GigaChat: preserve env TLS fallback

2026-03-20 18:06:08 +03:00 · 2026-03-20 18:06:08 +03:00 · fb4e368174
commit fb4e368174
parent 5dd96c970a
5 changed files with 42 additions and 7 deletions
--- a/src/agents/gigachat-auth.ts
+++ b/src/agents/gigachat-auth.ts
@ -22,6 +22,18 @@ export function resolveGigachatAuthProfileMetadata(
  return undefined;
 }

+export function resolveGigachatInsecureTlsOverride(
+  metadata?: GigachatAuthMetadata,
+): boolean | undefined {
+  if (metadata?.insecureTls === "true") {
+    return true;
+  }
+  if (metadata?.insecureTls === "false") {
+    return false;
+  }
+  return undefined;
+}
+
 function looksLikeGigachatBasicCredentials(apiKey: string | undefined): boolean {
  const trimmed = apiKey?.trim();
  if (!trimmed) {
--- a/src/agents/pi-embedded-runner/compact.hooks.test.ts
+++ b/src/agents/pi-embedded-runner/compact.hooks.test.ts
@ -1040,7 +1040,7 @@ describe("compactEmbeddedPiSessionDirect hooks", () => {
      expect(createGigachatStreamFnMock).toHaveBeenCalledWith({
        baseUrl: "https://gigachat.devices.sberbank.ru/api/v1",
        authMode: "basic",
-        insecureTls: false,
+        insecureTls: undefined,
        scope: undefined,
      });
      return {
@ -1100,7 +1100,7 @@ describe("compactEmbeddedPiSessionDirect hooks", () => {
      expect(createGigachatStreamFnMock).toHaveBeenCalledWith({
        baseUrl: "https://gigachat.devices.sberbank.ru/api/v1",
        authMode: "oauth",
-        insecureTls: false,
+        insecureTls: undefined,
        scope: undefined,
      });
      return {
--- a/src/agents/pi-embedded-runner/compact.ts
+++ b/src/agents/pi-embedded-runner/compact.ts
@ -43,7 +43,11 @@ import { ensureCustomApiRegistered } from "../custom-api-registry.js";
 import { formatUserTime, resolveUserTimeFormat, resolveUserTimezone } from "../date-time.js";
 import { DEFAULT_CONTEXT_TOKENS, DEFAULT_MODEL, DEFAULT_PROVIDER } from "../defaults.js";
 import { resolveOpenClawDocsPath } from "../docs-path.js";
-import { resolveGigachatAuthMode, resolveGigachatAuthProfileMetadata } from "../gigachat-auth.js";
+import {
+  resolveGigachatAuthMode,
+  resolveGigachatAuthProfileMetadata,
+  resolveGigachatInsecureTlsOverride,
+} from "../gigachat-auth.js";
 import { createGigachatStreamFn } from "../gigachat-stream.js";
 import { resolveMemorySearchConfig } from "../memory-search.js";
 import {
@ -868,7 +872,7 @@ export async function compactEmbeddedPiSessionDirect(
            apiKey: apiKeyInfo?.apiKey,
            authProfileId: resolvedGigachatProfileId,
          }),
-          insecureTls: gigachatMeta?.insecureTls === "true",
+          insecureTls: resolveGigachatInsecureTlsOverride(gigachatMeta),
          scope: gigachatMeta?.scope,
        });
      }
--- a/src/agents/pi-embedded-runner/run/attempt.test.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.test.ts
@ -1,7 +1,10 @@
 import { describe, expect, it, vi } from "vitest";
 import type { OpenClawConfig } from "../../../config/config.js";
 import { appendBootstrapPromptWarning } from "../../bootstrap-budget.js";
-import { resolveGigachatAuthMode } from "../../gigachat-auth.js";
+import {
+  resolveGigachatAuthMode,
+  resolveGigachatInsecureTlsOverride,
+} from "../../gigachat-auth.js";
 import { resolveOllamaBaseUrlForRun } from "../../ollama-stream.js";
 import { buildAgentSystemPrompt } from "../../system-prompt.js";
 import {
@ -253,6 +256,18 @@ describe("resolveGigachatAuthMode", () => {
  });
 });

+describe("resolveGigachatInsecureTlsOverride", () => {
+  it("maps explicit metadata flags to boolean overrides", () => {
+    expect(resolveGigachatInsecureTlsOverride({ insecureTls: "true" })).toBe(true);
+    expect(resolveGigachatInsecureTlsOverride({ insecureTls: "false" })).toBe(false);
+  });
+
+  it("leaves the override unset when metadata does not specify TLS behavior", () => {
+    expect(resolveGigachatInsecureTlsOverride(undefined)).toBeUndefined();
+    expect(resolveGigachatInsecureTlsOverride({ scope: "GIGACHAT_API_PERS" })).toBeUndefined();
+  });
+});
+
 describe("resolveGigachatApiKeyForRun", () => {
  it("falls back to config-backed GigaChat API keys when authStorage has no key", async () => {
    const resolved = await resolveGigachatApiKeyForRun({
--- a/src/agents/pi-embedded-runner/run/attempt.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.ts
@ -55,6 +55,7 @@ import { DEFAULT_CONTEXT_TOKENS } from "../../defaults.js";
 import { resolveOpenClawDocsPath } from "../../docs-path.js";
 import { isTimeoutError } from "../../failover-error.js";
 import {
+  resolveGigachatInsecureTlsOverride,
  resolveGigachatAuthMode,
  resolveGigachatAuthProfileMetadata,
 } from "../../gigachat-auth.js";
@ -228,7 +229,10 @@ function createYieldAbortedResponse(model: { api?: string; provider?: string; id
    result: async () => message,
  };
 }
-export { resolveGigachatAuthProfileMetadata } from "../../gigachat-auth.js";
+export {
+  resolveGigachatAuthProfileMetadata,
+  resolveGigachatInsecureTlsOverride,
+} from "../../gigachat-auth.js";

 export async function resolveGigachatApiKeyForRun(params: {
  model: EmbeddedRunAttemptParams["model"];
@ -2035,7 +2039,7 @@ export async function runEmbeddedAttempt(
            apiKey: resolvedGigachatAuth.apiKey,
            authProfileId: resolvedGigachatAuth.authProfileId,
          }),
-          insecureTls: gigachatMeta?.insecureTls === "true",
+          insecureTls: resolveGigachatInsecureTlsOverride(gigachatMeta),
          scope: gigachatMeta?.scope,
        });
        activeSession.agent.streamFn = gigachatStreamFn;