Fix invalid owner-address bug

cmd/secrets/common/handler.go

@@ -274,15 +274,18 @@ func (h *Handler) fetchVaultMasterPublicKeyHex() (string, error) {
 
 // ResolveEffectiveOwner returns the owner string to use for vault secret identifiers.
 // When SecretsOrgOwned is enabled, the org ID (from auth validation) is used;
-// otherwise, the workflow owner address is used.
+// otherwise, the workflow owner address is used and must be a valid hex address.
 func (h *Handler) ResolveEffectiveOwner() (string, error) {
 	if h.EnvironmentSet != nil && h.EnvironmentSet.SecretsOrgOwned {
 		if h.Credentials == nil || h.Credentials.OrgID == "" {
 			return "", fmt.Errorf("org ID required when CRE_CLI_SECRETS_ORG_OWNED is enabled; ensure auth validation succeeds")
 		}
 		return h.Credentials.OrgID, nil
 	}
-	return h.OwnerAddress, nil
+	if !common.IsHexAddress(h.OwnerAddress) {
+		return "", fmt.Errorf("owner address %q is not a valid hex address", h.OwnerAddress)
+	}
+	return common.HexToAddress(h.OwnerAddress).Hex(), nil
 }
 
 // EncryptSecrets takes the raw secrets and encrypts them, returning pointers.

cmd/secrets/common/handler_test.go

@@ -127,19 +127,39 @@ func TestEncryptSecrets(t *testing.T) {
 }
 
 func TestResolveEffectiveOwner(t *testing.T) {
-	t.Run("returns owner address when SecretsOrgOwned is false", func(t *testing.T) {
+	t.Run("returns canonicalized address when SecretsOrgOwned is false", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
-		h.OwnerAddress = "0xabc"
+		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
 		h.EnvironmentSet.SecretsOrgOwned = false
 
 		owner, err := h.ResolveEffectiveOwner()
 		require.NoError(t, err)
-		require.Equal(t, "0xabc", owner)
+		require.Equal(t, "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266", owner)
+	})
+
+	t.Run("errors when SecretsOrgOwned is false and owner address is empty", func(t *testing.T) {
+		h, _, _ := newMockHandler(t)
+		h.OwnerAddress = ""
+		h.EnvironmentSet.SecretsOrgOwned = false
+
+		_, err := h.ResolveEffectiveOwner()
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not a valid hex address")
+	})
+
+	t.Run("errors when SecretsOrgOwned is false and owner address is malformed", func(t *testing.T) {
+		h, _, _ := newMockHandler(t)
+		h.OwnerAddress = "not-an-address"
+		h.EnvironmentSet.SecretsOrgOwned = false
+
+		_, err := h.ResolveEffectiveOwner()
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not a valid hex address")
 	})
 
 	t.Run("returns org ID when SecretsOrgOwned is true and org ID is set", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
-		h.OwnerAddress = "0xabc"
+		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
 		h.EnvironmentSet.SecretsOrgOwned = true
 		h.Credentials.OrgID = "org-123"
 
@@ -150,7 +170,7 @@ func TestResolveEffectiveOwner(t *testing.T) {
 
 	t.Run("errors when SecretsOrgOwned is true but org ID is empty", func(t *testing.T) {
 		h, _, _ := newMockHandler(t)
-		h.OwnerAddress = "0xabc"
+		h.OwnerAddress = "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
 		h.EnvironmentSet.SecretsOrgOwned = true
 		h.Credentials.OrgID = ""
 

cmd/secrets/delete/delete.go

@@ -127,10 +127,6 @@ func Execute(h *common.Handler, inputs DeleteSecretsInputs, duration time.Durati
 	if err != nil {
 		return err
 	}
-	// When not using org-owned secrets, canonicalize the address
-	if ethcommon.IsHexAddress(owner) {
-		owner = ethcommon.HexToAddress(owner).Hex()
-	}
 
 	ptrIDs := make([]*vault.SecretIdentifier, len(inputs))
 	for i, item := range inputs {

cmd/secrets/list/list.go

@@ -101,9 +101,6 @@ func Execute(h *common.Handler, namespace string, duration time.Duration, secret
 	if err != nil {
 		return err
 	}
-	if ethcommon.IsHexAddress(owner) {
-		owner = ethcommon.HexToAddress(owner).Hex()
-	}
 
 	// Fresh request ID
 	requestID := uuid.New().String()