mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-11 13:21:41 +00:00
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580)
* feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Josh Avant
@@ -1,6 +1,6 @@
|
||||
import { loadConfig } from "../../config/config.js";
|
||||
import { logConfigUpdated } from "../../config/logging.js";
|
||||
import type { RuntimeEnv } from "../../runtime.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import {
|
||||
ensureFlagCompatibility,
|
||||
normalizeAlias,
|
||||
@@ -13,7 +13,7 @@ export async function modelsAliasesListCommand(
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
ensureFlagCompatibility(opts);
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: "models aliases list", runtime });
|
||||
const models = cfg.agents?.defaults?.models ?? {};
|
||||
const aliases = Object.entries(models).reduce<Record<string, string>>(
|
||||
(acc, [modelKey, entry]) => {
|
||||
@@ -53,7 +53,8 @@ export async function modelsAliasesAddCommand(
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const alias = normalizeAlias(aliasRaw);
|
||||
const resolved = resolveModelTarget({ raw: modelRaw, cfg: loadConfig() });
|
||||
const cfg = await loadModelsConfig({ commandName: "models aliases add", runtime });
|
||||
const resolved = resolveModelTarget({ raw: modelRaw, cfg });
|
||||
const _updated = await updateConfig((cfg) => {
|
||||
const modelKey = `${resolved.provider}/${resolved.model}`;
|
||||
const nextModels = { ...cfg.agents?.defaults?.models };
|
||||
|
||||
@@ -5,13 +5,13 @@ import {
|
||||
setAuthProfileOrder,
|
||||
} from "../../agents/auth-profiles.js";
|
||||
import { normalizeProviderId } from "../../agents/model-selection.js";
|
||||
import { loadConfig } from "../../config/config.js";
|
||||
import type { RuntimeEnv } from "../../runtime.js";
|
||||
import { shortenHomePath } from "../../utils.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import { resolveKnownAgentId } from "./shared.js";
|
||||
|
||||
function resolveTargetAgent(
|
||||
cfg: ReturnType<typeof loadConfig>,
|
||||
cfg: Awaited<ReturnType<typeof loadModelsConfig>>,
|
||||
raw?: string,
|
||||
): {
|
||||
agentId: string;
|
||||
@@ -28,13 +28,16 @@ function describeOrder(store: AuthProfileStore, provider: string): string[] {
|
||||
return Array.isArray(order) ? order : [];
|
||||
}
|
||||
|
||||
function resolveAuthOrderContext(opts: { provider: string; agent?: string }) {
|
||||
async function resolveAuthOrderContext(
|
||||
opts: { provider: string; agent?: string },
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const rawProvider = opts.provider?.trim();
|
||||
if (!rawProvider) {
|
||||
throw new Error("Missing --provider.");
|
||||
}
|
||||
const provider = normalizeProviderId(rawProvider);
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: "models auth-order", runtime });
|
||||
const { agentId, agentDir } = resolveTargetAgent(cfg, opts.agent);
|
||||
return { cfg, agentId, agentDir, provider };
|
||||
}
|
||||
@@ -43,7 +46,7 @@ export async function modelsAuthOrderGetCommand(
|
||||
opts: { provider: string; agent?: string; json?: boolean },
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const { agentId, agentDir, provider } = resolveAuthOrderContext(opts);
|
||||
const { agentId, agentDir, provider } = await resolveAuthOrderContext(opts, runtime);
|
||||
const store = ensureAuthProfileStore(agentDir, {
|
||||
allowKeychainPrompt: false,
|
||||
});
|
||||
@@ -76,7 +79,7 @@ export async function modelsAuthOrderClearCommand(
|
||||
opts: { provider: string; agent?: string },
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const { agentId, agentDir, provider } = resolveAuthOrderContext(opts);
|
||||
const { agentId, agentDir, provider } = await resolveAuthOrderContext(opts, runtime);
|
||||
const updated = await setAuthProfileOrder({
|
||||
agentDir,
|
||||
provider,
|
||||
@@ -95,7 +98,7 @@ export async function modelsAuthOrderSetCommand(
|
||||
opts: { provider: string; agent?: string; order: string[] },
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
const { agentId, agentDir, provider } = resolveAuthOrderContext(opts);
|
||||
const { agentId, agentDir, provider } = await resolveAuthOrderContext(opts, runtime);
|
||||
|
||||
const store = ensureAuthProfileStore(agentDir, {
|
||||
allowKeychainPrompt: false,
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import { buildModelAliasIndex, resolveModelRefFromString } from "../../agents/model-selection.js";
|
||||
import type { OpenClawConfig } from "../../config/config.js";
|
||||
import { loadConfig } from "../../config/config.js";
|
||||
import { logConfigUpdated } from "../../config/logging.js";
|
||||
import { resolveAgentModelFallbackValues, toAgentModelListLike } from "../../config/model-input.js";
|
||||
import type { RuntimeEnv } from "../../runtime.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import {
|
||||
DEFAULT_PROVIDER,
|
||||
ensureFlagCompatibility,
|
||||
@@ -44,7 +44,7 @@ export async function listFallbacksCommand(
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
ensureFlagCompatibility(opts);
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: `models ${params.key} list`, runtime });
|
||||
const fallbacks = getFallbacks(cfg, params.key);
|
||||
|
||||
if (opts.json) {
|
||||
|
||||
@@ -8,6 +8,7 @@ import { formatErrorWithStack } from "./list.errors.js";
|
||||
import { loadModelRegistry, toModelRow } from "./list.registry.js";
|
||||
import { printModelTable } from "./list.table.js";
|
||||
import type { ModelRow } from "./list.types.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import { DEFAULT_PROVIDER, ensureFlagCompatibility, isLocalBaseUrl, modelKey } from "./shared.js";
|
||||
|
||||
export async function modelsListCommand(
|
||||
@@ -21,9 +22,8 @@ export async function modelsListCommand(
|
||||
runtime: RuntimeEnv,
|
||||
) {
|
||||
ensureFlagCompatibility(opts);
|
||||
const { loadConfig } = await import("../../config/config.js");
|
||||
const { ensureAuthProfileStore } = await import("../../agents/auth-profiles.js");
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: "models list", runtime });
|
||||
const authStore = ensureAuthProfileStore();
|
||||
const providerFilter = (() => {
|
||||
const raw = opts.provider?.trim();
|
||||
|
||||
@@ -25,7 +25,7 @@ import {
|
||||
} from "../../agents/model-selection.js";
|
||||
import { formatCliCommand } from "../../cli/command-format.js";
|
||||
import { withProgressTotals } from "../../cli/progress.js";
|
||||
import { CONFIG_PATH, loadConfig } from "../../config/config.js";
|
||||
import { CONFIG_PATH } from "../../config/config.js";
|
||||
import {
|
||||
resolveAgentModelFallbackValues,
|
||||
resolveAgentModelPrimaryValue,
|
||||
@@ -50,6 +50,7 @@ import {
|
||||
sortProbeResults,
|
||||
type AuthProbeSummary,
|
||||
} from "./list.probe.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import {
|
||||
DEFAULT_MODEL,
|
||||
DEFAULT_PROVIDER,
|
||||
@@ -76,7 +77,7 @@ export async function modelsStatusCommand(
|
||||
if (opts.plain && opts.probe) {
|
||||
throw new Error("--probe cannot be used with --plain output.");
|
||||
}
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: "models status", runtime });
|
||||
const agentId = resolveKnownAgentId({ cfg, rawAgentId: opts.agent });
|
||||
const agentDir = agentId ? resolveAgentDir(cfg, agentId) : resolveOpenClawAgentDir();
|
||||
const agentModelPrimary = agentId ? resolveAgentExplicitModelPrimary(cfg, agentId) : undefined;
|
||||
|
||||
22
src/commands/models/load-config.ts
Normal file
22
src/commands/models/load-config.ts
Normal file
@@ -0,0 +1,22 @@
|
||||
import { resolveCommandSecretRefsViaGateway } from "../../cli/command-secret-gateway.js";
|
||||
import { getModelsCommandSecretTargetIds } from "../../cli/command-secret-targets.js";
|
||||
import { loadConfig, type OpenClawConfig } from "../../config/config.js";
|
||||
import type { RuntimeEnv } from "../../runtime.js";
|
||||
|
||||
export async function loadModelsConfig(params: {
|
||||
commandName: string;
|
||||
runtime?: RuntimeEnv;
|
||||
}): Promise<OpenClawConfig> {
|
||||
const loadedRaw = loadConfig();
|
||||
const { resolvedConfig, diagnostics } = await resolveCommandSecretRefsViaGateway({
|
||||
config: loadedRaw,
|
||||
commandName: params.commandName,
|
||||
targetIds: getModelsCommandSecretTargetIds(),
|
||||
});
|
||||
if (params.runtime) {
|
||||
for (const entry of diagnostics) {
|
||||
params.runtime.log(`[secrets] ${entry}`);
|
||||
}
|
||||
}
|
||||
return resolvedConfig;
|
||||
}
|
||||
@@ -2,7 +2,6 @@ import { cancel, multiselect as clackMultiselect, isCancel } from "@clack/prompt
|
||||
import { resolveApiKeyForProvider } from "../../agents/model-auth.js";
|
||||
import { type ModelScanResult, scanOpenRouterModels } from "../../agents/model-scan.js";
|
||||
import { withProgressTotals } from "../../cli/progress.js";
|
||||
import { loadConfig } from "../../config/config.js";
|
||||
import { logConfigUpdated } from "../../config/logging.js";
|
||||
import { toAgentModelListLike } from "../../config/model-input.js";
|
||||
import type { RuntimeEnv } from "../../runtime.js";
|
||||
@@ -12,6 +11,7 @@ import {
|
||||
stylePromptTitle,
|
||||
} from "../../terminal/prompt-style.js";
|
||||
import { pad, truncate } from "./list.format.js";
|
||||
import { loadModelsConfig } from "./load-config.js";
|
||||
import { formatMs, formatTokenK, updateConfig } from "./shared.js";
|
||||
|
||||
const MODEL_PAD = 42;
|
||||
@@ -167,7 +167,7 @@ export async function modelsScanCommand(
|
||||
throw new Error("--concurrency must be > 0");
|
||||
}
|
||||
|
||||
const cfg = loadConfig();
|
||||
const cfg = await loadModelsConfig({ commandName: "models scan", runtime });
|
||||
const probe = opts.probe ?? true;
|
||||
let storedKey: string | undefined;
|
||||
if (probe) {
|
||||
|
||||
Reference in New Issue
Block a user