mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-20 13:41:30 +00:00
806803b7ef
* feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
592 lines
18 KiB
TypeScript
592 lines
18 KiB
TypeScript
import fs from "node:fs/promises";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
import { afterEach, beforeEach, describe, expect, it } from "vitest";
|
|
import { runSecretsApply } from "./apply.js";
|
|
import type { SecretsApplyPlan } from "./plan.js";
|
|
|
|
const OPENAI_API_KEY_ENV_REF = {
|
|
source: "env",
|
|
provider: "default",
|
|
id: "OPENAI_API_KEY",
|
|
} as const;
|
|
|
|
type ApplyFixture = {
|
|
rootDir: string;
|
|
stateDir: string;
|
|
configPath: string;
|
|
authStorePath: string;
|
|
authJsonPath: string;
|
|
envPath: string;
|
|
env: NodeJS.ProcessEnv;
|
|
};
|
|
|
|
function stripVolatileConfigMeta(input: string): Record<string, unknown> {
|
|
const parsed = JSON.parse(input) as Record<string, unknown>;
|
|
const meta =
|
|
parsed.meta && typeof parsed.meta === "object" && !Array.isArray(parsed.meta)
|
|
? { ...(parsed.meta as Record<string, unknown>) }
|
|
: undefined;
|
|
if (meta && "lastTouchedAt" in meta) {
|
|
delete meta.lastTouchedAt;
|
|
}
|
|
if (meta) {
|
|
parsed.meta = meta;
|
|
}
|
|
return parsed;
|
|
}
|
|
|
|
async function writeJsonFile(filePath: string, value: unknown): Promise<void> {
|
|
await fs.writeFile(filePath, `${JSON.stringify(value, null, 2)}\n`, "utf8");
|
|
}
|
|
|
|
function createOpenAiProviderConfig(apiKey: unknown = "sk-openai-plaintext") {
|
|
return {
|
|
baseUrl: "https://api.openai.com/v1",
|
|
api: "openai-completions",
|
|
apiKey,
|
|
models: [{ id: "gpt-5", name: "gpt-5" }],
|
|
};
|
|
}
|
|
|
|
function buildFixturePaths(rootDir: string) {
|
|
const stateDir = path.join(rootDir, ".openclaw");
|
|
return {
|
|
rootDir,
|
|
stateDir,
|
|
configPath: path.join(stateDir, "openclaw.json"),
|
|
authStorePath: path.join(stateDir, "agents", "main", "agent", "auth-profiles.json"),
|
|
authJsonPath: path.join(stateDir, "agents", "main", "agent", "auth.json"),
|
|
envPath: path.join(stateDir, ".env"),
|
|
};
|
|
}
|
|
|
|
async function createApplyFixture(): Promise<ApplyFixture> {
|
|
const paths = buildFixturePaths(
|
|
await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-secrets-apply-")),
|
|
);
|
|
await fs.mkdir(path.dirname(paths.configPath), { recursive: true });
|
|
await fs.mkdir(path.dirname(paths.authStorePath), { recursive: true });
|
|
return {
|
|
...paths,
|
|
env: {
|
|
OPENCLAW_STATE_DIR: paths.stateDir,
|
|
OPENCLAW_CONFIG_PATH: paths.configPath,
|
|
OPENAI_API_KEY: "sk-live-env",
|
|
},
|
|
};
|
|
}
|
|
|
|
async function seedDefaultApplyFixture(fixture: ApplyFixture): Promise<void> {
|
|
await writeJsonFile(fixture.configPath, {
|
|
models: {
|
|
providers: {
|
|
openai: createOpenAiProviderConfig(),
|
|
},
|
|
},
|
|
});
|
|
await writeJsonFile(fixture.authStorePath, {
|
|
version: 1,
|
|
profiles: {
|
|
"openai:default": {
|
|
type: "api_key",
|
|
provider: "openai",
|
|
key: "sk-openai-plaintext",
|
|
},
|
|
},
|
|
});
|
|
await writeJsonFile(fixture.authJsonPath, {
|
|
openai: {
|
|
type: "api_key",
|
|
key: "sk-openai-plaintext",
|
|
},
|
|
});
|
|
await fs.writeFile(
|
|
fixture.envPath,
|
|
"OPENAI_API_KEY=sk-openai-plaintext\nUNRELATED=value\n",
|
|
"utf8",
|
|
);
|
|
}
|
|
|
|
async function applyPlanAndReadConfig<T>(
|
|
fixture: ApplyFixture,
|
|
plan: SecretsApplyPlan,
|
|
): Promise<T> {
|
|
const result = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(result.changed).toBe(true);
|
|
return JSON.parse(await fs.readFile(fixture.configPath, "utf8")) as T;
|
|
}
|
|
|
|
function createPlan(params: {
|
|
targets: SecretsApplyPlan["targets"];
|
|
options?: SecretsApplyPlan["options"];
|
|
providerUpserts?: SecretsApplyPlan["providerUpserts"];
|
|
providerDeletes?: SecretsApplyPlan["providerDeletes"];
|
|
}): SecretsApplyPlan {
|
|
return {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: params.targets,
|
|
...(params.options ? { options: params.options } : {}),
|
|
...(params.providerUpserts ? { providerUpserts: params.providerUpserts } : {}),
|
|
...(params.providerDeletes ? { providerDeletes: params.providerDeletes } : {}),
|
|
};
|
|
}
|
|
|
|
function createOpenAiProviderTarget(params?: {
|
|
path?: string;
|
|
pathSegments?: string[];
|
|
providerId?: string;
|
|
}): SecretsApplyPlan["targets"][number] {
|
|
return {
|
|
type: "models.providers.apiKey",
|
|
path: params?.path ?? "models.providers.openai.apiKey",
|
|
...(params?.pathSegments ? { pathSegments: params.pathSegments } : {}),
|
|
providerId: params?.providerId ?? "openai",
|
|
ref: OPENAI_API_KEY_ENV_REF,
|
|
};
|
|
}
|
|
|
|
function createOneWayScrubOptions(): NonNullable<SecretsApplyPlan["options"]> {
|
|
return {
|
|
scrubEnv: true,
|
|
scrubAuthProfilesForProviderTargets: true,
|
|
scrubLegacyAuthJson: true,
|
|
};
|
|
}
|
|
|
|
describe("secrets apply", () => {
|
|
let fixture: ApplyFixture;
|
|
|
|
beforeEach(async () => {
|
|
fixture = await createApplyFixture();
|
|
await seedDefaultApplyFixture(fixture);
|
|
});
|
|
|
|
afterEach(async () => {
|
|
await fs.rm(fixture.rootDir, { recursive: true, force: true });
|
|
});
|
|
|
|
it("preflights and applies one-way scrub without plaintext backups", async () => {
|
|
const plan = createPlan({
|
|
targets: [createOpenAiProviderTarget()],
|
|
options: createOneWayScrubOptions(),
|
|
});
|
|
|
|
const dryRun = await runSecretsApply({ plan, env: fixture.env, write: false });
|
|
expect(dryRun.mode).toBe("dry-run");
|
|
expect(dryRun.changed).toBe(true);
|
|
|
|
const applied = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(applied.mode).toBe("write");
|
|
expect(applied.changed).toBe(true);
|
|
|
|
const nextConfig = JSON.parse(await fs.readFile(fixture.configPath, "utf8")) as {
|
|
models: { providers: { openai: { apiKey: unknown } } };
|
|
};
|
|
expect(nextConfig.models.providers.openai.apiKey).toEqual(OPENAI_API_KEY_ENV_REF);
|
|
|
|
const nextAuthStore = JSON.parse(await fs.readFile(fixture.authStorePath, "utf8")) as {
|
|
profiles: { "openai:default": { key?: string; keyRef?: unknown } };
|
|
};
|
|
expect(nextAuthStore.profiles["openai:default"].key).toBeUndefined();
|
|
expect(nextAuthStore.profiles["openai:default"].keyRef).toBeUndefined();
|
|
|
|
const nextAuthJson = JSON.parse(await fs.readFile(fixture.authJsonPath, "utf8")) as Record<
|
|
string,
|
|
unknown
|
|
>;
|
|
expect(nextAuthJson.openai).toBeUndefined();
|
|
|
|
const nextEnv = await fs.readFile(fixture.envPath, "utf8");
|
|
expect(nextEnv).not.toContain("sk-openai-plaintext");
|
|
expect(nextEnv).toContain("UNRELATED=value");
|
|
});
|
|
|
|
it("applies auth-profiles sibling ref targets to the scoped agent store", async () => {
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "auth-profiles.api_key.key",
|
|
path: "profiles.openai:default.key",
|
|
pathSegments: ["profiles", "openai:default", "key"],
|
|
agentId: "main",
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
options: {
|
|
scrubEnv: false,
|
|
scrubAuthProfilesForProviderTargets: false,
|
|
scrubLegacyAuthJson: false,
|
|
},
|
|
};
|
|
|
|
const result = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(result.changed).toBe(true);
|
|
expect(result.changedFiles).toContain(fixture.authStorePath);
|
|
|
|
const nextAuthStore = JSON.parse(await fs.readFile(fixture.authStorePath, "utf8")) as {
|
|
profiles: { "openai:default": { key?: string; keyRef?: unknown } };
|
|
};
|
|
expect(nextAuthStore.profiles["openai:default"].key).toBeUndefined();
|
|
expect(nextAuthStore.profiles["openai:default"].keyRef).toEqual({
|
|
source: "env",
|
|
provider: "default",
|
|
id: "OPENAI_API_KEY",
|
|
});
|
|
});
|
|
|
|
it("creates a new auth-profiles mapping when provider metadata is supplied", async () => {
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "auth-profiles.token.token",
|
|
path: "profiles.openai:bot.token",
|
|
pathSegments: ["profiles", "openai:bot", "token"],
|
|
agentId: "main",
|
|
authProfileProvider: "openai",
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
options: {
|
|
scrubEnv: false,
|
|
scrubAuthProfilesForProviderTargets: false,
|
|
scrubLegacyAuthJson: false,
|
|
},
|
|
};
|
|
|
|
await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
const nextAuthStore = JSON.parse(await fs.readFile(fixture.authStorePath, "utf8")) as {
|
|
profiles: {
|
|
"openai:bot": {
|
|
type: string;
|
|
provider: string;
|
|
tokenRef?: unknown;
|
|
};
|
|
};
|
|
};
|
|
expect(nextAuthStore.profiles["openai:bot"]).toEqual({
|
|
type: "token",
|
|
provider: "openai",
|
|
tokenRef: {
|
|
source: "env",
|
|
provider: "default",
|
|
id: "OPENAI_API_KEY",
|
|
},
|
|
});
|
|
});
|
|
|
|
it("is idempotent on repeated write applies", async () => {
|
|
const plan = createPlan({
|
|
targets: [createOpenAiProviderTarget()],
|
|
options: createOneWayScrubOptions(),
|
|
});
|
|
|
|
const first = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(first.changed).toBe(true);
|
|
const configAfterFirst = await fs.readFile(fixture.configPath, "utf8");
|
|
const authStoreAfterFirst = await fs.readFile(fixture.authStorePath, "utf8");
|
|
const authJsonAfterFirst = await fs.readFile(fixture.authJsonPath, "utf8");
|
|
const envAfterFirst = await fs.readFile(fixture.envPath, "utf8");
|
|
|
|
await fs.chmod(fixture.configPath, 0o400);
|
|
await fs.chmod(fixture.authStorePath, 0o400);
|
|
|
|
const second = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(second.mode).toBe("write");
|
|
const configAfterSecond = await fs.readFile(fixture.configPath, "utf8");
|
|
expect(stripVolatileConfigMeta(configAfterSecond)).toEqual(
|
|
stripVolatileConfigMeta(configAfterFirst),
|
|
);
|
|
await expect(fs.readFile(fixture.authStorePath, "utf8")).resolves.toBe(authStoreAfterFirst);
|
|
await expect(fs.readFile(fixture.authJsonPath, "utf8")).resolves.toBe(authJsonAfterFirst);
|
|
await expect(fs.readFile(fixture.envPath, "utf8")).resolves.toBe(envAfterFirst);
|
|
});
|
|
|
|
it("applies targets safely when map keys contain dots", async () => {
|
|
await writeJsonFile(fixture.configPath, {
|
|
models: {
|
|
providers: {
|
|
"openai.dev": createOpenAiProviderConfig(),
|
|
},
|
|
},
|
|
});
|
|
|
|
const plan = createPlan({
|
|
targets: [
|
|
createOpenAiProviderTarget({
|
|
path: "models.providers.openai.dev.apiKey",
|
|
pathSegments: ["models", "providers", "openai.dev", "apiKey"],
|
|
providerId: "openai.dev",
|
|
}),
|
|
],
|
|
options: {
|
|
scrubEnv: false,
|
|
scrubAuthProfilesForProviderTargets: false,
|
|
scrubLegacyAuthJson: false,
|
|
},
|
|
});
|
|
|
|
const nextConfig = await applyPlanAndReadConfig<{
|
|
models?: {
|
|
providers?: Record<string, { apiKey?: unknown }>;
|
|
};
|
|
}>(fixture, plan);
|
|
expect(nextConfig.models?.providers?.["openai.dev"]?.apiKey).toEqual(OPENAI_API_KEY_ENV_REF);
|
|
expect(nextConfig.models?.providers?.openai).toBeUndefined();
|
|
});
|
|
|
|
it("migrates skills entries apiKey targets alongside provider api keys", async () => {
|
|
await writeJsonFile(fixture.configPath, {
|
|
models: {
|
|
providers: {
|
|
openai: createOpenAiProviderConfig(),
|
|
},
|
|
},
|
|
skills: {
|
|
entries: {
|
|
"qa-secret-test": {
|
|
enabled: true,
|
|
apiKey: "sk-skill-plaintext",
|
|
},
|
|
},
|
|
},
|
|
});
|
|
|
|
const plan = createPlan({
|
|
targets: [
|
|
createOpenAiProviderTarget({ pathSegments: ["models", "providers", "openai", "apiKey"] }),
|
|
{
|
|
type: "skills.entries.apiKey",
|
|
path: "skills.entries.qa-secret-test.apiKey",
|
|
pathSegments: ["skills", "entries", "qa-secret-test", "apiKey"],
|
|
ref: OPENAI_API_KEY_ENV_REF,
|
|
},
|
|
],
|
|
options: createOneWayScrubOptions(),
|
|
});
|
|
|
|
const nextConfig = await applyPlanAndReadConfig<{
|
|
models: { providers: { openai: { apiKey: unknown } } };
|
|
skills: { entries: { "qa-secret-test": { apiKey: unknown } } };
|
|
}>(fixture, plan);
|
|
expect(nextConfig.models.providers.openai.apiKey).toEqual(OPENAI_API_KEY_ENV_REF);
|
|
expect(nextConfig.skills.entries["qa-secret-test"].apiKey).toEqual(OPENAI_API_KEY_ENV_REF);
|
|
|
|
const rawConfig = await fs.readFile(fixture.configPath, "utf8");
|
|
expect(rawConfig).not.toContain("sk-openai-plaintext");
|
|
expect(rawConfig).not.toContain("sk-skill-plaintext");
|
|
});
|
|
|
|
it("applies non-legacy target types", async () => {
|
|
await fs.writeFile(
|
|
fixture.configPath,
|
|
`${JSON.stringify(
|
|
{
|
|
talk: {
|
|
apiKey: "sk-talk-plaintext",
|
|
},
|
|
},
|
|
null,
|
|
2,
|
|
)}\n`,
|
|
"utf8",
|
|
);
|
|
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "talk.apiKey",
|
|
path: "talk.apiKey",
|
|
pathSegments: ["talk", "apiKey"],
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
options: {
|
|
scrubEnv: false,
|
|
scrubAuthProfilesForProviderTargets: false,
|
|
scrubLegacyAuthJson: false,
|
|
},
|
|
};
|
|
|
|
const result = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(result.changed).toBe(true);
|
|
|
|
const nextConfig = JSON.parse(await fs.readFile(fixture.configPath, "utf8")) as {
|
|
talk?: { apiKey?: unknown };
|
|
};
|
|
expect(nextConfig.talk?.apiKey).toEqual({
|
|
source: "env",
|
|
provider: "default",
|
|
id: "OPENAI_API_KEY",
|
|
});
|
|
});
|
|
|
|
it("applies array-indexed targets for agent memory search", async () => {
|
|
await fs.writeFile(
|
|
fixture.configPath,
|
|
`${JSON.stringify(
|
|
{
|
|
agents: {
|
|
list: [
|
|
{
|
|
id: "main",
|
|
memorySearch: {
|
|
remote: {
|
|
apiKey: "sk-memory-plaintext",
|
|
},
|
|
},
|
|
},
|
|
],
|
|
},
|
|
},
|
|
null,
|
|
2,
|
|
)}\n`,
|
|
"utf8",
|
|
);
|
|
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "agents.list[].memorySearch.remote.apiKey",
|
|
path: "agents.list.0.memorySearch.remote.apiKey",
|
|
pathSegments: ["agents", "list", "0", "memorySearch", "remote", "apiKey"],
|
|
ref: { source: "env", provider: "default", id: "MEMORY_REMOTE_API_KEY" },
|
|
},
|
|
],
|
|
options: {
|
|
scrubEnv: false,
|
|
scrubAuthProfilesForProviderTargets: false,
|
|
scrubLegacyAuthJson: false,
|
|
},
|
|
};
|
|
|
|
fixture.env.MEMORY_REMOTE_API_KEY = "sk-memory-live-env";
|
|
const result = await runSecretsApply({ plan, env: fixture.env, write: true });
|
|
expect(result.changed).toBe(true);
|
|
|
|
const nextConfig = JSON.parse(await fs.readFile(fixture.configPath, "utf8")) as {
|
|
agents?: {
|
|
list?: Array<{
|
|
memorySearch?: {
|
|
remote?: {
|
|
apiKey?: unknown;
|
|
};
|
|
};
|
|
}>;
|
|
};
|
|
};
|
|
expect(nextConfig.agents?.list?.[0]?.memorySearch?.remote?.apiKey).toEqual({
|
|
source: "env",
|
|
provider: "default",
|
|
id: "MEMORY_REMOTE_API_KEY",
|
|
});
|
|
});
|
|
|
|
it("rejects plan targets that do not match allowed secret-bearing paths", async () => {
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "models.providers.apiKey",
|
|
path: "models.providers.openai.baseUrl",
|
|
pathSegments: ["models", "providers", "openai", "baseUrl"],
|
|
providerId: "openai",
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
};
|
|
|
|
await expect(runSecretsApply({ plan, env: fixture.env, write: false })).rejects.toThrow(
|
|
"Invalid plan target path",
|
|
);
|
|
});
|
|
|
|
it("rejects plan targets with forbidden prototype-like path segments", async () => {
|
|
const plan: SecretsApplyPlan = {
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
generatedAt: new Date().toISOString(),
|
|
generatedBy: "manual",
|
|
targets: [
|
|
{
|
|
type: "skills.entries.apiKey",
|
|
path: "skills.entries.__proto__.apiKey",
|
|
pathSegments: ["skills", "entries", "__proto__", "apiKey"],
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
};
|
|
|
|
await expect(runSecretsApply({ plan, env: fixture.env, write: false })).rejects.toThrow(
|
|
"Invalid plan target path",
|
|
);
|
|
});
|
|
|
|
it("applies provider upserts and deletes from plan", async () => {
|
|
await writeJsonFile(fixture.configPath, {
|
|
secrets: {
|
|
providers: {
|
|
envmain: { source: "env" },
|
|
fileold: { source: "file", path: "/tmp/old-secrets.json", mode: "json" },
|
|
},
|
|
},
|
|
models: {
|
|
providers: {
|
|
openai: {
|
|
baseUrl: "https://api.openai.com/v1",
|
|
api: "openai-completions",
|
|
models: [{ id: "gpt-5", name: "gpt-5" }],
|
|
},
|
|
},
|
|
},
|
|
});
|
|
|
|
const plan = createPlan({
|
|
providerUpserts: {
|
|
filemain: {
|
|
source: "file",
|
|
path: "/tmp/new-secrets.json",
|
|
mode: "json",
|
|
},
|
|
},
|
|
providerDeletes: ["fileold"],
|
|
targets: [],
|
|
});
|
|
|
|
const nextConfig = await applyPlanAndReadConfig<{
|
|
secrets?: {
|
|
providers?: Record<string, unknown>;
|
|
};
|
|
}>(fixture, plan);
|
|
expect(nextConfig.secrets?.providers?.fileold).toBeUndefined();
|
|
expect(nextConfig.secrets?.providers?.filemain).toEqual({
|
|
source: "file",
|
|
path: "/tmp/new-secrets.json",
|
|
mode: "json",
|
|
});
|
|
});
|
|
});
|