The UOSE system manages external resource connections through Secret Manager. A resource does not directly store passwords, tokens, or certificates. Instead, it stores an immutable Secret version reference. This separates resource configuration from sensitive credentials and supports credential rotation.

Connection Ref

Resources reference Secret versions through connectionRef. A common form is:
secret://sap%2Fprod%2Fmain?version=1
The reference contains:
  • Secret key: the logical secret name.
  • Version: the immutable version number.
When a Secret is updated, the system creates a new version and does not overwrite the old one. A resource reads the new credential only after its connectionRef is updated to the new version.

Secret Payload

Different resource types require different payloads. Common fields include:
  • baseUrl: service root URL of the source system.
  • authMode: authentication mode, such as current_user_oidc, basic, static_bearer, or api_key.
  • username, password, token, apiKey: credentials used by different authentication modes.
  • headers: fixed request headers; sensitive headers are filtered.
  • queryParams: fixed query parameters required by the source system.
  • tls: private CA, SNI, or certificate validation configuration.
  • timeoutMs: source system request timeout.
Secret payloads must contain only connection-related content. Business policies or sync scope should be placed in resource capabilities instead.

Current User Credentials

Some resources support current_user_oidc. This mode uses the OIDC token of the current request user to access the external system, which is suitable when the source system must inherit user permissions. When using it, note that:
  • REST calls can reuse the current logged-in user’s token.
  • MCP scenarios must explicitly forward the business user token.
  • Background queues cannot depend on short-lived user tokens for long periods.
  • Audits should record actor and task context, but must not write tokens into logs.
If a resource needs stable background sync, prefer static API keys, service accounts, or source-system authorization tokens.

Versioned Rotation

Recommended rotation flow:
  1. Load a draft from the existing Secret version.
  2. Update the token, password, or certificate.
  3. Save it as a new version.
  4. Update the resource connectionRef to the new version in resource settings.
  5. Trigger a sync or connection validation.
  6. After confirming the new version works, retire the old credential according to the organization’s process.
Versioning ensures online resources are not immediately affected by editing a draft.

Security Boundaries

UOSE follows these principles for secret management:
  • Secret payloads do not enter ontology snapshots.
  • Sensitive fields such as password, token, and username are not written to RDF, entity attributes, or logs.
  • Resource pages display only connectionRef, not plaintext credentials.
  • Relaxed TLS settings should only be used for temporary troubleshooting and are not recommended for long-term production use.
  • Connection information should be split by resource and environment to avoid multiple production resources sharing one high-privilege secret.
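The connectionRef format, the versioned rotation flow and the no-credentials-in-logs boundary above, as an added example that is not UOSE's own code. The store API, the rotate helper and the sensitive-header list are assumptions made for illustration.

```python
# Added example (not UOSE's own code): parse connectionRef, keep secrets in an
# append-only versioned store, redact before logging. Store API/header list assumed.
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

SENSITIVE_FIELDS = {"password", "token", "apiKey", "username"}
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}  # assumed list

@dataclass(frozen=True)
class ConnectionRef:
    key: str      # logical secret name, e.g. "sap/prod/main"
    version: int  # immutable version number

def parse_connection_ref(ref: str) -> ConnectionRef:
    """Parse and validate a connectionRef; reject anything malformed."""
    u = urlparse(ref)
    if u.scheme != "secret" or not u.netloc:
        raise ValueError(f"bad scheme or missing key: {ref!r}")
    versions = parse_qs(u.query).get("version", [])
    if len(versions) != 1 or not versions[0].isdigit():
        raise ValueError(f"exactly one numeric version required: {ref!r}")
    return ConnectionRef(key=unquote(u.netloc), version=int(versions[0]))

class SecretStore:
    """Append-only store: saving never overwrites, it creates a new version."""
    def __init__(self):
        self._versions: dict[str, list[dict]] = {}

    def save_new_version(self, key: str, payload: dict) -> int:
        self._versions.setdefault(key, []).append(dict(payload))
        return len(self._versions[key])  # version numbers start at 1

    def load(self, ref: ConnectionRef) -> dict:
        history = self._versions.get(ref.key, [])
        if not 1 <= ref.version <= len(history):
            raise KeyError(f"no version {ref.version} of {ref.key!r}")
        return dict(history[ref.version - 1])

def rotate(store: SecretStore, ref: ConnectionRef, **changes) -> int:
    """Rotation steps 1-3: draft from the old version, edit it, save as new."""
    draft = store.load(ref)
    draft.update(changes)
    return store.save_new_version(ref.key, draft)

def redact_for_log(payload: dict) -> dict:
    """Drop credential fields and sensitive headers before audit logging."""
    safe = {k: v for k, v in payload.items() if k not in SENSITIVE_FIELDS}
    safe["headers"] = {h: v for h, v in payload.get("headers", {}).items()
                       if h.lower() not in SENSITIVE_HEADERS}
    return safe
```

A resource pinned to version 1 keeps reading the old token after `rotate` creates version 2; only updating its connectionRef (step 4) switches it over.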