carverauto/serviceradar

Fork 0

fix: wasm plugin updates #3080

Merged

mfreeman451 merged 2 commits from refs/pull/3080/head into staging

2026-03-26 00:31:48 +00:00

mfreeman451 commented

2026-03-25 23:55:16 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #3081
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/3081
Original created: 2026-03-25T23:55:16Z
Original updated: 2026-03-26T00:31:50Z
Original head: carverauto/serviceradar:update/wasm-updates-plugins
Original base: staging
Original merged: 2026-03-26T00:31:48Z by @mfreeman451

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

Imported from GitHub pull request. Original GitHub pull request: #3081 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/3081 Original created: 2026-03-25T23:55:16Z Original updated: 2026-03-26T00:31:50Z Original head: carverauto/serviceradar:update/wasm-updates-plugins Original base: staging Original merged: 2026-03-26T00:31:48Z by @mfreeman451 --- ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test?

Copilot commented

2026-03-25 23:59:49 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR review comment.

Original author: @Copilot
Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738748
Original created: 2026-03-25T23:59:49Z
Original path: go/cmd/wasm-plugins/axis/config.stream.schema.json
Original line: 19

The streaming config schema defines a plain password field. Without secretRef: true (and the _secret_ref naming pattern used elsewhere), the UI will render/store the password as a normal text value, which can expose credentials. Consider changing this to password_secret_ref with secretRef: true so runtime params still resolve to password while keeping secrets encrypted/redacted in storage/UI.

    "password_secret_ref": {
      "type": "string",
      "description": "Camera API password",
      "secretRef": true

Imported GitHub PR review comment. Original author: @Copilot Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738748 Original created: 2026-03-25T23:59:49Z Original path: go/cmd/wasm-plugins/axis/config.stream.schema.json Original line: 19 --- The streaming config schema defines a plain `password` field. Without `secretRef: true` (and the `_secret_ref` naming pattern used elsewhere), the UI will render/store the password as a normal text value, which can expose credentials. Consider changing this to `password_secret_ref` with `secretRef: true` so runtime params still resolve to `password` while keeping secrets encrypted/redacted in storage/UI. ```suggestion "password_secret_ref": { "type": "string", "description": "Camera API password", "secretRef": true ```

Copilot commented

2026-03-25 23:59:50 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR review comment.

Original author: @Copilot
Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738780
Original created: 2026-03-25T23:59:50Z
Original path: go/cmd/wasm-plugins/axis/README.md
Original line: 37

The README still references manifest.stream.json earlier in the file, but this section now documents plugin.stream.yaml. Please update the remaining manifest.stream.json mention(s) to avoid confusing users about the expected package artifacts.

Imported GitHub PR review comment. Original author: @Copilot Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738780 Original created: 2026-03-25T23:59:50Z Original path: go/cmd/wasm-plugins/axis/README.md Original line: 37 --- The README still references `manifest.stream.json` earlier in the file, but this section now documents `plugin.stream.yaml`. Please update the remaining `manifest.stream.json` mention(s) to avoid confusing users about the expected package artifacts.

Copilot commented

2026-03-25 23:59:50 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR review comment.

Original author: @Copilot
Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738800
Original created: 2026-03-25T23:59:50Z
Original path: go/cmd/wasm-plugins/unifi-protect/config.schema.json
Original line: 27

This schema models credentials as plain string fields (password, and also api_key/cookie). Since config schemas drive UI rendering and stored params, this can expose secrets as normal text values. Consider using secret refs instead (e.g., password_secret_ref / api_key_secret_ref / cookie_secret_ref with secretRef: true) so runtime params still resolve to password/api_key/cookie while keeping secrets encrypted/redacted.

    "password_secret_ref": {
      "type": "string",
      "description": "Reference to Protect local account password",
      "secretRef": true,
      "runtimeParam": "password"
    },
    "api_key_secret_ref": {
      "type": "string",
      "description": "Reference to optional Protect API key",
      "secretRef": true,
      "runtimeParam": "api_key"
    },
    "cookie_secret_ref": {
      "type": "string",
      "description": "Reference to optional pre-provisioned controller Cookie header value",
      "secretRef": true,
      "runtimeParam": "cookie"

Imported GitHub PR review comment. Original author: @Copilot Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738800 Original created: 2026-03-25T23:59:50Z Original path: go/cmd/wasm-plugins/unifi-protect/config.schema.json Original line: 27 --- This schema models credentials as plain string fields (`password`, and also `api_key`/`cookie`). Since config schemas drive UI rendering and stored params, this can expose secrets as normal text values. Consider using secret refs instead (e.g., `password_secret_ref` / `api_key_secret_ref` / `cookie_secret_ref` with `secretRef: true`) so runtime params still resolve to `password`/`api_key`/`cookie` while keeping secrets encrypted/redacted. ```suggestion "password_secret_ref": { "type": "string", "description": "Reference to Protect local account password", "secretRef": true, "runtimeParam": "password" }, "api_key_secret_ref": { "type": "string", "description": "Reference to optional Protect API key", "secretRef": true, "runtimeParam": "api_key" }, "cookie_secret_ref": { "type": "string", "description": "Reference to optional pre-provisioned controller Cookie header value", "secretRef": true, "runtimeParam": "cookie" ```

Copilot commented

2026-03-25 23:59:50 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR review comment.

Original author: @Copilot
Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738825
Original created: 2026-03-25T23:59:50Z
Original path: go/cmd/wasm-plugins/unifi-protect/config.stream.schema.json
Original line: 27

This streaming schema includes plain-text credential fields (password, and also api_key/cookie). Because schemas are used for UI + stored params, these should be modeled as secret refs (e.g., *_secret_ref with secretRef: true) to avoid credential exposure while still resolving to runtime fields.

    "password_secret_ref": {
      "type": "string",
      "description": "Reference to Protect local account password",
      "secretRef": true
    },
    "api_key_secret_ref": {
      "type": "string",
      "description": "Reference to optional Protect API key",
      "secretRef": true
    },
    "cookie_secret_ref": {
      "type": "string",
      "description": "Reference to optional pre-provisioned controller Cookie header value",
      "secretRef": true

Imported GitHub PR review comment. Original author: @Copilot Original URL: https://github.com/carverauto/serviceradar/pull/3081#discussion_r2991738825 Original created: 2026-03-25T23:59:50Z Original path: go/cmd/wasm-plugins/unifi-protect/config.stream.schema.json Original line: 27 --- This streaming schema includes plain-text credential fields (`password`, and also `api_key`/`cookie`). Because schemas are used for UI + stored params, these should be modeled as secret refs (e.g., `*_secret_ref` with `secretRef: true`) to avoid credential exposure while still resolving to runtime fields. ```suggestion "password_secret_ref": { "type": "string", "description": "Reference to Protect local account password", "secretRef": true }, "api_key_secret_ref": { "type": "string", "description": "Reference to optional Protect API key", "secretRef": true }, "cookie_secret_ref": { "type": "string", "description": "Reference to optional pre-provisioned controller Cookie header value", "secretRef": true ```