From ca4672458c2d841bec290fba6f23566892df3ad0 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Wed, 13 May 2026 11:54:45 +0100 Subject: [PATCH] docs: stop referencing shell profile secrets --- .agents/skills/crabbox/SKILL.md | 18 +++++------ .agents/skills/openclaw-debugging/SKILL.md | 5 +-- .../skills/openclaw-parallels-smoke/SKILL.md | 2 +- .agents/skills/openclaw-qa-testing/SKILL.md | 4 ++- .../openclaw-release-maintainer/SKILL.md | 17 ++++------ AGENTS.md | 5 ++- docs/help/testing-live.md | 32 ++++++++----------- docs/help/testing.md | 12 +++---- docs/providers/cerebras.md | 2 +- docs/providers/cloudflare-ai-gateway.md | 2 +- docs/providers/fireworks.md | 2 +- docs/providers/groq.md | 2 +- docs/providers/perplexity-provider.md | 8 ++--- docs/providers/tencent.md | 2 +- docs/providers/vercel-ai-gateway.md | 8 ++--- docs/providers/xai.md | 5 ++- docs/reference/test.md | 4 +-- docs/tools/music-generation.md | 7 ++-- docs/tools/video-generation.md | 5 ++- 19 files changed, 65 insertions(+), 77 deletions(-) diff --git a/.agents/skills/crabbox/SKILL.md b/.agents/skills/crabbox/SKILL.md index 58e49ef1355..5b2106547e8 100644 --- a/.agents/skills/crabbox/SKILL.md +++ b/.agents/skills/crabbox/SKILL.md @@ -31,13 +31,12 @@ pnpm crabbox:run -- --help | sed -n '1,120p' - Check `.crabbox.yaml` for repo defaults, but override provider explicitly. Even if config still says AWS, maintainer validation should normally pass `--provider blacksmith-testbox`. -- For live/provider bugs, check keys on the local Mac before downgrading to - mocks: source local `~/.profile` and test only presence/length. If Crabbox - does not already have the key, copy only the exact needed key into the remote - process environment for that one command. Do not print it, do not sync it as a - repo file, and do not leave it in remote shell history or logs. If no - secret-safe injection path is available, say true live provider auth is - blocked instead of silently using a fake key. +- For live/provider bugs, use the configured secret workflow before downgrading + to mocks. Copy only the exact needed key into the remote process environment + for that one command. Do not print it, do not sync it as a repo file, and do + not leave it in remote shell history or logs. If no secret-safe injection path + is available, say true live provider auth is blocked instead of silently using + a fake key. - Prefer local targeted tests for tight edit loops. Broad gates belong remote. - Do not treat inherited shell env as operator intent. In particular, `OPENCLAW_LOCAL_CHECK_MODE=throttled` from the local shell is not permission @@ -191,7 +190,6 @@ Live-provider debug template for direct AWS/Hetzner leases: mkdir -p .crabbox/logs pnpm crabbox:run -- --provider aws \ --preflight \ - --env-from-profile ~/.profile \ --allow-env OPENAI_API_KEY,OPENAI_BASE_URL \ --timing-json \ --capture-stdout .crabbox/logs/live-provider.stdout.log \ @@ -217,8 +215,8 @@ Pick the lane by symptom: - Docker/setup/install bug: build a package tarball and run the matching `scripts/e2e/*-docker.sh` or package script. This proves npm packaging, install paths, runtime deps, config writes, and container behavior. -- Provider/model/auth bug: prefer true live E2E. First source local Mac - `~/.profile`, then inject the single needed key into Crabbox if needed. Scrub +- Provider/model/auth bug: prefer true live E2E. Use the configured secret + workflow, then inject the single needed key into Crabbox if needed. Scrub unrelated provider env vars in the child command so interactive defaults do not drift to another provider. If only a dummy key is used, label the proof narrowly, e.g. "UI/install path only; live provider auth not exercised." diff --git a/.agents/skills/openclaw-debugging/SKILL.md b/.agents/skills/openclaw-debugging/SKILL.md index ba240dc315c..f81dabe790a 100644 --- a/.agents/skills/openclaw-debugging/SKILL.md +++ b/.agents/skills/openclaw-debugging/SKILL.md @@ -73,8 +73,9 @@ openclaw logs --follow tool execution. - **Worker/dist:** run `pnpm build` when touching workers, dynamic imports, package exports, lazy runtime boundaries, or published paths. -- **Live keys:** check local `~/.profile` for key presence/length before saying - live proof is blocked. Never print secrets. +- **Live keys:** use the configured secret workflow for missing provider keys + before saying live proof is blocked. Env checks are presence-only; never print + secrets. ## Code Pointers diff --git a/.agents/skills/openclaw-parallels-smoke/SKILL.md b/.agents/skills/openclaw-parallels-smoke/SKILL.md index eed885a7797..4346c32a70b 100644 --- a/.agents/skills/openclaw-parallels-smoke/SKILL.md +++ b/.agents/skills/openclaw-parallels-smoke/SKILL.md @@ -56,7 +56,7 @@ Use this skill for Parallels guest workflows and smoke interpretation. Do not lo - For unpublished targets, pack the candidate on the host, serve the `.tgz` over the harness HTTP server, and point the guest updater at that served package. Prefer `openclaw update --tag http://:/openclaw-.tgz --yes --json`; when channel persistence also matters, pass `--channel ` and set `OPENCLAW_UPDATE_PACKAGE_SPEC` to the same served URL in the guest update environment. The command under test must still be `openclaw update`, not direct npm. - For unpublished local-fix validation, remember the old baseline updater code still controls the first hop. A fix that lives only in the new updater code cannot change that already-running old process; the served candidate must either keep package/plugin metadata compatible with the baseline host or the baseline itself must include the updater fix. - For beta/stable verification, resolve the tag immediately before the run (`npm view openclaw@beta version dist.tarball` or `npm view openclaw@latest ...`). Tags can move while a long VM matrix is already running; restart the matrix when the intended prerelease appears after an earlier registry 404/tag-lag check. -- Source Peter's profile in the host shell (`set -a; source "$HOME/.profile"; set +a`) before OpenAI/Anthropic lanes. Do not print profile contents or env dumps; pass provider secrets through the guest exec environment. +- Use the configured secret workflow to inject only the provider keys needed by OpenAI/Anthropic lanes. Do not print secrets or env dumps; pass provider secrets through the guest exec environment. - Same-guest update verification should set the default model explicitly to `openai/gpt-5.4` before the agent turn and use a fresh explicit `--session-id` so old session model state does not leak into the check. - The aggregate npm-update wrapper must resolve the Linux VM with the same Ubuntu fallback policy as `parallels-linux-smoke.sh` before both fresh and update lanes. Treat any Ubuntu guest with major version `>= 24` as acceptable when the exact default VM is missing, preferring the closest version match. On Peter's current host today, missing `Ubuntu 24.04.3 ARM64` should fall back to `Ubuntu 25.10`. - On macOS same-guest update checks, restart the gateway after the npm upgrade before `gateway status` / `agent`; launchd can otherwise report a loaded service while the old process has exited and the fresh process is not RPC-ready yet. diff --git a/.agents/skills/openclaw-qa-testing/SKILL.md b/.agents/skills/openclaw-qa-testing/SKILL.md index 16f616dc468..2d21cf6059c 100644 --- a/.agents/skills/openclaw-qa-testing/SKILL.md +++ b/.agents/skills/openclaw-qa-testing/SKILL.md @@ -227,7 +227,9 @@ pnpm openclaw qa manual \ - Treat the concrete Codex model name as user/config input; do not hardcode it in source, docs examples, or scenarios. - Live QA preserves `CODEX_HOME` so Codex CLI auth/config works while keeping `HOME` and `OPENCLAW_HOME` sandboxed. - Mock QA should scrub `CODEX_HOME`. -- If Codex returns fallback/auth text every turn, first check `CODEX_HOME`, `~/.profile`, and gateway child logs before changing scenario assertions. +- If Codex returns fallback/auth text every turn, first check `CODEX_HOME`, + relevant secret-backed auth, and gateway child logs before changing + scenario assertions. - For model comparison, include `codex-cli/` as another candidate in `qa character-eval`; the report should label it as an opaque model name. ## Repo facts diff --git a/.agents/skills/openclaw-release-maintainer/SKILL.md b/.agents/skills/openclaw-release-maintainer/SKILL.md index bedf46f8479..902ab0112c0 100644 --- a/.agents/skills/openclaw-release-maintainer/SKILL.md +++ b/.agents/skills/openclaw-release-maintainer/SKILL.md @@ -65,8 +65,8 @@ Use this skill for release and publish-time workflow. Keep ordinary development stable base version section, for example `v2026.4.20-beta.1` uses `## 2026.4.20` release notes. - When any beta or stable release is live, make a best-effort Discord - announcement using Peter's bot token from `.profile`; do not block or roll - back the release if the announcement fails. + announcement using the configured secret workflow; do not block or roll back + the release if the announcement fails. - When asked to announce on X, use `~/Projects/bird/bird` and follow the release tweet style below. @@ -288,13 +288,11 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts ## Check all relevant release builds - Always validate the OpenClaw npm release path before creating the tag. -- Source Peter's profile before live release validation so OpenAI and Anthropic - credentials are available without printing secrets: - `set -a; source "$HOME/.profile"; set +a`. +- Use the configured secret workflow before live release validation so OpenAI + and Anthropic credentials are available without printing secrets. - Parallels validation and any local live model QA for this train must use both - `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`. If either is missing after sourcing - `.profile`, stop before starting those local long lanes and report the - missing key. + `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`. If either cannot be injected, stop + before starting those local long lanes and report the missing key. - Live credentialed channel QA is the GitHub Actions workflow `QA-Lab - All Lanes` (`.github/workflows/qa-live-telegram-convex.yml`), not a local substitute. Dispatch it from Actions against the release tag and wait @@ -592,8 +590,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts If a pre-npm lane fails before any tag/package leaves the machine, fix and rerun the same intended beta attempt. Repeat up to the operator's authorized beta-attempt limit, normally 4. -24. Announce the beta/stable release on Discord best-effort using Peter's bot - token from `.profile`. +24. Announce the beta/stable release on Discord best-effort using the configured secret workflow. 25. If the operator requested beta only, stop after beta verification and the announcement. 26. If the stable release was published to `beta`, use the light stable diff --git a/AGENTS.md b/AGENTS.md index 3a882b46929..c666c8556ea 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -10,12 +10,12 @@ Skills own workflows; root owns hard policy and routing. - Docs/user-visible work: `pnpm docs:list`, then read relevant docs only. - Fix/triage answers need source, tests, current/shipped behavior, and dependency contract proof. - Dependency-backed behavior: read upstream docs/source/types first. No API/default/error/timing guesses. -- Live-verify when feasible. Check env/`~/.profile` for keys before saying blocked; never print secrets. +- Live-verify when feasible. Never print secrets. - Missing deps: `pnpm install`, retry once, then report first actionable error. - CODEOWNERS: maint/refactor/tests ok. Larger behavior/product/security/ownership: owner ask/review. - Product/docs/UI/changelog wording: "plugin/plugins"; `extensions/` is internal. - New channel/plugin/app/doc surface: update `.github/labeler.yml` + GH labels. -- New `AGENTS.md`: add sibling `CLAUDE.md` symlink. +- New `AGENTS.md`: add sibling `CLAUDE.md` symlink; edit `AGENTS.md` only. ## Map @@ -136,7 +136,6 @@ Skills own workflows; root owns hard policy and routing. - Never commit real phone numbers, videos, credentials, live config. - Secrets: channel/provider creds in `~/.openclaw/credentials/`; model auth profiles in `~/.openclaw/agents//agent/auth-profiles.json`. -- Env keys: check `~/.profile`; redact output. - Dependency patches/overrides/vendor changes need explicit approval. `pnpm-workspace.yaml` patched dependencies use exact versions only. - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks. - Releases/publish/version bumps need explicit approval. Use `$openclaw-release-maintainer`. diff --git a/docs/help/testing-live.md b/docs/help/testing-live.md index fd17c6faa69..4d4f750d349 100644 --- a/docs/help/testing-live.md +++ b/docs/help/testing-live.md @@ -13,14 +13,10 @@ For quick start, QA runners, unit/integration suites, and Docker flows, see suites: model matrix, CLI backends, ACP, and media-provider live tests, plus credential handling. -## Live: local profile smoke commands +## Live: local smoke commands -Source `~/.profile` before ad hoc live checks so provider keys and local tool -paths match your shell: - -```bash -source ~/.profile -``` +Export the needed provider key in the process environment before ad hoc live +checks. Safe media smoke: @@ -275,9 +271,9 @@ Docker notes: - The Docker runner lives at `scripts/test-live-acp-bind-docker.sh`. - By default, it runs the ACP bind smoke against the aggregate live CLI agents in sequence: `claude`, `codex`, then `gemini`. - Use `OPENCLAW_LIVE_ACP_BIND_AGENTS=claude`, `OPENCLAW_LIVE_ACP_BIND_AGENTS=codex`, `OPENCLAW_LIVE_ACP_BIND_AGENTS=droid`, `OPENCLAW_LIVE_ACP_BIND_AGENTS=gemini`, or `OPENCLAW_LIVE_ACP_BIND_AGENTS=opencode` to narrow the matrix. -- It sources `~/.profile`, stages the matching CLI auth material into the container, then installs the requested live CLI (`@anthropic-ai/claude-code`, `@openai/codex`, Factory Droid via `https://app.factory.ai/cli`, `@google/gemini-cli`, or `opencode-ai`) if missing. The ACP backend itself is the embedded `acpx/runtime` package from the official `acpx` plugin. +- It stages the matching CLI auth material into the container, then installs the requested live CLI (`@anthropic-ai/claude-code`, `@openai/codex`, Factory Droid via `https://app.factory.ai/cli`, `@google/gemini-cli`, or `opencode-ai`) if missing. The ACP backend itself is the embedded `acpx/runtime` package from the official `acpx` plugin. - The Droid Docker variant stages `~/.factory` for settings, forwards `FACTORY_API_KEY`, and requires that API key because local Factory OAuth/keyring auth is not portable into the container. It uses ACPX's built-in `droid exec --output-format acp` registry entry. -- The OpenCode Docker variant is a strict single-agent regression lane. It writes a temporary `OPENCODE_CONFIG_CONTENT` default model from `OPENCLAW_LIVE_ACP_BIND_OPENCODE_MODEL` (default `opencode/kimi-k2.6`) after sourcing `~/.profile`, and `pnpm test:docker:live-acp-bind:opencode` requires a bound assistant transcript instead of accepting the generic post-bind skip. +- The OpenCode Docker variant is a strict single-agent regression lane. It writes a temporary `OPENCODE_CONFIG_CONTENT` default model from `OPENCLAW_LIVE_ACP_BIND_OPENCODE_MODEL` (default `opencode/kimi-k2.6`), and `pnpm test:docker:live-acp-bind:opencode` requires a bound assistant transcript instead of accepting the generic post-bind skip. - Direct `acpx` CLI calls are only a manual/workaround path for comparing behavior outside the Gateway. The Docker ACP bind smoke exercises OpenClaw's embedded `acpx` runtime backend. ## Live: Codex app-server harness smoke @@ -309,7 +305,6 @@ Docker notes: Local recipe: ```bash -source ~/.profile OPENCLAW_LIVE_CODEX_HARNESS=1 \ OPENCLAW_LIVE_CODEX_HARNESS_IMAGE_PROBE=1 \ OPENCLAW_LIVE_CODEX_HARNESS_MCP_PROBE=1 \ @@ -321,15 +316,14 @@ OPENCLAW_LIVE_CODEX_HARNESS=1 \ Docker recipe: ```bash -source ~/.profile pnpm test:docker:live-codex-harness ``` Docker notes: - The Docker runner lives at `scripts/test-live-codex-harness-docker.sh`. -- It sources the mounted `~/.profile`, passes `OPENAI_API_KEY`, copies Codex CLI - auth files when present, installs `@openai/codex` into a writable mounted npm +- It passes `OPENAI_API_KEY`, copies Codex CLI auth files when present, installs + `@openai/codex` into a writable mounted npm prefix, stages the source tree, then runs only the Codex-harness live test. - Docker enables the image, MCP/tool, and Guardian probes by default. Set `OPENCLAW_LIVE_CODEX_HARNESS_IMAGE_PROBE=0` or @@ -357,7 +351,6 @@ Narrow, explicit allowlists are fastest and least flaky: - Antigravity (OAuth): `OPENCLAW_LIVE_GATEWAY_MODELS="google-antigravity/claude-opus-4-6-thinking,google-antigravity/gemini-3-pro-high" pnpm test:live src/gateway/gateway-models.profiles.live.test.ts` - Google adaptive thinking smoke: - - If local keys live in shell profile: `source ~/.profile` - Gemini 3 dynamic default: `pnpm openclaw qa manual --provider-mode live-frontier --model google/gemini-3.1-pro-preview --alt-model google/gemini-3.1-pro-preview --message '/think adaptive Reply exactly: GEMINI_ADAPTIVE_OK' --timeout-ms 180000` - Gemini 2.5 dynamic budget: `pnpm openclaw qa manual --provider-mode live-frontier --model google/gemini-2.5-flash --alt-model google/gemini-2.5-flash --message '/think adaptive Reply exactly: GEMINI25_ADAPTIVE_OK' --timeout-ms 180000` @@ -440,7 +433,8 @@ Live tests discover credentials the same way the CLI does. Practical implication - Legacy state dir: `~/.openclaw/credentials/` (copied into the staged live home when present, but not the main profile-key store) - Live local runs copy the active config, per-agent `auth-profiles.json` files, legacy `credentials/`, and supported external CLI auth dirs into a temp test home by default; staged live homes skip `workspace/` and `sandboxes/`, and `agents.*.workspace` / `agentDir` path overrides are stripped so probes stay off your real host workspace. -If you want to rely on env keys (e.g. exported in your `~/.profile`), run local tests after `source ~/.profile`, or use the Docker runners below (they can mount `~/.profile` into the container). +If you want to rely on env keys, export them before local tests or use the +Docker runners below with an explicit `OPENCLAW_PROFILE_FILE`. ## Deepgram live (audio transcription) @@ -469,7 +463,7 @@ If you want to rely on env keys (e.g. exported in your `~/.profile`), run local - Harness: `pnpm test:live:media image` - Scope: - Enumerates every registered image-generation provider plugin - - Loads missing provider env vars from your login shell (`~/.profile`) before probing + - Uses already-exported provider env vars before probing - Uses live/env API keys ahead of stored auth profiles by default, so stale test keys in `auth-profiles.json` do not mask real shell credentials - Skips providers with no usable auth/profile/model - Runs each configured provider through the shared image-generation runtime: @@ -517,7 +511,7 @@ request. Plugin dependencies are expected to be present before runtime load. - Scope: - Exercises the shared bundled music-generation provider path - Currently covers Google and MiniMax - - Loads provider env vars from your login shell (`~/.profile`) before probing + - Uses already-exported provider env vars before probing - Uses live/env API keys ahead of stored auth profiles by default, so stale test keys in `auth-profiles.json` do not mask real shell credentials - Skips providers with no usable auth/profile/model - Runs both declared runtime modes when available: @@ -542,7 +536,7 @@ request. Plugin dependencies are expected to be present before runtime load. - Exercises the shared bundled video-generation provider path - Defaults to the release-safe smoke path: non-FAL providers, one text-to-video request per provider, one-second lobster prompt, and a per-provider operation cap from `OPENCLAW_LIVE_VIDEO_GENERATION_TIMEOUT_MS` (`180000` by default) - Skips FAL by default because provider-side queue latency can dominate release time; pass `--video-providers fal` or `OPENCLAW_LIVE_VIDEO_GENERATION_PROVIDERS="fal"` to run it explicitly - - Loads provider env vars from your login shell (`~/.profile`) before probing + - Uses already-exported provider env vars before probing - Uses live/env API keys ahead of stored auth profiles by default, so stale test keys in `auth-profiles.json` do not mask real shell credentials - Skips providers with no usable auth/profile/model - Runs only `generate` by default @@ -573,7 +567,7 @@ request. Plugin dependencies are expected to be present before runtime load. - Command: `pnpm test:live:media` - Purpose: - Runs the shared image, music, and video live suites through one repo-native entrypoint - - Auto-loads missing provider env vars from `~/.profile` + - Uses already-exported provider env vars - Auto-narrows each suite to providers that currently have usable auth by default - Reuses `scripts/test-live.mjs`, so heartbeat and quiet-mode behavior stay consistent - Examples: diff --git a/docs/help/testing.md b/docs/help/testing.md index defc0b7c704..15388d5ea75 100644 --- a/docs/help/testing.md +++ b/docs/help/testing.md @@ -721,10 +721,10 @@ Native dependency policy: - Not CI-stable by design (real networks, real provider policies, quotas, outages) - Costs money / uses rate limits - Prefer running narrowed subsets instead of "everything" -- Live runs source `~/.profile` to pick up missing API keys. +- Live runs use already-exported API keys and staged auth profiles. - By default, live runs still isolate `HOME` and copy config/auth material into a temp test home so unit fixtures cannot mutate your real `~/.openclaw`. - Set `OPENCLAW_LIVE_USE_REAL_HOME=1` only when you intentionally need live tests to use your real home directory. -- `pnpm test:live` now defaults to a quieter mode: it keeps `[live] ...` progress output, but suppresses the extra `~/.profile` notice and mutes gateway bootstrap logs/Bonjour chatter. Set `OPENCLAW_LIVE_TEST_QUIET=0` if you want the full startup logs back. +- `pnpm test:live` defaults to a quieter mode: it keeps `[live] ...` progress output and mutes gateway bootstrap logs/Bonjour chatter. Set `OPENCLAW_LIVE_TEST_QUIET=0` if you want the full startup logs back. - API key rotation (provider-specific): set `*_API_KEYS` with comma/semicolon format or `*_API_KEY_1`, `*_API_KEY_2` (for example `OPENAI_API_KEYS`, `ANTHROPIC_API_KEYS`, `GEMINI_API_KEYS`) or per-live override via `OPENCLAW_LIVE_*_KEY`; tests retry on rate limit responses. - Progress/heartbeat output: - Live suites now emit progress lines to stderr so long provider calls are visibly active even when Vitest console capture is quiet. @@ -753,7 +753,7 @@ plugin validation checklist, see These Docker runners split into two buckets: -- Live-model runners: `test:docker:live-models` and `test:docker:live-gateway` run only their matching profile-key live file inside the repo Docker image (`src/agents/models.profiles.live.test.ts` and `src/gateway/gateway-models.profiles.live.test.ts`), mounting your local config dir and workspace (and sourcing `~/.profile` if mounted). The matching local entrypoints are `test:live:models-profiles` and `test:live:gateway-profiles`. +- Live-model runners: `test:docker:live-models` and `test:docker:live-gateway` run only their matching profile-key live file inside the repo Docker image (`src/agents/models.profiles.live.test.ts` and `src/gateway/gateway-models.profiles.live.test.ts`), mounting your local config dir, workspace, and optional profile env file. The matching local entrypoints are `test:live:models-profiles` and `test:live:gateway-profiles`. - Docker live runners default to a smaller smoke cap so a full Docker sweep stays practical: `test:docker:live-models` defaults to `OPENCLAW_LIVE_MAX_MODELS=12`, and `test:docker:live-gateway` defaults to `OPENCLAW_LIVE_GATEWAY_SMOKE=1`, @@ -831,8 +831,8 @@ after Open WebUI sign-in and model discovery, without waiting on a live model completion. The first run can be noticeably slower because Docker may need to pull the Open WebUI image and Open WebUI may need to finish its own cold-start setup. -This lane expects a usable live model key, and `OPENCLAW_PROFILE_FILE` -(`~/.profile` by default) is the primary way to provide it in Dockerized runs. +This lane expects a usable live model key. Provide it through the process +environment, staged auth profiles, or an explicit `OPENCLAW_PROFILE_FILE`. Successful runs print a small JSON payload like `{ "ok": true, "model": "openclaw/default", ... }`. `test:docker:mcp-channels` is intentionally deterministic and does not need a @@ -862,7 +862,7 @@ Useful env vars: - `OPENCLAW_CONFIG_DIR=...` (default: `~/.openclaw`) mounted to `/home/node/.openclaw` - `OPENCLAW_WORKSPACE_DIR=...` (default: `~/.openclaw/workspace`) mounted to `/home/node/.openclaw/workspace` -- `OPENCLAW_PROFILE_FILE=...` (default: `~/.profile`) mounted to `/home/node/.profile` and sourced before running tests +- `OPENCLAW_PROFILE_FILE=...` mounted and sourced before running tests - `OPENCLAW_DOCKER_PROFILE_ENV_ONLY=1` to verify only env vars sourced from `OPENCLAW_PROFILE_FILE`, using temporary config/workspace dirs and no external CLI auth mounts - `OPENCLAW_DOCKER_CLI_TOOLS_DIR=...` (default: `~/.cache/openclaw/docker-cli-tools`) mounted to `/home/node/.npm-global` for cached CLI installs inside Docker - External CLI auth dirs/files under `$HOME` are mounted read-only under `/host-auth...`, then copied into `/home/node/...` before tests start diff --git a/docs/providers/cerebras.md b/docs/providers/cerebras.md index 3998dd20166..2031f374b56 100644 --- a/docs/providers/cerebras.md +++ b/docs/providers/cerebras.md @@ -109,7 +109,7 @@ The bundled plugin usually means you only need the API key. Use explicit `models ``` - If the Gateway runs as a daemon (launchd, systemd, Docker), make sure `CEREBRAS_API_KEY` is available to that process — for example in `~/.openclaw/.env` or through `env.shellEnv`. A key sitting only in `~/.profile` will not help a managed service unless the env is imported separately. + If the Gateway runs as a daemon (launchd, systemd, Docker), make sure `CEREBRAS_API_KEY` is available to that process — for example in `~/.openclaw/.env` or through `env.shellEnv`. A key exported only in an interactive shell will not help a managed service unless the env is imported separately. ## Related diff --git a/docs/providers/cloudflare-ai-gateway.md b/docs/providers/cloudflare-ai-gateway.md index f0552e5281f..df8bca88ef5 100644 --- a/docs/providers/cloudflare-ai-gateway.md +++ b/docs/providers/cloudflare-ai-gateway.md @@ -101,7 +101,7 @@ openclaw onboard --non-interactive \ If the Gateway runs as a daemon (launchd/systemd), make sure `CLOUDFLARE_AI_GATEWAY_API_KEY` is available to that process. - A key sitting only in `~/.profile` will not help a launchd/systemd daemon unless that environment is imported there as well. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway process can read it. + A key exported only in an interactive shell will not help a launchd/systemd daemon unless that environment is imported there as well. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway process can read it. diff --git a/docs/providers/fireworks.md b/docs/providers/fireworks.md index 6a9bb3234a6..0ee3c172b6b 100644 --- a/docs/providers/fireworks.md +++ b/docs/providers/fireworks.md @@ -118,7 +118,7 @@ OpenClaw accepts any Fireworks model or router id at runtime. Use the exact id s If the Gateway runs as a managed service (launchd, systemd, Docker), the Fireworks key must be visible to that process — not just to your interactive shell. - A key sitting only in `~/.profile` will not help a launchd or systemd daemon unless that environment is imported there too. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to make it readable from the gateway process. + A key exported only in an interactive shell will not help a launchd or systemd daemon unless that environment is imported there too. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to make it readable from the gateway process. On macOS, `openclaw gateway install` already wires `~/.openclaw/.env` into the LaunchAgent environment file. Re-run install (or `openclaw doctor --fix`) after rotating the key. diff --git a/docs/providers/groq.md b/docs/providers/groq.md index 7c21d076556..2019058753f 100644 --- a/docs/providers/groq.md +++ b/docs/providers/groq.md @@ -141,7 +141,7 @@ To make Groq the default audio backend: If the Gateway runs as a managed service (launchd, systemd, Docker), `GROQ_API_KEY` must be visible to that process — not just to your interactive shell. - A key sitting only in `~/.profile` will not help a launchd or systemd daemon unless that environment is imported there too. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to make it readable from the gateway process. + A key exported only in an interactive shell will not help a launchd or systemd daemon unless that environment is imported there too. Set the key in `~/.openclaw/.env` or via `env.shellEnv` to make it readable from the gateway process. diff --git a/docs/providers/perplexity-provider.md b/docs/providers/perplexity-provider.md index 5a9ed0c02b3..50975a97e99 100644 --- a/docs/providers/perplexity-provider.md +++ b/docs/providers/perplexity-provider.md @@ -89,10 +89,10 @@ When using the native Perplexity API, searches support the following filters: `PERPLEXITY_API_KEY` is available to that process. - A key set only in `~/.profile` will not be visible to a launchd/systemd - daemon unless that environment is explicitly imported. Set the key in - `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway process can - read it. + A key exported only in an interactive shell will not be visible to a + launchd/systemd daemon unless that environment is explicitly imported. Set + the key in `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway + process can read it. diff --git a/docs/providers/tencent.md b/docs/providers/tencent.md index ae97e8eed93..7b425ed27c9 100644 --- a/docs/providers/tencent.md +++ b/docs/providers/tencent.md @@ -106,7 +106,7 @@ Rates are per million tokens in USD as advertised by Tencent. Override pricing u If the Gateway runs as a managed service (launchd, systemd, Docker), `TOKENHUB_API_KEY` must be visible to that process. Set it in `~/.openclaw/.env` or via `env.shellEnv` so launchd, systemd, or Docker exec environments can read it. - Keys set only in `~/.profile` are not visible to managed gateway processes. Use the env file or config seam for persistent availability. + Keys exported only in an interactive shell are not visible to managed gateway processes. Use the env file or config seam for persistent availability. diff --git a/docs/providers/vercel-ai-gateway.md b/docs/providers/vercel-ai-gateway.md index c0df6c9a9fa..65febfbdd66 100644 --- a/docs/providers/vercel-ai-gateway.md +++ b/docs/providers/vercel-ai-gateway.md @@ -89,10 +89,10 @@ configuration. OpenClaw resolves the canonical form automatically. `AI_GATEWAY_API_KEY` is available to that process. - A key set only in `~/.profile` will not be visible to a launchd/systemd - daemon unless that environment is explicitly imported. Set the key in - `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway process can - read it. + A key exported only in an interactive shell will not be visible to a + launchd/systemd daemon unless that environment is explicitly imported. Set + the key in `~/.openclaw/.env` or via `env.shellEnv` to ensure the gateway + process can read it. diff --git a/docs/providers/xai.md b/docs/providers/xai.md index 86c5fe1a58e..5deda09a760 100644 --- a/docs/providers/xai.md +++ b/docs/providers/xai.md @@ -448,9 +448,8 @@ Legacy aliases still normalize to the canonical bundled ids: ## Live testing -The xAI media paths are covered by unit tests and opt-in live suites. The live -commands load secrets from your login shell, including `~/.profile`, before -probing `XAI_API_KEY`. +The xAI media paths are covered by unit tests and opt-in live suites. Export +`XAI_API_KEY` in the process environment before running live probes. ```bash pnpm test extensions/xai diff --git a/docs/reference/test.md b/docs/reference/test.md index fee7c273c01..08f37ec5b54 100644 --- a/docs/reference/test.md +++ b/docs/reference/test.md @@ -43,7 +43,7 @@ title: "Tests" - `pnpm test:docker:browser-cdp-snapshot`: Builds a Chromium-backed source E2E container, starts raw CDP plus an isolated Gateway, runs `browser doctor --deep`, and verifies CDP role snapshots include link URLs, cursor-promoted clickables, iframe refs, and frame metadata. - `pnpm test:docker:skill-install`: Installs the packed OpenClaw tarball in a bare Docker runner, disables `skills.install.allowUploadedArchives`, resolves a current skill slug from live ClawHub search, installs it through `openclaw skills install`, and verifies `SKILL.md`, `.clawhub/origin.json`, `.clawhub/lock.json`, and `skills info --json`. - CLI backend live Docker probes can be run as focused lanes, for example `pnpm test:docker:live-cli-backend:codex`, `pnpm test:docker:live-cli-backend:codex:resume`, or `pnpm test:docker:live-cli-backend:codex:mcp`. Claude and Gemini have matching `:resume` and `:mcp` aliases. -- `pnpm test:docker:openwebui`: Starts Dockerized OpenClaw + Open WebUI, signs in through Open WebUI, checks `/api/models`, then runs a real proxied chat through `/api/chat/completions`. Requires a usable live model key (for example OpenAI in `~/.profile`), pulls an external Open WebUI image, and is not expected to be CI-stable like the normal unit/e2e suites. +- `pnpm test:docker:openwebui`: Starts Dockerized OpenClaw + Open WebUI, signs in through Open WebUI, checks `/api/models`, then runs a real proxied chat through `/api/chat/completions`. Requires a usable live model key, pulls an external Open WebUI image, and is not expected to be CI-stable like the normal unit/e2e suites. - `pnpm test:docker:mcp-channels`: Starts a seeded Gateway container and a second client container that spawns `openclaw mcp serve`, then verifies routed conversation discovery, transcript reads, attachment metadata, live event queue behavior, outbound send routing, and Claude-style channel + permission notifications over the real stdio bridge. The Claude notification assertion reads the raw stdio MCP frames directly so the smoke reflects what the bridge actually emits. - `pnpm test:docker:upgrade-survivor`: Installs the packed OpenClaw tarball over a dirty old-user fixture, runs package update plus non-interactive doctor without live provider or channel keys, then starts a loopback Gateway and checks that agents, channel config, plugin allowlists, workspace/session files, stale legacy plugin dependency state, startup, and RPC status survive. - `pnpm test:docker:published-upgrade-survivor`: Installs `openclaw@latest` by default, seeds realistic existing-user files without live provider or channel keys, configures that baseline with a baked `openclaw config set` command recipe, updates that published install to the packed OpenClaw tarball, runs non-interactive doctor, writes `.artifacts/upgrade-survivor/summary.json`, then starts a loopback Gateway and checks that configured intents, workspace/session files, stale plugin config and legacy dependency state, startup, `/healthz`, `/readyz`, and RPC status survive or repair cleanly. Override one baseline with `OPENCLAW_UPGRADE_SURVIVOR_BASELINE_SPEC`, expand an exact local matrix with `OPENCLAW_UPGRADE_SURVIVOR_BASELINE_SPECS` such as `openclaw@2026.5.2 openclaw@2026.4.23 openclaw@2026.4.15`, or add scenario fixtures with `OPENCLAW_UPGRADE_SURVIVOR_SCENARIOS=reported-issues`; the reported-issues set includes `configured-plugin-installs` to verify configured external OpenClaw plugins install automatically during upgrade and `stale-source-plugin-shadow` to keep source-only plugin shadows from breaking startup. Package Acceptance exposes those as `published_upgrade_survivor_baseline`, `published_upgrade_survivor_baselines`, and `published_upgrade_survivor_scenarios`, and resolves meta baseline tokens such as `last-stable-4` or `all-since-2026.4.23` before handing exact package specs to Docker lanes. @@ -72,7 +72,7 @@ Script: [`scripts/bench-model.ts`](https://github.com/openclaw/openclaw/blob/mai Usage: -- `source ~/.profile && pnpm tsx scripts/bench-model.ts --runs 10` +- `pnpm tsx scripts/bench-model.ts --runs 10` - Optional env: `MINIMAX_API_KEY`, `MINIMAX_BASE_URL`, `MINIMAX_MODEL`, `ANTHROPIC_API_KEY` - Default prompt: "Reply with a single word: ok. No punctuation or extra text." diff --git a/docs/tools/music-generation.md b/docs/tools/music-generation.md index cabc7a5256f..01d05424801 100644 --- a/docs/tools/music-generation.md +++ b/docs/tools/music-generation.md @@ -322,10 +322,9 @@ Repo wrapper: pnpm test:live:media music ``` -This live file loads missing provider env vars from `~/.profile`, prefers -live/env API keys ahead of stored auth profiles by default, and runs both -`generate` and declared `edit` coverage when the provider enables edit -mode. Coverage today: +This live file uses already-exported provider env vars ahead of stored auth +profiles by default, and runs both `generate` and declared `edit` coverage when +the provider enables edit mode. Coverage today: - `google`: `generate` plus `edit` - `minimax`: `generate` only diff --git a/docs/tools/video-generation.md b/docs/tools/video-generation.md index 6deb55469bb..3996b43c4dc 100644 --- a/docs/tools/video-generation.md +++ b/docs/tools/video-generation.md @@ -483,9 +483,8 @@ Repo wrapper: pnpm test:live:media video ``` -This live file loads missing provider env vars from `~/.profile`, prefers -live/env API keys ahead of stored auth profiles by default, and runs a -release-safe smoke by default: +This live file uses already-exported provider env vars ahead of stored auth +profiles by default, and runs a release-safe smoke by default: - `generate` for every non-FAL provider in the sweep. - One-second lobster prompt.