Add 1Password option for configuring CAPI_DEV_KEY

Author: d10c

extensions/ql-vscode/src/config.ts

@@ -961,3 +961,9 @@ export const AUTOFIX_MODEL = new Setting("model", AUTOFIX_SETTING);
 export function getAutofixModel(): string | undefined {
   return AUTOFIX_MODEL.getValue<string>() || undefined;
 }
+
+export const AUTOFIX_CAPI_DEV_KEY = new Setting("capiDevKey", AUTOFIX_SETTING);
+
+export function getAutofixCapiDevKey(): string | undefined {
+  return AUTOFIX_CAPI_DEV_KEY.getValue<string>() || undefined;
+}

extensions/ql-vscode/src/variant-analysis/view-autofixes.ts

@@ -38,9 +38,11 @@ import type { VariantAnalysisResultsManager } from "./variant-analysis-results-m
 import {
   getAutofixPath,
   getAutofixModel,
+  getAutofixCapiDevKey,
   downloadTimeout,
   AUTOFIX_PATH,
   AUTOFIX_MODEL,
+  AUTOFIX_CAPI_DEV_KEY,
 } from "../config";
 import { asError, getErrorMessage } from "../common/helpers-pure";
 import { createTimeoutSignal } from "../common/fetch-stream";
@@ -155,6 +157,39 @@ async function findLocalAutofix(): Promise<string> {
   return localAutofixPath;
 }
 
+/**
+ * Finds and resolves the Copilot API dev key from the `codeQL.autofix.capiDevKey` setting.
+ * The key can be specified as an environment variable reference (e.g., `env:MY_ENV_VAR`)
+ * or a 1Password secret reference (e.g., `op://vault/item/field`). By default, it uses
+ * the environment variable `CAPI_DEV_KEY`.
+ *
+ * @returns The resolved Copilot API dev key.
+ * @throws Error if the Copilot API dev key is not found or invalid.
+ */
+async function findCapiDevKey(): Promise<string> {
+  let capiDevKey = getAutofixCapiDevKey() || "env:CAPI_DEV_KEY";
+
+  if (!capiDevKey.startsWith("env:") && !capiDevKey.startsWith("op://")) {
+    // Don't allow literal keys in config.json for security reasons
+    throw new Error(
+      `Invalid CAPI dev key format. Use 'env:<ENV_VAR_NAME>' or 'op://<1PASSWORD_SECRET_REFERENCE>'.`,
+    );
+  }
+  if (capiDevKey.startsWith("env:")) {
+    const envVarName = capiDevKey.substring("env:".length);
+    capiDevKey = process.env[envVarName] || "";
+  }
+  if (capiDevKey.startsWith("op://")) {
+    capiDevKey = await opRead(capiDevKey);
+  }
+  if (!capiDevKey) {
+    throw new Error(
+      `Copilot API dev key not found. Make sure ${AUTOFIX_CAPI_DEV_KEY.qualifiedName} is set correctly.`,
+    );
+  }
+  return capiDevKey;
+}
+
 /**
  * Overrides the query help from a given variant analysis
  * at a location within the `localAutofixPath` directory .
@@ -758,7 +793,7 @@ async function runAutofixOnResults(
     {
       cwd: workDir,
       env: {
-        CAPI_DEV_KEY: process.env.CAPI_DEV_KEY,
+        CAPI_DEV_KEY: await findCapiDevKey(),
         PATH: process.env.PATH,
       },
     },
@@ -828,6 +863,42 @@ function execAutofix(
   });
 }
 
+/** Execute the 1Password CLI command `op read <secretReference>`, if the `op` command exists on the PATH. */
+async function opRead(secretReference: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const opProcess = spawn("op", ["read", secretReference], {
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+
+    let stdoutBuffer = "";
+    let stderrBuffer = "";
+
+    opProcess.stdout?.on("data", (data) => {
+      stdoutBuffer += data.toString();
+    });
+
+    opProcess.stderr?.on("data", (data) => {
+      stderrBuffer += data.toString();
+    });
+
+    opProcess.on("error", (error) => {
+      reject(error);
+    });
+
+    opProcess.on("exit", (code) => {
+      if (code === 0) {
+        resolve(stdoutBuffer.trim());
+      } else {
+        reject(
+          new Error(
+            `1Password CLI exited with code ${code}. Stderr: ${stderrBuffer.trim()}`,
+          ),
+        );
+      }
+    });
+  });
+}
+
 /**
  * Creates a new file path by appending the given suffix.
  * @param filePath The original file path.