mirror of https://github.com/openclaw/openclaw.git
107 lines
3.3 KiB
Markdown
107 lines
3.3 KiB
Markdown
---
|
|
summary: "Contract for `secrets apply` plans: target validation, path matching, and `auth-profiles.json` target scope"
|
|
read_when:
|
|
- Generating or reviewing `openclaw secrets apply` plans
|
|
- Debugging `Invalid plan target path` errors
|
|
- Understanding target type and path validation behavior
|
|
title: "Secrets Apply Plan Contract"
|
|
---
|
|
|
|
# Secrets apply plan contract
|
|
|
|
This page defines the strict contract enforced by `openclaw secrets apply`.
|
|
|
|
If a target does not match these rules, apply fails before mutating configuration.
|
|
|
|
## Plan file shape
|
|
|
|
`openclaw secrets apply --from <plan.json>` expects a `targets` array of plan targets:
|
|
|
|
```json5
|
|
{
|
|
version: 1,
|
|
protocolVersion: 1,
|
|
targets: [
|
|
{
|
|
type: "models.providers.apiKey",
|
|
path: "models.providers.openai.apiKey",
|
|
pathSegments: ["models", "providers", "openai", "apiKey"],
|
|
providerId: "openai",
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
{
|
|
type: "auth-profiles.api_key.key",
|
|
path: "profiles.openai:default.key",
|
|
pathSegments: ["profiles", "openai:default", "key"],
|
|
agentId: "main",
|
|
ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
|
|
},
|
|
],
|
|
}
|
|
```
|
|
|
|
## Supported target scope
|
|
|
|
Plan targets are accepted for supported credential paths in:
|
|
|
|
- [SecretRef Credential Surface](/reference/secretref-credential-surface)
|
|
|
|
## Target type behavior
|
|
|
|
General rule:
|
|
|
|
- `target.type` must be recognized and must match the normalized `target.path` shape.
|
|
|
|
Compatibility aliases remain accepted for existing plans:
|
|
|
|
- `models.providers.apiKey`
|
|
- `skills.entries.apiKey`
|
|
- `channels.googlechat.serviceAccount`
|
|
|
|
## Path validation rules
|
|
|
|
Each target is validated with all of the following:
|
|
|
|
- `type` must be a recognized target type.
|
|
- `path` must be a non-empty dot path.
|
|
- `pathSegments` can be omitted. If provided, it must normalize to exactly the same path as `path`.
|
|
- Forbidden segments are rejected: `__proto__`, `prototype`, `constructor`.
|
|
- The normalized path must match the registered path shape for the target type.
|
|
- If `providerId` or `accountId` is set, it must match the id encoded in the path.
|
|
- `auth-profiles.json` targets require `agentId`.
|
|
- When creating a new `auth-profiles.json` mapping, include `authProfileProvider`.
|
|
|
|
## Failure behavior
|
|
|
|
If a target fails validation, apply exits with an error like:
|
|
|
|
```text
|
|
Invalid plan target path for models.providers.apiKey: models.providers.openai.baseUrl
|
|
```
|
|
|
|
No writes are committed for an invalid plan.
|
|
|
|
## Runtime and audit scope notes
|
|
|
|
- Ref-only `auth-profiles.json` entries (`keyRef`/`tokenRef`) are included in runtime resolution and audit coverage.
|
|
- `secrets apply` writes supported `openclaw.json` targets, supported `auth-profiles.json` targets, and optional scrub targets.
|
|
|
|
## Operator checks
|
|
|
|
```bash
|
|
# Validate plan without writes
|
|
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run
|
|
|
|
# Then apply for real
|
|
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json
|
|
```
|
|
|
|
If apply fails with an invalid target path message, regenerate the plan with `openclaw secrets configure` or fix the target path to a supported shape above.
|
|
|
|
## Related docs
|
|
|
|
- [Secrets Management](/gateway/secrets)
|
|
- [CLI `secrets`](/cli/secrets)
|
|
- [SecretRef Credential Surface](/reference/secretref-credential-surface)
|
|
- [Configuration Reference](/gateway/configuration-reference)
|