import type { ApiKeyCredential } from "../../../agents/auth-profiles/types.js"; import type { OpenClawConfig } from "../../../config/types.openclaw.js"; import type { SecretInput } from "../../../config/types.secrets.js"; import { formatErrorMessage } from "../../../infra/errors.js"; import { resolveManifestDeprecatedProviderAuthChoice } from "../../../plugins/provider-auth-choices.js"; import type { RuntimeEnv } from "../../../runtime.js"; import { resolveDefaultSecretProviderAlias } from "../../../secrets/ref-contract.js"; import { formatDeprecatedNonInteractiveAuthChoiceError, isDeprecatedAuthChoice, } from "../../auth-choice-legacy.js"; import { normalizeSecretInputModeInput } from "../../auth-choice.apply-helpers.js"; import { normalizeApiKeyTokenProviderAuthChoice } from "../../auth-choice.apply.api-providers.js"; import { applyCustomApiConfig, CustomApiError, parseNonInteractiveCustomApiFlags, resolveCustomProviderId, } from "../../onboard-custom-config.js"; import type { AuthChoice, OnboardOptions } from "../../onboard-types.js"; import { resolveNonInteractiveApiKey } from "../api-keys.js"; import { applyNonInteractivePluginProviderChoice } from "./auth-choice.plugin-providers.js"; type ResolvedNonInteractiveApiKey = NonNullable< Awaited> >; export async function applyNonInteractiveAuthChoice(params: { nextConfig: OpenClawConfig; authChoice: AuthChoice; opts: OnboardOptions; runtime: RuntimeEnv; baseConfig: OpenClawConfig; }): Promise { const { opts, runtime, baseConfig } = params; const authChoice = normalizeApiKeyTokenProviderAuthChoice({ authChoice: params.authChoice, tokenProvider: opts.tokenProvider, config: params.nextConfig, env: process.env, }); let nextConfig = params.nextConfig; const requestedSecretInputMode = normalizeSecretInputModeInput(opts.secretInputMode); if (opts.secretInputMode && !requestedSecretInputMode) { runtime.error('Invalid --secret-input-mode. Use "plaintext" or "ref".'); runtime.exit(1); return null; } const toStoredSecretInput = (resolved: ResolvedNonInteractiveApiKey): SecretInput | null => { const storePlaintextSecret = requestedSecretInputMode !== "ref"; // pragma: allowlist secret if (storePlaintextSecret) { return resolved.key; } if (resolved.source !== "env") { return resolved.key; } if (!resolved.envVarName) { runtime.error( [ `Unable to determine which environment variable to store as a ref for provider "${authChoice}".`, "Set an explicit provider env var and retry, or use --secret-input-mode plaintext.", ].join("\n"), ); runtime.exit(1); return null; } return { source: "env", provider: resolveDefaultSecretProviderAlias(baseConfig, "env", { preferFirstProviderForSource: true, }), id: resolved.envVarName, }; }; const resolveApiKey = (input: Parameters[0]) => resolveNonInteractiveApiKey({ ...input, secretInputMode: requestedSecretInputMode, }); const toApiKeyCredential = (params: { provider: string; resolved: ResolvedNonInteractiveApiKey; email?: string; metadata?: Record; }): ApiKeyCredential | null => { const storeSecretRef = requestedSecretInputMode === "ref" && params.resolved.source === "env"; // pragma: allowlist secret if (storeSecretRef) { if (!params.resolved.envVarName) { runtime.error( [ `--secret-input-mode ref requires an explicit environment variable for provider "${params.provider}".`, "Set the provider API key env var and retry, or use --secret-input-mode plaintext.", ].join("\n"), ); runtime.exit(1); return null; } return { type: "api_key", provider: params.provider, keyRef: { source: "env", provider: resolveDefaultSecretProviderAlias(baseConfig, "env", { preferFirstProviderForSource: true, }), id: params.resolved.envVarName, }, ...(params.email ? { email: params.email } : {}), ...(params.metadata ? { metadata: params.metadata } : {}), }; } return { type: "api_key", provider: params.provider, key: params.resolved.key, ...(params.email ? { email: params.email } : {}), ...(params.metadata ? { metadata: params.metadata } : {}), }; }; if (isDeprecatedAuthChoice(authChoice, { config: nextConfig, env: process.env })) { runtime.error( formatDeprecatedNonInteractiveAuthChoiceError(authChoice, { config: nextConfig, env: process.env, })!, ); runtime.exit(1); return null; } const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({ nextConfig, authChoice, opts, runtime, baseConfig, resolveApiKey: (input) => resolveApiKey({ ...input, cfg: baseConfig, runtime, }), toApiKeyCredential, }); if (pluginProviderChoice !== undefined) { return pluginProviderChoice; } if (authChoice === "setup-token" || authChoice === "token") { runtime.error( [ `Auth choice "${params.authChoice}" was not matched to a provider setup flow.`, 'For Anthropic legacy token auth, use "--auth-choice setup-token --token-provider anthropic --token " or pass "--auth-choice token --token-provider anthropic".', ].join("\n"), ); runtime.exit(1); return null; } const deprecatedChoice = resolveManifestDeprecatedProviderAuthChoice(authChoice as string, { config: nextConfig, env: process.env, }); if (deprecatedChoice) { runtime.error( `"${authChoice as string}" is no longer supported. Use --auth-choice ${deprecatedChoice.choiceId} instead.`, ); runtime.exit(1); return null; } if (authChoice === "custom-api-key") { try { const customAuth = parseNonInteractiveCustomApiFlags({ baseUrl: opts.customBaseUrl, modelId: opts.customModelId, compatibility: opts.customCompatibility, apiKey: opts.customApiKey, providerId: opts.customProviderId, }); const resolvedProviderId = resolveCustomProviderId({ config: nextConfig, baseUrl: customAuth.baseUrl, providerId: customAuth.providerId, }); const resolvedCustomApiKey = await resolveApiKey({ provider: resolvedProviderId.providerId, cfg: baseConfig, flagValue: customAuth.apiKey, flagName: "--custom-api-key", envVar: "CUSTOM_API_KEY", envVarName: "CUSTOM_API_KEY", runtime, required: false, }); let customApiKeyInput: SecretInput | undefined; if (resolvedCustomApiKey) { const storeCustomApiKeyAsRef = requestedSecretInputMode === "ref"; // pragma: allowlist secret if (storeCustomApiKeyAsRef) { const stored = toStoredSecretInput(resolvedCustomApiKey); if (!stored) { return null; } customApiKeyInput = stored; } else { customApiKeyInput = resolvedCustomApiKey.key; } } const result = applyCustomApiConfig({ config: nextConfig, baseUrl: customAuth.baseUrl, modelId: customAuth.modelId, compatibility: customAuth.compatibility, apiKey: customApiKeyInput, providerId: customAuth.providerId, }); if (result.providerIdRenamedFrom && result.providerId) { runtime.log( `Custom provider ID "${result.providerIdRenamedFrom}" already exists for a different base URL. Using "${result.providerId}".`, ); } return result.config; } catch (err) { if (err instanceof CustomApiError) { switch (err.code) { case "missing_required": case "invalid_compatibility": runtime.error(err.message); break; default: runtime.error(`Invalid custom provider config: ${err.message}`); break; } runtime.exit(1); return null; } const reason = formatErrorMessage(err); runtime.error(`Invalid custom provider config: ${reason}`); runtime.exit(1); return null; } } if ( authChoice === "oauth" || authChoice === "chutes" || authChoice === "minimax-global-oauth" || authChoice === "minimax-cn-oauth" ) { runtime.error( authChoice === "oauth" ? 'Auth choice "oauth" is no longer supported directly. Use "--auth-choice setup-token --token-provider anthropic" for Anthropic legacy token auth, or a provider-specific OAuth choice.' : "OAuth requires interactive mode.", ); runtime.exit(1); return null; } return nextConfig; }