diff --git a/CHANGELOG.md b/CHANGELOG.md index 184488c8324..354874c67fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -68,6 +68,7 @@ Docs: https://docs.openclaw.ai - Plugins/compat: expand the central compatibility registry with dated owners, replacements, and removal targets for legacy SDK, manifest, setup, registry-migration, and agent-runtime surfaces. Thanks @vincentkoc. - Plugins/registry: ignore stale persisted registry reads when plugin policy no longer matches current config, and stamp generated registry files with a do-not-edit warning. Thanks @vincentkoc. - Config/plugins: keep plugin command-alias validation on cold manifest metadata instead of importing the runtime alias resolver. Thanks @vincentkoc. +- Security/plugins: keep web-search credential presence checks on cold config, env, and manifest metadata instead of importing web-search provider runtime. Thanks @vincentkoc. - Diagnostics/OTEL: surface provider request identifiers as bounded hashes on model-call diagnostics and span events, without exporting raw request IDs or metric labels. Thanks @Lidang-Jiang and @vincentkoc. - Plugins/diagnostics: add metadata-only `model_call_started` and `model_call_ended` hooks for provider/model call telemetry without exposing prompts, responses, headers, request bodies, or raw provider request IDs. Thanks @vincentkoc. - Diagnostics/OTEL: emit bounded context assembly diagnostics and export `openclaw.context.assembled` spans with prompt/history sizes but no prompt, history, response, or session-key content. Thanks @vincentkoc. diff --git a/src/plugins/web-search-credential-presence.test.ts b/src/plugins/web-search-credential-presence.test.ts index afedee7deea..8bd0ddbb07a 100644 --- a/src/plugins/web-search-credential-presence.test.ts +++ b/src/plugins/web-search-credential-presence.test.ts @@ -1,21 +1,10 @@ -import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest"; +import fs from "node:fs"; +import path from "node:path"; +import { fileURLToPath } from "node:url"; +import { beforeAll, describe, expect, it } from "vitest"; import type { OpenClawConfig } from "../config/types.openclaw.js"; -const { resolvePluginWebSearchProvidersMock } = vi.hoisted(() => ({ - resolvePluginWebSearchProvidersMock: vi.fn(() => [ - { - id: "brave", - pluginId: "brave", - envVars: ["BRAVE_API_KEY"], - getCredentialValue: (searchConfig: Record | undefined) => - searchConfig?.apiKey, - }, - ]), -})); - -vi.mock("./web-search-providers.runtime.js", () => ({ - resolvePluginWebSearchProviders: resolvePluginWebSearchProvidersMock, -})); +const repoRoot = fileURLToPath(new URL("../..", import.meta.url)); let hasConfiguredWebSearchCredential: typeof import("./web-search-credential-presence.js").hasConfiguredWebSearchCredential; @@ -23,11 +12,17 @@ beforeAll(async () => { ({ hasConfiguredWebSearchCredential } = await import("./web-search-credential-presence.js")); }); -beforeEach(() => { - resolvePluginWebSearchProvidersMock.mockClear(); -}); - describe("hasConfiguredWebSearchCredential", () => { + it("does not statically import web-search runtime providers", () => { + const source = fs.readFileSync( + path.join(repoRoot, "src/plugins/web-search-credential-presence.ts"), + "utf8", + ); + + expect(source).not.toMatch(/\bfrom\s+["'][^"']*web-search-providers\.runtime\.js["']/); + expect(source).not.toMatch(/\bfrom\s+["'][^"']*loader\.js["']/); + }); + it("keeps empty config and env on the manifest-only path", () => { expect( hasConfiguredWebSearchCredential({ @@ -37,10 +32,9 @@ describe("hasConfiguredWebSearchCredential", () => { bundledAllowlistCompat: true, }), ).toBe(false); - expect(resolvePluginWebSearchProvidersMock).not.toHaveBeenCalled(); }); - it("loads provider runtime only when a credential candidate exists", () => { + it("detects configured web search credential candidates without runtime loading", () => { expect( hasConfiguredWebSearchCredential({ config: { @@ -51,6 +45,5 @@ describe("hasConfiguredWebSearchCredential", () => { bundledAllowlistCompat: true, }), ).toBe(true); - expect(resolvePluginWebSearchProvidersMock).toHaveBeenCalledTimes(1); }); }); diff --git a/src/plugins/web-search-credential-presence.ts b/src/plugins/web-search-credential-presence.ts index c5bbb0b3f25..2fbc5f7ceff 100644 --- a/src/plugins/web-search-credential-presence.ts +++ b/src/plugins/web-search-credential-presence.ts @@ -1,7 +1,6 @@ import type { OpenClawConfig } from "../config/types.openclaw.js"; import type { PluginManifestRecord } from "./manifest-registry.js"; import { loadPluginManifestRegistryForPluginRegistry } from "./plugin-registry.js"; -import { resolvePluginWebSearchProviders } from "./web-search-providers.runtime.js"; function hasConfiguredCredentialValue(value: unknown): boolean { if (typeof value === "string") { @@ -74,29 +73,13 @@ export function hasConfiguredWebSearchCredential(params: { const searchConfig = params.searchConfig ?? (params.config.tools?.web?.search as Record | undefined); - if ( - !hasConfiguredSearchCredentialCandidate(searchConfig) && - !hasConfiguredPluginWebSearchCandidate(params.config) && - !hasManifestWebSearchEnvCredentialCandidate({ + return ( + hasConfiguredSearchCredentialCandidate(searchConfig) || + hasConfiguredPluginWebSearchCandidate(params.config) || + hasManifestWebSearchEnvCredentialCandidate({ config: params.config, env: params.env, origin: params.origin, }) - ) { - return false; - } - return resolvePluginWebSearchProviders({ - config: params.config, - env: params.env, - bundledAllowlistCompat: params.bundledAllowlistCompat ?? false, - origin: params.origin, - }).some((provider) => { - const configuredCredential = - provider.getConfiguredCredentialValue?.(params.config) ?? - provider.getCredentialValue(searchConfig); - if (hasConfiguredCredentialValue(configuredCredential)) { - return true; - } - return provider.envVars.some((envVar) => hasConfiguredCredentialValue(params.env?.[envVar])); - }); + ); }