fix(secrets): harden sops migration sops rule matching

joshavant
2026-02-24 20:34:47 -06:00
committed by Peter Steinberger
parent 0e69660c41
commit e8637c79b3
5 changed files with 60 additions and 3 deletions

View File

@@ -57,7 +57,7 @@ openclaw secrets migrate --write --no-scrub-env
- Scrub target is `<config-dir>/.env`.
- Only known secret env keys are considered.
- Entries are removed only when the value exactly matches a migrated plaintext secret.
- If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists, migrate passes it explicitly to `sops` so command behavior is cwd-independent.
- If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists, migrate passes it explicitly to `sops`, runs `sops` with `cwd=<config-dir>`, and sets `--filename-override` to the absolute target secrets path (for example `/home/user/.openclaw/secrets.enc.json`) so strict `creation_rules` continue to match when OpenClaw encrypts through a temp file.
Common migrate write failure:
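Review bot: The replacement bullet folds three behaviours (`--config`, `cwd=<config-dir>`, `--filename-override`) under the single condition "If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists", which leaves the reader unsure whether `cwd` and `--filename-override` are also set when no config file is present; split the bullet so the unconditional parts are stated on their own, and write the example path as `<config-dir>/secrets.enc.json` to match the `<config-dir>` placeholder used by the neighbouring bullets rather than the literal `/home/user/.openclaw/secrets.enc.json`.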

View File

@@ -93,7 +93,7 @@ Contract:
- OpenClaw shells out to `sops` for decrypt/encrypt.
- Minimum supported version: `sops >= 3.9.0`.
- For migration, OpenClaw explicitly passes `--config <config-dir>/.sops.yaml` (or `.sops.yml`) when present, so behavior is not dependent on current working directory.
- For migration, OpenClaw explicitly passes `--config <config-dir>/.sops.yaml` (or `.sops.yml`), runs `sops` with `cwd=<config-dir>`, and sets `--filename-override` to the absolute target secrets path (for example `/home/user/.openclaw/secrets.enc.json`) so strict `creation_rules` still match even though encryption uses a temp input file.
- Decrypted payload must be a JSON object.
- `id` is resolved as JSON pointer into decrypted payload.
- Default timeout is `5000ms`.
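Review bot: The new contract line depends on `--filename-override`, but the "Minimum supported version: `sops >= 3.9.0`" bullet two lines above does not say which flag drives that floor; add a short parenthetical on the version line (for example "required for `--filename-override`") so a future edit does not lower the minimum without noticing the dependency. Also reconcile wording with the companion docs change in this commit, which says "temp file" where this line says "temp input file", and prefer the `<config-dir>/secrets.enc.json` form for the example path.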