github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 18:04:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Onboard: require explicit mode for env secret refs

Browse Source
This commit is contained in:
joshavant
2026-02-24 15:01:53 -06:00
committed by Peter Steinberger
parent 4d94b05ac5
commit cb119874dc
5 changed files with 131 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
src/commands/onboard-non-interactive/local/auth-choice.ts
View File

@@ -4,6 +4,7 @@ import { parseDurationMs } from "../../../cli/parse-duration.js";
import type { OpenClawConfig } from "../../../config/config.js";
import type { RuntimeEnv } from "../../../runtime.js";
import { normalizeSecretInput } from "../../../utils/normalize-secret-input.js";
import { normalizeSecretInputModeInput } from "../../auth-choice.apply-helpers.js";
import { buildTokenProfileId, validateAnthropicSetupToken } from "../../auth-token.js";
import { applyGoogleGeminiModelDefault } from "../../google-gemini-model-default.js";
import { applyPrimaryModel } from "../../model-picker.js";
@@ -74,6 +75,15 @@ export async function applyNonInteractiveAuthChoice(params: {
}): Promise<OpenClawConfig | null> {
const { authChoice, opts, runtime, baseConfig } = params;
let nextConfig = params.nextConfig;
const requestedSecretInputMode = normalizeSecretInputModeInput(opts.secretInputMode);
if (opts.secretInputMode && !requestedSecretInputMode) {
runtime.error('Invalid --secret-input-mode. Use "plaintext" or "ref".');
runtime.exit(1);
return null;
}
const apiKeyStorageOptions = requestedSecretInputMode
? { secretInputMode: requestedSecretInputMode }
: undefined;
if (authChoice === "claude-cli" || authChoice === "codex-cli") {
runtime.error(
@@ -121,7 +131,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setAnthropicApiKey(resolved.key);
await setAnthropicApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
return applyAuthProfileConfig(nextConfig, {
profileId: "anthropic:default",
@@ -198,7 +208,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setGeminiApiKey(resolved.key);
await setGeminiApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "google:default",
@@ -227,7 +237,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setZaiApiKey(resolved.key);
await setZaiApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "zai:default",
@@ -276,7 +286,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setXiaomiApiKey(resolved.key);
await setXiaomiApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "xiaomi:default",
@@ -299,7 +309,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
setXaiApiKey(resolved.key);
setXaiApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "xai:default",
@@ -322,7 +332,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setMistralApiKey(resolved.key);
await setMistralApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "mistral:default",
@@ -345,7 +355,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setVolcengineApiKey(resolved.key);
await setVolcengineApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "volcengine:default",
@@ -368,7 +378,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setByteplusApiKey(resolved.key);
await setByteplusApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "byteplus:default",
@@ -391,7 +401,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
setQianfanApiKey(resolved.key);
setQianfanApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "qianfan:default",
@@ -414,7 +424,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setOpenaiApiKey(resolved.key);
await setOpenaiApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "openai:default",
@@ -437,7 +447,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setOpenrouterApiKey(resolved.key);
await setOpenrouterApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "openrouter:default",
@@ -460,7 +470,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setKilocodeApiKey(resolved.key);
await setKilocodeApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "kilocode:default",
@@ -483,7 +493,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setLitellmApiKey(resolved.key);
await setLitellmApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "litellm:default",
@@ -506,7 +516,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setVercelAiGatewayApiKey(resolved.key);
await setVercelAiGatewayApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "vercel-ai-gateway:default",
@@ -541,7 +551,13 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setCloudflareAiGatewayConfig(accountId, gatewayId, resolved.key);
await setCloudflareAiGatewayConfig(
accountId,
gatewayId,
resolved.key,
undefined,
apiKeyStorageOptions,
);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "cloudflare-ai-gateway:default",
@@ -569,7 +585,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setMoonshotApiKey(resolved.key);
await setMoonshotApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "moonshot:default",
@@ -600,7 +616,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setKimiCodingApiKey(resolved.key);
await setKimiCodingApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "kimi-coding:default",
@@ -623,7 +639,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setSyntheticApiKey(resolved.key);
await setSyntheticApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "synthetic:default",
@@ -646,7 +662,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setVeniceApiKey(resolved.key);
await setVeniceApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "venice:default",
@@ -677,7 +693,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setMinimaxApiKey(resolved.key, undefined, profileId);
await setMinimaxApiKey(resolved.key, undefined, profileId, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId,
@@ -708,7 +724,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setOpencodeZenApiKey(resolved.key);
await setOpencodeZenApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "opencode:default",
@@ -731,7 +747,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setTogetherApiKey(resolved.key);
await setTogetherApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "together:default",
@@ -754,7 +770,7 @@ export async function applyNonInteractiveAuthChoice(params: {
return null;
}
if (resolved.source !== "profile") {
await setHuggingfaceApiKey(resolved.key);
await setHuggingfaceApiKey(resolved.key, undefined, apiKeyStorageOptions);
}
nextConfig = applyAuthProfileConfig(nextConfig, {
profileId: "huggingface:default",