





















@@ -170,6 +170,61 @@ function collectConfigSecretRefServiceEnvVars(params: {
170170return entries;
171171}
172172173+function collectExecSecretRefPassEnvServiceEnvVars(params: {
174+env: Record<string, string | undefined>;
175+config?: OpenClawConfig;
176+durableEnvironment: Record<string, string | undefined>;
177+warn?: DaemonInstallWarnFn;
178+}): Record<string, string> {
179+if (!params.config) {
180+return {};
181+}
182+const entries: Record<string, string> = {};
183+for (const target of discoverConfigSecretTargets(params.config)) {
184+if (!target.entry.includeInPlan) {
185+continue;
186+}
187+const { ref } = resolveSecretInputRef({
188+value: target.value,
189+refValue: target.refValue,
190+defaults: params.config.secrets?.defaults,
191+});
192+if (!ref || ref.source !== "exec") {
193+continue;
194+}
195+const provider = params.config.secrets?.providers?.[ref.provider];
196+if (!provider || provider.source !== "exec") {
197+continue;
198+}
199+for (const rawKey of provider.passEnv ?? []) {
200+const key = normalizeEnvVarKey(rawKey, { portable: true });
201+if (!key) {
202+params.warn?.(
203+`Exec SecretRef passEnv id "${rawKey}" is not portable and was not added to the service environment`,
204+"Config SecretRef",
205+);
206+continue;
207+}
208+if (isDangerousHostEnvVarName(key) || isDangerousHostEnvOverrideVarName(key)) {
209+params.warn?.(
210+`Exec SecretRef passEnv ref "${key}" blocked by host-env security policy`,
211+"Config SecretRef",
212+);
213+continue;
214+}
215+if (Object.hasOwn(params.durableEnvironment, key)) {
216+continue;
217+}
218+const value = params.env[key]?.trim();
219+if (!value) {
220+continue;
221+}
222+entries[key] = value;
223+}
224+}
225+return entries;
226+}
227+173228function mergeServicePath(
174229nextPath: string | undefined,
175230existingPath: string | undefined,
@@ -338,6 +393,12 @@ async function buildGatewayInstallEnvironment(params: {
338393 durableEnvironment,
339394warn: params.warn,
340395});
396+const execSecretRefPassEnvEnvironment = collectExecSecretRefPassEnvServiceEnvVars({
397+env: params.env,
398+config: params.config,
399+ durableEnvironment,
400+warn: params.warn,
401+});
341402const authProfileEnvironment = await collectAuthProfileServiceEnvVars({
342403env: params.env,
343404authStore: params.authStore,
@@ -350,6 +411,7 @@ async function buildGatewayInstallEnvironment(params: {
350411),
351412 ...durableEnvironment,
352413 ...configSecretRefEnvironment,
414+ ...execSecretRefPassEnvEnvironment,
353415 ...authProfileEnvironment,
354416};
355417const managedServiceEnvKeys = formatManagedServiceEnvKeys(durableEnvironment, {
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。