Harden runtime export after review

Default export output now omits registry passwords unless the caller explicitly passes --include-secrets. Empty endpoint lists are omitted so apply keeps its default endpoint behavior, and the file-output test closes handles explicitly.

Constraint: Review feedback identified secret leakage and empty-endpoint semantic drift risks.

Rejected: Always exporting passwords with only documentation warnings | stdout/file exports can leak secrets by default.

Confidence: high

Scope-risk: narrow

Directive: Keep sensitive fields opt-in for future export surfaces.

Tested: ruff check src/ tests/; ruff format --check src/ tests/; mypy src/agentrun_cli; pytest tests/integration/test_runtime_cmd.py -v; pytest tests/unit tests/integration --cov=agentrun_cli --cov-fail-under=95
Signed-off-by: congxiao.wxx <congxiao.wxx@alibaba-inc.com>

Change-Id: I3fb430af1fc41cf581911a5b84a1dd1c0941760b
Co-developed-by: Codex <noreply@openai.com>

Author: congxiao-wxx

docs/en/runtime.md

@@ -161,7 +161,7 @@ before `apply`.
 ## export
 
 ```
-ar runtime export NAME [-f FILE]
+ar runtime export NAME [-f FILE] [--include-secrets]
 ```
 
 Export an existing Agent Runtime and its endpoints as `ar runtime apply` YAML.
@@ -170,14 +170,16 @@ exports only fields supported by the CLI YAML schema and intentionally omits
 server-owned state such as IDs, ARNs, versions, status, and timestamps.
 `cloudBuild` cannot be reconstructed from a remote runtime because it depends on
 local source/build settings.
-If the service returns registry authentication details, the exported YAML may
-contain sensitive values; review it before committing or sharing.
+Registry authentication secrets such as passwords are omitted by default. Use
+`--include-secrets` only when you explicitly need a full-fidelity export, and
+review the YAML before committing or sharing it.
 
 ### Options
 
 | Flag | Type | Required | Default | Description |
 |------|------|----------|---------|-------------|
 | `-f`, `--file` | path | no |  | Write YAML to a file instead of stdout. |
+| `--include-secrets` | flag | no | `false` | Include sensitive registry authentication fields in exported YAML. |
 
 ### Examples
 

docs/zh/runtime.md

@@ -152,20 +152,22 @@ ar runtime render -f FILE
 ## export
 
 ```
-ar runtime export NAME [-f FILE]
+ar runtime export NAME [-f FILE] [--include-secrets]
 ```
 
 读取一个存量 Agent Runtime 及其 endpoints，并导出为 `ar runtime apply` 可消费的
 YAML。默认输出到 stdout；传入 `--file` 时写入文件。命令只导出当前 CLI YAML
 schema 支持的字段，会刻意省略 ID、ARN、version、status、时间戳等服务端状态字段。
 `cloudBuild` 依赖本地源码目录和构建参数，无法从远端 runtime 反推，因此不会导出。
-如果服务端返回镜像仓库认证信息，导出的 YAML 可能包含敏感值；提交或共享前请先检查。
+镜像仓库认证密码等敏感字段默认不导出。只有明确需要完整导出时才使用
+`--include-secrets`，提交或共享前请先检查 YAML。
 
 ### Options
 
 | Flag | Type | Required | Default | Description |
 |------|------|----------|---------|-------------|
 | `-f`, `--file` | path | no |  | 将 YAML 写入文件，而不是 stdout。 |
+| `--include-secrets` | flag | no | `false` | 在导出 YAML 中包含敏感的镜像仓库认证字段。 |
 
 ### Examples
 

src/agentrun_cli/commands/runtime/export_cmd.py

@@ -42,9 +42,14 @@ def _lazy_sdk() -> Any:
     type=click.Path(dir_okay=False, writable=True),
     help="Write YAML to a file instead of stdout.",
 )
+@click.option(
+    "--include-secrets",
+    is_flag=True,
+    help="Include sensitive registry authentication fields in exported YAML.",
+)
 @click.pass_context
 @handle_errors
-def export_cmd(ctx, name, file_path):
+def export_cmd(ctx, name, file_path, include_secrets):
     rt_cls = _lazy_sdk()
     profile, region = ctx_cfg(ctx)
     build_sdk_config(profile_name=profile, region=region)
@@ -53,7 +58,7 @@ def export_cmd(ctx, name, file_path):
         echo_error("ResourceNotFound", f"AgentRuntime {name!r} not found.")
         raise SystemExit(EXIT_NOT_FOUND)
     try:
-        data = runtime_to_yaml_doc(runtime)
+        data = runtime_to_yaml_doc(runtime, include_secrets=include_secrets)
     except RuntimeExportError as exc:
         echo_error("UnsupportedRuntime", str(exc))
         raise SystemExit(EXIT_BAD_INPUT) from exc
@@ -66,7 +71,9 @@ def export_cmd(ctx, name, file_path):
     click.echo(text, nl=False)
 
 
-def runtime_to_yaml_doc(runtime: Any) -> dict[str, Any]:
+def runtime_to_yaml_doc(
+    runtime: Any, *, include_secrets: bool = False
+) -> dict[str, Any]:
     artifact_type = _enum_value(_get(runtime, "artifact_type", "artifactType"))
     if artifact_type and artifact_type != "Container":
         raise RuntimeExportError(
@@ -91,7 +98,9 @@ def runtime_to_yaml_doc(runtime: Any) -> dict[str, Any]:
             metadata, "workspace", _get(runtime, "workspace_name", "workspaceName")
         )
 
-    spec: dict[str, Any] = {"container": _export_container(container)}
+    spec: dict[str, Any] = {
+        "container": _export_container(container, include_secrets=include_secrets)
+    }
     for yaml_key, attr in [
         ("cpu", "cpu"),
         ("memory", "memory"),
@@ -145,7 +154,9 @@ def runtime_to_yaml_doc(runtime: Any) -> dict[str, Any]:
     )
 
     if hasattr(runtime, "list_endpoints"):
-        spec["endpoints"] = [_export_endpoint(ep) for ep in runtime.list_endpoints()]
+        endpoints = [_export_endpoint(ep) for ep in runtime.list_endpoints()]
+        if endpoints:
+            spec["endpoints"] = endpoints
 
     return {
         "apiVersion": "agentrun/v1",
@@ -155,7 +166,7 @@ def runtime_to_yaml_doc(runtime: Any) -> dict[str, Any]:
     }
 
 
-def _export_container(container: Any) -> dict[str, Any]:
+def _export_container(container: Any, *, include_secrets: bool) -> dict[str, Any]:
     out: dict[str, Any] = {"image": _get(container, "image")}
     command = _get(container, "command")
     if command:
@@ -172,19 +183,23 @@ def _export_container(container: Any) -> dict[str, Any]:
     _set_if_present(
         out,
         "registryConfig",
-        _export_registry(_get(container, "registry_config", "registryConfig")),
+        _export_registry(
+            _get(container, "registry_config", "registryConfig"),
+            include_secrets=include_secrets,
+        ),
     )
     return out
 
 
-def _export_registry(registry: Any) -> dict[str, Any] | None:
+def _export_registry(registry: Any, *, include_secrets: bool) -> dict[str, Any] | None:
     if registry is None:
         return None
     out: dict[str, Any] = {}
     auth = _get(registry, "auth_config", "authConfig", "auth")
     auth_out: dict[str, Any] = {}
     _set_if_present(auth_out, "userName", _get(auth, "user_name", "userName"))
-    _set_if_present(auth_out, "password", _get(auth, "password"))
+    if include_secrets:
+        _set_if_present(auth_out, "password", _get(auth, "password"))
     _set_if_present(out, "auth", auth_out)
 
     cert = _get(registry, "cert_config", "certConfig", "cert")

tests/integration/test_runtime_cmd.py

@@ -729,7 +729,7 @@ def test_export_runtime_outputs_apply_yaml():
     }
     assert out["spec"]["container"]["image"] == "registry.example.com/ns/app:v1"
     assert out["spec"]["container"]["registryConfig"]["auth"]["userName"] == "repo-user"
-    assert out["spec"]["container"]["registryConfig"]["auth"]["password"] == "repo-pass"
+    assert "password" not in out["spec"]["container"]["registryConfig"]["auth"]
     assert out["spec"]["protocol"]["settings"][0]["path"] == "/invoke"
     assert out["spec"]["nas"]["mountPoints"][0]["mountDir"] == "/mnt/nas"
     assert out["spec"]["ossMount"]["mountPoints"][0]["bucketName"] == "bucket-1"
@@ -776,10 +776,48 @@ def test_export_runtime_writes_file():
             )
             assert result.exit_code == 0, result.output
             assert result.output == ""
-            out = yaml.safe_load(open("runtime.yaml", encoding="utf-8"))
+            with open("runtime.yaml", encoding="utf-8") as f:
+                out = yaml.safe_load(f)
     assert out["metadata"]["name"] == "my-agent"
 
 
+def test_export_runtime_can_include_secrets_explicitly():
+    rt = _make_export_runtime()
+    rt_cls = MagicMock()
+    rt_cls.list_all.return_value = [rt]
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.export_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch("agentrun_cli.commands.runtime.export_cmd.AgentRuntime", rt_cls),
+    ):
+        result = CliRunner().invoke(
+            _root(), ["runtime", "export", "my-agent", "--include-secrets"]
+        )
+    assert result.exit_code == 0, result.output
+    out = yaml.safe_load(result.output)
+    assert out["spec"]["container"]["registryConfig"]["auth"]["password"] == "repo-pass"
+
+
+def test_export_runtime_omits_empty_endpoint_list():
+    rt = _make_export_runtime()
+    rt.list_endpoints = MagicMock(return_value=[])
+    rt_cls = MagicMock()
+    rt_cls.list_all.return_value = [rt]
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.export_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch("agentrun_cli.commands.runtime.export_cmd.AgentRuntime", rt_cls),
+    ):
+        result = CliRunner().invoke(_root(), ["runtime", "export", "my-agent"])
+    assert result.exit_code == 0, result.output
+    out = yaml.safe_load(result.output)
+    assert "endpoints" not in out["spec"]
+
+
 def test_export_runtime_not_found_exit_1():
     rt_cls = MagicMock()
     rt_cls.list_all.return_value = []