fix: 限定 Aipod 工具凭据最小集合

This commit is contained in:
Codex
2026-07-12 09:28:56 +02:00
parent 54f4379511
commit 1fbb3c9660
2 changed files with 77 additions and 32 deletions
+11 -5
View File
@@ -579,8 +579,10 @@ export function agentRunExecutionPolicyWithLaneCredentials(basePolicy: Record<st
},
};
});
const toolCredentialRefs = includeToolCredentials ? agentRunToolCredentialRefs(spec) : [];
if (includeToolCredentials) validateBasePolicyToolCredentials(basePolicy, toolCredentialRefs, target);
const laneToolCredentialRefs = includeToolCredentials ? agentRunToolCredentialRefs(spec) : [];
const toolCredentialRefs = includeToolCredentials
? selectBasePolicyToolCredentials(basePolicy, laneToolCredentialRefs, target)
: [];
const toolCredentials = toolCredentialRefs.map((credential) => {
if (credential.secretRef.namespace !== spec.runtime.namespace) {
throw new AgentRunRestError("validation-failed", `toolCredential ${credential.tool} Secret ${credential.secretRef.name} is in namespace ${credential.secretRef.namespace}, expected target lane namespace ${spec.runtime.namespace}`);
@@ -626,14 +628,16 @@ export function agentRunToolCredentialRefs(spec: AgentRunLaneSpec): AgentRunTool
}));
}
function validateBasePolicyToolCredentials(basePolicy: Record<string, unknown>, laneCredentials: readonly AgentRunToolCredentialRef[], target: AgentRunSessionPolicyTarget): void {
const rawCredentials = record(basePolicy.secretScope).toolCredentials;
if (rawCredentials === undefined || rawCredentials === null) return;
function selectBasePolicyToolCredentials(basePolicy: Record<string, unknown>, laneCredentials: readonly AgentRunToolCredentialRef[], target: AgentRunSessionPolicyTarget): AgentRunToolCredentialRef[] {
const secretScope = record(basePolicy.secretScope);
if (!Object.hasOwn(secretScope, "toolCredentials")) return [...laneCredentials];
const rawCredentials = secretScope.toolCredentials;
if (!Array.isArray(rawCredentials)) {
throw new AgentRunRestError("validation-failed", "executionPolicy.secretScope.toolCredentials must be an array when lane tool credentials are enabled");
}
const laneByIdentity = new Map(laneCredentials.map((credential) => [`${credential.tool}\0${credential.purpose}`, credential]));
const seen = new Set<string>();
const selected: AgentRunToolCredentialRef[] = [];
for (const [index, rawCredential] of rawCredentials.entries()) {
const credential = record(rawCredential);
const tool = stringOrNull(credential.tool);
@@ -664,7 +668,9 @@ function validateBasePolicyToolCredentials(basePolicy: Record<string, unknown>,
if (!toolCredentialProjectionMatches(record(credential.projection), laneCredential.projection)) {
throw new AgentRunRestError("validation-failed", `executionPolicy toolCredential ${tool}/${purpose} projection conflicts with YAML lane ${target.spec.nodeId}/${target.spec.lane}`);
}
selected.push(laneCredential);
}
return selected;
}
function normalizedCredentialKeys(value: unknown): string[] | null {