From f3a511bd604aafe624d87b3c68f6c6b5779ca3f5 Mon Sep 17 00:00:00 2001
From: Alexey Kazakov <alkazako@redhat.com>
Date: Tue, 12 May 2026 17:43:55 -0700
Subject: [PATCH 1/3] feat: add web search and web fetch support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add WebSearchSpec and WebFetchSpec to Claw CRD with CEL validation
  requiring secretRef for API-keyed providers (brave, tavily)
- New claw_web_search.go: provider registry, validation, ConfigMap
  injection (operator.json), and proxy env var mounting
- Proxy injects search API keys transparently; gateway sees only a
  placeholder — supports brave (api_key), tavily (bearer), duckduckgo
  (passthrough), and gemini (reuses google credential)
- Wire validation, ConfigMap injection, proxy config routes, secret
  version stamping, and secret watch into the reconciler
- Comprehensive tests covering validation, ConfigMap injection, proxy
  routes, deployment env vars, secret stamping, and full reconcile
- Update PLATFORM.md skill with examples and provider-setup.md docs

Signed-off-by: Alexey Kazakov <alkazako@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
---
 api/v1alpha1/claw_types.go                    |  41 +
 api/v1alpha1/zz_generated.deepcopy.go         |  50 +
 .../bases/claw.sandbox.redhat.com_claws.yaml  |  62 ++
 docs/provider-setup.md                        | 165 +++-
 internal/assets/manifests/claw/configmap.yaml |  79 +-
 internal/controller/claw_channels_test.go     |   6 +-
 internal/controller/claw_proxy.go             |  40 +
 internal/controller/claw_proxy_test.go        |  68 +-
 .../controller/claw_resource_controller.go    |  24 +-
 internal/controller/claw_web_search.go        | 348 +++++++
 internal/controller/claw_web_search_test.go   | 916 ++++++++++++++++++
 11 files changed, 1758 insertions(+), 41 deletions(-)
 create mode 100644 internal/controller/claw_web_search.go
 create mode 100644 internal/controller/claw_web_search_test.go

diff --git a/api/v1alpha1/claw_types.go b/api/v1alpha1/claw_types.go
index d4dede8..02ca584 100644
--- a/api/v1alpha1/claw_types.go
+++ b/api/v1alpha1/claw_types.go
@@ -52,6 +52,7 @@ const (
 	ConditionTypeProxyConfigured         = "ProxyConfigured"
 	ConditionTypeDevicePairingConfigured = "DevicePairingConfigured"
 	ConditionTypeMcpServersConfigured    = "McpServersConfigured"
+	ConditionTypeWebSearchConfigured     = "WebSearchConfigured"
 )
 
 // Annotation keys used on pod templates to trigger rollouts on config changes.
@@ -263,6 +264,36 @@ type McpEnvFromSecret struct {
 	SecretRef SecretRefEntry `json:"secretRef"`
 }
 
+// WebSearchSpec configures the operator-managed web search provider.
+// +kubebuilder:validation:XValidation:rule="self.provider in ['duckduckgo','gemini'] || has(self.secretRef)",message="secretRef is required for API-keyed search providers"
+type WebSearchSpec struct {
+	// Provider selects the web search provider.
+	// Known values: brave, tavily, duckduckgo, gemini.
+	// +kubebuilder:validation:MinLength=1
+	Provider string `json:"provider"`
+
+	// SecretRef references a Secret key holding the search API key.
+	// Required for API-keyed providers (brave, tavily).
+	// Not needed for key-free (duckduckgo) or LLM-as-search (gemini).
+	// +optional
+	SecretRef *SecretRefEntry `json:"secretRef,omitempty"`
+
+	// Config is provider-specific configuration merged into
+	// plugins.entries.<provider>.config.webSearch in operator.json.
+	// Use for provider-specific tuning (mode, maxResults, etc.).
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +optional
+	Config *runtime.RawExtension `json:"config,omitempty"`
+}
+
+// WebFetchSpec configures the web_fetch tool.
+type WebFetchSpec struct {
+	// Enabled activates the web_fetch tool. Fetched URLs are gated by
+	// the proxy allowlist.
+	// +kubebuilder:default=true
+	Enabled bool `json:"enabled"`
+}
+
 // ClawSpec defines the desired state of Claw
 type ClawSpec struct {
 	// ConfigMode controls how operator config is applied on pod start.
@@ -281,6 +312,16 @@ type ClawSpec struct {
 	// Map keys are server names as they appear in the mcp.servers config.
 	// +optional
 	McpServers map[string]McpServerSpec `json:"mcpServers,omitempty"`
+
+	// WebSearch configures the web search provider for the OpenClaw agent.
+	// +optional
+	WebSearch *WebSearchSpec `json:"webSearch,omitempty"`
+
+	// WebFetch enables the web_fetch tool for arbitrary URL fetching.
+	// Fetched URLs are gated by the proxy allowlist — only domains
+	// permitted by credentials, search providers, or builtins are reachable.
+	// +optional
+	WebFetch *WebFetchSpec `json:"webFetch,omitempty"`
 }
 
 // ClawStatus defines the observed state of Claw
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 9227b56..7acd404 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -213,6 +213,16 @@ func (in *ClawSpec) DeepCopyInto(out *ClawSpec) {
 			(*out)[key] = *val.DeepCopy()
 		}
 	}
+	if in.WebSearch != nil {
+		in, out := &in.WebSearch, &out.WebSearch
+		*out = new(WebSearchSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.WebFetch != nil {
+		in, out := &in.WebFetch, &out.WebFetch
+		*out = new(WebFetchSpec)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClawSpec.
@@ -416,3 +426,43 @@ func (in *SecretRefEntry) DeepCopy() *SecretRefEntry {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebFetchSpec) DeepCopyInto(out *WebFetchSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebFetchSpec.
+func (in *WebFetchSpec) DeepCopy() *WebFetchSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WebFetchSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebSearchSpec) DeepCopyInto(out *WebSearchSpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(SecretRefEntry)
+		**out = **in
+	}
+	if in.Config != nil {
+		in, out := &in.Config, &out.Config
+		*out = new(runtime.RawExtension)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebSearchSpec.
+func (in *WebSearchSpec) DeepCopy() *WebSearchSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WebSearchSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/config/crd/bases/claw.sandbox.redhat.com_claws.yaml b/config/crd/bases/claw.sandbox.redhat.com_claws.yaml
index 24dd13d..aee5629 100644
--- a/config/crd/bases/claw.sandbox.redhat.com_claws.yaml
+++ b/config/crd/bases/claw.sandbox.redhat.com_claws.yaml
@@ -327,6 +327,68 @@ spec:
                   McpServers declares MCP servers injected into OpenClaw's config.
                   Map keys are server names as they appear in the mcp.servers config.
                 type: object
+              webFetch:
+                description: |-
+                  WebFetch enables the web_fetch tool for arbitrary URL fetching.
+                  Fetched URLs are gated by the proxy allowlist — only domains
+                  permitted by credentials, search providers, or builtins are reachable.
+                properties:
+                  enabled:
+                    default: true
+                    description: |-
+                      Enabled activates the web_fetch tool. Fetched URLs are gated by
+                      the proxy allowlist.
+                    type: boolean
+                required:
+                - enabled
+                type: object
+              webSearch:
+                description: WebSearch configures the web search provider for the
+                  OpenClaw agent.
+                properties:
+                  config:
+                    description: |-
+                      Config is provider-specific configuration merged into
+                      plugins.entries.<provider>.config.webSearch in operator.json.
+                      Use for provider-specific tuning (mode, maxResults, etc.).
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                  provider:
+                    description: |-
+                      Provider selects the web search provider.
+                      Known values: brave, tavily, duckduckgo, gemini.
+                    minLength: 1
+                    type: string
+                  secretRef:
+                    description: |-
+                      SecretRef references a Secret key holding the search API key.
+                      Required for API-keyed providers (brave, tavily).
+                      Not needed for key-free (duckduckgo) or LLM-as-search (gemini).
+                    properties:
+                      key:
+                        description: Key is the key in the Secret's data map
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the Secret
+                        minLength: 1
+                        type: string
+                      role:
+                        description: |-
+                          Role distinguishes multiple secrets for the same credential.
+                          Required when multiple secretRef entries are present (e.g., Slack botToken/appToken).
+                        maxLength: 63
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                required:
+                - provider
+                type: object
+                x-kubernetes-validations:
+                - message: secretRef is required for API-keyed search providers
+                  rule: self.provider in ['duckduckgo','gemini'] || has(self.secretRef)
             type: object
           status:
             description: ClawStatus defines the observed state of Claw
diff --git a/docs/provider-setup.md b/docs/provider-setup.md
index 1e437a0..c6dee6a 100644
--- a/docs/provider-setup.md
+++ b/docs/provider-setup.md
@@ -1,6 +1,6 @@
 # Provider Setup
 
-This guide covers configuring LLM providers, external services, messaging channels, and MCP servers for use with Claw. Each section walks through creating the necessary Secret and Claw CR configuration.
+This guide covers configuring LLM providers, external services, messaging channels, MCP servers, web search, and web fetch for use with Claw. Each section walks through creating the necessary Secret and Claw CR configuration.
 
 All examples assume you have set your target namespace:
 
@@ -856,3 +856,166 @@ The operator reconciles `spec.mcpServers` into the `mcp.servers` section of `ope
 - **Overwrite mode**: The full config is replaced on every pod start, including MCP servers.
 
 The operator also validates that all `envFrom`-referenced Secrets exist and contain the specified keys. If validation fails, the `McpServersConfigured` condition is set to `False` with a descriptive error message, and `Ready` is set to `False`.
+
+## Web Search
+
+The operator can configure a web search provider for the OpenClaw agent via `spec.webSearch`. Search API keys are injected by the MITM proxy — they never reach the gateway container.
+
+### Brave Search
+
+Uses the [Brave Search API](https://brave.com/search/api/) with an API key injected via the `X-Subscription-Token` header.
+
+**1. Get an API key** from [Brave Search API](https://brave.com/search/api/).
+
+**2. Create the Secret:**
+
+```sh
+oc create secret generic brave-search-key \
+  --from-literal=api-key=YOUR_BRAVE_API_KEY \
+  -n $NS
+```
+
+**3. Add to your Claw CR:**
+
+```sh
+oc apply -f - <<EOF
+apiVersion: claw.sandbox.redhat.com/v1alpha1
+kind: Claw
+metadata:
+  name: instance
+  namespace: $NS
+spec:
+  credentials: []  # your existing credentials
+  webSearch:
+    provider: brave
+    secretRef:
+      name: brave-search-key
+      key: api-key
+EOF
+```
+
+### Tavily
+
+Uses the [Tavily API](https://tavily.com/) with a bearer token.
+
+**1. Get an API key** from [Tavily](https://app.tavily.com/).
+
+**2. Create the Secret:**
+
+```sh
+oc create secret generic tavily-key \
+  --from-literal=api-key=YOUR_TAVILY_API_KEY \
+  -n $NS
+```
+
+**3. Add to your Claw CR:**
+
+```sh
+oc apply -f - <<EOF
+apiVersion: claw.sandbox.redhat.com/v1alpha1
+kind: Claw
+metadata:
+  name: instance
+  namespace: $NS
+spec:
+  credentials: []  # your existing credentials
+  webSearch:
+    provider: tavily
+    secretRef:
+      name: tavily-key
+      key: api-key
+EOF
+```
+
+You can pass provider-specific configuration via `spec.webSearch.config`:
+
+```yaml
+webSearch:
+  provider: tavily
+  secretRef:
+    name: tavily-key
+    key: api-key
+  config:
+    maxResults: 10
+```
+
+### DuckDuckGo
+
+Key-free search — no API key or Secret needed.
+
+```sh
+oc apply -f - <<EOF
+apiVersion: claw.sandbox.redhat.com/v1alpha1
+kind: Claw
+metadata:
+  name: instance
+  namespace: $NS
+spec:
+  credentials: []  # your existing credentials
+  webSearch:
+    provider: duckduckgo
+EOF
+```
+
+### Gemini (Search Grounding)
+
+Uses Google's Gemini search grounding, which sends a regular Gemini API call with `tools: [{ google_search }]`. This reuses your existing `google` provider credential — no additional Secret is needed.
+
+**Prerequisite:** You must have a `google` provider credential in `spec.credentials`.
+
+```sh
+oc apply -f - <<EOF
+apiVersion: claw.sandbox.redhat.com/v1alpha1
+kind: Claw
+metadata:
+  name: instance
+  namespace: $NS
+spec:
+  credentials:
+    - name: google
+      provider: google
+      type: apiKey
+      secretRef:
+        - name: gemini-api-key
+          key: api-key
+  webSearch:
+    provider: gemini
+EOF
+```
+
+### How It Works
+
+The operator sets `tools.web.search.provider` in `operator.json` and, for API-keyed providers, adds a proxy route for the search domain with credential injection. A placeholder API key is set in the config so OpenClaw makes the HTTP call; the proxy strips it and injects the real key.
+
+The `WebSearchConfigured` condition tracks the status:
+- `True` — provider validated and config injected
+- `False` — validation failed (missing secret, missing google credential for gemini, unknown provider)
+
+## Web Fetch
+
+The `web_fetch` tool allows the agent to fetch arbitrary URLs. Enable it via `spec.webFetch`:
+
+```yaml
+spec:
+  webFetch:
+    enabled: true
+```
+
+Fetched URLs are gated by the proxy allowlist. Only domains already permitted by credentials, search providers, or builtin passthroughs are reachable. To allow additional domains for fetching, add `type: none` credential entries:
+
+```sh
+oc apply -f - <<EOF
+apiVersion: claw.sandbox.redhat.com/v1alpha1
+kind: Claw
+metadata:
+  name: instance
+  namespace: $NS
+spec:
+  credentials:
+    - name: docs-site
+      type: none
+      domain: docs.python.org
+  webFetch:
+    enabled: true
+EOF
+```
diff --git a/internal/assets/manifests/claw/configmap.yaml b/internal/assets/manifests/claw/configmap.yaml
index f21d87f..cf5f31b 100644
--- a/internal/assets/manifests/claw/configmap.yaml
+++ b/internal/assets/manifests/claw/configmap.yaml
@@ -138,7 +138,7 @@ data:
   PLATFORM.md: |
     ---
     name: platform
-    description: "Platform overview, proxy architecture, LLM provider model management, messaging channel integration, and MCP server configuration."
+    description: "Platform overview, proxy architecture, LLM provider model management, messaging channel integration, MCP server configuration, and web search/fetch."
     ---
 
     # Platform Overview
@@ -558,6 +558,83 @@ data:
     User-managed MCP servers (added via `openclaw mcp set` inside the pod) coexist
     fine with operator-managed ones as long as names don't collide.
 
+    # Web Search & Web Fetch
+
+    The operator can configure a web search provider via `spec.webSearch` in the Claw
+    CR. This sets up the search tool without you needing to manually edit config files.
+
+    ## Provider categories
+
+    | Provider | Category | How auth works |
+    |----------|----------|----------------|
+    | Brave | Standalone API | Proxy injects API key via `X-Subscription-Token` header |
+    | Tavily | Standalone API | Proxy injects API key via `Authorization: Bearer` header |
+    | DuckDuckGo | Key-free | No API key needed — passthrough route |
+    | Gemini | LLM-as-search | Reuses existing `google` provider credential |
+
+    For API-keyed providers (Brave, Tavily), the search API key is mounted on the
+    **proxy** container — the gateway never sees it. The operator sets a placeholder
+    key in the config; the proxy strips it and injects the real key on outbound requests.
+
+    ## Examples
+
+    **Brave** (API-keyed — requires a Secret):
+    ```yaml
+    spec:
+      webSearch:
+        provider: brave
+        secretRef:
+          name: brave-search-key
+          key: api-key
+    ```
+
+    **DuckDuckGo** (key-free — no Secret needed):
+    ```yaml
+    spec:
+      webSearch:
+        provider: duckduckgo
+    ```
+
+    **Gemini** (LLM-as-search — reuses existing `google` credential):
+    ```yaml
+    spec:
+      credentials:
+        - name: google
+          provider: google
+          # ...
+      webSearch:
+        provider: gemini
+    ```
+
+    **Web fetch + web search together:**
+    ```yaml
+    spec:
+      webSearch:
+        provider: tavily
+        secretRef:
+          name: tavily-key
+          key: api-key
+      webFetch:
+        enabled: true
+    ```
+
+    ## Web Fetch
+
+    When `spec.webFetch.enabled: true` is set, the `web_fetch` tool lets you fetch
+    arbitrary URLs. However, only domains already allowed by the proxy (LLM providers,
+    search APIs, builtin passthroughs, `type: none` entries) are reachable. The proxy
+    blocks all other domains.
+
+    ## What NOT to do
+
+    **Do NOT** manually configure `tools.web.search` or `tools.web.fetch` in
+    `openclaw.json` or via config patches. The operator manages these settings —
+    manual changes will be overwritten on the next pod restart.
+
+    **Do NOT** set search API keys as environment variables (`BRAVE_API_KEY`,
+    `TAVILY_API_KEY`, etc.) on the gateway container. The operator uses proxy-based
+    credential injection to keep secrets off the gateway.
+
     # Custom Domains
 
     For any other external service, the user can add a `type: none` entry with the
diff --git a/internal/controller/claw_channels_test.go b/internal/controller/claw_channels_test.go
index 03108f7..3c43ade 100644
--- a/internal/controller/claw_channels_test.go
+++ b/internal/controller/claw_channels_test.go
@@ -461,7 +461,7 @@ func TestGenerateProxyConfigWithChannelCompanions(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil)
+		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -484,7 +484,7 @@ func TestGenerateProxyConfigWithChannelCompanions(t *testing.T) {
 			Type:    clawv1alpha1.CredentialTypeNone,
 		}
 
-		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil)
+		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -513,7 +513,7 @@ func TestGenerateProxyConfigWithChannelCompanions(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil)
+		data, err := generateProxyConfig(toResolved([]clawv1alpha1.CredentialSpec{cred}), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
diff --git a/internal/controller/claw_proxy.go b/internal/controller/claw_proxy.go
index 5fa8d19..1b05bc0 100644
--- a/internal/controller/claw_proxy.go
+++ b/internal/controller/claw_proxy.go
@@ -107,6 +107,7 @@ var builtinPassthroughDomains = []builtinPassthrough{
 func generateProxyConfig(
 	credentials []resolvedCredential,
 	mcpServers map[string]clawv1alpha1.McpServerSpec,
+	webSearch *clawv1alpha1.WebSearchSpec,
 ) ([]byte, error) {
 	var exact, suffix []proxyRoute
 
@@ -216,6 +217,10 @@ func generateProxyConfig(
 		}
 	}
 
+	if route, ok := webSearchRoute(webSearch); ok {
+		exact = append(exact, route)
+	}
+
 	// Stable ordering: exact before suffix, alphabetical within each group.
 	// Within the same domain, routes with AllowedPaths sort before catch-all routes
 	// so the proxy's MatchRoute picks the specific route first.
@@ -232,6 +237,30 @@ func generateProxyConfig(
 	return json.Marshal(cfg)
 }
 
+// webSearchRoute builds a proxy route for the web search provider, if applicable.
+// Returns false for LLM-as-search providers (e.g., gemini) and unknown providers.
+func webSearchRoute(webSearch *clawv1alpha1.WebSearchSpec) (proxyRoute, bool) {
+	if webSearch == nil {
+		return proxyRoute{}, false
+	}
+	info, ok := knownSearchProviders[webSearch.Provider]
+	if !ok {
+		return proxyRoute{}, false
+	}
+	route := proxyRoute{
+		Domain:   info.Domain,
+		Injector: info.Injector,
+	}
+	switch info.Injector {
+	case "api_key":
+		route.EnvVar = credEnvVarName(webSearchCredPrefix)
+		route.Header = info.Header
+	case "bearer":
+		route.EnvVar = credEnvVarName(webSearchCredPrefix)
+	}
+	return route, true
+}
+
 // mcpPassthroughRoutes extracts domains from HTTP MCP server URLs and returns
 // passthrough routes for domains not already covered by credentials or builtins.
 // Suffix-match credentials (e.g. ".googleapis.com") cover subdomains, so an MCP
@@ -511,6 +540,17 @@ func (r *ClawResourceReconciler) stampSecretVersionAnnotation(
 		}
 	}
 
+	if ws := instance.Spec.WebSearch; ws != nil && ws.SecretRef != nil {
+		secret := &corev1.Secret{}
+		if err := r.Get(ctx, client.ObjectKey{
+			Namespace: instance.Namespace,
+			Name:      ws.SecretRef.Name,
+		}, secret); err != nil {
+			return fmt.Errorf("failed to get Secret %q for web search: %w", ws.SecretRef.Name, err)
+		}
+		versions[webSearchCredPrefix] = secret.ResourceVersion
+	}
+
 	if len(versions) == 0 {
 		return nil
 	}
diff --git a/internal/controller/claw_proxy_test.go b/internal/controller/claw_proxy_test.go
index e73d545..7112253 100644
--- a/internal/controller/claw_proxy_test.go
+++ b/internal/controller/claw_proxy_test.go
@@ -176,7 +176,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -205,7 +205,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -231,7 +231,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -260,7 +260,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -293,7 +293,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -323,7 +323,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -349,7 +349,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -377,7 +377,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -407,7 +407,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -437,7 +437,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -463,7 +463,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -490,7 +490,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -520,7 +520,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -559,7 +559,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -601,7 +601,7 @@ func TestGenerateProxyConfig(t *testing.T) {
 
 func TestBuiltinPassthroughDomains(t *testing.T) {
 	t.Run("should include clawhub.ai as none route with no credentials", func(t *testing.T) {
-		data, err := generateProxyConfig(nil, nil)
+		data, err := generateProxyConfig(nil, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -612,7 +612,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 	})
 
 	t.Run("should include openrouter.ai as none route with no credentials", func(t *testing.T) {
-		data, err := generateProxyConfig(nil, nil)
+		data, err := generateProxyConfig(nil, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -623,7 +623,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 	})
 
 	t.Run("should include raw.githubusercontent.com with path restriction", func(t *testing.T) {
-		data, err := generateProxyConfig(nil, nil)
+		data, err := generateProxyConfig(nil, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -634,7 +634,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 	})
 
 	t.Run("should include registry.npmjs.org as none route with no credentials", func(t *testing.T) {
-		data, err := generateProxyConfig(nil, nil)
+		data, err := generateProxyConfig(nil, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -645,7 +645,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 	})
 
 	t.Run("should have no path restriction on unrestricted builtins", func(t *testing.T) {
-		data, err := generateProxyConfig(nil, nil)
+		data, err := generateProxyConfig(nil, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -666,7 +666,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -694,7 +694,7 @@ func TestBuiltinPassthroughDomains(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -866,7 +866,7 @@ func TestGenerateProxyConfigVertexSDK(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -909,7 +909,7 @@ func TestGenerateProxyConfigVertexSDK(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), nil)
+		data, err := generateProxyConfig(toResolved(credentials), nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1216,7 +1216,7 @@ func TestGenerateProxyConfigKubernetes(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(creds, nil)
+		data, err := generateProxyConfig(creds, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1241,7 +1241,7 @@ func TestGenerateProxyConfigKubernetes(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(creds, nil)
+		data, err := generateProxyConfig(creds, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1267,7 +1267,7 @@ func TestGenerateProxyConfigKubernetes(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(creds, nil)
+		data, err := generateProxyConfig(creds, nil, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1291,7 +1291,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"context7": {URL: "https://mcp.context7.com/mcp", Transport: "streamable-http"},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1316,7 +1316,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"example": {URL: "https://mcp.example.com/mcp"},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), mcpServers)
+		data, err := generateProxyConfig(toResolved(credentials), mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1336,7 +1336,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"npm-mcp": {URL: "https://registry.npmjs.org/mcp"},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1359,7 +1359,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1373,7 +1373,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"bad": {URL: "://not-a-url"},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1388,7 +1388,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"svc2": {URL: "https://api.example.com/mcp2"},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1408,7 +1408,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"upper": {URL: "https://MCP.Example.COM/api"},
 		}
 
-		data, err := generateProxyConfig(nil, mcpServers)
+		data, err := generateProxyConfig(nil, mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
@@ -1434,7 +1434,7 @@ func TestMcpServerDomainExtraction(t *testing.T) {
 			"vertex": {URL: "https://us-central1-aiplatform.googleapis.com/mcp"},
 		}
 
-		data, err := generateProxyConfig(toResolved(credentials), mcpServers)
+		data, err := generateProxyConfig(toResolved(credentials), mcpServers, nil)
 		require.NoError(t, err)
 
 		var cfg proxyConfig
diff --git a/internal/controller/claw_resource_controller.go b/internal/controller/claw_resource_controller.go
index 201d72f..949ffef 100644
--- a/internal/controller/claw_resource_controller.go
+++ b/internal/controller/claw_resource_controller.go
@@ -389,7 +389,7 @@ type ClawResourceReconciler struct {
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch
 
 // Reconcile manages the complete lifecycle of resources for Claw instances
-func (r *ClawResourceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+func (r *ClawResourceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { //nolint:gocyclo
 	logger := log.FromContext(ctx)
 	logger.Info("Reconciling Claw", "name", req.Name, "namespace", req.Namespace)
 
@@ -430,6 +430,15 @@ func (r *ClawResourceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrl.Result{}, err
 	}
 
+	// Validate web search configuration (secret existence, credential cross-refs)
+	if err := r.validateWebSearchConfig(ctx, instance); err != nil {
+		logger.Error(err, "Web search validation failed")
+		if statusErr := r.Status().Update(ctx, instance); statusErr != nil {
+			logger.Error(statusErr, "Failed to update status after web search validation failure")
+		}
+		return ctrl.Result{}, err
+	}
+
 	// Generate proxy config, apply ConfigMaps (proxy config + Vertex AI stub ADC)
 	proxyConfigJSON, err := r.applyProxyResources(ctx, instance, resolvedCreds)
 	if err != nil {
@@ -625,6 +634,9 @@ func (r *ClawResourceReconciler) enrichConfigAndNetworkPolicy(
 	if err := injectMcpServersIntoConfigMap(objects, instance); err != nil {
 		return fmt.Errorf("failed to inject MCP servers into ConfigMap: %w", err)
 	}
+	if err := injectWebSearchIntoConfigMap(objects, instance); err != nil {
+		return fmt.Errorf("failed to inject web search config into ConfigMap: %w", err)
+	}
 	if err := injectKubernetesSkill(objects, resolvedCreds, instance.Name); err != nil {
 		return fmt.Errorf("failed to inject Kubernetes skill: %w", err)
 	}
@@ -652,6 +664,9 @@ func (r *ClawResourceReconciler) configureDeployments(
 	if err := configureProxyForCredentials(objects, instance, resolvedCreds); err != nil {
 		return fmt.Errorf("failed to configure proxy deployment for credentials: %w", err)
 	}
+	if err := configureProxyForWebSearch(objects, instance); err != nil {
+		return fmt.Errorf("failed to configure proxy for web search: %w", err)
+	}
 	if err := configureClawDeploymentForVertex(objects, resolvedCreds, instance.Name); err != nil {
 		return fmt.Errorf("failed to configure claw deployment for Vertex AI: %w", err)
 	}
@@ -677,7 +692,7 @@ func (r *ClawResourceReconciler) configureDeployments(
 func (r *ClawResourceReconciler) applyProxyResources(ctx context.Context, instance *clawv1alpha1.Claw, resolvedCreds []resolvedCredential) ([]byte, error) {
 	logger := log.FromContext(ctx)
 
-	proxyConfigJSON, err := generateProxyConfig(resolvedCreds, instance.Spec.McpServers)
+	proxyConfigJSON, err := generateProxyConfig(resolvedCreds, instance.Spec.McpServers, instance.Spec.WebSearch)
 	if err != nil {
 		logger.Error(err, "Failed to generate proxy config")
 		setCondition(instance, clawv1alpha1.ConditionTypeProxyConfigured, metav1.ConditionFalse, clawv1alpha1.ConditionReasonConfigFailed, err.Error())
@@ -1328,5 +1343,10 @@ func clawReferencesSecret(instance clawv1alpha1.Claw, secretName string) bool {
 			}
 		}
 	}
+	if instance.Spec.WebSearch != nil && instance.Spec.WebSearch.SecretRef != nil {
+		if instance.Spec.WebSearch.SecretRef.Name == secretName {
+			return true
+		}
+	}
 	return false
 }
diff --git a/internal/controller/claw_web_search.go b/internal/controller/claw_web_search.go
new file mode 100644
index 0000000..59ae08a
--- /dev/null
+++ b/internal/controller/claw_web_search.go
@@ -0,0 +1,348 @@
+/*
+Copyright 2026 Red Hat.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	clawv1alpha1 "github.com/codeready-toolchain/claw-operator/api/v1alpha1"
+)
+
+type searchProviderInfo struct {
+	Domain   string
+	Injector string
+	Header   string // only for api_key injector
+}
+
+// knownSearchProviders maps search provider names to their proxy route configuration.
+// Providers not in this map are checked against llmAsSearchProviders.
+var knownSearchProviders = map[string]searchProviderInfo{
+	"brave":      {Domain: "api.search.brave.com", Injector: "api_key", Header: "X-Subscription-Token"},
+	"tavily":     {Domain: "api.tavily.com", Injector: "bearer"},
+	"duckduckgo": {Domain: "html.duckduckgo.com", Injector: injectorNone},
+}
+
+// llmAsSearchProviders maps search provider names to the LLM credential provider
+// that must exist in spec.credentials.
+var llmAsSearchProviders = map[string]string{
+	"gemini": "google",
+}
+
+const (
+	placeholderAPIKey   = "ah-ah-ah-you-didnt-say-the-magic-word"
+	injectorNone        = "none"
+	webSearchCredPrefix = "websearch"
+)
+
+// webSearchNeedsSecret returns true if the provider requires a dedicated search API key.
+func webSearchNeedsSecret(provider string) bool {
+	info, ok := knownSearchProviders[provider]
+	return ok && info.Injector != injectorNone
+}
+
+func (r *ClawResourceReconciler) validateWebSearchConfig(
+	ctx context.Context,
+	instance *clawv1alpha1.Claw,
+) error {
+	ws := instance.Spec.WebSearch
+	if ws == nil {
+		meta.RemoveStatusCondition(&instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		return nil
+	}
+
+	provider := ws.Provider
+
+	if info, ok := knownSearchProviders[provider]; ok {
+		if info.Injector == injectorNone {
+			setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionTrue,
+				clawv1alpha1.ConditionReasonConfigured,
+				fmt.Sprintf("web search provider %q configured", provider))
+			return nil
+		}
+
+		if ws.SecretRef == nil {
+			err := fmt.Errorf("web search provider %q requires secretRef", provider)
+			setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			setCondition(instance, clawv1alpha1.ConditionTypeReady, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			return err
+		}
+
+		secret := &corev1.Secret{}
+		if err := r.Get(ctx, client.ObjectKey{
+			Namespace: instance.Namespace,
+			Name:      ws.SecretRef.Name,
+		}, secret); err != nil {
+			err = fmt.Errorf("web search Secret %q not found: %w", ws.SecretRef.Name, err)
+			setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			setCondition(instance, clawv1alpha1.ConditionTypeReady, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			return err
+		}
+		if _, ok := secret.Data[ws.SecretRef.Key]; !ok {
+			err := fmt.Errorf("key %q not found in web search Secret %q", ws.SecretRef.Key, ws.SecretRef.Name)
+			setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			setCondition(instance, clawv1alpha1.ConditionTypeReady, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			return err
+		}
+
+		setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionTrue,
+			clawv1alpha1.ConditionReasonConfigured,
+			fmt.Sprintf("web search provider %q configured", provider))
+		return nil
+	}
+
+	if requiredProvider, ok := llmAsSearchProviders[provider]; ok {
+		found := false
+		for _, cred := range instance.Spec.Credentials {
+			if cred.Provider == requiredProvider {
+				found = true
+				break
+			}
+		}
+		if !found {
+			err := fmt.Errorf(
+				"web search provider %q requires a %q credential in spec.credentials",
+				provider, requiredProvider,
+			)
+			setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			setCondition(instance, clawv1alpha1.ConditionTypeReady, metav1.ConditionFalse,
+				clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+			return err
+		}
+
+		setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionTrue,
+			clawv1alpha1.ConditionReasonConfigured,
+			fmt.Sprintf("web search provider %q configured (using %q credential)", provider, requiredProvider))
+		return nil
+	}
+
+	err := fmt.Errorf("unknown web search provider %q", provider)
+	setCondition(instance, clawv1alpha1.ConditionTypeWebSearchConfigured, metav1.ConditionFalse,
+		clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+	setCondition(instance, clawv1alpha1.ConditionTypeReady, metav1.ConditionFalse,
+		clawv1alpha1.ConditionReasonValidationFailed, err.Error())
+	return err
+}
+
+// injectWebSearchIntoConfigMap sets tools.web.search, tools.web.fetch, and
+// plugins.entries for the search provider in operator.json.
+func injectWebSearchIntoConfigMap(objects []*unstructured.Unstructured, instance *clawv1alpha1.Claw) error {
+	if instance.Spec.WebSearch == nil && instance.Spec.WebFetch == nil {
+		return nil
+	}
+
+	configMapName := getConfigMapName(instance.Name)
+	for _, obj := range objects {
+		if obj.GetKind() != ConfigMapKind || obj.GetName() != configMapName {
+			continue
+		}
+
+		operatorJSON, found, err := unstructured.NestedString(obj.Object, "data", "operator.json")
+		if err != nil {
+			return fmt.Errorf("failed to extract operator.json from ConfigMap: %w", err)
+		}
+		if !found {
+			return fmt.Errorf("operator.json not found in ConfigMap data")
+		}
+
+		var config map[string]any
+		if err := json.Unmarshal([]byte(operatorJSON), &config); err != nil {
+			return fmt.Errorf("failed to parse operator.json: %w", err)
+		}
+
+		tools, _ := config["tools"].(map[string]any)
+		if tools == nil {
+			tools = map[string]any{}
+		}
+		web, _ := tools["web"].(map[string]any)
+		if web == nil {
+			web = map[string]any{}
+		}
+
+		if ws := instance.Spec.WebSearch; ws != nil {
+			web["search"] = map[string]any{
+				"enabled":  true,
+				"provider": ws.Provider,
+			}
+
+			if err := injectSearchPluginEntry(config, ws); err != nil {
+				return err
+			}
+		}
+
+		if wf := instance.Spec.WebFetch; wf != nil {
+			web["fetch"] = map[string]any{
+				"enabled": wf.Enabled,
+			}
+		}
+
+		tools["web"] = web
+		config["tools"] = tools
+
+		updatedJSON, err := json.MarshalIndent(config, "    ", "  ")
+		if err != nil {
+			return fmt.Errorf("failed to marshal operator.json: %w", err)
+		}
+
+		if err := unstructured.SetNestedField(obj.Object, string(updatedJSON), "data", "operator.json"); err != nil {
+			return fmt.Errorf("failed to set updated operator.json in ConfigMap: %w", err)
+		}
+		return nil
+	}
+
+	return fmt.Errorf("ConfigMap %q not found in manifests", configMapName)
+}
+
+// injectSearchPluginEntry adds the plugin entry for the search provider into
+// plugins.entries.<pluginID>.config.webSearch.
+func injectSearchPluginEntry(config map[string]any, ws *clawv1alpha1.WebSearchSpec) error {
+	pluginID := ws.Provider
+
+	// Gemini uses the "google" plugin entry
+	if requiredProvider, ok := llmAsSearchProviders[ws.Provider]; ok {
+		pluginID = requiredProvider
+	}
+
+	webSearchConfig := map[string]any{}
+
+	// API-keyed providers get a placeholder key
+	if webSearchNeedsSecret(ws.Provider) {
+		webSearchConfig["apiKey"] = placeholderAPIKey
+	}
+
+	// Merge user-provided config
+	if ws.Config != nil && ws.Config.Raw != nil {
+		var userConfig map[string]any
+		if err := json.Unmarshal(ws.Config.Raw, &userConfig); err != nil {
+			return fmt.Errorf("failed to parse webSearch.config: %w", err)
+		}
+		for k, v := range userConfig {
+			webSearchConfig[k] = v
+		}
+	}
+
+	// Key-free providers with no user config need no plugin entry
+	if len(webSearchConfig) == 0 {
+		return nil
+	}
+
+	existingPlugins, _ := config["plugins"].(map[string]any)
+	if existingPlugins == nil {
+		existingPlugins = map[string]any{}
+	}
+	existingEntries, _ := existingPlugins["entries"].(map[string]any)
+	if existingEntries == nil {
+		existingEntries = map[string]any{}
+	}
+
+	pluginEntry, _ := existingEntries[pluginID].(map[string]any)
+	if pluginEntry == nil {
+		pluginEntry = map[string]any{}
+	}
+	pluginConfig, _ := pluginEntry["config"].(map[string]any)
+	if pluginConfig == nil {
+		pluginConfig = map[string]any{}
+	}
+
+	pluginConfig["webSearch"] = webSearchConfig
+	pluginEntry["config"] = pluginConfig
+	existingEntries[pluginID] = pluginEntry
+	existingPlugins["entries"] = existingEntries
+	config["plugins"] = existingPlugins
+
+	return nil
+}
+
+// configureProxyForWebSearch mounts the search API key Secret as an env var
+// on the proxy container. Only applies to API-keyed providers.
+func configureProxyForWebSearch(
+	objects []*unstructured.Unstructured,
+	instance *clawv1alpha1.Claw,
+) error {
+	if instance.Spec.WebSearch == nil {
+		return nil
+	}
+	if !webSearchNeedsSecret(instance.Spec.WebSearch.Provider) {
+		return nil
+	}
+	ref := instance.Spec.WebSearch.SecretRef
+	if ref == nil {
+		return nil
+	}
+
+	for _, obj := range objects {
+		if obj.GetKind() != DeploymentKind || obj.GetName() != getProxyDeploymentName(instance.GetName()) {
+			continue
+		}
+
+		containers, found, err := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
+		if err != nil {
+			return fmt.Errorf("failed to get containers from proxy deployment: %w", err)
+		}
+		if !found {
+			return fmt.Errorf("containers field not found in proxy deployment")
+		}
+
+		for i, c := range containers {
+			cm, ok := c.(map[string]any)
+			if !ok {
+				continue
+			}
+			if name, _, _ := unstructured.NestedString(cm, "name"); name != ClawProxyContainerName {
+				continue
+			}
+
+			envVars, _, _ := unstructured.NestedSlice(cm, "env")
+			envVars = append(envVars, map[string]any{
+				"name": credEnvVarName(webSearchCredPrefix),
+				"valueFrom": map[string]any{
+					"secretKeyRef": map[string]any{
+						"name": ref.Name,
+						"key":  ref.Key,
+					},
+				},
+			})
+
+			if err := unstructured.SetNestedSlice(cm, envVars, "env"); err != nil {
+				return fmt.Errorf("failed to set env vars: %w", err)
+			}
+			containers[i] = cm
+			if err := unstructured.SetNestedSlice(
+				obj.Object, containers, "spec", "template", "spec", "containers",
+			); err != nil {
+				return fmt.Errorf("failed to set containers: %w", err)
+			}
+			return nil
+		}
+		return fmt.Errorf("container %q not found in proxy deployment", ClawProxyContainerName)
+	}
+	return fmt.Errorf("claw-proxy deployment not found in manifests")
+}
diff --git a/internal/controller/claw_web_search_test.go b/internal/controller/claw_web_search_test.go
new file mode 100644
index 0000000..2617e50
--- /dev/null
+++ b/internal/controller/claw_web_search_test.go
@@ -0,0 +1,916 @@
+/*
+Copyright 2026 Red Hat.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	clawv1alpha1 "github.com/codeready-toolchain/claw-operator/api/v1alpha1"
+)
+
+func TestValidateWebSearchConfig(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("brave with valid secret succeeds", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("brave-key", namespace, "api-key", "test-brave-key")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "brave",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "brave-key", Key: "api-key"},
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		err := reconciler.validateWebSearchConfig(ctx, instance)
+		require.NoError(t, err)
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("brave with missing secret fails", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "brave",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "nonexistent", Key: "api-key"},
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		err := reconciler.validateWebSearchConfig(ctx, instance)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "not found")
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionFalse, cond.Status)
+	})
+
+	t.Run("brave with wrong key fails", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("brave-key2", namespace, "api-key", "val")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "brave",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "brave-key2", Key: "wrong-key"},
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		err := reconciler.validateWebSearchConfig(ctx, instance)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), `key "wrong-key" not found`)
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionFalse, cond.Status)
+	})
+
+	t.Run("tavily with valid secret succeeds", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("tavily-key", namespace, "api-key", "test-tavily-key")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "tavily",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "tavily-key", Key: "api-key"},
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		require.NoError(t, reconciler.validateWebSearchConfig(ctx, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("duckduckgo needs no secret", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider: "duckduckgo",
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		require.NoError(t, reconciler.validateWebSearchConfig(ctx, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("gemini with google credential succeeds", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("google-api-key", namespace, "api-key", "test-google-key")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				Credentials: []clawv1alpha1.CredentialSpec{
+					{Name: "google", Provider: "google", Type: clawv1alpha1.CredentialTypeAPIKey,
+						Domain:    ".googleapis.com",
+						SecretRef: []clawv1alpha1.SecretRefEntry{{Name: "google-api-key", Key: "api-key"}}},
+				},
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider: "gemini",
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		require.NoError(t, reconciler.validateWebSearchConfig(ctx, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("gemini without google credential fails", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider: "gemini",
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		err := reconciler.validateWebSearchConfig(ctx, instance)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), `requires a "google" credential`)
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionFalse, cond.Status)
+	})
+
+	t.Run("unknown provider fails", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("bogus-key", namespace, "api-key", "val")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "bogus",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "bogus-key", Key: "api-key"},
+				},
+			},
+		}
+		require.NoError(t, k8sClient.Create(ctx, instance))
+
+		reconciler := createClawReconciler()
+		err := reconciler.validateWebSearchConfig(ctx, instance)
+		require.Error(t, err)
+		assert.Equal(t, `unknown web search provider "bogus"`, err.Error())
+	})
+}
+
+func TestInjectWebSearchIntoConfigMap(t *testing.T) {
+	t.Run("brave sets tools.web.search and plugins entry with placeholder", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "brave",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+				},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+
+		tools, ok := config["tools"].(map[string]any)
+		require.True(t, ok)
+		web, ok := tools["web"].(map[string]any)
+		require.True(t, ok)
+		search, ok := web["search"].(map[string]any)
+		require.True(t, ok)
+		assert.Equal(t, true, search["enabled"])
+		assert.Equal(t, "brave", search["provider"])
+
+		plugins, ok := config["plugins"].(map[string]any)
+		require.True(t, ok)
+		entries, ok := plugins["entries"].(map[string]any)
+		require.True(t, ok)
+		braveEntry, ok := entries["brave"].(map[string]any)
+		require.True(t, ok)
+		braveConfig, ok := braveEntry["config"].(map[string]any)
+		require.True(t, ok)
+		webSearch, ok := braveConfig["webSearch"].(map[string]any)
+		require.True(t, ok)
+		assert.Equal(t, placeholderAPIKey, webSearch["apiKey"])
+	})
+
+	t.Run("tavily with custom config merges into plugin entry", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "tavily",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+					Config:    &runtime.RawExtension{Raw: []byte(`{"maxResults":10}`)},
+				},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		plugins := config["plugins"].(map[string]any)
+		entries := plugins["entries"].(map[string]any)
+		tavilyEntry := entries["tavily"].(map[string]any)
+		tavilyConfig := tavilyEntry["config"].(map[string]any)
+		webSearch := tavilyConfig["webSearch"].(map[string]any)
+		assert.Equal(t, placeholderAPIKey, webSearch["apiKey"])
+		assert.Equal(t, float64(10), webSearch["maxResults"])
+	})
+
+	t.Run("duckduckgo sets search provider with no plugin entry", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider: "duckduckgo",
+				},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		tools := config["tools"].(map[string]any)
+		web := tools["web"].(map[string]any)
+		search := web["search"].(map[string]any)
+		assert.Equal(t, "duckduckgo", search["provider"])
+
+		// No plugin entry for duckduckgo (key-free)
+		_, hasPlugins := config["plugins"]
+		assert.False(t, hasPlugins)
+	})
+
+	t.Run("gemini sets search provider under google plugin entry", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider: "gemini",
+					Config:   &runtime.RawExtension{Raw: []byte(`{"model":"gemini-2.0-flash"}`)},
+				},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		tools := config["tools"].(map[string]any)
+		web := tools["web"].(map[string]any)
+		search := web["search"].(map[string]any)
+		assert.Equal(t, "gemini", search["provider"])
+
+		plugins := config["plugins"].(map[string]any)
+		entries := plugins["entries"].(map[string]any)
+		googleEntry := entries["google"].(map[string]any)
+		googleConfig := googleEntry["config"].(map[string]any)
+		webSearch := googleConfig["webSearch"].(map[string]any)
+		assert.Equal(t, "gemini-2.0-flash", webSearch["model"])
+		_, hasAPIKey := webSearch["apiKey"]
+		assert.False(t, hasAPIKey, "gemini should not have placeholder apiKey")
+	})
+
+	t.Run("webFetch sets tools.web.fetch.enabled", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebFetch: &clawv1alpha1.WebFetchSpec{Enabled: true},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		tools := config["tools"].(map[string]any)
+		web := tools["web"].(map[string]any)
+		fetch := web["fetch"].(map[string]any)
+		assert.Equal(t, true, fetch["enabled"])
+	})
+
+	t.Run("no-op when neither webSearch nor webFetch set", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		_, hasTools := config["tools"]
+		assert.False(t, hasTools, "tools should not be added when web search/fetch are nil")
+	})
+}
+
+func TestGenerateProxyConfigWithWebSearch(t *testing.T) {
+	t.Run("brave adds api_key route with custom header", func(t *testing.T) {
+		ws := &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+		}
+		data, err := generateProxyConfig(nil, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		route := findRouteByDomain(t, cfg.Routes, "api.search.brave.com")
+		assert.Equal(t, "api_key", route.Injector)
+		assert.Equal(t, "X-Subscription-Token", route.Header)
+		assert.Equal(t, "CRED_WEBSEARCH", route.EnvVar)
+	})
+
+	t.Run("tavily adds bearer route", func(t *testing.T) {
+		ws := &clawv1alpha1.WebSearchSpec{
+			Provider:  "tavily",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+		}
+		data, err := generateProxyConfig(nil, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		route := findRouteByDomain(t, cfg.Routes, "api.tavily.com")
+		assert.Equal(t, "bearer", route.Injector)
+		assert.Equal(t, "CRED_WEBSEARCH", route.EnvVar)
+	})
+
+	t.Run("duckduckgo adds passthrough route", func(t *testing.T) {
+		ws := &clawv1alpha1.WebSearchSpec{Provider: "duckduckgo"}
+		data, err := generateProxyConfig(nil, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		route := findRouteByDomain(t, cfg.Routes, "html.duckduckgo.com")
+		assert.Equal(t, "none", route.Injector)
+		assert.Empty(t, route.EnvVar)
+	})
+
+	t.Run("gemini adds no new route", func(t *testing.T) {
+		ws := &clawv1alpha1.WebSearchSpec{Provider: "gemini"}
+		data, err := generateProxyConfig(nil, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		for _, route := range cfg.Routes {
+			assert.NotContains(t, route.Domain, "gemini",
+				"gemini should not add its own route")
+		}
+	})
+
+	t.Run("nil webSearch adds no search route", func(t *testing.T) {
+		data, err := generateProxyConfig(nil, nil, nil)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		for _, route := range cfg.Routes {
+			assert.NotEqual(t, "api.search.brave.com", route.Domain)
+			assert.NotEqual(t, "api.tavily.com", route.Domain)
+			assert.NotEqual(t, "html.duckduckgo.com", route.Domain)
+		}
+	})
+}
+
+func TestConfigureProxyForWebSearch(t *testing.T) {
+	buildObjects := func(t *testing.T) (*clawv1alpha1.Claw, []*unstructured.Unstructured) {
+		t.Helper()
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{}
+		instance.Name = testInstanceName
+		instance.Namespace = namespace
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+		return instance, objects
+	}
+
+	findProxyEnvVars := func(t *testing.T, objects []*unstructured.Unstructured) []any {
+		t.Helper()
+		for _, obj := range objects {
+			if obj.GetKind() != DeploymentKind || obj.GetName() != getProxyDeploymentName(testInstanceName) {
+				continue
+			}
+			containers, _, _ := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
+			for _, c := range containers {
+				cm, ok := c.(map[string]any)
+				if !ok {
+					continue
+				}
+				if name, _, _ := unstructured.NestedString(cm, "name"); name == ClawProxyContainerName {
+					envVars, _, _ := unstructured.NestedSlice(cm, "env")
+					return envVars
+				}
+			}
+		}
+		t.Fatal("proxy container not found")
+		return nil
+	}
+
+	hasEnvVar := func(envVars []any, name string) bool {
+		for _, e := range envVars {
+			em, ok := e.(map[string]any)
+			if !ok {
+				continue
+			}
+			if n, _, _ := unstructured.NestedString(em, "name"); n == name {
+				return true
+			}
+		}
+		return false
+	}
+
+	t.Run("adds CRED_WEBSEARCH for brave", func(t *testing.T) {
+		instance, objects := buildObjects(t)
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "brave-key", Key: "api-key"},
+		}
+
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		envVars := findProxyEnvVars(t, objects)
+		assert.True(t, hasEnvVar(envVars, "CRED_WEBSEARCH"), "CRED_WEBSEARCH should be added")
+	})
+
+	t.Run("adds CRED_WEBSEARCH for tavily", func(t *testing.T) {
+		instance, objects := buildObjects(t)
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider:  "tavily",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "tavily-key", Key: "api-key"},
+		}
+
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		envVars := findProxyEnvVars(t, objects)
+		assert.True(t, hasEnvVar(envVars, "CRED_WEBSEARCH"), "CRED_WEBSEARCH should be added")
+	})
+
+	t.Run("no env var for duckduckgo", func(t *testing.T) {
+		instance, objects := buildObjects(t)
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider: "duckduckgo",
+		}
+
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		envVars := findProxyEnvVars(t, objects)
+		assert.False(t, hasEnvVar(envVars, "CRED_WEBSEARCH"), "duckduckgo should not add CRED_WEBSEARCH")
+	})
+
+	t.Run("no env var for gemini", func(t *testing.T) {
+		instance, objects := buildObjects(t)
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider: "gemini",
+		}
+
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		envVars := findProxyEnvVars(t, objects)
+		assert.False(t, hasEnvVar(envVars, "CRED_WEBSEARCH"), "gemini should not add CRED_WEBSEARCH")
+	})
+
+	t.Run("no-op when webSearch is nil", func(t *testing.T) {
+		instance, objects := buildObjects(t)
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		envVars := findProxyEnvVars(t, objects)
+		assert.False(t, hasEnvVar(envVars, "CRED_WEBSEARCH"))
+	})
+}
+
+func TestStampSecretVersionWithWebSearch(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("stamps web search secret ResourceVersion", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		secret := createTestAPIKeySecret("ws-secret", namespace, "api-key", "brave-key-val")
+		require.NoError(t, k8sClient.Create(ctx, secret))
+
+		// Re-read to get ResourceVersion
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: "ws-secret", Namespace: namespace}, secret))
+
+		createClawInstance(t, ctx, testInstanceName, namespace)
+
+		// Update the Claw instance with webSearch
+		instance := &clawv1alpha1.Claw{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "ws-secret", Key: "api-key"},
+		}
+		require.NoError(t, k8sClient.Update(ctx, instance))
+
+		reconciler := createClawReconciler()
+		reconcileClaw(t, ctx, reconciler, testInstanceName, namespace)
+
+		deployment := &appsv1.Deployment{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getProxyDeploymentName(testInstanceName),
+			Namespace: namespace,
+		}, deployment))
+
+		annotations := deployment.Spec.Template.Annotations
+		require.NotNil(t, annotations)
+		wsKey := clawv1alpha1.AnnotationPrefixSecretVersion + webSearchCredPrefix + clawv1alpha1.AnnotationSuffixSecretVersion
+		rv, ok := annotations[wsKey]
+		assert.True(t, ok, "websearch-secret-version annotation should exist")
+		assert.Equal(t, secret.ResourceVersion, rv)
+	})
+}
+
+func TestWebSearchFullReconcile(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("brave web search produces correct proxy config and operator.json", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		braveSecret := createTestAPIKeySecret("brave-search-secret", namespace, "api-key", "brave-val")
+		require.NoError(t, k8sClient.Create(ctx, braveSecret))
+
+		createClawInstance(t, ctx, testInstanceName, namespace)
+
+		instance := &clawv1alpha1.Claw{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "brave-search-secret", Key: "api-key"},
+		}
+		instance.Spec.WebFetch = &clawv1alpha1.WebFetchSpec{Enabled: true}
+		require.NoError(t, k8sClient.Update(ctx, instance))
+
+		reconciler := createClawReconciler()
+		reconcileClaw(t, ctx, reconciler, testInstanceName, namespace)
+
+		// Verify proxy config JSON contains the brave route
+		proxyConfigCM := &corev1.ConfigMap{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getProxyConfigMapName(testInstanceName),
+			Namespace: namespace,
+		}, proxyConfigCM))
+		var proxyCfg proxyConfig
+		require.NoError(t, json.Unmarshal([]byte(proxyConfigCM.Data["proxy-config.json"]), &proxyCfg))
+		braveRoute := findRouteByDomain(t, proxyCfg.Routes, "api.search.brave.com")
+		assert.Equal(t, "api_key", braveRoute.Injector)
+		assert.Equal(t, "X-Subscription-Token", braveRoute.Header)
+		assert.Equal(t, "CRED_WEBSEARCH", braveRoute.EnvVar)
+
+		// Verify proxy deployment has CRED_WEBSEARCH env var
+		proxyDeploy := &appsv1.Deployment{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getProxyDeploymentName(testInstanceName),
+			Namespace: namespace,
+		}, proxyDeploy))
+		var foundEnv bool
+		for _, c := range proxyDeploy.Spec.Template.Spec.Containers {
+			if c.Name == ClawProxyContainerName {
+				for _, e := range c.Env {
+					if e.Name == "CRED_WEBSEARCH" {
+						foundEnv = true
+						require.NotNil(t, e.ValueFrom)
+						require.NotNil(t, e.ValueFrom.SecretKeyRef)
+						assert.Equal(t, "brave-search-secret", e.ValueFrom.SecretKeyRef.Name)
+						assert.Equal(t, "api-key", e.ValueFrom.SecretKeyRef.Key)
+					}
+				}
+			}
+		}
+		assert.True(t, foundEnv, "CRED_WEBSEARCH env var should exist on proxy container")
+
+		// Verify operator.json has web search and web fetch config
+		gwConfigCM := &corev1.ConfigMap{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getConfigMapName(testInstanceName),
+			Namespace: namespace,
+		}, gwConfigCM))
+		var opJSON map[string]any
+		require.NoError(t, json.Unmarshal([]byte(gwConfigCM.Data["operator.json"]), &opJSON))
+		tools := opJSON["tools"].(map[string]any)
+		web := tools["web"].(map[string]any)
+		search := web["search"].(map[string]any)
+		assert.Equal(t, true, search["enabled"])
+		assert.Equal(t, "brave", search["provider"])
+		fetch := web["fetch"].(map[string]any)
+		assert.Equal(t, true, fetch["enabled"])
+
+		plugins := opJSON["plugins"].(map[string]any)
+		entries := plugins["entries"].(map[string]any)
+		braveEntry := entries["brave"].(map[string]any)
+		braveConfig := braveEntry["config"].(map[string]any)
+		webSearch := braveConfig["webSearch"].(map[string]any)
+		assert.Equal(t, placeholderAPIKey, webSearch["apiKey"])
+
+		// Verify WebSearchConfigured condition
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("duckduckgo reconcile requires no secret and sets condition", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		createClawInstance(t, ctx, testInstanceName, namespace)
+
+		instance := &clawv1alpha1.Claw{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{Provider: "duckduckgo"}
+		require.NoError(t, k8sClient.Update(ctx, instance))
+
+		reconciler := createClawReconciler()
+		reconcileClaw(t, ctx, reconciler, testInstanceName, namespace)
+
+		// Verify proxy config has duckduckgo passthrough
+		proxyConfigCM := &corev1.ConfigMap{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getProxyConfigMapName(testInstanceName),
+			Namespace: namespace,
+		}, proxyConfigCM))
+		var proxyCfg proxyConfig
+		require.NoError(t, json.Unmarshal([]byte(proxyConfigCM.Data["proxy-config.json"]), &proxyCfg))
+		ddgRoute := findRouteByDomain(t, proxyCfg.Routes, "html.duckduckgo.com")
+		assert.Equal(t, "none", ddgRoute.Injector)
+		assert.Empty(t, ddgRoute.EnvVar)
+
+		// No CRED_WEBSEARCH on proxy deployment
+		proxyDeploy := &appsv1.Deployment{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{
+			Name:      getProxyDeploymentName(testInstanceName),
+			Namespace: namespace,
+		}, proxyDeploy))
+		for _, c := range proxyDeploy.Spec.Template.Spec.Containers {
+			if c.Name == ClawProxyContainerName {
+				for _, e := range c.Env {
+					assert.NotEqual(t, "CRED_WEBSEARCH", e.Name, "duckduckgo should not add CRED_WEBSEARCH")
+				}
+			}
+		}
+
+		// Condition should be True
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		require.NotNil(t, cond)
+		assert.Equal(t, metav1.ConditionTrue, cond.Status)
+	})
+
+	t.Run("condition removed when webSearch is nil", func(t *testing.T) {
+		t.Cleanup(func() { deleteAndWaitAllResources(t, namespace) })
+
+		createClawInstance(t, ctx, testInstanceName, namespace)
+
+		reconciler := createClawReconciler()
+		reconcileClaw(t, ctx, reconciler, testInstanceName, namespace)
+
+		instance := &clawv1alpha1.Claw{}
+		require.NoError(t, k8sClient.Get(ctx, client.ObjectKey{Name: testInstanceName, Namespace: namespace}, instance))
+		cond := apimeta.FindStatusCondition(instance.Status.Conditions, clawv1alpha1.ConditionTypeWebSearchConfigured)
+		assert.Nil(t, cond, "WebSearchConfigured should not be present when webSearch is nil")
+	})
+}
+
+func TestInjectWebSearchAndFetchCombined(t *testing.T) {
+	t.Run("both webSearch and webFetch set together", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{
+			ObjectMeta: metav1.ObjectMeta{Name: testInstanceName, Namespace: namespace},
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "tavily",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+				},
+				WebFetch: &clawv1alpha1.WebFetchSpec{Enabled: true},
+			},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
+
+		config := extractOperatorJSON(t, objects, instance.Name)
+		tools := config["tools"].(map[string]any)
+		web := tools["web"].(map[string]any)
+
+		search := web["search"].(map[string]any)
+		assert.Equal(t, true, search["enabled"])
+		assert.Equal(t, "tavily", search["provider"])
+
+		fetch := web["fetch"].(map[string]any)
+		assert.Equal(t, true, fetch["enabled"])
+
+		plugins := config["plugins"].(map[string]any)
+		entries := plugins["entries"].(map[string]any)
+		tavilyEntry := entries["tavily"].(map[string]any)
+		tavilyConfig := tavilyEntry["config"].(map[string]any)
+		webSearch := tavilyConfig["webSearch"].(map[string]any)
+		assert.Equal(t, placeholderAPIKey, webSearch["apiKey"])
+	})
+}
+
+func TestConfigureProxyForWebSearchSecretRef(t *testing.T) {
+	t.Run("secretKeyRef references correct secret name and key", func(t *testing.T) {
+		reconciler := createClawReconciler()
+		instance := &clawv1alpha1.Claw{}
+		instance.Name = testInstanceName
+		instance.Namespace = namespace
+		instance.Spec.WebSearch = &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "my-brave-secret", Key: "my-key"},
+		}
+		objects, err := reconciler.buildKustomizedObjects(instance)
+		require.NoError(t, err)
+
+		require.NoError(t, configureProxyForWebSearch(objects, instance))
+
+		for _, obj := range objects {
+			if obj.GetKind() != DeploymentKind || obj.GetName() != getProxyDeploymentName(testInstanceName) {
+				continue
+			}
+			containers, _, _ := unstructured.NestedSlice(obj.Object, "spec", "template", "spec", "containers")
+			for _, c := range containers {
+				cm := c.(map[string]any)
+				if name, _, _ := unstructured.NestedString(cm, "name"); name != ClawProxyContainerName {
+					continue
+				}
+				envVars, _, _ := unstructured.NestedSlice(cm, "env")
+				for _, e := range envVars {
+					em := e.(map[string]any)
+					if n, _, _ := unstructured.NestedString(em, "name"); n == "CRED_WEBSEARCH" {
+						secretName, _, _ := unstructured.NestedString(em, "valueFrom", "secretKeyRef", "name")
+						secretKey, _, _ := unstructured.NestedString(em, "valueFrom", "secretKeyRef", "key")
+						assert.Equal(t, "my-brave-secret", secretName)
+						assert.Equal(t, "my-key", secretKey)
+						return
+					}
+				}
+			}
+		}
+		t.Fatal("CRED_WEBSEARCH env var not found")
+	})
+}
+
+func TestWebSearchRouteHelper(t *testing.T) {
+	t.Run("nil returns false", func(t *testing.T) {
+		_, ok := webSearchRoute(nil)
+		assert.False(t, ok)
+	})
+
+	t.Run("unknown provider returns false", func(t *testing.T) {
+		_, ok := webSearchRoute(&clawv1alpha1.WebSearchSpec{Provider: "unknown"})
+		assert.False(t, ok)
+	})
+
+	t.Run("gemini returns false", func(t *testing.T) {
+		_, ok := webSearchRoute(&clawv1alpha1.WebSearchSpec{Provider: "gemini"})
+		assert.False(t, ok)
+	})
+
+	t.Run("brave returns correct route", func(t *testing.T) {
+		route, ok := webSearchRoute(&clawv1alpha1.WebSearchSpec{Provider: "brave"})
+		require.True(t, ok)
+		assert.Equal(t, "api.search.brave.com", route.Domain)
+		assert.Equal(t, "api_key", route.Injector)
+		assert.Equal(t, "X-Subscription-Token", route.Header)
+		assert.Equal(t, "CRED_WEBSEARCH", route.EnvVar)
+	})
+
+	t.Run("tavily returns correct route", func(t *testing.T) {
+		route, ok := webSearchRoute(&clawv1alpha1.WebSearchSpec{Provider: "tavily"})
+		require.True(t, ok)
+		assert.Equal(t, "api.tavily.com", route.Domain)
+		assert.Equal(t, "bearer", route.Injector)
+		assert.Equal(t, "CRED_WEBSEARCH", route.EnvVar)
+		assert.Empty(t, route.Header)
+	})
+
+	t.Run("duckduckgo returns passthrough route", func(t *testing.T) {
+		route, ok := webSearchRoute(&clawv1alpha1.WebSearchSpec{Provider: "duckduckgo"})
+		require.True(t, ok)
+		assert.Equal(t, "html.duckduckgo.com", route.Domain)
+		assert.Equal(t, "none", route.Injector)
+		assert.Empty(t, route.EnvVar)
+	})
+}
+
+func TestClawReferencesSecretWebSearch(t *testing.T) {
+	t.Run("matches web search secret", func(t *testing.T) {
+		instance := clawv1alpha1.Claw{
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{
+					Provider:  "brave",
+					SecretRef: &clawv1alpha1.SecretRefEntry{Name: "brave-search-key", Key: "api-key"},
+				},
+			},
+		}
+		assert.True(t, clawReferencesSecret(instance, "brave-search-key"))
+		assert.False(t, clawReferencesSecret(instance, "other-secret"))
+	})
+
+	t.Run("no match when webSearch is nil", func(t *testing.T) {
+		instance := clawv1alpha1.Claw{}
+		assert.False(t, clawReferencesSecret(instance, "anything"))
+	})
+
+	t.Run("no match when secretRef is nil", func(t *testing.T) {
+		instance := clawv1alpha1.Claw{
+			Spec: clawv1alpha1.ClawSpec{
+				WebSearch: &clawv1alpha1.WebSearchSpec{Provider: "duckduckgo"},
+			},
+		}
+		assert.False(t, clawReferencesSecret(instance, "anything"))
+	})
+}

From 8ef150467f38c7b8b999c3c15068f811bb77550b Mon Sep 17 00:00:00 2001
From: Alexey Kazakov <alkazako@redhat.com>
Date: Tue, 12 May 2026 17:52:06 -0700
Subject: [PATCH 2/3] fix: prevent duplicate routes when web search domain is
 already covered

- Move web search route insertion before MCP passthrough extraction
  and gate it with domainCovered() to skip when a credential or
  suffix-match already covers the domain
- Add tests for exact-match and suffix-match deduplication

Signed-off-by: Alexey Kazakov <alkazako@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
---
 internal/controller/claw_proxy.go           | 12 +++--
 internal/controller/claw_web_search_test.go | 51 +++++++++++++++++++++
 2 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/internal/controller/claw_proxy.go b/internal/controller/claw_proxy.go
index 1b05bc0..844aff3 100644
--- a/internal/controller/claw_proxy.go
+++ b/internal/controller/claw_proxy.go
@@ -123,6 +123,14 @@ func generateProxyConfig(
 		}
 	}
 
+	if wsRoute, ok := webSearchRoute(webSearch); ok {
+		wsDomain := strings.ToLower(wsRoute.Domain)
+		if !domainCovered(wsDomain, coveredDomains) {
+			coveredDomains[wsDomain] = true
+			exact = append(exact, wsRoute)
+		}
+	}
+
 	exact = append(exact, mcpPassthroughRoutes(mcpServers, coveredDomains)...)
 
 	for _, rc := range credentials {
@@ -217,10 +225,6 @@ func generateProxyConfig(
 		}
 	}
 
-	if route, ok := webSearchRoute(webSearch); ok {
-		exact = append(exact, route)
-	}
-
 	// Stable ordering: exact before suffix, alphabetical within each group.
 	// Within the same domain, routes with AllowedPaths sort before catch-all routes
 	// so the proxy's MatchRoute picks the specific route first.
diff --git a/internal/controller/claw_web_search_test.go b/internal/controller/claw_web_search_test.go
index 2617e50..59834f3 100644
--- a/internal/controller/claw_web_search_test.go
+++ b/internal/controller/claw_web_search_test.go
@@ -465,6 +465,57 @@ func TestGenerateProxyConfigWithWebSearch(t *testing.T) {
 			assert.NotEqual(t, "html.duckduckgo.com", route.Domain)
 		}
 	})
+
+	t.Run("skips web search route when credential already covers domain", func(t *testing.T) {
+		creds := []resolvedCredential{{
+			CredentialSpec: clawv1alpha1.CredentialSpec{
+				Name:   "brave-cred",
+				Domain: "api.search.brave.com",
+				Type:   clawv1alpha1.CredentialTypeBearer,
+			},
+		}}
+		ws := &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+		}
+		data, err := generateProxyConfig(creds, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		var count int
+		for _, route := range cfg.Routes {
+			if route.Domain == "api.search.brave.com" {
+				count++
+			}
+		}
+		assert.Equal(t, 1, count, "domain should appear exactly once (from credential, not web search)")
+	})
+
+	t.Run("skips web search route when suffix credential covers domain", func(t *testing.T) {
+		creds := []resolvedCredential{{
+			CredentialSpec: clawv1alpha1.CredentialSpec{
+				Name:   "brave-wildcard",
+				Domain: ".brave.com",
+				Type:   clawv1alpha1.CredentialTypeBearer,
+			},
+		}}
+		ws := &clawv1alpha1.WebSearchSpec{
+			Provider:  "brave",
+			SecretRef: &clawv1alpha1.SecretRefEntry{Name: "s", Key: "k"},
+		}
+		data, err := generateProxyConfig(creds, nil, ws)
+		require.NoError(t, err)
+
+		var cfg proxyConfig
+		require.NoError(t, json.Unmarshal(data, &cfg))
+
+		for _, route := range cfg.Routes {
+			assert.NotEqual(t, "api.search.brave.com", route.Domain,
+				"web search route should be skipped when suffix credential covers the domain")
+		}
+	})
 }
 
 func TestConfigureProxyForWebSearch(t *testing.T) {

From 027fcee48ceabca003612b197e53c798b8f23642 Mon Sep 17 00:00:00 2001
From: Alexey Kazakov <alkazako@redhat.com>
Date: Tue, 12 May 2026 17:57:44 -0700
Subject: [PATCH 3/3] test: harden web search ConfigMap injection assertions

- Guard type assertions in tavily and gemini subtests with require
  to produce clear failures instead of panics
- Replace brittle "no plugins block" assertion in duckduckgo test
  with a targeted check that duckduckgo has no plugin entry

Signed-off-by: Alexey Kazakov <alkazako@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
---
 internal/controller/claw_web_search_test.go | 57 ++++++++++++++-------
 1 file changed, 38 insertions(+), 19 deletions(-)

diff --git a/internal/controller/claw_web_search_test.go b/internal/controller/claw_web_search_test.go
index 59834f3..3dfeb1d 100644
--- a/internal/controller/claw_web_search_test.go
+++ b/internal/controller/claw_web_search_test.go
@@ -288,11 +288,16 @@ func TestInjectWebSearchIntoConfigMap(t *testing.T) {
 		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
 
 		config := extractOperatorJSON(t, objects, instance.Name)
-		plugins := config["plugins"].(map[string]any)
-		entries := plugins["entries"].(map[string]any)
-		tavilyEntry := entries["tavily"].(map[string]any)
-		tavilyConfig := tavilyEntry["config"].(map[string]any)
-		webSearch := tavilyConfig["webSearch"].(map[string]any)
+		plugins, ok := config["plugins"].(map[string]any)
+		require.True(t, ok, "plugins should be present")
+		entries, ok := plugins["entries"].(map[string]any)
+		require.True(t, ok, "plugins.entries should be present")
+		tavilyEntry, ok := entries["tavily"].(map[string]any)
+		require.True(t, ok, "plugins.entries.tavily should be present")
+		tavilyConfig, ok := tavilyEntry["config"].(map[string]any)
+		require.True(t, ok, "plugins.entries.tavily.config should be present")
+		webSearch, ok := tavilyConfig["webSearch"].(map[string]any)
+		require.True(t, ok, "plugins.entries.tavily.config.webSearch should be present")
 		assert.Equal(t, placeholderAPIKey, webSearch["apiKey"])
 		assert.Equal(t, float64(10), webSearch["maxResults"])
 	})
@@ -313,14 +318,20 @@ func TestInjectWebSearchIntoConfigMap(t *testing.T) {
 		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
 
 		config := extractOperatorJSON(t, objects, instance.Name)
-		tools := config["tools"].(map[string]any)
-		web := tools["web"].(map[string]any)
-		search := web["search"].(map[string]any)
+		tools, ok := config["tools"].(map[string]any)
+		require.True(t, ok, "tools should be present")
+		web, ok := tools["web"].(map[string]any)
+		require.True(t, ok, "tools.web should be present")
+		search, ok := web["search"].(map[string]any)
+		require.True(t, ok, "tools.web.search should be present")
 		assert.Equal(t, "duckduckgo", search["provider"])
 
-		// No plugin entry for duckduckgo (key-free)
-		_, hasPlugins := config["plugins"]
-		assert.False(t, hasPlugins)
+		plugins, _ := config["plugins"].(map[string]any)
+		if plugins != nil {
+			entries, _ := plugins["entries"].(map[string]any)
+			_, hasDDG := entries["duckduckgo"]
+			assert.False(t, hasDDG, "duckduckgo should not have a plugin entry")
+		}
 	})
 
 	t.Run("gemini sets search provider under google plugin entry", func(t *testing.T) {
@@ -340,16 +351,24 @@ func TestInjectWebSearchIntoConfigMap(t *testing.T) {
 		require.NoError(t, injectWebSearchIntoConfigMap(objects, instance))
 
 		config := extractOperatorJSON(t, objects, instance.Name)
-		tools := config["tools"].(map[string]any)
-		web := tools["web"].(map[string]any)
-		search := web["search"].(map[string]any)
+		tools, ok := config["tools"].(map[string]any)
+		require.True(t, ok, "tools should be present")
+		web, ok := tools["web"].(map[string]any)
+		require.True(t, ok, "tools.web should be present")
+		search, ok := web["search"].(map[string]any)
+		require.True(t, ok, "tools.web.search should be present")
 		assert.Equal(t, "gemini", search["provider"])
 
-		plugins := config["plugins"].(map[string]any)
-		entries := plugins["entries"].(map[string]any)
-		googleEntry := entries["google"].(map[string]any)
-		googleConfig := googleEntry["config"].(map[string]any)
-		webSearch := googleConfig["webSearch"].(map[string]any)
+		plugins, ok := config["plugins"].(map[string]any)
+		require.True(t, ok, "plugins should be present")
+		entries, ok := plugins["entries"].(map[string]any)
+		require.True(t, ok, "plugins.entries should be present")
+		googleEntry, ok := entries["google"].(map[string]any)
+		require.True(t, ok, "plugins.entries.google should be present")
+		googleConfig, ok := googleEntry["config"].(map[string]any)
+		require.True(t, ok, "plugins.entries.google.config should be present")
+		webSearch, ok := googleConfig["webSearch"].(map[string]any)
+		require.True(t, ok, "plugins.entries.google.config.webSearch should be present")
 		assert.Equal(t, "gemini-2.0-flash", webSearch["model"])
 		_, hasAPIKey := webSearch["apiKey"]
 		assert.False(t, hasAPIKey, "gemini should not have placeholder apiKey")