From fb4e368174a52ae6f8e1b6bafec7f5522a69839a Mon Sep 17 00:00:00 2001 From: Alexander Davydov Date: Fri, 20 Mar 2026 18:06:08 +0300 Subject: [PATCH] GigaChat: preserve env TLS fallback --- src/agents/gigachat-auth.ts | 12 ++++++++++++ .../pi-embedded-runner/compact.hooks.test.ts | 4 ++-- src/agents/pi-embedded-runner/compact.ts | 8 ++++++-- .../pi-embedded-runner/run/attempt.test.ts | 17 ++++++++++++++++- src/agents/pi-embedded-runner/run/attempt.ts | 8 ++++++-- 5 files changed, 42 insertions(+), 7 deletions(-) diff --git a/src/agents/gigachat-auth.ts b/src/agents/gigachat-auth.ts index b4ffce7526a..a8676c4b64c 100644 --- a/src/agents/gigachat-auth.ts +++ b/src/agents/gigachat-auth.ts @@ -22,6 +22,18 @@ export function resolveGigachatAuthProfileMetadata( return undefined; } +export function resolveGigachatInsecureTlsOverride( + metadata?: GigachatAuthMetadata, +): boolean | undefined { + if (metadata?.insecureTls === "true") { + return true; + } + if (metadata?.insecureTls === "false") { + return false; + } + return undefined; +} + function looksLikeGigachatBasicCredentials(apiKey: string | undefined): boolean { const trimmed = apiKey?.trim(); if (!trimmed) { diff --git a/src/agents/pi-embedded-runner/compact.hooks.test.ts b/src/agents/pi-embedded-runner/compact.hooks.test.ts index 0d855004ac3..6b3b92bf4b5 100644 --- a/src/agents/pi-embedded-runner/compact.hooks.test.ts +++ b/src/agents/pi-embedded-runner/compact.hooks.test.ts @@ -1040,7 +1040,7 @@ describe("compactEmbeddedPiSessionDirect hooks", () => { expect(createGigachatStreamFnMock).toHaveBeenCalledWith({ baseUrl: "https://gigachat.devices.sberbank.ru/api/v1", authMode: "basic", - insecureTls: false, + insecureTls: undefined, scope: undefined, }); return { @@ -1100,7 +1100,7 @@ describe("compactEmbeddedPiSessionDirect hooks", () => { expect(createGigachatStreamFnMock).toHaveBeenCalledWith({ baseUrl: "https://gigachat.devices.sberbank.ru/api/v1", authMode: "oauth", - insecureTls: false, + insecureTls: undefined, scope: undefined, }); return { diff --git a/src/agents/pi-embedded-runner/compact.ts b/src/agents/pi-embedded-runner/compact.ts index e5c802b64d9..1d76cf6a11f 100644 --- a/src/agents/pi-embedded-runner/compact.ts +++ b/src/agents/pi-embedded-runner/compact.ts @@ -43,7 +43,11 @@ import { ensureCustomApiRegistered } from "../custom-api-registry.js"; import { formatUserTime, resolveUserTimeFormat, resolveUserTimezone } from "../date-time.js"; import { DEFAULT_CONTEXT_TOKENS, DEFAULT_MODEL, DEFAULT_PROVIDER } from "../defaults.js"; import { resolveOpenClawDocsPath } from "../docs-path.js"; -import { resolveGigachatAuthMode, resolveGigachatAuthProfileMetadata } from "../gigachat-auth.js"; +import { + resolveGigachatAuthMode, + resolveGigachatAuthProfileMetadata, + resolveGigachatInsecureTlsOverride, +} from "../gigachat-auth.js"; import { createGigachatStreamFn } from "../gigachat-stream.js"; import { resolveMemorySearchConfig } from "../memory-search.js"; import { @@ -868,7 +872,7 @@ export async function compactEmbeddedPiSessionDirect( apiKey: apiKeyInfo?.apiKey, authProfileId: resolvedGigachatProfileId, }), - insecureTls: gigachatMeta?.insecureTls === "true", + insecureTls: resolveGigachatInsecureTlsOverride(gigachatMeta), scope: gigachatMeta?.scope, }); } diff --git a/src/agents/pi-embedded-runner/run/attempt.test.ts b/src/agents/pi-embedded-runner/run/attempt.test.ts index 781dda22529..9c8912a12a1 100644 --- a/src/agents/pi-embedded-runner/run/attempt.test.ts +++ b/src/agents/pi-embedded-runner/run/attempt.test.ts @@ -1,7 +1,10 @@ import { describe, expect, it, vi } from "vitest"; import type { OpenClawConfig } from "../../../config/config.js"; import { appendBootstrapPromptWarning } from "../../bootstrap-budget.js"; -import { resolveGigachatAuthMode } from "../../gigachat-auth.js"; +import { + resolveGigachatAuthMode, + resolveGigachatInsecureTlsOverride, +} from "../../gigachat-auth.js"; import { resolveOllamaBaseUrlForRun } from "../../ollama-stream.js"; import { buildAgentSystemPrompt } from "../../system-prompt.js"; import { @@ -253,6 +256,18 @@ describe("resolveGigachatAuthMode", () => { }); }); +describe("resolveGigachatInsecureTlsOverride", () => { + it("maps explicit metadata flags to boolean overrides", () => { + expect(resolveGigachatInsecureTlsOverride({ insecureTls: "true" })).toBe(true); + expect(resolveGigachatInsecureTlsOverride({ insecureTls: "false" })).toBe(false); + }); + + it("leaves the override unset when metadata does not specify TLS behavior", () => { + expect(resolveGigachatInsecureTlsOverride(undefined)).toBeUndefined(); + expect(resolveGigachatInsecureTlsOverride({ scope: "GIGACHAT_API_PERS" })).toBeUndefined(); + }); +}); + describe("resolveGigachatApiKeyForRun", () => { it("falls back to config-backed GigaChat API keys when authStorage has no key", async () => { const resolved = await resolveGigachatApiKeyForRun({ diff --git a/src/agents/pi-embedded-runner/run/attempt.ts b/src/agents/pi-embedded-runner/run/attempt.ts index b5a9a5a7576..f1873d0c5a4 100644 --- a/src/agents/pi-embedded-runner/run/attempt.ts +++ b/src/agents/pi-embedded-runner/run/attempt.ts @@ -55,6 +55,7 @@ import { DEFAULT_CONTEXT_TOKENS } from "../../defaults.js"; import { resolveOpenClawDocsPath } from "../../docs-path.js"; import { isTimeoutError } from "../../failover-error.js"; import { + resolveGigachatInsecureTlsOverride, resolveGigachatAuthMode, resolveGigachatAuthProfileMetadata, } from "../../gigachat-auth.js"; @@ -228,7 +229,10 @@ function createYieldAbortedResponse(model: { api?: string; provider?: string; id result: async () => message, }; } -export { resolveGigachatAuthProfileMetadata } from "../../gigachat-auth.js"; +export { + resolveGigachatAuthProfileMetadata, + resolveGigachatInsecureTlsOverride, +} from "../../gigachat-auth.js"; export async function resolveGigachatApiKeyForRun(params: { model: EmbeddedRunAttemptParams["model"]; @@ -2035,7 +2039,7 @@ export async function runEmbeddedAttempt( apiKey: resolvedGigachatAuth.apiKey, authProfileId: resolvedGigachatAuth.authProfileId, }), - insecureTls: gigachatMeta?.insecureTls === "true", + insecureTls: resolveGigachatInsecureTlsOverride(gigachatMeta), scope: gigachatMeta?.scope, }); activeSession.agent.streamFn = gigachatStreamFn;