Secrets Apply Plan Contract
Secrets apply plan contract
Section titled “Secrets apply plan contract”This page defines the strict contract enforced by openclaw secrets apply.
If a target does not match these rules, apply fails before mutating configuration.
Plan file shape
Section titled “Plan file shape”openclaw secrets apply --from <plan.json> expects a targets array of plan targets:
{ version: 1, protocolVersion: 1, targets: [ { type: "models.providers.apiKey", path: "models.providers.openai.apiKey", pathSegments: ["models", "providers", "openai", "apiKey"], providerId: "openai", ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, }, { type: "auth-profiles.api_key.key", path: "profiles.openai:default.key", pathSegments: ["profiles", "openai:default", "key"], agentId: "main", ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" }, }, ],}Supported target scope
Section titled “Supported target scope”Plan targets are accepted for supported credential paths in:
Target type behavior
Section titled “Target type behavior”General rule:
target.typemust be recognized and must match the normalizedtarget.pathshape.
Compatibility aliases remain accepted for existing plans:
models.providers.apiKeyskills.entries.apiKeychannels.googlechat.serviceAccount
Path validation rules
Section titled “Path validation rules”Each target is validated with all of the following:
typemust be a recognized target type.pathmust be a non-empty dot path.pathSegmentscan be omitted. If provided, it must normalize to exactly the same path aspath.- Forbidden segments are rejected:
__proto__,prototype,constructor. - The normalized path must match the registered path shape for the target type.
- If
providerIdoraccountIdis set, it must match the id encoded in the path. auth-profiles.jsontargets requireagentId.- When creating a new
auth-profiles.jsonmapping, includeauthProfileProvider.
Failure behavior
Section titled “Failure behavior”If a target fails validation, apply exits with an error like:
Invalid plan target path for models.providers.apiKey: models.providers.openai.baseUrlNo writes are committed for an invalid plan.
Exec provider consent behavior
Section titled “Exec provider consent behavior”--dry-runskips exec SecretRef checks by default.- Plans containing exec SecretRefs/providers are rejected in write mode unless
--allow-execis set. - When validating/applying exec-containing plans, pass
--allow-execin both dry-run and write commands.
Runtime and audit scope notes
Section titled “Runtime and audit scope notes”- Ref-only
auth-profiles.jsonentries (keyRef/tokenRef) are included in runtime resolution and audit coverage. secrets applywrites supportedopenclaw.jsontargets, supportedauth-profiles.jsontargets, and optional scrub targets.
Operator checks
Section titled “Operator checks”# Validate plan without writesopenclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run
# Then apply for realopenclaw secrets apply --from /tmp/openclaw-secrets-plan.json
# For exec-containing plans, opt in explicitly in both modesopenclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run --allow-execopenclaw secrets apply --from /tmp/openclaw-secrets-plan.json --allow-execIf apply fails with an invalid target path message, regenerate the plan with openclaw secrets configure or fix the target path to a supported shape above.