From 967c0981e3fd8923d22609d8ecbfaa12765fd5d3 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Mon, 4 May 2026 17:42:44 -0700 Subject: [PATCH] docs(help,security): cross-reference auth list and trusted-env-proxy Two missing cross-references uncovered by the 24-hour doc audit: - docs/help/faq-models.md: link to `openclaw models auth list` from the "What is an auth profile?" accordion. The command was added in 23eb44b045 but the FAQ never pointed users at it. - docs/security/network-proxy.md: list `tools.web.fetch.useTrustedEnvProxy` in Related Proxy Terms. The opt-in is fully documented in docs/tools/web-fetch.md but the proxy reference page omitted the cross-reference, leaving the page incomplete for proxy-state triage. --- docs/help/faq-models.md | 2 ++ docs/security/network-proxy.md | 1 + 2 files changed, 3 insertions(+) diff --git a/docs/help/faq-models.md b/docs/help/faq-models.md index e308029a98f..6e70d9ce76f 100644 --- a/docs/help/faq-models.md +++ b/docs/help/faq-models.md @@ -466,6 +466,8 @@ Related: [/concepts/oauth](/concepts/oauth) (OAuth flows, token storage, multi-a ~/.openclaw/agents//agent/auth-profiles.json ``` + To inspect saved profiles without dumping secrets, run `openclaw models auth list` (optionally `--provider ` or `--json`). See [Models CLI](/cli/models#openclaw-models-auth-list) for details. + diff --git a/docs/security/network-proxy.md b/docs/security/network-proxy.md index 741e4c4badc..190c9df8895 100644 --- a/docs/security/network-proxy.md +++ b/docs/security/network-proxy.md 
@@ -56,6 +56,7 @@ On shutdown, OpenClaw restores the previous proxy environment and resets cached - `proxy.enabled` / `proxy.proxyUrl`: outbound forward-proxy routing for OpenClaw runtime egress. This page documents that feature. - `gateway.auth.mode: "trusted-proxy"`: inbound identity-aware reverse-proxy authentication for Gateway access. See [Trusted proxy auth](/gateway/trusted-proxy-auth). - `openclaw proxy`: local debug proxy and capture inspector for development and support. See [openclaw proxy](/cli/proxy). +- `tools.web.fetch.useTrustedEnvProxy`: opt-in for `web_fetch` to let an operator-controlled HTTP(S) env proxy resolve DNS while keeping default strict DNS pinning and hostname policy. See [Web fetch](/tools/web-fetch#trusted-env-proxy). - Channel or provider-specific proxy settings: owner-specific overrides for a particular transport. Prefer the managed network proxy when the goal is central egress control across the runtime. ## Configuration
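Review bot: in the docs/help/faq-models.md hunk, the added sentence shows `--provider ` with a trailing space and no argument placeholder, so the reader cannot tell what value the flag takes. If the placeholder was written in angle brackets, confirm it survives rendering (escape it or use a plain named placeholder). The same sentence promises inspection "without dumping secrets" and then offers `--json`; it would help to say in a few words which fields the listing shows and that the guarantee also holds for the JSON output, since that is the form most likely to be pasted into tickets or logs.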
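Review bot: in the docs/security/network-proxy.md hunk, the new `tools.web.fetch.useTrustedEnvProxy` bullet is ambiguous about what stays enforced once the opt-in is enabled. "let an operator-controlled HTTP(S) env proxy resolve DNS while keeping default strict DNS pinning and hostname policy" can be read either as "pinning still applies when enabled" or as "pinning remains the default when this is left off". For a page used for proxy-state triage, split it into two statements: what the default behaviour is, and which check is delegated to the proxy when the flag is on. It would also help to say how this setting relates to the `proxy.enabled` / `proxy.proxyUrl` entry at the top of the same list, so operators know whether the two interact.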