feat: SecretRef support for plugins.entries.*.config.* (plugin config secrets)

[samshields-oc]

Problem

plugins.entries.*.config.* is not in the SecretRef credential surface. Plugins frequently store user-supplied API tokens and passwords in their config blocks — these are credentials that should be SecretRef-eligible.

Examples

{
  "plugins": {
    "entries": {
      "ha-context": {
        "config": {
          "haToken": "eyJhbGci..."  // ← Home Assistant long-lived access token
        }
      },
      "otel-observability": {
        "config": {
          "headers": "x-honeycomb-team=hcaik_..."  // ← Honeycomb ingest key
        }
      }
    }
  }
}

Context

This came up in #28984 (now closed, superseded by #29580). Plugin config is a wildcard surface — any plugin can define any config keys — but the pattern is consistent: plugins.entries.{pluginId}.config.{key}.

Per @joshavant's feedback on #28984, opening this as a standalone issue.

Suggested scope

• secrets audit should flag plaintext values in plugins.entries.*.config.* that look like credentials (tokens, keys, passwords)
• secrets plan + secrets apply should support SecretRef resolution for these paths
• Path matching: 5-segment — plugins.entries.{id}.config.{key}
• Challenge: not all plugin config values are secrets (e.g. ollamaUrl, cacheTtlMs). May need heuristic detection or an opt-in annotation from plugin authors.

[Dingding-leo]

Great follow-up to #33539! This makes sense - plugin configs often contain API tokens.

Challenge:
The issue notes - not all plugin config values are secrets. Need heuristic detection:

• Keys with patterns: *Token, *Key, *Secret, *Password, *Auth
• Values that look like tokens (JWT, base64, hex strings)

Suggested implementation:

1. Pattern-based detection:

const SECRET_PATTERNS = [
  /token/i, /key/i, /secret/i, /password/i, /auth/i,
  /bearer/i, /api_?key/i
];

function isSecretKey(key: string): boolean {
  return SECRET_PATTERNS.some(p => p.test(key));
}

2. Or opt-in annotation:

// Plugin declares its secret keys
plugin.schema = {
  config: {
    haToken: { type: "string", secret: true },
    // or
    _secrets: ["haToken"]
  }
};

3. Path pattern:

• 5 segments: plugins.entries.{pluginId}.config.{key}

Scope for secrets audit:

• Flag values matching token patterns in plugins.entries.*.config.* paths
• Allow plugin authors to opt-out or opt-in

This complements #33539 (provider headers). Together they cover most credential surfaces.

[samshields-oc]

Original implementation for this (along with the provider headers scope in #33539) was in my PR #28984, which was closed in favor of #29580. The plugin config path matching was part of that same PR — see the plugins.entries.config validation block in plan.ts. Flagging to ensure attribution carries forward if this gets picked up.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.