refactor: use generic web search runtime credential hooks

2026-05-06 17:00:50 +00:00 · 2026-04-22 05:45:37 +01:00
parent 94f670b893
commit 89741c7a23
3 changed files with 38 additions and 1 deletions
--- a/src/secrets/channel-contract-surface-guardrails.test.ts
+++ b/src/secrets/channel-contract-surface-guardrails.test.ts
@@ -70,6 +70,10 @@ const CORE_SECRET_SURFACE_GUARDS = [
    path: "src/flows/search-setup.ts",
    forbiddenPatterns: [/\bbrave\b/],
  },
+  {
+    path: "src/web-search/runtime.ts",
+    forbiddenPatterns: [/\bbrave\b/],
+  },
  {
    path: "src/media-understanding/defaults.ts",
    forbiddenPatterns: [
--- a/src/web-search/runtime.test.ts
+++ b/src/web-search/runtime.test.ts
@@ -155,6 +155,39 @@ describe("web search runtime", () => {
    });
  });

+  it("auto-detects a provider through its legacy search config reader", async () => {
+    const provider = createCustomSearchProvider({
+      getConfiguredCredentialValue: () => undefined,
+      getCredentialValue: (searchConfig) =>
+        (searchConfig?.customLegacy &&
+        typeof searchConfig.customLegacy === "object" &&
+        !Array.isArray(searchConfig.customLegacy)
+          ? (searchConfig.customLegacy as Record<string, unknown>)
+          : undefined
+        )?.apiKey,
+    });
+    resolveRuntimeWebSearchProvidersMock.mockReturnValue([provider]);
+    resolvePluginWebSearchProvidersMock.mockReturnValue([provider]);
+
+    await expect(
+      runWebSearch({
+        config: {
+          tools: {
+            web: {
+              search: {
+                customLegacy: { apiKey: "legacy-key" },
+              } as never,
+            },
+          },
+        },
+        args: { query: "hello" },
+      }),
+    ).resolves.toEqual({
+      provider: "custom",
+      result: { query: "hello", ok: true },
+    });
+  });
+
  it("treats non-env SecretRefs as configured credentials for provider auto-detect", async () => {
    const provider = createCustomSearchProvider();
    resolveRuntimeWebSearchProvidersMock.mockReturnValue([provider]);
--- a/src/web-search/runtime.ts
+++ b/src/web-search/runtime.ts
@@ -73,7 +73,7 @@ function hasEntryCredential(
    toolConfig: search as Record<string, unknown> | undefined,
    resolveRawValue: ({ provider: currentProvider, config: currentConfig, toolConfig }) =>
      currentProvider.getConfiguredCredentialValue?.(currentConfig) ??
-      (currentProvider.id === "brave" ? currentProvider.getCredentialValue(toolConfig) : undefined),
+      currentProvider.getCredentialValue(toolConfig),
    resolveEnvValue: ({ provider: currentProvider, configuredEnvVarId }) =>
      (configuredEnvVarId ? readWebProviderEnvValue([configuredEnvVarId]) : undefined) ??
      readWebProviderEnvValue(currentProvider.envVars),