addressing review-skill

pgondhi987 · pgondhi987 · commit 2827f61c82ca · 2026-05-07T16:27:43.000Z
diff --git a/src/agents/auth-profiles/persisted.ts b/src/agents/auth-profiles/persisted.ts
@@ -50,6 +50,10 @@ type OAuthProfileSecretPayload = {
   idToken?: string;
 };
 
+type LoadPersistedAuthProfileStoreOptions = {
+  rewriteInlineOAuthSecrets?: boolean;
+};
+
 function normalizeSecretBackedField(params: {
   entry: Record<string, unknown>;
   valueField: "key" | "token";
@@ -185,6 +189,10 @@ function omitInlineOAuthSecrets(params: {
   return sanitized as AuthProfileCredential;
 }
 
+function hasInlinePersistableOAuthSecrets(credential: AuthProfileCredential): boolean {
+  return shouldPersistOAuthWithoutInlineSecrets(credential) && hasInlineOAuthSecrets(credential);
+}
+
 function parseCredentialEntry(
   raw: unknown,
   fallbackProvider?: string,
@@ -787,7 +795,39 @@ function resolvePersistedOAuthProfileSecrets(store: AuthProfileStore): AuthProfi
   };
 }
 
-export function loadPersistedAuthProfileStore(agentDir?: string): AuthProfileStore | null {
+function buildPersistedAuthProfileFilePayload(params: {
+  store: AuthProfileStore;
+  raw: unknown;
+  agentDir?: string;
+}): AuthProfileSecretsStore & Partial<AuthProfileStore> {
+  const payload = buildPersistedAuthProfileSecretsStore(params.store, undefined, {
+    agentDir: params.agentDir,
+  }) as AuthProfileSecretsStore & Partial<AuthProfileStore>;
+  const state = coerceAuthProfileState(params.raw);
+  return {
+    ...payload,
+    ...(state.order ? { order: state.order } : {}),
+    ...(state.lastGood ? { lastGood: state.lastGood } : {}),
+    ...(state.usageStats ? { usageStats: state.usageStats } : {}),
+  };
+}
+
+function rewritePersistedInlineOAuthSecrets(params: {
+  authPath: string;
+  raw: unknown;
+  store: AuthProfileStore;
+  agentDir?: string;
+}): void {
+  if (!Object.values(params.store.profiles).some(hasInlinePersistableOAuthSecrets)) {
+    return;
+  }
+  saveJsonFile(params.authPath, buildPersistedAuthProfileFilePayload(params));
+}
+
+export function loadPersistedAuthProfileStore(
+  agentDir?: string,
+  options?: LoadPersistedAuthProfileStoreOptions,
+): AuthProfileStore | null {
   const authPath = resolveAuthStorePath(agentDir);
   const raw = loadJsonFile(authPath);
   const store = coercePersistedAuthProfileStore(raw);
@@ -798,6 +838,13 @@ export function loadPersistedAuthProfileStore(agentDir?: string): AuthProfileSto
     ...store,
     ...mergeAuthProfileState(coerceAuthProfileState(raw), loadPersistedAuthProfileState(agentDir)),
   };
+  if (options?.rewriteInlineOAuthSecrets !== false) {
+    try {
+      rewritePersistedInlineOAuthSecrets({ authPath, raw, store: merged, agentDir });
+    } catch (err) {
+      log.warn("failed to rewrite inline oauth auth profile secrets", { err, authPath });
+    }
+  }
   return resolvePersistedOAuthProfileSecrets(merged);
 }
 
diff --git a/src/agents/auth-profiles/profiles.test.ts b/src/agents/auth-profiles/profiles.test.ts
@@ -110,6 +110,97 @@ describe("promoteAuthProfileInOrder", () => {
     }
   });
 
+  it("rewrites existing inline openai-codex oauth secrets during runtime load", () => {
+    const stateDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-profile-rewrite-"));
+    const agentDir = path.join(stateDir, "agents", "main", "agent");
+    const previousStateDir = process.env.OPENCLAW_STATE_DIR;
+    process.env.OPENCLAW_STATE_DIR = stateDir;
+    try {
+      fs.mkdirSync(agentDir, { recursive: true });
+      const profileId = "openai-codex:default";
+      const expires = Date.now() + 60 * 60 * 1000;
+      fs.writeFileSync(
+        resolveAuthStorePath(agentDir),
+        `${JSON.stringify(
+          {
+            version: AUTH_STORE_VERSION,
+            profiles: {
+              [profileId]: {
+                type: "oauth",
+                provider: "openai-codex",
+                access: "existing-access-token",
+                refresh: "existing-refresh-token",
+                idToken: "existing-id-token",
+                expires,
+                accountId: "acct-existing",
+              },
+            },
+            order: {
+              "openai-codex": [profileId],
+            },
+          },
+          null,
+          2,
+        )}\n`,
+      );
+
+      expect(
+        loadAuthProfileStoreForRuntime(agentDir, { externalCli: { mode: "none" } }).profiles[
+          profileId
+        ],
+      ).toMatchObject({
+        type: "oauth",
+        provider: "openai-codex",
+        access: "existing-access-token",
+        refresh: "existing-refresh-token",
+        idToken: "existing-id-token",
+      });
+
+      const persisted = JSON.parse(fs.readFileSync(resolveAuthStorePath(agentDir), "utf8")) as {
+        profiles: Record<string, Record<string, unknown>>;
+        order?: Record<string, string[]>;
+      };
+      const credential = persisted.profiles[profileId];
+      expect(credential).toMatchObject({
+        type: "oauth",
+        provider: "openai-codex",
+        expires,
+        accountId: "acct-existing",
+        oauthRef: {
+          source: "openclaw-credentials",
+          provider: "openai-codex",
+          id: expect.any(String),
+        },
+      });
+      expect(persisted.order?.["openai-codex"]).toEqual([profileId]);
+      expect(credential).not.toHaveProperty("access");
+      expect(credential).not.toHaveProperty("refresh");
+      expect(credential).not.toHaveProperty("idToken");
+      const persistedAgentTree = readPersistedAgentTree(agentDir);
+      expect(persistedAgentTree).not.toContain("existing-access-token");
+      expect(persistedAgentTree).not.toContain("existing-refresh-token");
+      expect(persistedAgentTree).not.toContain("existing-id-token");
+
+      clearRuntimeAuthProfileStoreSnapshots();
+      expect(
+        loadAuthProfileStoreWithoutExternalProfiles(agentDir).profiles[profileId],
+      ).toMatchObject({
+        type: "oauth",
+        provider: "openai-codex",
+        access: "existing-access-token",
+        refresh: "existing-refresh-token",
+        idToken: "existing-id-token",
+      });
+    } finally {
+      if (previousStateDir === undefined) {
+        delete process.env.OPENCLAW_STATE_DIR;
+      } else {
+        process.env.OPENCLAW_STATE_DIR = previousStateDir;
+      }
+      fs.rmSync(stateDir, { recursive: true, force: true });
+    }
+  });
+
   it("moves a relogin profile to the front of an existing per-agent provider order", async () => {
     const stateDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-order-promote-"));
     const agentDir = path.join(stateDir, "agents", "main", "agent");
diff --git a/src/agents/auth-profiles/store.ts b/src/agents/auth-profiles/store.ts
@@ -371,7 +371,9 @@ function loadAuthProfileStoreForAgent(
       return cached;
     }
   }
-  const asStore = loadPersistedAuthProfileStore(agentDir);
+  const asStore = loadPersistedAuthProfileStore(agentDir, {
+    rewriteInlineOAuthSecrets: !readOnly && process.env.OPENCLAW_AUTH_STORE_READONLY !== "1",
+  });
   if (asStore) {
     if (!readOnly) {
       writeCachedAuthProfileStore({

Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,9 @@ function loadAuthProfileStoreForAgent(`
`371`	`371`	`return cached;`
`372`	`372`	`}`
`373`	`373`	`}`
`374`		`- const asStore = loadPersistedAuthProfileStore(agentDir);`
	`374`	`+ const asStore = loadPersistedAuthProfileStore(agentDir, {`
	`375`	`+ rewriteInlineOAuthSecrets: !readOnly && process.env.OPENCLAW_AUTH_STORE_READONLY !== "1",`
	`376`	`+ });`
`375`	`377`	`if (asStore) {`
`376`	`378`	`if (!readOnly) {`
`377`	`379`	`writeCachedAuthProfileStore({`