fix: support X-OpenViking-Account and X-OpenViking-User headers for root API key #1057

Open
leckylao wants to merge 4 commits into volcengine:main from leckylao:fix/root-key-agent-scope-access

@leckylao leckylao commented Mar 28, 2026

Problem

When using a root API key with the OpenClaw plugin, users get this error:

Access denied for viking://agent/xxx/memories

Additionally, auto-recall can time out with:

openviking: auto-recall search timeout

Background

We understand the recommendation is to use user API keys instead of root API keys. However, there is a fundamental mismatch in the current plugin design:

  1. The plugin searches both scopes by default:

    • viking://user/memories (user scope)
    • viking://agent/memories (agent scope)
  2. User API keys can only access user scope (viking://user/*)

  3. Agent scope requires either:

    • Root API key + X-OpenViking-Account + X-OpenViking-User headers
    • Or disabling agent scope search entirely

This means users who follow the recommendation to use user API keys will still get Access denied errors for agent scope searches.

Fixes in This PR

1. Support X-OpenViking-Account and X-OpenViking-User headers

Added accountId and userId config options so root API key users can access agent scope:

// client.ts - Send headers when configured
if (this.accountId) {
  headers.set("X-OpenViking-Account", this.accountId);
}
if (this.userId) {
  headers.set("X-OpenViking-User", this.userId);
}

2. Increase auto-recall timeout from 5s to 15s

The initial auto-recall needs multiple API calls:

  • /api/v1/system/status (get user identity)
  • /api/v1/fs/ls (list spaces)
  • /api/v1/search/search (actual search)

These serial calls can exceed 5 seconds, especially with cold cache. Increased timeout to 15 seconds.

3. Add accountId/userId to config validation

Updated config.ts allowed keys list and openclaw.plugin.json schema to accept the new config options.

Usage

# For root API key users who want agent scope access
openclaw config set plugins.entries.openviking.config.apiKey <root-api-key>
openclaw config set plugins.entries.openviking.config.accountId default
openclaw config set plugins.entries.openviking.config.userId main
openclaw config set plugins.entries.openviking.config.timeoutMs 15000

# For user API key users (no additional config needed, but agent scope will be denied)
openclaw config set plugins.entries.openviking.config.apiKey <user-api-key>
# Note: agent scope search will return Access denied with user key

Current Options (Before This Fix)

| Option | Pros | Cons |
|---|---|---|
| Use user API key | More secure, recommended | Agent scope search fails with Access denied |
| Use root API key without headers | Works for user scope | Agent scope search fails with Access denied |
| Disable agent scope search | No errors | Lose agent-specific memory context |

Alternative Solutions Considered

  1. Disable agent scope search by default - Would require code change to skip agent scope, losing functionality
  2. Detect root vs user key and auto-adjust - Not feasible, API key types are not distinguishable
  3. Document the limitation - Works for user key users, but root key users still broken

Testing

Tested on OpenClaw + OpenViking 0.2.12:

  • Root API key + accountId/userId → both scopes work ✅
  • User API key → user scope works, agent scope denied (expected) ✅
  • Auto-recall timeout → fixed with 15s timeout ✅
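
As an added illustration (not code from this PR or from the plugin), one way the new accountId/userId options could be validated before they become request headers, with the scope list derived from the same config. `TenantConfig`, `buildTenantHeaders`, `scopesToSearch`, the identifier pattern and the both-or-neither rule are assumptions made for this example.

```typescript
// Added example; TenantConfig and both function names are hypothetical.
interface TenantConfig {
  accountId?: string;
  userId?: string;
}

// Conservative allow-list for identifier values (an assumption: the page does
// not define the accepted format). It rejects CR/LF and any other character
// that could split or smuggle a header.
const SAFE_ID = /^[A-Za-z0-9._-]{1,128}$/;

function buildTenantHeaders(cfg: TenantConfig): Record<string, string> {
  const headers: Record<string, string> = {};
  const entries: Array<[string, string | undefined]> = [
    ["X-OpenViking-Account", cfg.accountId],
    ["X-OpenViking-User", cfg.userId],
  ];
  for (const [name, value] of entries) {
    if (value === undefined || value === "") continue;
    if (!SAFE_ID.test(value)) {
      throw new Error(`invalid value for ${name}`);
    }
    headers[name] = value;
  }
  // The PR description lists both headers together as the requirement for
  // agent scope, so a half-configured pair is treated as a config error here.
  if (Object.keys(headers).length === 1) {
    throw new Error("accountId and userId must be set together");
  }
  return headers;
}

// Per the options table, agent scope is denied whenever the headers are absent
// (user key, or root key without headers), so it is only queried when both
// identifiers are configured.
function scopesToSearch(cfg: TenantConfig): string[] {
  const scopes = ["viking://user/memories"];
  if (Object.keys(buildTenantHeaders(cfg)).length === 2) {
    scopes.push("viking://agent/memories");
  }
  return scopes;
}
```
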

…oot API key

When using root API key, the plugin needs to send X-OpenViking-Account
and X-OpenViking-User headers to access agent scope (viking://agent/*).

This fix:
- Adds accountId and userId config options
- Sends X-OpenViking-Account and X-OpenViking-User headers when configured
- Enables proper agent scope memory search with root API key

Without this fix, users get 'Access denied for viking://agent/xxx/memories'
when using root API key, because OpenViking requires these headers for
tenant-scoped APIs.

Usage:
  openclaw config set plugins.entries.openviking.config.accountId default
  openclaw config set plugins.entries.openviking.config.userId main

@github-actions

Failed to generate code suggestions for PR

OpenClaw validates config against the plugin schema. Add accountId and userId
to uiHints so they are recognized as valid config options.

The config.ts has its own validation that checks for unknown keys.
Add accountId and userId to the allowed keys list so they pass validation.

The initial auto-recall needs multiple API calls (status + ls + search)
which can exceed 5 seconds, especially when space cache is cold.
Increase timeout to 15 seconds to prevent premature timeouts.

Also recommend setting timeoutMs to 15000 in config.