fix(secrets): harden plan target paths and ref-only auth profiles

2026-05-08 01:01:23 +00:00 · 2026-02-26 14:25:01 +01:00
parent 485cd0c512
commit 820d614757
6 changed files with 258 additions and 21 deletions
--- a/src/agents/models-config.providers.ts
+++ b/src/agents/models-config.providers.ts
@@ -1,5 +1,6 @@
 import type { OpenClawConfig } from "../config/config.js";
 import type { ModelDefinitionConfig } from "../config/types.models.js";
+import { coerceSecretRef } from "../config/types.secrets.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import {
  DEFAULT_COPILOT_API_BASE_URL,
@@ -357,10 +358,24 @@ function resolveApiKeyFromProfiles(params: {
      continue;
    }
    if (cred.type === "api_key") {
-      return cred.key;
+      if (cred.key?.trim()) {
+        return cred.key;
+      }
+      const keyRef = coerceSecretRef(cred.keyRef);
+      if (keyRef?.source === "env" && keyRef.id.trim()) {
+        return keyRef.id.trim();
+      }
+      continue;
    }
    if (cred.type === "token") {
-      return cred.token;
+      if (cred.token?.trim()) {
+        return cred.token;
+      }
+      const tokenRef = coerceSecretRef(cred.tokenRef);
+      if (tokenRef?.source === "env" && tokenRef.id.trim()) {
+        return tokenRef.id.trim();
+      }
+      continue;
    }
  }
  return undefined;
@@ -1017,7 +1032,13 @@ export async function resolveImplicitCopilotProvider(params: {
    const profileId = listProfilesForProvider(authStore, "github-copilot")[0];
    const profile = profileId ? authStore.profiles[profileId] : undefined;
    if (profile && profile.type === "token") {
-      selectedGithubToken = profile.token;
+      selectedGithubToken = profile.token?.trim() ?? "";
+      if (!selectedGithubToken) {
+        const tokenRef = coerceSecretRef(profile.tokenRef);
+        if (tokenRef?.source === "env" && tokenRef.id.trim()) {
+          selectedGithubToken = (env[tokenRef.id] ?? process.env[tokenRef.id] ?? "").trim();
+        }
+      }
    }
  }

--- a/src/agents/models-config.providers.volcengine-byteplus.test.ts
+++ b/src/agents/models-config.providers.volcengine-byteplus.test.ts
@@ -3,6 +3,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { describe, expect, it } from "vitest";
 import { captureEnv } from "../test-utils/env.js";
+import { upsertAuthProfile } from "./auth-profiles.js";
 import { resolveImplicitProviders } from "./models-config.providers.js";

 describe("Volcengine and BytePlus providers", () => {
@@ -37,4 +38,40 @@ describe("Volcengine and BytePlus providers", () => {
      envSnapshot.restore();
    }
  });
+
+  it("includes providers when auth profiles are env keyRef-only", async () => {
+    const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-"));
+    const envSnapshot = captureEnv(["VOLCANO_ENGINE_API_KEY", "BYTEPLUS_API_KEY"]);
+    delete process.env.VOLCANO_ENGINE_API_KEY;
+    delete process.env.BYTEPLUS_API_KEY;
+
+    upsertAuthProfile({
+      profileId: "volcengine:default",
+      credential: {
+        type: "api_key",
+        provider: "volcengine",
+        keyRef: { source: "env", provider: "default", id: "VOLCANO_ENGINE_API_KEY" },
+      },
+      agentDir,
+    });
+    upsertAuthProfile({
+      profileId: "byteplus:default",
+      credential: {
+        type: "api_key",
+        provider: "byteplus",
+        keyRef: { source: "env", provider: "default", id: "BYTEPLUS_API_KEY" },
+      },
+      agentDir,
+    });
+
+    try {
+      const providers = await resolveImplicitProviders({ agentDir });
+      expect(providers?.volcengine?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
+      expect(providers?.["volcengine-plan"]?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
+      expect(providers?.byteplus?.apiKey).toBe("BYTEPLUS_API_KEY");
+      expect(providers?.["byteplus-plan"]?.apiKey).toBe("BYTEPLUS_API_KEY");
+    } finally {
+      envSnapshot.restore();
+    }
+  });
 });
--- a/src/agents/models-config.uses-first-github-copilot-profile-env-tokens.test.ts
+++ b/src/agents/models-config.uses-first-github-copilot-profile-env-tokens.test.ts
@@ -76,4 +76,38 @@ describe("models-config", () => {
      });
    });
  });
+
+  it("uses tokenRef env var when github-copilot profile omits plaintext token", async () => {
+    await withTempHome(async (home) => {
+      await withUnsetCopilotTokenEnv(async () => {
+        const fetchMock = mockCopilotTokenExchangeSuccess();
+        const agentDir = path.join(home, "agent-profiles");
+        await fs.mkdir(agentDir, { recursive: true });
+        process.env.COPILOT_REF_TOKEN = "token-from-ref-env";
+        await fs.writeFile(
+          path.join(agentDir, "auth-profiles.json"),
+          JSON.stringify(
+            {
+              version: 1,
+              profiles: {
+                "github-copilot:default": {
+                  type: "token",
+                  provider: "github-copilot",
+                  tokenRef: { source: "env", provider: "default", id: "COPILOT_REF_TOKEN" },
+                },
+              },
+            },
+            null,
+            2,
+          ),
+        );
+
+        await ensureOpenClawModelsJson({ models: { providers: {} } }, agentDir);
+
+        const [, opts] = fetchMock.mock.calls[0] as [string, { headers?: Record<string, string> }];
+        expect(opts?.headers?.Authorization).toBe("Bearer token-from-ref-env");
+        delete process.env.COPILOT_REF_TOKEN;
+      });
+    });
+  });
 });