From c19f322ff97412eaca6ed6b7e7ec2427181c7246 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 7 Apr 2026 08:35:01 +0100
Subject: [PATCH] perf(secrets): move plugin-owned coverage out of core matrix
---
.../googlechat/src/secret-contract.test.ts | 60 +++++++++++++++++++
src/secrets/runtime-web-tools.test.ts | 30 ++++++++++
src/secrets/runtime.coverage.test.ts | 8 ++-
3 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 extensions/googlechat/src/secret-contract.test.ts
diff --git a/extensions/googlechat/src/secret-contract.test.ts b/extensions/googlechat/src/secret-contract.test.ts
new file mode 100644
index 00000000000..c8cf0a3e7c1
--- /dev/null
+++ b/extensions/googlechat/src/secret-contract.test.ts
@@ -0,0 +1,60 @@
+import { describe, expect, it } from "vitest";
+import { resolveSecretRefValues } from "../../../src/secrets/resolve.js";
+import {
+ applyResolvedAssignments,
+ createResolverContext,
+} from "../../../src/secrets/runtime-shared.js";
+import { collectRuntimeConfigAssignments } from "./secret-contract.js";
+
+describe("googlechat secret contract", () => {
+ it("resolves account serviceAccount SecretRefs for enabled accounts", async () => {
+ const sourceConfig = {
+ channels: {
+ googlechat: {
+ enabled: true,
+ accounts: {
+ work: {
+ enabled: true,
+ serviceAccountRef: {
+ source: "env",
+ provider: "default",
+ id: "GOOGLECHAT_SERVICE_ACCOUNT",
+ },
+ },
+ },
+ },
+ },
+ };
+ const resolvedConfig = structuredClone(sourceConfig);
+ const context = createResolverContext({
+ sourceConfig,
+ env: {
+ GOOGLECHAT_SERVICE_ACCOUNT: '{"client_email":"bot@example.com"}',
+ },
+ });
+
+ collectRuntimeConfigAssignments({
+ config: resolvedConfig,
+ defaults: undefined,
+ context,
+ });
+
+ const resolved = await resolveSecretRefValues(
+ context.assignments.map((assignment) => assignment.ref),
+ {
+ config: sourceConfig,
+ env: context.env,
+ cache: context.cache,
+ },
+ );
+ applyResolvedAssignments({
+ assignments: context.assignments,
+ resolved,
+ });
+
+ expect(resolvedConfig.channels.googlechat.accounts.work.serviceAccount).toBe(
+ '{"client_email":"bot@example.com"}',
+ );
+ expect(context.warnings).toEqual([]);
+ });
+});
diff --git a/src/secrets/runtime-web-tools.test.ts b/src/secrets/runtime-web-tools.test.ts
index 0ee56c2facc..989799e2442 100644
--- a/src/secrets/runtime-web-tools.test.ts
+++ b/src/secrets/runtime-web-tools.test.ts
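Review bot: The new contract test covers only the enabled path, so nothing in this file pins what happens to `serviceAccountRef` when the channel or the `work` account has `enabled: false`. If the contract is that inactive accounts are skipped (the test title suggests so, but `collectRuntimeConfigAssignments` is not visible in this patch), add a second case with `enabled: false` that asserts `expect(context.assignments).toEqual([]);`, so a regression cannot start reading service-account credentials for a surface that is switched off. Separately, `resolvedConfig` takes its type from the literal, which has no `serviceAccount` key, so the final `expect(...)` property access may not type-check if test files are compiled; a typed config or an explicit cast at that access would avoid it.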
@@ -1015,6 +1015,36 @@ describe("runtime web tools resolution", () => { ).toBe("firecrawl-runtime-key"); }); + it("resolves legacy Firecrawl web fetch SecretRefs through the plugin-owned path", async () => { + const { metadata, resolvedConfig } = await runRuntimeWebTools({ + config: asConfig({ + tools: { + web: { + fetch: { + firecrawl: { + apiKey: { source: "env", provider: "default", id: "FIRECRAWL_API_KEY" }, + }, + }, + }, + }, + }), + env: { + FIRECRAWL_API_KEY: "firecrawl-legacy-key", + }, + }); + + expect(metadata.fetch.providerSource).toBe("auto-detect"); + expect(metadata.fetch.selectedProvider).toBe("firecrawl"); + expect(metadata.fetch.selectedProviderKeySource).toBe("env"); + expect( + ( + resolvedConfig.plugins?.entries?.firecrawl?.config as + | { webFetch?: { apiKey?: unknown } } + | undefined + )?.webFetch?.apiKey, + ).toBe("firecrawl-legacy-key"); + }); + it("fails fast when active web fetch provider SecretRef is unresolved with no fallback", async () => { const sourceConfig = asConfig({ plugins: { diff --git a/src/secrets/runtime.coverage.test.ts b/src/secrets/runtime.coverage.test.ts index 486590e3beb..502f52a0835 100644 --- a/src/secrets/runtime.coverage.test.ts +++ b/src/secrets/runtime.coverage.test.ts @@ -53,6 +53,10 @@ const COVERAGE_REGISTRY_ENTRIES = loadCoverageRegistryEntries(); const DEBUG_COVERAGE_BATCHES = process.env.OPENCLAW_DEBUG_RUNTIME_COVERAGE === "1"; const COVERAGE_LOADABLE_PLUGIN_ORIGINS = buildCoverageLoadablePluginOrigins(COVERAGE_REGISTRY_ENTRIES); +const PLUGIN_OWNED_OPENCLAW_COVERAGE_EXCLUSIONS = new Set([ + "channels.googlechat.accounts.*.serviceAccount", + "tools.web.fetch.firecrawl.apiKey", +]); let applyResolvedAssignments: typeof import("./runtime-shared.js").applyResolvedAssignments; let collectAuthStoreAssignments: typeof import("./runtime-auth-collectors.js").collectAuthStoreAssignments; 
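Review bot: The added Firecrawl case checks where the resolved key lands but not where it must not appear: `metadata` is returned next to `resolvedConfig` and only three of its fields are inspected. If runtime metadata is logged or surfaced in diagnostics (not visible here), an assertion such as `expect(JSON.stringify(metadata)).not.toContain("firecrawl-legacy-key");` would pin that the plaintext key stays confined to the plugin config. It would also help to assert what remains at the legacy `tools.web.fetch.firecrawl.apiKey` path after resolution, since this case appears to be the replacement coverage for the target that the later hunk removes from the core matrix. The enclosing `describe` starts and ends outside the hunk.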
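Review bot: `PLUGIN_OWNED_OPENCLAW_COVERAGE_EXCLUSIONS` is a set of bare string ids with nothing tying each one to the test that now covers it, and the filter in the `@@ -513,7 +517,9 @@` hunk drops matching entries silently. If a plugin-owned test is later removed or narrowed, the secret target stays excluded here and falls out of coverage without any failure; a renamed registry id leaves a dead exclusion behind. Add a comment above the set naming the covering file for each id (`extensions/googlechat/src/secret-contract.test.ts` and `src/secrets/runtime-web-tools.test.ts`), and a guard such as `for (const id of PLUGIN_OWNED_OPENCLAW_COVERAGE_EXCLUSIONS) expect(COVERAGE_REGISTRY_ENTRIES.some((entry) => entry.id === id)).toBe(true);` so a stale entry fails the suite.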
@@ -513,7 +517,9 @@ describe("secrets runtime target coverage", () => { it("handles every openclaw.json registry target when configured as active", async () => { const entries = COVERAGE_REGISTRY_ENTRIES.filter( - (entry) => entry.configFile === "openclaw.json", + (entry) => + entry.configFile === "openclaw.json" && + !PLUGIN_OWNED_OPENCLAW_COVERAGE_EXCLUSIONS.has(entry.id), ); for (const batch of buildCoverageBatches(entries)) { logCoverageBatch("openclaw.json", batch);