Release 0.4.2: MiniMax x-api-key auth, Feishu pairing file watcher

agentkernel · agentkernel · commit 78bd3a13ffca · 2026-03-26T17:06:00.000+08:00
- MiniMax: use Anthropic-style x-api-key (authHeader false); migrate configs; exclude MiniMax from blanket Bearer migration
- Feishu: replace 12s polling with fs.watch on credentials dir; dedupe by openId and throttle without openId
- Version bump and docs (CHANGELOG, README, bundle manifest)

Made-with: Cursor
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 All notable changes to OpenClaw Desktop will be documented in this file.
 
+## [0.4.2] - 2026-03-26
+
+### Fixed
+
+- **MiniMax HTTP 401 `invalid api key`:** MiniMax’s Anthropic-compatible API (`https://api.minimax.io/anthropic`) expects **Anthropic-style `x-api-key`** (official docs: `ANTHROPIC_API_KEY` + Anthropic SDK). The shell had set `authHeader: true` (**Bearer**), which MiniMax rejects even when the key is valid. The MiniMax seed no longer sets Bearer; existing `openclaw.json` entries are migrated to **`authHeader: false`** on load. The blanket third-party `anthropic-messages` migration **excludes** MiniMax; OpenCode Zen, Kimi Coding, Synthetic, Cloudflare AI Gateway, etc. are unchanged.
+
+### Changed
+
+- **Feishu DM pairing notifications:** Replaced the 12s polling loop with **`fs.watch` on `~/.openclaw/credentials`** (debounced) so pairing JSON updates drive notifications; **dedupe by `openId`** and a short throttle when `openId` is missing to avoid repeated toasts when the pairing code rotates.
+
 ## [0.4.1] - 2026-03-26
 
 ### Changed
diff --git a/README.md b/README.md
@@ -54,9 +54,13 @@ If you've been searching for *how to install OpenClaw on Windows*, *how to run O
 
 **System:** Windows 10/11 x64 · ~350 MB free space · Internet for API calls
 
+## Latest: MiniMax `invalid api key` (401)
+
+MiniMax’s Anthropic-compatible base URL (`https://api.minimax.io/anthropic`) expects **Anthropic-style `x-api-key`** ([MiniMax platform docs](https://platform.minimax.io/docs/guides/text-generation): `ANTHROPIC_API_KEY` + Anthropic SDK). Older shell builds set `authHeader: true` (**Bearer**), which MiniMax rejects. Current builds omit Bearer for MiniMax and migrate existing `openclaw.json` to `authHeader: false` on startup. Other third-party `anthropic-messages` hosts (OpenCode Zen, Kimi Coding, Synthetic, Cloudflare AI Gateway, …) may still use `authHeader: true` where required.
+
 ## What's New in v0.3.4
 
-- **MiniMax / Anthropic-compatible 401:** `models.providers.*` now sets **`authHeader: true`** for third-party `anthropic-messages` hosts (same as OpenClaw `extensions/minimax/onboard.ts`). Existing configs are migrated on startup—fixes invalid API key errors when the key is correct but auth headers did not match the host.
+- **Third-party Anthropic-compatible 401 (excluding MiniMax):** `authHeader: true` for hosts that expect Bearer. MiniMax is handled separately (see above).
 
 Earlier highlights (v0.3.3): `minimax:global` profile id + auth-profiles migration.
 
diff --git a/README.zh-CN.md b/README.zh-CN.md
@@ -54,9 +54,13 @@
 
 **系统要求：** Windows 10/11 x64 · 约 350 MB 可用空间 · 网络连接（用于 API 调用）
 
+## 最新：MiniMax `invalid api key`（401）
+
+MiniMax 的 Anthropic 兼容地址（`https://api.minimax.io/anthropic`）使用与 Anthropic 相同的 **`x-api-key`**（见 [MiniMax 平台文档](https://platform.minimax.io/docs/guides/text-generation)：`ANTHROPIC_API_KEY` + Anthropic SDK）。旧版 Shell 曾为 MiniMax 设置 `authHeader: true`（**Bearer**），会导致密钥正确仍被服务端拒绝。当前版本对 MiniMax 不再使用 Bearer，并在启动时将已有 `openclaw.json` 迁移为 `authHeader: false`。其他第三方 `anthropic-messages` 端点（OpenCode Zen、Kimi Coding、Synthetic、Cloudflare AI Gateway 等）仍按需在适当时机使用 `authHeader: true`。
+
 ## v0.3.4 更新亮点
 
-- **MiniMax / Anthropic 兼容 401：** 与 OpenClaw 上游一致，为第三方 **`anthropic-messages`** 端点设置 **`authHeader: true`**；启动时自动迁移已有 `openclaw.json`。密钥正确但仍报 invalid api key 时多属此类问题。
+- **第三方 Anthropic 兼容 401（不含 MiniMax）：** 对需要 Bearer 的端点设置 `authHeader: true`；MiniMax 单独处理（见上文）。
 
 更早版本（v0.3.3）要点：`minimax:global` 与 auth-profiles 迁移 — 详见 [CHANGELOG.md](CHANGELOG.md)。
 
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "openclaw-desktop",
-  "version": "0.4.1+openclaw.2026.3.24",
+  "version": "0.4.2+openclaw.2026.3.24",
   "openclawBundleVersion": "2026.3.24",
   "description": "Community-maintained Windows desktop app and installer for OpenClaw.",
   "type": "module",
diff --git a/resources/bundle-manifest.json b/resources/bundle-manifest.json
@@ -1,4 +1,4 @@
 {
-  "shellVersion": "0.4.1+openclaw.2026.3.24",
+  "shellVersion": "0.4.2+openclaw.2026.3.24",
   "bundledOpenClawVersion": "2026.3.24"
 }
diff --git a/src/main/config/openclaw-config.ts b/src/main/config/openclaw-config.ts
@@ -171,10 +171,17 @@ function migrateAuthOrderFullProfileIds(
   return { config: next, changed: true }
 }
 
+/** MiniMax Anthropic-compatible hosts use the same credential transport as Anthropic (`x-api-key`), per platform docs (ANTHROPIC_API_KEY + Anthropic SDK). Bearer (`authHeader: true`) yields HTTP 401 invalid api key. */
+function isMinimaxAnthropicProvider(providerId: string, baseUrl: string): boolean {
+  if (providerId === 'minimax') return true
+  const u = baseUrl.toLowerCase()
+  return u.includes('api.minimax.io') || u.includes('minimaxi.com')
+}
+
 /**
- * OpenClaw `extensions/minimax/onboard.ts` sets `authHeader: true` for third-party Anthropic-compatible
- * APIs (MiniMax, Synthetic, etc.). Without it, gateways can get HTTP 401 from hosts that expect
- * Bearer-style auth (see upstream issue #29169). Only set when missing; do not override explicit values.
+ * Third-party Anthropic-compatible APIs that are not Anthropic official often need `authHeader: true`
+ * (Bearer) — e.g. OpenCode Zen, Kimi Coding, Synthetic (see upstream issue #29169).
+ * MiniMax is excluded: it expects Anthropic-style `x-api-key`, not Bearer.
  */
 function migrateAnthropicThirdPartyAuthHeader(
   config: OpenClawConfig,
@@ -190,7 +197,7 @@ function migrateAnthropicThirdPartyAuthHeader(
     return { config, changed: false }
   }
 
-  for (const [, raw] of Object.entries(nextProviders)) {
+  for (const [providerId, raw] of Object.entries(nextProviders)) {
     if (!raw || typeof raw !== 'object' || Array.isArray(raw)) continue
     const p = raw as Record<string, unknown>
     if (p.authHeader !== undefined) continue
@@ -199,6 +206,7 @@ function migrateAnthropicThirdPartyAuthHeader(
     const baseUrl = typeof p.baseUrl === 'string' ? p.baseUrl : ''
     if (!baseUrl.trim()) continue
     if (baseUrl.includes('api.anthropic.com')) continue
+    if (isMinimaxAnthropicProvider(providerId, baseUrl)) continue
     p.authHeader = true
     changed = true
   }
@@ -207,6 +215,40 @@ function migrateAnthropicThirdPartyAuthHeader(
   return { config: next, changed: true }
 }
 
+/**
+ * Earlier desktop migrations set `authHeader: true` for all third-party anthropic-messages hosts including MiniMax.
+ * MiniMax requires Anthropic-style `x-api-key` (docs: ANTHROPIC_API_KEY + base https://api.minimax.io/anthropic). Flip to false.
+ */
+function migrateMinimaxAuthHeaderToXApiKey(
+  config: OpenClawConfig,
+): { config: OpenClawConfig; changed: boolean } {
+  const providers = config.models?.providers
+  if (!providers || typeof providers !== 'object') {
+    return { config, changed: false }
+  }
+  let changed = false
+  const next = JSON.parse(JSON.stringify(config)) as OpenClawConfig
+  const nextProviders = next.models?.providers
+  if (!nextProviders || typeof nextProviders !== 'object') {
+    return { config, changed: false }
+  }
+
+  for (const [providerId, raw] of Object.entries(nextProviders)) {
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw)) continue
+    const p = raw as Record<string, unknown>
+    if (p.authHeader !== true) continue
+    const api = typeof p.api === 'string' ? p.api : ''
+    if (api !== 'anthropic-messages') continue
+    const baseUrl = typeof p.baseUrl === 'string' ? p.baseUrl : ''
+    if (!isMinimaxAnthropicProvider(providerId, baseUrl)) continue
+    p.authHeader = false
+    changed = true
+  }
+
+  if (!changed) return { config, changed: false }
+  return { config: next, changed: true }
+}
+
 /**
  * OpenClaw 2026.1.29+: gateway auth mode `none` removed — gateway must use token or password.
  * Migrate legacy `mode: "none"` using whichever credential field is present.
@@ -369,14 +411,17 @@ export function readOpenClawConfig(): OpenClawConfig {
       cfg = migratedAuthOrder.config
       const migratedAuthHeader = migrateAnthropicThirdPartyAuthHeader(cfg)
       cfg = migratedAuthHeader.config
+      const migratedMinimaxAuthHeader = migrateMinimaxAuthHeaderToXApiKey(cfg)
+      cfg = migratedMinimaxAuthHeader.config
       if (
         migratedProviders.changed ||
         migratedFeishu.changed ||
         migratedControlUiRoot.changed ||
         migratedControlUi.changed ||
         migratedAuthNone.changed ||
         migratedAuthOrder.changed ||
-        migratedAuthHeader.changed
+        migratedAuthHeader.changed ||
+        migratedMinimaxAuthHeader.changed
       ) {
         try {
           writeOpenClawConfig(cfg)
@@ -404,7 +449,12 @@ export function readOpenClawConfig(): OpenClawConfig {
           }
           if (migratedAuthHeader.changed) {
             console.info(
-              '[config] Set models.providers.*.authHeader=true for third-party anthropic-messages hosts in openclaw.json',
+              '[config] Set models.providers.*.authHeader=true for third-party anthropic-messages hosts (excluding MiniMax) in openclaw.json',
+            )
+          }
+          if (migratedMinimaxAuthHeader.changed) {
+            console.info(
+              '[config] Set models.providers.minimax.authHeader=false (Anthropic x-api-key) for MiniMax in openclaw.json',
             )
           }
         } catch (err) {
diff --git a/src/main/index.ts b/src/main/index.ts
@@ -27,6 +27,7 @@ import { syncLoginItemToSystem, getLoginItemOpenAtLogin, clearLoginItem } from '
 import { patchGatewayResponseHeaders } from './security/gateway-response-headers.js'
 import { rewriteGatewayRequestUrlWithToken } from './security/gateway-request-auth.js'
 import { listPendingFeishuPairing } from './pairing/index.js'
+import { watchFeishuPairingCredentialsDir } from './pairing/feishu-pairing-credentials-watcher.js'
 import { resolveTrayLocale, getFeishuPairingNotificationStrings, formatFeishuPairingBody } from './tray/tray-i18n.js'
 import { registerShellFileProtocol, registerShellPrivileges } from './shell-protocol.js'
 
@@ -39,7 +40,7 @@ process.on('uncaughtException', (error) => {
   dialog.showErrorBox('Unexpected Error', error.stack ?? error.message)
 })
 let isQuitting = false
-let feishuPairingNotifyTimer: ReturnType<typeof setInterval> | null = null
+let stopFeishuPairingNotifyWatcher: (() => void) | null = null
 const windowManager = new WindowManager({
   defaultGatewayPort: DEFAULT_GATEWAY_PORT,
   readShellConfig,
@@ -102,9 +103,9 @@ async function cleanupBeforeQuit(): Promise<void> {
   // 5. Stop background update polling
   stopBackgroundUpdateCheck()
 
-  if (feishuPairingNotifyTimer) {
-    clearInterval(feishuPairingNotifyTimer)
-    feishuPairingNotifyTimer = null
+  if (stopFeishuPairingNotifyWatcher) {
+    stopFeishuPairingNotifyWatcher()
+    stopFeishuPairingNotifyWatcher = null
   }
 }
 
@@ -307,14 +308,34 @@ app.whenReady().then(() => {
   trayManager.create()
   trayManager.setGatewayStatus(gatewayManager.getStatus().status)
 
+  /** Pairing codes we already surfaced via system notification (session). */
   const notifiedFeishuPairingCodes = new Set<string>()
-  const pollFeishuPairingNotifications = () => {
+  /**
+   * When the gateway refreshes the pairing challenge frequently, `code` changes while `openId`
+   * stays the same — dedupe by openId so we do not spam duplicate system notifications.
+   */
+  const notifiedFeishuPairingOpenIds = new Set<string>()
+  /** When pending rows have no openId yet, only one notification per interval (rotating code / noisy state). */
+  let lastFeishuPairingNotifyWithoutOpenIdAt = 0
+  const FEISHU_PAIRING_NOTIFY_MIN_INTERVAL_MS = 120_000
+
+  const processFeishuPairingNotifications = () => {
     void listPendingFeishuPairing()
       .then(({ requests }) => {
+        const now = Date.now()
         for (const row of requests) {
           const code = row.code.trim().toUpperCase()
-          if (!code || notifiedFeishuPairingCodes.has(code)) continue
+          if (!code) continue
+          const openId = row.openId?.trim()
+          if (openId) {
+            if (notifiedFeishuPairingOpenIds.has(openId)) continue
+          } else {
+            if (notifiedFeishuPairingCodes.has(code)) continue
+            if (now - lastFeishuPairingNotifyWithoutOpenIdAt < FEISHU_PAIRING_NOTIFY_MIN_INTERVAL_MS) continue
+            lastFeishuPairingNotifyWithoutOpenIdAt = now
+          }
           notifiedFeishuPairingCodes.add(code)
+          if (openId) notifiedFeishuPairingOpenIds.add(openId)
           if (!Notification.isSupported()) continue
           const loc = resolveTrayLocale(readShellConfig)
           const notifCopy = getFeishuPairingNotificationStrings(loc)
@@ -330,8 +351,8 @@ app.whenReady().then(() => {
       })
       .catch(() => {})
   }
-  feishuPairingNotifyTimer = setInterval(pollFeishuPairingNotifications, 12_000)
-  pollFeishuPairingNotifications()
+  processFeishuPairingNotifications()
+  stopFeishuPairingNotifyWatcher = watchFeishuPairingCredentialsDir(processFeishuPairingNotifications)
 
   // 5. Pre-start checks (bundle + config)
   const prestartCheck = runPrestartCheck()
diff --git a/src/main/pairing/feishu-pairing-credentials-watcher.ts b/src/main/pairing/feishu-pairing-credentials-watcher.ts
@@ -0,0 +1,62 @@
+import fs from 'node:fs'
+import path from 'node:path'
+import { getUserDataDir } from '../utils/paths.js'
+
+const CREDENTIALS_SUBDIR = 'credentials'
+/** Debounce rapid writes (save + rename) and multi-platform double events */
+const DEBOUNCE_MS = 400
+
+function isFeishuPairingJsonFilename(filename: string | null): boolean {
+  if (!filename) return false
+  const lower = filename.toLowerCase()
+  if (!lower.endsWith('.json')) return false
+  return lower.includes('pairing')
+}
+
+/**
+ * Watch `~/.openclaw/credentials` for Feishu pairing store files (`*pairing*.json`).
+ * Invokes `onChange` after writes settle — no polling loop.
+ */
+export function watchFeishuPairingCredentialsDir(onChange: () => void): () => void {
+  const dir = path.join(getUserDataDir(), CREDENTIALS_SUBDIR)
+  try {
+    fs.mkdirSync(dir, { recursive: true })
+  } catch {
+    // If mkdir fails, still try watch (caller may handle empty pending)
+  }
+
+  let debounceTimer: ReturnType<typeof setTimeout> | null = null
+  const schedule = () => {
+    if (debounceTimer) clearTimeout(debounceTimer)
+    debounceTimer = setTimeout(() => {
+      debounceTimer = null
+      onChange()
+    }, DEBOUNCE_MS)
+  }
+
+  let watcher: fs.FSWatcher | null = null
+  try {
+    watcher = fs.watch(dir, (_event, filename) => {
+      // Some platforms emit with null filename — still worth one debounced read
+      if (filename != null && !isFeishuPairingJsonFilename(filename)) return
+      schedule()
+    })
+  } catch {
+    return () => {
+      if (debounceTimer) clearTimeout(debounceTimer)
+    }
+  }
+
+  return () => {
+    if (debounceTimer) {
+      clearTimeout(debounceTimer)
+      debounceTimer = null
+    }
+    try {
+      watcher?.close()
+    } catch {
+      // ignore
+    }
+    watcher = null
+  }
+}
diff --git a/src/main/wizard/setup-handler.ts b/src/main/wizard/setup-handler.ts
@@ -68,8 +68,8 @@ type ProviderSeed = {
   /** OpenClaw `models.providers.*.api`; omit for plugin-native providers (e.g. Google Gemini). */
   api?: string
   /**
-   * Third-party Anthropic-compatible hosts need `authHeader: true` so the gateway sends the same
-   * auth as upstream `applyMinimaxApiConfig` / OpenClaw issue #29169 (MiniMax 401 without Bearer).
+   * Some third-party Anthropic-compatible hosts need `authHeader: true` (Bearer). MiniMax uses
+   * default Anthropic `x-api-key` — do not set here.
    */
   authHeader?: boolean
 }
@@ -126,7 +126,7 @@ const PROVIDER_SEEDS: Partial<Record<ModelProvider, ProviderSeed>> = {
     providerId: 'minimax',
     baseUrl: 'https://api.minimax.io/anthropic',
     api: 'anthropic-messages',
-    authHeader: true,
+    /** Omit authHeader (default): MiniMax uses Anthropic-style `x-api-key`; Bearer breaks with 401 invalid api key. */
   },
   xai: {
     providerId: 'xai',
diff --git a/src/shared/types.ts b/src/shared/types.ts
@@ -213,8 +213,7 @@ export interface ModelProviderConfig {
   /** Custom HTTP headers */
   headers?: Record<string, string>
   /**
-   * Third-party `anthropic-messages` hosts (MiniMax, Synthetic, Cloudflare gateway, etc.) need `true`
-   * so the gateway matches OpenClaw upstream onboard configs. Use `false` for local proxies (e.g. copilot-proxy).
+   * Third-party `anthropic-messages` hosts that expect Bearer credentials (Synthetic, OpenCode Zen, Kimi Coding, Cloudflare gateway, etc.) use `true`. MiniMax (`api.minimax.io`) uses Anthropic-style `x-api-key` — omit or `false`. Use `false` for local proxies (e.g. copilot-proxy).
    */
   authHeader?: boolean
   models?: Array<Record<string, unknown> & { id: string; name?: string }>

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "openclaw-desktop",`
`3`		`- "version": "0.4.1+openclaw.2026.3.24",`
	`3`	`+ "version": "0.4.2+openclaw.2026.3.24",`
`4`	`4`	`"openclawBundleVersion": "2026.3.24",`
`5`	`5`	`"description": "Community-maintained Windows desktop app and installer for OpenClaw.",`
`6`	`6`	`"type": "module",`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "shellVersion": "0.4.1+openclaw.2026.3.24",`
	`2`	`+ "shellVersion": "0.4.2+openclaw.2026.3.24",`
`3`	`3`	`"bundledOpenClawVersion": "2026.3.24"`
`4`	`4`	`}`