Skip to content

fix(models): avoid false missing auth warning for SecretRef probe#30445

Closed
liuxiaopai-ai wants to merge 1 commit intoopenclaw:mainfrom
liuxiaopai-ai:codex/issue-30311-probe-secretref-auth
Closed

fix(models): avoid false missing auth warning for SecretRef probe#30445
liuxiaopai-ai wants to merge 1 commit intoopenclaw:mainfrom
liuxiaopai-ai:codex/issue-30311-probe-secretref-auth

Conversation

@liuxiaopai-ai
Copy link
Copy Markdown
Contributor

@liuxiaopai-ai liuxiaopai-ai commented Mar 1, 2026
edited
Loading

Summary

  • fix models status --probe false negatives for keyRef/tokenRef auth profiles when explicit auth order exists
  • when a profile is excluded by legacy resolveAuthProfileOrder filtering, attempt deferred credential resolution via resolveApiKeyForProfile
  • if deferred resolution succeeds, include the profile in probe targets instead of emitting a premature "missing or expired" warning
  • add regression tests for both success and failure paths of deferred SecretRef resolution

Testing

  • pnpm vitest src/commands/models/list.probe.test.ts src/commands/models/list.probe.targets.test.ts
  • pnpm exec oxfmt --check src/commands/models/list.probe.ts src/commands/models/list.probe.targets.test.ts
  • pnpm exec oxlint --type-aware src/commands/models/list.probe.ts src/commands/models/list.probe.targets.test.ts

Closes #30311

@openclaw-barnacle openclaw-barnacle bot added commands Command implementations size: M labels Mar 1, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 1, 2026

Greptile Summary

Fixed false missing or expired auth warnings for SecretRef profiles by attempting deferred credential resolution when profiles are excluded by legacy auth order filtering. When a profile has keyRef or tokenRef configured, the code now attempts to resolve credentials via resolveApiKeyForProfile before emitting the warning. If resolution succeeds, the profile is included in probe targets; if it fails, the original warning behavior is preserved.

  • Refactored buildProbeTargets to async/await and exported it for testing
  • Added canResolveDeferredProfileCredential helper to identify profiles eligible for deferred resolution
  • Comprehensive test coverage for both success and failure paths of SecretRef resolution
  • Empty catch block at src/commands/models/list.probe.ts:249 intentionally preserves legacy error messaging when resolution fails

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • Score reflects well-structured logic, comprehensive test coverage, and correct async/await refactoring. The deferred resolution logic properly handles both success and failure paths, maintains backward compatibility, and follows the project's TypeScript conventions. No security vulnerabilities or logical errors identified.
  • No files require special attention

Last reviewed commit: 31d3a95

@rmarr rmarr mentioned this pull request Mar 2, 2026
Closed
@joshavant joshavant mentioned this pull request Mar 4, 2026
Merged
@joshavant
Copy link
Copy Markdown
Contributor

joshavant commented Mar 4, 2026

Thanks for the report! Superseded by #33733.

@joshavant joshavant closed this Mar 4, 2026
@joshavant joshavant mentioned this pull request Mar 16, 2026
Merged
20 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

commands Command implementations size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: models status --probe reports "missing or expired" for exec-based SecretRef auth profiles

2 participants

@liuxiaopai-ai @joshavant