@@ -7,11 +7,10 @@ import {
77 resolveAcpClientSpawnEnv ,
88 resolveAcpClientSpawnInvocation ,
99 resolvePermissionRequest ,
10+ shouldStripProviderAuthEnvVarsForAcpServer ,
1011} from "./client.js" ;
1112import { extractAttachmentsFromPrompt , extractTextFromPrompt } from "./event-mapper.js" ;
1213
13- const envVar = ( ...parts : string [ ] ) => parts . join ( "_" ) ;
14-
1514function makePermissionRequest (
1615 overrides : Partial < RequestPermissionRequest > = { } ,
1716) : RequestPermissionRequest {
@@ -63,52 +62,50 @@ describe("resolveAcpClientSpawnEnv", () => {
6362 expect ( env . OPENCLAW_SHELL ) . toBe ( "acp-client" ) ;
6463 } ) ;
6564
66- it ( "strips skill-injected env keys when stripKeys is provided" , ( ) => {
67- const openAiApiKeyEnv = envVar ( "OPENAI" , "API" , "KEY" ) ;
68- const elevenLabsApiKeyEnv = envVar ( "ELEVENLABS" , "API" , "KEY" ) ;
69- const anthropicApiKeyEnv = envVar ( "ANTHROPIC" , "API" , "KEY" ) ;
70- const stripKeys = new Set ( [ openAiApiKeyEnv , elevenLabsApiKeyEnv ] ) ;
65+ it ( "strips provider auth env vars for the default OpenClaw bridge" , ( ) => {
66+ const stripKeys = new Set ( [ "OPENAI_API_KEY" , "GITHUB_TOKEN" , "HF_TOKEN" ] ) ;
7167 const env = resolveAcpClientSpawnEnv (
7268 {
69+ OPENAI_API_KEY : "openai-secret" ,
70+ GITHUB_TOKEN : "gh-secret" ,
71+ HF_TOKEN : "hf-secret" ,
72+ OPENCLAW_API_KEY : "keep-me" ,
7373 PATH : "/usr/bin" ,
74- [ openAiApiKeyEnv ] : "openai-test-value" , // pragma: allowlist secret
75- [ elevenLabsApiKeyEnv ] : "elevenlabs-test-value" , // pragma: allowlist secret
76- [ anthropicApiKeyEnv ] : "anthropic-test-value" , // pragma: allowlist secret
7774 } ,
7875 { stripKeys } ,
7976 ) ;
8077
78+ expect ( env . OPENAI_API_KEY ) . toBeUndefined ( ) ;
79+ expect ( env . GITHUB_TOKEN ) . toBeUndefined ( ) ;
80+ expect ( env . HF_TOKEN ) . toBeUndefined ( ) ;
81+ expect ( env . OPENCLAW_API_KEY ) . toBe ( "keep-me" ) ;
8182 expect ( env . PATH ) . toBe ( "/usr/bin" ) ;
8283 expect ( env . OPENCLAW_SHELL ) . toBe ( "acp-client" ) ;
83- expect ( env . ANTHROPIC_API_KEY ) . toBe ( "anthropic-test-value" ) ;
84- expect ( env . OPENAI_API_KEY ) . toBeUndefined ( ) ;
85- expect ( env . ELEVENLABS_API_KEY ) . toBeUndefined ( ) ;
8684 } ) ;
8785
88- it ( "does not modify the original baseEnv when stripping keys" , ( ) => {
89- const openAiApiKeyEnv = envVar ( "OPENAI" , "API" , "KEY" ) ;
90- const baseEnv : NodeJS . ProcessEnv = {
91- [ openAiApiKeyEnv ] : "openai-original" , // pragma: allowlist secret
92- PATH : "/usr/bin" ,
93- } ;
94- const stripKeys = new Set ( [ openAiApiKeyEnv ] ) ;
95- resolveAcpClientSpawnEnv ( baseEnv , { stripKeys } ) ;
86+ it ( "preserves provider auth env vars for explicit custom ACP servers" , ( ) => {
87+ const env = resolveAcpClientSpawnEnv ( {
88+ OPENAI_API_KEY : "openai-secret" ,
89+ GITHUB_TOKEN : "gh-secret" ,
90+ HF_TOKEN : "hf-secret" ,
91+ OPENCLAW_API_KEY : "keep-me" ,
92+ } ) ;
9693
97- expect ( baseEnv . OPENAI_API_KEY ) . toBe ( "openai-original" ) ;
94+ expect ( env . OPENAI_API_KEY ) . toBe ( "openai-secret" ) ;
95+ expect ( env . GITHUB_TOKEN ) . toBe ( "gh-secret" ) ;
96+ expect ( env . HF_TOKEN ) . toBe ( "hf-secret" ) ;
97+ expect ( env . OPENCLAW_API_KEY ) . toBe ( "keep-me" ) ;
98+ expect ( env . OPENCLAW_SHELL ) . toBe ( "acp-client" ) ;
9899 } ) ;
100+ } ) ;
99101
100- it ( "preserves OPENCLAW_SHELL even when stripKeys contains it" , ( ) => {
101- const openAiApiKeyEnv = envVar ( "OPENAI" , "API" , "KEY" ) ;
102- const env = resolveAcpClientSpawnEnv (
103- {
104- OPENCLAW_SHELL : "skill-overridden" ,
105- [ openAiApiKeyEnv ] : "openai-leaked" , // pragma: allowlist secret
106- } ,
107- { stripKeys : new Set ( [ "OPENCLAW_SHELL" , openAiApiKeyEnv ] ) } ,
108- ) ;
102+ describe ( "shouldStripProviderAuthEnvVarsForAcpServer" , ( ) => {
103+ it ( "strips provider auth env vars for the default bridge" , ( ) => {
104+ expect ( shouldStripProviderAuthEnvVarsForAcpServer ( ) ) . toBe ( true ) ;
105+ } ) ;
109106
110- expect ( env . OPENCLAW_SHELL ) . toBe ( "acp-client" ) ;
111- expect ( env . OPENAI_API_KEY ) . toBeUndefined ( ) ;
107+ it ( "preserves provider auth env vars for explicit custom ACP servers" , ( ) => {
108+ expect ( shouldStripProviderAuthEnvVarsForAcpServer ( "custom-acp-server" ) ) . toBe ( false ) ;
112109 } ) ;
113110} ) ;
114111
0 commit comments