/**
 * Tests for the secrets runtime snapshot.
 *
 * Covers three behaviours visible in the assertions below:
 * - secret refs under `agents.defaults.sandbox.ssh` are resolved from `env`
 *   when the sandbox backend is `ssh`;
 * - the same refs are left untouched (and a
 *   `SECRETS_REF_IGNORED_INACTIVE_SURFACE` warning is emitted) when another
 *   backend is selected;
 * - an exec-provider ref id containing "." or ".." path segments makes
 *   `prepareSecretsRuntimeSnapshot` reject instead of silently continuing.
 */
import { afterEach, beforeAll, describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";

type ConfigModule = typeof import("../config/config.js");
type RuntimeModule = typeof import("./runtime.js");

/** Casts a partial fixture to `OpenClawConfig`; tests only populate the keys they need. */
function asConfig(value: unknown): OpenClawConfig {
  return value as OpenClawConfig;
}

/** Builds an `env`-sourced secret ref using the default provider. */
function envRef(id: string) {
  return { source: "env", provider: "default", id };
}

/** Shared empty plugin-origin map: no plugin-provided secret sources are exercised here. */
const EMPTY_LOADABLE_PLUGIN_ORIGINS = new Map();

// Bound in beforeAll via dynamic import (see below).
let clearConfigCache: ConfigModule["clearConfigCache"];
let clearRuntimeConfigSnapshot: ConfigModule["clearRuntimeConfigSnapshot"];
let clearSecretsRuntimeSnapshot: RuntimeModule["clearSecretsRuntimeSnapshot"];
let prepareSecretsRuntimeSnapshot: RuntimeModule["prepareSecretsRuntimeSnapshot"];

/**
 * Common argument shape for `prepareSecretsRuntimeSnapshot` in these tests.
 *
 * @param config - partial config fixture, cast via `asConfig`
 * @param env - environment map the `env` provider reads from (empty by default)
 */
function baseOptions(config: unknown, env: Record<string, string> = {}) {
  return {
    config: asConfig(config),
    env,
    includeAuthStoreRefs: false,
    loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
  };
}

describe("secrets runtime snapshot", () => {
  beforeAll(async () => {
    const configModule = await import("../config/config.js");
    const runtimeModule = await import("./runtime.js");
    clearConfigCache = configModule.clearConfigCache;
    clearRuntimeConfigSnapshot = configModule.clearRuntimeConfigSnapshot;
    clearSecretsRuntimeSnapshot = runtimeModule.clearSecretsRuntimeSnapshot;
    prepareSecretsRuntimeSnapshot = runtimeModule.prepareSecretsRuntimeSnapshot;
  });

  afterEach(() => {
    // Tear down in this order: secrets snapshot, runtime config snapshot, config cache.
    clearSecretsRuntimeSnapshot();
    clearRuntimeConfigSnapshot();
    clearConfigCache();
  });

  it("resolves sandbox ssh secret refs for active ssh backends", async () => {
    const sshConfig = {
      agents: {
        defaults: {
          sandbox: {
            mode: "all",
            backend: "ssh",
            ssh: {
              target: "peter@example.com:22",
              identityData: envRef("SSH_IDENTITY_DATA"),
              certificateData: envRef("SSH_CERTIFICATE_DATA"),
              knownHostsData: envRef("SSH_KNOWN_HOSTS_DATA"),
            },
          },
        },
      },
    };
    const sshEnv = {
      SSH_IDENTITY_DATA: "PRIVATE KEY",
      SSH_CERTIFICATE_DATA: "SSH CERT",
      SSH_KNOWN_HOSTS_DATA: "example.com ssh-ed25519 AAAATEST",
    };

    const snapshot = await prepareSecretsRuntimeSnapshot(baseOptions(sshConfig, sshEnv));

    // With backend "ssh" every ref is replaced by the value read from env.
    expect(snapshot.config.agents?.defaults?.sandbox?.ssh).toMatchObject({
      identityData: "PRIVATE KEY",
      certificateData: "SSH CERT",
      knownHostsData: "example.com ssh-ed25519 AAAATEST",
    });
  });

  it("treats sandbox ssh secret refs as inactive when ssh backend is not selected", async () => {
    const dockerConfig = {
      agents: {
        defaults: {
          sandbox: {
            mode: "all",
            backend: "docker",
            ssh: {
              identityData: envRef("SSH_IDENTITY_DATA"),
            },
          },
        },
      },
    };

    const snapshot = await prepareSecretsRuntimeSnapshot(baseOptions(dockerConfig));

    // Backend is "docker", so the ssh ref must survive unresolved ...
    expect(snapshot.config.agents?.defaults?.sandbox?.ssh?.identityData).toEqual({
      source: "env",
      provider: "default",
      id: "SSH_IDENTITY_DATA",
    });
    // ... and the snapshot must say so via a warning at the ref's config path.
    expect(snapshot.warnings).toEqual(
      expect.arrayContaining([
        expect.objectContaining({
          code: "SECRETS_REF_IGNORED_INACTIVE_SURFACE",
          path: "agents.defaults.sandbox.ssh.identityData",
        }),
      ]),
    );
  });

  it("fails when an active exec ref id contains traversal segments", async () => {
    // An exec-provider ref id carrying "." or ".." segments must be rejected
    // outright rather than passed on to the provider command.
    const traversalConfig = {
      talk: {
        apiKey: { source: "exec", provider: "vault", id: "a/../b" },
      },
      secrets: {
        providers: {
          vault: {
            source: "exec",
            command: process.execPath,
          },
        },
      },
    };

    const pending = prepareSecretsRuntimeSnapshot({
      ...baseOptions(traversalConfig),
      agentDirs: ["/tmp/openclaw-agent-main"],
      loadAuthStore: () => ({ version: 1, profiles: {} }),
    });

    await expect(pending).rejects.toThrow(/must not include "\." or "\.\." path segments/i);
  });
});