docs(openclaw): purge stale XPR_PRIVATE_KEY from npm README + A2A example#19
Merged
Conversation
…mple
The npm-package README that ships to npmjs.com still showed the legacy
`XPR_PRIVATE_KEY=PVT_K1_...` config block. An operator's agent reading
the package page would have followed that example and immediately
booted into the agent runner's hard refusal:
[FATAL] XPR_PRIVATE_KEY is set but is no longer supported.
This commit replaces the env block with the proton CLI keychain setup
(install, `chain:set`, `key:add`, with the `echo "no" | …` hosted-
console form) and adds an `A2A_SIGNING_KEY` note for the separate
limited-blast-radius A2A key. Bumps `@xpr-agents/openclaw` to 0.3.2 so
the corrected README ships to npm.
Two other docs also pointed operators at the wrong env var:
- `docs/A2A.md` SDK example: switched `XPR_PRIVATE_KEY` →
`A2A_SIGNING_KEY` (proton CLI can't sign arbitrary digests, so A2A
always needed a separate in-process key — the example was just
reusing the old name)
- `docs/infrastructure.md` CF Gateway Worker section: added a legacy
banner noting that `XPR_PRIVATE_KEY` only exists in the deprecated
CF sandbox path and is **rejected** on the standalone scaffold and
Pinata harness paths
No code changes — paperwork that should have shipped with #7.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The published
@xpr-agents/openclawREADME on npm still shows the legacyXPR_PRIVATE_KEY=PVT_K1_...block in its Configuration section. An operator reading the package page would have followed that example and immediately hit the agent runner's hard refusal:Changes
openclaw/README.md(the npm package README):npm i -g @proton/cli,chain:set,key:add, plus theecho "no" | ...hosted-console form for Pinata)A2A_SIGNING_KEYnote (separate key, custom permission, limited blast radius)XPR_PRIVATE_KEYenv var" callout referencing the charliebot incidentopenclaw/package.json— bump to 0.3.2 so the corrected README actually ships to npmdocs/A2A.md— SDK example switchedXPR_PRIVATE_KEY→A2A_SIGNING_KEY(proton CLI can't sign arbitrary digests, so A2A always needed a separate in-process key; the example was just reusing the old name)docs/infrastructure.md— added a legacy banner to the CF Gateway Worker section noting that theXPR_PRIVATE_KEYshown there only exists in the deprecated CF sandbox path and is rejected on the standalone scaffold and Pinata harness pathsWhy a separate PR?
I was mid-flight on Tier C (moving the 12 domain skills into the npm tarball, bumping to 0.4.0) when this surfaced via an operator's agent reading the live npm page. Shipping a narrow patch release first gets the corrected docs onto npmjs.com immediately; the Tier C work follows on a separate branch.
No code changes — paperwork that should have shipped with #7.