From 67bb95a7ce9c992a51ebbd4169ee40c2b16b1005 Mon Sep 17 00:00:00 2001
From: Mariano Belinky <mbelinky@gmail.com>
Date: Fri, 27 Feb 2026 20:23:22 +0000
Subject: [PATCH] docs(secrets): fix bws resolver runtime behavior

---
 docs/gateway/secrets.md               |  3 ++-
 scripts/secrets/openclaw-bws-resolver | 12 +++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/docs/gateway/secrets.md b/docs/gateway/secrets.md
index f727e4d0726..6c97fbbc0ce 100644
--- a/docs/gateway/secrets.md
+++ b/docs/gateway/secrets.md
@@ -219,6 +219,7 @@ This example uses a small wrapper script that implements the exec provider proto
 
 - Script: `scripts/secrets/openclaw-bws-resolver`
 - `bws` must be installed and authenticated via `BWS_ACCESS_TOKEN`
+- `bws` is resolved from `PATH` by default (set `BWS_BIN` for an absolute override)
 
 ```json5
 {
@@ -229,7 +230,7 @@ This example uses a small wrapper script that implements the exec provider proto
         // Point this at wherever you install the resolver.
         command: "/usr/local/bin/openclaw-bws-resolver",
         args: [],
-        passEnv: ["BWS_ACCESS_TOKEN", "PATH"],
+        passEnv: ["BWS_ACCESS_TOKEN", "PATH", "BWS_BIN"],
         jsonOnly: true,
       },
     },
diff --git a/scripts/secrets/openclaw-bws-resolver b/scripts/secrets/openclaw-bws-resolver
index 35dce64f5f6..78639dbca24 100755
--- a/scripts/secrets/openclaw-bws-resolver
+++ b/scripts/secrets/openclaw-bws-resolver
@@ -4,9 +4,9 @@
 // Protocol v1: reads JSON from stdin, returns JSON on stdout.
 //
 
-const { execFileSync } = require("child_process");
+import { execFileSync } from "node:child_process";
 
-const BWS = "/usr/local/bin/bws";
+const BWS = process.env.BWS_BIN?.trim() || "bws";
 
 async function main() {
   let input = "";
@@ -24,14 +24,20 @@ async function main() {
     return;
   }
 
+  if (!process.env.BWS_ACCESS_TOKEN) {
+    process.stderr.write("BWS_ACCESS_TOKEN is required\n");
+    process.exit(1);
+  }
+
   let secrets;
   try {
     const raw = execFileSync(BWS, ["secret", "list"], {
       env: { BWS_ACCESS_TOKEN: process.env.BWS_ACCESS_TOKEN, PATH: process.env.PATH || "" },
       timeout: 15000,
       maxBuffer: 1024 * 1024,
+      encoding: "utf8",
     });
-    secrets = JSON.parse(raw.toString());
+    secrets = JSON.parse(raw);
   } catch (err) {
     process.stderr.write(`bws secret list failed: ${err.message}\n`);
     process.exit(1);