mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-19 15:01:38 +00:00
* fix(crestodian): keep onboarding RPCs restart-safe * fix(profiles): isolate approval state migrations * fix(crestodian): bypass configured gateway setup * test(crestodian): type onboarding mocks * fix(onboarding): require inference before Crestodian * fix(onboarding): enforce verified inference handoff * fix(macos): reset setup on gateway endpoint edits * chore(i18n): refresh native source inventory * fix(gateway): keep socket on request cancellation * test(packaging): require workspace templates * fix(onboarding): bind setup to verified inference * fix(onboarding): align inference gate contracts * fix(crestodian): classify concurrent policy rejection * test(crestodian): expect registry restoration * fix(onboarding): bind setup to configured gateways * fix(codex): preserve startup phase deadlines * test(crestodian): match fail-closed policy ordering * test(onboarding): assert bound gateway handoff * fix(codex): bind runtime resolution to spawn cwd * test(crestodian): assert policy rejection order * fix(cli): preserve gateway routing across restarts * fix(macos): fail closed during gateway edits * test(macos): cover gateway route generation races * chore: keep release notes out of onboarding PR * fix(ci): refresh onboarding generated checks * style(swift): align gateway channel formatting * fix(ci): refresh plugin SDK surface budgets * fix(ci): resync native string inventory * refactor(swift): split gateway channel support * test(doctor): isolate plugin compatibility registry * test(macos): isolate gateway onboarding fixtures * test(macos): assert gateway lease health ordering * fix(codex): reconcile computer-use startup changes
79 lines
2.6 KiB
TypeScript
79 lines
2.6 KiB
TypeScript
import {
|
|
fingerprintResolvedAuthProfileCredential,
|
|
type AgentHarnessAuthBindingFingerprintParams,
|
|
} from "openclaw/plugin-sdk/agent-harness-runtime";
|
|
import {
|
|
resolveApiKeyForProfile,
|
|
type AuthProfileCredential,
|
|
type AuthProfileStore,
|
|
} from "openclaw/plugin-sdk/agent-runtime";
|
|
|
|
export type CodexAppServerPreparedAuthBinding = {
|
|
authProfileStore: AuthProfileStore;
|
|
fingerprint: string;
|
|
};
|
|
|
|
function withMaterializedCredential(params: {
|
|
store: AuthProfileStore;
|
|
profileId: string;
|
|
credential: AuthProfileCredential;
|
|
value: string;
|
|
}): AuthProfileStore {
|
|
const store = structuredClone(params.store);
|
|
if (params.credential.type === "api_key") {
|
|
const { keyRef: _keyRef, ...credential } = params.credential;
|
|
store.profiles[params.profileId] = { ...credential, key: params.value };
|
|
} else if (params.credential.type === "token") {
|
|
const { tokenRef: _tokenRef, ...credential } = params.credential;
|
|
store.profiles[params.profileId] = { ...credential, token: params.value };
|
|
}
|
|
return store;
|
|
}
|
|
|
|
/** Resolves one forwarded profile once so attestation and execution share exact material. */
|
|
export async function prepareCodexAppServerAuthBinding(
|
|
params: AgentHarnessAuthBindingFingerprintParams,
|
|
): Promise<CodexAppServerPreparedAuthBinding | undefined> {
|
|
const credential = params.authProfileStore.profiles[params.authProfileId];
|
|
if (!credential || credential.type === "oauth") {
|
|
return undefined;
|
|
}
|
|
const resolved = await resolveApiKeyForProfile({
|
|
cfg: params.config,
|
|
store: params.authProfileStore,
|
|
profileId: params.authProfileId,
|
|
agentDir: params.agentDir,
|
|
});
|
|
if (!resolved?.apiKey) {
|
|
throw new Error(`Codex could not resolve auth profile "${params.authProfileId}".`);
|
|
}
|
|
const fingerprint = fingerprintResolvedAuthProfileCredential({
|
|
profileId: params.authProfileId,
|
|
credential,
|
|
resolvedAuth: {
|
|
apiKey: resolved.apiKey,
|
|
profileId: params.authProfileId,
|
|
source: `profile:${params.authProfileId}`,
|
|
mode: credential.type === "api_key" ? "api-key" : "token",
|
|
},
|
|
});
|
|
if (!fingerprint) {
|
|
throw new Error(`Codex could not attest auth profile "${params.authProfileId}".`);
|
|
}
|
|
return {
|
|
fingerprint,
|
|
authProfileStore: withMaterializedCredential({
|
|
store: params.authProfileStore,
|
|
profileId: params.authProfileId,
|
|
credential,
|
|
value: resolved.apiKey,
|
|
}),
|
|
};
|
|
}
|
|
|
|
export async function fingerprintCodexAppServerAuthBinding(
|
|
params: AgentHarnessAuthBindingFingerprintParams,
|
|
): Promise<string | undefined> {
|
|
return (await prepareCodexAppServerAuthBinding(params))?.fingerprint;
|
|
}
|