feat: 支持 runner tool credential 装配

This commit is contained in:
Codex
2026-06-02 00:22:38 +08:00
parent ac14a06436
commit 159b99e763
10 changed files with 163 additions and 14 deletions
+21 -2
View File
@@ -4,7 +4,7 @@ import { redactJson, redactText } from "../common/redaction.js";
import { isTerminalCommandState, isTerminalRunStatus, summarizeResourceBundleRef, summarizeSessionRef } from "./store.js";
import type { AgentRunStore } from "./store.js";
import type { JsonRecord } from "../common/types.js";
import { stableHash } from "../common/validation.js";
import { stableHash, validateEnvName } from "../common/validation.js";
import { renderRunnerJobManifest } from "../runner/k8s-job.js";
import type { RunnerTransientEnv } from "../runner/k8s-job.js";
@@ -106,6 +106,7 @@ export async function createKubernetesRunnerJob(options: { store: AgentRunStore;
logPath: `kubectl -n ${render.namespace} logs job/${render.jobName}`,
},
secretRefs: render.secretRefs.map((item) => ({ profile: item.profile, name: item.secretRef.name, namespace: item.secretRef.namespace ?? render.namespace, keys: item.secretRef.keys ?? [], mountPath: item.runtimeMountPath, projectionPath: item.projectionMountPath, writableCopy: true, valuesPrinted: false })),
toolCredentials: summarizeToolCredentials(render.toolCredentials, render.namespace),
transientEnv: summarizeTransientEnv(transientEnv),
retention: {
ttlSecondsAfterFinished: render.ttlSecondsAfterFinished,
@@ -148,6 +149,7 @@ export async function createKubernetesRunnerJob(options: { store: AgentRunStore;
jobName: saved.jobName,
idempotencyKey: idempotencyKey ? "present" : null,
transientEnv: summarizeTransientEnv(transientEnv),
toolCredentials: summarizeToolCredentials(render.toolCredentials, render.namespace),
sessionRef: summarizeSessionRef(run.sessionRef ?? null),
resourceBundleRef: summarizeResourceBundleRef(run.resourceBundleRef ?? null),
});
@@ -163,7 +165,8 @@ function transientEnvField(value: unknown): RunnerTransientEnv[] {
if (!entry || typeof entry !== "object" || Array.isArray(entry)) throw new AgentRunError("schema-invalid", `transientEnv[${index}] must be an object`, { httpStatus: 400 });
const record = entry as JsonRecord;
const name = stringField(record, "name");
if (!/^[A-Z_][A-Z0-9_]{0,63}$/u.test(name)) throw new AgentRunError("schema-invalid", `transientEnv[${index}].name must be an uppercase env name`, { httpStatus: 400 });
validateEnvName(name, `transientEnv[${index}].name`);
if (name === "GH_TOKEN" || name === "GITHUB_TOKEN" || name === "OPENAI_API_KEY" || name === "CODEX_API_KEY") throw new AgentRunError("tenant-policy-denied", `transientEnv ${name} must use tool/provider credential assembly instead`, { httpStatus: 403 });
if (seen.has(name)) throw new AgentRunError("schema-invalid", `transientEnv name ${name} is duplicated`, { httpStatus: 400 });
seen.add(name);
const rawValue = record.value;
@@ -173,6 +176,22 @@ function transientEnvField(value: unknown): RunnerTransientEnv[] {
});
}
function summarizeToolCredentials(items: Array<{ tool: string; purpose: string | null; secretRef: { namespace?: string; name: string; keys?: string[] }; envName: string; secretKey: string }>, namespace: string): JsonRecord {
return {
count: items.length,
items: items.map((item) => ({
tool: item.tool,
purpose: item.purpose,
name: item.secretRef.name,
namespace: item.secretRef.namespace ?? namespace,
keys: item.secretRef.keys ?? [],
projection: { kind: "env", envName: item.envName, secretKey: item.secretKey },
valuesPrinted: false,
})),
valuesPrinted: false,
};
}
function summarizeTransientEnv(items: RunnerTransientEnv[]): JsonRecord {
return {
count: items.length,