import type { ApiKeyCredential } from "../../../agents/auth-profiles/types.js"; import type { OpenClawConfig } from "../../../config/config.js"; import type { SecretInput } from "../../../config/types.secrets.js"; import { applyAuthProfileConfig } from "../../../plugins/provider-auth-helpers.js"; import { setCloudflareAiGatewayConfig } from "../../../plugins/provider-auth-storage.js"; import type { RuntimeEnv } from "../../../runtime.js"; import { resolveDefaultSecretProviderAlias } from "../../../secrets/ref-contract.js"; import { normalizeSecretInputModeInput } from "../../auth-choice.apply-helpers.js"; import { normalizeApiKeyTokenProviderAuthChoice } from "../../auth-choice.apply.api-providers.js"; import { applyCloudflareAiGatewayConfig } from "../../onboard-auth.config-gateways.js"; import { applyCustomApiConfig, CustomApiError, parseNonInteractiveCustomApiFlags, resolveCustomProviderId, } from "../../onboard-custom.js"; import type { AuthChoice, OnboardOptions } from "../../onboard-types.js"; import { resolveNonInteractiveApiKey } from "../api-keys.js"; import { applySimpleNonInteractiveApiKeyChoice } from "./auth-choice.api-key-providers.js"; import { applyNonInteractivePluginProviderChoice } from "./auth-choice.plugin-providers.js"; type ResolvedNonInteractiveApiKey = NonNullable< Awaited> >; export async function applyNonInteractiveAuthChoice(params: { nextConfig: OpenClawConfig; authChoice: AuthChoice; opts: OnboardOptions; runtime: RuntimeEnv; baseConfig: OpenClawConfig; }): Promise { const { opts, runtime, baseConfig } = params; const authChoice = normalizeApiKeyTokenProviderAuthChoice({ authChoice: params.authChoice, tokenProvider: opts.tokenProvider, config: params.nextConfig, env: process.env, }); let nextConfig = params.nextConfig; const requestedSecretInputMode = normalizeSecretInputModeInput(opts.secretInputMode); if (opts.secretInputMode && !requestedSecretInputMode) { runtime.error('Invalid --secret-input-mode. Use "plaintext" or "ref".'); runtime.exit(1); return null; } const apiKeyStorageOptions = requestedSecretInputMode ? { secretInputMode: requestedSecretInputMode } : undefined; const toStoredSecretInput = (resolved: ResolvedNonInteractiveApiKey): SecretInput | null => { const storePlaintextSecret = requestedSecretInputMode !== "ref"; // pragma: allowlist secret if (storePlaintextSecret) { return resolved.key; } if (resolved.source !== "env") { return resolved.key; } if (!resolved.envVarName) { runtime.error( [ `Unable to determine which environment variable to store as a ref for provider "${authChoice}".`, "Set an explicit provider env var and retry, or use --secret-input-mode plaintext.", ].join("\n"), ); runtime.exit(1); return null; } return { source: "env", provider: resolveDefaultSecretProviderAlias(baseConfig, "env", { preferFirstProviderForSource: true, }), id: resolved.envVarName, }; }; const resolveApiKey = (input: Parameters[0]) => resolveNonInteractiveApiKey({ ...input, secretInputMode: requestedSecretInputMode, }); const toApiKeyCredential = (params: { provider: string; resolved: ResolvedNonInteractiveApiKey; email?: string; metadata?: Record; }): ApiKeyCredential | null => { const storeSecretRef = requestedSecretInputMode === "ref" && params.resolved.source === "env"; // pragma: allowlist secret if (storeSecretRef) { if (!params.resolved.envVarName) { runtime.error( [ `--secret-input-mode ref requires an explicit environment variable for provider "${params.provider}".`, "Set the provider API key env var and retry, or use --secret-input-mode plaintext.", ].join("\n"), ); runtime.exit(1); return null; } return { type: "api_key", provider: params.provider, keyRef: { source: "env", provider: resolveDefaultSecretProviderAlias(baseConfig, "env", { preferFirstProviderForSource: true, }), id: params.resolved.envVarName, }, ...(params.email ? { email: params.email } : {}), ...(params.metadata ? { metadata: params.metadata } : {}), }; } return { type: "api_key", provider: params.provider, key: params.resolved.key, ...(params.email ? { email: params.email } : {}), ...(params.metadata ? { metadata: params.metadata } : {}), }; }; const maybeSetResolvedApiKey = async ( resolved: ResolvedNonInteractiveApiKey, setter: (value: SecretInput) => Promise | void, ): Promise => { if (resolved.source === "profile") { return true; } const stored = toStoredSecretInput(resolved); if (!stored) { return false; } await setter(stored); return true; }; if (authChoice === "claude-cli" || authChoice === "codex-cli") { runtime.error( [ `Auth choice "${authChoice}" is deprecated.`, 'Use "--auth-choice token" (Anthropic setup-token) or "--auth-choice openai-codex".', ].join("\n"), ); runtime.exit(1); return null; } if (authChoice === "setup-token") { runtime.error( [ 'Auth choice "setup-token" requires interactive mode.', 'Use "--auth-choice token" with --token and --token-provider anthropic.', ].join("\n"), ); runtime.exit(1); return null; } const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({ nextConfig, authChoice, opts, runtime, baseConfig, resolveApiKey: (input) => resolveApiKey({ ...input, cfg: baseConfig, runtime, }), toApiKeyCredential, }); if (pluginProviderChoice !== undefined) { return pluginProviderChoice; } const simpleApiKeyChoice = await applySimpleNonInteractiveApiKeyChoice({ authChoice, nextConfig, baseConfig, opts, runtime, apiKeyStorageOptions, resolveApiKey, maybeSetResolvedApiKey, }); if (simpleApiKeyChoice !== undefined) { return simpleApiKeyChoice; } if (authChoice === "cloudflare-ai-gateway-api-key") { const accountId = opts.cloudflareAiGatewayAccountId?.trim() ?? ""; const gatewayId = opts.cloudflareAiGatewayGatewayId?.trim() ?? ""; if (!accountId || !gatewayId) { runtime.error( [ 'Auth choice "cloudflare-ai-gateway-api-key" requires Account ID and Gateway ID.', "Use --cloudflare-ai-gateway-account-id and --cloudflare-ai-gateway-gateway-id.", ].join("\n"), ); runtime.exit(1); return null; } const resolved = await resolveApiKey({ provider: "cloudflare-ai-gateway", cfg: baseConfig, flagValue: opts.cloudflareAiGatewayApiKey, flagName: "--cloudflare-ai-gateway-api-key", envVar: "CLOUDFLARE_AI_GATEWAY_API_KEY", runtime, }); if (!resolved) { return null; } if (resolved.source !== "profile") { const stored = toStoredSecretInput(resolved); if (!stored) { return null; } await setCloudflareAiGatewayConfig( accountId, gatewayId, stored, undefined, apiKeyStorageOptions, ); } nextConfig = applyAuthProfileConfig(nextConfig, { profileId: "cloudflare-ai-gateway:default", provider: "cloudflare-ai-gateway", mode: "api_key", }); return applyCloudflareAiGatewayConfig(nextConfig, { accountId, gatewayId, }); } // Legacy aliases: these choice values were removed; fail with an actionable message so // existing CI automation gets a clear error instead of silently exiting 0 with no auth. const REMOVED_MINIMAX_CHOICES: Record = { minimax: "minimax-global-api", "minimax-api": "minimax-global-api", "minimax-cloud": "minimax-global-api", "minimax-api-lightning": "minimax-global-api", "minimax-api-key-cn": "minimax-cn-api", }; if (Object.prototype.hasOwnProperty.call(REMOVED_MINIMAX_CHOICES, authChoice as string)) { const replacement = REMOVED_MINIMAX_CHOICES[authChoice as string]; runtime.error( `"${authChoice as string}" is no longer supported. Use --auth-choice ${replacement} instead.`, ); runtime.exit(1); return null; } if (authChoice === "custom-api-key") { try { const customAuth = parseNonInteractiveCustomApiFlags({ baseUrl: opts.customBaseUrl, modelId: opts.customModelId, compatibility: opts.customCompatibility, apiKey: opts.customApiKey, providerId: opts.customProviderId, }); const resolvedProviderId = resolveCustomProviderId({ config: nextConfig, baseUrl: customAuth.baseUrl, providerId: customAuth.providerId, }); const resolvedCustomApiKey = await resolveApiKey({ provider: resolvedProviderId.providerId, cfg: baseConfig, flagValue: customAuth.apiKey, flagName: "--custom-api-key", envVar: "CUSTOM_API_KEY", envVarName: "CUSTOM_API_KEY", runtime, required: false, }); let customApiKeyInput: SecretInput | undefined; if (resolvedCustomApiKey) { const storeCustomApiKeyAsRef = requestedSecretInputMode === "ref"; // pragma: allowlist secret if (storeCustomApiKeyAsRef) { const stored = toStoredSecretInput(resolvedCustomApiKey); if (!stored) { return null; } customApiKeyInput = stored; } else { customApiKeyInput = resolvedCustomApiKey.key; } } const result = applyCustomApiConfig({ config: nextConfig, baseUrl: customAuth.baseUrl, modelId: customAuth.modelId, compatibility: customAuth.compatibility, apiKey: customApiKeyInput, providerId: customAuth.providerId, }); if (result.providerIdRenamedFrom && result.providerId) { runtime.log( `Custom provider ID "${result.providerIdRenamedFrom}" already exists for a different base URL. Using "${result.providerId}".`, ); } return result.config; } catch (err) { if (err instanceof CustomApiError) { switch (err.code) { case "missing_required": case "invalid_compatibility": runtime.error(err.message); break; default: runtime.error(`Invalid custom provider config: ${err.message}`); break; } runtime.exit(1); return null; } const reason = err instanceof Error ? err.message : String(err); runtime.error(`Invalid custom provider config: ${reason}`); runtime.exit(1); return null; } } if ( authChoice === "oauth" || authChoice === "chutes" || authChoice === "qwen-portal" || authChoice === "minimax-global-oauth" || authChoice === "minimax-cn-oauth" ) { runtime.error("OAuth requires interactive mode."); runtime.exit(1); return null; } return nextConfig; }