Migrate away from using GPTScript for credentials#6677
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR migrates Obot’s credential handling away from GPTScript’s built-in credential stores and into the gateway database/client, adding a temporary HTTP credential-store shim for GPTScript while updating controllers/API paths to use the new gateway credential APIs.
Changes:
- Add a gateway-backed
Credentialmodel + client APIs (list/reveal/upsert/delete) with encryption support and GPTScript-credential migration. - Update controllers, gateway server, and API handlers to use the gateway credential client instead of
gptscript.GPTScriptfor credentials. - Introduce temporary
/api/credentials/*endpoints and update service/server startup to support the new embedded-start flow.
Reviewed changes
Copilot reviewed 64 out of 65 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/tools/resolve.go | Removes old tool-reference resolution helper (moved). |
| pkg/services/config.go | Reworks service wiring, credstore init, GPTScript start, and credential migration. |
| pkg/server/server.go | Adjusts server startup to run HTTP server async and call embedded GPTScript start(). |
| pkg/proxy/proxy.go | Removes GPTScript dependency from proxy manager/provider URL resolution. |
| pkg/messagepolicy/helper.go | Switches message policy helper to gateway credential client. |
| pkg/messagepolicy/evaluate.go | Uses gateway client for model provider creds/env resolution. |
| pkg/jwt/persistent/persistent.go | Stores/retrieves JWK via gateway credential APIs. |
| pkg/invoke/system.go | Removes GPTScript parameter from SystemTask path. |
| pkg/invoke/invoker.go | Stores GPTScript client on Invoker; simplifies call sites. |
| pkg/gateway/types/credentials.go | Adds gateway DB Credential model. |
| pkg/gateway/server/user.go | Removes GPTScript from auth-provider URL resolution. |
| pkg/gateway/server/tokenreview.go | Removes GPTScript from token review context population. |
| pkg/gateway/server/llmproxy.go | Uses gateway client to load model-provider credential env. |
| pkg/gateway/server/dispatcher/dispatcher.go | Dispatcher now starts providers without needing GPTScript param; uses gateway creds. |
| pkg/gateway/server/dispatcher/availablemodels.go | Models discovery no longer requires GPTScript param. |
| pkg/gateway/db/db.go | Auto-migrates new types.Credential table. |
| pkg/gateway/client/credential.go | Implements gateway credential CRUD + (de/en)cryption helpers. |
| pkg/gateway/client/credential_migration.go | Migrates old GPTScript credentials table into gateway credentials. |
| pkg/encryption/encryption.go | Simplifies Init return signature (drops config file path). |
| pkg/credstores/credstore.go | Replaces DB-backed GPTScript credstore with HTTP shim tool; adds SQLite file helper. |
| pkg/controller/routes.go | Rewires controller handlers to use gateway credentials. |
| pkg/controller/migrate.go | Migrates MCP server manifest values using gateway credentials. |
| pkg/controller/handlers/toolreference/toolreference.go | Inlines tool-ref resolving; switches credential ops to gateway client. |
| pkg/controller/handlers/systemmcpserver/systemmcpserver.go | Switches system MCP server credential management to gateway client. |
| pkg/controller/handlers/secret/nanobotagent.go | Reads nanobot creds from gateway credentials. |
| pkg/controller/handlers/oauthclients/oauthclients.go | Deletes OAuth client creds via gateway client. |
| pkg/controller/handlers/nanobotagent/nanobotagent.go | Stores/reads nanobot agent credentials via gateway client. |
| pkg/controller/handlers/mcpwebhookvalidation/mcpwebhookvalidation.go | Uses gateway credentials for webhook validation server config. |
| pkg/controller/handlers/mcpservercatalogentry/mcpservercatalogentry.go | Manages OAuth creds via gateway credentials. |
| pkg/controller/handlers/mcpserver/mcpserver.go | Manages MCP server secret info and config via gateway credentials. |
| pkg/controller/handlers/mcpcatalog/mcpcatalog.go | Uses gateway credentials for catalog source tokens. |
| pkg/controller/handlers/imagepullsecret/imagepullsecret.go | Uses gateway credentials for image pull secret passwords. |
| pkg/controller/handlers/cleanup/credentials.go | Cleans up credentials via gateway client APIs. |
| pkg/controller/handlers/auditlogexport/auditlogexport.go | Updates auditlogexport credential provider to use gateway client. |
| pkg/controller/controller.go | Uses gateway credentials for pre-start migration and local secret handler wiring. |
| pkg/bootstrap/bootstrap.go | Stores bootstrap token in gateway credentials. |
| pkg/auditlogexport/credentials.go | Reads/writes storage creds via gateway credentials. |
| pkg/api/server/server.go | Removes GPTScript from API request context; gateway client is the credential source. |
| pkg/api/router/router.go | Adds temporary credential endpoints; updates handler wiring for gateway creds. |
| pkg/api/request.go | Removes GPTClient from api.Context. |
| pkg/api/handlers/systemmcpserver.go | Switches system MCP server credential ops to gateway client. |
| pkg/api/handlers/systemmcpcatalogs.go | Switches system catalog token storage to gateway client. |
| pkg/api/handlers/serverinstances.go | Switches instance configuration creds to gateway client. |
| pkg/api/handlers/registry/handler.go | Uses gateway credentials when resolving server configs/registry results. |
| pkg/api/handlers/poweruserworkspace.go | Uses gateway credentials when listing servers with config. |
| pkg/api/handlers/modelprovider.go | Uses gateway credentials for model provider configuration/reveal/list. |
| pkg/api/handlers/mcpwebhookvalidation.go | Uses gateway credentials for webhook validation CRUD/config/reveal. |
| pkg/api/handlers/mcphelpers.go | Updates helper functions to use gateway credential APIs. |
| pkg/api/handlers/mcpgateway/oauth/mcpoauthhandler.go | OAuth flow uses gateway credentials for static OAuth client lookup. |
| pkg/api/handlers/mcpgateway/handler.go | Uses gateway credentials when ensuring system server deployment. |
| pkg/api/handlers/mcpcatalogs.go | Uses gateway credentials for catalog tokens, temp servers, and OAuth creds. |
| pkg/api/handlers/mcp.go | Uses gateway credentials throughout MCP server CRUD/config/reveal flows. |
| pkg/api/handlers/mcp_oauth_debugger.go | Uses gateway credentials for static OAuth client lookup. |
| pkg/api/handlers/imagepullsecrets.go | Uses gateway credentials for image pull secret password flows. |
| pkg/api/handlers/credential.go | Adds temporary HTTP credential-store shim endpoints for GPTScript. |
| pkg/api/handlers/availablemodels.go | Uses gateway creds + updated dispatcher for model listing. |
| pkg/api/handlers/authprovider.go | Uses gateway credentials for auth provider configuration/reveal/list. |
| pkg/api/handlers/auditlogexport.go | Uses gateway creds for storage credential retrieval/test behavior. |
| pkg/api/authz/authz.go | Whitelists temporary credential endpoints (handler-enforced auth). |
| go.sum | Updates module checksums for new dependencies and forked gptscript. |
| go.mod | Adds sqlite driver + replaces gptscript module with fork. |
| gcp-encryption.yaml | Updates encryption config to resource-qualified credential name. |
| chart/templates/deployment.yaml | Updates Helm encryption config resource name for credentials. |
| azure-encryption.yaml | Updates encryption config to resource-qualified credential name. |
| aws-encryption.yaml | Updates encryption config to resource-qualified credential name. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
6ff31ce to
4cfe6fb
Compare
4cfe6fb to
8070f38
Compare
8070f38 to
7274c3f
Compare
njhale
reviewed
May 22, 2026
7274c3f to
f8574af
Compare
g-linville
approved these changes
May 26, 2026
f8574af to
5dd3603
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 65 out of 66 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (3)
pkg/api/handlers/availablemodels.go:62
- AvailableModelsHandler.List builds a credMap from GatewayClient.ListCredentials, but ListCredentials intentionally blanks out secret values (it only preserves keys). Passing these blanked secrets into ConvertModelProviderToolRef will generally make providers look unconfigured and cause available model listing to be empty/incorrect. Consider switching to RevealCredential per provider (e.g., ordered contexts [uid, system.GenericModelProviderCredentialContext]) or providing a safe internal-only path to fetch decrypted secrets for server-side use.
credCtxs := make([]string, 0, len(modelProviderReferences.Items))
for _, ref := range modelProviderReferences.Items {
credCtxs = append(credCtxs, string(ref.UID))
}
creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
CredentialContexts: credCtxs,
})
if err != nil {
return fmt.Errorf("failed to list model provider credentials: %w", err)
}
credMap := make(map[string]map[string]string, len(creds))
for _, cred := range creds {
credMap[cred.Context+cred.Name] = cred.Secrets
}
var oModels openai.ModelsList
for _, modelProvider := range modelProviderReferences.Items {
convertedModelProvider, err := providers.ConvertModelProviderToolRef(modelProvider, credMap[string(modelProvider.UID)+modelProvider.Name])
if err != nil {
pkg/api/handlers/modelprovider.go:113
- ModelProviderHandler.List populates env from GatewayClient.ListCredentials, but ListCredentials blanks secret values by design. Feeding these blank values into convertToolReferenceToModelProvider will likely mark configured providers as missing required configuration and mislead the UI. Consider using RevealCredential per provider (ordered contexts [uid, system.GenericModelProviderCredentialContext]) when you need configuration values, or adjust the conversion logic to determine "configured" without needing secret values.
credCtxs := make([]string, 0, len(refList.Items)+1)
for _, ref := range refList.Items {
credCtxs = append(credCtxs, string(ref.UID))
}
credCtxs = append(credCtxs, system.GenericModelProviderCredentialContext)
creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
CredentialContexts: credCtxs,
})
if err != nil {
return fmt.Errorf("failed to list model provider credentials: %w", err)
}
credMap := make(map[string]map[string]string, len(creds))
for _, cred := range creds {
credMap[cred.Context+cred.Name] = cred.Secrets
}
resp := make([]types.ModelProvider, 0, len(refList.Items))
var env map[string]string
for _, ref := range refList.Items {
env = credMap[string(ref.UID)+ref.Name]
if env == nil {
env = credMap[system.GenericModelProviderCredentialContext+ref.Name]
}
modelProvider, err := convertToolReferenceToModelProvider(ref, env)
if err != nil {
pkg/api/handlers/authprovider.go:120
- AuthProviderHandler.listAuthProviders builds an env map from GatewayClient.ListCredentials, but ListCredentials blanks secret values by design. Passing these blank values into convertToolReferenceToAuthProvider will likely make configured auth providers appear unconfigured/missing parameters. Use RevealCredential per provider (ordered contexts [uid, system.GenericAuthProviderCredentialContext]) when configuration values are needed, or change the list response to compute configured status without reading secret values.
credCtxs := make([]string, 0, len(refList.Items)+1)
for _, ref := range refList.Items {
credCtxs = append(credCtxs, string(ref.UID))
}
credCtxs = append(credCtxs, system.GenericAuthProviderCredentialContext)
creds, err := req.GatewayClient.ListCredentials(req.Context(), gateway.ListCredentialsOptions{
CredentialContexts: credCtxs,
})
if err != nil {
return nil, fmt.Errorf("failed to list auth provider credentials: %w", err)
}
credMap := make(map[string]map[string]string, len(creds))
for _, cred := range creds {
credMap[cred.Context+cred.Name] = cred.Secrets
}
resp := make([]types.AuthProvider, 0, len(refList.Items))
for _, ref := range refList.Items {
env, ok := credMap[string(ref.UID)+ref.Name]
if !ok {
env = credMap[system.GenericAuthProviderCredentialContext+ref.Name]
}
authProvider, err := convertToolReferenceToAuthProvider(ref, env)
if err != nil {
njhale
approved these changes
May 27, 2026
5dd3603 to
567e0cf
Compare
This change moves credentials into Obot itself, migrating any existing credentials from GPTScript. Signed-off-by: Donnie Adams <donnie@obot.ai>
All of this code will be removed once we no longer need GPTScript for auth and model providers. Signed-off-by: Donnie Adams <donnie@obot.ai>
567e0cf to
6984480
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Depends on gptscript-ai/gptscript#1020