feat: auto-discover MiniMax credentials from OpenClaw

tars90percent · tars90percent · commit 01beb9944270 · 2026-04-13T19:56:56.000+08:00
When no API key is configured, the CLI now checks OpenClaw's
auth-profiles.json and openclaw.json for existing MiniMax credentials
before prompting the user. This lets users skip re-entering their
API key if they already have one configured in OpenClaw.
diff --git a/src/auth/discover.ts b/src/auth/discover.ts
@@ -0,0 +1,90 @@
+import { readFileSync, existsSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+
+export interface DiscoveredCredential {
+  key: string;
+  source: string;
+  region?: 'global' | 'cn';
+}
+
+const OPENCLAW_AUTH_PROFILES_PATH = join(
+  '.openclaw', 'agents', 'main', 'agent', 'auth-profiles.json',
+);
+const OPENCLAW_CONFIG_PATH = join('.openclaw', 'openclaw.json');
+
+const API_KEY_PROFILE_IDS: Array<{ id: string; region: 'global' | 'cn' }> = [
+  { id: 'minimax:global', region: 'global' },
+  { id: 'minimax:cn', region: 'cn' },
+];
+
+function tryReadJson(filePath: string): unknown {
+  try {
+    if (!existsSync(filePath)) return null;
+    return JSON.parse(readFileSync(filePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+function probeAuthProfiles(home: string): DiscoveredCredential | null {
+  const filePath = join(home, OPENCLAW_AUTH_PROFILES_PATH);
+  const data = tryReadJson(filePath);
+  if (!data || typeof data !== 'object' || Array.isArray(data)) return null;
+
+  const store = data as Record<string, unknown>;
+  if (typeof store.profiles !== 'object' || !store.profiles) return null;
+  const profiles = store.profiles as Record<string, unknown>;
+
+  // 1. Check API key profiles (preferred)
+  for (const { id, region } of API_KEY_PROFILE_IDS) {
+    const profile = profiles[id];
+    if (!profile || typeof profile !== 'object') continue;
+    const p = profile as Record<string, unknown>;
+    if (p.type === 'api_key' && typeof p.key === 'string' && p.key.length > 0) {
+      return { key: p.key, source: 'OpenClaw auth-profiles.json', region };
+    }
+  }
+
+  // 2. Check OAuth profiles (access field holds the API key)
+  for (const [id, profile] of Object.entries(profiles)) {
+    if (!id.startsWith('minimax-portal:')) continue;
+    if (!profile || typeof profile !== 'object') continue;
+    const p = profile as Record<string, unknown>;
+    if (p.type === 'oauth' && typeof p.access === 'string' && p.access.length > 0) {
+      return { key: p.access, source: 'OpenClaw auth-profiles.json' };
+    }
+  }
+
+  return null;
+}
+
+function probeOpenClawConfig(home: string): DiscoveredCredential | null {
+  const filePath = join(home, OPENCLAW_CONFIG_PATH);
+  const data = tryReadJson(filePath);
+  if (!data || typeof data !== 'object') return null;
+
+  const models = (data as Record<string, unknown>).models;
+  if (!models || typeof models !== 'object') return null;
+
+  const providers = (models as Record<string, unknown>).providers;
+  if (!providers || typeof providers !== 'object') return null;
+
+  const p = providers as Record<string, unknown>;
+  for (const providerKey of ['minimax', 'minimax-portal']) {
+    const entry = p[providerKey];
+    if (!entry || typeof entry !== 'object') continue;
+    const apiKey = (entry as Record<string, unknown>).apiKey;
+    if (typeof apiKey === 'string' && apiKey.length > 0) {
+      return { key: apiKey, source: 'OpenClaw config' };
+    }
+  }
+
+  return null;
+}
+
+export function discoverExternalCredential(homeDir?: string): DiscoveredCredential | null {
+  const home = homeDir ?? homedir();
+
+  return probeAuthProfiles(home) ?? probeOpenClawConfig(home) ?? null;
+}
diff --git a/src/auth/setup.ts b/src/auth/setup.ts
@@ -5,6 +5,7 @@ import { isInteractive } from '../utils/env';
 import { maskToken } from '../utils/token';
 import { CLIError } from '../errors/base';
 import { ExitCode } from '../errors/codes';
+import { discoverExternalCredential } from './discover';
 
 export async function ensureApiKey(config: Config): Promise<void> {
   if (config.apiKey || config.fileApiKey) return;
@@ -23,6 +24,38 @@ export async function ensureApiKey(config: Config): Promise<void> {
     }
   }
 
+  // Try to discover credentials from external tools (e.g. OpenClaw)
+  if (!key) {
+    const discovered = discoverExternalCredential();
+    if (discovered) {
+      const interactive = isInteractive({ nonInteractive: config.nonInteractive });
+      let accepted = !interactive;
+
+      if (interactive) {
+        accepted = !!(await promptConfirm({
+          message: `Found MiniMax API key (${maskToken(discovered.key)}) in ${discovered.source}. Import it?`,
+        }));
+      }
+
+      if (accepted) {
+        const data: Record<string, unknown> = {
+          ...(readConfigFile() as Record<string, unknown>),
+          api_key: discovered.key,
+        };
+        if (discovered.region) data.region = discovered.region;
+        await writeConfigFile(data);
+        config.fileApiKey = discovered.key;
+        if (discovered.region) {
+          config.region = discovered.region;
+          config.needsRegionDetection = false;
+        }
+        const path = config.configPath ?? '~/.mmx/config.json';
+        process.stderr.write(`Imported API key from ${discovered.source} → ${path}\n`);
+        return;
+      }
+    }
+  }
+
   if (!key) {
     if (!isInteractive({ nonInteractive: config.nonInteractive })) {
       throw new CLIError(
diff --git a/test/auth/discover.test.ts b/test/auth/discover.test.ts
@@ -0,0 +1,245 @@
+import { describe, it, expect, beforeEach, afterEach } from 'bun:test';
+import { discoverExternalCredential } from '../../src/auth/discover';
+import { mkdirSync, writeFileSync, rmSync, existsSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+
+describe('discoverExternalCredential', () => {
+  const testDir = join(tmpdir(), `mmx-discover-test-${Date.now()}`);
+  const originalHome = process.env.HOME;
+
+  const authProfilesDir = join(testDir, '.openclaw', 'agents', 'main', 'agent');
+  const authProfilesPath = join(authProfilesDir, 'auth-profiles.json');
+  const openclawConfigPath = join(testDir, '.openclaw', 'openclaw.json');
+
+  beforeEach(() => {
+    mkdirSync(authProfilesDir, { recursive: true });
+    process.env.HOME = testDir;
+  });
+
+  afterEach(() => {
+    process.env.HOME = originalHome;
+    if (existsSync(testDir)) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+  });
+
+  it('returns null when no OpenClaw directory exists', () => {
+    rmSync(join(testDir, '.openclaw'), { recursive: true, force: true });
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+
+  it('discovers API key from minimax:global profile', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-test-global-key',
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-test-global-key');
+    expect(result!.region).toBe('global');
+    expect(result!.source).toBe('OpenClaw auth-profiles.json');
+  });
+
+  it('discovers API key from minimax:cn profile', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:cn': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-test-cn-key',
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-test-cn-key');
+    expect(result!.region).toBe('cn');
+  });
+
+  it('extracts access field from OAuth profile as API key', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax-portal:default': {
+          type: 'oauth',
+          provider: 'minimax-portal',
+          access: 'sk-oauth-access-key',
+          refresh: 'refresh-token',
+          expires: Date.now() + 3600000,
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-oauth-access-key');
+    expect(result!.source).toBe('OpenClaw auth-profiles.json');
+  });
+
+  it('prefers API key profile over OAuth profile', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-api-key',
+        },
+        'minimax-portal:default': {
+          type: 'oauth',
+          provider: 'minimax-portal',
+          access: 'sk-oauth-key',
+          refresh: 'refresh',
+          expires: Date.now() + 3600000,
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-api-key');
+  });
+
+  it('prefers global over cn when both present', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-global',
+        },
+        'minimax:cn': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-cn',
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-global');
+    expect(result!.region).toBe('global');
+  });
+
+  it('discovers API key from openclaw.json config', () => {
+    writeFileSync(openclawConfigPath, JSON.stringify({
+      models: {
+        providers: {
+          minimax: {
+            apiKey: 'sk-config-key',
+          },
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-config-key');
+    expect(result!.source).toBe('OpenClaw config');
+  });
+
+  it('prefers auth-profiles.json over openclaw.json', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: 'sk-from-profiles',
+        },
+      },
+    }));
+    writeFileSync(openclawConfigPath, JSON.stringify({
+      models: {
+        providers: {
+          minimax: {
+            apiKey: 'sk-from-config',
+          },
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).not.toBeNull();
+    expect(result!.key).toBe('sk-from-profiles');
+    expect(result!.source).toBe('OpenClaw auth-profiles.json');
+  });
+
+  it('returns null for corrupted JSON', () => {
+    writeFileSync(authProfilesPath, '{not valid json!!!');
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+
+  it('returns null for wrong schema (missing profiles key)', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      something_else: {},
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+
+  it('skips profiles with unknown type', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'saml',
+          provider: 'minimax',
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+
+  it('skips API key profile with empty key', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax:global': {
+          type: 'api_key',
+          provider: 'minimax',
+          key: '',
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+
+  it('skips OAuth profile with empty access', () => {
+    writeFileSync(authProfilesPath, JSON.stringify({
+      version: 1,
+      profiles: {
+        'minimax-portal:default': {
+          type: 'oauth',
+          provider: 'minimax-portal',
+          access: '',
+          refresh: 'refresh',
+          expires: Date.now(),
+        },
+      },
+    }));
+
+    const result = discoverExternalCredential(testDir);
+    expect(result).toBeNull();
+  });
+});
