fix(security): keep web search credential checks cold

CHANGELOG.md

@@ -68,6 +68,7 @@ Docs: https://docs.openclaw.ai
 - Plugins/compat: expand the central compatibility registry with dated owners, replacements, and removal targets for legacy SDK, manifest, setup, registry-migration, and agent-runtime surfaces. Thanks @vincentkoc.
 - Plugins/registry: ignore stale persisted registry reads when plugin policy no longer matches current config, and stamp generated registry files with a do-not-edit warning. Thanks @vincentkoc.
 - Config/plugins: keep plugin command-alias validation on cold manifest metadata instead of importing the runtime alias resolver. Thanks @vincentkoc.
+- Security/plugins: keep web-search credential presence checks on cold config, env, and manifest metadata instead of importing web-search provider runtime. Thanks @vincentkoc.
 - Diagnostics/OTEL: surface provider request identifiers as bounded hashes on model-call diagnostics and span events, without exporting raw request IDs or metric labels. Thanks @Lidang-Jiang and @vincentkoc.
 - Plugins/diagnostics: add metadata-only `model_call_started` and `model_call_ended` hooks for provider/model call telemetry without exposing prompts, responses, headers, request bodies, or raw provider request IDs. Thanks @vincentkoc.
 - Diagnostics/OTEL: emit bounded context assembly diagnostics and export `openclaw.context.assembled` spans with prompt/history sizes but no prompt, history, response, or session-key content. Thanks @vincentkoc.

src/plugins/web-search-credential-presence.test.ts

@@ -1,21 +1,10 @@
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { beforeAll, describe, expect, it } from "vitest";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
 
-const { resolvePluginWebSearchProvidersMock } = vi.hoisted(() => ({
-  resolvePluginWebSearchProvidersMock: vi.fn(() => [
-    {
-      id: "brave",
-      pluginId: "brave",
-      envVars: ["BRAVE_API_KEY"],
-      getCredentialValue: (searchConfig: Record<string, unknown> | undefined) =>
-        searchConfig?.apiKey,
-    },
-  ]),
-}));
-
-vi.mock("./web-search-providers.runtime.js", () => ({
-  resolvePluginWebSearchProviders: resolvePluginWebSearchProvidersMock,
-}));
+const repoRoot = fileURLToPath(new URL("../..", import.meta.url));
 
 let hasConfiguredWebSearchCredential: typeof import("./web-search-credential-presence.js").hasConfiguredWebSearchCredential;
 
@@ -23,11 +12,17 @@ beforeAll(async () => {
   ({ hasConfiguredWebSearchCredential } = await import("./web-search-credential-presence.js"));
 });
 
-beforeEach(() => {
-  resolvePluginWebSearchProvidersMock.mockClear();
-});
-
 describe("hasConfiguredWebSearchCredential", () => {
+  it("does not statically import web-search runtime providers", () => {
+    const source = fs.readFileSync(
+      path.join(repoRoot, "src/plugins/web-search-credential-presence.ts"),
+      "utf8",
+    );
+
+    expect(source).not.toMatch(/\bfrom\s+["'][^"']*web-search-providers\.runtime\.js["']/);
+    expect(source).not.toMatch(/\bfrom\s+["'][^"']*loader\.js["']/);
+  });
+
   it("keeps empty config and env on the manifest-only path", () => {
     expect(
       hasConfiguredWebSearchCredential({
@@ -37,10 +32,9 @@ describe("hasConfiguredWebSearchCredential", () => {
         bundledAllowlistCompat: true,
       }),
     ).toBe(false);
-    expect(resolvePluginWebSearchProvidersMock).not.toHaveBeenCalled();
   });
 
-  it("loads provider runtime only when a credential candidate exists", () => {
+  it("detects configured web search credential candidates without runtime loading", () => {
     expect(
       hasConfiguredWebSearchCredential({
         config: {
@@ -51,6 +45,5 @@ describe("hasConfiguredWebSearchCredential", () => {
         bundledAllowlistCompat: true,
       }),
     ).toBe(true);
-    expect(resolvePluginWebSearchProvidersMock).toHaveBeenCalledTimes(1);
   });
 });

src/plugins/web-search-credential-presence.ts

@@ -1,7 +1,6 @@
 import type { OpenClawConfig } from "../config/types.openclaw.js";
 import type { PluginManifestRecord } from "./manifest-registry.js";
 import { loadPluginManifestRegistryForPluginRegistry } from "./plugin-registry.js";
-import { resolvePluginWebSearchProviders } from "./web-search-providers.runtime.js";
 
 function hasConfiguredCredentialValue(value: unknown): boolean {
   if (typeof value === "string") {
@@ -74,29 +73,13 @@ export function hasConfiguredWebSearchCredential(params: {
   const searchConfig =
     params.searchConfig ??
     (params.config.tools?.web?.search as Record<string, unknown> | undefined);
-  if (
-    !hasConfiguredSearchCredentialCandidate(searchConfig) &&
-    !hasConfiguredPluginWebSearchCandidate(params.config) &&
-    !hasManifestWebSearchEnvCredentialCandidate({
+  return (
+    hasConfiguredSearchCredentialCandidate(searchConfig) ||
+    hasConfiguredPluginWebSearchCandidate(params.config) ||
+    hasManifestWebSearchEnvCredentialCandidate({
       config: params.config,
       env: params.env,
       origin: params.origin,
     })
-  ) {
-    return false;
-  }
-  return resolvePluginWebSearchProviders({
-    config: params.config,
-    env: params.env,
-    bundledAllowlistCompat: params.bundledAllowlistCompat ?? false,
-    origin: params.origin,
-  }).some((provider) => {
-    const configuredCredential =
-      provider.getConfiguredCredentialValue?.(params.config) ??
-      provider.getCredentialValue(searchConfig);
-    if (hasConfiguredCredentialValue(configuredCredential)) {
-      return true;
-    }
-    return provider.envVars.some((envVar) => hasConfiguredCredentialValue(params.env?.[envVar]));
-  });
+  );
 }