Skip to content

Reject SecretRef placeholders from runtime auth fallbacks#39898

Closed
HeMuling wants to merge 6 commits intoopenclaw:mainfrom
HeMuling:fix/39823-secretref-marker-auth
Closed

Reject SecretRef placeholders from runtime auth fallbacks#39898
HeMuling wants to merge 6 commits intoopenclaw:mainfrom
HeMuling:fix/39823-secretref-marker-auth

Conversation

@HeMuling
Copy link
Copy Markdown
Contributor

@HeMuling HeMuling commented Mar 8, 2026

Closes #39823

Summary

  • reject non-secret SecretRef markers as runtime provider API keys
  • scrub placeholder auth headers from discovered PI model registry fallbacks
  • add regression coverage for both model-auth and discoverModels paths

Reproduction

  • origin/main could carry apiKey: "secretref-managed" through custom provider fallback resolution
  • PI model discovery could then expose Authorization: Bearer secretref-managed from registry fallbacks

Validation

  • npx -y [email protected] exec vitest run src/agents/model-auth.profiles.test.ts src/agents/pi-model-discovery.auth.test.ts src/agents/pi-embedded-runner/model.test.ts src/media-understanding/providers/image.test.ts

@openclaw-barnacle openclaw-barnacle bot added agents Agent runtime and tooling size: S labels Mar 8, 2026
@HeMuling HeMuling force-pushed the fix/39823-secretref-marker-auth branch from a224683 to e972da6 Compare March 8, 2026 14:02
@openclaw-barnacle openclaw-barnacle bot added app: macos App: macos size: L scripts Repository scripts and removed size: S labels Mar 8, 2026
@HeMuling HeMuling force-pushed the fix/39823-secretref-marker-auth branch from eb6ab6f to 165c829 Compare March 8, 2026 14:35
@openclaw-barnacle openclaw-barnacle bot added size: S and removed app: macos App: macos size: L labels Mar 8, 2026
@openclaw-barnacle openclaw-barnacle bot added app: macos App: macos size: M and removed size: S labels Mar 8, 2026
@openclaw-barnacle openclaw-barnacle bot added size: S and removed app: macos App: macos size: M labels Mar 9, 2026
@joshavant joshavant mentioned this pull request Mar 10, 2026
Merged
@joshavant
Copy link
Copy Markdown
Contributor

joshavant commented Mar 10, 2026

Thanks @HeMuling for the contribution and for pushing this forward.

This work is now superseded by #42554 (#42554), which has merged and covers the full aggregated SecretRef surface area for this cluster.

Closing this PR to keep follow-up and history centralized in #42554.

@joshavant joshavant closed this Mar 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

agents Agent runtime and tooling scripts Repository scripts size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: custom provider SecretRef marker leaks into Authorization header as Bearer secretref-managed

2 participants

@HeMuling @joshavant