From f96ee99bbc8bd13863f7a5109ac8755a70bb73d5 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 18 Mar 2026 02:28:55 -0700
Subject: [PATCH] Plugin SDK: harden provider auth seams
---
 extensions/openrouter/index.ts | 2 +-
 extensions/venice/index.ts | 2 +-
 extensions/xai/index.ts | 2 +-
 extensions/zai/index.ts | 2 +-
 package.json | 4 ++
 scripts/lib/plugin-sdk-entrypoints.json | 1 +
 src/plugin-sdk/agent-runtime.ts | 50 ++++++++++++++++++++++++-
 src/plugin-sdk/provider-auth-api-key.ts | 21 +++++++++++
 8 files changed, 79 insertions(+), 5 deletions(-)
 create mode 100644 src/plugin-sdk/provider-auth-api-key.ts
diff --git a/extensions/openrouter/index.ts b/extensions/openrouter/index.ts
index bcb75ecb49d..6b9ffbd2a1a 100644
--- a/extensions/openrouter/index.ts
+++ b/extensions/openrouter/index.ts
@@ -4,7 +4,7 @@ import {
 type ProviderResolveDynamicModelContext,
 type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
-import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth";
+import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth-api-key";
 import { applyXaiModelCompat, DEFAULT_CONTEXT_TOKENS } from "openclaw/plugin-sdk/provider-models";
 import {
 getOpenRouterModelCapabilities,
diff --git a/extensions/venice/index.ts b/extensions/venice/index.ts
index cdf984bb99e..2cef47dc3c3 100644
--- a/extensions/venice/index.ts
+++ b/extensions/venice/index.ts
@@ -1,5 +1,5 @@
 import { definePluginEntry } from "openclaw/plugin-sdk/core";
-import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth";
+import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth-api-key";
 import { buildSingleProviderApiKeyCatalog } from "openclaw/plugin-sdk/provider-catalog";
 import { applyXaiModelCompat } from "openclaw/plugin-sdk/provider-models";
 import { applyVeniceConfig, VENICE_DEFAULT_MODEL_REF } from "./onboard.js";
diff --git a/extensions/xai/index.ts b/extensions/xai/index.ts
index 6fa925637b8..0f0784c315f 100644
--- a/extensions/xai/index.ts
+++ b/extensions/xai/index.ts
@@ -1,5 +1,5 @@
 import { definePluginEntry } from "openclaw/plugin-sdk/core";
-import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth";
+import { createProviderApiKeyAuthMethod } from "openclaw/plugin-sdk/provider-auth-api-key";
 import { buildSingleProviderApiKeyCatalog } from "openclaw/plugin-sdk/provider-catalog";
 import { applyXaiModelCompat } from "openclaw/plugin-sdk/provider-models";
 import { createToolStreamWrapper } from "openclaw/plugin-sdk/provider-stream";
diff --git a/extensions/zai/index.ts b/extensions/zai/index.ts
index 79ae3a9d8aa..ee4aa0b30bc 100644
--- a/extensions/zai/index.ts
+++ b/extensions/zai/index.ts
@@ -15,7 +15,7 @@ import {
 type SecretInput,
 upsertAuthProfile,
 validateApiKeyInput,
-} from "openclaw/plugin-sdk/provider-auth";
+} from "openclaw/plugin-sdk/provider-auth-api-key";
 import { DEFAULT_CONTEXT_TOKENS, normalizeModelCompat } from "openclaw/plugin-sdk/provider-models";
 import { createZaiToolStreamWrapper } from "openclaw/plugin-sdk/provider-stream";
 import { fetchZaiUsage, resolveLegacyPiAgentAccessToken } from "openclaw/plugin-sdk/provider-usage";
diff --git a/package.json b/package.json
index a181861c2ae..e3dfda5cd75 100644
--- a/package.json
+++ b/package.json
@@ -414,6 +414,10 @@
 "types": "./dist/plugin-sdk/provider-auth.d.ts",
 "default": "./dist/plugin-sdk/provider-auth.js"
 },
+ "./plugin-sdk/provider-auth-api-key": {
+ "types": "./dist/plugin-sdk/provider-auth-api-key.d.ts",
+ "default": "./dist/plugin-sdk/provider-auth-api-key.js"
+ },
 "./plugin-sdk/provider-auth-login": {
 "types": "./dist/plugin-sdk/provider-auth-login.d.ts",
 "default": "./dist/plugin-sdk/provider-auth-login.js"
diff --git a/scripts/lib/plugin-sdk-entrypoints.json b/scripts/lib/plugin-sdk-entrypoints.json
index 7378f3b4d9d..ac54dabe731 100644
--- a/scripts/lib/plugin-sdk-entrypoints.json
+++ b/scripts/lib/plugin-sdk-entrypoints.json
@@ -93,6 +93,7 @@
 "json-store",
 "keyed-async-queue",
 "provider-auth",
+ "provider-auth-api-key",
 "provider-auth-login",
 "provider-catalog",
 "provider-models",
diff --git a/src/plugin-sdk/agent-runtime.ts b/src/plugin-sdk/agent-runtime.ts
index c5313f681cc..a7191fd5a01 100644
--- a/src/plugin-sdk/agent-runtime.ts
+++ b/src/plugin-sdk/agent-runtime.ts
@@ -1,7 +1,6 @@
 // Public agent/model/runtime helpers for plugins that integrate with core agent flows.
 export * from "../agents/agent-scope.js";
-export * from "../agents/auth-profiles.js";
 export * from "../agents/current-time.js";
 export * from "../agents/date-time.js";
 export * from "../agents/defaults.js";
@@ -25,3 +24,52 @@ export * from "../agents/vllm-defaults.js";
 // Intentional public runtime surface: channel plugins use ingress agent helpers directly.
 export * from "../agents/agent-command.js";
 export * from "../tts/tts.js";
+
+export {
+ CLAUDE_CLI_PROFILE_ID,
+ CODEX_CLI_PROFILE_ID,
+ dedupeProfileIds,
+ listProfilesForProvider,
+ markAuthProfileGood,
+ setAuthProfileOrder,
+ upsertAuthProfile,
+ upsertAuthProfileWithLock,
+ repairOAuthProfileIdMismatch,
+ suggestOAuthProfileIdForLegacyDefault,
+ clearRuntimeAuthProfileStoreSnapshots,
+ ensureAuthProfileStore,
+ loadAuthProfileStoreForSecretsRuntime,
+ loadAuthProfileStoreForRuntime,
+ replaceRuntimeAuthProfileStoreSnapshots,
+ loadAuthProfileStore,
+ saveAuthProfileStore,
+ calculateAuthProfileCooldownMs,
+ clearAuthProfileCooldown,
+ clearExpiredCooldowns,
+ getSoonestCooldownExpiry,
+ isProfileInCooldown,
+ markAuthProfileCooldown,
+ markAuthProfileFailure,
+ markAuthProfileUsed,
+ resolveProfilesUnavailableReason,
+ resolveProfileUnusableUntilForDisplay,
+ resolveApiKeyForProfile,
+ resolveAuthProfileDisplayLabel,
+ formatAuthDoctorHint,
+ resolveAuthProfileEligibility,
+ resolveAuthProfileOrder,
+ resolveAuthStorePathForDisplay,
+} from "../agents/auth-profiles.js";
+export type {
+ ApiKeyCredential,
+ AuthCredentialReasonCode,
+ AuthProfileCredential,
+ AuthProfileEligibilityReasonCode,
+ AuthProfileFailureReason,
+ AuthProfileIdRepairResult,
+ AuthProfileStore,
+ OAuthCredential,
+ ProfileUsageStats,
+ TokenCredential,
+ TokenExpiryState,
+} from "../agents/auth-profiles.js";
diff --git a/src/plugin-sdk/provider-auth-api-key.ts b/src/plugin-sdk/provider-auth-api-key.ts
new file mode 100644
index 00000000000..b083d8e27cb
--- /dev/null
+++ b/src/plugin-sdk/provider-auth-api-key.ts
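Review bot: The explicit export list added to `src/plugin-sdk/agent-runtime.ts` still gives every plugin the store-level and key-resolving helpers (`loadAuthProfileStoreForSecretsRuntime`, `saveAuthProfileStore`, `replaceRuntimeAuthProfileStoreSnapshots`, `clearRuntimeAuthProfileStoreSnapshots`, `resolveApiKeyForProfile`), and nothing in the hunk records which of them plugins are expected to call. Replacing `export *` stops new symbols from becoming public by default, but the allowlist is only as narrow as its entries, so it is worth confirming that each of these has a plugin consumer and dropping the ones that do not. I would put a comment above the block in the style of the existing agent-command one, for example `// Intentional auth-profile allowlist: add a name only when a plugin needs it; store load/save helpers are likely to touch stored credentials.` The names that were public through the old wildcard and are now gone are not visible in this diff, so listing them in the commit description would tell external plugin authors what changed.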
@@ -0,0 +1,21 @@
+// Public API-key onboarding helpers for provider plugins.
+
+export type { OpenClawConfig } from "../config/config.js";
+export type { SecretInput } from "../config/types.secrets.js";
+
+export { upsertAuthProfile } from "../agents/auth-profiles.js";
+export {
+ formatApiKeyPreview,
+ normalizeApiKeyInput,
+ validateApiKeyInput,
+ ensureApiKeyFromOptionEnvOrPrompt,
+ normalizeSecretInputModeInput,
+ promptSecretRefForSetup,
+ resolveSecretInputModeForEnvSelection,
+} from "../plugins/provider-auth-input.js";
+export { applyAuthProfileConfig, buildApiKeyCredential } from "../plugins/provider-auth-helpers.js";
+export { createProviderApiKeyAuthMethod } from "../plugins/provider-api-key-auth.js";
+export {
+ normalizeOptionalSecretInput,
+ normalizeSecretInput,
+} from "../utils/normalize-secret-input.js";
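Review bot: `upsertAuthProfile` is re-exported from this new module and also from the allowlist this commit adds to `agent-runtime.ts`, so the profile-writing helper is public through at least two SDK entrypoints and any later tightening has to be made in both. The `package.json` context lines show `./plugin-sdk/provider-auth` is still exported, so a plugin can keep importing the wider module; the narrower seam only reduces exposure once that path is trimmed or deprecated, which the header comment could say. If the intent is that this entrypoint carries API-key onboarding only, I would extend the first line to something like `// Public API-key onboarding helpers for provider plugins. Keep minimal: OAuth/login and store-loading helpers belong to other entrypoints.` A small test asserting the exact set of names this module exports would catch accidental widening.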