mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-01 12:21:25 +00:00
42e3d8d693
* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
73 lines
2.4 KiB
TypeScript
73 lines
2.4 KiB
TypeScript
import fs from "node:fs/promises";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
import { describe, expect, it } from "vitest";
|
|
import {
|
|
activateSecretsRuntimeSnapshot,
|
|
clearSecretsRuntimeSnapshot,
|
|
prepareSecretsRuntimeSnapshot,
|
|
} from "../secrets/runtime.js";
|
|
import { ensureAuthProfileStore, markAuthProfileUsed } from "./auth-profiles.js";
|
|
|
|
describe("auth profile runtime snapshot persistence", () => {
|
|
it("does not write resolved plaintext keys during usage updates", async () => {
|
|
const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-auth-runtime-save-"));
|
|
const agentDir = path.join(stateDir, "agents", "main", "agent");
|
|
const authPath = path.join(agentDir, "auth-profiles.json");
|
|
try {
|
|
await fs.mkdir(agentDir, { recursive: true });
|
|
await fs.writeFile(
|
|
authPath,
|
|
`${JSON.stringify(
|
|
{
|
|
version: 1,
|
|
profiles: {
|
|
"openai:default": {
|
|
type: "api_key",
|
|
provider: "openai",
|
|
keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
},
|
|
},
|
|
null,
|
|
2,
|
|
)}\n`,
|
|
"utf8",
|
|
);
|
|
|
|
const snapshot = await prepareSecretsRuntimeSnapshot({
|
|
config: {},
|
|
env: { OPENAI_API_KEY: "sk-runtime-openai" }, // pragma: allowlist secret
|
|
agentDirs: [agentDir],
|
|
});
|
|
activateSecretsRuntimeSnapshot(snapshot);
|
|
|
|
const runtimeStore = ensureAuthProfileStore(agentDir);
|
|
expect(runtimeStore.profiles["openai:default"]).toMatchObject({
|
|
type: "api_key",
|
|
key: "sk-runtime-openai",
|
|
keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
});
|
|
|
|
await markAuthProfileUsed({
|
|
store: runtimeStore,
|
|
profileId: "openai:default",
|
|
agentDir,
|
|
});
|
|
|
|
const persisted = JSON.parse(await fs.readFile(authPath, "utf8")) as {
|
|
profiles: Record<string, { key?: string; keyRef?: unknown }>;
|
|
};
|
|
expect(persisted.profiles["openai:default"]?.key).toBeUndefined();
|
|
expect(persisted.profiles["openai:default"]?.keyRef).toEqual({
|
|
source: "env",
|
|
provider: "default",
|
|
id: "OPENAI_API_KEY",
|
|
});
|
|
} finally {
|
|
clearSecretsRuntimeSnapshot();
|
|
await fs.rm(stateDir, { recursive: true, force: true });
|
|
}
|
|
});
|
|
});
|