CLI: make read-only SecretRef status flows degrade safely (#37023)

* CLI: add read-only SecretRef inspection * CLI: fix read-only SecretRef status regressions * CLI: preserve read-only SecretRef status fallbacks * Docs: document read-only channel inspection hook * CLI: preserve audit coverage for read-only SecretRefs * CLI: fix read-only status account selection * CLI: fix targeted gateway fallback analysis * CLI: fix Slack HTTP read-only inspection * CLI: align audit credential status checks * CLI: restore Telegram read-only fallback semantics
2026-03-12 07:20:45 +00:00 · 2026-03-05 23:07:13 -06:00
parent 8d4a2f2c59
commit 0e4245063f
58 changed files with 3422 additions and 215 deletions
--- a/extensions/slack/src/channel.test.ts
+++ b/extensions/slack/src/channel.test.ts
@@ -182,4 +182,53 @@ describe("slackPlugin config", () => {
    expect(configured).toBe(false);
    expect(snapshot?.configured).toBe(false);
  });
+
+  it("does not mark partial configured-unavailable token status as configured", async () => {
+    const snapshot = await slackPlugin.status?.buildAccountSnapshot?.({
+      account: {
+        accountId: "default",
+        name: "Default",
+        enabled: true,
+        configured: false,
+        botTokenStatus: "configured_unavailable",
+        appTokenStatus: "missing",
+        botTokenSource: "config",
+        appTokenSource: "none",
+        config: {},
+      } as never,
+      cfg: {} as OpenClawConfig,
+      runtime: undefined,
+    });
+
+    expect(snapshot?.configured).toBe(false);
+    expect(snapshot?.botTokenStatus).toBe("configured_unavailable");
+    expect(snapshot?.appTokenStatus).toBe("missing");
+  });
+
+  it("keeps HTTP mode signing-secret unavailable accounts configured in snapshots", async () => {
+    const snapshot = await slackPlugin.status?.buildAccountSnapshot?.({
+      account: {
+        accountId: "default",
+        name: "Default",
+        enabled: true,
+        configured: true,
+        mode: "http",
+        botTokenStatus: "available",
+        signingSecretStatus: "configured_unavailable",
+        botTokenSource: "config",
+        signingSecretSource: "config",
+        config: {
+          mode: "http",
+          botToken: "xoxb-http",
+          signingSecret: { source: "env", provider: "default", id: "SLACK_SIGNING_SECRET" },
+        },
+      } as never,
+      cfg: {} as OpenClawConfig,
+      runtime: undefined,
+    });
+
+    expect(snapshot?.configured).toBe(true);
+    expect(snapshot?.botTokenStatus).toBe("available");
+    expect(snapshot?.signingSecretStatus).toBe("configured_unavailable");
+  });
 });
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -7,6 +7,7 @@ import {
  formatPairingApproveHint,
  getChatChannelMeta,
  handleSlackMessageAction,
+  inspectSlackAccount,
  listSlackMessageActions,
  listSlackAccountIds,
  listSlackDirectoryGroupsFromConfig,
@@ -16,6 +17,8 @@ import {
  normalizeAccountId,
  normalizeSlackMessagingTarget,
  PAIRING_APPROVED_MESSAGE,
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromRequiredCredentialStatuses,
  resolveDefaultSlackAccountId,
  resolveSlackAccount,
  resolveSlackReplyToMode,
@@ -131,6 +134,7 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
  config: {
    listAccountIds: (cfg) => listSlackAccountIds(cfg),
    resolveAccount: (cfg, accountId) => resolveSlackAccount({ cfg, accountId }),
+    inspectAccount: (cfg, accountId) => inspectSlackAccount({ cfg, accountId }),
    defaultAccountId: (cfg) => resolveDefaultSlackAccountId(cfg),
    setAccountEnabled: ({ cfg, accountId, enabled }) =>
      setAccountEnabledInConfigSection({
@@ -428,14 +432,23 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
      return await getSlackRuntime().channel.slack.probeSlack(token, timeoutMs);
    },
    buildAccountSnapshot: ({ account, runtime, probe }) => {
-      const configured = isSlackAccountConfigured(account);
+      const mode = account.config.mode ?? "socket";
+      const configured =
+        (mode === "http"
+          ? resolveConfiguredFromRequiredCredentialStatuses(account, [
+              "botTokenStatus",
+              "signingSecretStatus",
+            ])
+          : resolveConfiguredFromRequiredCredentialStatuses(account, [
+              "botTokenStatus",
+              "appTokenStatus",
+            ])) ?? isSlackAccountConfigured(account);
      return {
        accountId: account.accountId,
        name: account.name,
        enabled: account.enabled,
        configured,
-        botTokenSource: account.botTokenSource,
-        appTokenSource: account.appTokenSource,
+        ...projectCredentialSnapshotFields(account),
        running: runtime?.running ?? false,
        lastStartAt: runtime?.lastStartAt ?? null,
        lastStopAt: runtime?.lastStopAt ?? null,