fix(infra): restore symlink rejection in tryReadSecretFileSync

RomneyDa · RomneyDa · commit 46495863d01d · 2026-05-20T14:51:44.000-07:00
The local wrapper added in 9e4eca0 swallowed all errors from @openclaw/fs-safe@0.2.7's tryReadSecretFileSync via a bare try/catch, silently downgrading every rejectSymlink: true caller (Telegram, LINE, Zalo, IRC, Nextcloud Talk credential files) to accept symlinked credential files. It also broke the infra-state CI shard's symlink expectation that #84595 had just realigned with the new fail-closed upstream contract. Restore the direct re-export so the upstream contract surfaces: undefined for blank/missing/not-found, FsSafeError for symlink, oversize, non-regular file, and hardlink validation failures.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
 
 - WhatsApp: update Baileys to `7.0.0-rc12`.
 - Dependencies: update `@openclaw/fs-safe` to `0.2.7` so OpenClaw's default Python-helper-off policy keeps best-effort Node write fallbacks for private stores, secret writes, run logs, and media attachments on Linux/macOS.
+- Infra/secrets: restore the fail-closed contract for `tryReadSecretFileSync` so credential loaders that pass `rejectSymlink: true` (Telegram, LINE, Zalo, IRC, Nextcloud Talk tokens) refuse symlinked credential files instead of silently accepting them, and the infra-state CI shard's secret-file symlink test passes again. Thanks @romneyda.
 - Browser: honor the configured image sanitization limit for screenshots and labeled snapshots so browser-captured images follow the same resize policy as other image results. (#84595)
 - Doctor: remove unrecognized `models.providers.*.models[*].compat.thinkingFormat` values during `doctor --fix` so stale provider model config can validate after upgrade. Fixes #77803.
 - Status: show the configured default, session-selected model, reason, clear hint, and docs link when a session remains pinned to a model that differs from `agents.defaults.model.primary`.
diff --git a/src/infra/secret-file.ts b/src/infra/secret-file.ts
@@ -1,31 +1,17 @@
 import "./fs-safe-defaults.js";
-import {
-  readSecretFileSync as readSecretFileSyncImpl,
-  tryReadSecretFileSync as tryReadSecretFileSyncImpl,
-} from "@openclaw/fs-safe/secret";
+import { readSecretFileSync as readSecretFileSyncImpl } from "@openclaw/fs-safe/secret";
 import { resolveUserPath } from "../utils.js";
 
 export {
   DEFAULT_SECRET_FILE_MAX_BYTES,
   PRIVATE_SECRET_DIR_MODE,
   PRIVATE_SECRET_FILE_MODE,
   readSecretFileSync,
+  tryReadSecretFileSync,
   type SecretFileReadOptions,
 } from "@openclaw/fs-safe/secret";
 export { writeSecretFileAtomic as writePrivateSecretFileAtomic } from "@openclaw/fs-safe/secret";
 
-export function tryReadSecretFileSync(
-  filePath: string | undefined,
-  label: string,
-  options: Parameters<typeof tryReadSecretFileSyncImpl>[2] = {},
-): string | undefined {
-  try {
-    return tryReadSecretFileSyncImpl(filePath, label, options);
-  } catch {
-    return undefined;
-  }
-}
-
 export type SecretFileReadResult =
   | {
       ok: true;
