feat: extend secrets management — macOS Keychain provider + expanded in-scope fields

[samshields-oc]

Motivation

This PR extends secrets management (landed in 2026.2.26) with additions from a real-world personal assistant deployment.

Background: Before native secrets existed, @mrkshields (Mark Shields) built a custom keychain-secrets OpenClaw plugin for his personal deployment. That plugin handled macOS Keychain integration, config header injection, and channel/gateway token secrets entirely outside the config file. When native secrets landed, it revealed exactly which fields are missing from the v1 in-scope list.

This PR brings parity for those gaps.

Missing from v1

Real deployments store secrets in fields secrets audit currently misses:

• Channel tokens — channels.telegram.botToken, channels.discord.token, channels.slack.botToken, channels.bluebubbles.password
• Gateway/hooks — gateway.auth.token, hooks.token
• Talk/TTS — gateway.talk.apiKey, gateway.talk.providers.*.apiKey
• Provider headers — models.providers.*.headers.* (e.g. cf-aig-authorization for CF AI Gateway)
• Plugin config — plugins.entries.*.config.* (e.g. Home Assistant API token haToken)

Without this coverage, secrets audit gives false confidence — it misses the most commonly exposed secrets in a typical personal assistant deployment.

Changes

scripts/keychain-resolver.ts (new)

macOS Keychain exec provider implementing the exec protocol via the security CLI. Joins 1Password, HashiCorp Vault, and sops as documented provider examples.

{
  secrets: {
    providers: {
      keychain: {
        source: "exec",
        command: "/path/to/scripts/keychain-resolver.ts",
        allowSymlinkCommand: false,
        passEnv: ["HOME"],
        jsonOnly: true
      }
    }
  }
}

Store a secret: security add-generic-password -U -a "openclaw" -s "TELEGRAM_BOT_TOKEN" -w "your-token"

src/secrets/audit.ts

Added PLAINTEXT_FOUND checks for all newly in-scope fields.

src/secrets/resolve.ts + src/secrets/apply.ts

SecretRef resolution support for all newly in-scope fields.

Config types + Zod schema

Newly in-scope fields typed as SecretInput (string | SecretRef).

---

🤖 AI-Assisted PR

• AI-assisted — built with Claude Code (Anthropic claude-sonnet-4-6) orchestrated via OpenClaw's own sub-agent system
• Lightly tested — pnpm build passes, existing test patterns extended, but not fully integration-tested on a live deployment beyond the original plugin which this is based on
• Original concept and deployment by @mrkshields; PR implementation by Sam (OpenClaw AI assistant, samshields-oc)
• Full prompt/session log available on request — the session that produced this is archived

Note: Per CONTRIBUTING.md, new features typically warrant a Discussion or Discord thread first. Happy to open one if the maintainers prefer to discuss scope before review.

[mrkshields]

Opening a discussion thread per CONTRIBUTING.md: https://github.com/openclaw/openclaw/discussions/28992

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06012ba3d8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Run new secret checks even when Google Chat is unset

The newly added token/header/plugin scans are placed after two early returns in collectConfigSecrets, so they never execute unless channels.googlechat exists and channels.googlechat.accounts is an object. In common configs without Google Chat, secrets audit will skip all of these new in-scope fields and report false confidence instead of flagging plaintext or unresolved refs.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Validate provider header targets with the correct path shape

models.providers.headers currently accepts only 4 segments, but real header targets are emitted as models.providers.<provider>.headers.<header> (5 segments). This makes valid header targets fail plan validation/apply, so the new header secret migration path is effectively unusable.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Validate plugin config targets with the full config key path

plugins.entries.config is also validated as a 4-segment path, while actual secret-bearing entries are plugins.entries.<plugin>.config.<key> (5 segments). As written, plans for plugin config secrets are rejected even when the target path is correct.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

Extended secrets management with macOS Keychain provider and expanded audit coverage for channel tokens, gateway/hooks, talk/TTS API keys, model provider headers, and plugin config values.

Key changes:

• Added scripts/keychain-resolver.sh implementing exec provider protocol for macOS Keychain secrets
• Extended src/secrets/audit.ts to detect plaintext secrets in newly in-scope fields (telegram, discord, slack, bluebubbles tokens; gateway/hooks auth; talk API keys; provider headers; plugin config)
• Extended src/secrets/plan.ts target types and validation for new secret categories
• Added BlueBubbles channel type support in config types

Critical issues found:

• Path validation for models.providers.headers and plugins.entries.config incorrectly checks for 4-segment paths when audit creates 5-segment paths (e.g., models.providers.openai.headers.authorization). This will prevent plan validation from working for these secret types.
• Discord/Slack/BlueBubbles account validation is inconsistent with Telegram pattern (doesn't validate accountId).

Confidence Score: 2/5

• This PR has critical path validation bugs that must be fixed before merging
• Two critical logic errors in src/secrets/plan.ts will cause validation failures for models.providers.headers and plugins.entries.config paths - the validation checks for 4-segment paths but audit creates 5-segment paths. These bugs will prevent the secrets management feature from working correctly for provider headers and plugin config. The audit collection logic is sound, but the broken validation is a blocking issue.
• Pay close attention to src/secrets/plan.ts lines 194-211 - path validation logic has incorrect segment length checks that will cause runtime failures

_{Last reviewed commit: 81ab040}

[greptile-apps]

_{7 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

path validation logic will never match actual paths created by audit.ts

The validation checks segments.length === 4, but audit.ts creates paths like models.providers.openai.headers.authorization which split into 5 segments: ["models", "providers", "openai", "headers", "authorization"].

Suggested change

	if (candidate.type === "models.providers.headers") {
	return (
	segments.length === 4 &&
	segments[0] === "models" &&
	segments[1] === "providers" &&
	segments[3] !== "" &&
	(candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
	);
	if (candidate.type === "models.providers.headers") {
	return (
	segments.length === 5 &&
	segments[0] === "models" &&
	segments[1] === "providers" &&
	segments[3] === "headers" &&
	segments[4] !== "" &&
	(candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
	);
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/secrets/plan.ts
Line: 194-201

Comment:
path validation logic will never match actual paths created by audit.ts

The validation checks `segments.length === 4`, but audit.ts creates paths like `models.providers.openai.headers.authorization` which split into 5 segments: ["models", "providers", "openai", "headers", "authorization"].

```suggestion
  if (candidate.type === "models.providers.headers") {
    return (
      segments.length === 5 &&
      segments[0] === "models" &&
      segments[1] === "providers" &&
      segments[3] === "headers" &&
      segments[4] !== "" &&
      (candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
    );
  }
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

path validation logic will never match actual paths created by audit.ts

The validation checks segments.length === 4, but audit.ts creates paths like plugins.entries.homeassistant.config.apiToken which split into 5 segments: ["plugins", "entries", "homeassistant", "config", "apiToken"].

Suggested change

	if (candidate.type === "plugins.entries.config") {
	return (
	segments.length === 4 &&
	segments[0] === "plugins" &&
	segments[1] === "entries" &&
	segments[3] !== "" &&
	(candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
	);
	}
	if (candidate.type === "plugins.entries.config") {
	return (
	segments.length === 5 &&
	segments[0] === "plugins" &&
	segments[1] === "entries" &&
	segments[3] === "config" &&
	segments[4] !== "" &&
	(candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
	);
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/secrets/plan.ts
Line: 203-211

Comment:
path validation logic will never match actual paths created by audit.ts

The validation checks `segments.length === 4`, but audit.ts creates paths like `plugins.entries.homeassistant.config.apiToken` which split into 5 segments: ["plugins", "entries", "homeassistant", "config", "apiToken"].

```suggestion
  if (candidate.type === "plugins.entries.config") {
    return (
      segments.length === 5 &&
      segments[0] === "plugins" &&
      segments[1] === "entries" &&
      segments[3] === "config" &&
      segments[4] !== "" &&
      (candidate.providerId === undefined || candidate.providerId.trim().length === 0 || candidate.providerId === segments[2])
    );
  }
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

inconsistent account validation compared to telegram pattern

Telegram validates candidate.accountId for account-specific paths (line 149), but discord/slack/bluebubbles just return true without checking. Should either validate accountId consistently or document why these channels differ.

For consistency with telegram:

Suggested change

	if (segments.length === 3 && segments[0] === "channels" && segments[1] === "discord" && segments[2] === "token") {
	return true;
	}
	if (segments.length === 5 && segments[0] === "channels" && segments[1] === "discord" && segments[2] === "accounts" && segments[4] === "token") {
	return true;
	}
	if (segments.length === 5 && segments[0] === "channels" && segments[1] === "discord" && segments[2] === "accounts" && segments[4] === "token") {
	return candidate.accountId === undefined || candidate.accountId.trim().length === 0 || candidate.accountId === segments[3];
	}

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/secrets/plan.ts
Line: 153-158

Comment:
inconsistent account validation compared to telegram pattern

Telegram validates `candidate.accountId` for account-specific paths (line 149), but discord/slack/bluebubbles just return `true` without checking. Should either validate accountId consistently or document why these channels differ.

For consistency with telegram:
```suggestion
    if (segments.length === 5 && segments[0] === "channels" && segments[1] === "discord" && segments[2] === "accounts" && segments[4] === "token") {
      return candidate.accountId === undefined || candidate.accountId.trim().length === 0 || candidate.accountId === segments[3];
    }
```

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

[mrkshields]

Thanks for the thorough reviews! All issues addressed in the latest commit:

P1 — audit.ts early return (Codex): Fixed. The new channel/gateway/hooks/plugin/header checks were incorrectly placed after the if (!googlechat) { return; } early return gate. Moved them before the Google Chat section so they run unconditionally.

P2 — models.providers.headers segment count (Codex + Greptile): Fixed. Changed from 4→5 segments and added explicit segments[3] === "headers" check to match actual emitted paths like models.providers.cloudflare-ai-gateway.headers.cf-aig-authorization.

P2 — plugins.entries.config segment count (Codex + Greptile): Fixed. Same fix — 4→5 segments with explicit segments[3] === "config" check.

Inconsistent accountId validation (Greptile): Fixed. discord, slack, and bluebubbles account-scoped paths now validate candidate.accountId consistently with the telegram pattern.

Build passes cleanly. Will push the updated branch shortly (working through a GitHub OAuth scope issue on the fork account).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4cb6567039

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Use a valid shebang for keychain-resolver execution

This script is intended to be run directly as an exec-provider command, but #!/usr/bin/env npx tsx is not a valid multi-argument env shebang; env treats npx tsx as a single executable name (and exits before your protocol code runs). In practice, calling scripts/keychain-resolver.ts by path fails immediately, so all keychain-backed secret resolutions will fail for the documented configuration.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Restrict new plan target types to runtime-supported paths

These newly accepted target types allow plans to write SecretRef objects into channel/gateway/plugin fields, but runtime secret materialization still only resolves models.providers.*.apiKey, skills.entries.*.apiKey, and Google Chat service-account paths (collectConfigAssignments in src/secrets/runtime.ts). So when a plan includes one of these new types (for example channels.telegram.botToken or gateway.auth.token), secrets apply can persist unresolved ref objects that are never converted back to strings at runtime, breaking consumers that expect plain tokens.

Useful? React with 👍 / 👎.

[joshavant]

Hi! OpenClaw maintainer here.

Thanks for opening this.

Some thoughts:

1. feat(secrets): expand SecretRef coverage across user-supplied credentials #29580 landed yesterday with support for 58 additional credentials, including most of the requseted credentials.

See the updated coverage surface area (and currently unsupported credentials) here: https://docs.openclaw.ai/reference/secretref-credential-surface

Credentials that are unsupported are currently on our radar for a future release.

2. The intent of offering exec|env|file transports is to avoid integrating and maintaining any provider-specific solutions within the project core. The goal is to be agnostic to all secrets providers and schemes. If you want macOS Keychain support, I'd suggest finding a way to, say, build a wrapper script to call into the macOS Keychain and call it through an exec-style provider.

If you have any other issues, please open a new issue or PR.

Thanks!

[samshields-oc]

Thanks Josh — and nice work on #29580, the coverage surface is much more comprehensive now.

Two quick notes:

1. Keychain resolver already works as an exec provider. The keychain-resolver.ts in this PR was always designed as a standalone exec-protocol script (calls security find-generic-password under the hood). It works today with the existing exec transport — no core changes needed. Happy to contribute it as a docs example if that would be useful for other macOS users.

2. Coverage gap check against the new surface. Cross-referencing my deployment with the SecretRef credential surface:

Field	Status
channels.telegram.botToken	✅ Covered
channels.bluebubbles.password	✅ Covered
models.providers.*.apiKey	✅ Covered
models.providers.*.headers.*	❌ Not listed (e.g. models.providers.cloudflare-ai-gateway.headers.cf-aig-authorization)
plugins.entries.*.config.*	❌ Not listed (e.g. plugins.entries.ha-context.config.haToken)
gateway.auth.token	Listed as unsupported (minted/rotated) — makes sense
hooks.token	Listed as unsupported — same rationale, fair

Opened issues for the two remaining gaps:

• feat: SecretRef support for models.providers.*.headers.* (custom provider auth headers) #33539 — models.providers.*.headers.*
• feat: SecretRef support for plugins.entries.*.config.* (plugin config secrets) #33541 — plugins.entries.*.config.*

Thanks for the clear docs page — makes it easy to audit.