
Secrets #272

Merged

hmahmood24 merged 5 commits into staging from secrets on May 11, 2026

Conversation

@hmahmood24 (Member)

No description provided.

Introduce a runtime-owned OAuth helper for refresh-token backed providers instead of putting provider-specific token semantics on SecretManager. The helper owns provider metadata, aliases, expiry checks, env overlay construction, and the actor-facing get_oauth_access_token(...) documentation surface.

This gives generated Python a clear way to request an explicit provider-scoped access token when an SDK or HTTP client requires one, while preserving the normal environment-based credential path for SDKs that can read credentials directly.

Keep SecretManager focused on mirroring allowlisted runtime OAuth secrets from Orchestra into local Secrets, .env, and os.environ, while keeping OAuth provider semantics in the runtime helper. The sync path now has a single debounced gate so frequent runtime callers can ask for freshness without forcing a network round trip on every operation.

Assistant update events and secret inspection still force sync because those paths represent explicit freshness boundaries. Normal runtime execution can use the same gate with a TTL, which keeps credentials reasonably current without making every actor step pay the full Orchestra sync cost.

Route in-process Python, venv-backed Python, persistent shell sessions, and runtime RPC through the OAuth runtime helper. The execute_code boundary now asks the debounced secret sync gate for freshness, and long-lived subprocesses receive OAuth env overlays so SDK/default-env credential paths do not keep stale inherited values.

Explicit get_oauth_access_token(...) calls in venv and shell route back to the parent runtime, which keeps token freshness checks centralized instead of trusting child process environment snapshots. The actor integration test covers Microsoft and Google in the same sandbox to prevent accidental global-token behavior.

Expose the runtime OAuth helper in the CodeAct prompt using the same signature-and-docstring pattern as reason(...). The guidance distinguishes SDK/default environment behavior from cases that require an explicit access token, and warns against printing, logging, storing, or baking concrete token values into reusable functions or guidance.

The prompt test locks in the exact helper signature, multi-provider examples, and anti-pattern guidance so future prompt edits do not accidentally regress the actor's understanding of refreshed OAuth credentials.
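The commit messages above describe two mechanisms without showing code: a single debounced sync gate with a TTL plus a `force` path for explicit freshness boundaries, and a runtime-owned OAuth helper that holds provider metadata and aliases, performs expiry checks, builds env overlays for subprocesses, and exposes `get_oauth_access_token(...)`. The following is an added illustration of that design, not code from this pull request or the project; every class, name, env variable and token string here is an assumption or a constructed placeholder, and the "Orchestra sync" is a fake that mints placeholder tokens on an injectable clock so the debounce and expiry behaviour can be traced deterministically.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class SecretSyncGate:
    """One debounced gate in front of the expensive upstream secret sync (hypothetical).

    force=True always syncs (explicit freshness boundaries such as an assistant
    update event or secret inspection). Otherwise a sync runs only when more
    than ttl_seconds have passed since the last one.
    """

    def __init__(self, sync: Callable[[], None], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sync, self._ttl, self._clock = sync, ttl_seconds, clock
        self._last_sync: Optional[float] = None
        self.sync_count = 0

    def ensure_fresh(self, force: bool = False) -> bool:
        """Return True if a sync ran, False if the cached mirror was reused."""
        now = self._clock()
        if not force and self._last_sync is not None and now - self._last_sync < self._ttl:
            return False
        self._sync()
        self._last_sync = now
        self.sync_count += 1
        return True


@dataclass(frozen=True)
class OAuthProvider:
    name: str
    env_var: str                      # variable the SDK/default-env credential path reads
    aliases: tuple = ()
    expiry_skew_seconds: float = 5.0  # treat a token as expired this long before expires_at


@dataclass
class OAuthSecret:
    access_token: str
    expires_at: float                 # absolute time on the same clock the helper uses


class OAuthRuntimeHelper:
    """Owns provider metadata, aliases, expiry checks and env overlays (hypothetical)."""

    def __init__(self, gate: SecretSyncGate, secrets: Dict[str, OAuthSecret],
                 providers: list, clock: Callable[[], float] = time.monotonic) -> None:
        self._gate, self._secrets, self._clock = gate, secrets, clock
        self._providers: Dict[str, OAuthProvider] = {}
        for p in providers:
            for key in (p.name, *p.aliases):
                self._providers[key.lower()] = p

    def resolve(self, provider: str) -> OAuthProvider:
        if provider.lower() not in self._providers:
            raise KeyError(f"unknown OAuth provider {provider!r}")
        return self._providers[provider.lower()]

    def _fresh_secret(self, p: OAuthProvider) -> Optional[OAuthSecret]:
        s = self._secrets.get(p.name)
        if s is None or self._clock() >= s.expires_at - p.expiry_skew_seconds:
            return None
        return s

    def get_oauth_access_token(self, provider: str) -> str:
        """Explicit, provider-scoped token for an SDK or HTTP client that needs one."""
        p = self.resolve(provider)
        self._gate.ensure_fresh()                 # debounced: cheap inside the TTL
        s = self._fresh_secret(p)
        if s is None:                             # mirrored token missing or about to expire
            self._gate.ensure_fresh(force=True)   # pay the full sync cost only now
            s = self._fresh_secret(p)
        if s is None:
            raise RuntimeError(f"no fresh OAuth token for {p.name}")
        return s.access_token

    def env_overlay(self) -> Dict[str, str]:
        """Env vars to hand a long-lived subprocess instead of stale inherited values."""
        self._gate.ensure_fresh()
        overlay: Dict[str, str] = {}
        for p in set(self._providers.values()):
            s = self._secrets.get(p.name)
            if s is not None:
                overlay[p.env_var] = s.access_token
        return overlay


def build_demo():
    """Constructed scenario: fake clock plus a fake upstream sync minting placeholder tokens."""
    clock = {"t": 1000.0}
    now = lambda: clock["t"]
    secrets: Dict[str, OAuthSecret] = {}
    minted = {"n": 0}

    def fake_orchestra_sync() -> None:
        minted["n"] += 1
        # placeholder token strings; the Google one is deliberately short-lived (20 s)
        secrets["microsoft"] = OAuthSecret(f"microsoft-tok-{minted['n']}", now() + 3600)
        secrets["google"] = OAuthSecret(f"google-tok-{minted['n']}", now() + 20)

    gate = SecretSyncGate(fake_orchestra_sync, ttl_seconds=30, clock=now)
    providers = [OAuthProvider("microsoft", "MS_GRAPH_ACCESS_TOKEN", ("ms", "msgraph")),
                 OAuthProvider("google", "GOOGLE_OAUTH_ACCESS_TOKEN", ("gcp",))]
    return OAuthRuntimeHelper(gate, secrets, providers, clock=now), gate, clock


def demo() -> dict:
    helper, gate, clock = build_demo()
    t1 = helper.get_oauth_access_token("ms")         # first call: one real sync
    t2 = helper.get_oauth_access_token("google")     # inside the TTL: no sync
    clock["t"] += 25                                 # Google token now inside its expiry skew
    t3 = helper.get_oauth_access_token("google")     # expiry check forces a refresh
    t4 = helper.get_oauth_access_token("microsoft")  # already refreshed, no extra sync
    syncs = gate.sync_count
    gate.ensure_fresh(force=True)                    # explicit boundary, e.g. an assistant update
    return {"t1": t1, "t2": t2, "t3": t3, "t4": t4, "syncs": syncs,
            "syncs_after_boundary": gate.sync_count, "overlay": helper.env_overlay()}
```

Two design points carry over from the commit messages: the gate is the only place a network sync can be triggered, so callers ask for freshness rather than syncing themselves, and the helper returns a token value to the caller but never logs or persists it; the env overlay is the one place token values leave the helper, and only into the environment of a subprocess the runtime itself starts.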
@hmahmood24 hmahmood24 merged commit b42b9a2 into staging May 11, 2026
13 checks passed
@hmahmood24 hmahmood24 deleted the secrets branch May 11, 2026 09:04
