Files
openclaw/src/plugin-sdk/secret-ref-runtime.ts
Sally O'Malley e595a8c0ac Add Vault SecretRef plugin (#89255)
* Add Vault SecretRef plugin

Signed-off-by: sallyom <somalley@redhat.com>

* expand Vault setup to registered SecretRef targets

Signed-off-by: sallyom <somalley@redhat.com>

* fix(vault): use sdk secret target seam

* fix(vault): preserve auth profile target paths

* docs(vault): document plugin enable step

* fix(vault): make status provider-alias aware

* fix(vault): reject noncanonical secret ids

* fix(vault): separate resolver timeout deadlines

* fix(vault): forward private CA trust settings

* fix(secrets): preserve plugin policy boundaries

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-07-09 05:30:12 -05:00

30 lines
1.1 KiB
TypeScript

// Narrow shared secret-ref helpers for plugin config and secret-contract paths.
import { resolveSecretPlanTargetByPath as resolveSecretPlanTargetByPathInternal } from "../secrets/target-registry-query.js";
export { coerceSecretRef } from "../config/types.secrets.js";
export type { SecretInput, SecretRef } from "../config/types.secrets.js";
export { resolveSecretRefValues } from "../secrets/resolve.js";
export { applyResolvedAssignments, createResolverContext } from "../secrets/runtime-shared.js";
export type ResolvedSecretPlanTarget = {
targetType: string;
providerId?: string;
accountId?: string;
};
export function resolveSecretPlanTargetByPath(params: {
configFile: "openclaw.json" | "auth-profiles.json";
pathSegments: string[];
}): ResolvedSecretPlanTarget | null {
const resolved = resolveSecretPlanTargetByPathInternal(params);
if (!resolved) {
return null;
}
return {
targetType: resolved.entry.targetType,
...(resolved.providerId ? { providerId: resolved.providerId } : {}),
...(resolved.accountId ? { accountId: resolved.accountId } : {}),
};
}