feat(secrets): finalize mode rename and validated exec docs

docs/cli/index.md

@@ -271,7 +271,7 @@ Note: plugins can add additional top-level commands (for example `openclaw voice
 
 - `openclaw secrets reload` — re-resolve refs and atomically swap the runtime snapshot.
 - `openclaw secrets audit` — scan for plaintext residues, unresolved refs, and precedence drift.
-- `openclaw secrets configure` — interactive helper to build SecretRef plan and preflight/apply safely.
+- `openclaw secrets configure` — interactive helper for provider setup + SecretRef mapping + preflight/apply.
 - `openclaw secrets apply --from <plan.json>` — apply a previously generated plan (`--dry-run` supported).
 
 ## Plugins

docs/cli/secrets.md

@@ -53,15 +53,28 @@ Exit behavior:
 
 ## Configure (interactive helper)
 
-Build SecretRef changes interactively, run preflight, and optionally apply:
+Build provider + SecretRef changes interactively, run preflight, and optionally apply:
 
 ```bash
 openclaw secrets configure
 openclaw secrets configure --plan-out /tmp/openclaw-secrets-plan.json
 openclaw secrets configure --apply --yes
+openclaw secrets configure --providers-only
+openclaw secrets configure --skip-provider-setup
 openclaw secrets configure --json
 ```
 
+Flow:
+
+- Provider setup first (`add/edit/remove` for `secrets.providers` aliases).
+- Credential mapping second (select fields and assign `{source, provider, id}` refs).
+- Preflight and optional apply last.
+
+Flags:
+
+- `--providers-only`: configure `secrets.providers` only, skip credential mapping.
+- `--skip-provider-setup`: skip provider setup and map credentials to existing providers.
+
 Notes:
 
 - `configure` targets secret-bearing fields in `openclaw.json`.