diff --git a/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md b/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md index d5f9221..89db96a 100644 --- a/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md +++ b/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md @@ -39,8 +39,8 @@ ## ✅ DOs **Secrets & Config** -- All secrets → AWS Secrets Manager (`/faststart//`) -- All config → SSM Parameter Store (`/faststart//`) +- All secrets → AWS Secrets Manager (`faststart//` — no leading `/`; some agents reject it) +- All config → SSM Parameter Store (`/faststart//` — leading `/` is fine here) - Lambda config injected via CFN `Environment.Variables` using `!Ref`/`!Sub` - Frontend config injected as `VITE_*` build vars from CodeBuild SSM params - Use `AWS::AccountId`, `AWS::Region`, `AWS::StackName` pseudo-refs in CFN @@ -75,7 +75,8 @@ - Resources: `{project}-{resource}` (e.g. `outline-alb`) - IAM roles: `{project}-{purpose}-role` - Security groups: `{project}-{layer}-sg` -- SSM params: `/faststart/{project}/{key}` +- Secrets: `faststart/{project}/{key}` (no leading slash — OpenClaw's exec secret reference rejects it) +- SSM params: `/faststart/{project}/{key}` (leading slash is the SSM convention) --- diff --git a/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md b/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md index 14c0361..f584e87 100644 --- a/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md +++ b/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md @@ -32,7 +32,7 @@ CodePipeline state change ```bash aws secretsmanager create-secret \ - --name /faststart/telegram-bot-token \ + --name faststart/telegram-bot-token \ --secret-string "YOUR_BOT_TOKEN" \ --region us-east-1 ``` 
@@ -51,7 +51,7 @@ const cp = new CodePipelineClient({ region: "us-east-1" }); const ssm = new SSMClient({ region: "us-east-1" }); const CHAT_ID = process.env.TELEGRAM_CHAT_ID; -const SECRET_NAME = "/faststart/telegram-bot-token"; +const SECRET_NAME = "faststart/telegram-bot-token"; const INSTANCE_ID = process.env.OPENCLAW_INSTANCE_ID; let cachedToken = null; @@ -156,7 +156,7 @@ The role needs: { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", - "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:/faststart/telegram-bot-token-*" + "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:faststart/telegram-bot-token-*" }, { "Effect": "Allow", @@ -357,7 +357,7 @@ echo "Webhook URL: https://${API_ID}.execute-api.us-east-1.amazonaws.com/webhook ```bash export GH_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/github-token --query SecretString --output text --region us-east-1) + --secret-id faststart/github-token --query SecretString --output text --region us-east-1) WEBHOOK_URL="https://API_ID.execute-api.us-east-1.amazonaws.com/webhook" diff --git a/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md b/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md index a107102..8c80295 100644 --- a/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md +++ b/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md 
@@ -21,18 +21,20 @@ Store it immediately in Secrets Manager — don't leave it in chat history: ```bash aws secretsmanager create-secret \ - --name /faststart/telegram-bot-token \ + --name faststart/telegram-bot-token \ --secret-string "YOUR_BOT_TOKEN_HERE" \ --region us-east-1 ``` +> **Note:** No leading `/` in the secret name. OpenClaw's exec secret reference (`exec:aws-sm:`) requires the name to start with an alphanumeric character; `/faststart/...` will fail gateway startup with a `SECRETS_RELOADER_DEGRADED` error. Slashes are allowed *inside* the name as separators. + ### Step 2: Get Your Telegram Chat ID Start a conversation with your new bot (send it any message). Then fetch your chat ID: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) curl -s "https://api.telegram.org/bot${BOT_TOKEN}/getUpdates" \ @@ -53,7 +55,7 @@ Add the Telegram channel to OpenClaw config. Ask Loki to run: ``` /config patch channels.telegram with: enabled: true - botToken: + botToken: dmPolicy: allowlist allowFrom: [YOUR_CHAT_ID] groupPolicy: allowlist @@ -64,7 +66,7 @@ Or use `openclaw config patch` directly: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) openclaw config patch <> ~/.hermes/.env @@ -148,7 +150,7 @@ Send your bot a message. You should get a response from the agent within a few s ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \ 
@@ -285,7 +287,7 @@ To fetch the token from Secrets Manager: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) echo "TELEGRAM_BOT_TOKEN=${BOT_TOKEN}" >> ~/.ironclaw/.env diff --git a/packs/kiro-cli/install.sh b/packs/kiro-cli/install.sh index ab6e1a8..11fca13 100755 --- a/packs/kiro-cli/install.sh +++ b/packs/kiro-cli/install.sh @@ -58,7 +58,7 @@ Post-install authentication: Examples: ./install.sh ./install.sh --region eu-west-1 - ./install.sh --from-secret /faststart/kiro-api-key + ./install.sh --from-secret faststart/kiro-api-key SECURITY NOTE: Don't pass raw API keys on the command line. Store your key in AWS
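Review bot: In the first BOOTSTRAP-CODING-GUIDELINES.md hunk (the `All secrets` bullet) the rationale "some agents reject it" is vaguer than the second hunk, which names OpenClaw's exec secret reference as the component that fails; use the same specific wording in both places so a reader knows which agent breaks and why. The placeholder in `faststart//` also renders with empty path segments in this view, while the naming hunk uses `{project}/{key}`; if the first bullet uses angle-bracket placeholders, switch it to the brace form so the segments survive Markdown rendering.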
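Review bot: In the IAM hunk of BOOTSTRAP-PIPELINE-NOTIFICATIONS.md the updated `"Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:faststart/telegram-bot-token-*"` matches the renamed secret, but the trailing `-*` (needed because Secrets Manager appends a hyphen and a random suffix to the ARN) also grants `GetSecretValue` on any future secret whose name begins with `faststart/telegram-bot-token-`; acceptable for a single-bot setup, but add a comment so nobody later names another secret under that prefix. Also confirm that no deployed role still carries the old `/faststart/telegram-bot-token-*` ARN, since after the rename that policy no longer matches and the Lambda will fail with AccessDenied.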
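Review bot: The new blockquote note in the BOOTSTRAP-TELEGRAM.md Step 1 hunk explains the failure mode well (`SECRETS_RELOADER_DEGRADED` at gateway startup), but the hunk gives no guidance to users who already created `/faststart/telegram-bot-token` under the old instructions: running `create-secret` with the new name leaves the old copy of the bot token in the account, and `get-secret-value --secret-id` reads either name, which can hide a half-finished migration. Add a one-line step to delete the old secret (`aws secretsmanager delete-secret --secret-id /faststart/telegram-bot-token`) once the new one is confirmed working.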
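Review bot: In the `/config patch channels.telegram` hunk of BOOTSTRAP-TELEGRAM.md, the `-` and `+` lines both read `botToken:` with nothing after the colon in this view, so the actual change to the value cannot be reviewed; confirm the new line carries the `exec:aws-sm:` reference form the note above describes, with the un-slashed secret name, and that the rendered Markdown does not swallow it (an angle-bracket placeholder would be parsed as HTML and disappear).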
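Review bot: In the `~/.ironclaw/.env` hunk of BOOTSTRAP-TELEGRAM.md the context line `echo "TELEGRAM_BOT_TOKEN=${BOT_TOKEN}" >> ~/.ironclaw/.env` appends a new entry on every run, so anyone re-running the step after the rename ends up with two `TELEGRAM_BOT_TOKEN=` lines and whichever one the loader picks wins; since this hunk already touches that block, replace the append with a remove-then-append (for example `grep -v '^TELEGRAM_BOT_TOKEN=' ~/.ironclaw/.env > ~/.ironclaw/.env.tmp && mv ~/.ironclaw/.env.tmp ~/.ironclaw/.env` before the `echo`) and add `chmod 600 ~/.ironclaw/.env` so the plaintext token is not readable by other local users.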
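Review bot: Only the usage example (`./install.sh --from-secret faststart/kiro-api-key`) changes in the packs/kiro-cli/install.sh hunk; check that the `--from-secret` handling in the script body does not validate or normalise the argument on the assumption of a leading `/`, and that any default secret name hard-coded in the script was renamed as well, otherwise the help text and the code now disagree.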