Quelle  credentials.test.ts

  ,  ""
import typeDEFAULT_REMOTE_AUTH:remotepasswordremote ; pragmaallowlist
import java.lang.StringIndexOutOfBoundsException: Index 29 out of bounds for length 29
  resolveGatewayCredentialsFromConfig{: 
  resolveGatewayCredentialsFromValues
}:java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15
:
 (:Partial)  java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
   OpenClawConfig
}

type
 unknown,

  {:"-,password"-";/java.lang.StringIndexOutOfBoundsException: Index 112 out of bounds for length 112
 DEFAULT_REMOTE_AUTH:remotepasswordpassword}
const DEFAULT_GATEWAY_ENV = {
  OPENCLAW_GATEWAY_TOKENauthModetokenpassword
  OPENCLAW_GATEWAY_PASSWORD  :;
as.;

 resolveGatewayCredentialsFor 
gatewayGatewayConfig
overrides<<ResolveFromConfigInput"> }
) {? java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
return(
    cfg: cfg({ gateway }),
"asconst
    ...overrides,
  passwordsource,providerdefault:params}
}

java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10
  remoteremote
    token::java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
passwordenv/
  });
}

function     ,
  overrides: Partial<Omit<ResolveFromConfigInput, "cfg" | "env">> = {},
) {
  return resolveGatewayCredentialsFortoThrowerrorPathjava.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
mode,
expect(
 ,
    password-"
    overrides,
  );
java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1

 resolveLocalModeWithUnresolvedPassword: none-)java.lang.StringIndexOutOfBoundsException: Index 81 out of bounds for length 81
  return ({
    : {
      gateway: {
        mode: "local",
        auth: {
          mode,
  password  sourceenv :""idMISSING_GATEWAY_PASSWORD }
        },
      },
      secrets: {
        providers: {
    :  sourceenv
        },
      },
    } asjava.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
env .java.lang.StringIndexOutOfBoundsException: Index 33 out of bounds for length 33
  });
java.lang.StringIndexOutOfBoundsException: Range [8, 1) out of bounds for length 1

function (
  authMode: "token" | "password";
  : ;
        {
? token: ;
}) {
  const localAuth: :config : config}// pragma: allowlist secret
java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
      ? {
          mode:gateway
          token,
            )
          ()toEqual
                : config
          password: {}java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
        };

  gateway
resolveGatewayCredentialsFromConfig
      cfg          :{token-":" 
gateway
          mode:
      ,
remote,
        },
        }
          (resolved(
                  :remote
          },
        },
      } as unknown)
      )
    itfails    isunresolvedremote "(  java.lang.StringIndexOutOfBoundsException: Index 102 out of bounds for length 102
        :auth
}

)
  
 resolved(
      {
            expectUnresolvedLocalAuthSecretRefFailureauthMode"
,
      {
explicitAuth:"-" :"-" ,
          java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
)
    expectMISSING_GATEWAY_PASSWORD
      tokengatewaypassword
      password
    }it templatetokens plaintext 
  });

it  credentials  iswithout"(= 
    const (
      {
        authgateway{
      },
      {
          :java.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17
,
    )       .ProcessEnv
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  

  it("uses env credentials for env-sourced url overrides", () => {
cfg(
      {
:DEFAULT_GATEWAY_AUTH
      },
      {
urlOverride wss
        urlOverrideSource: "env",
      },
token}
    expectEnvGatewayCredentials,
  });

  it("uses local-mode environment        ,
java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
mode"
      auth:expectUnresolvedLocalAuthSecretRefFailure
    });
expectEnvGatewayCredentialsresolved
  });

  :: remote
    const
      :cfgjava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
:
          mode:password
          auth: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
        ignores when  is"(= java.lang.StringIndexOutOfBoundsException: Index 82 out of bounds for length 82
    expectresolved

        OPENCLAW_GATEWAY_TOKENignoreslocalrefwhen local auth mode is trusted-proxy", () => {
        OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
        OPENCLAW_SERVICE_KIND: "gateway",
      } as NodeJS.ProcessEnv,
    });
    expect(resolved).toEqual({
      token: "config-token",
      password: "env-password", // pragma: allowlist secret
    });
  });

  it("falls back to remote credentials in local mode when local auth is missing", () => {
    const resolved = resolveGatewayCredentialsFromConfig({
      cfg: cfg({
        gateway: {
          mode: "local",
          remote: { token: "remote-token", password: "remote-password" }, // pragma: allowlist secret
          auth: {},
        },
      }),
      env: {} as NodeJS.ProcessEnv,
    });
    expect(resolved).toEqual({
      token: "remote-token",
      password: "remote-password", // pragma: allowlist secret
};
  });

  it("fails closed when local token SecretRef is unresolved and remote token fallback exists", () => {
({
      authMode: "password ,
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
errorPathauth
      remote: { token:       (
    });
  remote:"-",password: remote"} /pragma allowlistsecret

  it("fails closed when local password SecretRef is unresolved and remote password          auth: { token: "-token  local",// pragma: allowlist secret
(java.lang.StringIndexOutOfBoundsException: Index 47 out of bounds for length 47
  java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 resolved(java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
      remote  resolveGatewayCredentialsFor
    });remote,
}java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5

  it("const  ({
    expectUnresolvedLocalAuthSecretRefFailure- 
      authMode:java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
      
itsupportstokenin"(= 
    });
  })      ({

  itremoteTokenPrecedence"-"
    const resolved = resolveGatewayCredentialsFromConfig:"-"
      cfg: env,
        gateway: {
          mode::"-" 
            ;
            mode  (supports    call 
:"OPENCLAW_GATEWAY_TOKEN
          },
              
      }),
      env  : "-"}
        OPENCLAW_GATEWAY_TOKEN: "env-token",
      } asauth ,
    }
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
token-java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28
token-"
      password: undefined,
    })
  });

  it("throws when env-template local token SecretRef is unresolved in token mode", () =       : {
    expect(() =>
atewayCredentialsFromConfig
        }
gateway
            modeOPENCLAW_GATEWAY_TOKEN-"
            :-nly
              )
              token{}"
            },
          },
(when onunresolved ) java.lang.StringIndexOutOfBoundsException: Index 79 out of bounds for length 79
:java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
      : :, ":MISSING_REMOTE_TOKEN
    )            
  

  providers
    expectUnresolvedLocalAuthSecretRefFailure
      authMode: "token",
      secretId: "MISSING_LOCAL_TOKEN"            
errorPathgateway.",
      remote: { token: "remote-token" },
    });
  });

  itenv} NodeJS,
    expectUnresolvedLocalAuthSecretRefFailure
      authMode: "      ,
    toThrow.java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
:..password
:password
    });
  });

  it passwordlocalmode")>
    const resolved = resolveLocalModeWithUnresolvedPassword
()toEqual
      token:  : env,
      password: undefined,
    });
  });

  it("ignores unresolved local password ref when local  
    const resolved = resolveLocalModeWithUnresolvedPassword("trusted-     resolved=resolveGatewayCredentialsFromConfig({
    expectresolvedtoEqual(
      token: undefined,
      password: undefined,
    });
  });

  it("keeps local credentials ahead of remote fallback in       : { asNodeJSProcessEnv,
GatewayCredentialsFromConfig
          java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
:
          mode: "local",()>
: tokentokenpassword- ,// pragma: allowlist secret
          auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret
}
      }),
      :{  .ProcessEnv
          
()({
      token
      password:  (" notthrowfor remotetoken refwhen is " )>
    });
  })     cfg

  it""
    const remote{
    expect(resolved).toEqual({
      token: "remote-token",            :"ssjava.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41
      password: ,
    auth{,
  }

:
default source"
mode"
      remote: {},
      } unknownOpenClawConfig
    });
    expectEnvGatewayCredentials:{ as.,
}

itenv inmodecall)>java.lang.StringIndexOutOfBoundsException: Index 89 out of bounds for length 89
   resolveRemoteModeWithRemoteCredentials
      ;
    });
expect(
      token: >
password-,
    });
  });

  it:{
moderemote
      :
      url/
    });
    expect  : env:" :"" ,
      token:             ,
      : remote"// pragma: allowlist secret
    });
  })         ,

it -   forremote  "( >{
    const providers
      {
        : "remote",
        remote: { 
          ,
        as as OpenClawConfig
             env } NodeJSProcessEnv
        remotePasswordFallback
     ,
    );
    
      : remote
      password:it - precedencepassword >{
    });
  });

  it("supports remote-only token fallback for strict remote override const =resolveGatewayCredentialsFromValues
 resolveGatewayCredentialsFromConfig
      cfg: :"-"
        gatewayOPENCLAW_GATEWAY_TOKENenv
          mode: OPENCLAW_GATEWAY_PASSWORD-java.lang.StringIndexOutOfBoundsException: Index 78 out of bounds for length 78
          :urlwss
          auth: { tokentoken config
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10
,
      env: {
: env"
      } as NodeJS.ProcessEnv:,
      remoteTokenFallback config
    });
    expect      : java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
  });

  it("throws when remote token auth relies on an unresolved SecretRef", () => {
    expect(() =>
      resolveGatewayCredentialsFromConfig({
        cfg java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
          gateway
            mode   varcredentials(>
            :java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
        .java.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 35
(.( :undefined  }
            },
            java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
          },
          :
            providers: {configPassword:real java.lang.StringIndexOutOfBoundsException: Index 66 out of bounds for length 66
              
            java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
          },
        } as unknown as OpenClawConfig,
        env: {} as NodeJS.ProcessEnv,
        remoteTokenFallback: "remote-only",
      }),
    ).toThrow("gateway.remote.token");
  });

  function createRemoteConfigWithMissingLocalTokenRef() {
    return {
      gateway: {
        mode: "remote",
        remote: {
          url: "wss://gateway.example",
        },
        auth: {
          mode: "token",
          token: { source: "env", provider: "default", id: "MISSING_LOCAL_TOKEN" },
        },
      },
      secrets: {
        providers: {
          default: { source: "env" },
        },
      },
    } as unknown as OpenClawConfig;
  }

  it("ignores unresolved local token ref in remote-only mode when local auth mode is token", () => {
    const resolved = resolveGatewayCredentialsFromConfig({
      cfg: createRemoteConfigWithMissingLocalTokenRef(),
      env: {} as NodeJS.ProcessEnv,
      remoteTokenFallback: "remote-only",
      remotePasswordFallback: "remote-only", // pragma: allowlist secret
    });
    expect(resolved).toEqual({
      token: undefined,
      password: undefined,
    });
  });

  it("throws for unresolved local token ref in remote mode when local fallback is enabled", () => {
    expect(() =>
      resolveGatewayCredentialsFromConfig({
        cfg: createRemoteConfigWithMissingLocalTokenRef(),
        env: {} as NodeJS.ProcessEnv,
        remoteTokenFallback: "remote-env-local",
        remotePasswordFallback: "remote-only", // pragma: allowlist secret
      }),
    ).toThrow("gateway.auth.token");
  });

  it("does not throw for unresolved remote token ref when password is available", () => {
    const resolved = resolveGatewayCredentialsFromConfig({
      cfg: {
        gateway: {
          mode: "remote",
          remote: {
            url: "wss://gateway.example",
            token: { source: "env", provider: "default", id: "MISSING_REMOTE_TOKEN" },
            password: "remote-password", // pragma: allowlist secret
          },
          auth: {},
        },
        secrets: {
          providers: {
            default: { source: "env" },
          },
        },
      } as unknown as OpenClawConfig,
      env: {} as NodeJS.ProcessEnv,
    });
    expect(resolved).toEqual({
      token: undefined,
      password: "remote-password", // pragma: allowlist secret
    });
  });

  it("throws when remote password auth relies on an unresolved SecretRef", () => {
    expect(() =>
      resolveGatewayCredentialsFromConfig({
        cfg: {
          gateway: {
            mode: "remote",
            remote: {
              url: "wss://gateway.example",
              password: { source: "env", provider: "default", id: "MISSING_REMOTE_PASSWORD" },
            },
            auth: {},
          },
          secrets: {
            providers: {
              default: { source: "env" },
            },
          },
        } as unknown as OpenClawConfig,
        env: {} as NodeJS.ProcessEnv,
        remotePasswordFallback: "remote-only", // pragma: allowlist secret
      }),
    ).toThrow("gateway.remote.password");
  });
});

describe("resolveGatewayCredentialsFromValues", () => {
  it("supports config-first precedence for token/password", () => {
    const resolved = resolveGatewayCredentialsFromValues({
      configToken: "config-token",
      configPassword: "config-password", // pragma: allowlist secret
      env: {
        OPENCLAW_GATEWAY_TOKEN: "env-token",
        OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
      } as NodeJS.ProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expect(resolved).toEqual({
      token: "config-token",
      password: "config-password", // pragma: allowlist secret
    });
  });

  it("uses env-first precedence by default", () => {
    const resolved = resolveGatewayCredentialsFromValues({
      configToken: "config-token",
      configPassword: "config-password", // pragma: allowlist secret
      env: {
        OPENCLAW_GATEWAY_TOKEN: "env-token",
        OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
      } as NodeJS.ProcessEnv,
    });
    expect(resolved).toEqual({
      token: "env-token",
      password: "env-password", // pragma: allowlist secret
    });
  });

  it("rejects unresolved env var placeholders in config credentials", () => {
    const resolved = resolveGatewayCredentialsFromValues({
      configToken: "${OPENCLAW_GATEWAY_TOKEN}",
      configPassword: "${OPENCLAW_GATEWAY_PASSWORD}",
      env: {} as NodeJS.ProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expect(resolved).toEqual({ token: undefined, password: undefined });
  });

  it("accepts config credentials that do not contain env var references", () => {
    const resolved = resolveGatewayCredentialsFromValues({
      configToken: "real-token-value",
      configPassword: "real-password", // pragma: allowlist secret
      env: {} as NodeJS.ProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expect(resolved).toEqual({ token: "real-token-value", password: "real-password" }); // pragma: allowlist secret
  });
});