fix(security): use providers for messaging credential injection

bin/lib/onboard.js

@@ -844,6 +844,15 @@ async function promptValidationRecovery(label, recovery, credentialEnv = null, h
   return "selection";
 }
 
+/**
+ * Build the argument array for an `openshell provider create` or `update` command.
+ * @param {"create"|"update"} action - Whether to create or update.
+ * @param {string} name - Provider name.
+ * @param {string} type - Provider type (e.g. "openai", "anthropic", "generic").
+ * @param {string} credentialEnv - Credential environment variable name.
+ * @param {string|null} baseUrl - Optional base URL for API-compatible endpoints.
+ * @returns {string[]} Argument array for runOpenshell().
+ */
 function buildProviderArgs(action, name, type, credentialEnv, baseUrl) {
   const args =
     action === "create"
@@ -857,6 +866,18 @@ function buildProviderArgs(action, name, type, credentialEnv, baseUrl) {
   return args;
 }
 
+/**
+ * Create or update an OpenShell provider in the gateway.
+ *
+ * Attempts `openshell provider create`; if that fails (provider already exists),
+ * falls back to `openshell provider update` with the same credential.
+ * @param {string} name - Provider name (e.g. "discord-bridge", "inference").
+ * @param {string} type - Provider type ("openai", "anthropic", "generic").
+ * @param {string} credentialEnv - Environment variable name for the credential.
+ * @param {string|null} baseUrl - Optional base URL for the provider endpoint.
+ * @param {Record<string, string>} [env={}] - Environment variables for the openshell command.
+ * @returns {{ ok: boolean, status?: number, message?: string }}
+ */
 function upsertProvider(name, type, credentialEnv, baseUrl, env = {}) {
   const createArgs = buildProviderArgs("create", name, type, credentialEnv, baseUrl);
   const runOpts = { ignoreError: true, env, stdio: ["ignore", "pipe", "pipe"] };
@@ -882,6 +903,20 @@ function upsertProvider(name, type, credentialEnv, baseUrl, env = {}) {
   return { ok: true };
 }
 
+/**
+ * Check whether an OpenShell provider exists in the gateway.
+ *
+ * Queries the gateway-level provider registry via `openshell provider get`.
+ * Does NOT verify that the provider is attached to a specific sandbox —
+ * OpenShell CLI does not currently expose a sandbox-scoped provider query.
+ * @param {string} name - Provider name to look up (e.g. "discord-bridge").
+ * @returns {boolean} True if the provider exists in the gateway.
+ */
+function providerExistsInGateway(name) {
+  const result = runOpenshell(["provider", "get", name], { ignoreError: true });
+  return result.status === 0;
+}
+
 function verifyInferenceRoute(_provider, _model) {
   const output = runCaptureOpenshell(["inference", "get"], { ignoreError: true });
   if (!output || /Gateway inference:\s*[\r\n]+\s*Not configured/i.test(output)) {
@@ -2178,26 +2213,56 @@ async function createSandbox(gpu, model, provider, preferredInferenceApi = null,
   ];
   // --gpu is intentionally omitted. See comment in startGateway().
 
-  console.log(`  Creating sandbox '${sandboxName}' (this takes a few minutes on first run)...`);
-  const chatUiUrl = process.env.CHAT_UI_URL || "http://127.0.0.1:18789";
-  patchStagedDockerfile(stagedDockerfile, model, chatUiUrl, String(Date.now()), provider, preferredInferenceApi);
-  // Only pass non-sensitive env vars to the sandbox. NVIDIA_API_KEY is NOT
-  // needed inside the sandbox — inference is proxied through the OpenShell
-  // gateway which injects the stored credential server-side. The gateway
-  // also strips any Authorization headers sent by the sandbox client.
-  // See: crates/openshell-sandbox/src/proxy.rs (header stripping),
-  //      crates/openshell-router/src/backend.rs (server-side auth injection).
-  const envArgs = [formatEnvAssignment("CHAT_UI_URL", chatUiUrl)];
-  const sandboxEnv = { ...process.env };
-  delete sandboxEnv.NVIDIA_API_KEY;
+  // Create OpenShell providers for messaging credentials so they flow through
+  // the provider/placeholder system instead of raw env vars. The L7 proxy
+  // rewrites Authorization headers (Bearer/Bot) with real secrets at egress.
+  // Telegram provider is created for credential storage but the host-side bridge
+  // still reads from host env — Telegram uses URL-path auth (/bot{TOKEN}/) which
+  // the proxy can't rewrite yet.
+  const messagingProviders = [];
   const discordToken = getCredential("DISCORD_BOT_TOKEN") || process.env.DISCORD_BOT_TOKEN;
   if (discordToken) {
-    sandboxEnv.DISCORD_BOT_TOKEN = discordToken;
+    upsertProvider("discord-bridge", "generic", "DISCORD_BOT_TOKEN", null, { DISCORD_BOT_TOKEN: discordToken });
+    messagingProviders.push("discord-bridge");
   }
   const slackToken = getCredential("SLACK_BOT_TOKEN") || process.env.SLACK_BOT_TOKEN;
   if (slackToken) {
-    sandboxEnv.SLACK_BOT_TOKEN = slackToken;
+    upsertProvider("slack-bridge", "generic", "SLACK_BOT_TOKEN", null, { SLACK_BOT_TOKEN: slackToken });
+    messagingProviders.push("slack-bridge");
   }
+  const telegramToken = hydrateCredentialEnv("TELEGRAM_BOT_TOKEN") || process.env.TELEGRAM_BOT_TOKEN;
+  if (telegramToken) {
+    upsertProvider("telegram-bridge", "generic", "TELEGRAM_BOT_TOKEN", null, { TELEGRAM_BOT_TOKEN: telegramToken });
+    messagingProviders.push("telegram-bridge");
+  }
+  for (const p of messagingProviders) {
+    createArgs.push("--provider", p);
+  }
+
+  console.log(`  Creating sandbox '${sandboxName}' (this takes a few minutes on first run)...`);
+  const chatUiUrl = process.env.CHAT_UI_URL || "http://127.0.0.1:18789";
+  patchStagedDockerfile(stagedDockerfile, model, chatUiUrl, String(Date.now()), provider, preferredInferenceApi);
+  // Only pass non-sensitive env vars to the sandbox. Credentials flow through
+  // OpenShell providers — the gateway injects them as placeholders and the L7
+  // proxy rewrites Authorization headers with real secrets at egress.
+  // See: crates/openshell-sandbox/src/secrets.rs (placeholder rewriting),
+  //      crates/openshell-router/src/backend.rs (inference auth injection).
+  const envArgs = [formatEnvAssignment("CHAT_UI_URL", chatUiUrl)];
+  const blockedSandboxEnvNames = new Set([
+    "NVIDIA_API_KEY",
+    "OPENAI_API_KEY",
+    "ANTHROPIC_API_KEY",
+    "GEMINI_API_KEY",
+    "BEDROCK_API_KEY",
+    "COMPATIBLE_API_KEY",
+    "COMPATIBLE_ANTHROPIC_API_KEY",
+    "DISCORD_BOT_TOKEN",
+    "SLACK_BOT_TOKEN",
+    "TELEGRAM_BOT_TOKEN",
+  ]);
+  const sandboxEnv = Object.fromEntries(
+    Object.entries(process.env).filter(([name]) => !blockedSandboxEnvNames.has(name))
+  );
   // Run without piping through awk — the pipe masked non-zero exit codes
   // from openshell because bash returns the status of the last pipeline
   // command (awk, always 0) unless pipefail is set. Removing the pipe
@@ -2299,6 +2364,16 @@ async function createSandbox(gpu, model, provider, preferredInferenceApi = null,
   console.log("  Setting up sandbox DNS proxy...");
   run(`bash "${path.join(SCRIPTS, "setup-dns-proxy.sh")}" ${GATEWAY_NAME} "${sandboxName}" 2>&1 || true`, { ignoreError: true });
 
+  // Check that messaging providers exist in the gateway (sandbox attachment
+  // cannot be verified via CLI yet — only gateway-level existence is checked).
+  for (const p of messagingProviders) {
+    if (!providerExistsInGateway(p)) {
+      console.error(`  ⚠ Messaging provider '${p}' was not found in the gateway.`);
+      console.error(`    The credential may not be available inside the sandbox.`);
+      console.error(`    To fix: openshell provider create --name ${p} --type generic --credential <KEY>`);
+    }
+  }
+
   console.log(`  ✓ Sandbox '${sandboxName}' created`);
   return sandboxName;
 }
@@ -3648,13 +3723,17 @@ async function onboard(opts = {}) {
 }
 
 module.exports = {
+  buildProviderArgs,
   buildSandboxConfigSyncScript,
+  compactText,
   copyBuildContextDir,
   classifySandboxCreateFailure,
   createSandbox,
+  formatEnvAssignment,
   getFutureShellPathHint,
   getGatewayStartEnv,
   getGatewayReuseState,
+  getNavigationChoice,
   getSandboxInferenceConfig,
   getInstalledOpenshellVersion,
   getRequestedModelHint,
@@ -3673,6 +3752,8 @@ module.exports = {
   onboard,
   onboardSession,
   printSandboxCreateRecoveryHints,
+  providerExistsInGateway,
+  parsePolicyPresetEnv,
   pruneStaleSandboxEntry,
   repairRecordedSandbox,
   recoverGatewayRuntime,
@@ -3684,6 +3765,9 @@ module.exports = {
   isOpenclawReady,
   arePolicyPresetsApplied,
   setupPoliciesWithSelection,
+  summarizeCurlFailure,
+  summarizeProbeFailure,
+  upsertProvider,
   hydrateCredentialEnv,
   shouldIncludeBuildContextPath,
   writeSandboxConfigSyncFile,

test/credential-exposure.test.js

@@ -76,7 +76,13 @@ describe("credential exposure in process arguments", () => {
   it("onboard.js does not embed sandbox secrets in the sandbox create command line", () => {
     const src = fs.readFileSync(ONBOARD_JS, "utf-8");
 
-    expect(src).toMatch(/const sandboxEnv = \{ \.\.\.process\.env \};/);
+    // sandboxEnv must be built with a blocklist that strips all credential env vars
+    expect(src).toMatch(/blockedSandboxEnvNames/);
+    expect(src).toMatch(/NVIDIA_API_KEY/);
+    expect(src).toMatch(/BEDROCK_API_KEY/);
+    expect(src).toMatch(/DISCORD_BOT_TOKEN/);
+    expect(src).toMatch(/SLACK_BOT_TOKEN/);
+    expect(src).toMatch(/TELEGRAM_BOT_TOKEN/);
     expect(src).toMatch(/streamSandboxCreate\(createCommand, sandboxEnv(?:, \{)?/);
     expect(src).not.toMatch(/envArgs\.push\(formatEnvAssignment\("NVIDIA_API_KEY"/);
     expect(src).not.toMatch(/envArgs\.push\(formatEnvAssignment\("DISCORD_BOT_TOKEN"/);