, ); }); it("uses CUSTOM_API_KEY env fallback for non-interactive custom provider auth", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-env-fallback-", async ({ configPath, runtime }) => { process.env.CUSTOM_API_KEY = "custom-env-key"; // pragma: allowlist secret await runCustomLocalNonInteractive(runtime); expect(await readCustomLocalProviderApiKey(configPath)).toBe("custom-env-key"); }, ); }); it("stores CUSTOM_API_KEY env ref for non-interactive custom provider auth in ref mode", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-env-ref-", async ({ configPath, runtime }) => { process.env.CUSTOM_API_KEY = "custom-env-key"; // pragma: allowlist secret await runCustomLocalNonInteractive(runtime, { secretInputMode: "ref", // pragma: allowlist secret }); expect(await readCustomLocalProviderApiKeyInput(configPath)).toEqual({ source: "env", provider: "default", id: "CUSTOM_API_KEY", }); }, ); }); it("fails fast for custom provider ref mode when --custom-api-key is set but CUSTOM_API_KEY env is missing", async () => { await withOnboardEnv("openclaw-onboard-custom-provider-ref-flag-", async ({ runtime }) => { const providedSecret = "custom-inline-key-should-not-leak"; // pragma: allowlist secret await withEnvAsync({ CUSTOM_API_KEY: undefined }, async () => { let thrown: Error | undefined; try { await runCustomLocalNonInteractive(runtime, { secretInputMode: "ref", // pragma: allowlist secret customApiKey: providedSecret, }); } catch (error) { thrown = error as Error; } expect(thrown).toBeDefined(); const message = String(thrown?.message ?? ""); expect(message).toContain( "--custom-api-key cannot be used with --secret-input-mode ref unless CUSTOM_API_KEY is set in env.", ); expect(message).toContain( "Set CUSTOM_API_KEY in env and omit --custom-api-key, or use --secret-input-mode plaintext.", ); expect(message).not.toContain(providedSecret); }); }); }); it("uses matching profile fallback for non-interactive custom provider auth", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-profile-fallback-", async ({ configPath, runtime }) => { upsertAuthProfile({ profileId: `${CUSTOM_LOCAL_PROVIDER_ID}:default`, credential: { type: "api_key", provider: CUSTOM_LOCAL_PROVIDER_ID, key: "custom-profile-key", }, }); await runCustomLocalNonInteractive(runtime); expect(await readCustomLocalProviderApiKey(configPath)).toBe("custom-profile-key"); }, ); }); it("fails custom provider auth when compatibility is invalid", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-invalid-compat-", async ({ runtime }) => { await expect( runNonInteractiveSetupWithDefaults(runtime, { authChoice: "custom-api-key", customBaseUrl: "https://models.custom.local/v1", customModelId: "local-large", customCompatibility: "xmlrpc", skipSkills: true, }), ).rejects.toThrow('Invalid --custom-compatibility (use "openai" or "anthropic").'); }, ); }); it("fails custom provider auth when explicit provider id is invalid", async () => { await withOnboardEnv("openclaw-onboard-custom-provider-invalid-id-", async ({ runtime }) => { await expect( runNonInteractiveSetupWithDefaults(runtime, { authChoice: "custom-api-key", customBaseUrl: "https://models.custom.local/v1", customModelId: "local-large", customProviderId: "!!!", skipSkills: true, }), ).rejects.toThrow( "Invalid custom provider config: Custom provider ID must include letters, numbers, or hyphens.", ); }); }); it("fails inferred custom auth when required flags are incomplete", async () => { await withOnboardEnv( "openclaw-onboard-custom-provider-missing-required-", async ({ runtime }) => { await expect( runNonInteractiveSetupWithDefaults(runtime, { customApiKey: "custom-test-key", // pragma: allowlist secret skipSkills: true, }), ).rejects.toThrow('Auth choice "custom-api-key" requires a base URL and model ID.'); }, ); }); });