You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Problem: Windows CI test shard fails in src/secrets/runtime.test.ts with ACL verification unavailable on Windows for temp-file secret providers, because file secret providers cannot opt out of strict path ACL verification.
Why it matters: This breaks CI on main and causes unrelated PRs to fail and block merges.
What changed: File secret providers now accept allowInsecurePath?: boolean (schema + types); the resolver passes it through to the secure-path audit; the secrets runtime tests enable it on Windows for temp-home secret files.
What did NOT change (scope boundary): Default behavior remains strict; symlink restrictions and other path validation remain unchanged; no runtime behavior changes unless users explicitly set allowInsecurePath: true.
Note: This PR’s checks currently also include an upstream formatting failure in src/cli/daemon-cli/lifecycle.test.ts, which is addressed separately in fix: format daemon lifecycle test #40450.
User-visible / Behavior Changes
File secret providers may now set allowInsecurePath: true to bypass path permission/ACL verification when the path is trusted (notably when Windows ACL verification is unavailable).
Security Impact (required)
New permissions/capabilities? (No)
Secrets/tokens handling changed? (No)
New/changed network calls? (No)
Command/tool execution surface changed? (No)
Data access scope changed? (No)
If any Yes, explain risk + mitigation: N/A
Repro + Verification
Environment
OS: macOS (local)
Runtime/container: Node 22 + pnpm
Model/provider: N/A
Integration/channel (if any): N/A
Relevant config (redacted): N/A
Steps
On Windows CI, run pnpm test (sharded).
Observe src/secrets/runtime.test.ts failing with ACL verification unavailable on Windows ... Set allowInsecurePath=true ....
Expected
Windows test shards should not fail due to ACL-audit unavailability when the secrets file path is trusted and explicitly opted out.
Actual
Before fix: file secret providers cannot set allowInsecurePath, so the secure-path audit fails when ACL verification is unavailable.
This PR fixes a Windows CI shard failure in src/secrets/runtime.test.ts by extending the existing allowInsecurePath escape hatch — already present on exec secret providers — to file secret providers as well. The change threads through the Zod schema, the TypeScript type, and the resolver, and updates the two affected test cases to conditionally opt out of ACL verification only on Windows where it is unavailable.
Schema & type: allowInsecurePath?: boolean added to SecretsFileProviderSchema and FileSecretProviderConfig, consistent with the identical field already present on ExecSecretProviderConfig.
Resolver: readFileProviderPayload now forwards providerConfig.allowInsecurePath to assertSecurePath, which already supported the flag — symlink and absolute-path enforcement remain unchanged.
Tests: The two runtime snapshot test cases that create temp-file secret providers conditionally enable allowInsecurePath: true on process.platform === "win32" to prevent the ACL verification unavailable on Windows failure; non-Windows paths remain unaffected.
Default behavior: Unchanged — the flag is strictly opt-in, and all security guards (symlink rejection, absolute-path requirement) continue to apply regardless of the flag value.
Confidence Score: 5/5
This PR is safe to merge — it is a minimal, well-scoped bug fix that wires up an already-implemented and tested escape hatch to a second provider type.
All five changed files make targeted, internally consistent changes. The assertSecurePath function already handled allowInsecurePath correctly; this PR simply exposes the option at the file provider level. Default behavior is strictly unchanged, the flag is explicit opt-in, and the test changes are conservatively scoped to Windows only. No logic was restructured and no new execution paths were introduced.
This looks like it fixes the current Windows CI failure (SecretProviderResolutionError: ... ACL verification unavailable on Windows ... Set allowInsecurePath=true).
In particular, threading allowInsecurePath through FileSecretProviderConfig + assertSecurePath, and setting it in src/secrets/runtime.test.ts for win32, should unblock checks-windows shard runs.
Thanks for tackling this — seems worth merging to get main green again.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
src/secrets/runtime.test.tswithACL verification unavailable on Windowsfor temp-file secret providers, because file secret providers cannot opt out of strict path ACL verification.mainand causes unrelated PRs to fail and block merges.allowInsecurePath?: boolean(schema + types); the resolver passes it through to the secure-path audit; the secrets runtime tests enable it on Windows for temp-home secret files.allowInsecurePath: true.Change Type (select all)
Scope (select all touched areas)
Linked Issue/PR
SecretProviderResolutionError: ... ACL verification unavailable on Windows(examplemainrun: https://github.com/openclaw/openclaw/actions/runs/22834544630)src/cli/daemon-cli/lifecycle.test.ts, which is addressed separately in fix: format daemon lifecycle test #40450.User-visible / Behavior Changes
allowInsecurePath: trueto bypass path permission/ACL verification when the path is trusted (notably when Windows ACL verification is unavailable).Security Impact (required)
Repro + Verification
Environment
Steps
pnpm test(sharded).src/secrets/runtime.test.tsfailing withACL verification unavailable on Windows ... Set allowInsecurePath=true ....Expected
Actual
allowInsecurePath, so the secure-path audit fails when ACL verification is unavailable.Evidence
Human Verification (required)
What you personally verified (not just CI), and how:
Verified scenarios:
pnpm tsgopnpm exec vitest run src/secrets/runtime.test.tsWhat you did not verify:
Compatibility / Migration
Failure Recovery (if this breaks)
allowInsecurePathoption for file secret providers.Risks and Mitigations
Risk:
Mitigation:
allowInsecurePath: true) and defaults to strict behavior.