feat: Bitwarden secret resolver and async register#398
Open
Coke1120 wants to merge 3 commits intoCortexReach:masterfrom
Open
feat: Bitwarden secret resolver and async register#398Coke1120 wants to merge 3 commits intoCortexReach:masterfrom
Coke1120 wants to merge 3 commits intoCortexReach:masterfrom
Conversation
Add src/secret-resolver.ts supporting ${ENV_VAR} and bws://<secret-id>
Bitwarden CLI secret references for embedding, rerank, and LLM API keys.
Make plugin register() async to support async secret resolution.
Update openclaw.plugin.json docs to advertise bws:// support.
Fix all tests to await plugin.register().
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
4 tasks
With async register() now awaited, selfImprovement defaults to enabled and registers command:new before the sessionMemory assertion runs. Explicitly disable it in the base test config to isolate the assertion. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AliceLJY
approved these changes
Mar 29, 2026
3 tasks
Collaborator
Review: REQUEST-CHANGESThe Bitwarden secret resolver addresses a real operational gap (issue #349). Two issues need fixing before merge: Must fix:
Worth considering (not blocking):
|
…t resolution
Make register() synchronous again (OpenClaw loader does not await it).
All hook/tool registrations happen immediately; embedder, retriever, and
smartExtractor are initialized in a fire-and-forget initPromise that
resolves async secrets. Every hook that uses these awaits initPromise
before proceeding. register() returns initPromise so awaiting callers
(tests, host implementations that do support async) can still wait.
Also fix:
- bws access token passed via BWS_ACCESS_TOKEN env var instead of
--access-token CLI arg to avoid exposure in process listings
- embedder double-resolveEnvVars: skip expansion if key lacks ${}
- selfImprovement: { enabled: false } in sessionDefaultApi,
sessionEnabledApi, and session-summary harness to isolate assertions
from the now-default-true selfImprovement feature
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
src/secret-resolver.tssupporting${ENV_VAR}andbws://<secret-id>Bitwarden Secrets Manager refs for embedding, rerank, and LLM API keysplugin.register()async to support async secret resolutionopenclaw.plugin.jsondocs to advertisebws://support on all API key fieldsawait plugin.register()Test plan
node --test test/secret-resolver.test.mjs— verify Bitwarden and env-var resolution pathsnpm test— full test suite passes with async registerSplit from #349.
🤖 Generated with Claude Code