Greptile Summary

Simplified API key error messages by replacing technical details (auth store paths, agentDir) with clear, actionable instructions. When an API key is missing, users now see which environment variable to set and what command to run, rather than internal file paths.

• Extracted PROVIDER_ENV_MAP constant to eliminate duplication between resolveEnvApiKey() and the new getEnvVarHint() helper function
• New error format provides environment variable name (e.g., GEMINI_API_KEY) and suggests running openclaw auth add <provider> to configure it
• Handles edge cases correctly: providers without env vars (like google-vertex using gcloud adc) show command-only instruction
• All 151 affected tests pass, error classification (substring match on "no api key found") continues to work correctly

Confidence Score: 5/5

• This PR is safe to merge with no risk
• Clean refactoring with improved UX that maintains all existing functionality. The change extracts a shared constant to eliminate duplication, simplifies error messages for better user experience, and includes comprehensive test coverage. No logic changes affect the authentication flow - only the error message formatting is improved. All tests pass and error classification remains functional.
• No files require special attention

_{Last reviewed commit: 38a7c8a}

Good catch — fixed in 78bfd4e. The command is now openclaw models auth add (the interactive auth wizard registered at src/cli/models-cli.ts:298).

The original error had the same issue (openclaw agents add <id> manages workspace agents, not API keys).

Addressed Codex P2 ("Use agent-scoped guidance in missing-key hint") in 5924c21:

When resolveApiKeyForProvider is called with a non-default agentDir, the error now appends (agent auth store: <path>) so users in multi-agent setups know which store needs credentials.

CI failures: pre-existing upstream issues (not from this PR)

Both check and secrets failures affect all open PRs, not just this one:

1. check — ChannelKind import (TS2305)

Upstream commit 55a2d12f40 ("refactor: split inbound and reload pipelines into staged modules") moved ChannelKind out of config-reload.ts into config-reload-plan.ts, but server-reload-handlers.ts:20 still imports from the old location.

Fix: Update the import in src/gateway/server-reload-handlers.ts:

-import type { ChannelKind, GatewayReloadPlan } from "./config-reload.js";
+import type { ChannelKind } from "./config-reload-plan.js";
+import type { GatewayReloadPlan } from "./config-reload.js";

2. check — ThreadType enum as type (TS2749)

Upstream commit f9025c3f55 ("feat(zalouser): add reactions, group context, and receipt acks") introduced ApiTypingCapability in extensions/zalouser/src/zalo-js.ts:67 using bare ThreadType in type position, which tsgo rejects.

Fix: Use (typeof ThreadType)[keyof typeof ThreadType] instead of bare ThreadType in the type alias.

3. secrets — npm audit (11 advisories)

extensions__googlechat>openclaw requires >=2026.3.1. Not actionable from any PR branch — requires a new release or an audit allowlist.

PR #32128 includes fixes for issues 1 and 2. Once those land (or main is patched directly), both PRs should go green on check.

Looks like Peter already fixed it. Commit 0e16749 landed on main — fixes both the pairing-store.ts lint errors, the agents-utils.ts lint error, AND bumps the googlechat/memory-core deps (npm audit fix).

Both issues are already resolved on main.

Please take a look at this @Takhoffman at your leisure.

Thanks for the PR! Multiple PRs address issue #31544 (missing API key guidance). Keeping #31554 as the earliest submission. Closing to reduce noise. This is an AI-assisted triage review. If we got this wrong, feel free to reopen — happy to revisit.