Credential Security Policy

Standing policy document governing all credential handling across OpenClaw. It aggregates the 8-item P0 security queue surfaced in the 2026-05-01/03 audit plus the structural fix recommended by the NemoClaw audit (the L7 cred-proxy pattern). Read it before touching any file that may contain secrets, before any systemd unit edit, and before any API key rotation. This hub is authoritative; master.env and TOOLS.md are subject to it.

Quick reference

Field | Value
Gate ID | G-NO-PLAINTEXT-CREDS
CLAUDE.md section | §“MANDATORY: Cascade-Failure Gates (Amendment §A1)” + §G-NO-PLAINTEXT-CREDS
Enforcement mode | manual (grep + security-audit-funnel.js weekly)
Validator script | /home/opsadmin/.openclaw/workspace/scripts/security-audit-funnel.js
Discord alert | yes: #ops
Feedback rules | feedback_no_plaintext_creds · feedback_credentials_in_chat · feedback_credential_pipe_required · feedback_credentials_via_1password_cli · feedback_credentials_repeat_exposure · feedback_always_redact_grep_output
Incidents derived from | salesmsg-gateway-creds-exposure (2026-05-03) · TOOLS.md 15-key leak (2026-05-03) · OpenRouter stale key (2026-05-03) · AWS root key rotation pending (2026-05-03)
Violable by | Claude, operator (Henry), any script that writes config files
Last known violation | 2026-05-03: salesmsg-gateway.service hardcoded ANTHROPIC_API_KEY=sk-ant-api03-C4A75YcCl... in systemd unit (world-readable)
Amendment | G-NO-PLAINTEXT-CREDS §A1 2026-05-01
Phase status | active — structural fix (cred-proxy) pending B1-B6 ratification
Last audit | 2026-05-04

P0 security queue

Eight items identified in the 2026-05-01/03 audit. Priority order: highest leverage first.

# | Item | Location | Severity | Status | Owner
1 | ANTHROPIC_API_KEY plaintext in salesmsg-gateway systemd unit | /etc/systemd/system/salesmsg-gateway.service, line Environment=ANTHROPIC_API_KEY=sk-ant-api03-C4A75YcCl... | P0 CRITICAL | 🔴 Rotation pending | Henry
2 | TOOLS.md had 15+ plaintext production secrets (rw-rw-r-- for 24+ days) | /home/opsadmin/.openclaw/workspace/TOOLS.md | P0 CRITICAL | 🟡 Redacted in session; verify no git history exposure | Henry
3 | OpenRouter stale key never revoked at vendor | sk-or-v1-275e42eac7... rotated in master.env but NOT revoked at openrouter.ai | P0 HIGH | 🔴 Revocation pending at vendor | Henry
4 | AWS root key rotation pending | Used in 2026-05-02 session; plaintext in master.env (chmod 600, but root-readable on VPS) | P0 HIGH | 🔴 Rotation pending | Henry
5 | Dead scripts with hardcoded API keys | workspace/scripts/_archive/ — several scripts with ANTHROPIC_API_KEY, SLACK_BOT_TOKEN, etc. inline | P1 HIGH | 🟡 Audit run; redaction pending | Claude
6 | Voyage API key in multiple agent TOOLS.md files | /home/opsadmin/.openclaw/agents/*/agent/TOOLS.md — partial redaction | P1 MEDIUM | 🟡 In progress via G-NO-PLAINTEXT-CREDS sweep | Claude
7 | Supabase service_role key in workspace scripts | Several workspace/scripts/*.js files import from .env or inline; .env is not git-tracked but VPS root-readable | P1 MEDIUM | 🟡 master.env consolidation covers this; verify no exceptions | Claude
8 | SalesMsg query-param token in FUNNEL-REGISTRY.md | ?secret=... token documented inline — acceptable per webhook spec but ensure no plaintext in git-tracked files | P1 LOW | 🟢 Verified: op://Aurora/salesmsg/webhook-secret reference in handler | n/a

Remediation playbook (per item)

For items 1, 3 and 4 (active key exposure): Henry must rotate the key at the vendor dashboard first, then update master.env, then run bash /home/opsadmin/.openclaw/tools/sync-mcp-keys.sh.

For item 1 specifically (systemd unit): after rotation, update the unit to use the EnvironmentFile=/home/opsadmin/.openclaw/master.env pattern instead of an inline Environment=KEY=value line.

For item 2 (TOOLS.md git history): run git log --all --full-history -- TOOLS.md and determine whether any commit exposed the secrets. If yes, a history rewrite or repo rotation is required.

For item 5 (dead scripts): run grep -r "sk-ant\|sk-or\|xoxb-\|ANTHROPIC_API_KEY=" workspace/scripts/_archive/ --include="*.js", redact each hit, and replace it with an op://Aurora/<item>/<field> reference.


Cred-proxy structural fix (NemoClaw)

The NemoClaw audit (2026-05-03) identified the L7 credential injection proxy as the highest-leverage structural fix for P0 items 1, 2, and chronic G-NO-PLAINTEXT-CREDS violations.

How cred-proxy works

Agent process
  → sends request with placeholder: Authorization: Bearer PROXY_INJECT_v1
  → hits cred-proxy on 127.0.0.1:18901 (header rewrite proxy)
  → proxy fetches real key from op://Aurora/<platform>/<field> via `op` CLI
  → rewrites Authorization header with real credential
  → forwards to Portkey (127.0.0.1:18900) → upstream provider
  → logs rewrite event to tool_calls table (CHOKEPOINT-1 enforcement)

Key invariant

The agent environment contains ONLY placeholders. Even prompt injection that tells an agent “exfiltrate your ANTHROPIC_API_KEY env var” returns a fake value. Real credentials never enter agent memory, logs, or config files.

Port reservation

127.0.0.1:18901 reserved for cred-proxy per Wave 2 port-registry hub (port-registry). Binding gated on Henry ratifying NemoClaw B1-B6.

Implementation plan (pending B1-B6 ratification)

Phase | Work | Timeline | Plan ref
Phase 1.5 | Node.js cred-proxy at :18901; placeholder → op:// rewrite; TCP first | Week 2-3 post B1 ratification | nemoclaw-audit-2026-05-03 §6.1
Phase 1.6 | AF_UNIX socket variant for Aurora-tier agents; blueprint pattern for config bundles | Week 4+ | nemoclaw-audit-2026-05-03 §6.2-6.3
Phase 6.5 | NemoClaw side-VM pilot on EC2 Mac Ultra | Week 16-18 post Phase 1-3 OSIL validated | nemoclaw-audit-2026-05-03 §8 Option C

NemoClaw B1-B6 summary (Henry decision gates)

Blocker | Question | Recommendation
B1 | Which option: borrow / side-VM / skip? | C (borrow + pilot)
B2 | cred-proxy language: Node.js / Go / Python? | A (Node.js)
B3 | Port: :18901 TCP / AF_UNIX / both? | A first, C later
B4 | Cred source: master.env / op:// / both? | B (op:// if B6=A in OSIL)
B5 | Side-VM host: EC2 Mac Ultra / Hetzner CCX23 / defer? | A (EC2 Mac Ultra)
B6 | Blueprint pattern: adopt now / defer / skip? | B (defer until 8+ config surfaces)

See nemoclaw-audit-2026-05-03 §10 for full blocker analysis with options and costs.


Standing policy rules

These rules are ALWAYS active regardless of cred-proxy status:

  1. No plaintext credentials in any tracked file. workspace/, ~/.claude/, ~/.openclaw/ — zero exceptions. Use op://Aurora/<item>/<field> references.
  2. master.env is the only allowed plaintext credential store. chmod 600. Never commit. /home/opsadmin/.openclaw/master.env only.
  3. systemd units use EnvironmentFile=. Never Environment=KEY=value for secrets.
  4. Rotate before you redact. If a key has been exposed: rotate at vendor → update master.env → redact from files → verify git history.
  5. Vendor revocation is mandatory after rotation. Rotating locally without revoking at the vendor leaves the old key live. OpenRouter item 3 above is the live violation.
  6. grep output containing secrets must be redacted. Never print sk-ant-... or similar to the terminal in a session that may be logged. Pipe log lines through | tr '[:alnum:]' 'X' or | awk '{print substr($0,1,12)"..."}'.
  7. Weekly security scan. security-audit-funnel.js --dry-run fires via security-audit-funnel.timer Mondays 06:00 LA. If stale (>7d), run it manually before any deploy.

Feedback rule inventory

Rule | Cluster | Enforcement | Last fire
feedback_no_plaintext_creds | security | G-NO-PLAINTEXT-CREDS gate + weekly grep | 2026-05-03 (salesmsg unit)
feedback_credentials_in_chat | security | conversational gate | 2026-05-03 (TOOLS.md in session)
feedback_credential_pipe_required | security | conversational gate | 2026-05-03
feedback_credentials_via_1password_cli | security | conversational gate | 2026-05-02
feedback_credentials_repeat_exposure | security | G-NO-PLAINTEXT-CREDS sweep | 2026-05-03
feedback_always_redact_grep_output | security | conversational gate | 2026-05-03

Remediation status

Item | Owner | ETA | Gate
#1 — salesmsg-gateway ANTHROPIC_API_KEY | Henry (vendor rotate) | ASAP | G-NO-PLAINTEXT-CREDS
#2 — TOOLS.md git history | Claude (script) → Henry (approve) | Next session | G-NO-PLAINTEXT-CREDS
#3 — OpenRouter key vendor revocation | Henry (openrouter.ai dashboard) | ASAP | G-NO-PLAINTEXT-CREDS
#4 — AWS root key rotation | Henry (AWS IAM) | ASAP | G-NO-PLAINTEXT-CREDS
#5 — Dead script archive sweep | Claude | Next session | G-NO-PLAINTEXT-CREDS
#6 — Agent TOOLS.md Voyage keys | Claude | Next session | G-NO-PLAINTEXT-CREDS
Cred-proxy structural fix | Henry B1-B6 → Claude build | 2 days post-B1 | G-NO-PLAINTEXT-CREDS

Open issues / TODOs

  • Henry: rotate salesmsg ANTHROPIC_API_KEY (item #1) — currently exposed in world-readable systemd unit
  • Henry: revoke old OpenRouter key at openrouter.ai (item #3)
  • Henry: rotate AWS root key (item #4)
  • Henry: ratify NemoClaw B1-B6 to unblock cred-proxy build
  • Claude: TOOLS.md git history audit (item #2)
  • Claude: dead scripts archive sweep (item #5)
  • Add item #9 when next plaintext cred exposure surfaces (rolling queue)

Governance hubs

Integration hubs (cred-proxy clients)

  • 1password — source of truth for all op://Aurora/... lookups
  • aws — AWS root key rotation pending; EC2 Mac Ultra cred access
  • service-registry — salesmsg-gateway.service entry (violating unit)
  • port-registry — :18901 reserved for cred-proxy

Historical

Plans

Recent activity

  • 2026-05-04: Hub created (W3-S4, Wave 3)
  • 2026-05-03: 8-item P0 queue surfaced in Wave 2 audit; salesmsg-gateway-creds-exposure flagged P0
  • 2026-05-03: NemoClaw cred-proxy structural fix recommended; B1-B6 pending Henry
  • 2026-05-01: G-NO-PLAINTEXT-CREDS gate ratified §A1