Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openclaw/src/cli/secrets-cli.ts

252 lines
8.9 KiB
TypeScript
Raw Normal View History

feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
import fs from "node:fs";
import { confirm } from "@clack/prompts";
Gateway: add manual secrets reload command
2026-02-21 13:57:49 -08:00
import type { Command } from "commander";
import { danger } from "../globals.js";
import { defaultRuntime } from "../runtime.js";
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
import { runSecretsApply } from "../secrets/apply.js";
import { resolveSecretsAuditExitCode, runSecretsAudit } from "../secrets/audit.js";
import { runSecretsConfigureInteractive } from "../secrets/configure.js";
import { isSecretsApplyPlan, type SecretsApplyPlan } from "../secrets/plan.js";
Gateway: add manual secrets reload command
2026-02-21 13:57:49 -08:00
import { formatDocsLink } from "../terminal/links.js";
import { theme } from "../terminal/theme.js";
import { addGatewayClientOptions, callGatewayFromCli, type GatewayRpcOpts } from "./gateway-rpc.js";
type SecretsReloadOptions = GatewayRpcOpts & { json?: boolean };
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
type SecretsAuditOptions = {
check?: boolean;
json?: boolean;
};
type SecretsConfigureOptions = {
apply?: boolean;
yes?: boolean;
planOut?: string;
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
providersOnly?: boolean;
skipProviderSetup?: boolean;
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580) * feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-02 20:58:20 -06:00
agent?: string;
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
json?: boolean;
};
type SecretsApplyOptions = {
from: string;
dryRun?: boolean;
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
json?: boolean;
};
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
function readPlanFile(pathname: string): SecretsApplyPlan {
const raw = fs.readFileSync(pathname, "utf8");
const parsed = JSON.parse(raw) as unknown;
if (!isSecretsApplyPlan(parsed)) {
throw new Error(`Invalid secrets plan file: ${pathname}`);
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
}
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
return parsed;
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
}
Gateway: add manual secrets reload command
2026-02-21 13:57:49 -08:00
export function registerSecretsCli(program: Command) {
const secrets = program
.command("secrets")
.description("Secrets runtime controls")
.addHelpText(
"after",
() =>
`\n${theme.muted("Docs:")} ${formatDocsLink("/gateway/security", "docs.openclaw.ai/gateway/security")}\n`,
);
addGatewayClientOptions(
secrets
.command("reload")
.description("Re-resolve secret references and atomically swap runtime snapshot")
.option("--json", "Output JSON", false),
).action(async (opts: SecretsReloadOptions) => {
try {
const result = await callGatewayFromCli("secrets.reload", opts, undefined, {
expectFinal: false,
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
return;
}
const warningCount = Number(
(result as { warningCount?: unknown } | undefined)?.warningCount ?? 0,
);
if (Number.isFinite(warningCount) && warningCount > 0) {
defaultRuntime.log(`Secrets reloaded with ${warningCount} warning(s).`);
return;
}
defaultRuntime.log("Secrets reloaded.");
} catch (err) {
defaultRuntime.error(danger(String(err)));
defaultRuntime.exit(1);
}
});
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
secrets
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
.command("audit")
.description("Audit plaintext secrets, unresolved refs, and precedence drift")
.option("--check", "Exit non-zero when findings are present", false)
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
.option("--json", "Output JSON", false)
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
.action(async (opts: SecretsAuditOptions) => {
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
try {
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
const report = await runSecretsAudit();
if (opts.json) {
defaultRuntime.log(JSON.stringify(report, null, 2));
} else {
defaultRuntime.log(
`Secrets audit: ${report.status}. plaintext=${report.summary.plaintextCount}, unresolved=${report.summary.unresolvedRefCount}, shadowed=${report.summary.shadowedRefCount}, legacy=${report.summary.legacyResidueCount}.`,
);
if (report.findings.length > 0) {
for (const finding of report.findings.slice(0, 20)) {
defaultRuntime.log(
`- [${finding.code}] ${finding.file}:${finding.jsonPath} ${finding.message}`,
);
}
if (report.findings.length > 20) {
defaultRuntime.log(`... ${report.findings.length - 20} more finding(s).`);
}
}
}
const exitCode = resolveSecretsAuditExitCode(report, Boolean(opts.check));
if (exitCode !== 0) {
defaultRuntime.exit(exitCode);
}
} catch (err) {
defaultRuntime.error(danger(String(err)));
defaultRuntime.exit(2);
}
});
secrets
.command("configure")
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
.description("Interactive secrets helper (provider setup + SecretRef mapping + preflight)")
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
.option("--apply", "Apply changes immediately after preflight", false)
.option("--yes", "Skip apply confirmation prompt", false)
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
.option("--providers-only", "Configure secrets.providers only, skip credential mapping", false)
.option(
"--skip-provider-setup",
"Skip provider setup and only map credential fields to existing providers",
false,
)
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580) * feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-02 20:58:20 -06:00
.option(
"--agent <id>",
"Agent id for auth-profiles targets (default: configured default agent)",
)
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
.option("--plan-out <path>", "Write generated plan JSON to a file")
.option("--json", "Output JSON", false)
.action(async (opts: SecretsConfigureOptions) => {
try {
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
const configured = await runSecretsConfigureInteractive({
providersOnly: Boolean(opts.providersOnly),
skipProviderSetup: Boolean(opts.skipProviderSetup),
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580) * feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-02 20:58:20 -06:00
agentId: typeof opts.agent === "string" ? opts.agent : undefined,
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
});
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
if (opts.planOut) {
fs.writeFileSync(opts.planOut, `${JSON.stringify(configured.plan, null, 2)}\n`, "utf8");
}
if (opts.json) {
defaultRuntime.log(
JSON.stringify(
{
plan: configured.plan,
preflight: configured.preflight,
},
null,
2,
),
);
} else {
defaultRuntime.log(
`Preflight: changed=${configured.preflight.changed}, files=${configured.preflight.changedFiles.length}, warnings=${configured.preflight.warningCount}.`,
);
if (configured.preflight.warningCount > 0) {
for (const warning of configured.preflight.warnings) {
defaultRuntime.log(`- warning: ${warning}`);
}
}
feat(secrets): finalize mode rename and validated exec docs
2026-02-25 23:17:31 -06:00
const providerUpserts = Object.keys(configured.plan.providerUpserts ?? {}).length;
const providerDeletes = configured.plan.providerDeletes?.length ?? 0;
defaultRuntime.log(
`Plan: targets=${configured.plan.targets.length}, providerUpserts=${providerUpserts}, providerDeletes=${providerDeletes}.`,
);
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
if (opts.planOut) {
defaultRuntime.log(`Plan written to ${opts.planOut}`);
}
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
}
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
let shouldApply = Boolean(opts.apply);
if (!shouldApply && !opts.json) {
const approved = await confirm({
message: "Apply this plan now?",
initialValue: true,
});
if (typeof approved === "boolean") {
shouldApply = approved;
}
}
if (shouldApply) {
const needsIrreversiblePrompt = Boolean(opts.apply);
if (needsIrreversiblePrompt && !opts.yes && !opts.json) {
const confirmed = await confirm({
message:
"This migration is one-way for migrated plaintext values. Continue with apply?",
initialValue: true,
});
if (confirmed !== true) {
defaultRuntime.log("Apply cancelled.");
return;
}
}
const result = await runSecretsApply({
plan: configured.plan,
write: true,
});
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
return;
}
defaultRuntime.log(
result.changed
? `Secrets applied. Updated ${result.changedFiles.length} file(s).`
: "Secrets apply: no changes.",
);
}
} catch (err) {
defaultRuntime.error(danger(String(err)));
defaultRuntime.exit(1);
}
});
secrets
.command("apply")
.description("Apply a previously generated secrets plan")
.requiredOption("--from <path>", "Path to plan JSON")
.option("--dry-run", "Validate/preflight only", false)
.option("--json", "Output JSON", false)
.action(async (opts: SecretsApplyOptions) => {
try {
const plan = readPlanFile(opts.from);
const result = await runSecretsApply({
plan,
write: !opts.dryRun,
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
});
feat(secrets): replace migrate flow with audit/configure/apply
2026-02-25 20:29:39 -06:00
if (opts.json) {
defaultRuntime.log(JSON.stringify(result, null, 2));
return;
}
if (opts.dryRun) {
defaultRuntime.log(
result.changed
? `Secrets apply dry run: ${result.changedFiles.length} file(s) would change.`
: "Secrets apply dry run: no changes.",
);
return;
}
defaultRuntime.log(
result.changed
? `Secrets applied. Updated ${result.changedFiles.length} file(s).`
: "Secrets apply: no changes.",
);
Secrets: add migrate rollback and skill ref support
2026-02-21 14:23:44 -08:00
} catch (err) {
defaultRuntime.error(danger(String(err)));
defaultRuntime.exit(1);
}
});
Gateway: add manual secrets reload command
2026-02-21 13:57:49 -08:00
}
Reference in New Issue Copy Permalink