Fix API Key Interpolation: Support SecretStr in SecretManager

nadeem4 · nadeem4 · commit 766f782aa9dc · 2026-01-12T20:50:44.000-06:00
- Updated SecretManager.resolve_object to unwrap, resolve, and re-wrap SecretStr objects
- Updated tests/unit/test_secrets.py to verify SecretManager resolution
- Ensures \ patterns in SecretStr fields (like api_key) are correctly resolved
diff --git a/packages/core/src/nl2sql/secrets/manager.py b/packages/core/src/nl2sql/secrets/manager.py
@@ -82,24 +82,35 @@ def resolve(self, secret_ref: str) -> str:
         
         raise ValueError(f"Secret not found: {secret_ref}")
 
+        return obj
+
     def resolve_object(self, obj: Any) -> Any:
         """
-        Recursively resolves secret references in a generic object (Pydantic model, dict, list, str).
+        Recursively resolves secret references in a generic object (Pydantic model, dict, list, str, SecretStr).
         Returns a new object with secrets resolved.
         """
-        from pydantic import BaseModel
+        from pydantic import BaseModel, SecretStr
 
         # Base case: String
         if isinstance(obj, str):
             if obj.startswith("${") and obj.endswith("}"):
                 return self.resolve(obj)
             return obj
+            
+        # Handle SecretStr
+        if isinstance(obj, SecretStr):
+            secret_val = obj.get_secret_value()
+            if secret_val and secret_val.startswith("${") and secret_val.endswith("}"):
+                resolved_val = self.resolve(secret_val)
+                return SecretStr(resolved_val)
+            return obj
         
         # Pydantic Model
         if isinstance(obj, BaseModel):
             # Recursively resolve fields
             updates = {}
-            for field_name in obj.model_fields.keys():
+            # Access model_fields from the class, not the instance
+            for field_name in type(obj).model_fields.keys():
                 val = getattr(obj, field_name)
                 resolved = self.resolve_object(val)
                 # Only update if changed (optimization)
diff --git a/packages/core/tests/unit/test_secrets.py b/packages/core/tests/unit/test_secrets.py
@@ -55,5 +55,30 @@ def test_config_hides_secrets():
         database="db"
     )
     
+
     assert "hidden_password" not in str(config)
     assert "**********" in str(config)
+
+def test_llm_registry_resolves_secrets():
+    """Verify SecretManager resolves SecretStr within Pydantic models."""
+    from nl2sql.secrets import secret_manager
+    from nl2sql.configs import LLMFileConfig, AgentConfig
+
+    config = LLMFileConfig(
+        default=AgentConfig(
+            provider="openai",
+            model="gpt-4o",
+            api_key=SecretStr("${env:TEST_LLM_KEY}")
+        )
+    )
+    
+    # Mock resolve
+    with patch("nl2sql.secrets.manager.SecretManager.resolve") as mock_resolve:
+        mock_resolve.return_value = "sk-resolved-key"
+        
+        # Test resolve_object directly (ConfigManager uses this)
+        resolved_config = secret_manager.resolve_object(config)
+        
+        # Verify resolution happened inside SecretStr
+        assert resolved_config.default.api_key.get_secret_value() == "sk-resolved-key"
+        mock_resolve.assert_called_with("${env:TEST_LLM_KEY}")
