mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-21 16:41:56 +00:00
* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
import type { OpenClawConfig } from "../config/types.js";
import { resolveSecretInputRef } from "../config/types.secrets.js";
import { secretRefKey } from "../secrets/ref-contract.js";
import { resolveSecretRefValues } from "../secrets/resolve.js";
/**
 * Controls how much a "could not resolve" message reveals about the failure.
 *
 * - `"generic"`: every failure kind yields the same "is unresolved" wording.
 * - `"detailed"`: non-string and empty results get their own wording.
 *
 * The trailing pragma is an inline allowlist marker for the secret scanner;
 * this line holds no credential.
 */
export type SecretInputUnresolvedReasonStyle = "generic" | "detailed"; // pragma: allowlist secret
/**
 * Normalizes an arbitrary value to a trimmed, non-empty string.
 *
 * @param value - Any value; only strings are considered.
 * @returns The trimmed string, or `undefined` when the input is not a string
 *   or contains nothing but whitespace.
 */
function trimToUndefined(value: unknown): string | undefined {
  // Non-strings collapse to "" so both rejection cases share one exit.
  const text = typeof value === "string" ? value.trim() : "";
  return text === "" ? undefined : text;
}
/**
 * Builds the human-readable explanation for a SecretRef that produced no
 * usable string.
 *
 * The message is assembled only from the config path and the reference label;
 * a resolved secret value is never an input here, so it cannot appear in the
 * text.
 *
 * @param params.path - Config path of the setting that holds the SecretRef.
 * @param params.style - `"generic"` always yields the "is unresolved" wording;
 *   `"detailed"` distinguishes non-string and empty results.
 * @param params.kind - Which failure occurred.
 * @param params.refLabel - Label identifying the reference (not its value).
 * @returns The reason sentence.
 */
function buildUnresolvedReason(params: {
  path: string;
  style: SecretInputUnresolvedReasonStyle;
  kind: "unresolved" | "non-string" | "empty";
  refLabel: string;
}): string {
  const { path, style, kind, refLabel } = params;
  // Shared by the generic style and by the detailed "unresolved" kind.
  const unresolvedMessage = `${path} SecretRef is unresolved (${refLabel}).`;

  if (style === "generic") {
    return unresolvedMessage;
  }

  switch (kind) {
    case "non-string":
      return `${path} SecretRef resolved to a non-string value.`;
    case "empty":
      return `${path} SecretRef resolved to an empty value.`;
    default:
      return unresolvedMessage;
  }
}
/**
 * Resolves a configured input that is either a literal string or a SecretRef
 * into a trimmed, non-empty string.
 *
 * When the input is not a SecretRef, the literal is trimmed and returned
 * (or `undefined` if it is not a non-empty string). When it is a SecretRef,
 * the reference is resolved and the result is returned only if it is a
 * non-empty string; otherwise `unresolvedRefReason` explains why.
 *
 * The reason text contains the config path and a `source:provider:id` label
 * of the reference. It never contains the resolved value or any text from a
 * thrown error.
 *
 * @param params.config - Configuration used for SecretRef defaults and resolution.
 * @param params.env - Environment passed to the resolver.
 * @param params.value - The raw configured input.
 * @param params.path - Config path of the input, used in reason messages.
 * @param params.unresolvedReasonStyle - Message verbosity; defaults to `"generic"`.
 * @returns `{ value }` on success (possibly `undefined` for a blank literal),
 *   or `{ unresolvedRefReason }` when the reference yields no usable string.
 */
export async function resolveConfiguredSecretInputString(params: {
  config: OpenClawConfig;
  env: NodeJS.ProcessEnv;
  value: unknown;
  path: string;
  unresolvedReasonStyle?: SecretInputUnresolvedReasonStyle;
}): Promise<{ value?: string; unresolvedRefReason?: string }> {
  const { config, env, path, value: rawInput } = params;
  const style = params.unresolvedReasonStyle ?? "generic";

  const { ref } = resolveSecretInputRef({
    value: rawInput,
    defaults: config.secrets?.defaults,
  });
  if (!ref) {
    // Not a SecretRef: treat the input as a literal.
    return { value: trimToUndefined(rawInput) };
  }

  // Identifies the reference in messages; this is the locator, not the secret.
  const refLabel = `${ref.source}:${ref.provider}:${ref.id}`;
  const unresolved = (kind: "unresolved" | "non-string" | "empty") => ({
    unresolvedRefReason: buildUnresolvedReason({ path, style, kind, refLabel }),
  });

  try {
    const resolved = await resolveSecretRefValues([ref], { config, env });
    const candidate = resolved.get(secretRefKey(ref));
    if (typeof candidate !== "string") {
      return unresolved("non-string");
    }
    const secret = candidate.trim();
    return secret.length === 0 ? unresolved("empty") : { value: secret };
  } catch {
    // The thrown error is discarded on purpose here, so none of its text can
    // reach the caller through the reason string.
    // NOTE(review): this also drops diagnostic detail; confirm the resolver
    // records failures somewhere an operator can see them.
    return unresolved("unresolved");
  }
}