Auth labels: handle token refs and share Pi credential conversion

2026-05-07 23:51:23 +00:00 · 2026-02-22 14:40:16 -08:00
parent e1301c31e7
commit cec404225d
7 changed files with 226 additions and 172 deletions
--- a/src/commands/models/list.auth-overview.test.ts
+++ b/src/commands/models/list.auth-overview.test.ts
@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest";
+import { resolveProviderAuthOverview } from "./list.auth-overview.js";
+
+describe("resolveProviderAuthOverview", () => {
+  it("does not throw when token profile only has tokenRef", () => {
+    const overview = resolveProviderAuthOverview({
+      provider: "github-copilot",
+      cfg: {},
+      store: {
+        version: 1,
+        profiles: {
+          "github-copilot:default": {
+            type: "token",
+            provider: "github-copilot",
+            tokenRef: { source: "env", id: "GITHUB_TOKEN" },
+          },
+        },
+      } as never,
+      modelsPath: "/tmp/models.json",
+    });
+
+    expect(overview.profiles.labels[0]).toContain("token:ref(env:GITHUB_TOKEN)");
+  });
+});
--- a/src/commands/models/list.auth-overview.ts
+++ b/src/commands/models/list.auth-overview.ts
@@ -12,6 +12,22 @@ import { shortenHomePath } from "../../utils.js";
 import { maskApiKey } from "./list.format.js";
 import type { ProviderAuthOverview } from "./list.types.js";

+function formatProfileSecretLabel(params: {
+  value: string | undefined;
+  ref: { source: string; id: string } | undefined;
+  kind: "api-key" | "token";
+}): string {
+  const value = typeof params.value === "string" ? params.value.trim() : "";
+  if (value) {
+    return params.kind === "token" ? `token:${maskApiKey(value)}` : maskApiKey(value);
+  }
+  if (params.ref) {
+    const refLabel = `ref(${params.ref.source}:${params.ref.id})`;
+    return params.kind === "token" ? `token:${refLabel}` : refLabel;
+  }
+  return params.kind === "token" ? "token:missing" : "missing";
+}
+
 export function resolveProviderAuthOverview(params: {
  provider: string;
  cfg: OpenClawConfig;
@@ -40,10 +56,24 @@ export function resolveProviderAuthOverview(params: {
      return `${profileId}=missing`;
    }
    if (profile.type === "api_key") {
-      return withUnusableSuffix(`${profileId}=${maskApiKey(profile.key ?? "")}`, profileId);
+      return withUnusableSuffix(
+        `${profileId}=${formatProfileSecretLabel({
+          value: profile.key,
+          ref: profile.keyRef,
+          kind: "api-key",
+        })}`,
+        profileId,
+      );
    }
    if (profile.type === "token") {
-      return withUnusableSuffix(`${profileId}=token:${maskApiKey(profile.token)}`, profileId);
+      return withUnusableSuffix(
+        `${profileId}=${formatProfileSecretLabel({
+          value: profile.token,
+          ref: profile.tokenRef,
+          kind: "token",
+        })}`,
+        profileId,
+      );
    }
    const display = resolveAuthProfileDisplayLabel({ cfg, store, profileId });
    const suffix =