Merged
Phase 5 delivers secrets management (SEC-01, SEC-02, SEC-03):
- Plan 01: Core secrets module with fcntl locking, atomic writes, mode 600
- Plan 02: CLI commands (set, list, remove) with masked input

Wave structure:
- Wave 1: 05-01 (core module, manifest extension)
- Wave 2: 05-02 (CLI commands, depends on 05-01)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add secrets.py with CRUD operations for secret storage
- Use fcntl.flock for concurrent access protection
- Atomic writes with temp file + rename pattern
- File permissions enforced at 0o600
- ISO 8601 timestamps for created_at and updated_at
- SecretEntry TypedDict with key, value, description, timestamps
- All tests passing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add required_secrets and optional_secrets to openclaw manifest
- Add SecretDefinition TypedDict for secret metadata
- Extend ClawManifest to include secrets fields
- Add get_required_secrets() and get_optional_secrets() helpers
- All existing tests still pass

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Test secret set with masked input
- Test secret set with description
- Test secret set overwrite confirmation
- Test secret set --yes flag
- Test secret list shows keys not values
- Test secret list shows missing required secrets
- Test secret remove with confirmation
- Test secret remove --force flag
- Test secret remove non-existent key error

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Create secret.py with set, list, remove commands
- set_cmd: prompts for masked input, handles overwrite confirmation
- list_cmd: shows keys/metadata table, displays missing required secrets
- remove_cmd: prompts for confirmation, --force flag to skip
- Register secret_app in main.py
- All 14 CLI tests pass

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add validate_secret_key() with env-var-safe pattern (issue 3)
- Implement DuplicateSecretError strict mode (issue 5)
- Add test for non-dict JSON in load_secrets (issue 6)
- Update CLI to handle InvalidSecretKeyError

Co-Authored-By: @atx-ci <269048218+atx-ci@users.noreply.github.com>

Co-Authored-By: @atx-ci <269048218+atx-ci@users.noreply.github.com>
Summary
Phase 05 implements secure secrets storage and CLI management for Clawrium.
Features:
- clm secret set KEY — Store secrets with masked input (getpass)
- clm secret list — Show keys/metadata (never values), plus missing required secrets by claw
- clm secret remove KEY — Remove with confirmation prompt

Implementation:
- ^[A-Z][A-Z0-9_]{0,127}$ (env-var-safe)
- required_secrets/optional_secrets

Tests: 255 passing (28 new for this phase)
ATX Review Summary
Review 2: Rating 2/5
Blocking issues addressed:
- remove_secret()
- test_cli_secret.py

Warnings acknowledged, suggestions logged for future improvement.
Co-Authored-By: @atx-ci 269048218+atx-ci@users.noreply.github.com
🤖 Generated with Claude Code
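
The storage pattern the commits above describe (exclusive fcntl lock, temp file plus rename, mode 0o600, env-var-safe key pattern, rejection of non-dict JSON), as an added sketch that is not Clawrium's code. The function names, the sidecar `.lock` file and the JSON layout are assumptions made for the example.

```python
import fcntl
import json
import os
import re
import tempfile
from datetime import datetime, timezone

KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,127}$")  # pattern from the PR summary


def validate_key(key: str) -> None:
    # fullmatch, because "$" with match() also accepts a trailing newline
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"invalid secret key: {key!r}")


def read_secrets(path: str) -> dict:
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except FileNotFoundError:
        return {}
    if not isinstance(data, dict):  # non-dict JSON is rejected up front
        raise ValueError("secrets file must contain a JSON object")
    return data


def save_secret(path: str, key: str, value: str) -> None:
    validate_key(key)
    # Lock a sidecar file: rename swaps the data file's inode on every write.
    lock_fd = os.open(path + ".lock", os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        secrets = read_secrets(path)
        now = datetime.now(timezone.utc).isoformat()  # ISO 8601
        created = secrets.get(key, {}).get("created_at", now)
        secrets[key] = {"value": value, "created_at": created, "updated_at": now}
        tmp_fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        try:
            with os.fdopen(tmp_fd, "w", encoding="utf-8") as fh:
                json.dump(secrets, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp_path, path)  # atomic within one filesystem
        except BaseException:
            os.unlink(tmp_path)
            raise
    finally:
        os.close(lock_fd)  # closing the descriptor releases the lock
```

`tempfile.mkstemp` creates the file readable and writable only by its owner, so the renamed secrets file ends up at mode 0o600 whatever the process umask is.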