feat(config): 废弃 settings.json 中的 API Key 配置

jqknono · jqknono · commit ac9f2ab6732c · 2026-05-14T17:43:05.000+08:00
- 在 `coding-plans.vendors` 中添加 `apiKey` 字段，标记为已废弃，仅保留兼容用途。
- 建议优先使用 VS Code Secret Storage 存储 API Key 以提升安全性。
- 更新配置逻辑：若 `settings.json` 中配置了 `apiKey`，其优先级高于 Secret Storage 中的密钥。
- 更新版本号至 0.8.4。
diff --git a/DEV.md b/DEV.md
@@ -158,6 +158,7 @@ npm run test:pages
 ## 多协议供应商接入说明
 
 - 配置入口优先使用 `Coding Plans: Manage Vendor Configuration`。该命令从 `coding-plans.vendors` 动态生成供应商 QuickPick，选择供应商后可设置 API Key、刷新模型或打开供应商设置。
+- `coding-plans.vendors[].apiKey` 已标记为 deprecated，仅保留兼容用途；为保证 API Key 安全，建议优先使用 VS Code Secret Storage，而不是写入 `settings.json`。若此处仍配置了值，它会覆盖 Secret Storage 中同名供应商的 key。
 - Copilot Chat 的原生 Add Models 表单只用于添加 `Coding Plans` provider group 和填写 Group Name；`vendorName/apiKey` 字段保留为旧 group 配置兼容项，不再作为必填交互。
 - 调试请求链路时，可通过 `coding-plans.logLevel` 控制输出面板日志级别；需要完整追踪时切到 `debug`，日常建议保持 `info`。
 - `coding-plans.vendors[].defaultApiStyle` 用于声明供应商默认协议风格，模型也可以通过 `coding-plans.vendors[].models[].apiStyle` 单独覆盖：
diff --git a/README.md b/README.md
@@ -105,6 +105,7 @@ code --install-extension techfetch-dev.coding-plans-for-copilot
     {
       "name": "my-openai-vendor",
       "baseUrl": "https://api.example.com/v1",
+      "apiKey": "sk-example",
       "defaultApiStyle": "openai-chat",
       "useModelsEndpoint": true,
       "models": []
@@ -143,6 +144,7 @@ code --install-extension techfetch-dev.coding-plans-for-copilot
 | `coding-plans.vendors` | `array` | 内置供应商模板 | 供应商配置列表。 |
 | `coding-plans.vendors[].name` | `string` | 必填 | 供应商唯一名称。 |
 | `coding-plans.vendors[].baseUrl` | `string` | 必填 | API 基础地址。 |
+| `coding-plans.vendors[].apiKey` | `string` | 空 | 已废弃。仅兼容使用；为保证安全，建议优先通过 VS Code Secret Storage 保存 API Key。若此处配置了值，会覆盖 Secret Storage 中同名供应商的 key。 |
 | `coding-plans.vendors[].usageUrl` | `string` | 空 | 套餐 usage 接口地址，配置后状态栏显示额度百分比。 |
 | `coding-plans.vendors[].defaultApiStyle` | `string` | `openai-chat` | 协议风格：`openai-chat` / `openai-responses` / `anthropic`。 |
 | `coding-plans.vendors[].defaultTemperature` | `number` | `0.2` | 供应商默认 temperature。 |
@@ -171,7 +173,8 @@ code --install-extension techfetch-dev.coding-plans-for-copilot
 | `coding-plans.commitMessage.options.requireConventionalType` | `boolean` | `true` | 是否强制 Conventional Commits 类型。 |
 | `coding-plans.commitMessage.options.warnOnValidationFailure` | `boolean` | `true` | 校验失败时是否提示告警。 |
 
-`API Key` 不在 `settings.json` 明文存储，请通过「设置 API Key」写入 VS Code Secret Storage。
+`coding-plans.vendors[].apiKey` 已标记为 deprecated，仅保留兼容用途。
+建议优先通过「设置 API Key」写入 VS Code Secret Storage，避免将密钥保存在 `settings.json` 中；若仍配置 `coding-plans.vendors[].apiKey`，它会覆盖 Secret Storage 中同名供应商的 key。
 
 ### 上下文窗口展示
 
diff --git a/README_en.md b/README_en.md
@@ -108,6 +108,7 @@ The built-in Xiaomi MiMo default uses the Token Plan endpoint. If you want pay-a
     {
       "name": "my-openai-vendor",
       "baseUrl": "https://api.example.com/v1",
+      "apiKey": "sk-example",
       "defaultApiStyle": "openai-chat",
       "useModelsEndpoint": true,
       "models": []
@@ -146,6 +147,7 @@ The built-in Xiaomi MiMo default uses the Token Plan endpoint. If you want pay-a
 | `coding-plans.vendors` | `array` | Built-in vendor templates | Vendor configuration list. |
 | `coding-plans.vendors[].name` | `string` | Required | Vendor unique name. |
 | `coding-plans.vendors[].baseUrl` | `string` | Required | API base address. |
+| `coding-plans.vendors[].apiKey` | `string` | Empty | Deprecated. Kept for compatibility only; prefer VS Code Secret Storage for safer API key handling. When set, it overrides the same vendor key in Secret Storage. |
 | `coding-plans.vendors[].usageUrl` | `string` | Empty | Plan usage API address; when configured, status bar displays quota percentage. |
 | `coding-plans.vendors[].defaultApiStyle` | `string` | `openai-chat` | Protocol style: `openai-chat` / `openai-responses` / `anthropic`. |
 | `coding-plans.vendors[].defaultTemperature` | `number` | `0.2` | Vendor default temperature. |
@@ -174,7 +176,8 @@ The built-in Xiaomi MiMo default uses the Token Plan endpoint. If you want pay-a
 | `coding-plans.commitMessage.options.requireConventionalType` | `boolean` | `true` | Whether to enforce Conventional Commits type. |
 | `coding-plans.commitMessage.options.warnOnValidationFailure` | `boolean` | `true` | Whether to show warning on validation failure. |
 
-`API Key` is not stored in plaintext in `settings.json`. Please write it to VS Code Secret Storage via "Set API Key".
+`coding-plans.vendors[].apiKey` is deprecated and kept only for compatibility.
+Prefer "Set API Key" so the key stays in VS Code Secret Storage instead of `settings.json`; if `coding-plans.vendors[].apiKey` is still set, it overrides the same vendor key in Secret Storage.
 
 ### Context Window Display
 
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
     "name": "coding-plans-for-copilot",
     "displayName": "%displayName%",
     "description": "%description%",
-    "version": "0.8.1",
+    "version": "0.8.4",
     "publisher": "techfetch-dev",
     "repository": {
         "type": "git",
@@ -237,6 +237,12 @@
                             "baseUrl": {
                                 "type": "string"
                             },
+                            "apiKey": {
+                                "type": "string",
+                                "secret": true,
+                                "description": "%configuration.coding-plans.vendors.apiKey.description%",
+                                "deprecationMessage": "%configuration.coding-plans.vendors.apiKey.deprecationMessage%"
+                            },
                             "usageUrl": {
                                 "type": "string",
                                 "description": "Optional vendor usage endpoint. When configured, the extension fetches coding-plan quota usage and shows percentage summaries in the status bar. Currently verified for Zhipu usage APIs."
diff --git a/package.nls.json b/package.nls.json
@@ -8,12 +8,14 @@
   "configuration.coding-plans.vendors.description": "Configure AI model vendors with their endpoints and models.",
   "configuration.coding-plans.vendors.defaultTemperature.description": "Default temperature for this vendor. Models can override it individually. Recommended: 0.1-0.3 for coding, 0.3-0.5 for more creative output.",
   "configuration.coding-plans.vendors.defaultTopP.description": "Default top-p for this vendor. Models can override it individually. `0` means omit `top_p`, and is also the runtime default. Set a positive value only when you want to explicitly control nucleus sampling. `anthropic` requests ignore this value and do not send `top_p`.",
+  "configuration.coding-plans.vendors.apiKey.description": "Deprecated vendor API key in settings. Prefer Secret Storage for better security. When set, this value overrides the same vendor key in Secret Storage.",
+  "configuration.coding-plans.vendors.apiKey.deprecationMessage": "Deprecated: prefer Secret Storage to keep API keys out of settings.json.",
   "configuration.coding-plans.vendors.models.temperature.description": "Per-model temperature override. Inherits vendor defaultTemperature when omitted.",
   "configuration.coding-plans.vendors.models.topP.description": "Per-model top-p override. Inherits vendor defaultTopP when omitted. `0` means omit `top_p`. `anthropic` requests ignore this value and do not send `top_p`.",
-  "providers.codingPlans.config.vendorName.title": "Vendor Name (legacy optional)",
-  "providers.codingPlans.config.vendorName.description": "Optional legacy filter. Prefer Coding Plans: Manage Vendor Configuration to pick a vendor from coding-plans.vendors.",
+  "providers.codingPlans.config.vendorName.title": "Vendor Name (optional)",
+  "providers.codingPlans.config.vendorName.description": "Pick from settings.json coding-plans.vendors.name.",
   "providers.codingPlans.config.apiKey.title": "API Key",
-  "providers.codingPlans.config.apiKey.description": "Optional legacy API key input. Prefer Coding Plans: Manage Vendor Configuration so the key is stored by vendor name.",
+  "providers.codingPlans.config.apiKey.description": "Optional API key. Prefer Secret Storage for better security.",
   "providers.codingPlans.displayName": "Coding Plan",
   "commands.coding-plans.generateCommitMessage.title": "Generate Commit Message",
   "commands.coding-plans.selectCommitMessageModel.title": "Select Commit Message Model",
diff --git a/package.nls.zh-cn.json b/package.nls.zh-cn.json
@@ -8,12 +8,14 @@
   "configuration.coding-plans.vendors.description": "配置 AI 模型供应商及其端点和模型。",
   "configuration.coding-plans.vendors.defaultTemperature.description": "该供应商的默认 temperature，模型可单独覆盖。建议：代码生成/重构用 0.1-0.3，需更灵活表达时可用 0.3-0.5。",
   "configuration.coding-plans.vendors.defaultTopP.description": "该供应商的默认 topP，模型可单独覆盖。`0` 表示不发送 `top_p`，也是运行时默认值。仅当你需要显式控制 nucleus sampling 时再设置为正数。`anthropic` 风格请求会忽略该值，不发送 `top_p`。",
+  "configuration.coding-plans.vendors.apiKey.description": "已废弃的供应商 API Key 配置。为保证安全，建议优先使用 Secret Storage。若此处配置了值，会覆盖 Secret Storage 中同名供应商的 key。",
+  "configuration.coding-plans.vendors.apiKey.deprecationMessage": "已废弃：建议优先使用 Secret Storage，避免将 API Key 保存在 settings.json 中。",
   "configuration.coding-plans.vendors.models.temperature.description": "模型级 temperature 覆盖项；未配置时继承供应商 defaultTemperature。",
   "configuration.coding-plans.vendors.models.topP.description": "模型级 topP 覆盖项；未配置时继承供应商 defaultTopP。`0` 表示不发送 `top_p`。`anthropic` 风格请求会忽略该值，不发送 `top_p`。",
-  "providers.codingPlans.config.vendorName.title": "供应商名称（旧版可选）",
-  "providers.codingPlans.config.vendorName.description": "旧版可选过滤项。建议使用“管理编码套餐配置”从 coding-plans.vendors 中选择供应商。",
+  "providers.codingPlans.config.vendorName.title": "供应商名称（可选）",
+  "providers.codingPlans.config.vendorName.description": "从 settings.json 的 coding-plans.vendors.name 中选择。",
   "providers.codingPlans.config.apiKey.title": "API Key",
-  "providers.codingPlans.config.apiKey.description": "旧版可选 API Key 输入项。建议使用“管理编码套餐配置”按供应商名称安全存储。",
+  "providers.codingPlans.config.apiKey.description": "可选 API Key。为保证安全，建议优先使用 Secret Storage。",
   "providers.codingPlans.displayName": "Coding Plan",
   "commands.coding-plans.generateCommitMessage.title": "生成提交消息",
   "commands.coding-plans.selectCommitMessageModel.title": "选择提交消息模型",
diff --git a/src/config/configStore.ts b/src/config/configStore.ts
@@ -38,6 +38,7 @@ export interface VendorModelConfig {
 export interface VendorConfig {
   name: string;
   baseUrl: string;
+  apiKey?: string;
   usageUrl?: string;
   defaultApiStyle: VendorApiStyle;
   defaultTemperature?: number;
@@ -88,6 +89,10 @@ export class ConfigStore implements vscode.Disposable {
   }
 
   async getApiKey(vendorName: string): Promise<string> {
+    const configuredApiKey = this.getConfiguredVendorApiKey(vendorName);
+    if (configuredApiKey) {
+      return configuredApiKey;
+    }
     const key = await this.context.secrets.get(VENDOR_API_KEY_PREFIX + vendorName);
     return (key || '').trim();
   }
@@ -486,6 +491,9 @@ export class ConfigStore implements vscode.Disposable {
       return undefined;
     }
     const baseUrl = typeof obj.baseUrl === 'string' ? obj.baseUrl.trim() : '';
+    const apiKey = typeof obj.apiKey === 'string' && obj.apiKey.trim().length > 0
+      ? obj.apiKey.trim()
+      : undefined;
     const usageUrl = typeof obj.usageUrl === 'string' && obj.usageUrl.trim().length > 0
       ? obj.usageUrl.trim()
       : undefined;
@@ -499,7 +507,17 @@ export class ConfigStore implements vscode.Disposable {
           .map(m => this.normalizeModel(m, defaultVision, defaultApiStyle))
           .filter((m): m is VendorModelConfig => m !== undefined)
       : [];
-    return { name, baseUrl, usageUrl, defaultApiStyle, defaultTemperature, defaultTopP, useModelsEndpoint, defaultVision, models };
+    return { name, baseUrl, apiKey, usageUrl, defaultApiStyle, defaultTemperature, defaultTopP, useModelsEndpoint, defaultVision, models };
+  }
+
+  private getConfiguredVendorApiKey(vendorName: string): string {
+    const normalizedVendorName = vendorName.trim().toLowerCase();
+    if (normalizedVendorName.length === 0) {
+      return '';
+    }
+
+    const vendor = this.getVendors().find(candidate => candidate.name.trim().toLowerCase() === normalizedVendorName);
+    return vendor?.apiKey?.trim() ?? '';
   }
 
   private normalizeModel(
diff --git a/src/test/runTest.ts b/src/test/runTest.ts
@@ -26,6 +26,7 @@ type VendorModelRecord = {
 type VendorRecord = {
   name: string;
   baseUrl: string;
+  apiKey?: string;
   usageUrl?: string;
   defaultApiStyle?: 'openai-chat' | 'openai-responses' | 'anthropic';
   defaultTemperature?: number;
@@ -804,21 +805,39 @@ async function runConfigNormalizationTests(configStoreCtor: ConfigStoreCtor): Pr
     }]
   }]);
 
-  configStore = new configStoreCtor(createExtensionContext() as never);
-  try {
-    const vendor = configStore.getVendors()[0];
-    assert.equal(vendor?.models[0]?.apiStyle, 'anthropic');
-    assert.deepEqual(vendor?.models[0]?.capabilities, { tools: false, vision: false });
-    assert.equal(vendor?.models[0]?.temperature, undefined);
-    assert.equal(vendor?.models[0]?.topP, undefined);
-    console.log('PASS 模型级 apiStyle 覆盖供应商默认值');
-  } finally {
-    configStore.dispose();
-  }
-
-  activeState = createState([{
-    name: 'Vendor',
-    baseUrl: 'https://example.test/v1',
+  configStore = new configStoreCtor(createExtensionContext() as never);
+  try {
+    const vendor = configStore.getVendors()[0];
+    assert.equal(vendor?.models[0]?.apiStyle, 'anthropic');
+    assert.deepEqual(vendor?.models[0]?.capabilities, { tools: false, vision: false });
+    assert.equal(vendor?.models[0]?.temperature, undefined);
+    assert.equal(vendor?.models[0]?.topP, undefined);
+    console.log('PASS 模型级 apiStyle 覆盖供应商默认值');
+  } finally {
+    configStore.dispose();
+  }
+
+  activeState = createState([{
+    name: 'Vendor',
+    baseUrl: 'https://example.test/v1',
+    apiKey: '  configured-in-settings  ',
+    defaultApiStyle: 'openai-chat',
+    defaultVision: false,
+    models: []
+  }]);
+
+  configStore = new configStoreCtor(createExtensionContext() as never);
+  try {
+    const vendor = configStore.getVendors()[0];
+    assert.equal(vendor?.apiKey, 'configured-in-settings');
+    console.log('PASS vendors[].apiKey 可被正确归一化');
+  } finally {
+    configStore.dispose();
+  }
+
+  activeState = createState([{
+    name: 'Vendor',
+    baseUrl: 'https://example.test/v1',
     defaultApiStyle: 'openai-responses',
     defaultVision: true,
     models: []
@@ -956,7 +975,45 @@ async function runConfigNormalizationTests(configStoreCtor: ConfigStoreCtor): Pr
     configStore.dispose();
   }
 }
-
+
+async function runConfigStoreVendorApiKeyPriorityTests(configStoreCtor: ConfigStoreCtor): Promise<void> {
+  activeState = createState([{
+    name: 'Vendor',
+    baseUrl: 'https://example.test/v1',
+    apiKey: 'settings-key',
+    defaultApiStyle: 'openai-chat',
+    models: []
+  }]);
+
+  let secretContext = createExtensionContextWithSecrets();
+  secretContext.secrets.set('coding-plans.vendor.apiKey.Vendor', 'secret-key');
+  let configStore = new configStoreCtor(secretContext.context as never);
+  try {
+    assert.equal(await configStore.getApiKey('Vendor'), 'settings-key');
+    console.log('PASS vendors[].apiKey 优先于 Secret Storage');
+  } finally {
+    configStore.dispose();
+  }
+
+  activeState = createState([{
+    name: 'Vendor',
+    baseUrl: 'https://example.test/v1',
+    apiKey: '   ',
+    defaultApiStyle: 'openai-chat',
+    models: []
+  }]);
+
+  secretContext = createExtensionContextWithSecrets();
+  secretContext.secrets.set('coding-plans.vendor.apiKey.Vendor', 'secret-key');
+  configStore = new configStoreCtor(secretContext.context as never);
+  try {
+    assert.equal(await configStore.getApiKey('Vendor'), 'secret-key');
+    console.log('PASS vendors[].apiKey 为空时回退到 Secret Storage');
+  } finally {
+    configStore.dispose();
+  }
+}
+
 function runTokenWindowResolutionTests(baseProviderModule: BaseProviderModule): void {
   const { BaseAIProvider } = baseProviderModule;
   const vscode = require('vscode') as typeof import('vscode');
@@ -3558,6 +3615,7 @@ async function main(): Promise<void> {
       await runTestCase(ConfigStore, testCase);
     }
     await runConfigNormalizationTests(ConfigStore);
+    await runConfigStoreVendorApiKeyPriorityTests(ConfigStore);
     runTokenWindowResolutionTests(baseProviderModule);
     runGenericProviderContextSizeTests(ConfigStore, genericProviderModule);
     await runGenericProviderDiscoveryDefaultVisionTests(ConfigStore, genericProviderModule);
