docs: document gateway auth helpers · openclaw/openclaw@d72184d
steipete
·
2026-06-05
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway auth surface resolver. |
| 2 | +// Centralizes credential precedence for probes and interactive clients. |
1 | 3 | import type { OpenClawConfig } from "../config/types.js"; |
2 | 4 | import { hasConfiguredSecretInput } from "../config/types.secrets.js"; |
3 | 5 | import { trimToUndefined, type ExplicitGatewayAuth } from "./credentials.js"; |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway auth-token source conflict detector. |
| 2 | +// Warns when local env auth can diverge from managed gateway config auth. |
1 | 3 | import { normalizeOptionalString } from "@openclaw/normalization-core/string-coerce"; |
2 | 4 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
3 | 5 | import { normalizeSecretInputString, resolveSecretInputRef } from "../config/types.secrets.js"; |
@@ -27,6 +29,8 @@ export function resolveGatewayAuthTokenSourceConflict(params: {
|
27 | 29 | } |
28 | 30 | |
29 | 31 | if (params.env.OPENCLAW_SERVICE_KIND?.trim() === GATEWAY_SERVICE_KIND) { |
| 32 | +// The managed gateway process intentionally uses its service env. The |
| 33 | +// warning is for client shells where env precedence can surprise users. |
30 | 34 | return null; |
31 | 35 | } |
32 | 36 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway control-reply text classifier. |
| 2 | +// Suppresses internal auto-reply tokens before they leak to chat surfaces. |
1 | 3 | import { isSilentReplyText, SILENT_REPLY_TOKEN } from "../auto-reply/tokens.js"; |
2 | 4 | |
3 | 5 | const SUPPRESSED_CONTROL_REPLY_TOKENS = [ |
@@ -57,6 +59,8 @@ export function isSuppressedControlReplyLeadFragment(text: string): boolean {
|
57 | 59 | if (token !== SILENT_REPLY_TOKEN && trimmed !== trimmed.toUpperCase()) { |
58 | 60 | return false; |
59 | 61 | } |
| 62 | +// Bare fragments are common while streaming. Require a minimum prefix so |
| 63 | +// ordinary words do not disappear just because they start like a token. |
60 | 64 | return normalized.length >= MIN_BARE_PREFIX_LENGTH_BY_TOKEN[token]; |
61 | 65 | }); |
62 | 66 | } |
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway legacy environment warning. |
| 2 | +// Emits a one-shot notice for ignored pre-OpenClaw environment prefixes. |
1 | 3 | import { isVitestRuntimeEnv } from "../infra/env.js"; |
2 | 4 | |
3 | 5 | // Legacy env warnings are process-wide and intentionally one-shot so normal |
@@ -15,6 +17,8 @@ export function warnLegacyOpenClawEnvVars(env: NodeJS.ProcessEnv = process.env):
|
15 | 17 | |
16 | 18 | const prefixCounts = new Map<LegacyEnvPrefix, number>(); |
17 | 19 | for (const key of Object.keys(env)) { |
| 20 | +// Count by prefix only; never print env names or values because some legacy |
| 21 | +// names may still encode account/provider secrets. |
18 | 22 | const prefix = LEGACY_ENV_PREFIXES.find((candidate) => key.startsWith(candidate)); |
19 | 23 | if (prefix) { |
20 | 24 | prefixCounts.set(prefix, (prefixCounts.get(prefix) ?? 0) + 1); |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway known-weak credential guard. |
| 2 | +// Rejects published placeholder auth values before the gateway starts. |
1 | 3 | import type { ResolvedGatewayAuth } from "./auth.js"; |
2 | 4 | |
3 | 5 | export const KNOWN_WEAK_GATEWAY_TOKEN_PLACEHOLDERS = [ |
@@ -25,6 +27,8 @@ const KNOWN_WEAK_GATEWAY_PASSWORDS: ReadonlySet<string> = new Set(
|
25 | 27 | |
26 | 28 | export function assertGatewayAuthNotKnownWeak(auth: ResolvedGatewayAuth): void { |
27 | 29 | if (auth.mode === "token") { |
| 30 | +// Token/password checks stay separate because auth mode is exclusive and |
| 31 | +// error text should name the credential the operator must rotate. |
28 | 32 | const token = auth.token?.trim() ?? ""; |
29 | 33 | if (token && KNOWN_WEAK_GATEWAY_TOKENS.has(token)) { |
30 | 34 | throw new Error( |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Local embedded Gateway request context. |
| 2 | +// Lets local agent paths reuse Gateway server methods without starting a server. |
1 | 3 | import { loadManifestModelCatalog } from "../agents/model-catalog.js"; |
2 | 4 | import type { CliDeps } from "../cli/deps.types.js"; |
3 | 5 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway operator scope constants. |
| 2 | +// Defines the closed set accepted by connection auth and method policy. |
1 | 3 | export const ADMIN_SCOPE = "operator.admin" as const; |
2 | 4 | export const READ_SCOPE = "operator.read" as const; |
3 | 5 | export const WRITE_SCOPE = "operator.write" as const; |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway connection role policy. |
| 2 | +// Separates node-role RPCs from operator RPCs before method scope checks. |
1 | 3 | import { isNodeRoleMethod } from "./method-scopes.js"; |
2 | 4 | |
3 | 5 | const GATEWAY_ROLES = ["operator", "node"] as const; |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。