



























@@ -4,6 +4,7 @@ import type { AuthProfileStore } from "../agents/auth-profiles/types.js";
44import { formatCliCommand } from "../cli/command-format.js";
55import { collectDurableServiceEnvVars } from "../config/state-dir-dotenv.js";
66import type { OpenClawConfig } from "../config/types.js";
7+import { resolveSecretInputRef } from "../config/types.secrets.js";
78import { resolveGatewayLaunchAgentLabel } from "../daemon/constants.js";
89import { resolveGatewayStateDir } from "../daemon/paths.js";
910import {
@@ -22,6 +23,7 @@ import {
2223isDangerousHostEnvVarName,
2324normalizeEnvVarKey,
2425} from "../infra/host-env-security.js";
26+import { discoverConfigSecretTargets } from "../secrets/target-registry.js";
2527import {
2628emitDaemonInstallRuntimeWarning,
2729resolveDaemonInstallRuntimeInputs,
@@ -45,6 +47,11 @@ let daemonInstallAuthProfileStoreRuntimePromise:
4547| Promise<typeof import("./daemon-install-auth-profiles-store.runtime.js")>
4648| undefined;
474950+const NON_PERSISTED_CONFIG_SECRET_ENV_TARGET_IDS = new Set([
51+"gateway.auth.password",
52+"gateway.auth.token",
53+]);
54+4855function loadDaemonInstallAuthProfileSourceRuntime() {
4956daemonInstallAuthProfileSourceRuntimePromise ??=
5057import("./daemon-install-auth-profiles-source.runtime.js");
@@ -109,6 +116,58 @@ async function collectAuthProfileServiceEnvVars(params: {
109116return entries;
110117}
111118119+function collectConfigSecretRefServiceEnvVars(params: {
120+env: Record<string, string | undefined>;
121+config?: OpenClawConfig;
122+durableEnvironment: Record<string, string | undefined>;
123+warn?: DaemonInstallWarnFn;
124+}): Record<string, string> {
125+if (!params.config) {
126+return {};
127+}
128+const entries: Record<string, string> = {};
129+for (const target of discoverConfigSecretTargets(params.config)) {
130+if (!target.entry.includeInPlan) {
131+continue;
132+}
133+if (NON_PERSISTED_CONFIG_SECRET_ENV_TARGET_IDS.has(target.entry.id)) {
134+continue;
135+}
136+const { ref } = resolveSecretInputRef({
137+value: target.value,
138+refValue: target.refValue,
139+defaults: params.config.secrets?.defaults,
140+});
141+if (!ref || ref.source !== "env") {
142+continue;
143+}
144+const key = normalizeEnvVarKey(ref.id, { portable: true });
145+if (!key) {
146+params.warn?.(
147+`Config SecretRef env id "${ref.id}" is not portable and was not added to the service environment`,
148+"Config SecretRef",
149+);
150+continue;
151+}
152+if (isDangerousHostEnvVarName(key) || isDangerousHostEnvOverrideVarName(key)) {
153+params.warn?.(
154+`Config SecretRef env ref "${key}" blocked by host-env security policy`,
155+"Config SecretRef",
156+);
157+continue;
158+}
159+if (Object.hasOwn(params.durableEnvironment, key)) {
160+continue;
161+}
162+const value = params.env[key]?.trim();
163+if (!value) {
164+continue;
165+}
166+entries[key] = value;
167+}
168+return entries;
169+}
170+112171function mergeServicePath(
113172nextPath: string | undefined,
114173existingPath: string | undefined,
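Review bot: A SecretRef whose env variable is absent or empty in the installer environment is dropped silently at `const value = params.env[key]?.trim(); if (!value) { continue; }`, whereas the non-portable and blocked cases just above both call `params.warn`. Because keys already present in durableEnvironment are skipped first, an unset variable here most likely means the installed service ends up with no value for that ref at all, so a warning such as `params.warn?.(`Config SecretRef env ref "${key}" is not set in the installer environment and was not added to the service environment`, "Config SecretRef");` before that `continue` would surface the misconfiguration at install time rather than at first use. The function also has no doc comment; a short one stating that it resolves env-sourced SecretRefs from the config, copies their current values from params.env into the returned record (which the caller merges into the service environment, presumably the one written to disk for the service), and that ids in NON_PERSISTED_CONFIG_SECRET_ENV_TARGET_IDS are deliberately excluded would help, and the same gap exists on the set itself in the earlier hunk, which does not say why gateway.auth.password and gateway.auth.token are left out. Storing the trimmed value also alters secrets that legitimately carry leading or trailing whitespace; if that mirrors what collectAuthProfileServiceEnvVars does it is consistent, otherwise consider testing emptiness on the trimmed string but storing `params.env[key]` unchanged.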
@@ -213,6 +272,12 @@ async function buildGatewayInstallEnvironment(params: {
213272env: params.env,
214273config: params.config,
215274});
275+const configSecretRefEnvironment = collectConfigSecretRefServiceEnvVars({
276+env: params.env,
277+config: params.config,
278+ durableEnvironment,
279+warn: params.warn,
280+});
216281const authProfileEnvironment = await collectAuthProfileServiceEnvVars({
217282env: params.env,
218283authStore: params.authStore,
@@ -224,6 +289,7 @@ async function buildGatewayInstallEnvironment(params: {
224289readManagedServiceEnvKeysFromEnvironment(params.existingEnvironment),
225290),
226291 ...durableEnvironment,
292+ ...configSecretRefEnvironment,
227293 ...authProfileEnvironment,
228294};
229295const managedServiceEnvKeys = formatManagedServiceEnvKeys(durableEnvironment, {
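Review bot: `formatManagedServiceEnvKeys(durableEnvironment, {` on the last line receives only durableEnvironment, and the call continues outside the hunk, so it is not visible whether the keys contributed by configSecretRefEnvironment are recorded as managed keys. If they are not, `readManagedServiceEnvKeysFromEnvironment(params.existingEnvironment)` on a later reinstall would presumably not recognise them, and a secret value written by this install could linger in the service environment after the SecretRef is removed from the config. If the options object already covers this, a one-line comment at `...configSecretRefEnvironment,` saying that these keys are tracked as managed would spare the next reader the same question. buildGatewayInstallEnvironment starts and ends outside this hunk.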