vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 08:30:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(secrets): harden sops migration sops rule matching

Browse Source
This commit is contained in:
joshavant
2026-02-24 20:34:47 -06:00
committed by Peter Steinberger
parent 0e69660c41
commit e8637c79b3
5 changed files with 60 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/cli/secrets.md
View File

@@ -57,7 +57,7 @@ openclaw secrets migrate --write --no-scrub-env
- Scrub target is `<config-dir>/.env`.
- Only known secret env keys are considered.
- Entries are removed only when the value exactly matches a migrated plaintext secret.
- If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists, migrate passes it explicitly to `sops` so command behavior is cwd-independent.
- If `<config-dir>/.sops.yaml` or `<config-dir>/.sops.yml` exists, migrate passes it explicitly to `sops`, runs `sops` with `cwd=<config-dir>`, and sets `--filename-override` to the absolute target secrets path (for example `/home/user/.openclaw/secrets.enc.json`) so strict `creation_rules` continue to match when OpenClaw encrypts through a temp file.
Common migrate write failure: