fix: redact config values in skills status

2026-05-08 07:11:25 +00:00 · 2026-02-14 17:32:19 +01:00
parent 188c4cd076
commit d3428053d9
7 changed files with 154 additions and 514 deletions
--- a/src/gateway/server.skills-status.e2e.test.ts
+++ b/src/gateway/server.skills-status.e2e.test.ts
@@ -0,0 +1,72 @@
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import {
+  connectOk,
+  installGatewayTestHooks,
+  rpcReq,
+  startServerWithClient,
+} from "./test-helpers.js";
+
+installGatewayTestHooks({ scope: "suite" });
+
+async function withServer<T>(
+  run: (ws: Awaited<ReturnType<typeof startServerWithClient>>["ws"]) => Promise<T>,
+) {
+  const { server, ws, prevToken } = await startServerWithClient("secret");
+  try {
+    return await run(ws);
+  } finally {
+    ws.close();
+    await server.close();
+    if (prevToken === undefined) {
+      delete process.env.OPENCLAW_GATEWAY_TOKEN;
+    } else {
+      process.env.OPENCLAW_GATEWAY_TOKEN = prevToken;
+    }
+  }
+}
+
+describe("gateway skills.status", () => {
+  it("does not expose raw config values to operator.read clients", async () => {
+    const prevBundledSkillsDir = process.env.OPENCLAW_BUNDLED_SKILLS_DIR;
+    process.env.OPENCLAW_BUNDLED_SKILLS_DIR = path.join(process.cwd(), "skills");
+    const secret = "discord-token-secret-abc";
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      session: { mainKey: "main-test" },
+      channels: {
+        discord: {
+          token: secret,
+        },
+      },
+    });
+
+    try {
+      await withServer(async (ws) => {
+        await connectOk(ws, { token: "secret", scopes: ["operator.read"] });
+        const res = await rpcReq<{
+          skills?: Array<{
+            name?: string;
+            configChecks?: Array<{ path?: string; satisfied?: boolean } & Record<string, unknown>>;
+          }>;
+        }>(ws, "skills.status", {});
+
+        expect(res.ok).toBe(true);
+        expect(JSON.stringify(res.payload)).not.toContain(secret);
+
+        const discord = res.payload?.skills?.find((s) => s.name === "discord");
+        expect(discord).toBeTruthy();
+        const check = discord?.configChecks?.find((c) => c.path === "channels.discord.token");
+        expect(check).toBeTruthy();
+        expect(check?.satisfied).toBe(true);
+        expect(check && "value" in check).toBe(false);
+      });
+    } finally {
+      if (prevBundledSkillsDir === undefined) {
+        delete process.env.OPENCLAW_BUNDLED_SKILLS_DIR;
+      } else {
+        process.env.OPENCLAW_BUNDLED_SKILLS_DIR = prevBundledSkillsDir;
+      }
+    }
+  });
+});