Independent OpenClaw reporting, releases, guides, and community coverage
OpenClaw News

OpenClaw Adds Secret Sentinel Egress

OpenClaw now keeps SecretRef-backed model credentials as process-local sentinels until guarded provider egress.

Filed under Posts 3 min read Updated Jul 8, 2026
OpenClaw Adds Secret Sentinel Egress

OpenClaw merged PR #102009, "feat(secrets): egress-time credential injection with process-local sentinels", a P0 security-boundary change aimed at reducing how far provider credentials travel inside the runtime.

The problem is subtle but important. SecretRefs already keep provider keys out of openclaw.json, but once a key is resolved, plaintext can still move through auth storage, stream options, SDK client configuration, logs, debug captures, and error objects. PR #102009 moves OpenClaw toward a narrower model: hold opaque sentinel values through most of that path, then substitute the real credential at guarded provider egress.

What Changed

The new flow turns SecretRef-managed model credentials into process-local sentinel strings during model-auth resolution. Those sentinel values are what auth storage, stream options, SDK config, logs, and error paths see.

At the final outbound provider request boundary, OpenClaw's guarded model fetch substitutes known sentinels in headers and supported URL auth shapes immediately before the SSRF-guarded send. If a value looks like a sentinel but was not registered by the current process, it fails closed before network activity.

The PR also adds an exact-value redaction registry. Resolved secret values and their percent-encoded forms are registered for masking by the runtime's redaction paths, adding a second layer of protection if plaintext ever reaches a log-like surface.

Provider Adapter Coverage

The implementation also tightens adapter behavior across the provider stack. The PR says Anthropic, OpenAI responses and completions, Azure, and Mistral now use SDK-supported custom fetch hooks or HTTP client fetchers.

Google Gemini and Google Vertex are handled differently because the installed @google/genai path does not expose the same fetch hook. For those, OpenClaw unwraps at construction through an inert host port. In-house transports and plugin-stream handoffs use core-owned unwrap points.

That matters because a sentinel design only works when every model-call path has a known place to swap the sentinel for the real credential.

User Impact

For operators, the headline is simple: no configuration change is required. SecretRef-backed model credentials in auth profiles and model-provider API key paths are protected automatically.

The PR also documents an incident-response kill switch, OPENCLAW_SECRET_SENTINELS=off|0|false. Exact-value redaction remains active even when that switch disables sentinel injection.

The boundary is intentionally specific. Plain environment credentials without SecretRefs are unchanged, and same-process memory still contains the secret at the final adapter boundary. Channel tokens, MCP headers, skill environment variables, and sandbox egress proxying are listed as follow-up areas rather than part of this PR.

Validation

The evidence is unusually broad for a secrets change. The PR reports focused Vitest coverage for sentinel behavior, logging redaction, and provider transport fetch behavior, plus a larger matrix of 900-plus tests, a build, and pnpm check:changed.

It also includes a live-path proof: an isolated OpenClaw home and state directory used an Anthropic API key stored as a file SecretRef, completed a local model call, and then found the raw key only in the staged key file. The debug log, generated model metadata, session files, trajectory files, and state artifacts had zero occurrences.

Bottom Line

SecretRefs are more useful when plaintext does not become the runtime's default credential representation after resolution. PR #102009 makes the guarded egress boundary the place where model credentials become real again, which is the right direction for a system that increasingly runs agents across logs, captures, providers, and long-lived sessions.

Daily Briefing

Get the Open-Source Briefing

The stories that matter, delivered to your inbox every morning. Free, no spam, unsubscribe anytime.

Join 45,000+ developers. No spam. Unsubscribe anytime.