fix(secrets): harden plan target paths and ref-only auth profiles

src/secrets/apply.test.ts

@@ -320,6 +320,49 @@ describe("secrets apply", () => {
     expect(rawConfig).not.toContain("sk-skill-plaintext");
   });
 
+  it("rejects plan targets that do not match allowed secret-bearing paths", async () => {
+    const plan: SecretsApplyPlan = {
+      version: 1,
+      protocolVersion: 1,
+      generatedAt: new Date().toISOString(),
+      generatedBy: "manual",
+      targets: [
+        {
+          type: "models.providers.apiKey",
+          path: "models.providers.openai.baseUrl",
+          pathSegments: ["models", "providers", "openai", "baseUrl"],
+          providerId: "openai",
+          ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
+        },
+      ],
+    };
+
+    await expect(runSecretsApply({ plan, env, write: false })).rejects.toThrow(
+      "Invalid plan target path",
+    );
+  });
+
+  it("rejects plan targets with forbidden prototype-like path segments", async () => {
+    const plan: SecretsApplyPlan = {
+      version: 1,
+      protocolVersion: 1,
+      generatedAt: new Date().toISOString(),
+      generatedBy: "manual",
+      targets: [
+        {
+          type: "skills.entries.apiKey",
+          path: "skills.entries.__proto__.apiKey",
+          pathSegments: ["skills", "entries", "__proto__", "apiKey"],
+          ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
+        },
+      ],
+    };
+
+    await expect(runSecretsApply({ plan, env, write: false })).rejects.toThrow(
+      "Invalid plan target path",
+    );
+  });
+
   it("applies provider upserts and deletes from plan", async () => {
     await fs.writeFile(
       configPath,

src/secrets/apply.ts

@@ -15,6 +15,7 @@ import {
   type SecretsApplyPlan,
   type SecretsPlanTarget,
   normalizeSecretsPlanOptions,
+  resolveValidatedTargetPathSegments,
 } from "./plan.js";
 import { listKnownSecretEnvVarNames } from "./provider-env-vars.js";
 import { resolveSecretRefValue } from "./resolve.js";
@@ -52,10 +53,6 @@ export type SecretsApplyResult = {
   warnings: string[];
 };
 
-function parseDotPath(pathname: string): string[] {
-  return pathname.split(".").filter(Boolean);
-}
-
 function getByPathSegments(root: unknown, segments: string[]): unknown {
   if (segments.length === 0) {
     return undefined;
@@ -114,15 +111,11 @@ function deleteByPathSegments(root: OpenClawConfig, segments: string[]): boolean
 }
 
 function resolveTargetPathSegments(target: SecretsPlanTarget): string[] {
-  const explicit = target.pathSegments;
-  if (
-    Array.isArray(explicit) &&
-    explicit.length > 0 &&
-    explicit.every((segment) => typeof segment === "string" && segment.trim().length > 0)
-  ) {
-    return [...explicit];
+  const resolved = resolveValidatedTargetPathSegments(target);
+  if (!resolved) {
+    throw new Error(`Invalid plan target path for ${target.type}: ${target.path}`);
   }
-  return parseDotPath(target.path);
+  return resolved;
 }
 
 function parseEnvValue(raw: string): string {

src/secrets/plan.ts

@@ -45,6 +45,15 @@ export type SecretsApplyPlan = {
 };
 
 const PROVIDER_ALIAS_PATTERN = /^[a-z][a-z0-9_-]{0,63}$/;
+const FORBIDDEN_PATH_SEGMENTS = new Set(["__proto__", "prototype", "constructor"]);
+
+function isSecretsPlanTargetType(value: unknown): value is SecretsPlanTargetType {
+  return (
+    value === "models.providers.apiKey" ||
+    value === "skills.entries.apiKey" ||
+    value === "channels.googlechat.serviceAccount"
+  );
+}
 
 function isObjectRecord(value: unknown): value is Record<string, unknown> {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -54,6 +63,104 @@ function isSecretProviderConfigShape(value: unknown): value is SecretProviderCon
   return SecretProviderSchema.safeParse(value).success;
 }
 
+function parseDotPath(pathname: string): string[] {
+  return pathname
+    .split(".")
+    .map((segment) => segment.trim())
+    .filter((segment) => segment.length > 0);
+}
+
+function hasForbiddenPathSegment(segments: string[]): boolean {
+  return segments.some((segment) => FORBIDDEN_PATH_SEGMENTS.has(segment));
+}
+
+function hasMatchingPathShape(
+  candidate: Pick<SecretsPlanTarget, "type" | "providerId" | "accountId">,
+  segments: string[],
+): boolean {
+  if (candidate.type === "models.providers.apiKey") {
+    if (
+      segments.length !== 4 ||
+      segments[0] !== "models" ||
+      segments[1] !== "providers" ||
+      segments[3] !== "apiKey"
+    ) {
+      return false;
+    }
+    return (
+      candidate.providerId === undefined ||
+      candidate.providerId.trim().length === 0 ||
+      candidate.providerId === segments[2]
+    );
+  }
+  if (candidate.type === "skills.entries.apiKey") {
+    return (
+      segments.length === 4 &&
+      segments[0] === "skills" &&
+      segments[1] === "entries" &&
+      segments[3] === "apiKey"
+    );
+  }
+  if (
+    segments.length === 3 &&
+    segments[0] === "channels" &&
+    segments[1] === "googlechat" &&
+    segments[2] === "serviceAccount"
+  ) {
+    return candidate.accountId === undefined || candidate.accountId.trim().length === 0;
+  }
+  if (
+    segments.length === 5 &&
+    segments[0] === "channels" &&
+    segments[1] === "googlechat" &&
+    segments[2] === "accounts" &&
+    segments[4] === "serviceAccount"
+  ) {
+    return (
+      candidate.accountId === undefined ||
+      candidate.accountId.trim().length === 0 ||
+      candidate.accountId === segments[3]
+    );
+  }
+  return false;
+}
+
+export function resolveValidatedTargetPathSegments(candidate: {
+  type?: SecretsPlanTargetType;
+  path?: string;
+  pathSegments?: string[];
+  providerId?: string;
+  accountId?: string;
+}): string[] | null {
+  if (!isSecretsPlanTargetType(candidate.type)) {
+    return null;
+  }
+  const path = typeof candidate.path === "string" ? candidate.path.trim() : "";
+  if (!path) {
+    return null;
+  }
+  const segments =
+    Array.isArray(candidate.pathSegments) && candidate.pathSegments.length > 0
+      ? candidate.pathSegments.map((segment) => String(segment).trim()).filter(Boolean)
+      : parseDotPath(path);
+  if (
+    segments.length === 0 ||
+    hasForbiddenPathSegment(segments) ||
+    path !== segments.join(".") ||
+    !hasMatchingPathShape(
+      {
+        type: candidate.type,
+        providerId: candidate.providerId,
+        accountId: candidate.accountId,
+      },
+      segments,
+    )
+  ) {
+    return null;
+  }
+  return segments;
+}
+
 export function isSecretsApplyPlan(value: unknown): value is SecretsApplyPlan {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return false;
@@ -74,12 +181,14 @@ export function isSecretsApplyPlan(value: unknown): value is SecretsApplyPlan {
         candidate.type !== "channels.googlechat.serviceAccount") ||
       typeof candidate.path !== "string" ||
       !candidate.path.trim() ||
-      (candidate.pathSegments !== undefined &&
-        (!Array.isArray(candidate.pathSegments) ||
-          candidate.pathSegments.length === 0 ||
-          candidate.pathSegments.some(
-            (segment) => typeof segment !== "string" || segment.trim().length === 0,
-          ))) ||
+      (candidate.pathSegments !== undefined && !Array.isArray(candidate.pathSegments)) ||
+      !resolveValidatedTargetPathSegments({
+        type: candidate.type,
+        path: candidate.path,
+        pathSegments: candidate.pathSegments,
+        providerId: candidate.providerId,
+        accountId: candidate.accountId,
+      }) ||
       !ref ||
       typeof ref !== "object" ||
       (ref.source !== "env" && ref.source !== "file" && ref.source !== "exec") ||