The original tokenFor() only overrode AGENT_ID, relying on the openclaw parent process's environment to carry AGENT_VERIFY and AGENT_WORKSPACE. In practice the openclaw daemon process is started without those env vars, so the child secret-mgr call fails with "must be invoked via pcexec" and the plugin silently falls back to the plugin-level apiKey. Synthesize all three env vars explicitly: the verify sentinel is constant, AGENT_ID gates which agent's store secret-mgr looks at, and AGENT_WORKSPACE only needs to be a syntactically valid path because get-secret indexes by AGENT_ID alone. Verified in dind-t2: with a clean parent env, spawnSync now successfully retrieves the per-agent hf-token from /root/.openclaw/pc-pass-store/<agent>/.
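The env-inheritance failure described in the commit message above, as an added example that is not the plugin's code: the child is a constructed stand-in for secret-mgr, and `VERIFY_SENTINEL`, the workspace path and the helper names `envInherited`/`envSynthesized` are assumptions. Unlike the plugin's described fallback, this `tokenFor` throws when the lookup fails, so a missing variable is visible rather than masked by a shared key.

```javascript
// Added illustration; not the plugin's code. The child below is a constructed
// stand-in for secret-mgr; VERIFY_SENTINEL and the workspace path are placeholders.
const { spawnSync } = require('node:child_process');

const VERIFY_SENTINEL = 'PLACEHOLDER_SENTINEL'; // real value is not given on the page

// Stand-in child: refuses to run without the sentinel, then keys the lookup
// on AGENT_ID alone (AGENT_WORKSPACE is never read).
const STAND_IN_CHILD = `
  if (process.env.AGENT_VERIFY !== ${JSON.stringify(VERIFY_SENTINEL)}) {
    console.error('must be invoked via pcexec');
    process.exit(1);
  }
  process.stdout.write('token-for-' + process.env.AGENT_ID);
`;

// Before: only AGENT_ID is overridden; the rest is inherited from the parent.
function envInherited(parentEnv, agentId) {
  return { ...parentEnv, AGENT_ID: agentId };
}

// After: all three variables are set explicitly, so the parent env no longer matters.
function envSynthesized(parentEnv, agentId) {
  return {
    ...parentEnv,
    AGENT_ID: agentId,
    AGENT_VERIFY: VERIFY_SENTINEL,
    AGENT_WORKSPACE: `/tmp/workspace-${agentId}`, // placeholder, only needs to be a valid path
  };
}

// Returns the per-agent token, or throws instead of falling back to a shared key.
function tokenFor(agentId, env) {
  const r = spawnSync(process.execPath, ['-e', STAND_IN_CHILD], { env, encoding: 'utf8' });
  if (r.status !== 0) {
    throw new Error(`secret lookup failed for ${agentId}: ${(r.stderr || '').trim()}`);
  }
  return r.stdout;
}

// Constructed "daemon" environment: PATH only, none of the AGENT_* variables.
const daemonEnv = { PATH: process.env.PATH || '' };
```

Calling `tokenFor('agent-a', envInherited(daemonEnv, 'agent-a'))` throws with the child's "must be invoked via pcexec" message, while the same call with `envSynthesized` returns the per-agent value.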