Summary

• Problem: Exa exposes plugins.entries.exa.config.webSearch.apiKey, but the canonical SecretRef target registry omitted that path.
• Why it matters: users cannot target Exa's web-search API key through the SecretRef contract surfaces that drive discovery, auditing, and related tooling.
• What changed: added plugins.entries.exa.config.webSearch.apiKey to src/secrets/target-registry-data.ts.
• What did NOT change (scope boundary): this PR does not update the secops-owned docs/reference/secretref-credential-surface.md page or its generated matrix artifacts.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Feature]: Add Exa apiKey to secretRef #65791
• Related [Feature]: Add Exa apiKey to secretRef #65791
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: the SecretRef registry's bundled web-search entries were maintained manually and Exa's plugin-owned credential path was never added there.
• Missing detection / guardrail: there was no contract-level guardrail ensuring every bundled web-search provider credential path is represented in the canonical SecretRef registry.
• Contributing context (if known): runtime/provider surfaces already knew about Exa's credential path, so the omission was isolated to the central SecretRef contract surface.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: a contract/seam test that compares bundled web-search provider credential paths against the SecretRef registry.
• Scenario the test should lock in: every bundled web-search provider that declares a SecretRef-capable credential path is also present in the canonical SecretRef target registry.
• Why this is the smallest reliable guardrail: this bug is a registry/provider contract mismatch rather than logic local to a single helper.
• Existing test that already covers this (if any): none that specifically enforce provider-to-registry parity for bundled web-search credentials.
• If no new test is added, why not: I intentionally removed the one-off Exa-specific assertion to preserve the current broad-coverage testing pattern instead of adding a provider-specific special case.

User-visible / Behavior Changes

Users can now target Exa's web-search API key through the canonical SecretRef contract surface at plugins.entries.exa.config.webSearch.apiKey.

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: Linux
• Runtime/container: local repo checkout
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): plugins.entries.exa.config.webSearch.apiKey configured as a SecretRef target path

Steps

1. Inspect the SecretRef target registry entries for bundled web-search providers.
2. Compare them with the Exa web-search provider contract, which advertises plugins.entries.exa.config.webSearch.apiKey.
3. Run pnpm test src/secrets/target-registry.test.ts after the registry change.

Expected

• Exa's credential path is part of the canonical SecretRef registry.
• The targeted SecretRef registry test passes.

Actual

• After the change, Exa's credential path is in the registry and the targeted test passes.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: confirmed the registry now includes plugins.entries.exa.config.webSearch.apiKey; reran pnpm test src/secrets/target-registry.test.ts successfully.
• Edge cases checked: removed the Exa-specific unit assertion to keep test coverage aligned with the repo's current broad-pattern testing style.
• What you did not verify: I did not update or regenerate the secops-owned SecretRef reference docs/matrix files in this PR.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: the docs/reference SecretRef surface remains out of sync with the code contract until a secops-approved docs follow-up lands.
  • Mitigation: this PR keeps the code fix minimal and explicitly calls out the remaining docs gap for a separate owner-approved follow-up.