
























@@ -13,7 +13,7 @@ import {
1313shouldDeferProviderSyntheticProfileAuthWithPlugin,
1414} from "../plugins/provider-runtime.js";
1515import { resolveOwningPluginIdsForProvider } from "../plugins/providers.js";
16-import type { ProviderAuthEvidence } from "../secrets/provider-env-vars.js";
16+import { resolveRuntimeSyntheticAuthProviderRefState } from "../plugins/synthetic-auth.runtime.js";
1717import { resolveDefaultSecretProviderAlias } from "../secrets/ref-contract.js";
1818import {
1919normalizeLowercaseStringOrEmpty,
@@ -33,7 +33,15 @@ import {
3333resolveAuthStorePathForDisplay,
3434} from "./auth-profiles.js";
3535import * as cliCredentials from "./cli-credentials.js";
36-import { resolveEnvApiKey, type EnvApiKeyResult } from "./model-auth-env.js";
36+import {
37+resolveProviderEnvApiKeyCandidates,
38+resolveProviderEnvAuthEvidence,
39+} from "./model-auth-env-vars.js";
40+import {
41+resolveEnvApiKey,
42+type EnvApiKeyLookupOptions,
43+type EnvApiKeyResult,
44+} from "./model-auth-env.js";
3745import {
3846CUSTOM_LOCAL_AUTH_MARKER,
3947isKnownEnvApiKeyMarker,
@@ -42,6 +50,7 @@ import {
4250} from "./model-auth-markers.js";
4351import { type ResolvedProviderAuth } from "./model-auth-runtime-shared.js";
4452import { normalizeProviderId } from "./model-selection.js";
53+import { resolveProviderAuthAliasMap } from "./provider-auth-aliases.js";
45544655export {
4756ensureAuthProfileStore,
@@ -56,6 +65,11 @@ export {
5665export type { ResolvedProviderAuth } from "./model-auth-runtime-shared.js";
5766export type ProviderCredentialPrecedence = "profile-first" | "env-first";
586768+export type RuntimeProviderAuthLookup = {
69+envApiKey: Pick<EnvApiKeyLookupOptions, "aliasMap" | "candidateMap" | "authEvidenceMap">;
70+syntheticAuthProviderRefs?: readonly string[];
71+};
72+5973const log = createSubsystemLogger("model-auth");
60746175function resolveConfigAwareEnvApiKey(
@@ -88,6 +102,30 @@ function resolveProviderConfig(
88102);
89103}
90104105+export function createRuntimeProviderAuthLookup(params: {
106+cfg?: OpenClawConfig;
107+workspaceDir?: string;
108+env?: NodeJS.ProcessEnv;
109+}): RuntimeProviderAuthLookup {
110+const env = params.env ?? process.env;
111+const lookupParams = {
112+config: params.cfg,
113+workspaceDir: params.workspaceDir,
114+ env,
115+};
116+const syntheticAuthProviderRefs = resolveRuntimeSyntheticAuthProviderRefState(lookupParams);
117+return {
118+envApiKey: {
119+aliasMap: resolveProviderAuthAliasMap(lookupParams),
120+candidateMap: resolveProviderEnvApiKeyCandidates(lookupParams),
121+authEvidenceMap: resolveProviderEnvAuthEvidence(lookupParams),
122+},
123+syntheticAuthProviderRefs: syntheticAuthProviderRefs.complete
124+ ? syntheticAuthProviderRefs.refs
125+ : undefined,
126+};
127+}
128+91129export function getCustomProviderApiKey(
92130cfg: OpenClawConfig | undefined,
93131provider: string,
@@ -344,17 +382,51 @@ export function hasSyntheticLocalProviderAuthConfig(params: {
344382return Boolean(providerConfig.baseUrl && isLocalBaseUrl(providerConfig.baseUrl));
345383}
346384385+function listProviderSyntheticAuthRefs(params: {
386+cfg: OpenClawConfig | undefined;
387+provider: string;
388+modelApi?: string;
389+}): string[] {
390+const refs = [params.provider];
391+const providerConfig = resolveProviderConfig(params.cfg, params.provider);
392+if (params.modelApi) {
393+refs.push(params.modelApi);
394+}
395+if (providerConfig?.api) {
396+refs.push(providerConfig.api);
397+}
398+return [...new Set(refs.map((ref) => normalizeProviderId(ref)).filter(Boolean))];
399+}
400+401+function shouldResolvePluginSyntheticAuth(params: {
402+cfg: OpenClawConfig | undefined;
403+provider: string;
404+modelApi?: string;
405+runtimeLookup?: RuntimeProviderAuthLookup;
406+}): boolean {
407+const syntheticAuthProviderRefs = params.runtimeLookup?.syntheticAuthProviderRefs;
408+if (!syntheticAuthProviderRefs) {
409+return true;
410+}
411+if (resolveProviderConfig(params.cfg, params.provider)) {
412+return true;
413+}
414+const eligibleRefs = new Set(
415+syntheticAuthProviderRefs.map((ref) => normalizeProviderId(ref)).filter(Boolean),
416+);
417+if (eligibleRefs.size === 0) {
418+return false;
419+}
420+return listProviderSyntheticAuthRefs(params).some((ref) => eligibleRefs.has(ref));
421+}
422+347423export function hasRuntimeAvailableProviderAuth(params: {
348424provider: string;
349425cfg?: OpenClawConfig;
350426workspaceDir?: string;
351427env?: NodeJS.ProcessEnv;
352428allowPluginSyntheticAuth?: boolean;
353-envAuthLookup?: {
354-aliasMap?: Readonly<Record<string, string>>;
355-candidateMap?: Readonly<Record<string, readonly string[]>>;
356-authEvidenceMap?: Readonly<Record<string, readonly ProviderAuthEvidence[]>>;
357-};
429+runtimeLookup?: RuntimeProviderAuthLookup;
358430}): boolean {
359431const provider = normalizeProviderId(params.provider);
360432const authOverride = resolveProviderAuthOverride(params.cfg, provider);
@@ -368,9 +440,7 @@ export function hasRuntimeAvailableProviderAuth(params: {
368440resolveEnvApiKey(provider, params.env, {
369441config: params.cfg,
370442workspaceDir: params.workspaceDir,
371-aliasMap: params.envAuthLookup?.aliasMap,
372-candidateMap: params.envAuthLookup?.candidateMap,
373-authEvidenceMap: params.envAuthLookup?.authEvidenceMap,
443+ ...params.runtimeLookup?.envApiKey,
374444})
375445) {
376446return true;
@@ -383,6 +453,11 @@ export function hasRuntimeAvailableProviderAuth(params: {
383453}
384454if (
385455params.allowPluginSyntheticAuth !== false &&
456+shouldResolvePluginSyntheticAuth({
457+cfg: params.cfg,
458+ provider,
459+runtimeLookup: params.runtimeLookup,
460+}) &&
386461resolveSyntheticLocalProviderAuth({ cfg: params.cfg, provider })
387462) {
388463return true;
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。