Skip to content

Migrate away from using GPTScript for credentials#6677

Merged
thedadams merged 2 commits into
obot-platform:mainfrom
thedadams:push-morqponqzkwz
May 29, 2026
Merged

Migrate away from using GPTScript for credentials#6677
thedadams merged 2 commits into
obot-platform:mainfrom
thedadams:push-morqponqzkwz

Conversation

@thedadams

@thedadams thedadams commented May 22, 2026

Copy link
Copy Markdown
Contributor

Copilot AI review requested due to automatic review settings May 22, 2026 14:46
@thedadams thedadams changed the title Push morqponqzkwz Migrate away from using GPTScript for credentials May 22, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates Obot’s credential handling away from GPTScript’s built-in credential stores and into the gateway database/client, adding a temporary HTTP credential-store shim for GPTScript while updating controllers/API paths to use the new gateway credential APIs.

Changes:

  • Add a gateway-backed Credential model + client APIs (list/reveal/upsert/delete) with encryption support and GPTScript-credential migration.
  • Update controllers, gateway server, and API handlers to use the gateway credential client instead of gptscript.GPTScript for credentials.
  • Introduce temporary /api/credentials/* endpoints and update service/server startup to support the new embedded-start flow.

Reviewed changes

Copilot reviewed 64 out of 65 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
pkg/tools/resolve.go Removes old tool-reference resolution helper (moved).
pkg/services/config.go Reworks service wiring, credstore init, GPTScript start, and credential migration.
pkg/server/server.go Adjusts server startup to run HTTP server async and call embedded GPTScript start().
pkg/proxy/proxy.go Removes GPTScript dependency from proxy manager/provider URL resolution.
pkg/messagepolicy/helper.go Switches message policy helper to gateway credential client.
pkg/messagepolicy/evaluate.go Uses gateway client for model provider creds/env resolution.
pkg/jwt/persistent/persistent.go Stores/retrieves JWK via gateway credential APIs.
pkg/invoke/system.go Removes GPTScript parameter from SystemTask path.
pkg/invoke/invoker.go Stores GPTScript client on Invoker; simplifies call sites.
pkg/gateway/types/credentials.go Adds gateway DB Credential model.
pkg/gateway/server/user.go Removes GPTScript from auth-provider URL resolution.
pkg/gateway/server/tokenreview.go Removes GPTScript from token review context population.
pkg/gateway/server/llmproxy.go Uses gateway client to load model-provider credential env.
pkg/gateway/server/dispatcher/dispatcher.go Dispatcher now starts providers without needing GPTScript param; uses gateway creds.
pkg/gateway/server/dispatcher/availablemodels.go Models discovery no longer requires GPTScript param.
pkg/gateway/db/db.go Auto-migrates new types.Credential table.
pkg/gateway/client/credential.go Implements gateway credential CRUD + (de/en)cryption helpers.
pkg/gateway/client/credential_migration.go Migrates old GPTScript credentials table into gateway credentials.
pkg/encryption/encryption.go Simplifies Init return signature (drops config file path).
pkg/credstores/credstore.go Replaces DB-backed GPTScript credstore with HTTP shim tool; adds SQLite file helper.
pkg/controller/routes.go Rewires controller handlers to use gateway credentials.
pkg/controller/migrate.go Migrates MCP server manifest values using gateway credentials.
pkg/controller/handlers/toolreference/toolreference.go Inlines tool-ref resolving; switches credential ops to gateway client.
pkg/controller/handlers/systemmcpserver/systemmcpserver.go Switches system MCP server credential management to gateway client.
pkg/controller/handlers/secret/nanobotagent.go Reads nanobot creds from gateway credentials.
pkg/controller/handlers/oauthclients/oauthclients.go Deletes OAuth client creds via gateway client.
pkg/controller/handlers/nanobotagent/nanobotagent.go Stores/reads nanobot agent credentials via gateway client.
pkg/controller/handlers/mcpwebhookvalidation/mcpwebhookvalidation.go Uses gateway credentials for webhook validation server config.
pkg/controller/handlers/mcpservercatalogentry/mcpservercatalogentry.go Manages OAuth creds via gateway credentials.
pkg/controller/handlers/mcpserver/mcpserver.go Manages MCP server secret info and config via gateway credentials.
pkg/controller/handlers/mcpcatalog/mcpcatalog.go Uses gateway credentials for catalog source tokens.
pkg/controller/handlers/imagepullsecret/imagepullsecret.go Uses gateway credentials for image pull secret passwords.
pkg/controller/handlers/cleanup/credentials.go Cleans up credentials via gateway client APIs.
pkg/controller/handlers/auditlogexport/auditlogexport.go Updates auditlogexport credential provider to use gateway client.
pkg/controller/controller.go Uses gateway credentials for pre-start migration and local secret handler wiring.
pkg/bootstrap/bootstrap.go Stores bootstrap token in gateway credentials.
pkg/auditlogexport/credentials.go Reads/writes storage creds via gateway credentials.
pkg/api/server/server.go Removes GPTScript from API request context; gateway client is the credential source.
pkg/api/router/router.go Adds temporary credential endpoints; updates handler wiring for gateway creds.
pkg/api/request.go Removes GPTClient from api.Context.
pkg/api/handlers/systemmcpserver.go Switches system MCP server credential ops to gateway client.
pkg/api/handlers/systemmcpcatalogs.go Switches system catalog token storage to gateway client.
pkg/api/handlers/serverinstances.go Switches instance configuration creds to gateway client.
pkg/api/handlers/registry/handler.go Uses gateway credentials when resolving server configs/registry results.
pkg/api/handlers/poweruserworkspace.go Uses gateway credentials when listing servers with config.
pkg/api/handlers/modelprovider.go Uses gateway credentials for model provider configuration/reveal/list.
pkg/api/handlers/mcpwebhookvalidation.go Uses gateway credentials for webhook validation CRUD/config/reveal.
pkg/api/handlers/mcphelpers.go Updates helper functions to use gateway credential APIs.
pkg/api/handlers/mcpgateway/oauth/mcpoauthhandler.go OAuth flow uses gateway credentials for static OAuth client lookup.
pkg/api/handlers/mcpgateway/handler.go Uses gateway credentials when ensuring system server deployment.
pkg/api/handlers/mcpcatalogs.go Uses gateway credentials for catalog tokens, temp servers, and OAuth creds.
pkg/api/handlers/mcp.go Uses gateway credentials throughout MCP server CRUD/config/reveal flows.
pkg/api/handlers/mcp_oauth_debugger.go Uses gateway credentials for static OAuth client lookup.
pkg/api/handlers/imagepullsecrets.go Uses gateway credentials for image pull secret password flows.
pkg/api/handlers/credential.go Adds temporary HTTP credential-store shim endpoints for GPTScript.
pkg/api/handlers/availablemodels.go Uses gateway creds + updated dispatcher for model listing.
pkg/api/handlers/authprovider.go Uses gateway credentials for auth provider configuration/reveal/list.
pkg/api/handlers/auditlogexport.go Uses gateway creds for storage credential retrieval/test behavior.
pkg/api/authz/authz.go Whitelists temporary credential endpoints (handler-enforced auth).
go.sum Updates module checksums for new dependencies and forked gptscript.
go.mod Adds sqlite driver + replaces gptscript module with fork.
gcp-encryption.yaml Updates encryption config to resource-qualified credential name.
chart/templates/deployment.yaml Updates Helm encryption config resource name for credentials.
azure-encryption.yaml Updates encryption config to resource-qualified credential name.
aws-encryption.yaml Updates encryption config to resource-qualified credential name.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/server/server.go Outdated
Comment thread pkg/server/server.go Outdated
Comment thread pkg/api/handlers/credential.go
Comment thread pkg/services/config.go
Comment thread pkg/gateway/client/credential.go
@thedadams thedadams force-pushed the push-morqponqzkwz branch from 6ff31ce to 4cfe6fb Compare May 22, 2026 15:12
Copilot AI review requested due to automatic review settings May 22, 2026 15:17
@thedadams thedadams force-pushed the push-morqponqzkwz branch from 4cfe6fb to 8070f38 Compare May 22, 2026 15:17

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 65 out of 66 changed files in this pull request and generated 3 comments.

Comment thread pkg/services/config.go
Comment thread pkg/server/server.go Outdated
Comment thread pkg/server/server.go Outdated
Comment thread pkg/gateway/server/dispatcher/availablemodels.go Outdated
@thedadams thedadams force-pushed the push-morqponqzkwz branch from 7274c3f to f8574af Compare May 26, 2026 13:48
Copilot AI review requested due to automatic review settings May 27, 2026 17:22
@thedadams thedadams force-pushed the push-morqponqzkwz branch from f8574af to 5dd3603 Compare May 27, 2026 17:22

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 65 out of 66 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (3)

pkg/api/handlers/availablemodels.go:62

  • AvailableModelsHandler.List builds a credMap from GatewayClient.ListCredentials, but ListCredentials intentionally blanks out secret values (it only preserves keys). Passing these blanked secrets into ConvertModelProviderToolRef will generally make providers look unconfigured and cause available model listing to be empty/incorrect. Consider switching to RevealCredential per provider (e.g., ordered contexts [uid, system.GenericModelProviderCredentialContext]) or providing a safe internal-only path to fetch decrypted secrets for server-side use.
	credCtxs := make([]string, 0, len(modelProviderReferences.Items))
	for _, ref := range modelProviderReferences.Items {
		credCtxs = append(credCtxs, string(ref.UID))
	}

	creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
		CredentialContexts: credCtxs,
	})
	if err != nil {
		return fmt.Errorf("failed to list model provider credentials: %w", err)
	}

	credMap := make(map[string]map[string]string, len(creds))
	for _, cred := range creds {
		credMap[cred.Context+cred.Name] = cred.Secrets
	}

	var oModels openai.ModelsList
	for _, modelProvider := range modelProviderReferences.Items {
		convertedModelProvider, err := providers.ConvertModelProviderToolRef(modelProvider, credMap[string(modelProvider.UID)+modelProvider.Name])
		if err != nil {

pkg/api/handlers/modelprovider.go:113

  • ModelProviderHandler.List populates env from GatewayClient.ListCredentials, but ListCredentials blanks secret values by design. Feeding these blank values into convertToolReferenceToModelProvider will likely mark configured providers as missing required configuration and mislead the UI. Consider using RevealCredential per provider (ordered contexts [uid, system.GenericModelProviderCredentialContext]) when you need configuration values, or adjust the conversion logic to determine "configured" without needing secret values.
	credCtxs := make([]string, 0, len(refList.Items)+1)
	for _, ref := range refList.Items {
		credCtxs = append(credCtxs, string(ref.UID))
	}

	credCtxs = append(credCtxs, system.GenericModelProviderCredentialContext)
	creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
		CredentialContexts: credCtxs,
	})
	if err != nil {
		return fmt.Errorf("failed to list model provider credentials: %w", err)
	}

	credMap := make(map[string]map[string]string, len(creds))
	for _, cred := range creds {
		credMap[cred.Context+cred.Name] = cred.Secrets
	}

	resp := make([]types.ModelProvider, 0, len(refList.Items))
	var env map[string]string
	for _, ref := range refList.Items {
		env = credMap[string(ref.UID)+ref.Name]
		if env == nil {
			env = credMap[system.GenericModelProviderCredentialContext+ref.Name]
		}

		modelProvider, err := convertToolReferenceToModelProvider(ref, env)
		if err != nil {

pkg/api/handlers/authprovider.go:120

  • AuthProviderHandler.listAuthProviders builds an env map from GatewayClient.ListCredentials, but ListCredentials blanks secret values by design. Passing these blank values into convertToolReferenceToAuthProvider will likely make configured auth providers appear unconfigured/missing parameters. Use RevealCredential per provider (ordered contexts [uid, system.GenericAuthProviderCredentialContext]) when configuration values are needed, or change the list response to compute configured status without reading secret values.
	credCtxs := make([]string, 0, len(refList.Items)+1)
	for _, ref := range refList.Items {
		credCtxs = append(credCtxs, string(ref.UID))
	}
	credCtxs = append(credCtxs, system.GenericAuthProviderCredentialContext)

	creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
		CredentialContexts: credCtxs,
	})
	if err != nil {
		return nil, fmt.Errorf("failed to list auth provider credentials: %w", err)
	}

	credMap := make(map[string]map[string]string, len(creds))
	for _, cred := range creds {
		credMap[cred.Context+cred.Name] = cred.Secrets
	}

	resp := make([]types.AuthProvider, 0, len(refList.Items))
	for _, ref := range refList.Items {
		env, ok := credMap[string(ref.UID)+ref.Name]
		if !ok {
			env = credMap[system.GenericAuthProviderCredentialContext+ref.Name]
		}
		authProvider, err := convertToolReferenceToAuthProvider(ref, env)
		if err != nil {

Comment thread pkg/gateway/types/credentials.go
Comment thread pkg/api/authz/authz.go
Comment thread pkg/gateway/client/credential.go
Comment thread pkg/gateway/client/credential_migration.go
@thedadams thedadams force-pushed the push-morqponqzkwz branch from 5dd3603 to 567e0cf Compare May 28, 2026 13:41
thedadams added 2 commits May 28, 2026 14:42
This change moves credentials into Obot itself, migrating any existing
credentials from GPTScript.

Signed-off-by: Donnie Adams <donnie@obot.ai>
All of this code will be removed once we no longer need GPTScript for
auth and model providers.

Signed-off-by: Donnie Adams <donnie@obot.ai>
Copilot AI review requested due to automatic review settings May 28, 2026 18:42
@thedadams thedadams force-pushed the push-morqponqzkwz branch from 567e0cf to 6984480 Compare May 28, 2026 18:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@thedadams thedadams merged commit 0c644c0 into obot-platform:main May 29, 2026
5 checks passed
@thedadams thedadams deleted the push-morqponqzkwz branch May 29, 2026 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants