inceptionstack · royosherove · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md b/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md
@@ -39,8 +39,8 @@
 ## ✅ DOs
 
 **Secrets & Config**
-- All secrets → AWS Secrets Manager (`/faststart/<project>/<key>`)
-- All config → SSM Parameter Store (`/faststart/<project>/<key>`)
+- All secrets → AWS Secrets Manager (`faststart/<project>/<key>` — no leading `/`; some agents reject it)
+- All config → SSM Parameter Store (`/faststart/<project>/<key>` — leading `/` is fine here)
 - Lambda config injected via CFN `Environment.Variables` using `!Ref`/`!Sub`
 - Frontend config injected as `VITE_*` build vars from CodeBuild SSM params
 - Use `AWS::AccountId`, `AWS::Region`, `AWS::StackName` pseudo-refs in CFN
@@ -75,7 +75,8 @@
 - Resources: `{project}-{resource}` (e.g. `outline-alb`)
 - IAM roles: `{project}-{purpose}-role`
 - Security groups: `{project}-{layer}-sg`
-- SSM params: `/faststart/{project}/{key}`
+- Secrets: `faststart/{project}/{key}` (no leading slash — OpenClaw's exec secret reference rejects it)
+- SSM params: `/faststart/{project}/{key}` (leading slash is the SSM convention)
 
 ---
 

diff --git a/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md b/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md
@@ -32,7 +32,7 @@ CodePipeline state change
 
 ```bash
 aws secretsmanager create-secret \
-  --name /faststart/telegram-bot-token \
+  --name faststart/telegram-bot-token \
   --secret-string "YOUR_BOT_TOKEN" \
   --region us-east-1
 ```
@@ -51,7 +51,7 @@ const cp = new CodePipelineClient({ region: "us-east-1" });
 const ssm = new SSMClient({ region: "us-east-1" });
 
 const CHAT_ID = process.env.TELEGRAM_CHAT_ID;
-const SECRET_NAME = "/faststart/telegram-bot-token";
+const SECRET_NAME = "faststart/telegram-bot-token";
 const INSTANCE_ID = process.env.OPENCLAW_INSTANCE_ID;
 
 let cachedToken = null;
@@ -156,7 +156,7 @@ The role needs:
     {
       "Effect": "Allow",
       "Action": "secretsmanager:GetSecretValue",
-      "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:/faststart/telegram-bot-token-*"
+      "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:faststart/telegram-bot-token-*"
     },
     {
       "Effect": "Allow",
@@ -357,7 +357,7 @@ echo "Webhook URL: https://${API_ID}.execute-api.us-east-1.amazonaws.com/webhook
 
 ```bash
 export GH_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/github-token --query SecretString --output text --region us-east-1)
+  --secret-id faststart/github-token --query SecretString --output text --region us-east-1)
 
 WEBHOOK_URL="https://API_ID.execute-api.us-east-1.amazonaws.com/webhook"
 

diff --git a/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md b/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md
@@ -21,18 +21,20 @@ Store it immediately in Secrets Manager — don't leave it in chat history:
 
 ```bash
 aws secretsmanager create-secret \
-  --name /faststart/telegram-bot-token \
+  --name faststart/telegram-bot-token \
   --secret-string "YOUR_BOT_TOKEN_HERE" \
   --region us-east-1
 ```
 
+> **Note:** No leading `/` in the secret name. OpenClaw's exec secret reference (`exec:aws-sm:<name>`) requires the name to start with an alphanumeric character; `/faststart/...` will fail gateway startup with a `SECRETS_RELOADER_DEGRADED` error. Slashes are allowed *inside* the name as separators.
+
 ### Step 2: Get Your Telegram Chat ID
 
 Start a conversation with your new bot (send it any message). Then fetch your chat ID:
 
 ```bash
 BOT_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/telegram-bot-token \
+  --secret-id faststart/telegram-bot-token \
   --query SecretString --output text --region us-east-1)
 
 curl -s "https://api.telegram.org/bot${BOT_TOKEN}/getUpdates" \
@@ -53,7 +55,7 @@ Add the Telegram channel to OpenClaw config. Ask Loki to run:
 ```
 /config patch channels.telegram with:
   enabled: true
-  botToken: <fetched from /faststart/telegram-bot-token>
+  botToken: <fetched from faststart/telegram-bot-token>
   dmPolicy: allowlist
   allowFrom: [YOUR_CHAT_ID]
   groupPolicy: allowlist
@@ -64,7 +66,7 @@ Or use `openclaw config patch` directly:
 
 ```bash
 BOT_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/telegram-bot-token \
+  --secret-id faststart/telegram-bot-token \
   --query SecretString --output text --region us-east-1)
 
 openclaw config patch <<EOF
@@ -115,7 +117,7 @@ To fetch the token from Secrets Manager:
 
 ```bash
 BOT_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/telegram-bot-token \
+  --secret-id faststart/telegram-bot-token \
   --query SecretString --output text --region us-east-1)
 
 echo "TELEGRAM_BOT_TOKEN=${BOT_TOKEN}" >> ~/.hermes/.env
@@ -148,7 +150,7 @@ Send your bot a message. You should get a response from the agent within a few s
 
 ```bash
 BOT_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/telegram-bot-token \
+  --secret-id faststart/telegram-bot-token \
   --query SecretString --output text --region us-east-1)
 
 curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \
@@ -285,7 +287,7 @@ To fetch the token from Secrets Manager:
 
 ```bash
 BOT_TOKEN=$(aws secretsmanager get-secret-value \
-  --secret-id /faststart/telegram-bot-token \
+  --secret-id faststart/telegram-bot-token \
   --query SecretString --output text --region us-east-1)
 
 echo "TELEGRAM_BOT_TOKEN=${BOT_TOKEN}" >> ~/.ironclaw/.env

diff --git a/packs/kiro-cli/install.sh b/packs/kiro-cli/install.sh
@@ -58,7 +58,7 @@ Post-install authentication:
 Examples:
   ./install.sh
   ./install.sh --region eu-west-1
-  ./install.sh --from-secret /faststart/kiro-api-key
+  ./install.sh --from-secret faststart/kiro-api-key
 
 SECURITY NOTE:
   Don't pass raw API keys on the command line. Store your key in AWS