feat(security): add provider-based external secrets management

2026-04-26 16:06:16 +00:00 · 2026-02-25 17:39:31 -06:00
parent bb60cab76d
commit 4e7a833a24
35 changed files with 1779 additions and 669 deletions
--- a/src/gateway/config-reload.test.ts
+++ b/src/gateway/config-reload.test.ts
@@ -153,6 +153,12 @@ describe("buildGatewayReloadPlan", () => {
    expect(plan.noopPaths).toContain("gateway.remote.url");
  });

+  it("treats secrets config changes as no-op for gateway restart planning", () => {
+    const plan = buildGatewayReloadPlan(["secrets.providers.default.path"]);
+    expect(plan.restartGateway).toBe(false);
+    expect(plan.noopPaths).toContain("secrets.providers.default.path");
+  });
+
  it("defaults unknown paths to restart", () => {
    const plan = buildGatewayReloadPlan(["unknownField"]);
    expect(plan.restartGateway).toBe(true);
--- a/src/gateway/config-reload.ts
+++ b/src/gateway/config-reload.ts
@@ -82,6 +82,7 @@ const BASE_RELOAD_RULES_TAIL: ReloadRule[] = [
  { prefix: "session", kind: "none" },
  { prefix: "talk", kind: "none" },
  { prefix: "skills", kind: "none" },
+  { prefix: "secrets", kind: "none" },
  { prefix: "plugins", kind: "restart" },
  { prefix: "ui", kind: "none" },
  { prefix: "gateway", kind: "restart" },
--- a/src/gateway/server.reload.test.ts
+++ b/src/gateway/server.reload.test.ts
@@ -222,7 +222,7 @@ describe("gateway hot reload", () => {
            providers: {
              openai: {
                baseUrl: "https://api.openai.com/v1",
-                apiKey: { source: "env", id: "OPENAI_API_KEY" },
+                apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
                models: [],
              },
            },
@@ -251,7 +251,7 @@ describe("gateway hot reload", () => {
            missing: {
              type: "api_key",
              provider: "openai",
-              keyRef: { source: "env", id: "MISSING_OPENCLAW_AUTH_REF" },
+              keyRef: { source: "env", provider: "default", id: "MISSING_OPENCLAW_AUTH_REF" },
            },
          },
          selectedProfileId: "missing",
@@ -425,7 +425,7 @@ describe("gateway hot reload", () => {
          providers: {
            openai: {
              baseUrl: "https://api.openai.com/v1",
-              apiKey: { source: "env", id: "OPENAI_API_KEY" },
+              apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
              models: [],
            },
          },