* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
import { listSecretTargetRegistryEntries } from "./target-registry.js";
/**
 * One row of the strictly-user-supplied credential matrix. Each row is derived
 * from a secret target registry entry by `buildSecretRefCredentialMatrix`.
 */
type CredentialMatrixEntry = {
  /** Registry entry id; rows in the built document are sorted by this value. */
  id: string;
  /** Config file the credential is stored in. */
  configFile: "openclaw.json" | "auth-profiles.json";
  /** Where the credential lives, in the dot-path syntax described by the document's `pathSyntax`. */
  path: string;
  /** Path of the sibling ref field; only present when the registry entry defines a ref path pattern. */
  refPath?: string;
  /** Auth-profile type the row is restricted to; only present when the registry entry defines one. */
  when?: { type: "api_key" | "token" };
  /** How the secret is expressed at `path`: an inline secret input, or a ref held in a sibling field. */
  secretShape: "secret_input" | "sibling_ref"; // pragma: allowlist secret
  /** Always `true`: every credential in this matrix is opt-in. */
  optIn: true;
  /** Free-form caveat; currently only set for the Google Chat compatibility exception. */
  notes?: string;
};
/**
 * Machine-readable inventory of credentials that are strictly user-supplied
 * (not minted or rotated by the runtime), as produced by
 * `buildSecretRefCredentialMatrix`. The literal-typed fields pin the document
 * format so a consumer can detect a schema change at compile time.
 */
export type SecretRefCredentialMatrixDocument = {
  /** Schema version of this document format. */
  version: 1;
  /** Stable identifier of this particular matrix. */
  matrixId: "strictly-user-supplied-credentials";
  /** Human-readable description of the syntax used by `path` and `refPath` in `entries`. */
  pathSyntax: 'Dot path with "*" for map keys and "[]" for arrays.';
  /** Human-readable statement of which credentials belong in this matrix. */
  scope: "Credentials that are strictly user-supplied and not minted/rotated by OpenClaw runtime.";
  /** Secret-bearing paths deliberately left out of `entries` because they are mutable or runtime-managed. */
  excludedMutableOrRuntimeManaged: string[];
  /** Matrix rows, sorted by `id`. */
  entries: CredentialMatrixEntry[];
};
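/**
 * Secret-bearing config paths that are deliberately NOT part of the matrix
 * because they are mutable or runtime-managed rather than strictly
 * user-supplied (see the document's `scope`). The list is emitted verbatim
 * under `excludedMutableOrRuntimeManaged` so reviewers can see what was
 * excluded and why.
 *
 * Declared `readonly` so this shared module-level list cannot be changed in
 * place by accident; the builder spreads it into a fresh array for each
 * document it returns.
 */
const EXCLUDED_MUTABLE_OR_RUNTIME_MANAGED: readonly string[] = [
  "commands.ownerDisplaySecret",
  "channels.matrix.accessToken",
  "channels.matrix.accounts.*.accessToken",
  "hooks.token",
  "hooks.gmail.pushToken",
  "hooks.mappings[].sessionKey",
  "auth-profiles.oauth.*",
  "discord.threadBindings.*.webhookToken",
  "whatsapp.creds.json",
];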
/**
 * Build the strictly-user-supplied credential matrix from the secret target registry.
 *
 * Every registry entry becomes one `CredentialMatrixEntry`. The optional fields
 * (`refPath`, `when`, `notes`) are only added when the registry entry supplies the
 * corresponding value, so an absent field is absent in the emitted object rather
 * than set to `undefined`. Rows are sorted by `id`, and the exclusion list is
 * copied, so the returned document shares no mutable state with this module.
 *
 * @returns A freshly built matrix document.
 */
export function buildSecretRefCredentialMatrix(): SecretRefCredentialMatrixDocument {
  const googleChatIdPrefix = "channels.googlechat.";
  const googleChatNote =
    "Google Chat compatibility exception: sibling ref field remains canonical.";

  const entries = listSecretTargetRegistryEntries().map((entry): CredentialMatrixEntry => {
    // Each optional fragment is either a one-key object or empty; spreading an
    // empty object adds nothing, which keeps the key order and shape stable.
    const refFragment = entry.refPathPattern ? { refPath: entry.refPathPattern } : {};
    const whenFragment = entry.authProfileType ? { when: { type: entry.authProfileType } } : {};
    const notesFragment = entry.id.startsWith(googleChatIdPrefix) ? { notes: googleChatNote } : {};

    return {
      id: entry.id,
      configFile: entry.configFile,
      path: entry.pathPattern,
      ...refFragment,
      ...whenFragment,
      secretShape: entry.secretShape,
      optIn: true,
      ...notesFragment,
    };
  });

  // `map` already produced a fresh array, so sorting it in place is safe.
  // NOTE(review): localeCompare ordering depends on the runtime's locale data;
  // confirm that is acceptable if this document is diffed across environments.
  entries.sort((left, right) => left.id.localeCompare(right.id));

  return {
    version: 1,
    matrixId: "strictly-user-supplied-credentials",
    pathSyntax: 'Dot path with "*" for map keys and "[]" for arrays.',
    scope:
      "Credentials that are strictly user-supplied and not minted/rotated by OpenClaw runtime.",
    // Copy so callers never alias the module-level exclusion list.
    excludedMutableOrRuntimeManaged: [...EXCLUDED_MUTABLE_OR_RUNTIME_MANAGED],
    entries,
  };
}