[Feature]: support SecretRef for env.vars

[edlevin6612]

Summary

Include SecretRef support for openclaw.json env block to allow a workflow where secrets stored as environment variables can be resolved at runtime (e.g. from 1Password)

Problem to solve

Currently, secretRef is not supported for the env block in openclaw.json. This makes setting/passing environment variables where the value is not static but rather derived dynamically (e.g. from 1Password) difficult.

Proposed solution

Extend SectrerRef support for the env block, similar to API keys:

  "secrets": {
    "providers": {
      "default": { "source": "env" },
      "op-my-sectet": {
        "source": "exec",
        "command": "/usr/bin/op",
        "allowInsecurePath": true,
        "args": ["read", "--no-newline", "op://MyVault/MySecret/credential"],
        "passEnv": ["HOME", "OP_SERVICE_ACCOUNT_TOKEN"],
        "jsonOnly": false
      },
  "env": {
    "vars": {
      "MY_SECRET_VAR": { "source": "exec", "provider": "op-my-secret", "id": "value" }
    }

Alternatives considered

Alternative is to define environment variables in .env as static values but that is counterproductive to having all secrets stored in an external values like 1Password. One can then have Gateway and Model tokens/passwords in 1Password but then still have to keep other secrets (e.g. ones used by Skills requiring environment vars) on the filesystem.

Impact

Someone wishing to offload all secret storage to an external secret management system for a better security posture.

Example: https://prokopov.me/posts/securing-openclaw-with-1password/

Evidence/examples

No response

Additional information

No response

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main and v2026.5.18 still treat top-level env.vars as string-only config, while the related pluggable SecretRef provider work explicitly defers widening raw env/config records such as this one.

Reproducibility: yes. via source inspection: zod/types accept top-level env.vars strings only, runtime collection drops non-string values, and tests lock in that skip behavior. This reproduces the missing capability, but it is a feature expansion rather than a broken existing contract.

Next step
Needs maintainer security/product review before implementation because the fix changes config schema and secret materialization boundaries.

Security
Needs attention: The issue is security-sensitive because it would materialize externally resolved secrets into environment handling that can also feed durable service metadata.

Review details

Best possible solution:

Define a top-level env.vars SecretInput contract with explicit runtime and durable-service-env semantics, then update schema/types/docs, runtime collection/resolution, and focused regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes, via source inspection: zod/types accept top-level env.vars strings only, runtime collection drops non-string values, and tests lock in that skip behavior. This reproduces the missing capability, but it is a feature expansion rather than a broken existing contract.

Is this the best way to solve the issue?

Unclear because there is no patch yet. Reusing the existing SecretInput resolution pipeline is plausible, but maintainers first need to decide whether resolved env secrets may enter only runtime env, durable service env metadata, or both.

Label changes:

• add P2: This is a normal-priority security/auth-provider feature request with limited blast radius, not a current outage or regression.
• add impact:security: The request changes how OpenClaw resolves and may materialize sensitive credential values into environment handling.
• add impact:auth-provider: The affected behavior is SecretRef resolution for externally managed secret values used by config-provided environment variables.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P2: This is a normal-priority security/auth-provider feature request with limited blast radius, not a current outage or regression.
• impact:security: The request changes how OpenClaw resolves and may materialize sensitive credential values into environment handling.
• impact:auth-provider: The affected behavior is SecretRef resolution for externally managed secret values used by config-provided environment variables.

Security concerns:

• [medium] Define env SecretRef materialization boundaries — src/config/state-dir-dotenv.ts:68
  A future implementation must decide whether resolved env.vars SecretRefs enter runtime env, durable service env, or both, and must prevent plaintext leakage into service metadata, logs, generated files, snapshots, or config writes.
  Confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs src/config/config.env-vars.test.ts
• node scripts/run-vitest.mjs src/config/config.secrets-schema.test.ts
• node scripts/run-vitest.mjs src/secrets/runtime.coverage.test.ts
• node scripts/run-vitest.mjs src/commands/daemon-install-helpers.test.ts

What I checked:

• live-issue-state: Live issue data shows this issue is open, has only the enhancement label, has no closing pull request, and has a prior ClawSweeper review keeping the same env.vars SecretRef gap open.
• schema-string-only-current-main: Current main declares top-level env.vars as z.record(z.string(), z.string()) and direct env sugar as .catchall(z.string()), so structured SecretRef objects are not accepted by this config surface. (src/config/zod-schema.ts:438, 1a7669bc63a0)
• public-type-string-only: The public OpenClawConfig type exposes env.vars?: Record<string, string> and describes direct env entries as string-only sugar. (src/config/types.openclaw.ts:73, 1a7669bc63a0)
• runtime-skips-non-string-env-vars: Runtime env collection explicitly skips any env.vars value that is not a non-empty string, so a raw SecretRef object would not be materialized on current main. (src/config/config-env-vars.ts:23, 1a7669bc63a0)
• test-locks-current-skip-behavior: Focused coverage asserts that non-string env.vars values from runtime JSON configs are skipped rather than resolved. (src/config/config.env-vars.test.ts:38, 1a7669bc63a0)
• durable-service-env-boundary: Config env vars are also collected into durable service env sources, so widening env.vars to resolve SecretRefs needs an explicit persistence boundary decision. (src/config/state-dir-dotenv.ts:68, 1a7669bc63a0)

Likely related people:

• MiltonHeYan: Authored the guard and regression coverage that skip non-string env.vars values, which is the current behavior this request would change. (role: recent env-vars contributor; confidence: high; commits: 170a96174477; files: src/config/config-env-vars.ts, src/config/config.env-vars.test.ts)
• steipete: Split durable service env helpers and later landed env-backed config SecretRef service-env preservation, both relevant to the persistence boundary for resolved env.vars secrets. (role: durable service-env and adjacent SecretRef contributor; confidence: high; commits: c15282062f04, 3ed3248d7bf5; files: src/config/state-dir-dotenv.ts, src/commands/daemon-install-helpers.ts, src/commands/daemon-install-helpers.test.ts)
• joshavant: Authored broad SecretRef coverage, runtime collectors, and credential surface docs that a new env.vars SecretInput target would likely extend. (role: SecretRef feature-history contributor; confidence: high; commits: 806803b7efe2, c3a4251a602f; files: src/config/types.secrets.ts, src/config/zod-schema.core.ts, src/secrets/runtime-config-collectors-core.ts)

Remaining risk / open question:

• Resolved SecretRefs under top-level env.vars could flow into both runtime process env and managed service env metadata unless maintainers define runtime-only versus durable-service semantics first.
• The related broader SecretRef provider work at [Feature]: support to use plugin to implement secret ref provider and cover core schemas #71593 and feat(secrets): pluggable SecretRef sources via plugin SDK seam #72548 does not currently implement this field-widening request.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1a7669bc63a0.