docs(secrets): fix bws resolver runtime behavior

docs/gateway/secrets.md

@@ -219,6 +219,7 @@ This example uses a small wrapper script that implements the exec provider proto
 
 - Script: `scripts/secrets/openclaw-bws-resolver`
 - `bws` must be installed and authenticated via `BWS_ACCESS_TOKEN`
+- `bws` is resolved from `PATH` by default (set `BWS_BIN` for an absolute override)
 
 ```json5
 {
@@ -229,7 +230,7 @@ This example uses a small wrapper script that implements the exec provider proto
         // Point this at wherever you install the resolver.
         command: "/usr/local/bin/openclaw-bws-resolver",
         args: [],
-        passEnv: ["BWS_ACCESS_TOKEN", "PATH"],
+        passEnv: ["BWS_ACCESS_TOKEN", "PATH", "BWS_BIN"],
         jsonOnly: true,
       },
     },

scripts/secrets/openclaw-bws-resolver

@@ -4,9 +4,9 @@
 // Protocol v1: reads JSON from stdin, returns JSON on stdout.
 //
 
-const { execFileSync } = require("child_process");
+import { execFileSync } from "node:child_process";
 
-const BWS = "/usr/local/bin/bws";
+const BWS = process.env.BWS_BIN?.trim() || "bws";
 
 async function main() {
   let input = "";
@@ -24,14 +24,20 @@ async function main() {
     return;
   }
 
+  if (!process.env.BWS_ACCESS_TOKEN) {
+    process.stderr.write("BWS_ACCESS_TOKEN is required\n");
+    process.exit(1);
+  }
+
   let secrets;
   try {
     const raw = execFileSync(BWS, ["secret", "list"], {
       env: { BWS_ACCESS_TOKEN: process.env.BWS_ACCESS_TOKEN, PATH: process.env.PATH || "" },
       timeout: 15000,
       maxBuffer: 1024 * 1024,
+      encoding: "utf8",
     });
-    secrets = JSON.parse(raw.toString());
+    secrets = JSON.parse(raw);
   } catch (err) {
     process.stderr.write(`bws secret list failed: ${err.message}\n`);
     process.exit(1);