diff --git a/extensions/firecrawl/src/config.ts b/extensions/firecrawl/src/config.ts index 8d4d563b95f..0a501afb65e 100644 --- a/extensions/firecrawl/src/config.ts +++ b/extensions/firecrawl/src/config.ts @@ -1,5 +1,5 @@ import type { OpenClawConfig } from "openclaw/plugin-sdk/config-runtime"; -import { resolveDefaultSecretProviderAlias } from "openclaw/plugin-sdk/provider-auth"; +import { canResolveEnvSecretRefInReadOnlyPath } from "openclaw/plugin-sdk/extension-shared"; import { resolveSecretInputString, normalizeSecretInput } from "openclaw/plugin-sdk/secret-input"; export const DEFAULT_FIRECRAWL_BASE_URL = "https://api.firecrawl.dev"; @@ -108,22 +108,6 @@ type ConfiguredSecretResolution = | { status: "missing" } | { status: "blocked" }; -function canResolveEnvSecretRefInReadOnlyPath(params: { - cfg?: OpenClawConfig; - provider: string; - id: string; -}): boolean { - const providerConfig = params.cfg?.secrets?.providers?.[params.provider]; - if (!providerConfig) { - return params.provider === resolveDefaultSecretProviderAlias(params.cfg ?? {}, "env"); - } - if (providerConfig.source !== "env") { - return false; - } - const allowlist = providerConfig.allowlist; - return !allowlist || allowlist.includes(params.id); -} - function resolveConfiguredSecret( value: unknown, path: string, diff --git a/extensions/xai/src/tool-auth-shared.ts b/extensions/xai/src/tool-auth-shared.ts index 1d6bc8ddb35..3338c504d5e 100644 --- a/extensions/xai/src/tool-auth-shared.ts +++ b/extensions/xai/src/tool-auth-shared.ts @@ -1,7 +1,7 @@ import type { OpenClawConfig } from "openclaw/plugin-sdk/config-runtime"; +import { canResolveEnvSecretRefInReadOnlyPath } from "openclaw/plugin-sdk/extension-shared"; import { coerceSecretRef, - resolveDefaultSecretProviderAlias, resolveNonEnvSecretRefApiKeyMarker, } from "openclaw/plugin-sdk/provider-auth"; import { @@ -24,22 +24,6 @@ type ConfiguredRuntimeApiKeyResolution = | { status: "missing" } | { status: "blocked" }; -function canResolveEnvSecretRefInReadOnlyPath(params: { - cfg?: OpenClawConfig; - provider: string; - id: string; -}): boolean { - const providerConfig = params.cfg?.secrets?.providers?.[params.provider]; - if (!providerConfig) { - return params.provider === resolveDefaultSecretProviderAlias(params.cfg ?? {}, "env"); - } - if (providerConfig.source !== "env") { - return false; - } - const allowlist = providerConfig.allowlist; - return !allowlist || allowlist.includes(params.id); -} - function readConfiguredOrManagedApiKey(value: unknown): string | undefined { const literal = normalizeSecretInputString(value); if (literal) { diff --git a/src/plugin-sdk/extension-shared.ts b/src/plugin-sdk/extension-shared.ts index f21dad06395..2f024254197 100644 --- a/src/plugin-sdk/extension-shared.ts +++ b/src/plugin-sdk/extension-shared.ts @@ -1,5 +1,7 @@ import type { z } from "zod"; +import type { OpenClawConfig } from "../config/config.js"; import { hasEnvHttpProxyConfigured } from "../infra/net/proxy-env.js"; +import { resolveDefaultSecretProviderAlias } from "../secrets/ref-contract.js"; import { runPassiveAccountLifecycle } from "./channel-lifecycle.core.js"; import { createLoggerBackedRuntime } from "./runtime-logger.js"; export { safeParseJsonWithSchema, safeParseWithSchema } from "../utils/zod-parse.js"; @@ -191,6 +193,22 @@ export function mapPluginConfigIssues( })); } +export function canResolveEnvSecretRefInReadOnlyPath(params: { + cfg?: OpenClawConfig; + provider: string; + id: string; +}): boolean { + const providerConfig = params.cfg?.secrets?.providers?.[params.provider]; + if (!providerConfig) { + return params.provider === resolveDefaultSecretProviderAlias(params.cfg ?? {}, "env"); + } + if (providerConfig.source !== "env") { + return false; + } + const allowlist = providerConfig.allowlist; + return !allowlist || allowlist.includes(params.id); +} + export function readPluginPackageVersion(params: { require: PackageJsonRequire; candidates?: readonly string[];