fix(auth): treat keyRef/tokenRef profiles as valid in auth order resolution#30384
fix(auth): treat keyRef/tokenRef profiles as valid in auth order resolution#30384Sid-Qin wants to merge 1 commit intoopenclaw:mainfrom
Conversation
…lution resolveAuthProfileOrder previously treated profiles without plaintext key/token as invalid, even when they were backed by SecretRef fields (keyRef/tokenRef). This caused probe flows with explicit auth.order to mark those profiles as "missing or expired" before probing, despite runtime secret resolution working. Profiles backed by keyRef/tokenRef are now considered valid candidates for ordering, so models status --probe no longer produces false negatives for exec-based SecretRef auth profiles. Closes openclaw#30311
openclaw-barnacle
bot
added
agents
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ddbfb04e60
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (cred.tokenRef) { | ||
| return true; |
There was a problem hiding this comment.
Returning true as soon as tokenRef exists makes this profile-order filter treat expired token profiles as usable, but resolveApiKeyForProfile still rejects type: "token" credentials when expires is in the past (even after resolving tokenRef). In stores that carry stale expires metadata alongside tokenRef (for example after migrating from plaintext token storage), this now admits profiles that are guaranteed to fail at use-time, so probes/selection repeatedly attempt a dead credential instead of filtering it out consistently.
Useful? React with 👍 / 👎.
Greptile SummaryThis PR correctly fixes auth profile validation to support SecretRef-backed credentials ( Key improvements:
Technical correctness:
Confidence Score: 5/5
Last reviewed commit: ddbfb04 |
|
Thanks for the report! Superseded by #33733. |
2 participants
Summary
models status --probecan report "Auth profile credentials are missing or expired" for profiles that usekeyRef/tokenRef(especially with explicitauth.order), even though runtime secret resolution works.source: exec).resolveAuthProfileOrderinsrc/agents/auth-profiles/order.tsso profiles backed bykeyRefortokenRefare treated as valid candidates (not dropped as empty plaintext credentials). Added regression tests insrc/agents/auth-profiles.resolve-auth-profile-order.uses-stored-profiles-no-config-exists.test.tsfor bothapi_key + keyRefandtoken + tokenRef.Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
models status --probereports "missing or expired" for exec-based SecretRef auth profiles #30311User-visible / Behavior Changes
models status --probeno longer prematurely marks SecretRef-backed auth profiles as "missing or expired" just because plaintext key/token fields are absent.Security Impact (required)
NoNo(validation semantics only)NoNoNoRepro + Verification
Environment
openclaw models status --probe)Steps
keyRef/tokenRefwith explicitauth.orderopenclaw models status --probeExpected
Actual
Evidence
Targeted tests passing:
New regression assertions:
api_keyprofile withkeyRefand no plaintext keytokenprofile withtokenRefeven when token field is blank/expiredHuman Verification (required)
Compatibility / Migration
YesNoNoFailure Recovery (if this breaks)
src/agents/auth-profiles/order.tsRisks and Mitigations