fix: prevent false positive in Secret.get_plaintext() for plaintext values (#6566)

When a Secret is created from plaintext (was_encrypted=False), the is_encrypted() heuristic can incorrectly identify long API keys as encrypted. This causes get_plaintext() to return None when no encryption key is available, even though the value was explicitly stored as plaintext. Fix: Check was_encrypted flag before trusting is_encrypted() heuristic. If was_encrypted=False, trust the cached plaintext value. This is a port of https://github.com/letta-ai/letta/pull/3078 to letta-cloud. 👾 Generated with [Letta Code](https://letta.com) Co-authored-by: Letta Bot <noreply@letta.com>
2025-12-08 17:17:58 -08:00
parent 8c616a2093
commit fd14657e84
1 changed files with 7 additions and 1 deletions
--- a/letta/schemas/secret.py
+++ b/letta/schemas/secret.py
@@ -143,8 +143,14 @@ class Secret(BaseModel):
        if self.encrypted_value is None:
            return None

-        # Use cached value if available
+        # Use cached value if available, but only if it looks like plaintext
+        # or we're confident we can decrypt it
        if self._plaintext_cache is not None:
+            # If this was explicitly created as plaintext, trust the cache
+            # This prevents false positives from is_encrypted() heuristic
+            if not self.was_encrypted:
+                return self._plaintext_cache
+            # For encrypted values, trust the cache (already decrypted previously)
            return self._plaintext_cache

        # Try to decrypt