Auth profiles: never persist plaintext when refs are present

2026-05-08 21:48:27 +00:00 · 2026-02-21 17:08:20 -08:00
parent 4c5a2c3c6d
commit e1301c31e7
5 changed files with 157 additions and 12 deletions
--- a/src/agents/auth-profiles.runtime-snapshot-save.test.ts
+++ b/src/agents/auth-profiles.runtime-snapshot-save.test.ts
@@ -0,0 +1,71 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import {
+  activateSecretsRuntimeSnapshot,
+  clearSecretsRuntimeSnapshot,
+  prepareSecretsRuntimeSnapshot,
+} from "../secrets/runtime.js";
+import { ensureAuthProfileStore, markAuthProfileUsed } from "./auth-profiles.js";
+
+describe("auth profile runtime snapshot persistence", () => {
+  it("does not write resolved plaintext keys during usage updates", async () => {
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-auth-runtime-save-"));
+    const agentDir = path.join(stateDir, "agents", "main", "agent");
+    const authPath = path.join(agentDir, "auth-profiles.json");
+    try {
+      await fs.mkdir(agentDir, { recursive: true });
+      await fs.writeFile(
+        authPath,
+        `${JSON.stringify(
+          {
+            version: 1,
+            profiles: {
+              "openai:default": {
+                type: "api_key",
+                provider: "openai",
+                keyRef: { source: "env", id: "OPENAI_API_KEY" },
+              },
+            },
+          },
+          null,
+          2,
+        )}\n`,
+        "utf8",
+      );
+
+      const snapshot = await prepareSecretsRuntimeSnapshot({
+        config: {},
+        env: { OPENAI_API_KEY: "sk-runtime-openai" },
+        agentDirs: [agentDir],
+      });
+      activateSecretsRuntimeSnapshot(snapshot);
+
+      const runtimeStore = ensureAuthProfileStore(agentDir);
+      expect(runtimeStore.profiles["openai:default"]).toMatchObject({
+        type: "api_key",
+        key: "sk-runtime-openai",
+        keyRef: { source: "env", id: "OPENAI_API_KEY" },
+      });
+
+      await markAuthProfileUsed({
+        store: runtimeStore,
+        profileId: "openai:default",
+        agentDir,
+      });
+
+      const persisted = JSON.parse(await fs.readFile(authPath, "utf8")) as {
+        profiles: Record<string, { key?: string; keyRef?: unknown }>;
+      };
+      expect(persisted.profiles["openai:default"]?.key).toBeUndefined();
+      expect(persisted.profiles["openai:default"]?.keyRef).toEqual({
+        source: "env",
+        id: "OPENAI_API_KEY",
+      });
+    } finally {
+      clearSecretsRuntimeSnapshot();
+      await fs.rm(stateDir, { recursive: true, force: true });
+    }
+  });
+});