




















@@ -582,6 +582,101 @@ describe("secrets audit", () => {
582582expect(report.filesScanned).toContain(externalModelsPath);
583583});
584584585+it("does not flag $VAR shorthand env refs in auth profiles as plaintext", async () => {
586+await writeJsonFile(fixture.authStorePath, {
587+version: 1,
588+profiles: {
589+"openai:default": {
590+type: "api_key",
591+provider: "openai",
592+key: "$OPENAI_API_KEY", // pragma: allowlist secret
593+},
594+},
595+});
596+597+const report = await runSecretsAudit({ env: fixture.env });
598+expect(
599+hasFinding(
600+report,
601+(entry) => entry.code === "PLAINTEXT_FOUND" && entry.file === fixture.authStorePath,
602+),
603+).toBe(false);
604+});
605+606+it("does not flag ${VAR} env refs in auth profiles as plaintext", async () => {
607+await writeJsonFile(fixture.authStorePath, {
608+version: 1,
609+profiles: {
610+"openai:default": {
611+type: "api_key",
612+provider: "openai",
613+key: "${OPENAI_API_KEY}", // pragma: allowlist secret
614+},
615+},
616+});
617+618+const report = await runSecretsAudit({ env: fixture.env });
619+expect(
620+hasFinding(
621+report,
622+(entry) => entry.code === "PLAINTEXT_FOUND" && entry.file === fixture.authStorePath,
623+),
624+).toBe(false);
625+});
626+627+it("still flags auth profile plaintext when an explicit ref is also configured", async () => {
628+await writeJsonFile(fixture.authStorePath, {
629+version: 1,
630+profiles: {
631+"openai:default": {
632+type: "api_key",
633+provider: "openai",
634+key: "sk-leftover-plaintext", // pragma: allowlist secret
635+keyRef: { source: "env", id: "OPENAI_API_KEY" },
636+},
637+},
638+});
639+640+const report = await runSecretsAudit({ env: fixture.env });
641+expect(
642+hasFinding(
643+report,
644+(entry) =>
645+entry.code === "PLAINTEXT_FOUND" &&
646+entry.file === fixture.authStorePath &&
647+entry.jsonPath === "profiles.openai:default.key",
648+),
649+).toBe(true);
650+});
651+652+it.each(["$OPENAI_API_KEY", "${OPENAI_API_KEY}"])(
653+"does not flag %s auth profile env refs when an explicit ref is also configured",
654+async (value) => {
655+await writeJsonFile(fixture.authStorePath, {
656+version: 1,
657+profiles: {
658+"openai:default": {
659+type: "api_key",
660+provider: "openai",
661+key: value,
662+keyRef: { source: "env", id: "OPENAI_API_KEY" },
663+},
664+},
665+});
666+667+const report = await runSecretsAudit({ env: fixture.env });
668+expect(
669+hasFinding(
670+report,
671+(entry) =>
672+entry.code === "PLAINTEXT_FOUND" &&
673+entry.file === fixture.authStorePath &&
674+entry.jsonPath === "profiles.openai:default.key",
675+),
676+).toBe(false);
677+},
678+);
679+585680it("does not flag non-sensitive routing headers in openclaw config", async () => {
586681await writeJsonFile(fixture.configPath, {
587682models: {
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。