diff --git a/scripts/src/agentrun.ts b/scripts/src/agentrun.ts index ecb13078..748e6873 100644 --- a/scripts/src/agentrun.ts +++ b/scripts/src/agentrun.ts @@ -7312,15 +7312,21 @@ function agentRunExecutionPolicyWithLaneCredentials(basePolicy: Record { +const AGENTRUN_DEFAULT_TOOL_CREDENTIALS = new Set(["unidesk-ssh"]); + +function agentRunToolCredentialRefs(spec: AgentRunLaneSpec, options: { includeUnsupported?: boolean } = {}): Array<{ tool: string; sourceId: string; secretRef: { namespace: string; name: string; key: string }; valuesPrinted: false }> { return spec.secrets .filter((secret) => secret.providerCredentialProfile === null && secret.id.startsWith("tool-")) - .map((secret) => ({ - tool: secret.id.replace(/^tool-/u, "").replace(/-token$/u, ""), - sourceId: secret.id, - secretRef: secret.targetRef, - valuesPrinted: false, - })); + .map((secret) => { + const tool = secret.id.replace(/^tool-/u, "").replace(/-token$/u, ""); + return { + tool, + sourceId: secret.id, + secretRef: secret.targetRef, + valuesPrinted: false as const, + }; + }) + .filter((credential) => options.includeUnsupported === true || AGENTRUN_DEFAULT_TOOL_CREDENTIALS.has(credential.tool)); } function renderAgentRunSessionPolicyExplanation(args: string[] = [], options: AgentRunRestTargetOptions = { node: null, lane: null }): string { @@ -7338,7 +7344,7 @@ function renderAgentRunSessionPolicyExplanation(args: string[] = [], options: Ag secretRef: credential.secretRef, valuesPrinted: false, })); - const toolCredentialSources = agentRunToolCredentialRefs(spec); + const toolCredentialSources = agentRunToolCredentialRefs(spec, { includeUnsupported: true }); return [ "KIND: session-policy", `CONFIG: ${config.sourcePath}`,