fix(secrets): harden plan target paths and ref-only auth profiles

2026-05-11 15:43:44 +00:00 · 2026-02-26 14:25:01 +01:00
parent 485cd0c512
commit 820d614757
6 changed files with 258 additions and 21 deletions
--- a/src/secrets/apply.ts
+++ b/src/secrets/apply.ts
@@ -15,6 +15,7 @@ import {
  type SecretsApplyPlan,
  type SecretsPlanTarget,
  normalizeSecretsPlanOptions,
+  resolveValidatedTargetPathSegments,
 } from "./plan.js";
 import { listKnownSecretEnvVarNames } from "./provider-env-vars.js";
 import { resolveSecretRefValue } from "./resolve.js";
@@ -52,10 +53,6 @@ export type SecretsApplyResult = {
  warnings: string[];
 };

-function parseDotPath(pathname: string): string[] {
-  return pathname.split(".").filter(Boolean);
-}
-
 function getByPathSegments(root: unknown, segments: string[]): unknown {
  if (segments.length === 0) {
    return undefined;
@@ -114,15 +111,11 @@ function deleteByPathSegments(root: OpenClawConfig, segments: string[]): boolean
 }

 function resolveTargetPathSegments(target: SecretsPlanTarget): string[] {
-  const explicit = target.pathSegments;
-  if (
-    Array.isArray(explicit) &&
-    explicit.length > 0 &&
-    explicit.every((segment) => typeof segment === "string" && segment.trim().length > 0)
-  ) {
-    return [...explicit];
+  const resolved = resolveValidatedTargetPathSegments(target);
+  if (!resolved) {
+    throw new Error(`Invalid plan target path for ${target.type}: ${target.path}`);
  }
-  return parseDotPath(target.path);
+  return resolved;
 }

 function parseEnvValue(raw: string): string {