From 4babd925c40d9eeaecee95482b630342540da4f9 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Fri, 1 May 2026 23:37:51 +0100
Subject: [PATCH] refactor: trim infra env exports
---
 src/infra/exec-approval-session-target.ts | 6 ----
 src/infra/exec-safe-bin-policy-profiles.ts | 2 +-
 src/infra/fs-pinned-write-helper.ts | 2 +-
 src/infra/gateway-discovery-targets.ts | 2 +-
 src/infra/gateway-lock.ts | 2 +-
 src/infra/git-root.ts | 2 +-
 src/infra/heartbeat-reason.ts | 2 +-
 src/infra/heartbeat-typing.ts | 2 +-
 src/infra/host-env-security.ts | 35 ++++++++++------------
 9 files changed, 23 insertions(+), 32 deletions(-)
diff --git a/src/infra/exec-approval-session-target.ts b/src/infra/exec-approval-session-target.ts
index 0cf32fe0a13..c3fc061b444 100644
--- a/src/infra/exec-approval-session-target.ts
+++ b/src/infra/exec-approval-session-target.ts
@@ -10,12 +10,6 @@ import type { ExecApprovalRequest } from "./exec-approvals.js";
 import { resolveSessionDeliveryTarget } from "./outbound/targets.js";
 import type { PluginApprovalRequest } from "./plugin-approvals.js";
-export {
- doesApprovalRequestMatchChannelAccount,
- resolveApprovalRequestAccountId,
- resolveApprovalRequestChannelAccountId,
-} from "./approval-request-account-binding.js";
-
 export type ExecApprovalSessionTarget = {
 channel?: string;
 to: string;
diff --git a/src/infra/exec-safe-bin-policy-profiles.ts b/src/infra/exec-safe-bin-policy-profiles.ts
index e0609f3f2e3..283bb220620 100644
--- a/src/infra/exec-safe-bin-policy-profiles.ts
+++ b/src/infra/exec-safe-bin-policy-profiles.ts
@@ -295,7 +295,7 @@ export function resolveSafeBinProfiles(
 };
 }
-export function resolveSafeBinDeniedFlags(
+function resolveSafeBinDeniedFlags(
 fixtures: Readonly> = SAFE_BIN_PROFILE_FIXTURES,
 ): Record {
 const out: Record = {};
diff --git a/src/infra/fs-pinned-write-helper.ts b/src/infra/fs-pinned-write-helper.ts
index c7a91510b93..6659a73e461 100644
--- a/src/infra/fs-pinned-write-helper.ts
+++ b/src/infra/fs-pinned-write-helper.ts
@@ -7,7 +7,7 @@ import type { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import type { FileIdentityStat } from "./file-identity.js";
-export type PinnedWriteInput =
+type PinnedWriteInput =
 | { kind: "buffer"; data: string | Buffer; encoding?: BufferEncoding }
 | { kind: "stream"; stream: Readable };
diff --git a/src/infra/gateway-discovery-targets.ts b/src/infra/gateway-discovery-targets.ts
index dbc374e765a..028643f55a8 100644
--- a/src/infra/gateway-discovery-targets.ts
+++ b/src/infra/gateway-discovery-targets.ts
@@ -5,7 +5,7 @@ import {
 type GatewayDiscoveryResolvedEndpoint,
 } from "./bonjour-discovery.js";
-export type GatewayDiscoveryTarget = {
+type GatewayDiscoveryTarget = {
 title: string;
 domain: string;
 endpoint: GatewayDiscoveryResolvedEndpoint | null;
diff --git a/src/infra/gateway-lock.ts b/src/infra/gateway-lock.ts
index 22b64dccea8..6ad152a310f 100644
--- a/src/infra/gateway-lock.ts
+++ b/src/infra/gateway-lock.ts
@@ -29,7 +29,7 @@ const LockPayloadSchema = z.object({
 startTime: z.number().optional(),
 }) as z.ZodType;
-export type GatewayLockHandle = {
+type GatewayLockHandle = {
 lockPath: string;
 configPath: string;
 release: () => Promise;
diff --git a/src/infra/git-root.ts b/src/infra/git-root.ts
index 9966947079e..748014a123d 100644
--- a/src/infra/git-root.ts
+++ b/src/infra/git-root.ts
@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
-export const DEFAULT_GIT_DISCOVERY_MAX_DEPTH = 12;
+const DEFAULT_GIT_DISCOVERY_MAX_DEPTH = 12;
 function walkUpFrom(
 startDir: string,
diff --git a/src/infra/heartbeat-reason.ts b/src/infra/heartbeat-reason.ts
index b6d4bde67c4..ca5cde1336a 100644
--- a/src/infra/heartbeat-reason.ts
+++ b/src/infra/heartbeat-reason.ts
@@ -1,6 +1,6 @@
 import { normalizeOptionalString } from "../shared/string-coerce.js";
-export type HeartbeatReasonKind =
+type HeartbeatReasonKind =
 | "retry"
 | "interval"
 | "manual"
diff --git a/src/infra/heartbeat-typing.ts b/src/infra/heartbeat-typing.ts
index 14fe06a0f66..15fc59db42d 100644
--- a/src/infra/heartbeat-typing.ts
+++ b/src/infra/heartbeat-typing.ts
@@ -8,7 +8,7 @@ type HeartbeatTypingLogger = {
 debug?: (message: string, meta?: Record) => void;
 };
-export type HeartbeatTypingTarget = {
+type HeartbeatTypingTarget = {
 channel: string;
 to?: string;
 accountId?: string | null;
diff --git a/src/infra/host-env-security.ts b/src/infra/host-env-security.ts
index 31d43024121..2cc65310449 100644
--- a/src/infra/host-env-security.ts
+++ b/src/infra/host-env-security.ts
@@ -4,25 +4,25 @@ import { markOpenClawExecEnv } from "./openclaw-exec-env.js";
 const PORTABLE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
 const WINDOWS_COMPAT_OVERRIDE_ENV_VAR_KEY = /^[A-Za-z_][A-Za-z0-9_()]*$/;
-export const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_ENV_KEY_VALUES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedKeys,
 ]);
-export const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_ENV_PREFIXES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedPrefixes,
 ]);
-export const HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedInheritedKeys,
 ]);
-export const HOST_DANGEROUS_INHERITED_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_INHERITED_ENV_PREFIXES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedInheritedPrefixes,
 ]);
-export const HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedOverrideKeys,
 ]);
-export const HOST_DANGEROUS_OVERRIDE_ENV_PREFIXES: readonly string[] = Object.freeze([
+const HOST_DANGEROUS_OVERRIDE_ENV_PREFIXES: readonly string[] = Object.freeze([
 ...HOST_ENV_SECURITY_POLICY.blockedOverridePrefixes,
 ]);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string[] = Object.freeze([
 "TERM",
 "LANG",
 "LC_ALL",
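Review bot: The three blocklist families declared here (`blockedKeys`, `blockedInheritedKeys`, `blockedOverrideKeys`, each with a prefix twin) sit back to back with no comment saying which environment source each one filters. Now that the constants are private to the module, this file is the only place a reader auditing the sanitizer can learn the difference. A one-line comment above each pair would do, for example `// Rejected only in caller-supplied overrides; inherited values are filtered by the INHERITED lists.` above `HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES`. That wording is inferred from the names and should be checked against the sanitizer code, which is outside this hunk.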
@@ -32,16 +32,13 @@ export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES: readonly string
 "NO_COLOR",
 "FORCE_COLOR",
 ]);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_PREFIX_VALUES: readonly string[] =
- Object.freeze(["LC_"]);
-export const HOST_DANGEROUS_ENV_KEYS = new Set(HOST_DANGEROUS_ENV_KEY_VALUES);
-export const HOST_DANGEROUS_INHERITED_ENV_KEYS = new Set(
- HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES,
-);
-export const HOST_DANGEROUS_OVERRIDE_ENV_KEYS = new Set(
- HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES,
-);
-export const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEYS = new Set(
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_PREFIX_VALUES: readonly string[] = Object.freeze([
+ "LC_",
+]);
+const HOST_DANGEROUS_ENV_KEYS = new Set(HOST_DANGEROUS_ENV_KEY_VALUES);
+const HOST_DANGEROUS_INHERITED_ENV_KEYS = new Set(HOST_DANGEROUS_INHERITED_ENV_KEY_VALUES);
+const HOST_DANGEROUS_OVERRIDE_ENV_KEYS = new Set(HOST_DANGEROUS_OVERRIDE_ENV_KEY_VALUES);
+const HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEYS = new Set(
 HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEY_VALUES,
 );
@@ -59,13 +56,13 @@ function isShellWrapperAllowedOverrideEnvVarName(rawKey: string): boolean {
 );
 }
-export type HostExecEnvSanitizationResult = {
+type HostExecEnvSanitizationResult = {
 env: Record;
 rejectedOverrideBlockedKeys: string[];
 rejectedOverrideInvalidKeys: string[];
 };
-export type HostExecEnvOverrideDiagnostics = {
+type HostExecEnvOverrideDiagnostics = {
 rejectedOverrideBlockedKeys: string[];
 rejectedOverrideInvalidKeys: string[];
 };
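Review bot: The four `new Set(...)` lookups in the `@@ -32,16 +32,13 @@` hunk stay mutable even though the arrays they are built from are frozen, so code in this module can still call `.add()` or `.delete()` on a blocklist or on the shell-wrapper allowlist. Annotating them as read-only lets the compiler reject such writes, for example `const HOST_DANGEROUS_ENV_KEYS: ReadonlySet<string> = new Set(HOST_DANGEROUS_ENV_KEY_VALUES);`. This is a compile-time guard only, not a runtime freeze. The same annotation fits `HOST_DANGEROUS_INHERITED_ENV_KEYS`, `HOST_DANGEROUS_OVERRIDE_ENV_KEYS` and `HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_KEYS`.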
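Review bot: In the `@@ -59,13 +56,13 @@` hunk, `HostExecEnvSanitizationResult` repeats both fields of `HostExecEnvOverrideDiagnostics` verbatim, so a rejection category added to one alias can be missed in the other. With both aliases now private to the file, the result type could be derived instead: `type HostExecEnvSanitizationResult = HostExecEnvOverrideDiagnostics & { env: ... };`, keeping `env` as currently declared and moving the diagnostics alias above it. Separately, if an exported function still returns either alias (not visible in this hunk), callers can no longer import the type by name and would have to fall back to `ReturnType<typeof ...>`.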