[Feature]: support to use plugin to implement secret ref provider and cover core schemas

[Colstuwjx]

Summary

Currently, if we want to cover some Zod fields to mask them as secret ref object, it would need to change their schema definition accordingly, e.g. the following fields might need to be masked as secret ref object:

  - channels.wea.* credentials                                                                                                                     
  - skills.entries.*.env values                                                                                                                    
  - plugins.entries.*.config sensitive paths   

As a result, it may need to change the core schema fields frequently, which is not a good way. Instead, we could introduce an unified solution like K8s CNI did, just let the end users define their own secret ref provider and it could cover all of the schema fields, which is more complete solution.

Problem to solve

The end users don't need to submit PR to change the core code any more, just define their own plugin to mask the openclaw json config fields to secret ref objects.

Proposed solution

Use OpenClaw Plugin implementation.

Alternatives considered

No response

Impact

It would still change the core code to support to use plugin to render the configurations by using secret ref objects.

Evidence/examples

No response

Additional information

No response

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has only built-in env/file/exec SecretRef sources, while the plugin manifest secretInputs path support is only partial field coverage. The open linked implementation at #72548 and the related narrower manifest-preset PR at #82326 still need maintainer API and security selection before this feature can close.

Reproducibility: not applicable. as a bug reproduction; this is a feature/API request. Source and docs inspection gives a high-confidence current-main status: SecretRef provider sources remain env/file/exec-only, while selected manifest-declared plugin config SecretInput paths already exist.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.

Next step
No new repair lane: the issue is security-sensitive, has open implementation candidates, and needs maintainer API/product selection rather than an autonomous narrow fix.

Security
Needs attention: This issue is security-sensitive because it would let plugin-owned or plugin-described logic participate in resolving credential material.

Review details

Best possible solution:

Keep this issue open until maintainers choose and land a security-reviewed provider contract, then split any remaining field-widening work into focused follow-ups for skill env values, plugin config paths, and channel credentials.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction; this is a feature/API request. Source and docs inspection gives a high-confidence current-main status: SecretRef provider sources remain env/file/exec-only, while selected manifest-declared plugin config SecretInput paths already exist.

Is this the best way to solve the issue?

Unclear until maintainers choose the contract. A plugin or manifest seam fits OpenClaw's plugin architecture, but secret resolution through plugins is security-sensitive and should be separated from broader field-coverage expansion.

Label changes:

• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.

Label justifications:

• P2: This is a normal-priority feature/API request with security-sensitive design work but no current outage or regression.
• impact:security: The request changes how OpenClaw resolves and materializes sensitive credential data.
• impact:auth-provider: The affected surface is SecretRef provider resolution for tokens, API keys, and plugin or channel credentials.

Security concerns:

• [medium] Define plugin secret-resolution trust boundaries — src/secrets/resolve.ts:766
  A plugin SecretRef provider contract needs explicit activation checks, provider/source ownership validation, redaction behavior, fallback rules for built-in sources, dependency policy, and limits on where resolved secret material may flow.
  Confidence: 0.9
• [medium] Bound plaintext materialization for widened fields — src/secrets/runtime-config-collectors-plugins.ts:16
  Widening env or plugin config records to accept SecretRefs must prevent resolved plaintext from leaking into durable service metadata, logs, generated files, snapshots, diagnostics, or config writes.
  Confidence: 0.86

What I checked:

• Current SecretRef source contract is built-in-only: SecretRefSource is exactly "env" | "file" | "exec", and isSecretRef only accepts those literals. (src/config/types.secrets.ts:3, 384451343191)
• Current provider config union has no plugin arm: SecretProviderConfig is a union of env, file, and exec provider configs only. (src/config/types.secrets.ts:289, 384451343191)
• Current config schema is closed to built-in SecretRef providers: SecretRefSchema and SecretProviderSchema are discriminated unions over env, file, and exec schemas. (src/config/zod-schema.core.ts:79, 384451343191)
• Current gateway protocol schema is built-in-only: The gateway protocol SecretRefSourceSchema enumerates env, file, and exec only. (src/gateway/protocol/schema/primitives.ts:39, 384451343191)
• Current resolver has no plugin-provider dispatch: resolveProviderRefs dispatches env, file, and exec provider configs and otherwise throws an unsupported-source error. (src/secrets/resolve.ts:766, 384451343191)
• Core schemas still leave broad skill/plugin config as raw values: skills.entries.*.env remains a string record and plugins.entries.*.config remains an unknown record, so blanket SecretInput field coverage is not implemented. (src/config/zod-schema.ts:226, 384451343191)

Likely related people:

• joshavant: History ties Josh Avant to the provider-based external secrets foundation and later broad SecretRef credential coverage that this issue would extend. (role: SecretRef feature-history contributor; confidence: high; commits: 4e7a833a24e7, 806803b7efe2, 1769fb2aa1d6; files: src/config/types.secrets.ts, src/config/zod-schema.core.ts, src/secrets/resolve.ts)
• vincentkoc: History ties Vincent Koc to manifest config-contract and secretInputs work that provides the current partial plugin config SecretRef coverage. (role: plugin config-contract contributor; confidence: high; commits: e6117618095c, 7198a9f0eeed, 74e7b8d47b18; files: src/plugins/manifest.ts, src/plugins/config-contracts.ts, src/secrets/runtime-config-collectors-plugins.ts)
• steipete: Recent history shows repeated plugin manifest and SecretRef-adjacent work, including acpx MCP secret input materialization and plugin metadata refactors near this surface. (role: recent adjacent contributor; confidence: medium; commits: 694bc082a8c4, 8ddd9b8aac69, 2d593958839c; files: src/secrets/runtime-config-collectors-plugins.ts, src/plugins/manifest.ts, docs/gateway/secrets.md)
• akoscz: AkosCz authored the open pluggable SecretRef-source implementation linked with closing syntax for this issue. (role: active adjacent implementation proposer; confidence: medium; commits: d8a06bf12b22; files: src/config/types.secrets.ts, src/config/zod-schema.core.ts, src/gateway/protocol/schema/primitives.ts)
• sallyom: Sally O'Malley authored the open manifest-level SecretRef provider integration proposal that overlaps this issue's plugin-owned provider direction. (role: active adjacent implementation proposer; confidence: medium; commits: a8c22e50d014; files: src/plugins/manifest.ts, src/plugin-sdk/secret-provider-integration.ts, src/secrets/provider-integrations.ts)

Remaining risk / open question:

• Plugin-owned secret resolution would let plugin-described or plugin-loaded logic participate in credential materialization, so activation, source ownership, redaction, caching, disablement, fallback, and dependency rules need explicit review.
• Expanding field coverage can move resolved plaintext into plugin config, env vars, snapshots, diagnostics, generated metadata, or config writes unless persistence boundaries are designed first.
• There are multiple open implementation directions, so closing this issue before maintainers choose and land one would lose the API decision point.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 384451343191.

[maximus-dss]

Concrete user-visible motivation: engram authToken

Filing a comment to add a user-side data point for this feature request.

The engram plugin (@joshuaswarren/openclaw-engram, repo now joshuaswarren/remnic) requires plugins.entries["openclaw-engram"].config.agentAccessHttp.authToken to be a literal string. Setting it to a {source:"exec", provider:"...", id:"value"} SecretRef object causes engram to fail at startup. I filed an engram-side request at remnic#757 today, but a unified plugin-defined-resolver pattern (this issue) would generalize across every plugin's plugins.entries.*.config rather than fixing them one at a time.

Operationally on my fleet (8 OpenClaw agents): engram is the only field in my otherwise-SecretRef-clean openclaw.json that ships cleartext. I can mitigate via per-file Time Machine exclusion + token rotation, but the gap is real.

Happy to test a fix candidate when implementation lands.