github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 20:34:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: add manual secrets reload command

Browse Source
This commit is contained in:
joshavant
2026-02-21 13:57:49 -08:00
committed by Peter Steinberger
parent 301fe18909
commit fe56700026
8 changed files with 186 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/cli/program/register.subclis.ts
View File

@@ -260,6 +260,15 @@ const entries: SubCliEntry[] = [
mod.registerSecurityCli(program); mod.registerSecurityCli(program);
}, },
}, },
{
name: "secrets",
description: "Secrets runtime reload controls",
hasSubcommands: true,
register: async (program) => {
const mod = await import("../secrets-cli.js");
mod.registerSecretsCli(program);
},
},
{ {
name: "skills", name: "skills",
description: "List and inspect available skills", description: "List and inspect available skills",

53
src/cli/secrets-cli.test.ts Normal file
View File

@@ -0,0 +1,53 @@
import { Command } from "commander";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { createCliRuntimeCapture } from "./test-runtime-capture.js";
const callGatewayFromCli = vi.fn();
const { defaultRuntime, runtimeLogs, runtimeErrors, resetRuntimeCapture } =
createCliRuntimeCapture();
vi.mock("./gateway-rpc.js", () => ({
addGatewayClientOptions: (cmd: Command) => cmd,
callGatewayFromCli: (method: string, opts: unknown, params?: unknown, extra?: unknown) =>
callGatewayFromCli(method, opts, params, extra),
}));
vi.mock("../runtime.js", () => ({
defaultRuntime,
}));
const { registerSecretsCli } = await import("./secrets-cli.js");
describe("secrets CLI", () => {
const createProgram = () => {
const program = new Command();
program.exitOverride();
registerSecretsCli(program);
return program;
};
beforeEach(() => {
resetRuntimeCapture();
callGatewayFromCli.mockReset();
});
it("calls secrets.reload and prints human output", async () => {
callGatewayFromCli.mockResolvedValue({ ok: true, warningCount: 1 });
await createProgram().parseAsync(["secrets", "reload"], { from: "user" });
expect(callGatewayFromCli).toHaveBeenCalledWith(
"secrets.reload",
expect.anything(),
undefined,
expect.objectContaining({ expectFinal: false }),
);
expect(runtimeLogs.at(-1)).toBe("Secrets reloaded with 1 warning(s).");
expect(runtimeErrors).toHaveLength(0);
});
it("prints JSON when requested", async () => {
callGatewayFromCli.mockResolvedValue({ ok: true, warningCount: 0 });
await createProgram().parseAsync(["secrets", "reload", "--json"], { from: "user" });
expect(runtimeLogs.at(-1)).toContain('"ok": true');
});
});

47
src/cli/secrets-cli.ts Normal file
View File

@@ -0,0 +1,47 @@
import type { Command } from "commander";
import { danger } from "../globals.js";
import { defaultRuntime } from "../runtime.js";
import { formatDocsLink } from "../terminal/links.js";
import { theme } from "../terminal/theme.js";
import { addGatewayClientOptions, callGatewayFromCli, type GatewayRpcOpts } from "./gateway-rpc.js";
type SecretsReloadOptions = GatewayRpcOpts & { json?: boolean };
export function registerSecretsCli(program: Command) {
const secrets = program
.command("secrets")
.description("Secrets runtime controls")
.addHelpText(
"after",
() =>
`\n${theme.muted("Docs:")} ${formatDocsLink("/gateway/security", "docs.openclaw.ai/gateway/security")}\n`,
);
addGatewayClientOptions(
secrets
.command("reload")
.description("Re-resolve secret references and atomically swap runtime snapshot")
.option("--json", "Output JSON", false),
).action(async (opts: SecretsReloadOptions) => {
try {
const result = await callGatewayFromCli("secrets.reload", opts, undefined, {
expectFinal: false,
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
return;
}
const warningCount = Number(
(result as { warningCount?: unknown } | undefined)?.warningCount ?? 0,
);
if (Number.isFinite(warningCount) && warningCount > 0) {
defaultRuntime.log(`Secrets reloaded with ${warningCount} warning(s).`);
return;
}
defaultRuntime.log("Secrets reloaded.");
} catch (err) {
defaultRuntime.error(danger(String(err)));
defaultRuntime.exit(1);
}
});
}

1
src/gateway/method-scopes.ts
View File

@@ -101,6 +101,7 @@ const METHOD_SCOPE_GROUPS: Record<OperatorScope, readonly string[]> = {
"agents.delete", "agents.delete",
"skills.install", "skills.install",
"skills.update", "skills.update",
"secrets.reload",
"cron.add", "cron.add",
"cron.update", "cron.update",
"cron.remove", "cron.remove",

1
src/gateway/server-methods-list.ts
View File

@@ -50,6 +50,7 @@ const BASE_METHODS = [
"update.run", "update.run",
"voicewake.get", "voicewake.get",
"voicewake.set", "voicewake.set",
"secrets.reload",
"sessions.list", "sessions.list",
"sessions.preview", "sessions.preview",
"sessions.patch", "sessions.patch",

43
src/gateway/server-methods/secrets.test.ts Normal file
View File

@@ -0,0 +1,43 @@
import { describe, expect, it, vi } from "vitest";
import { createSecretsHandlers } from "./secrets.js";
describe("secrets handlers", () => {
it("responds with warning count on successful reload", async () => {
const handlers = createSecretsHandlers({
reloadSecrets: vi.fn().mockResolvedValue({ warningCount: 2 }),
});
const respond = vi.fn();
await handlers["secrets.reload"]({
req: { type: "req", id: "1", method: "secrets.reload" },
params: {},
client: null,
isWebchatConnect: () => false,
respond,
context: {} as never,
});
expect(respond).toHaveBeenCalledWith(true, { ok: true, warningCount: 2 });
});
it("returns unavailable when reload fails", async () => {
const handlers = createSecretsHandlers({
reloadSecrets: vi.fn().mockRejectedValue(new Error("reload failed")),
});
const respond = vi.fn();
await handlers["secrets.reload"]({
req: { type: "req", id: "1", method: "secrets.reload" },
params: {},
client: null,
isWebchatConnect: () => false,
respond,
context: {} as never,
});
expect(respond).toHaveBeenCalledWith(
false,
undefined,
expect.objectContaining({
code: "UNAVAILABLE",
message: "Error: reload failed",
}),
);
});
});

17
src/gateway/server-methods/secrets.ts Normal file
View File

@@ -0,0 +1,17 @@
import { ErrorCodes, errorShape } from "../protocol/index.js";
import type { GatewayRequestHandlers } from "./types.js";
export function createSecretsHandlers(params: {
reloadSecrets: () => Promise<{ warningCount: number }>;
}): GatewayRequestHandlers {
return {
"secrets.reload": async ({ respond }) => {
try {
const result = await params.reloadSecrets();
respond(true, { ok: true, warningCount: result.warningCount });
} catch (err) {
respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
}
},
};
}

15
src/gateway/server.impl.ts
View File

@@ -77,6 +77,7 @@ import { GATEWAY_EVENTS, listGatewayMethods } from "./server-methods-list.js";
import { coreGatewayHandlers } from "./server-methods.js"; import { coreGatewayHandlers } from "./server-methods.js";
import { createExecApprovalHandlers } from "./server-methods/exec-approval.js"; import { createExecApprovalHandlers } from "./server-methods/exec-approval.js";
import { safeParseJson } from "./server-methods/nodes.helpers.js"; import { safeParseJson } from "./server-methods/nodes.helpers.js";
import { createSecretsHandlers } from "./server-methods/secrets.js";
import { hasConnectedMobileNode } from "./server-mobile-nodes.js"; import { hasConnectedMobileNode } from "./server-mobile-nodes.js";
import { loadGatewayModelCatalog } from "./server-model-catalog.js"; import { loadGatewayModelCatalog } from "./server-model-catalog.js";
import { createNodeSubscriptionManager } from "./server-node-subscriptions.js"; import { createNodeSubscriptionManager } from "./server-node-subscriptions.js";
@@ -666,6 +667,19 @@ export async function startGatewayServer(
const execApprovalHandlers = createExecApprovalHandlers(execApprovalManager, { const execApprovalHandlers = createExecApprovalHandlers(execApprovalManager, {
forwarder: execApprovalForwarder, forwarder: execApprovalForwarder,
}); });
const secretsHandlers = createSecretsHandlers({
reloadSecrets: async () => {
const active = getActiveSecretsRuntimeSnapshot();
if (!active) {
throw new Error("Secrets runtime snapshot is not active.");
}
const prepared = await activateRuntimeSecrets(active.sourceConfig, {
reason: "reload",
activate: true,
});
return { warningCount: prepared.warnings.length };
},
});
const canvasHostServerPort = (canvasHostServer as CanvasHostServer | null)?.port; const canvasHostServerPort = (canvasHostServer as CanvasHostServer | null)?.port;
@@ -687,6 +701,7 @@ export async function startGatewayServer(
extraHandlers: { extraHandlers: {
...pluginRegistry.gatewayHandlers, ...pluginRegistry.gatewayHandlers,
...execApprovalHandlers, ...execApprovalHandlers,
...secretsHandlers,
}, },
broadcast, broadcast,
context: { context: {