import type { OpenClawConfig } from "../config/config.js";
import { coerceSecretRef, resolveSecretInputRef } from "../config/types.secrets.js";
import { getPath } from "./path-utils.js";
import { isExpectedResolvedSecretValue } from "./secret-value.js";
import { discoverConfigSecretTargetsByIds } from "./target-registry.js";
/**
 * One secret target that resolved successfully and is ready to be applied at
 * command time.
 *
 * `value` is exactly what `getPath` returned from the resolved runtime
 * snapshot for this target, i.e. the resolved secret itself. Treat instances
 * of this type as sensitive: do not log them or fold them into diagnostics.
 */
export type CommandSecretAssignment = {
  /** Config path of the secret target (same string used for path filters and diagnostics). */
  path: string;
  /** The path split into keys, as consumed by `getPath`; a fresh copy per assignment. */
  pathSegments: string[];
  /** The resolved secret value read from the snapshot (sensitive). */
  value: unknown;
};
/**
 * Return shape of `collectCommandSecretAssignmentsFromSnapshot`.
 *
 * Only resolved assignments are returned; unresolved targets make that
 * function throw, and inactive ones are dropped and mentioned in
 * `diagnostics` only.
 */
export type ResolveAssignmentsFromSnapshotResult = {
  /** Targets that resolved to an expected value (each carries the secret value). */
  assignments: CommandSecretAssignment[];
  /** Human-readable notes keyed by config path; they contain paths and reasons, never secret values. */
  diagnostics: string[];
};
/**
 * A secret target that has a ref configured but whose entry in the resolved
 * runtime snapshot does not pass `isExpectedResolvedSecretValue`.
 *
 * Used for both the `unresolved` and `inactive` buckets; it deliberately
 * carries no value, so it is safe to surface in error messages.
 */
export type UnresolvedCommandSecretAssignment = {
  /** Config path of the secret target. */
  path: string;
  /** The path split into keys; a fresh copy per record. */
  pathSegments: string[];
};
/**
 * Full classification produced by `analyzeCommandSecretAssignmentsFromSnapshot`.
 *
 * Every target with a ref ends up in exactly one of `assignments`,
 * `unresolved` or `inactive`; targets without a ref are not reported at all.
 */
export type AnalyzeAssignmentsFromSnapshotResult = {
  /** Targets whose snapshot value passed the expected-value check (each carries the secret value). */
  assignments: CommandSecretAssignment[];
  /** Paths and reasons only; never secret values. */
  diagnostics: string[];
  /** Targets whose snapshot value failed the check and whose path is NOT in `inactiveRefPaths`. */
  unresolved: UnresolvedCommandSecretAssignment[];
  /** Targets whose snapshot value failed the check but whose path IS in `inactiveRefPaths`. */
  inactive: UnresolvedCommandSecretAssignment[];
};
/**
 * Compares the secret-ref targets declared in `sourceConfig` against the
 * already-resolved runtime snapshot and sorts each target into a bucket.
 *
 * For every target returned by `discoverConfigSecretTargetsByIds` for
 * `targetIds` (further restricted to `allowedPaths` when given), the effective
 * ref is computed with `resolveSecretInputRef` using `secrets.defaults` from
 * the source config. Targets without a ref are skipped without a diagnostic.
 * For the rest, the value at the same path in `resolvedConfig` is read and
 * checked with `isExpectedResolvedSecretValue`:
 *  - check passes                                  -> `assignments`
 *  - check fails, path is in `inactiveRefPaths`    -> `inactive` (+ diagnostic)
 *  - check fails otherwise                         -> `unresolved`
 *
 * A diagnostic is also emitted when a `sibling_ref`-shaped target has an
 * explicit ref and its inline `value` also coerces to a ref (presumably the
 * sibling ref wins, per the message text — confirm in types.secrets.ts).
 *
 * Diagnostics contain config paths and reasons only. The resolved secret value
 * appears solely in `assignments[].value`, so callers must treat that array as
 * sensitive and never log it.
 *
 * This function never throws for unresolved targets; see
 * `collectCommandSecretAssignmentsFromSnapshot` for the fail-fast variant.
 *
 * @param params.sourceConfig    Config that declares the refs (and `secrets.defaults`).
 * @param params.resolvedConfig  Snapshot in which refs have already been resolved.
 * @param params.targetIds       Ids of the secret targets to consider.
 * @param params.inactiveRefPaths Paths whose refs sit on an inactive surface; a
 *   failed check there is reported as `inactive` instead of `unresolved`.
 * @param params.allowedPaths    Optional whitelist of target paths.
 * @returns The four buckets described above.
 */
export function analyzeCommandSecretAssignmentsFromSnapshot(params: {
  sourceConfig: OpenClawConfig;
  resolvedConfig: OpenClawConfig;
  targetIds: ReadonlySet<string>;
  inactiveRefPaths?: ReadonlySet<string>;
  allowedPaths?: ReadonlySet<string>;
}): AnalyzeAssignmentsFromSnapshotResult {
  const refDefaults = params.sourceConfig.secrets?.defaults;
  const pathFilter = params.allowedPaths;
  const inactivePaths = params.inactiveRefPaths;

  const result: AnalyzeAssignmentsFromSnapshotResult = {
    assignments: [],
    diagnostics: [],
    unresolved: [],
    inactive: [],
  };

  // Both failure buckets share one value-free record shape; copy the segments
  // so later mutation by a caller cannot reach back into the target.
  const toRecord = (path: string, segments: Iterable<string>): UnresolvedCommandSecretAssignment => ({
    path,
    pathSegments: [...segments],
  });

  const targets = discoverConfigSecretTargetsByIds(params.sourceConfig, params.targetIds);
  for (const target of targets) {
    if (pathFilter && !pathFilter.has(target.path)) {
      continue;
    }

    const refInfo = resolveSecretInputRef({
      value: target.value,
      refValue: target.refValue,
      defaults: refDefaults,
    });
    // Coerce the inline value up front (before the ref check) so that any
    // error from coercion surfaces regardless of whether a ref was found.
    const inlineRef = refInfo.explicitRef ? coerceSecretRef(target.value, refDefaults) : null;
    if (!refInfo.ref) {
      continue;
    }

    const snapshotValue = getPath(params.resolvedConfig, target.pathSegments);
    const passesCheck = isExpectedResolvedSecretValue(
      snapshotValue,
      target.entry.expectedResolvedValue,
    );

    if (!passesCheck) {
      if (inactivePaths?.has(target.path)) {
        result.diagnostics.push(
          `${target.path}: secret ref is configured on an inactive surface; skipping command-time assignment.`,
        );
        result.inactive.push(toRecord(target.path, target.pathSegments));
      } else {
        result.unresolved.push(toRecord(target.path, target.pathSegments));
      }
      continue;
    }

    result.assignments.push({
      path: target.path,
      pathSegments: [...target.pathSegments],
      value: snapshotValue,
    });

    const isSiblingShape = target.entry.secretShape === "sibling_ref"; // pragma: allowlist secret
    const competing = isSiblingShape && Boolean(refInfo.explicitRef) && Boolean(inlineRef);
    if (competing) {
      result.diagnostics.push(
        `${target.path}: both inline and sibling ref were present; sibling ref took precedence.`,
      );
    }
  }

  return result;
}
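/**
 * Fail-fast wrapper around `analyzeCommandSecretAssignmentsFromSnapshot` for
 * command execution.
 *
 * Inactive targets are not fatal: they are dropped from the result and
 * surface only through `diagnostics`. Unresolved targets (a ref is configured
 * but the runtime snapshot holds no expected resolved value) abort the command
 * with an `Error` whose message names the command and every unresolved config
 * path, so an operator can fix all of them in one pass rather than discovering
 * them one per run. The message carries paths only, never secret values.
 *
 * @param params.commandName  Prefix for the error message.
 * @param params.sourceConfig / resolvedConfig / targetIds / inactiveRefPaths /
 *   allowedPaths  Passed straight through to the analyzer.
 * @returns The resolved assignments (sensitive: they carry secret values) and
 *   the analyzer's diagnostics.
 * @throws Error when at least one selected target is unresolved.
 */
export function collectCommandSecretAssignmentsFromSnapshot(params: {
  sourceConfig: OpenClawConfig;
  resolvedConfig: OpenClawConfig;
  commandName: string;
  targetIds: ReadonlySet<string>;
  inactiveRefPaths?: ReadonlySet<string>;
  allowedPaths?: ReadonlySet<string>;
}): ResolveAssignmentsFromSnapshotResult {
  const analyzed = analyzeCommandSecretAssignmentsFromSnapshot({
    sourceConfig: params.sourceConfig,
    resolvedConfig: params.resolvedConfig,
    targetIds: params.targetIds,
    inactiveRefPaths: params.inactiveRefPaths,
    allowedPaths: params.allowedPaths,
  });

  const unresolvedPaths = analyzed.unresolved.map((entry) => entry.path);
  if (unresolvedPaths.length > 0) {
    // Single path keeps the established wording; several paths are listed in
    // full instead of reporting only the first one.
    const subject =
      unresolvedPaths.length === 1
        ? `${unresolvedPaths[0] ?? "target"} is`
        : `${unresolvedPaths.join(", ")} are`;
    throw new Error(
      `${params.commandName}: ${subject} unresolved in the active runtime snapshot.`,
    );
  }

  return {
    assignments: analyzed.assignments,
    diagnostics: analyzed.diagnostics,
  };
}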