Files
openclaw/extensions/vault/vault-secret-id.js
Sally O'Malley e595a8c0ac Add Vault SecretRef plugin (#89255)
* Add Vault SecretRef plugin

Signed-off-by: sallyom <somalley@redhat.com>

* expand Vault setup to registered SecretRef targets

Signed-off-by: sallyom <somalley@redhat.com>

* fix(vault): use sdk secret target seam

* fix(vault): preserve auth profile target paths

* docs(vault): document plugin enable step

* fix(vault): make status provider-alias aware

* fix(vault): reject noncanonical secret ids

* fix(vault): separate resolver timeout deadlines

* fix(vault): forward private CA trust settings

* fix(secrets): preserve plugin policy boundaries

---------

Signed-off-by: sallyom <somalley@redhat.com>
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-07-09 05:30:12 -05:00

24 lines
826 B
JavaScript

const EXEC_SECRET_REF_ID_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._:/#-]{0,255}$/;
export function parseVaultSecretId(id) {
const parts = id.split("/");
if (parts.some((part) => part.length === 0)) {
throw new Error(`Vault SecretRef id "${id}" must not contain empty path segments.`);
}
if (!EXEC_SECRET_REF_ID_PATTERN.test(id)) {
throw new Error(`Vault SecretRef id "${id}" contains unsupported characters.`);
}
if (parts.length < 2) {
throw new Error(
`Vault SecretRef id "${id}" must use "<path>/<field>", for example "providers/openai/apiKey".`,
);
}
if (parts.some((part) => part === "." || part === "..")) {
throw new Error(`Vault SecretRef id "${id}" must not contain dot path segments.`);
}
return {
secretPath: parts.slice(0, -1).join("/"),
field: parts.at(-1),
};
}