vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-20 14:30:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Secrets: gate exec dry-run and preflight resolution behind --allow-exec (#49417)

Browse Source 
* Secrets: gate exec dry-run resolution behind --allow-exec

* Secrets: fix dry-run completeness and skipped exec audit semantics

* Secrets: require --allow-exec for exec-containing apply writes

* Docs: align secrets exec consent behavior

* Changelog: note secrets exec consent gating
This commit is contained in:
Josh Avant
2026-03-17 23:24:34 -05:00
committed by GitHub
parent bf470b711b
commit 0ffcc308f2
13 changed files with 747 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

271
src/cli/secrets-cli.test.ts
View File

@@ -1,3 +1,6 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { Command } from "commander";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { createCliRuntimeCapture } from "./test-runtime-capture.js";
@@ -23,7 +26,7 @@ vi.mock("../runtime.js", () => ({
}));
vi.mock("../secrets/audit.js", () => ({
runSecretsAudit: () => runSecretsAudit(),
runSecretsAudit: (options: unknown) => runSecretsAudit(options),
resolveSecretsAuditExitCode: (report: unknown, check: boolean) =>
resolveSecretsAuditExitCode(report, check),
}));
@@ -90,6 +93,11 @@ describe("secrets CLI", () => {
shadowedRefCount: 0,
legacyResidueCount: 0,
},
resolution: {
refsChecked: 0,
skippedExecRefs: 0,
resolvabilityComplete: true,
},
findings: [],
});
resolveSecretsAuditExitCode.mockReturnValue(1);
@@ -97,10 +105,42 @@ describe("secrets CLI", () => {
await expect(
createProgram().parseAsync(["secrets", "audit", "--check"], { from: "user" }),
).rejects.toBeTruthy();
expect(runSecretsAudit).toHaveBeenCalled();
expect(runSecretsAudit).toHaveBeenCalledWith(
expect.objectContaining({
allowExec: false,
}),
);
expect(resolveSecretsAuditExitCode).toHaveBeenCalledWith(expect.anything(), true);
});
it("forwards --allow-exec to secrets audit", async () => {
runSecretsAudit.mockResolvedValue({
version: 1,
status: "clean",
filesScanned: [],
summary: {
plaintextCount: 0,
unresolvedRefCount: 0,
shadowedRefCount: 0,
legacyResidueCount: 0,
},
resolution: {
refsChecked: 1,
skippedExecRefs: 0,
resolvabilityComplete: true,
},
findings: [],
});
resolveSecretsAuditExitCode.mockReturnValue(0);
await createProgram().parseAsync(["secrets", "audit", "--allow-exec"], { from: "user" });
expect(runSecretsAudit).toHaveBeenCalledWith(
expect.objectContaining({
allowExec: true,
}),
);
});
it("runs secrets configure then apply when confirmed", async () => {
runSecretsConfigureInteractive.mockResolvedValue({
plan: {
@@ -125,6 +165,12 @@ describe("secrets CLI", () => {
mode: "dry-run",
changed: true,
changedFiles: ["/tmp/openclaw.json"],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 1,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
},
@@ -134,6 +180,12 @@ describe("secrets CLI", () => {
mode: "write",
changed: true,
changedFiles: ["/tmp/openclaw.json"],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 1,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
});
@@ -169,6 +221,12 @@ describe("secrets CLI", () => {
mode: "dry-run",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
},
@@ -179,6 +237,215 @@ describe("secrets CLI", () => {
expect(runSecretsConfigureInteractive).toHaveBeenCalledWith(
expect.objectContaining({
agentId: "ops",
allowExecInPreflight: false,
}),
);
});
it("forwards --allow-exec to secrets apply dry-run", async () => {
const planPath = path.join(
os.tmpdir(),
`openclaw-secrets-cli-test-${Date.now()}-${Math.random().toString(16).slice(2)}.json`,
);
await fs.writeFile(
planPath,
`${JSON.stringify({
version: 1,
protocolVersion: 1,
generatedAt: new Date().toISOString(),
generatedBy: "manual",
targets: [],
})}\n`,
"utf8",
);
runSecretsApply.mockResolvedValue({
mode: "dry-run",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
});
await createProgram().parseAsync(
["secrets", "apply", "--from", planPath, "--dry-run", "--allow-exec"],
{
from: "user",
},
);
expect(runSecretsApply).toHaveBeenCalledWith(
expect.objectContaining({
write: false,
allowExec: true,
}),
);
await fs.rm(planPath, { force: true });
});
it("forwards --allow-exec to secrets apply write mode", async () => {
const planPath = path.join(
os.tmpdir(),
`openclaw-secrets-cli-test-${Date.now()}-${Math.random().toString(16).slice(2)}.json`,
);
await fs.writeFile(
planPath,
`${JSON.stringify({
version: 1,
protocolVersion: 1,
generatedAt: new Date().toISOString(),
generatedBy: "manual",
targets: [],
})}\n`,
"utf8",
);
runSecretsApply.mockResolvedValue({
mode: "write",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
});
await createProgram().parseAsync(["secrets", "apply", "--from", planPath, "--allow-exec"], {
from: "user",
});
expect(runSecretsApply).toHaveBeenCalledWith(
expect.objectContaining({
write: true,
allowExec: true,
}),
);
await fs.rm(planPath, { force: true });
});
it("does not print skipped-exec note when apply dry-run skippedExecRefs is zero", async () => {
const planPath = path.join(
os.tmpdir(),
`openclaw-secrets-cli-test-${Date.now()}-${Math.random().toString(16).slice(2)}.json`,
);
await fs.writeFile(
planPath,
`${JSON.stringify({
version: 1,
protocolVersion: 1,
generatedAt: new Date().toISOString(),
generatedBy: "manual",
targets: [],
})}\n`,
"utf8",
);
runSecretsApply.mockResolvedValue({
mode: "dry-run",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: false,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
});
await createProgram().parseAsync(["secrets", "apply", "--from", planPath, "--dry-run"], {
from: "user",
});
expect(runtimeLogs.some((line) => line.includes("Secrets apply dry-run note: skipped"))).toBe(
false,
);
await fs.rm(planPath, { force: true });
});
it("does not print skipped-exec note when configure preflight skippedExecRefs is zero", async () => {
runSecretsConfigureInteractive.mockResolvedValue({
plan: {
version: 1,
protocolVersion: 1,
generatedAt: "2026-02-26T00:00:00.000Z",
generatedBy: "openclaw secrets configure",
targets: [],
},
preflight: {
mode: "dry-run",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: false,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
},
});
confirm.mockResolvedValue(false);
await createProgram().parseAsync(["secrets", "configure"], { from: "user" });
expect(runtimeLogs.some((line) => line.includes("Preflight note: skipped"))).toBe(false);
});
it("forwards --allow-exec to configure preflight and apply", async () => {
runSecretsConfigureInteractive.mockResolvedValue({
plan: {
version: 1,
protocolVersion: 1,
generatedAt: "2026-02-26T00:00:00.000Z",
generatedBy: "openclaw secrets configure",
targets: [],
},
preflight: {
mode: "dry-run",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
},
});
runSecretsApply.mockResolvedValue({
mode: "write",
changed: false,
changedFiles: [],
checks: {
resolvability: true,
resolvabilityComplete: true,
},
refsChecked: 0,
skippedExecRefs: 0,
warningCount: 0,
warnings: [],
});
await createProgram().parseAsync(["secrets", "configure", "--apply", "--yes", "--allow-exec"], {
from: "user",
});
expect(runSecretsConfigureInteractive).toHaveBeenCalledWith(
expect.objectContaining({
allowExecInPreflight: true,
}),
);
expect(runSecretsApply).toHaveBeenCalledWith(
expect.objectContaining({
write: true,
allowExec: true,
}),
);
});

39
src/cli/secrets-cli.ts
View File

@@ -15,6 +15,7 @@ type SecretsReloadOptions = GatewayRpcOpts & { json?: boolean };
type SecretsAuditOptions = {
check?: boolean;
json?: boolean;
allowExec?: boolean;
};
type SecretsConfigureOptions = {
apply?: boolean;
@@ -23,11 +24,13 @@ type SecretsConfigureOptions = {
providersOnly?: boolean;
skipProviderSetup?: boolean;
agent?: string;
allowExec?: boolean;
json?: boolean;
};
type SecretsApplyOptions = {
from: string;
dryRun?: boolean;
allowExec?: boolean;
json?: boolean;
};
@@ -82,10 +85,17 @@ export function registerSecretsCli(program: Command) {
.command("audit")
.description("Audit plaintext secrets, unresolved refs, and precedence drift")
.option("--check", "Exit non-zero when findings are present", false)
.option(
"--allow-exec",
"Allow exec SecretRef resolution during audit (may execute provider commands)",
false,
)
.option("--json", "Output JSON", false)
.action(async (opts: SecretsAuditOptions) => {
try {
const report = await runSecretsAudit();
const report = await runSecretsAudit({
allowExec: Boolean(opts.allowExec),
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(report, null, 2));
} else {
@@ -102,6 +112,11 @@ export function registerSecretsCli(program: Command) {
defaultRuntime.log(`... ${report.findings.length - 20} more finding(s).`);
}
}
if (report.resolution.skippedExecRefs > 0) {
defaultRuntime.log(
`Audit note: skipped ${report.resolution.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during audit.`,
);
}
}
const exitCode = resolveSecretsAuditExitCode(report, Boolean(opts.check));
if (exitCode !== 0) {
@@ -128,6 +143,11 @@ export function registerSecretsCli(program: Command) {
"--agent <id>",
"Agent id for auth-profiles targets (default: configured default agent)",
)
.option(
"--allow-exec",
"Allow exec SecretRef preflight checks (may execute provider commands)",
false,
)
.option("--plan-out <path>", "Write generated plan JSON to a file")
.option("--json", "Output JSON", false)
.action(async (opts: SecretsConfigureOptions) => {
@@ -136,6 +156,7 @@ export function registerSecretsCli(program: Command) {
providersOnly: Boolean(opts.providersOnly),
skipProviderSetup: Boolean(opts.skipProviderSetup),
agentId: typeof opts.agent === "string" ? opts.agent : undefined,
allowExecInPreflight: Boolean(opts.allowExec),
});
if (opts.planOut) {
fs.writeFileSync(opts.planOut, `${JSON.stringify(configured.plan, null, 2)}\n`, "utf8");
@@ -160,6 +181,14 @@ export function registerSecretsCli(program: Command) {
defaultRuntime.log(`- warning: ${warning}`);
}
}
if (
!configured.preflight.checks.resolvabilityComplete &&
configured.preflight.skippedExecRefs > 0
) {
defaultRuntime.log(
`Preflight note: skipped ${configured.preflight.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during preflight.`,
);
}
const providerUpserts = Object.keys(configured.plan.providerUpserts ?? {}).length;
const providerDeletes = configured.plan.providerDeletes?.length ?? 0;
defaultRuntime.log(
@@ -196,6 +225,7 @@ export function registerSecretsCli(program: Command) {
const result = await runSecretsApply({
plan: configured.plan,
write: true,
allowExec: Boolean(opts.allowExec),
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
@@ -218,6 +248,7 @@ export function registerSecretsCli(program: Command) {
.description("Apply a previously generated secrets plan")
.requiredOption("--from <path>", "Path to plan JSON")
.option("--dry-run", "Validate/preflight only", false)
.option("--allow-exec", "Allow exec SecretRef checks (may execute provider commands)", false)
.option("--json", "Output JSON", false)
.action(async (opts: SecretsApplyOptions) => {
try {
@@ -225,6 +256,7 @@ export function registerSecretsCli(program: Command) {
const result = await runSecretsApply({
plan,
write: !opts.dryRun,
allowExec: Boolean(opts.allowExec),
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
@@ -236,6 +268,11 @@ export function registerSecretsCli(program: Command) {
? `Secrets apply dry run: ${result.changedFiles.length} file(s) would change.`
: "Secrets apply dry run: no changes.",
);
if (!result.checks.resolvabilityComplete && result.skippedExecRefs > 0) {
defaultRuntime.log(
`Secrets apply dry-run note: skipped ${result.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during dry-run.`,
);
}
return;
}
defaultRuntime.log(