SecretRef: harden custom/provider secret persistence and reuse (#42554)

* Models: gate custom provider keys by usable secret semantics

* Config: project runtime writes onto source snapshot

* Models: prevent stale apiKey preservation for marker-managed providers

* Runner: strip SecretRef marker headers from resolved models

* Secrets: scan active agent models.json path in audit

* Config: guard runtime-source projection for unrelated configs

* Extensions: fix onboarding type errors in CI

* Tests: align setup helper account-enabled expectation

* Secrets audit: harden models.json file reads

* fix: harden SecretRef custom/provider secret persistence (#42554) (thanks @joshavant)
Josh Avant
2026-03-10 18:46:47 -05:00
committed by Peter Steinberger
parent 20237358d9
commit 36d2ae2a22
40 changed files with 651 additions and 73 deletions


@@ -6,6 +6,7 @@ import type {
WizardPrompter,
} from "openclaw/plugin-sdk/bluebubbles";
import {
DEFAULT_ACCOUNT_ID,
formatDocsLink,
mergeAllowFromEntries,
normalizeAccountId,


@@ -1,5 +1,6 @@
import type { OpenClawConfig, DmPolicy } from "openclaw/plugin-sdk/googlechat";
import {
DEFAULT_ACCOUNT_ID,
applySetupAccountConfigPatch,
addWildcardAllowFrom,
formatDocsLink,


@@ -232,7 +232,7 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
botSecret: value,
}),
});
next = secretStep.cfg;
next = secretStep.cfg as CoreConfig;
if (secretStep.action === "keep" && baseUrl !== resolvedAccount.baseUrl) {
next = setNextcloudTalkAccountConfig(next, accountId, {
@@ -278,7 +278,7 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
next =
apiPasswordStep.action === "keep"
? setNextcloudTalkAccountConfig(next, accountId, { apiUser })
: apiPasswordStep.cfg;
: (apiPasswordStep.cfg as CoreConfig);
}
if (forceAllowFrom) {
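Review bot: The `as CoreConfig` assertions on `secretStep.cfg` and `apiPasswordStep.cfg` make the compiler accept the value without checking it, so a later change to what the secret step returns would no longer be caught on the path that writes `botSecret` and the API password. Presumably the step helper is declared to return the wider SDK config type; typing it generically, so that it returns the config type it was given, would remove both casts. If the casts stay, each should carry a why-comment such as `// cfg is built from next (already a CoreConfig); only the helper's declared return type is wider`, to be confirmed against the helper, which is not visible here. The adapter method containing both hunks starts and ends outside them.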


@@ -5,6 +5,7 @@ import type {
WizardPrompter,
} from "openclaw/plugin-sdk/zalouser";
import {
DEFAULT_ACCOUNT_ID,
formatResolvedUnresolvedNote,
mergeAllowFromEntries,
normalizeAccountId,