Secrets: hard-fail unsupported SecretRef policy and fix gateway restart token drift (#58141)

* Secrets: enforce C2 SecretRef policy and drift resolution * Tests: add gateway auth startup/reload SecretRef runtime coverage * Docs: sync C2 SecretRef policy and coverage matrix * Config: hard-fail parent SecretRef policy writes * Secrets: centralize unsupported SecretRef policy metadata * Daemon: test service-env precedence for token drift refs * Config: keep per-ref dry-run resolvability errors * Docs: clarify config-set parent-object policy checks * Gateway: fix drift fallback and schema-key filtering * Gateway: align drift fallback with credential planner * changelog Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> --------- Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-05-05 00:20:22 +00:00 · 2026-03-31 02:37:31 -05:00
parent 8d942000c9
commit 788f56f30f
27 changed files with 1244 additions and 56 deletions
--- a/docs/reference/secretref-credential-surface.md
+++ b/docs/reference/secretref-credential-surface.md
@@ -99,8 +99,8 @@ Scope intent:

 ### `auth-profiles.json` targets (`secrets configure` + `secrets apply` + `secrets audit`)

- `profiles.*.keyRef` (`type: "api_key"`)
- `profiles.*.tokenRef` (`type: "token"`)
+- `profiles.*.keyRef` (`type: "api_key"`; unsupported when `auth.profiles.<id>.mode = "oauth"`)
+- `profiles.*.tokenRef` (`type: "token"`; unsupported when `auth.profiles.<id>.mode = "oauth"`)

 [//]: # "secretref-supported-list-end"

@@ -109,6 +109,7 @@ Notes:
 - Auth-profile plan targets require `agentId`.
 - Plan entries target `profiles.*.key` / `profiles.*.token` and write sibling refs (`keyRef` / `tokenRef`).
 - Auth-profile refs are included in runtime resolution and audit coverage.
+- OAuth policy guard: `auth.profiles.<id>.mode = "oauth"` cannot be combined with SecretRef inputs for that profile. Startup/reload and auth-profile resolution fail fast when this policy is violated.
 - For SecretRef-managed model providers, generated `agents/*/agent/models.json` entries persist non-secret markers (not resolved secret values) for `apiKey`/header surfaces.
 - Marker persistence is source-authoritative: OpenClaw writes markers from the active source config snapshot (pre-resolution), not from resolved runtime secret values.
 - For web search:
@@ -128,8 +129,10 @@ Out-of-scope credentials include:
 - `hooks.gmail.pushToken`
 - `hooks.mappings[].sessionKey`
 - `auth-profiles.oauth.*`
- `discord.threadBindings.*.webhookToken`
- `whatsapp.creds.json`
+- `channels.discord.threadBindings.webhookToken`
+- `channels.discord.accounts.*.threadBindings.webhookToken`
+- `channels.whatsapp.creds.json`
+- `channels.whatsapp.accounts.*.creds.json`

 [//]: # "secretref-unsupported-list-end"

--- a/docs/reference/secretref-user-supplied-credentials-matrix.json
+++ b/docs/reference/secretref-user-supplied-credentials-matrix.json
@@ -9,8 +9,10 @@
    "hooks.gmail.pushToken",
    "hooks.mappings[].sessionKey",
    "auth-profiles.oauth.*",
-    "discord.threadBindings.*.webhookToken",
-    "whatsapp.creds.json"
+    "channels.discord.threadBindings.webhookToken",
+    "channels.discord.accounts.*.threadBindings.webhookToken",
+    "channels.whatsapp.creds.json",
+    "channels.whatsapp.accounts.*.creds.json"
  ],
  "entries": [
    {