import { mkdtempSync } from "node:fs"; import { writeFile } from "node:fs/promises"; import { tmpdir } from "node:os"; import { join } from "node:path"; import { describe, expect, it } from "vitest"; import { captureEnv } from "../test-utils/env.js"; import { resolveCloudflareAiGatewayBaseUrl } from "./cloudflare-ai-gateway.js"; import { NON_ENV_SECRETREF_MARKER } from "./model-auth-markers.js"; import { resolveImplicitProvidersForTest } from "./models-config.e2e-harness.js"; describe("cloudflare-ai-gateway profile provenance", () => { it("prefers env keyRef marker over runtime plaintext for persistence", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["CLOUDFLARE_AI_GATEWAY_API_KEY"]); delete process.env.CLOUDFLARE_AI_GATEWAY_API_KEY; await writeFile( join(agentDir, "auth-profiles.json"), JSON.stringify( { version: 1, profiles: { "cloudflare-ai-gateway:default": { type: "api_key", provider: "cloudflare-ai-gateway", key: "sk-runtime-cloudflare", keyRef: { source: "env", provider: "default", id: "CLOUDFLARE_AI_GATEWAY_API_KEY" }, metadata: { accountId: "acct_123", gatewayId: "gateway_456", }, }, }, }, null, 2, ), "utf8", ); try { const providers = await resolveImplicitProvidersForTest({ agentDir }); expect(providers?.["cloudflare-ai-gateway"]?.apiKey).toBe("CLOUDFLARE_AI_GATEWAY_API_KEY"); } finally { envSnapshot.restore(); } }); it("uses non-env marker for non-env keyRef cloudflare profiles", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); await writeFile( join(agentDir, "auth-profiles.json"), JSON.stringify( { version: 1, profiles: { "cloudflare-ai-gateway:default": { type: "api_key", provider: "cloudflare-ai-gateway", key: "sk-runtime-cloudflare", keyRef: { source: "file", provider: "vault", id: "/cloudflare/apiKey" }, metadata: { accountId: "acct_123", gatewayId: "gateway_456", }, }, }, }, null, 2, ), "utf8", ); const providers = await resolveImplicitProvidersForTest({ agentDir }); expect(providers?.["cloudflare-ai-gateway"]?.apiKey).toBe(NON_ENV_SECRETREF_MARKER); }); it("keeps Cloudflare gateway metadata and apiKey from the same auth profile", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); await writeFile( join(agentDir, "auth-profiles.json"), JSON.stringify( { version: 1, profiles: { "cloudflare-ai-gateway:key-only": { type: "api_key", provider: "cloudflare-ai-gateway", key: "sk-first", }, "cloudflare-ai-gateway:gateway": { type: "api_key", provider: "cloudflare-ai-gateway", key: "sk-second", metadata: { accountId: "acct_456", gatewayId: "gateway_789", }, }, }, }, null, 2, ), "utf8", ); const providers = await resolveImplicitProvidersForTest({ agentDir }); expect(providers?.["cloudflare-ai-gateway"]?.apiKey).toBe("sk-second"); expect(providers?.["cloudflare-ai-gateway"]?.baseUrl).toBe( resolveCloudflareAiGatewayBaseUrl({ accountId: "acct_456", gatewayId: "gateway_789", }), ); }); it("prefers the runtime env marker over stored profile secrets", async () => { const agentDir = mkdtempSync(join(tmpdir(), "openclaw-test-")); const envSnapshot = captureEnv(["CLOUDFLARE_AI_GATEWAY_API_KEY"]); process.env.CLOUDFLARE_AI_GATEWAY_API_KEY = "rotated-secret"; // pragma: allowlist secret await writeFile( join(agentDir, "auth-profiles.json"), JSON.stringify( { version: 1, profiles: { "cloudflare-ai-gateway:default": { type: "api_key", provider: "cloudflare-ai-gateway", key: "stale-stored-secret", metadata: { accountId: "acct_123", gatewayId: "gateway_456", }, }, }, }, null, 2, ), "utf8", ); try { const providers = await resolveImplicitProvidersForTest({ agentDir }); expect(providers?.["cloudflare-ai-gateway"]?.apiKey).toBe("CLOUDFLARE_AI_GATEWAY_API_KEY"); expect(providers?.["cloudflare-ai-gateway"]?.baseUrl).toBe( resolveCloudflareAiGatewayBaseUrl({ accountId: "acct_123", gatewayId: "gateway_456", }), ); } finally { envSnapshot.restore(); } }); });