mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-08 07:21:23 +00:00
fix: decouple owner display secret from gateway auth token
@@ -11,6 +11,7 @@ import { buildTtsSystemPromptHint } from "../../tts/tts.js";
|
||||
import { isRecord } from "../../utils.js";
|
||||
import { buildModelAliasLines } from "../model-alias-lines.js";
|
||||
import { resolveDefaultModelForAgent } from "../model-selection.js";
|
||||
import { resolveOwnerDisplaySetting } from "../owner-display.js";
|
||||
import type { EmbeddedContextFile } from "../pi-embedded-helpers.js";
|
||||
import { detectRuntimeShell } from "../shell-utils.js";
|
||||
import { buildSystemPromptParams } from "../system-prompt-params.js";
|
||||
@@ -81,16 +82,14 @@ export function buildSystemPrompt(params: {
|
||||
},
|
||||
});
|
||||
const ttsHint = params.config ? buildTtsSystemPromptHint(params.config) : undefined;
|
||||
const ownerDisplay = resolveOwnerDisplaySetting(params.config);
|
||||
return buildAgentSystemPrompt({
|
||||
workspaceDir: params.workspaceDir,
|
||||
defaultThinkLevel: params.defaultThinkLevel,
|
||||
extraSystemPrompt: params.extraSystemPrompt,
|
||||
ownerNumbers: params.ownerNumbers,
|
||||
ownerDisplay: params.config?.commands?.ownerDisplay,
|
||||
ownerDisplaySecret:
|
||||
params.config?.commands?.ownerDisplaySecret ??
|
||||
params.config?.gateway?.auth?.token ??
|
||||
params.config?.gateway?.remote?.token,
|
||||
ownerDisplay: ownerDisplay.ownerDisplay,
|
||||
ownerDisplaySecret: ownerDisplay.ownerDisplaySecret,
|
||||
reasoningTagHint: false,
|
||||
heartbeatPrompt: params.heartbeatPrompt,
|
||||
docsPath: params.docsPath,
|
||||
|
||||
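--- a/src/agents/owner-display.test.ts
+++ b/src/agents/owner-display.test.ts
@@ -0,0 +1,78 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../config/config.js";
+import { ensureOwnerDisplaySecret, resolveOwnerDisplaySetting } from "./owner-display.js";
+
+describe("resolveOwnerDisplaySetting", () => {
+it("returns keyed hash settings when hash mode has an explicit secret", () => {
+const cfg = {
+commands: {
+ownerDisplay: "hash",
+ownerDisplaySecret: " owner-secret ",
+},
+} as OpenClawConfig;
+
+expect(resolveOwnerDisplaySetting(cfg)).toEqual({
+ownerDisplay: "hash",
+ownerDisplaySecret: "owner-secret",
+});
+});
+
+it("does not fall back to gateway tokens when hash secret is missing", () => {
+const cfg = {
+commands: {
+ownerDisplay: "hash",
+},
+gateway: {
+auth: { token: "gateway-auth-token" },
+remote: { token: "gateway-remote-token" },
+},
+} as OpenClawConfig;
+
+expect(resolveOwnerDisplaySetting(cfg)).toEqual({
+ownerDisplay: "hash",
+ownerDisplaySecret: undefined,
+});
+});
+
+it("disables owner hash secret when display mode is raw", () => {
+const cfg = {
+commands: {
+ownerDisplay: "raw",
+ownerDisplaySecret: "owner-secret",
+},
+} as OpenClawConfig;
+
+expect(resolveOwnerDisplaySetting(cfg)).toEqual({
+ownerDisplay: "raw",
+ownerDisplaySecret: undefined,
+});
+});
+});
+
+describe("ensureOwnerDisplaySecret", () => {
+it("generates a dedicated secret when hash mode is enabled without one", () => {
+const cfg = {
+commands: {
+ownerDisplay: "hash",
+},
+} as OpenClawConfig;
+
+const result = ensureOwnerDisplaySecret(cfg, () => "generated-owner-secret");
+expect(result.generatedSecret).toBe("generated-owner-secret");
+expect(result.config.commands?.ownerDisplaySecret).toBe("generated-owner-secret");
+expect(result.config.commands?.ownerDisplay).toBe("hash");
+});
+
+it("does nothing when a hash secret is already configured", () => {
+const cfg = {
+commands: {
+ownerDisplay: "hash",
+ownerDisplaySecret: "existing-owner-secret",
+},
+} as OpenClawConfig;
+
+const result = ensureOwnerDisplaySecret(cfg, () => "generated-owner-secret");
+expect(result.generatedSecret).toBeUndefined();
+expect(result.config).toEqual(cfg);
+});
+});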
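Review bot: Both `ensureOwnerDisplaySecret` cases inject `() => "generated-owner-secret"`, so the default generator, which is what a real deployment gets, is never exercised. I would add a case that omits the second argument and checks the shape of the result, `expect(ensureOwnerDisplaySecret(cfg).generatedSecret).toMatch(/^[0-9a-f]{64}$/);`. A whitespace-only `ownerDisplaySecret` in hash mode is also untested; `resolveOwnerDisplaySetting` trims it to undefined, so it should trigger generation, and a test would pin that.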
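--- a/src/agents/owner-display.ts
+++ b/src/agents/owner-display.ts
@@ -0,0 +1,58 @@
+import crypto from "node:crypto";
+import type { OpenClawConfig } from "../config/config.js";
+
+export type OwnerDisplaySetting = {
+ownerDisplay?: "raw" | "hash";
+ownerDisplaySecret?: string;
+};
+
+export type OwnerDisplaySecretResolution = {
+config: OpenClawConfig;
+generatedSecret?: string;
+};
+
+function trimToUndefined(value?: string): string | undefined {
+const trimmed = value?.trim();
+return trimmed ? trimmed : undefined;
+}
+
+/**
+* Resolve owner display settings for prompt rendering.
+* Keep auth secrets decoupled from owner hash secrets.
+*/
+export function resolveOwnerDisplaySetting(config?: OpenClawConfig): OwnerDisplaySetting {
+const ownerDisplay = config?.commands?.ownerDisplay;
+if (ownerDisplay !== "hash") {
+return { ownerDisplay, ownerDisplaySecret: undefined };
+}
+return {
+ownerDisplay: "hash",
+ownerDisplaySecret: trimToUndefined(config?.commands?.ownerDisplaySecret),
+};
+}
+
+/**
+* Ensure hash mode has a dedicated secret.
+* Returns updated config and generated secret when autofill was needed.
+*/
+export function ensureOwnerDisplaySecret(
+config: OpenClawConfig,
+generateSecret: () => string = () => crypto.randomBytes(32).toString("hex"),
+): OwnerDisplaySecretResolution {
+const settings = resolveOwnerDisplaySetting(config);
+if (settings.ownerDisplay !== "hash" || settings.ownerDisplaySecret) {
+return { config };
+}
+const generatedSecret = generateSecret();
+return {
+config: {
+...config,
+commands: {
+...config.commands,
+ownerDisplay: "hash",
+ownerDisplaySecret: generatedSecret,
+},
+},
+generatedSecret,
+};
+}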
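Review bot: `resolveOwnerDisplaySetting` can return `ownerDisplay: "hash"` together with `ownerDisplaySecret: undefined`, and the three call sites changed in this commit (`buildSystemPrompt`, `compactEmbeddedPiSessionDirect`, `runEmbeddedAttempt`) pass that result straight to the prompt builder without going through `ensureOwnerDisplaySecret`. What the prompt builder does with hash mode and no secret is not visible on this page; if it produces an unkeyed digest of the owner numbers, values from a space as small as phone numbers can be matched by enumeration, so the hashing would protect very little. Unless config loading outside this diff always runs `ensureOwnerDisplaySecret`, I would state the contract in the resolver's doc comment, for example `* Hash mode without a secret is returned as-is; callers must run ensureOwnerDisplaySecret at config load.`. A configured secret is also accepted at any non-empty length after trimming, so a minimum-length check or a warning would catch weak hand-written values.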
@@ -33,6 +33,7 @@ import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "../defaults.js";
|
||||
import { resolveOpenClawDocsPath } from "../docs-path.js";
|
||||
import { getApiKeyForModel, resolveModelAuthMode } from "../model-auth.js";
|
||||
import { ensureOpenClawModelsJson } from "../models-config.js";
|
||||
import { resolveOwnerDisplaySetting } from "../owner-display.js";
|
||||
import {
|
||||
ensureSessionHeader,
|
||||
validateAnthropicTurns,
|
||||
@@ -480,17 +481,15 @@ export async function compactEmbeddedPiSessionDirect(
|
||||
moduleUrl: import.meta.url,
|
||||
});
|
||||
const ttsHint = params.config ? buildTtsSystemPromptHint(params.config) : undefined;
|
||||
const ownerDisplay = resolveOwnerDisplaySetting(params.config);
|
||||
const appendPrompt = buildEmbeddedSystemPrompt({
|
||||
workspaceDir: effectiveWorkspace,
|
||||
defaultThinkLevel: params.thinkLevel,
|
||||
reasoningLevel: params.reasoningLevel ?? "off",
|
||||
extraSystemPrompt: params.extraSystemPrompt,
|
||||
ownerNumbers: params.ownerNumbers,
|
||||
ownerDisplay: params.config?.commands?.ownerDisplay,
|
||||
ownerDisplaySecret:
|
||||
params.config?.commands?.ownerDisplaySecret ??
|
||||
params.config?.gateway?.auth?.token ??
|
||||
params.config?.gateway?.remote?.token,
|
||||
ownerDisplay: ownerDisplay.ownerDisplay,
|
||||
ownerDisplaySecret: ownerDisplay.ownerDisplaySecret,
|
||||
reasoningTagHint,
|
||||
heartbeatPrompt: isDefaultAgent
|
||||
? resolveHeartbeatPrompt(params.config?.agents?.defaults?.heartbeat?.prompt)
|
||||
|
||||
@@ -47,6 +47,7 @@ import { resolveImageSanitizationLimits } from "../../image-sanitization.js";
|
||||
import { resolveModelAuthMode } from "../../model-auth.js";
|
||||
import { resolveDefaultModelForAgent } from "../../model-selection.js";
|
||||
import { createOllamaStreamFn, OLLAMA_NATIVE_BASE_URL } from "../../ollama-stream.js";
|
||||
import { resolveOwnerDisplaySetting } from "../../owner-display.js";
|
||||
import {
|
||||
isCloudCodeAssistFormatError,
|
||||
resolveBootstrapMaxChars,
|
||||
@@ -505,6 +506,7 @@ export async function runEmbeddedAttempt(
|
||||
moduleUrl: import.meta.url,
|
||||
});
|
||||
const ttsHint = params.config ? buildTtsSystemPromptHint(params.config) : undefined;
|
||||
const ownerDisplay = resolveOwnerDisplaySetting(params.config);
|
||||
|
||||
const appendPrompt = buildEmbeddedSystemPrompt({
|
||||
workspaceDir: effectiveWorkspace,
|
||||
@@ -512,11 +514,8 @@ export async function runEmbeddedAttempt(
|
||||
reasoningLevel: params.reasoningLevel ?? "off",
|
||||
extraSystemPrompt: params.extraSystemPrompt,
|
||||
ownerNumbers: params.ownerNumbers,
|
||||
ownerDisplay: params.config?.commands?.ownerDisplay,
|
||||
ownerDisplaySecret:
|
||||
params.config?.commands?.ownerDisplaySecret ??
|
||||
params.config?.gateway?.auth?.token ??
|
||||
params.config?.gateway?.remote?.token,
|
||||
ownerDisplay: ownerDisplay.ownerDisplay,
|
||||
ownerDisplaySecret: ownerDisplay.ownerDisplaySecret,
|
||||
reasoningTagHint,
|
||||
heartbeatPrompt: isDefaultAgent
|
||||
? resolveHeartbeatPrompt(params.config?.agents?.defaults?.heartbeat?.prompt)
|
||||
|
||||