docs(secrets): align provider model and add exec resolver coverage

This commit is contained in:
joshavant
2026-02-25 17:58:10 -06:00
committed by Peter Steinberger
parent 4e7a833a24
commit bde9cbb058
18 changed files with 321 additions and 135 deletions

View File

@@ -50,7 +50,7 @@ openclaw onboard --non-interactive \
```
With `--secret-input-mode ref`, onboarding writes env-backed refs instead of plaintext key values.
For auth-profile backed providers this writes `keyRef` entries; for custom providers this writes `models.providers.<id>.apiKey` as an env ref (for example `{ source: "env", id: "CUSTOM_API_KEY" }`).
For auth-profile backed providers this writes `keyRef` entries; for custom providers this writes `models.providers.<id>.apiKey` as an env ref (for example `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`).
Non-interactive `ref` mode contract:
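Review bot: the updated example adds a `provider: "default"` field to the env ref, but the sentence before it still describes the ref only as "env-backed" and says nothing about what `provider` means or whether an env ref written without it (the form shown on the removed line) still resolves. Add one sentence next to the example stating whether `provider` is required for `source: "env"` refs, what `"default"` refers to, and whether older refs without the field are still accepted, and check that the "Non-interactive `ref` mode contract" list that follows reflects the same shape.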
@@ -63,7 +63,7 @@ Interactive onboarding behavior with reference mode:
- Choose **Use secret reference** when prompted.
- Then choose either:
- Environment variable
- Encrypted `sops` file (JSON pointer)
- Configured secret provider (`file` or `exec`)
- Onboarding performs a fast preflight validation before saving the ref.
- If validation fails, onboarding shows the error and lets you retry.
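Review bot: the option list now offers "Configured secret provider (`file` or `exec`)", and two lines later the doc says onboarding "performs a fast preflight validation before saving the ref", but it does not say what that validation does for an `exec` provider. Since validating an `exec` ref presumably means invoking the configured command, state explicitly whether preflight runs the command, what result it checks for, and that it does so before the ref is saved, so a reader choosing `exec` is not surprised that onboarding executes it. It would also help to say what validation means for `file` (path exists, pointer resolves) so the two cases are described consistently.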

View File

@@ -57,17 +57,7 @@ openclaw secrets migrate --write --no-scrub-env
- Scrub target is `<config-dir>/.env`.
- Only known secret env keys are considered.
- Entries are removed only when the value exactly matches a migrated plaintext secret.
- If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists, migrate passes it explicitly to `sops`, runs `sops` with `cwd=<config-dir>`, and sets `--filename-override` to the absolute target secrets path (for example `/home/user/.openclaw/secrets.enc.json`) so strict `creation_rules` continue to match when OpenClaw encrypts through a temp file.
Common migrate write failure:
- `config file not found, or has no creation rules, and no keys provided through command line options`
If you hit this:
- Add or fix `<config-dir>/.sops.yaml` / `.sops.yml` with valid `creation_rules`.
- Ensure key access is available in the command environment (for example `SOPS_AGE_KEY_FILE`).
- Re-run `openclaw secrets migrate --write`.
- Migration writes to the configured default `file` provider path when present; otherwise `<state-dir>/secrets.json`.
Rollback a previous migration:
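Review bot: this hunk removes the "Common migrate write failure" troubleshooting block, including the `config file not found, or has no creation rules, and no keys provided through command line options` error text and the three remedies (`creation_rules` in `<config-dir>/.sops.yaml` / `.sops.yml`, key access such as `SOPS_AGE_KEY_FILE`, re-running `openclaw secrets migrate --write`), without replacing it or linking to a new location. That is the exact error a user hits when `sops` cannot find matching rules, and the preceding bullet about `--filename-override` and strict `creation_rules` only makes sense with it nearby. If the block moved to another page, add a pointer here; otherwise keep it, since the remaining text still describes the condition that triggers the failure but no longer tells the reader how to recover.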