fix(cli): resolve scoped web command SecretRefs

[steipete]

Summary

• Resolve command-scoped SecretRefs for local infer web search/fetch without activating unrelated provider/plugin secrets.
• Preserve provider-specific and fallback credential paths across active Gateway secret resolution, including Firecrawl search/fetch shared keys.
• Add docs/changelog/protocol coverage for the legacy web search SecretRef surface.

Verification

• /Users/steipete/Projects/agent-scripts/skills/codex-review/scripts/codex-review --mode branch
• pnpm protocol:check
• env -u FIRECRAWL_API_KEY -u GOOGLE_API_KEY node scripts/run-vitest.mjs src/cli/command-secret-targets.test.ts src/cli/command-secret-gateway.test.ts src/secrets/runtime-command-secrets.test.ts
• node scripts/run-vitest.mjs src/secrets/runtime-web-tools.test.ts src/web-fetch/runtime.test.ts extensions/firecrawl/src/firecrawl-tools.test.ts src/cli/capability-cli.test.ts src/gateway/server-methods/secrets.test.ts
• git diff --check

Real behavior proof

Behavior addressed: openclaw infer web search/fetch now resolves only the selected command credential SecretRefs, including plugin-owned and fallback Firecrawl paths.
Real environment tested: local source checkout with bundled plugin test env.
Exact steps or command run after this patch: TAVILY_API_KEY=resolved-live-proof pnpm exec tsx scripts/repro/cli-web-search-secret-refs-live-proof.mjs
Evidence after fix:
console output from live repro:
unresolved apiKey is SecretRef object = true
resolveCommandConfigWithSecrets apiKey is string = true
resolved apiKey remains redacted = true
diagnostics count = 1
Observed result after fix: selected/fallback web provider SecretRefs resolve while non-selected, disabled, or later auto-detect provider refs stay inactive or optional.
What was not tested: full pnpm check locally; PR CI runs the broad check shards.

Fixes #82621.
Recreates #82699 because maintainer edits are disabled on the contributor fork branch.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR scopes local infer web search/fetch SecretRef resolution to selected command credential paths, adds Firecrawl shared credential fallbacks, and updates gateway protocol, tests, docs, and changelog coverage.

Reproducibility: yes. source-level and report evidence are strong: the linked bug gives a concrete openclaw infer web search --provider tavily --query 'ping' --limit 1 --json failure on v2026.5.12, and current main has the implicated command SecretRef path. I did not execute the repro because this review was read-only.

Real behavior proof
Not applicable: The PR carries the protected maintainer label, so the external-contributor real behavior proof gate is not applied; the body still lists focused local test commands rather than a live command transcript.

Next step before merge
Protected maintainer label and XL secrets/gateway surface require human maintainer review and landing; no narrow automated repair is indicated.

Security
Cleared: The diff is security-sensitive because it touches SecretRef and gateway RPC handling, but this review found no concrete supply-chain or auth-boundary regression in the patch shape.

Review details

Best possible solution:

Land a maintainer-reviewed version that keeps command-time SecretRef resolution limited to the selected web search/fetch provider and documented fallback credential surfaces, with focused regression coverage for gateway and local resolution.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level and report evidence are strong: the linked bug gives a concrete openclaw infer web search --provider tavily --query 'ping' --limit 1 --json failure on v2026.5.12, and current main has the implicated command SecretRef path. I did not execute the repro because this review was read-only.

Is this the best way to solve the issue?

Yes, the proposed direction is the right owner-boundary fix: scope command-time web SecretRef resolution to the selected provider and its fallback credential paths instead of activating unrelated plugin secrets. The remaining decision is maintainer review and landing, not an automated rewrite.

What I checked:

• Protected label: The GitHub context lists the protected maintainer label on this open PR, so this review must keep it open for explicit maintainer handling.
• Affected command path on current main: Current main routes infer web search and infer web fetch through command SecretRef target selection and gateway resolution; this PR changes that same path to scoped capability target helpers. (src/cli/capability-cli.ts:1630, 58f1db1bc8eb)
• Target selection provenance: The current web command secret target selection helpers were introduced in commit 58f1db1, and the PR replaces them with provider-scoped capability helpers plus forced/optional active path metadata. (src/cli/command-secret-targets.ts:374, 58f1db1bc8eb)
• Gateway secrets surface: secrets.resolve is an admin-scoped gateway method on current main; the PR extends its params for scoped resolution without adding dependencies, lifecycle hooks, or new unauthenticated surfaces. (src/gateway/methods/core-descriptors.ts:121, 7b96109920c5)
• Related context: The PR body links the closed user bug Bug: CLI web search does not resolve plugin-scoped webSearch SecretRefs #82621 and says it recreates the prior unmerged contributor fix at fix(cli): resolve plugin web search SecretRefs for infer web search #82699 because maintainer edits were disabled on the contributor fork branch. (880060fd9a2c)
• Supplied verification: The PR body reports focused node scripts/run-vitest.mjs suites for command-secret targets, gateway resolution, runtime web tools, web fetch, Firecrawl tools, capability CLI, gateway secrets, plus git diff --check; it also notes full pnpm check was not run due an unrelated current-main type error. (880060fd9a2c)

Likely related people:

• ragesaq: Blame and history show commit 58f1db1 introduced the current command secret target, gateway SecretRef, runtime command secrets, and Firecrawl web provider code that this PR changes. (role: recent area contributor; confidence: high; commits: 58f1db1bc8eb; files: src/cli/command-secret-targets.ts, src/cli/command-secret-gateway.ts, src/secrets/runtime-command-secrets.ts)
• steipete: Git history shows Peter Steinberger recently touched src/cli/capability-cli.ts, one of the central files in this PR, and the PR author is using the same maintainer-labeled path. (role: recent adjacent contributor; confidence: medium; commits: 5d1f7bf05894; files: src/cli/capability-cli.ts)

Remaining risk / open question:

• Full pnpm check was not supplied in the PR body; verification is focused suites plus diff check.
• The diff is XL and touches secrets/gateway behavior, so maintainer review should confirm the scoped SecretRef contract before landing.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7b96109920c5.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 95d14dd11c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Validate forcedActivePaths before forwarding secrets.resolve

secrets.resolve now forwards client-supplied forcedActivePaths/optionalActivePaths directly, but there is no check that those paths are command-scoped web paths (or even constrained to allowedPaths). In src/secrets/runtime-command-secrets.ts, resolveForcedActiveCommandSecretTargets resolves any matching SecretRef in targetIds as active, so an authenticated caller can force resolution of otherwise inactive credentials by choosing target IDs plus forced paths. This broadens secret exposure beyond the prior inactive-surface guard and should be rejected unless the forced paths are explicitly validated and tightly scoped.

Useful? React with 👍 / 👎.

[steipete]

Verification before merge:

• codex-review: /Users/steipete/Projects/agent-scripts/skills/codex-review/scripts/codex-review --mode branch -> clean, no accepted/actionable findings.
• Protocol: pnpm protocol:check.
• Targeted tests: env -u FIRECRAWL_API_KEY -u GOOGLE_API_KEY node scripts/run-vitest.mjs src/cli/command-secret-targets.test.ts src/cli/command-secret-gateway.test.ts src/secrets/runtime-command-secrets.test.ts.
• Targeted tests: node scripts/run-vitest.mjs src/secrets/runtime-web-tools.test.ts src/web-fetch/runtime.test.ts extensions/firecrawl/src/firecrawl-tools.test.ts src/cli/capability-cli.test.ts src/gateway/server-methods/secrets.test.ts.
• Live proof: TAVILY_API_KEY=resolved-live-proof pnpm exec tsx scripts/repro/cli-web-search-secret-refs-live-proof.mjs -> resolved SecretRef object to string, redacted output, diagnostics count 1.
• CI: current head 95d14dd. CI run 25987285105 green, CodeQL/Critical Quality green or skipped as selected, Real behavior proof run 25987393905 green.

Known proof gap: no separate full local pnpm check; GitHub CI run 25987285105 covered the broad check shards.