vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-26 08:31:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: resolve acpx MCP secret inputs

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-30 05:29:12 +09:00
parent 35233bae96
commit 694bc082a8
6 changed files with 861 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
src/secrets/runtime.test.ts
View File

@@ -2423,6 +2423,165 @@ describe("secrets runtime snapshot", () => {
);
});
it("resolves SecretRef objects for active acpx MCP env vars", async () => {
const config = asConfig({
plugins: {
entries: {
acpx: {
enabled: true,
config: {
mcpServers: {
github: {
command: "npx",
env: {
GITHUB_TOKEN: {
source: "env",
provider: "default",
id: "GH_TOKEN_SECRET",
},
},
},
},
},
},
},
},
});
const snapshot = await prepareSecretsRuntimeSnapshot({
config,
env: {
GH_TOKEN_SECRET: "ghp-object-token",
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
});
const sourceEntries = snapshot.sourceConfig.plugins?.entries as Record<
string,
{ config?: Record<string, unknown> }
>;
const sourceMcpServers = sourceEntries?.acpx?.config?.mcpServers as Record<
string,
{ env?: Record<string, unknown> }
>;
const entries = snapshot.config.plugins?.entries as Record<
string,
{ config?: Record<string, unknown> }
>;
const mcpServers = entries?.acpx?.config?.mcpServers as Record<
string,
{ env?: Record<string, unknown> }
>;
expect(mcpServers?.github?.env?.GITHUB_TOKEN).toBe("ghp-object-token");
expect(sourceMcpServers?.github?.env?.GITHUB_TOKEN).toEqual({
source: "env",
provider: "default",
id: "GH_TOKEN_SECRET",
});
});
it("resolves inline env-template refs for active acpx MCP env vars", async () => {
const config = asConfig({
plugins: {
entries: {
acpx: {
enabled: true,
config: {
mcpServers: {
github: {
command: "npx",
env: {
GITHUB_TOKEN: "${GH_TOKEN_SECRET}",
SECOND_TOKEN: "${SECOND_SECRET}",
LITERAL: "literal-value",
},
},
},
},
},
},
},
});
const snapshot = await prepareSecretsRuntimeSnapshot({
config,
env: {
GH_TOKEN_SECRET: "ghp-inline-token",
SECOND_SECRET: "ghp-second-token",
},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
});
const entries = snapshot.config.plugins?.entries as Record<
string,
{ config?: Record<string, unknown> }
>;
const mcpServers = entries?.acpx?.config?.mcpServers as Record<
string,
{ env?: Record<string, unknown> }
>;
expect(mcpServers?.github?.env?.GITHUB_TOKEN).toBe("ghp-inline-token");
expect(mcpServers?.github?.env?.SECOND_TOKEN).toBe("ghp-second-token");
expect(mcpServers?.github?.env?.LITERAL).toBe("literal-value");
});
it("treats bundled acpx MCP env refs as inactive until the plugin is enabled", async () => {
const config = asConfig({
plugins: {
entries: {
acpx: {
config: {
mcpServers: {
github: {
command: "npx",
env: {
GITHUB_TOKEN: {
source: "env",
provider: "default",
id: "GH_TOKEN_SECRET",
},
},
},
},
},
},
},
},
});
const snapshot = await prepareSecretsRuntimeSnapshot({
config,
env: {},
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
});
expect(
snapshot.warnings.some(
(warning) =>
warning.code === "SECRETS_REF_IGNORED_INACTIVE_SURFACE" &&
warning.path === "plugins.entries.acpx.config.mcpServers.github.env.GITHUB_TOKEN",
),
).toBe(true);
const entries = snapshot.config.plugins?.entries as Record<
string,
{ config?: Record<string, unknown> }
>;
const mcpServers = entries?.acpx?.config?.mcpServers as Record<
string,
{ env?: Record<string, unknown> }
>;
expect(mcpServers?.github?.env?.GITHUB_TOKEN).toEqual({
source: "env",
provider: "default",
id: "GH_TOKEN_SECRET",
});
});
it("does not write inherited auth stores during runtime secret activation", async () => {
const root = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-secrets-runtime-"));
const stateDir = path.join(root, ".openclaw");