feat(secrets): finalize external secrets runtime and migration hardening

This commit is contained in:
joshavant
2026-02-24 19:34:29 -06:00
committed by Peter Steinberger
parent c5b89fbaea
commit 0e69660c41
22 changed files with 442 additions and 38 deletions


@@ -2,7 +2,7 @@ import type { OpenClawConfig } from "../config/config.js";
import type { SecretRef } from "../config/types.secrets.js";
import { resolveUserPath } from "../utils.js";
import { readJsonPointer } from "./json-pointer.js";
import { isNonEmptyString, normalizePositiveInt } from "./shared.js";
import { isNonEmptyString, isRecord, normalizePositiveInt } from "./shared.js";
import { decryptSopsJsonFile, DEFAULT_SOPS_TIMEOUT_MS } from "./sops.js";
export type SecretRefResolveCache = {
@@ -39,6 +39,11 @@ async function resolveFileSecretPayload(options: ResolveSecretRefOptions): Promi
path: resolveUserPath(fileSource.path),
timeoutMs: normalizePositiveInt(fileSource.timeoutMs, DEFAULT_SOPS_TIMEOUT_MS),
missingBinaryMessage: options.missingBinaryMessage ?? DEFAULT_SOPS_MISSING_BINARY_MESSAGE,
}).then((payload) => {
if (!isRecord(payload)) {
throw new Error("sops decrypt failed: decrypted payload is not a JSON object");
}
return payload;
});
if (cache) {
cache.fileSecretsPromise = promise;