fix(secrets): stabilize credential matrix docs

2026-05-06 05:10:44 +00:00 · 2026-05-03 12:16:05 +01:00
parent c850d1bb0d
commit 1584acb124
4 changed files with 49 additions and 13 deletions
--- a/docs/reference/secretref-credential-surface.md
+++ b/docs/reference/secretref-credential-surface.md
@@ -90,6 +90,8 @@ Scope intent:
 - `channels.feishu.accounts.*.appSecret`
 - `channels.feishu.accounts.*.encryptKey`
 - `channels.feishu.accounts.*.verificationToken`
+- `channels.qqbot.clientSecret`
+- `channels.qqbot.accounts.*.clientSecret`
 - `channels.msteams.appPassword`
 - `channels.mattermost.botToken`
 - `channels.mattermost.accounts.*.botToken`
--- a/docs/reference/secretref-user-supplied-credentials-matrix.json
+++ b/docs/reference/secretref-user-supplied-credentials-matrix.json
@@ -281,6 +281,20 @@
      "secretShape": "secret_input",
      "optIn": true
    },
+    {
+      "id": "channels.qqbot.accounts.*.clientSecret",
+      "configFile": "openclaw.json",
+      "path": "channels.qqbot.accounts.*.clientSecret",
+      "secretShape": "secret_input",
+      "optIn": true
+    },
+    {
+      "id": "channels.qqbot.clientSecret",
+      "configFile": "openclaw.json",
+      "path": "channels.qqbot.clientSecret",
+      "secretShape": "secret_input",
+      "optIn": true
+    },
    {
      "id": "channels.slack.accounts.*.appToken",
      "configFile": "openclaw.json",
--- a/src/secrets/credential-matrix.ts
+++ b/src/secrets/credential-matrix.ts
@@ -1,4 +1,4 @@
-import { listSecretTargetRegistryEntries } from "./target-registry.js";
+import { getSourceSecretTargetRegistry } from "./target-registry-data.js";
 import { getUnsupportedSecretRefSurfacePatterns } from "./unsupported-surface-policy.js";

 type CredentialMatrixEntry = {
@@ -22,7 +22,7 @@ export type SecretRefCredentialMatrixDocument = {
 };

 export function buildSecretRefCredentialMatrix(): SecretRefCredentialMatrixDocument {
-  const entries: CredentialMatrixEntry[] = listSecretTargetRegistryEntries()
+  const entries: CredentialMatrixEntry[] = getSourceSecretTargetRegistry()
    .map((entry) => {
      const isCanonicalFirecrawlWebFetchEntry =
        entry.id === "plugins.entries.firecrawl.config.webFetch.apiKey";
--- a/src/secrets/target-registry-data.ts
+++ b/src/secrets/target-registry-data.ts
@@ -441,6 +441,25 @@ const CORE_SECRET_TARGET_REGISTRY: SecretTargetRegistryEntry[] = [

 let cachedSecretTargetRegistry: SecretTargetRegistryEntry[] | null = null;

+function loadSecretTargetRegistryFromPluginMetadata(params: {
+  env: NodeJS.ProcessEnv;
+  preferPersisted?: boolean;
+}): SecretTargetRegistryEntry[] {
+  const plugins = loadPluginMetadataSnapshot({
+    config: {},
+    env: params.env,
+    ...(params.preferPersisted !== undefined ? { preferPersisted: params.preferPersisted } : {}),
+  }).plugins;
+  const bundledPlugins = plugins.filter((record) => record.origin === "bundled");
+  const channelPlugins = plugins.filter((record) => record.channels.length > 0);
+  return [
+    ...CORE_SECRET_TARGET_REGISTRY,
+    ...listBundledWebProviderSecretTargetRegistryEntries(bundledPlugins),
+    ...listBundledPluginConfigSecretTargetRegistryEntries(bundledPlugins),
+    ...listChannelSecretTargetRegistryEntries(channelPlugins),
+  ];
+}
+
 export function getCoreSecretTargetRegistry(): SecretTargetRegistryEntry[] {
  return CORE_SECRET_TARGET_REGISTRY;
 }
@@ -449,17 +468,18 @@ export function getSecretTargetRegistry(): SecretTargetRegistryEntry[] {
  if (cachedSecretTargetRegistry) {
    return cachedSecretTargetRegistry;
  }
-  const plugins = loadPluginMetadataSnapshot({
-    config: {},
+  cachedSecretTargetRegistry = loadSecretTargetRegistryFromPluginMetadata({
    env: process.env,
-  }).plugins;
-  const bundledPlugins = plugins.filter((record) => record.origin === "bundled");
-  const channelPlugins = plugins.filter((record) => record.channels.length > 0);
-  cachedSecretTargetRegistry = [
-    ...CORE_SECRET_TARGET_REGISTRY,
-    ...listBundledWebProviderSecretTargetRegistryEntries(bundledPlugins),
-    ...listBundledPluginConfigSecretTargetRegistryEntries(bundledPlugins),
-    ...listChannelSecretTargetRegistryEntries(channelPlugins),
-  ];
+  });
  return cachedSecretTargetRegistry;
 }
+
+export function getSourceSecretTargetRegistry(): SecretTargetRegistryEntry[] {
+  return loadSecretTargetRegistryFromPluginMetadata({
+    env: {
+      ...process.env,
+      OPENCLAW_BUNDLED_PLUGINS_DIR: process.env.OPENCLAW_BUNDLED_PLUGINS_DIR ?? "extensions",
+    },
+    preferPersisted: false,
+  });
+}