Add 1Password SecretRef plugin#102293
Conversation
|
Codex review: found issues before merge. Reviewed July 11, 2026, 11:09 AM ET / 15:09 UTC. Summary PR surface: Source +828, Tests +543, Docs +284, Config +28, Other +6. Total +1689 across 26 files. Reproducibility: yes. for both patch defects: a multi-ID request directly enters all-at-once child-process creation, and a setup plan using a custom alias is invisible to the hard-coded status reader. Review metrics: 4 noteworthy metrics.
Stored data model Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review detailsBest possible solution: Bound resolver concurrency, make status discover the configured plugin-integration alias with deterministic ambiguity handling, preserve core and gateway validation parity, and obtain exact-head security and dependency approval before landing the opt-in plugin. Do we have a high-confidence way to reproduce the issue? Yes for both patch defects: a multi-ID request directly enters all-at-once child-process creation, and a setup plan using a custom alias is invisible to the hard-coded status reader. Is this the best way to solve the issue? No in its current form; the plugin-managed architecture follows an established sibling pattern, but resolver concurrency and alias consistency must be fixed before maintainers decide whether to accept the bundled trust model. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against b3136854f0ed. Label changesLabel changes:
Label justifications:
Evidence reviewedPR surface: Source +828, Tests +543, Docs +284, Config +28, Other +6. Total +1689 across 26 files. View PR surface stats
Security concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (8 earlier review cycles)
|
Dependency GuardThis PR changes dependency-related files. Maintainers should confirm these changes are intentional. Changed files:
Maintainer follow-up:
|
Dependency graph changes are blockedOpenClaw does not accept dependency graph changes through PRs unless a repository admin or security explicitly authorizes the current head SHA. Dependency updates are generated internally by maintainers so external PRs cannot change the resolved graph. Detected dependency graph changes:
Auto-scrub was not attempted because this PR changes package manifest dependency graph fields:
Dependency graph changes must be reviewed by security or handled by maintainers internally. Please remove lockfile changes manually if they are not needed. To remove lockfile changes, restore them from the target branch: git fetch origin
git checkout 'origin/main' -- 'pnpm-lock.yaml'
git commit -m 'chore: remove dependency lockfile change'
git pushIf this PR intentionally needs a dependency graph change, ask a repository admin or member of The action will approve the current head SHA ( |
7988dd2 to
ccdf464
Compare
1b66dca to
9bb6c9a
Compare
9bb6c9a to
292efb4
Compare
292efb4 to
f63830b
Compare
Signed-off-by: sallyom <somalley@redhat.com>
Expose the reusable SecretRef target helpers through the plugin SDK so 1Password does not import core src/secrets internals. This matches the reusable seam from vault-plugin commit 7b04710; the generated baseline is branch-local.
f63830b to
5b5971e
Compare
Summary
1passwordplugin that provides a managed SecretRef exec provider for 1Password.op) using service account or Connect auth env, while keeping resolved secrets out of OpenClaw config.openclaw 1password statusandopenclaw 1password setuphelpers for local and server workflows.opCLI remains a runtime dependency.Linked context
Companion to the bundled Vault SecretRef plugin work in #89255, adding the same plugin-managed SecretRef provider pattern for 1Password.
Real behavior proof
1passwordSecretRef provider to resolve model provider credentials from 1Password without storing plaintext provider keys in OpenClaw config.1passwordextension, a mounted OpenClaw data volume, a maintainer-provided 1Password service account token, and default vaultopenclaw.opbinary fromdocker.io/1password/op:2, validated it with2.34.1, and started the Gateway withCLAW_1PASSWORD_OP=/home/node/.openclaw/bin/op-wrapper.onepasswordprovider was configured as a plugin-managed exec provider; the runtime saw theopwrapper; service account auth was present; the default vault was set.From local run:
{ "providerAlias": "onepassword", "provider": { "configured": true, "source": "exec", "pluginIntegration": { "pluginId": "1password", "integrationId": "onepassword" } }, "opCommand": "/home/node/.openclaw/bin/op-wrapper", "opCommandAvailable": true, "authMode": "service-account", "hasServiceAccountToken": true, "hasConnectHost": false, "hasConnectToken": false, "defaultVault": "openclaw" }and
opbinary is intentionally not bundled into the plugin package; direct users and custom container images must provide a compatible 1Password CLI in the Gateway runtime.Tests and validation
Commands run locally:
CLI smoke checks:
Notes:
openclaw 1password --helpcorrectly reports that the bundled plugin must be enabled first withopenclaw plugins enable 1password, matching the Vault plugin behavior.secrets applyplan containing a plugin-managedonepasswordexec provider and a model provider SecretRef target.Regression coverage added:
op://references, shorthand references withCLAW_1PASSWORD_VAULT, missing CLI diagnostics, andCLAW_1PASSWORD_VALUES_JSONnot being passed through the manifest.What failed before this fix:
Risk checklist
YesYesYesop, and the Gateway runtime must provide a trustworthy 1Password CLI plus scoped 1Password auth env.openclaw plugins enable 1password, resolver execution is plugin-managed through manifest metadata, secret values are returned only through the SecretRef protocol, setup writes SecretRefs rather than plaintext, tests cover resolver and CLI plan behavior, and docs call out host/containeropruntime requirements.Current review state
Next action: maintainer/security review for the bundled exec resolver trust model and runtime
opdependency.Reviewer focus:
op://<vault>/<item>/<field>,<vault>/<item>/<field>,<vault>/<item>/<section>/<field>, and<item>/<field>withCLAW_1PASSWORD_VAULT.CLAW_1PASSWORD_OPcan pin the CLI path, and failures avoid printing secret values.opbinary.