feat(security): add provider-based external secrets management

joshavant
2026-02-25 17:39:31 -06:00
committed by Peter Steinberger
parent bb60cab76d
commit 4e7a833a24
35 changed files with 1779 additions and 669 deletions


@@ -4,7 +4,12 @@ import type { OAuthCredentials } from "@mariozechner/pi-ai";
import { resolveOpenClawAgentDir } from "../agents/agent-paths.js";
import { upsertAuthProfile } from "../agents/auth-profiles.js";
import { resolveStateDir } from "../config/paths.js";
import { isSecretRef, type SecretInput, type SecretRef } from "../config/types.secrets.js";
import {
coerceSecretRef,
DEFAULT_SECRET_PROVIDER_ALIAS,
type SecretInput,
type SecretRef,
} from "../config/types.secrets.js";
import { KILOCODE_DEFAULT_MODEL_REF } from "../providers/kilocode-shared.js";
import { PROVIDER_ENV_VARS } from "../secrets/provider-env-vars.js";
import { normalizeSecretInput } from "../utils/normalize-secret-input.js";
@@ -22,7 +27,7 @@ export type ApiKeyStorageOptions = {
};
function buildEnvSecretRef(id: string): SecretRef {
return { source: "env", id };
return { source: "env", provider: DEFAULT_SECRET_PROVIDER_ALIAS, id };
}
function parseEnvSecretRef(value: string): SecretRef | null {
@@ -49,8 +54,9 @@ function resolveApiKeySecretInput(
input: SecretInput,
options?: ApiKeyStorageOptions,
): SecretInput {
if (isSecretRef(input)) {
return input;
const coercedRef = coerceSecretRef(input);
if (coercedRef) {
return coercedRef;
}
const normalized = normalizeSecretInput(input);
const inlineEnvRef = parseEnvSecretRef(normalized);
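Review bot: In `resolveApiKeySecretInput`, the early return now hands back whatever `coerceSecretRef(input)` builds, so which inputs count as a reference rather than a literal key is decided by a helper that is not visible in this hunk. If that helper accepts looser shapes than `isSecretRef` did (for example a legacy `{ source, id }` object without `provider`), a value the caller meant as a plaintext key could be stored as a ref and later resolved against a provider. A unit test pinning a plain string key and a provider-less ref to their expected results would make that boundary explicit. Once the behaviour is confirmed, I would add a comment above the call such as `// Legacy refs without a provider are coerced to the default alias; plain strings fall through to normalization`. `buildEnvSecretRef` in the previous hunk bakes in the same `DEFAULT_SECRET_PROVIDER_ALIAS` assumption and deserves a one-line comment too; the body of `resolveApiKeySecretInput` continues outside the hunk.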