





















@@ -38,6 +38,51 @@ If a target does not match these rules, apply fails before mutating configuratio
3838}
3939```
404041+## Provider upserts and deletes
42+43+Plans may also include two optional top-level fields that mutate the
44+`secrets.providers` map alongside the per-target writes:
45+46+- `providerUpserts` — an object keyed by provider alias. Each value is a
47+ provider definition (the same shape accepted under
48+`secrets.providers.<alias>` in `openclaw.json`, e.g. an `exec` or `file`
49+ provider).
50+- `providerDeletes` — an array of provider aliases to remove.
51+52+`providerUpserts` runs before `targets`, so a `target.ref.provider` may
53+reference a provider alias that the same plan introduces in
54+`providerUpserts`. Without this, plans that reference an alias not yet
55+configured in `openclaw.json` fail with `provider "<alias>" is not
56+configured`.
57+58+```json5
59+{
60+ version: 1,
61+ protocolVersion: 1,
62+ providerUpserts: {
63+ onepassword_anthropic: {
64+ source: "exec",
65+ command: "/usr/bin/op",
66+ args: ["read", "op://Vault/Anthropic/credential"],
67+ },
68+ },
69+ providerDeletes: ["legacy_unused_alias"],
70+ targets: [
71+ {
72+ type: "models.providers.apiKey",
73+ path: "models.providers.anthropic.apiKey",
74+ pathSegments: ["models", "providers", "anthropic", "apiKey"],
75+ providerId: "anthropic",
76+ ref: { source: "exec", provider: "onepassword_anthropic", id: "credential" },
77+ },
78+ ],
79+}
80+```
81+82+Exec providers introduced via `providerUpserts` are still subject to the
83+exec consent rules in [Exec provider consent behavior](#exec-provider-consent-behavior):
84+plans containing exec providers require `--allow-exec` in write mode.
85+4186## Supported target scope
42874388Plan targets are accepted for supported credential paths in:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。