Inconsistent re-export pattern for DeepSeek constants

All other provider constants in this file are re-exported with a simple export { ... } from the providers aggregation layer (models-config.providers.js). For example, Qianfan on line 34:

export { QIANFAN_BASE_URL, QIANFAN_DEFAULT_MODEL_ID };

The DeepSeek block instead imports directly from models-config.providers.static.js (bypassing the aggregation layer) with private aliases (_DEEPSEEK_BASE_URL) and then assigns them to new exported constants. This is functionally equivalent but inconsistent with the established pattern.

Note: this also requires adding DEEPSEEK_DEFAULT_MODEL_ID to the destructured import in the first line of the file alongside QIANFAN_BASE_URL / QIANFAN_DEFAULT_MODEL_ID.

This is a comment left during a code review.
Path: src/commands/onboard-auth.models.ts
Line: 37-43

Comment:
**Inconsistent re-export pattern for DeepSeek constants**

All other provider constants in this file are re-exported with a simple `export { ... }` from the providers aggregation layer (`models-config.providers.js`). For example, Qianfan on line 34:

```ts
export { QIANFAN_BASE_URL, QIANFAN_DEFAULT_MODEL_ID };
```

The DeepSeek block instead imports directly from `models-config.providers.static.js` (bypassing the aggregation layer) with private aliases (`_DEEPSEEK_BASE_URL`) and then assigns them to new exported constants. This is functionally equivalent but inconsistent with the established pattern.

```suggestion
export {
  DEEPSEEK_BASE_URL,
  DEEPSEEK_DEFAULT_MODEL_ID,
} from "../agents/models-config.providers.js";
export const DEEPSEEK_DEFAULT_MODEL_REF = `deepseek/${DEEPSEEK_DEFAULT_MODEL_ID}`;
```
Note: this also requires adding `DEEPSEEK_DEFAULT_MODEL_ID` to the destructured import in the first line of the file alongside `QIANFAN_BASE_URL` / `QIANFAN_DEFAULT_MODEL_ID`.

How can I resolve this? If you propose a fix, please make it concise.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Direct import from .static bypasses the aggregation layer

DEEPSEEK_DEFAULT_MODEL_ID, DEEPSEEK_BASE_URL, and buildDeepSeekProvider are imported directly from models-config.providers.static.js. Every other provider in this file (Qianfan, Xiaomi, etc.) imports from the aggregation layer models-config.providers.js, which already re-exports these symbols. Importing straight from .static skips the single source-of-truth module and makes this block the only outlier in the file.

This is a comment left during a code review.
Path: src/commands/onboard-auth.config-core.ts
Line: 14-18

Comment:
**Direct import from `.static` bypasses the aggregation layer**

`DEEPSEEK_DEFAULT_MODEL_ID`, `DEEPSEEK_BASE_URL`, and `buildDeepSeekProvider` are imported directly from `models-config.providers.static.js`. Every other provider in this file (Qianfan, Xiaomi, etc.) imports from the aggregation layer `models-config.providers.js`, which already re-exports these symbols. Importing straight from `.static` skips the single source-of-truth module and makes this block the only outlier in the file.

```suggestion
import {
  DEEPSEEK_DEFAULT_MODEL_ID,
  DEEPSEEK_BASE_URL,
  buildDeepSeekProvider,
} from "../agents/models-config.providers.js";
```

How can I resolve this? If you propose a fix, please make it concise.

DEEPSEEK_BASE_URL and DEEPSEEK_DEFAULT_MODEL_ID missing from barrel

onboard-auth.ts is the public barrel for the onboard-auth subsystem. The analogous Qianfan exports (QIANFAN_BASE_URL, QIANFAN_DEFAULT_MODEL_ID) and Moonshot exports (MOONSHOT_BASE_URL, MOONSHOT_DEFAULT_MODEL_ID) are all individually surfaced from this barrel. DEEPSEEK_BASE_URL and DEEPSEEK_DEFAULT_MODEL_ID are defined and exported in onboard-auth.models.ts but neither is re-exported here, leaving the barrel inconsistent with the pattern every other provider follows.

This is a comment left during a code review.
Path: src/commands/onboard-auth.ts
Line: 117-118

Comment:
**`DEEPSEEK_BASE_URL` and `DEEPSEEK_DEFAULT_MODEL_ID` missing from barrel**

`onboard-auth.ts` is the public barrel for the `onboard-auth` subsystem. The analogous Qianfan exports (`QIANFAN_BASE_URL`, `QIANFAN_DEFAULT_MODEL_ID`) and Moonshot exports (`MOONSHOT_BASE_URL`, `MOONSHOT_DEFAULT_MODEL_ID`) are all individually surfaced from this barrel. `DEEPSEEK_BASE_URL` and `DEEPSEEK_DEFAULT_MODEL_ID` are defined and exported in `onboard-auth.models.ts` but neither is re-exported here, leaving the barrel inconsistent with the pattern every other provider follows.

How can I resolve this? If you propose a fix, please make it concise.

deepseekApiKey option not wired into the CLI flag infrastructure

deepseekApiKey is added to OnboardOptions here, but three companion files that every other provider populates were not updated:

1. onboard-provider-auth-flags.ts — deepseekApiKey is absent from the OnboardProviderAuthOptionKey union type (lines 3–31), and there is no entry in the ONBOARD_PROVIDER_AUTH_FLAGS array for it. Without this, a --deepseek-api-key flag is never registered with the CLI parser.

2. onboard-non-interactive/local/auth-choice.api-key-providers.ts — No entry bridges params.opts.deepseekApiKey to the DeepSeek credential-setting flow, so the non-interactive onboarding path silently skips it.

3. onboard-non-interactive/local/auth-choice-inference.ts — deepseekApiKey is absent from the AuthChoiceFlag union type that inferAuthChoiceFromFlags iterates over.

Every other provider (e.g. Qianfan at line 191 of onboard-provider-auth-flags.ts) has all three pieces in place. As-is, users cannot run openclaw onboard non-interactively by passing the DeepSeek key via a CLI flag or environment variable through this option.

This is a comment left during a code review.
Path: src/commands/onboard-types.ts
Line: 144

Comment:
**`deepseekApiKey` option not wired into the CLI flag infrastructure**

`deepseekApiKey` is added to `OnboardOptions` here, but three companion files that every other provider populates were not updated:

1. **`onboard-provider-auth-flags.ts`** — `deepseekApiKey` is absent from the `OnboardProviderAuthOptionKey` union type (lines 3–31), and there is no entry in the `ONBOARD_PROVIDER_AUTH_FLAGS` array for it. Without this, a `--deepseek-api-key` flag is never registered with the CLI parser.

2. **`onboard-non-interactive/local/auth-choice.api-key-providers.ts`** — No entry bridges `params.opts.deepseekApiKey` to the DeepSeek credential-setting flow, so the non-interactive onboarding path silently skips it.

3. **`onboard-non-interactive/local/auth-choice-inference.ts`** — `deepseekApiKey` is absent from the `AuthChoiceFlag` union type that `inferAuthChoiceFromFlags` iterates over.

Every other provider (e.g. Qianfan at line 191 of `onboard-provider-auth-flags.ts`) has all three pieces in place. As-is, users cannot run `openclaw onboard` non-interactively by passing the DeepSeek key via a CLI flag or environment variable through this option.

How can I resolve this? If you propose a fix, please make it concise.

Register DeepSeek in shared auth-flag registry

This adds a DeepSeek group, but deepseek-api-key is not wired into ONBOARD_PROVIDER_AUTH_FLAGS, and buildAuthChoiceOptions() only materializes provider API-key choices from that shared registry. Because promptAuthChoiceGrouped drops groups with no options, the new DeepSeek group is filtered out in interactive onboarding, and the CLI also never gets a --deepseek-api-key flag. Add the DeepSeek entry to the shared flag/option plumbing so this menu choice is actually reachable.

Useful? React with 👍 / 👎.

Handle deepseek-api-key in non-interactive onboarding

Adding deepseek-api-key as a built-in AuthChoice makes this value look supported, but the non-interactive local path has no DeepSeek branch in applySimpleNonInteractiveApiKeyChoice, and applyNonInteractiveAuthChoice falls through to return nextConfig when a choice is unhandled. In openclaw onboard --non-interactive --auth-choice deepseek-api-key, onboarding can therefore succeed without persisting a key or configuring the DeepSeek provider/default model, which is a silent automation failure.

Useful? React with 👍 / 👎.

Add DeepSeek to env API-key candidate registry

The new withApiKey("deepseek", ...) loader depends on resolveProviderApiKey(), which resolves environment credentials through resolveEnvApiKeyVarName()/resolveEnvApiKey(). Because src/agents/model-auth-env-vars.ts has no deepseek candidate list, DEEPSEEK_API_KEY is ignored, so DeepSeek will not be implicitly configured from env-only auth and users must have a profile/config key already present for this provider to work.

Useful? React with 👍 / 👎.

Fixed — added deepseek to model-auth-env-vars.ts so DEEPSEEK_API_KEY is resolved from env.

Wire DeepSeek into default env-ref provider mapping

setDeepSeekApiKey() routes through buildApiKeyCredential("deepseek", ...); when --secret-input-mode ref is used, that path requires a default provider env-var mapping and throws if none exists. Since deepseek is not in src/secrets/provider-env-vars.ts, DeepSeek onboarding in ref mode (notably non-interactive fallback) can fail instead of persisting a secret reference.

Useful? React with 👍 / 👎.

Fixed — added deepseek to provider-env-vars.ts so ref-mode credential storage works correctly.