resolveExecRef handles {source:"exec"} SecretRef resolution. It audits the command path, runs the child under a timeout with a hard stdout cap, and extracts the secret from the JSON response. providerName is the caller- resolved effective alias (honours secrets.defaults.exec from openclaw.json).
(ref *SecretRef, providerName string, pc *ProviderConfig, getenv func(string) string)
| 50 | // extracts the secret from the JSON response. providerName is the caller- |
| 51 | // resolved effective alias (honours secrets.defaults.exec from openclaw.json). |
| 52 | func resolveExecRef(ref *SecretRef, providerName string, pc *ProviderConfig, getenv func(string) string) (string, error) { |
| 53 | prep, err := prepareExecRun(ref, providerName, pc, getenv) |
| 54 | if err != nil { |
| 55 | return "", err |
| 56 | } |
| 57 | stdout, err := runExecCommand(prep) |
| 58 | if err != nil { |
| 59 | return "", err |
| 60 | } |
| 61 | return extractExecSecret(stdout, ref.ID, effectiveJSONOnly(pc)) |
| 62 | } |
| 63 | |
| 64 | // prepareExecRun audits the command path, marshals the JSON request, |
| 65 | // assembles the minimal child env, and resolves timeout / output limits. |