Skip to content

fix: correct credential injection claims — messaging tokens use .env, not providers#129

Open
htekdev wants to merge 1 commit intoarticle/safe-openclaw-cron-iac-openshellfrom
fix/credential-injection-accuracy
Open

fix: correct credential injection claims — messaging tokens use .env, not providers#129
htekdev wants to merge 1 commit intoarticle/safe-openclaw-cron-iac-openshellfrom
fix/credential-injection-accuracy

Conversation

@htekdev
Copy link
Copy Markdown
Owner

@htekdev htekdev commented Apr 10, 2026

Summary

The article's 'Credential Injection Without Files' section made two inaccurate claims:

  1. \ ind / -name '*.env'\ would find nothing — False. \sandbox-setup.sh\ creates a .env\ file containing \TELEGRAM_BOT_TOKEN, \SLACK_BOT_TOKEN, and \SLACK_APP_TOKEN.
  2. 'All credentials go into OpenShell providers, never into files' — Overstated. Six API/service credentials use providers, but messaging platform tokens go through
    aw-secrets.env\ → .env\ file.

Changes

  • IaC section: Changed 'all credentials' → 'API and service credentials'. Added Slack tokens alongside Telegram as exceptions.
  • Credential Injection Without Files: Corrected the \ ind\ claim. Now accurately states which credentials are on disk (messaging) vs runtime-injected (providers). Added note that messaging tokens are scoped to bot-level access.
  • ASCII diagram: Updated from 'never on disk' to '6 providers (runtime), messaging (.env)'.

Why

Since part one was written, the project added Slack support. The .env\ now contains three messaging tokens, not just one. The original claim was defensible when only Telegram existed, but no longer accurate.

@htekdev
fix: correct credential injection claims to reflect .env for messagin…
9cd2534 
…g tokens

The article previously stated that no .env file exists in the sandbox and
that all credentials are provider-injected. This was inaccurate — Telegram
and Slack tokens (TELEGRAM_BOT_TOKEN, SLACK_BOT_TOKEN, SLACK_APP_TOKEN) are
uploaded via raw-secrets.env and written to a .env file by sandbox-setup.sh.

Updates three sections:
- IaC design decision paragraph: clarifies providers vs messaging exceptions
- Credential Injection Without Files: corrects the find / claim, explains
  which credentials are on disk vs runtime-injected
- ASCII architecture diagram: shows split between providers and .env

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@htekdev