refactor: drop legacy auth json secret audit

steipete · steipete · commit eb5d4f6b0bc6 · 2026-05-10T06:12:29.000+01:00
diff --git a/docs/refactor/database-first.md b/docs/refactor/database-first.md
@@ -192,6 +192,8 @@ The branch already has a real shared SQLite base:
 - Secret target metadata now talks about stores instead of pretending every
   credential target is a config file. `openclaw.json` remains the config store;
   auth-profile targets use the SQLite auth profile store.
+- Secret audit no longer scans retired per-agent `auth.json` files. Doctor owns
+  warning about, importing, and removing that legacy file.
 - Legacy auth profile path helpers now live in doctor legacy code. Core auth
   profile path helpers expose SQLite KV store identity and display locations,
   not `auth-profiles.json` or `auth-state.json` runtime paths.
diff --git a/src/secrets/audit.test.ts b/src/secrets/audit.test.ts
@@ -12,7 +12,6 @@ type AuditFixture = {
   stateDir: string;
   configPath: string;
   legacyAuthProfilePath: string;
-  authJsonPath: string;
   agentDir: string;
   modelCatalogSource: string;
   envPath: string;
@@ -129,10 +128,6 @@ function expectFindingCode(report: Awaited<ReturnType<typeof runSecretsAudit>>,
   expect(hasFinding(report, (entry) => entry.code === code)).toBe(true);
 }
 
-function expectFindingFile(report: Awaited<ReturnType<typeof runSecretsAudit>>, filePath: string) {
-  expect(hasFinding(report, (entry) => entry.file === filePath)).toBe(true);
-}
-
 async function expectPathMissing(filePath: string): Promise<void> {
   try {
     await fs.stat(filePath);
@@ -148,7 +143,6 @@ async function createAuditFixture(): Promise<AuditFixture> {
   const configPath = path.join(stateDir, "openclaw.json");
   const agentDir = path.join(stateDir, "agents", "main", "agent");
   const legacyAuthProfilePath = path.join(agentDir, "auth-profiles.json");
-  const authJsonPath = path.join(stateDir, "agents", "main", "agent", "auth.json");
   const modelCatalogSource = `stored model catalog: ${agentDir}`;
   const envPath = path.join(stateDir, ".env");
 
@@ -160,7 +154,6 @@ async function createAuditFixture(): Promise<AuditFixture> {
     stateDir,
     configPath,
     legacyAuthProfilePath,
-    authJsonPath,
     agentDir,
     modelCatalogSource,
     envPath,
@@ -276,30 +269,6 @@ describe("secrets audit", () => {
     expectFindingCode(report, "PLAINTEXT_FOUND");
   });
 
-  it("does not mutate legacy auth.json during audit", async () => {
-    await fs.rm(fixture.legacyAuthProfilePath, { force: true });
-    await writeJsonFile(fixture.authJsonPath, {
-      openai: {
-        type: "api_key",
-        key: "sk-legacy-auth-json",
-      },
-    });
-
-    const report = await runSecretsAudit({ env: fixture.env });
-    expectFindingCode(report, "LEGACY_RESIDUE");
-    const authJsonStat = await fs.stat(fixture.authJsonPath);
-    expect(authJsonStat.isFile()).toBe(true);
-    await expectPathMissing(fixture.legacyAuthProfilePath);
-  });
-
-  it("reports malformed sidecar JSON as findings instead of crashing", async () => {
-    await fs.writeFile(fixture.authJsonPath, "{invalid-json", "utf8");
-
-    const report = await runSecretsAudit({ env: fixture.env });
-    expectFindingFile(report, fixture.authJsonPath);
-    expectFindingCode(report, "REF_UNRESOLVED");
-  });
-
   it("skips exec ref resolution during audit unless explicitly allowed", async () => {
     if (process.platform === "win32") {
       return;
diff --git a/src/secrets/audit.ts b/src/secrets/audit.ts
@@ -35,9 +35,7 @@ import { isNonEmptyString, isRecord } from "./shared.js";
 import {
   listAgentModelCatalogDirs,
   listAuthProfileStoreAgentDirs,
-  listLegacyAuthJsonPaths,
   parseEnvAssignmentValue,
-  readJsonObjectIfExists,
 } from "./storage-scan.js";
 import { discoverConfigSecretTargets } from "./target-registry.js";
 
@@ -324,42 +322,6 @@ function collectAuthStoreSecrets(params: {
   }
 }
 
-function collectAuthJsonResidue(params: { stateDir: string; collector: AuditCollector }): void {
-  for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
-    params.collector.filesScanned.add(authJsonPath);
-    const parsedResult = readJsonObjectIfExists(authJsonPath);
-    if (parsedResult.error) {
-      addFinding(params.collector, {
-        code: "REF_UNRESOLVED",
-        severity: "error",
-        file: authJsonPath,
-        jsonPath: "<root>",
-        message: `Invalid JSON in legacy auth.json: ${parsedResult.error}`,
-      });
-      continue;
-    }
-    const parsed = parsedResult.value;
-    if (!parsed) {
-      continue;
-    }
-    for (const [providerId, value] of Object.entries(parsed)) {
-      if (!isRecord(value)) {
-        continue;
-      }
-      if (value.type === "api_key" && isNonEmptyString(value.key)) {
-        addFinding(params.collector, {
-          code: "LEGACY_RESIDUE",
-          severity: "warn",
-          file: authJsonPath,
-          jsonPath: providerId,
-          message: "Legacy auth.json contains static api_key credentials.",
-          provider: providerId,
-        });
-      }
-    }
-  }
-}
-
 function collectStoredModelCatalogSecrets(params: {
   agentDir: string;
   env: NodeJS.ProcessEnv;
@@ -721,11 +683,6 @@ export async function runSecretsAudit(
     envPath,
     collector,
   });
-  collectAuthJsonResidue({
-    stateDir,
-    collector,
-  });
-
   const summary = summarizeFindings(collector.findings);
   const status: SecretsAuditStatus =
     summary.unresolvedRefCount > 0
diff --git a/src/secrets/storage-scan.ts b/src/secrets/storage-scan.ts
@@ -2,15 +2,10 @@ import fs from "node:fs";
 import path from "node:path";
 import { listAgentIds, resolveAgentDir } from "../agents/agent-scope.js";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
-import { formatErrorMessage } from "../infra/errors.js";
 import { resolveUserPath } from "../utils.js";
 import { listAuthProfileStoreAgentDirs as listAuthProfileStoreAgentDirsFromAuthStorePaths } from "./auth-store-paths.js";
 import { parseEnvValue } from "./shared.js";
 
-function isJsonObject(value: unknown): value is Record<string, unknown> {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
 export function parseEnvAssignmentValue(raw: string): string {
   return parseEnvValue(raw);
 }
@@ -19,24 +14,6 @@ export function listAuthProfileStoreAgentDirs(config: OpenClawConfig, stateDir:
   return listAuthProfileStoreAgentDirsFromAuthStorePaths(config, stateDir);
 }
 
-export function listLegacyAuthJsonPaths(stateDir: string): string[] {
-  const out: string[] = [];
-  const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
-  if (!fs.existsSync(agentsRoot)) {
-    return out;
-  }
-  for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
-    if (!entry.isDirectory()) {
-      continue;
-    }
-    const candidate = path.join(agentsRoot, entry.name, "agent", "auth.json");
-    if (fs.existsSync(candidate)) {
-      out.push(candidate);
-    }
-  }
-  return out;
-}
-
 function resolveActiveAgentDir(stateDir: string, env: NodeJS.ProcessEnv = process.env): string {
   const override = env.OPENCLAW_AGENT_DIR?.trim() || env.PI_CODING_AGENT_DIR?.trim();
   if (override) {
@@ -76,62 +53,3 @@ export function listAgentModelCatalogDirs(
 
   return [...dirs];
 }
-
-export type ReadJsonObjectOptions = {
-  maxBytes?: number;
-  requireRegularFile?: boolean;
-};
-
-export function readJsonObjectIfExists(filePath: string): {
-  value: Record<string, unknown> | null;
-  error?: string;
-};
-export function readJsonObjectIfExists(
-  filePath: string,
-  options: ReadJsonObjectOptions,
-): {
-  value: Record<string, unknown> | null;
-  error?: string;
-};
-export function readJsonObjectIfExists(
-  filePath: string,
-  options: ReadJsonObjectOptions = {},
-): {
-  value: Record<string, unknown> | null;
-  error?: string;
-} {
-  if (!fs.existsSync(filePath)) {
-    return { value: null };
-  }
-  try {
-    const stats = fs.statSync(filePath);
-    if (options.requireRegularFile && !stats.isFile()) {
-      return {
-        value: null,
-        error: `Refusing to read non-regular file: ${filePath}`,
-      };
-    }
-    if (
-      typeof options.maxBytes === "number" &&
-      Number.isFinite(options.maxBytes) &&
-      options.maxBytes >= 0 &&
-      stats.size > options.maxBytes
-    ) {
-      return {
-        value: null,
-        error: `Refusing to read oversized JSON (${stats.size} bytes): ${filePath}`,
-      };
-    }
-    const raw = fs.readFileSync(filePath, "utf8");
-    const parsed: unknown = JSON.parse(raw);
-    if (!isJsonObject(parsed)) {
-      return { value: null };
-    }
-    return { value: parsed };
-  } catch (err) {
-    return {
-      value: null,
-      error: formatErrorMessage(err),
-    };
-  }
-}
