openclaw/src/agents/model-auth-label.test.ts

import { beforeEach, describe, expect, it, vi } from "vitest";

const ensureAuthProfileStoreMock = vi.hoisted(() => vi.fn());
const resolveAuthProfileOrderMock = vi.hoisted(() => vi.fn());
const resolveAuthProfileDisplayLabelMock = vi.hoisted(() => vi.fn());

vi.mock("./auth-profiles.js", () => ({
  ensureAuthProfileStore: (...args: unknown[]) => ensureAuthProfileStoreMock(...args),
  resolveAuthProfileOrder: (...args: unknown[]) => resolveAuthProfileOrderMock(...args),
  resolveAuthProfileDisplayLabel: (...args: unknown[]) =>
    resolveAuthProfileDisplayLabelMock(...args),
}));

vi.mock("./model-auth.js", () => ({
  getCustomProviderApiKey: () => undefined,
  resolveEnvApiKey: () => null,
}));

const { resolveModelAuthLabel } = await import("./model-auth-label.js");

describe("resolveModelAuthLabel", () => {
  beforeEach(() => {
    ensureAuthProfileStoreMock.mockReset();
    resolveAuthProfileOrderMock.mockReset();
    resolveAuthProfileDisplayLabelMock.mockReset();
  });

  it("does not include token value in label for token profiles", () => {
    ensureAuthProfileStoreMock.mockReturnValue({
      version: 1,
      profiles: {
        "github-copilot:default": {
          type: "token",
          provider: "github-copilot",
          token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
          tokenRef: { source: "env", provider: "default", id: "GITHUB_TOKEN" },
        },
      },
    } as never);
    resolveAuthProfileOrderMock.mockReturnValue(["github-copilot:default"]);
    resolveAuthProfileDisplayLabelMock.mockReturnValue("github-copilot:default");

    const label = resolveModelAuthLabel({
      provider: "github-copilot",
      cfg: {},
      sessionEntry: { authProfileOverride: "github-copilot:default" } as never,
    });

    expect(label).toBe("token (github-copilot:default)");
    expect(label).not.toContain("ghp_");
    expect(label).not.toContain("ref(");
  });

  it("does not include api-key value in label for api-key profiles", () => {
    const shortSecret = "abc123";
    ensureAuthProfileStoreMock.mockReturnValue({
      version: 1,
      profiles: {
        "openai:default": {
          type: "api_key",
          provider: "openai",
          key: shortSecret,
        },
      },
    } as never);
    resolveAuthProfileOrderMock.mockReturnValue(["openai:default"]);
    resolveAuthProfileDisplayLabelMock.mockReturnValue("openai:default");

    const label = resolveModelAuthLabel({
      provider: "openai",
      cfg: {},
      sessionEntry: { authProfileOverride: "openai:default" } as never,
    });

    expect(label).toBe("api-key (openai:default)");
    expect(label).not.toContain(shortSecret);
    expect(label).not.toContain("...");
  });

  it("shows oauth type with profile label", () => {
    ensureAuthProfileStoreMock.mockReturnValue({
      version: 1,
      profiles: {
        "anthropic:oauth": {
          type: "oauth",
          provider: "anthropic",
        },
      },
    } as never);
    resolveAuthProfileOrderMock.mockReturnValue(["anthropic:oauth"]);
    resolveAuthProfileDisplayLabelMock.mockReturnValue("anthropic:oauth");

    const label = resolveModelAuthLabel({
      provider: "anthropic",
      cfg: {},
      sessionEntry: { authProfileOverride: "anthropic:oauth" } as never,
    });

    expect(label).toBe("oauth (anthropic:oauth)");
  });
});
Auth labels: handle token refs and share Pi credential conversion 2026-02-22 14:40:16 -08:00			`import { beforeEach, describe, expect, it, vi } from "vitest";`

			`const ensureAuthProfileStoreMock = vi.hoisted(() => vi.fn());`
			`const resolveAuthProfileOrderMock = vi.hoisted(() => vi.fn());`
			`const resolveAuthProfileDisplayLabelMock = vi.hoisted(() => vi.fn());`

			`vi.mock("./auth-profiles.js", () => ({`
			`ensureAuthProfileStore: (...args: unknown[]) => ensureAuthProfileStoreMock(...args),`
			`resolveAuthProfileOrder: (...args: unknown[]) => resolveAuthProfileOrderMock(...args),`
			`resolveAuthProfileDisplayLabel: (...args: unknown[]) =>`
			`resolveAuthProfileDisplayLabelMock(...args),`
			`}));`

			`vi.mock("./model-auth.js", () => ({`
			`getCustomProviderApiKey: () => undefined,`
			`resolveEnvApiKey: () => null,`
			`}));`

			`const { resolveModelAuthLabel } = await import("./model-auth-label.js");`

			`describe("resolveModelAuthLabel", () => {`
			`beforeEach(() => {`
			`ensureAuthProfileStoreMock.mockReset();`
			`resolveAuthProfileOrderMock.mockReset();`
			`resolveAuthProfileDisplayLabelMock.mockReset();`
			`});`

fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`it("does not include token value in label for token profiles", () => {`
Auth labels: handle token refs and share Pi credential conversion 2026-02-22 14:40:16 -08:00			`ensureAuthProfileStoreMock.mockReturnValue({`
			`version: 1,`
			`profiles: {`
			`"github-copilot:default": {`
			`type: "token",`
			`provider: "github-copilot",`
fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`token: "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",`
feat(security): add provider-based external secrets management 2026-02-25 17:39:31 -06:00			`tokenRef: { source: "env", provider: "default", id: "GITHUB_TOKEN" },`
Auth labels: handle token refs and share Pi credential conversion 2026-02-22 14:40:16 -08:00			`},`
			`},`
			`} as never);`
			`resolveAuthProfileOrderMock.mockReturnValue(["github-copilot:default"]);`
			`resolveAuthProfileDisplayLabelMock.mockReturnValue("github-copilot:default");`

			`const label = resolveModelAuthLabel({`
			`provider: "github-copilot",`
			`cfg: {},`
			`sessionEntry: { authProfileOverride: "github-copilot:default" } as never,`
			`});`

fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`expect(label).toBe("token (github-copilot:default)");`
			`expect(label).not.toContain("ghp_");`
			`expect(label).not.toContain("ref(");`
Auth labels: handle token refs and share Pi credential conversion 2026-02-22 14:40:16 -08:00			`});`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00
fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`it("does not include api-key value in label for api-key profiles", () => {`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00			`const shortSecret = "abc123";`
			`ensureAuthProfileStoreMock.mockReturnValue({`
			`version: 1,`
			`profiles: {`
			`"openai:default": {`
			`type: "api_key",`
			`provider: "openai",`
			`key: shortSecret,`
			`},`
			`},`
			`} as never);`
			`resolveAuthProfileOrderMock.mockReturnValue(["openai:default"]);`
			`resolveAuthProfileDisplayLabelMock.mockReturnValue("openai:default");`

			`const label = resolveModelAuthLabel({`
			`provider: "openai",`
			`cfg: {},`
			`sessionEntry: { authProfileOverride: "openai:default" } as never,`
			`});`

fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`expect(label).toBe("api-key (openai:default)");`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00			`expect(label).not.toContain(shortSecret);`
fix(security): strip partial API token from status labels (#33262) Merged via squash. Prepared head SHA: 5fe81704e678dc5b18ca9416e5eb0750cfe49fb6 Co-authored-by: cu1ch3n <80438676+cu1ch3n@users.noreply.github.com> Co-authored-by: grp06 <1573959+grp06@users.noreply.github.com> Reviewed-by: @grp06 2026-03-04 07:11:49 +08:00			`expect(label).not.toContain("...");`
			`});`

			`it("shows oauth type with profile label", () => {`
			`ensureAuthProfileStoreMock.mockReturnValue({`
			`version: 1,`
			`profiles: {`
			`"anthropic:oauth": {`
			`type: "oauth",`
			`provider: "anthropic",`
			`},`
			`},`
			`} as never);`
			`resolveAuthProfileOrderMock.mockReturnValue(["anthropic:oauth"]);`
			`resolveAuthProfileDisplayLabelMock.mockReturnValue("anthropic:oauth");`

			`const label = resolveModelAuthLabel({`
			`provider: "anthropic",`
			`cfg: {},`
			`sessionEntry: { authProfileOverride: "anthropic:oauth" } as never,`
			`});`

			`expect(label).toBe("oauth (anthropic:oauth)");`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00			`});`
Auth labels: handle token refs and share Pi credential conversion 2026-02-22 14:40:16 -08:00			`});`