CLI: make read-only SecretRef status flows degrade safely (#37023)

* CLI: add read-only SecretRef inspection * CLI: fix read-only SecretRef status regressions * CLI: preserve read-only SecretRef status fallbacks * Docs: document read-only channel inspection hook * CLI: preserve audit coverage for read-only SecretRefs * CLI: fix read-only status account selection * CLI: fix targeted gateway fallback analysis * CLI: fix Slack HTTP read-only inspection * CLI: align audit credential status checks * CLI: restore Telegram read-only fallback semantics
2026-05-11 21:03:43 +00:00 · 2026-03-05 23:07:13 -06:00
parent 8d4a2f2c59
commit 0e4245063f
58 changed files with 3422 additions and 215 deletions
--- a/src/secrets/command-config.ts
+++ b/src/secrets/command-config.ts
@@ -15,18 +15,35 @@ export type ResolveAssignmentsFromSnapshotResult = {
  diagnostics: string[];
 };

-export function collectCommandSecretAssignmentsFromSnapshot(params: {
+export type UnresolvedCommandSecretAssignment = {
+  path: string;
+  pathSegments: string[];
+};
+
+export type AnalyzeAssignmentsFromSnapshotResult = {
+  assignments: CommandSecretAssignment[];
+  diagnostics: string[];
+  unresolved: UnresolvedCommandSecretAssignment[];
+  inactive: UnresolvedCommandSecretAssignment[];
+};
+
+export function analyzeCommandSecretAssignmentsFromSnapshot(params: {
  sourceConfig: OpenClawConfig;
  resolvedConfig: OpenClawConfig;
-  commandName: string;
  targetIds: ReadonlySet<string>;
  inactiveRefPaths?: ReadonlySet<string>;
-}): ResolveAssignmentsFromSnapshotResult {
+  allowedPaths?: ReadonlySet<string>;
+}): AnalyzeAssignmentsFromSnapshotResult {
  const defaults = params.sourceConfig.secrets?.defaults;
  const assignments: CommandSecretAssignment[] = [];
  const diagnostics: string[] = [];
+  const unresolved: UnresolvedCommandSecretAssignment[] = [];
+  const inactive: UnresolvedCommandSecretAssignment[] = [];

  for (const target of discoverConfigSecretTargetsByIds(params.sourceConfig, params.targetIds)) {
+    if (params.allowedPaths && !params.allowedPaths.has(target.path)) {
+      continue;
+    }
    const { explicitRef, ref } = resolveSecretInputRef({
      value: target.value,
      refValue: target.refValue,
@@ -43,11 +60,17 @@ export function collectCommandSecretAssignmentsFromSnapshot(params: {
        diagnostics.push(
          `${target.path}: secret ref is configured on an inactive surface; skipping command-time assignment.`,
        );
+        inactive.push({
+          path: target.path,
+          pathSegments: [...target.pathSegments],
+        });
        continue;
      }
-      throw new Error(
-        `${params.commandName}: ${target.path} is unresolved in the active runtime snapshot.`,
-      );
+      unresolved.push({
+        path: target.path,
+        pathSegments: [...target.pathSegments],
+      });
+      continue;
    }

    assignments.push({
@@ -63,5 +86,31 @@ export function collectCommandSecretAssignmentsFromSnapshot(params: {
    }
  }

-  return { assignments, diagnostics };
+  return { assignments, diagnostics, unresolved, inactive };
+}
+
+export function collectCommandSecretAssignmentsFromSnapshot(params: {
+  sourceConfig: OpenClawConfig;
+  resolvedConfig: OpenClawConfig;
+  commandName: string;
+  targetIds: ReadonlySet<string>;
+  inactiveRefPaths?: ReadonlySet<string>;
+  allowedPaths?: ReadonlySet<string>;
+}): ResolveAssignmentsFromSnapshotResult {
+  const analyzed = analyzeCommandSecretAssignmentsFromSnapshot({
+    sourceConfig: params.sourceConfig,
+    resolvedConfig: params.resolvedConfig,
+    targetIds: params.targetIds,
+    inactiveRefPaths: params.inactiveRefPaths,
+    allowedPaths: params.allowedPaths,
+  });
+  if (analyzed.unresolved.length > 0) {
+    throw new Error(
+      `${params.commandName}: ${analyzed.unresolved[0]?.path ?? "target"} is unresolved in the active runtime snapshot.`,
+    );
+  }
+  return {
+    assignments: analyzed.assignments,
+    diagnostics: analyzed.diagnostics,
+  };
 }