feat: 装配 UniDesk SSH 工具凭证

Codex
2026-06-02 15:40:48 +08:00
parent 16b32af9b5
commit 458d814fa2
7 changed files with 99 additions and 21 deletions
+13 -1
@@ -8,6 +8,18 @@ import { stableHash, validateEnvName } from "../common/validation.js";
import { renderRunnerJobManifest } from "../runner/k8s-job.js";
import type { RunnerTransientEnv } from "../runner/k8s-job.js";
const reusableCredentialEnvNames = new Set([
"AUTH_PASSWORD",
"CODEX_API_KEY",
"GH_TOKEN",
"GITHUB_TOKEN",
"OPENAI_API_KEY",
"PROVIDER_TOKEN",
"UNIDESK_AUTH_PASSWORD",
"UNIDESK_PROVIDER_TOKEN",
"UNIDESK_SSH_CLIENT_TOKEN",
]);
export interface RunnerJobDefaults {
namespace: string;
managerUrl: string;
@@ -165,7 +177,7 @@ function transientEnvField(value: unknown): RunnerTransientEnv[] {
const record = entry as JsonRecord;
const name = stringField(record, "name");
validateEnvName(name, `transientEnv[${index}].name`);
if (name === "GH_TOKEN" || name === "GITHUB_TOKEN" || name === "OPENAI_API_KEY" || name === "CODEX_API_KEY") throw new AgentRunError("tenant-policy-denied", `transientEnv ${name} must use tool/provider credential assembly instead`, { httpStatus: 403 });
if (reusableCredentialEnvNames.has(name)) throw new AgentRunError("tenant-policy-denied", `transientEnv ${name} must use tool/provider credential assembly instead`, { httpStatus: 403 });
if (seen.has(name)) throw new AgentRunError("schema-invalid", `transientEnv name ${name} is duplicated`, { httpStatus: 400 });
seen.add(name);
const rawValue = record.value;
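Review bot: The `reusableCredentialEnvNames` set added in the first hunk is a hard-coded, exact-match denylist with no comment tying it to the credential assembly code, so a credential env name introduced there later would still be accepted through `transientEnv` unless someone remembers to extend this set. I would add a comment above it such as `// Env names injected only by tool/provider credential assembly; transientEnv must never set them. Keep in sync with the assembly code.` and, if the assembly side exposes its list of names, build the set from that list instead of repeating the literals. The `has(name)` check in `transientEnvField` is case-sensitive, and `validateEnvName` is not visible here, so it is worth confirming that it cannot admit a differently-cased spelling that a downstream consumer would treat as the same variable. A table-driven test asserting a 403 `tenant-policy-denied` for every entry in the set would pin the policy. The body of `transientEnvField` starts and ends outside the hunk.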