github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 21:27:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

CLI: prevent agent-path models.json secret persistence

Browse Source
This commit is contained in:
joshavant
2026-03-07 09:09:36 -06:00
parent 0f6f2482fd
commit a16606d379
5 changed files with 108 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/cli/agent.md
View File

@@ -22,3 +22,7 @@ openclaw agent --agent ops --message "Summarize logs"
openclaw agent --session-id 1234 --message "Summarize inbox" --thinking medium
openclaw agent --agent ops --message "Generate report" --deliver --reply-channel slack --reply-to "#reports"
```
## Notes
- When this command triggers `models.json` regeneration, SecretRef-managed provider credentials are persisted as non-secret markers (for example env var names or `secretref-managed`), not resolved secret plaintext.

2
docs/concepts/models.md
View File

@@ -217,3 +217,5 @@ Merge mode precedence for matching provider IDs:
- SecretRef-managed provider `apiKey` values are refreshed from source markers (`ENV_VAR_NAME` for env refs, `secretref-managed` for file/exec refs) instead of persisting resolved secrets.
- Empty or missing agent `apiKey`/`baseUrl` fall back to config `models.providers`.
- Other provider fields are refreshed from config and normalized catalog data.
This marker-based persistence applies whenever OpenClaw regenerates `models.json`, including command-driven paths like `openclaw agent`.