From b93c80950c90fc4bfd54ba1b98096bcfab0cbd14 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 29 Apr 2026 11:26:29 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@f79553bef61f7b28a848d0c7dd6b04db99503083 --- .openclaw-sync/source.json | 4 ++-- docs/auth-credential-semantics.md | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 1cc0d2eee..d27e83624 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "dc9f1b8525b18fc2ec2db6c2d6d90be68e4495f8", - "syncedAt": "2026-04-29T11:20:06.052Z" + "sha": "f79553bef61f7b28a848d0c7dd6b04db99503083", + "syncedAt": "2026-04-29T11:24:58.782Z" } diff --git a/docs/auth-credential-semantics.md b/docs/auth-credential-semantics.md index 2027a1bc4..3c1f81ba3 100644 --- a/docs/auth-credential-semantics.md +++ b/docs/auth-credential-semantics.md @@ -80,6 +80,14 @@ the target agent signs in separately and creates its own local profile. candidate for it, `models status --probe` reports `status: no_model` with `reasonCode: no_model`. +## External CLI credential discovery + +- Runtime-only credentials owned by external CLIs are discovered only when the + provider, runtime, or auth profile is in scope for the current operation, or + when a stored local profile for that external source already exists. +- Read-only/status paths pass `allowKeychainPrompt: false`; they use file-backed + external CLI credentials only and do not read or reuse macOS Keychain results. + ## OAuth SecretRef Policy Guard - SecretRef input is for static credentials only.