diff --git a/src/secrets/channel-contract-surface-guardrails.test.ts b/src/secrets/channel-contract-surface-guardrails.test.ts
index eb9d5903a7c..a61e4848198 100644
--- a/src/secrets/channel-contract-surface-guardrails.test.ts
+++ b/src/secrets/channel-contract-surface-guardrails.test.ts
@@ -70,6 +70,10 @@ const CORE_SECRET_SURFACE_GUARDS = [
 path: "src/flows/search-setup.ts",
 forbiddenPatterns: [/\bbrave\b/],
 },
+ {
+ path: "src/web-search/runtime.ts",
+ forbiddenPatterns: [/\bbrave\b/],
+ },
 {
 path: "src/media-understanding/defaults.ts",
 forbiddenPatterns: [
diff --git a/src/web-search/runtime.test.ts b/src/web-search/runtime.test.ts
index b7ccda54cca..1677854e0c2 100644
--- a/src/web-search/runtime.test.ts
+++ b/src/web-search/runtime.test.ts
@@ -155,6 +155,39 @@ describe("web search runtime", () => {
 });
 });
+ it("auto-detects a provider through its legacy search config reader", async () => {
+ const provider = createCustomSearchProvider({
+ getConfiguredCredentialValue: () => undefined,
+ getCredentialValue: (searchConfig) =>
+ (searchConfig?.customLegacy &&
+ typeof searchConfig.customLegacy === "object" &&
+ !Array.isArray(searchConfig.customLegacy)
+ ? (searchConfig.customLegacy as Record)
+ : undefined
+ )?.apiKey,
+ });
+ resolveRuntimeWebSearchProvidersMock.mockReturnValue([provider]);
+ resolvePluginWebSearchProvidersMock.mockReturnValue([provider]);
+
+ await expect(
+ runWebSearch({
+ config: {
+ tools: {
+ web: {
+ search: {
+ customLegacy: { apiKey: "legacy-key" },
+ } as never,
+ },
+ },
+ },
+ args: { query: "hello" },
+ }),
+ ).resolves.toEqual({
+ provider: "custom",
+ result: { query: "hello", ok: true },
+ });
+ });
+
 it("treats non-env SecretRefs as configured credentials for provider auto-detect", async () => {
 const provider = createCustomSearchProvider();
 resolveRuntimeWebSearchProvidersMock.mockReturnValue([provider]);
diff --git a/src/web-search/runtime.ts b/src/web-search/runtime.ts
index 8f0f4da758f..31f41921006 100644
--- a/src/web-search/runtime.ts
+++ b/src/web-search/runtime.ts
@@ -73,7 +73,7 @@ function hasEntryCredential(
 toolConfig: search as Record | undefined,
 resolveRawValue: ({ provider: currentProvider, config: currentConfig, toolConfig }) =>
 currentProvider.getConfiguredCredentialValue?.(currentConfig) ??
- (currentProvider.id === "brave" ? currentProvider.getCredentialValue(toolConfig) : undefined),
+ currentProvider.getCredentialValue(toolConfig),
 resolveEnvValue: ({ provider: currentProvider, configuredEnvVarId }) =>
 (configuredEnvVarId ? readWebProviderEnvValue([configuredEnvVarId]) : undefined) ??
 readWebProviderEnvValue(currentProvider.envVars),
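Review bot: The `resolveRawValue` fallback now calls `currentProvider.getCredentialValue(toolConfig)` for every provider, so during auto-detect any provider whose reader finds a value in the shared search config counts as configured, not only the provider the key was written for. If two providers' readers accept the same unscoped field (the provider implementations are not visible here, so this needs confirming), a key entered for one vendor could select a different provider and be sent to that vendor's endpoint. I would record the contract above the fallback, e.g. `// Legacy path: each provider's getCredentialValue must read only its own scoped key from toolConfig, never a shared field`, and add a two-provider test asserting that only the owner of the legacy key is auto-selected, since the new test in runtime.test.ts registers a single provider. hasEntryCredential starts and ends outside this hunk.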