@openclaw/nextcloud-talk 2026.3.1 → 2026.3.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/nextcloud-talk",
-  "version": "2026.3.1",
+  "version": "2026.3.2",
   "description": "OpenClaw Nextcloud Talk channel plugin",
   "type": "module",
   "openclaw": {

package/src/accounts.ts

@@ -1,9 +1,14 @@
 import { readFileSync } from "node:fs";
+import {
+  listConfiguredAccountIds as listConfiguredAccountIdsFromSection,
+  resolveAccountWithDefaultFallback,
+} from "openclaw/plugin-sdk";
 import {
   DEFAULT_ACCOUNT_ID,
   normalizeAccountId,
   normalizeOptionalAccountId,
 } from "openclaw/plugin-sdk/account-id";
+import { normalizeResolvedSecretInputString } from "./secret-input.js";
 import type { CoreConfig, NextcloudTalkAccountConfig } from "./types.js";
 
 function isTruthyEnvValue(value?: string): boolean {
@@ -28,18 +33,10 @@ export type ResolvedNextcloudTalkAccount = {
 };
 
 function listConfiguredAccountIds(cfg: CoreConfig): string[] {
-  const accounts = cfg.channels?.["nextcloud-talk"]?.accounts;
-  if (!accounts || typeof accounts !== "object") {
-    return [];
-  }
-  const ids = new Set<string>();
-  for (const key of Object.keys(accounts)) {
-    if (!key) {
-      continue;
-    }
-    ids.add(normalizeAccountId(key));
-  }
-  return [...ids];
+  return listConfiguredAccountIdsFromSection({
+    accounts: cfg.channels?.["nextcloud-talk"]?.accounts as Record<string, unknown> | undefined,
+    normalizeAccountId,
+  });
 }
 
 export function listNextcloudTalkAccountIds(cfg: CoreConfig): string[] {
@@ -123,8 +120,12 @@ function resolveNextcloudTalkSecret(
     }
   }
 
-  if (merged.botSecret?.trim()) {
-    return { secret: merged.botSecret.trim(), source: "config" };
+  const inlineSecret = normalizeResolvedSecretInputString({
+    value: merged.botSecret,
+    path: `channels.nextcloud-talk.accounts.${opts.accountId ?? DEFAULT_ACCOUNT_ID}.botSecret`,
+  });
+  if (inlineSecret) {
+    return { secret: inlineSecret, source: "config" };
   }
 
   return { secret: "", source: "none" };
@@ -134,7 +135,6 @@ export function resolveNextcloudTalkAccount(params: {
   cfg: CoreConfig;
   accountId?: string | null;
 }): ResolvedNextcloudTalkAccount {
-  const hasExplicitAccountId = Boolean(params.accountId?.trim());
   const baseEnabled = params.cfg.channels?.["nextcloud-talk"]?.enabled !== false;
 
   const resolve = (accountId: string) => {
@@ -162,24 +162,13 @@ export function resolveNextcloudTalkAccount(params: {
     } satisfies ResolvedNextcloudTalkAccount;
   };
 
-  const normalized = normalizeAccountId(params.accountId);
-  const primary = resolve(normalized);
-  if (hasExplicitAccountId) {
-    return primary;
-  }
-  if (primary.secretSource !== "none") {
-    return primary;
-  }
-
-  const fallbackId = resolveDefaultNextcloudTalkAccountId(params.cfg);
-  if (fallbackId === primary.accountId) {
-    return primary;
-  }
-  const fallback = resolve(fallbackId);
-  if (fallback.secretSource === "none") {
-    return primary;
-  }
-  return fallback;
+  return resolveAccountWithDefaultFallback({
+    accountId: params.accountId,
+    normalizeAccountId,
+    resolvePrimary: resolve,
+    hasCredential: (account) => account.secretSource !== "none",
+    resolveDefaultAccountId: () => resolveDefaultNextcloudTalkAccountId(params.cfg),
+  });
 }
 
 export function listEnabledNextcloudTalkAccounts(cfg: CoreConfig): ResolvedNextcloudTalkAccount[] {

package/src/channel.startup.test.ts

@@ -1,10 +1,5 @@
-import type {
-  ChannelAccountSnapshot,
-  ChannelGatewayContext,
-  OpenClawConfig,
-} from "openclaw/plugin-sdk";
 import { afterEach, describe, expect, it, vi } from "vitest";
-import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import { createStartAccountContext } from "../../test-utils/start-account-context.js";
 import type { ResolvedNextcloudTalkAccount } from "./accounts.js";
 
 const hoisted = vi.hoisted(() => ({
@@ -21,30 +16,6 @@ vi.mock("./monitor.js", async () => {
 
 import { nextcloudTalkPlugin } from "./channel.js";
 
-function createStartAccountCtx(params: {
-  account: ResolvedNextcloudTalkAccount;
-  abortSignal: AbortSignal;
-}): ChannelGatewayContext<ResolvedNextcloudTalkAccount> {
-  const snapshot: ChannelAccountSnapshot = {
-    accountId: params.account.accountId,
-    configured: true,
-    enabled: true,
-    running: false,
-  };
-  return {
-    accountId: params.account.accountId,
-    account: params.account,
-    cfg: {} as OpenClawConfig,
-    runtime: createRuntimeEnv(),
-    abortSignal: params.abortSignal,
-    log: { info: vi.fn(), warn: vi.fn(), error: vi.fn(), debug: vi.fn() },
-    getStatus: () => snapshot,
-    setStatus: (next) => {
-      Object.assign(snapshot, next);
-    },
-  };
-}
-
 function buildAccount(): ResolvedNextcloudTalkAccount {
   return {
     accountId: "default",
@@ -72,22 +43,19 @@ describe("nextcloudTalkPlugin gateway.startAccount", () => {
     const abort = new AbortController();
 
     const task = nextcloudTalkPlugin.gateway!.startAccount!(
-      createStartAccountCtx({
+      createStartAccountContext({
         account: buildAccount(),
         abortSignal: abort.signal,
       }),
     );
-
-    await new Promise((resolve) => setTimeout(resolve, 20));
-
     let settled = false;
     void task.then(() => {
       settled = true;
     });
-
-    await new Promise((resolve) => setTimeout(resolve, 20));
+    await vi.waitFor(() => {
+      expect(hoisted.monitorNextcloudTalkProvider).toHaveBeenCalledOnce();
+    });
     expect(settled).toBe(false);
-    expect(hoisted.monitorNextcloudTalkProvider).toHaveBeenCalledOnce();
     expect(stop).not.toHaveBeenCalled();
 
     abort.abort();
@@ -103,7 +71,7 @@ describe("nextcloudTalkPlugin gateway.startAccount", () => {
     abort.abort();
 
     await nextcloudTalkPlugin.gateway!.startAccount!(
-      createStartAccountCtx({
+      createStartAccountContext({
         account: buildAccount(),
         abortSignal: abort.signal,
       }),

package/src/config-schema.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, it } from "vitest";
+import { NextcloudTalkConfigSchema } from "./config-schema.js";
+
+describe("NextcloudTalkConfigSchema SecretInput", () => {
+  it("accepts SecretRef botSecret and apiPassword at top-level", () => {
+    const result = NextcloudTalkConfigSchema.safeParse({
+      baseUrl: "https://cloud.example.com",
+      botSecret: { source: "env", provider: "default", id: "NEXTCLOUD_TALK_BOT_SECRET" },
+      apiUser: "bot",
+      apiPassword: { source: "env", provider: "default", id: "NEXTCLOUD_TALK_API_PASSWORD" },
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it("accepts SecretRef botSecret and apiPassword on account", () => {
+    const result = NextcloudTalkConfigSchema.safeParse({
+      accounts: {
+        main: {
+          baseUrl: "https://cloud.example.com",
+          botSecret: {
+            source: "env",
+            provider: "default",
+            id: "NEXTCLOUD_TALK_MAIN_BOT_SECRET",
+          },
+          apiUser: "bot",
+          apiPassword: {
+            source: "env",
+            provider: "default",
+            id: "NEXTCLOUD_TALK_MAIN_API_PASSWORD",
+          },
+        },
+      },
+    });
+    expect(result.success).toBe(true);
+  });
+});

package/src/config-schema.ts

@@ -9,6 +9,7 @@ import {
   requireOpenAllowFrom,
 } from "openclaw/plugin-sdk";
 import { z } from "zod";
+import { buildSecretInputSchema } from "./secret-input.js";
 
 export const NextcloudTalkRoomSchema = z
   .object({
@@ -27,10 +28,10 @@ export const NextcloudTalkAccountSchemaBase = z
     enabled: z.boolean().optional(),
     markdown: MarkdownConfigSchema,
     baseUrl: z.string().optional(),
-    botSecret: z.string().optional(),
+    botSecret: buildSecretInputSchema().optional(),
     botSecretFile: z.string().optional(),
     apiUser: z.string().optional(),
-    apiPassword: z.string().optional(),
+    apiPassword: buildSecretInputSchema().optional(),
     apiPasswordFile: z.string().optional(),
     dmPolicy: DmPolicySchema.optional().default("pairing"),
     webhookPort: z.number().int().positive().optional(),

package/src/monitor.backend.test.ts

@@ -1,6 +1,6 @@
 import { describe, expect, it, vi } from "vitest";
+import { createSignedCreateMessageRequest } from "./monitor.test-fixtures.js";
 import { startWebhookServer } from "./monitor.test-harness.js";
-import { generateNextcloudTalkSignature } from "./signature.js";
 
 describe("createNextcloudTalkWebhookServer backend allowlist", () => {
   it("rejects requests from unexpected backend origins", async () => {
@@ -11,31 +11,12 @@ describe("createNextcloudTalkWebhookServer backend allowlist", () => {
       onMessage,
     });
 
-    const payload = {
-      type: "Create",
-      actor: { type: "Person", id: "alice", name: "Alice" },
-      object: {
-        type: "Note",
-        id: "msg-1",
-        name: "hello",
-        content: "hello",
-        mediaType: "text/plain",
-      },
-      target: { type: "Collection", id: "room-1", name: "Room 1" },
-    };
-    const body = JSON.stringify(payload);
-    const { random, signature } = generateNextcloudTalkSignature({
-      body,
-      secret: "nextcloud-secret",
+    const { body, headers } = createSignedCreateMessageRequest({
+      backend: "https://nextcloud.unexpected",
     });
     const response = await fetch(harness.webhookUrl, {
       method: "POST",
-      headers: {
-        "content-type": "application/json",
-        "x-nextcloud-talk-random": random,
-        "x-nextcloud-talk-signature": signature,
-        "x-nextcloud-talk-backend": "https://nextcloud.unexpected",
-      },
+      headers,
       body,
     });
 

package/src/monitor.replay.test.ts

@@ -1,15 +1,8 @@
 import { describe, expect, it, vi } from "vitest";
+import { createSignedCreateMessageRequest } from "./monitor.test-fixtures.js";
 import { startWebhookServer } from "./monitor.test-harness.js";
-import { generateNextcloudTalkSignature } from "./signature.js";
 import type { NextcloudTalkInboundMessage } from "./types.js";
 
-function createSignedRequest(body: string): { random: string; signature: string } {
-  return generateNextcloudTalkSignature({
-    body,
-    secret: "nextcloud-secret",
-  });
-}
-
 describe("createNextcloudTalkWebhookServer replay handling", () => {
   it("acknowledges replayed requests and skips onMessage side effects", async () => {
     const seen = new Set<string>();
@@ -27,26 +20,7 @@ describe("createNextcloudTalkWebhookServer replay handling", () => {
       onMessage,
     });
 
-    const payload = {
-      type: "Create",
-      actor: { type: "Person", id: "alice", name: "Alice" },
-      object: {
-        type: "Note",
-        id: "msg-1",
-        name: "hello",
-        content: "hello",
-        mediaType: "text/plain",
-      },
-      target: { type: "Collection", id: "room-1", name: "Room 1" },
-    };
-    const body = JSON.stringify(payload);
-    const { random, signature } = createSignedRequest(body);
-    const headers = {
-      "content-type": "application/json",
-      "x-nextcloud-talk-random": random,
-      "x-nextcloud-talk-signature": signature,
-      "x-nextcloud-talk-backend": "https://nextcloud.example",
-    };
+    const { body, headers } = createSignedCreateMessageRequest();
 
     const first = await fetch(harness.webhookUrl, {
       method: "POST",

package/src/monitor.test-fixtures.ts

@@ -0,0 +1,30 @@
+import { generateNextcloudTalkSignature } from "./signature.js";
+
+export function createSignedCreateMessageRequest(params?: { backend?: string }) {
+  const payload = {
+    type: "Create",
+    actor: { type: "Person", id: "alice", name: "Alice" },
+    object: {
+      type: "Note",
+      id: "msg-1",
+      name: "hello",
+      content: "hello",
+      mediaType: "text/plain",
+    },
+    target: { type: "Collection", id: "room-1", name: "Room 1" },
+  };
+  const body = JSON.stringify(payload);
+  const { random, signature } = generateNextcloudTalkSignature({
+    body,
+    secret: "nextcloud-secret",
+  });
+  return {
+    body,
+    headers: {
+      "content-type": "application/json",
+      "x-nextcloud-talk-random": random,
+      "x-nextcloud-talk-signature": signature,
+      "x-nextcloud-talk-backend": params?.backend ?? "https://nextcloud.example",
+    },
+  };
+}

package/src/onboarding.ts

@@ -1,10 +1,13 @@
 import {
   addWildcardAllowFrom,
   formatDocsLink,
+  hasConfiguredSecretInput,
   mergeAllowFromEntries,
+  promptSingleChannelSecretInput,
   promptAccountId,
   DEFAULT_ACCOUNT_ID,
   normalizeAccountId,
+  type SecretInput,
   type ChannelOnboardingAdapter,
   type ChannelOnboardingDmPolicy,
   type OpenClawConfig,
@@ -216,7 +219,8 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
     const allowEnv = accountId === DEFAULT_ACCOUNT_ID;
     const canUseEnv = allowEnv && Boolean(process.env.NEXTCLOUD_TALK_BOT_SECRET?.trim());
     const hasConfigSecret = Boolean(
-      resolvedAccount.config.botSecret || resolvedAccount.config.botSecretFile,
+      hasConfiguredSecretInput(resolvedAccount.config.botSecret) ||
+      resolvedAccount.config.botSecretFile,
     );
 
     let baseUrl = resolvedAccount.baseUrl;
@@ -238,17 +242,30 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
       ).trim();
     }
 
-    let secret: string | null = null;
+    let secret: SecretInput | null = null;
     if (!accountConfigured) {
       await noteNextcloudTalkSecretHelp(prompter);
     }
 
-    if (canUseEnv && !resolvedAccount.config.botSecret) {
-      const keepEnv = await prompter.confirm({
-        message: "NEXTCLOUD_TALK_BOT_SECRET detected. Use env var?",
-        initialValue: true,
-      });
-      if (keepEnv) {
+    const secretResult = await promptSingleChannelSecretInput({
+      cfg: next,
+      prompter,
+      providerHint: "nextcloud-talk",
+      credentialLabel: "bot secret",
+      accountConfigured,
+      canUseEnv: canUseEnv && !hasConfigSecret,
+      hasConfigToken: hasConfigSecret,
+      envPrompt: "NEXTCLOUD_TALK_BOT_SECRET detected. Use env var?",
+      keepPrompt: "Nextcloud Talk bot secret already configured. Keep it?",
+      inputPrompt: "Enter Nextcloud Talk bot secret",
+      preferredEnvVar: "NEXTCLOUD_TALK_BOT_SECRET",
+    });
+    if (secretResult.action === "set") {
+      secret = secretResult.value;
+    }
+
+    if (secretResult.action === "use-env" || secret || baseUrl !== resolvedAccount.baseUrl) {
+      if (accountId === DEFAULT_ACCOUNT_ID) {
         next = {
           ...next,
           channels: {
@@ -257,40 +274,65 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
               ...next.channels?.["nextcloud-talk"],
               enabled: true,
               baseUrl,
+              ...(secret ? { botSecret: secret } : {}),
             },
           },
         };
       } else {
-        secret = String(
-          await prompter.text({
-            message: "Enter Nextcloud Talk bot secret",
-            validate: (value) => (value?.trim() ? undefined : "Required"),
-          }),
-        ).trim();
-      }
-    } else if (hasConfigSecret) {
-      const keep = await prompter.confirm({
-        message: "Nextcloud Talk secret already configured. Keep it?",
-        initialValue: true,
-      });
-      if (!keep) {
-        secret = String(
-          await prompter.text({
-            message: "Enter Nextcloud Talk bot secret",
-            validate: (value) => (value?.trim() ? undefined : "Required"),
-          }),
-        ).trim();
+        next = {
+          ...next,
+          channels: {
+            ...next.channels,
+            "nextcloud-talk": {
+              ...next.channels?.["nextcloud-talk"],
+              enabled: true,
+              accounts: {
+                ...next.channels?.["nextcloud-talk"]?.accounts,
+                [accountId]: {
+                  ...next.channels?.["nextcloud-talk"]?.accounts?.[accountId],
+                  enabled:
+                    next.channels?.["nextcloud-talk"]?.accounts?.[accountId]?.enabled ?? true,
+                  baseUrl,
+                  ...(secret ? { botSecret: secret } : {}),
+                },
+              },
+            },
+          },
+        };
       }
-    } else {
-      secret = String(
+    }
+
+    const existingApiUser = resolvedAccount.config.apiUser?.trim();
+    const existingApiPasswordConfigured = Boolean(
+      hasConfiguredSecretInput(resolvedAccount.config.apiPassword) ||
+      resolvedAccount.config.apiPasswordFile,
+    );
+    const configureApiCredentials = await prompter.confirm({
+      message: "Configure optional Nextcloud Talk API credentials for room lookups?",
+      initialValue: Boolean(existingApiUser && existingApiPasswordConfigured),
+    });
+    if (configureApiCredentials) {
+      const apiUser = String(
         await prompter.text({
-          message: "Enter Nextcloud Talk bot secret",
-          validate: (value) => (value?.trim() ? undefined : "Required"),
+          message: "Nextcloud Talk API user",
+          initialValue: existingApiUser,
+          validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
         }),
       ).trim();
-    }
-
-    if (secret || baseUrl !== resolvedAccount.baseUrl) {
+      const apiPasswordResult = await promptSingleChannelSecretInput({
+        cfg: next,
+        prompter,
+        providerHint: "nextcloud-talk-api",
+        credentialLabel: "API password",
+        accountConfigured: Boolean(existingApiUser && existingApiPasswordConfigured),
+        canUseEnv: false,
+        hasConfigToken: existingApiPasswordConfigured,
+        envPrompt: "",
+        keepPrompt: "Nextcloud Talk API password already configured. Keep it?",
+        inputPrompt: "Enter Nextcloud Talk API password",
+        preferredEnvVar: "NEXTCLOUD_TALK_API_PASSWORD",
+      });
+      const apiPassword = apiPasswordResult.action === "set" ? apiPasswordResult.value : undefined;
       if (accountId === DEFAULT_ACCOUNT_ID) {
         next = {
           ...next,
@@ -299,8 +341,8 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
             "nextcloud-talk": {
               ...next.channels?.["nextcloud-talk"],
               enabled: true,
-              baseUrl,
-              ...(secret ? { botSecret: secret } : {}),
+              apiUser,
+              ...(apiPassword ? { apiPassword } : {}),
             },
           },
         };
@@ -318,8 +360,8 @@ export const nextcloudTalkOnboardingAdapter: ChannelOnboardingAdapter = {
                   ...next.channels?.["nextcloud-talk"]?.accounts?.[accountId],
                   enabled:
                     next.channels?.["nextcloud-talk"]?.accounts?.[accountId]?.enabled ?? true,
-                  baseUrl,
-                  ...(secret ? { botSecret: secret } : {}),
+                  apiUser,
+                  ...(apiPassword ? { apiPassword } : {}),
                 },
               },
             },

package/src/room-info.ts

@@ -1,6 +1,8 @@
 import { readFileSync } from "node:fs";
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk";
 import type { RuntimeEnv } from "openclaw/plugin-sdk";
 import type { ResolvedNextcloudTalkAccount } from "./accounts.js";
+import { normalizeResolvedSecretInputString } from "./secret-input.js";
 
 const ROOM_CACHE_TTL_MS = 5 * 60 * 1000;
 const ROOM_CACHE_ERROR_TTL_MS = 30 * 1000;
@@ -15,11 +17,15 @@ function resolveRoomCacheKey(params: { accountId: string; roomToken: string }) {
 }
 
 function readApiPassword(params: {
-  apiPassword?: string;
+  apiPassword?: unknown;
   apiPasswordFile?: string;
 }): string | undefined {
-  if (params.apiPassword?.trim()) {
-    return params.apiPassword.trim();
+  const inlinePassword = normalizeResolvedSecretInputString({
+    value: params.apiPassword,
+    path: "channels.nextcloud-talk.apiPassword",
+  });
+  if (inlinePassword) {
+    return inlinePassword;
   }
   if (!params.apiPasswordFile) {
     return undefined;
@@ -89,31 +95,40 @@ export async function resolveNextcloudTalkRoomKind(params: {
   const auth = Buffer.from(`${apiUser}:${apiPassword}`, "utf-8").toString("base64");
 
   try {
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        Authorization: `Basic ${auth}`,
-        "OCS-APIRequest": "true",
-        Accept: "application/json",
+    const { response, release } = await fetchWithSsrFGuard({
+      url,
+      init: {
+        method: "GET",
+        headers: {
+          Authorization: `Basic ${auth}`,
+          "OCS-APIRequest": "true",
+          Accept: "application/json",
+        },
       },
+      auditContext: "nextcloud-talk.room-info",
     });
+    try {
+      if (!response.ok) {
+        roomCache.set(key, {
+          fetchedAt: Date.now(),
+          error: `status:${response.status}`,
+        });
+        runtime?.log?.(
+          `nextcloud-talk: room lookup failed (${response.status}) token=${roomToken}`,
+        );
+        return undefined;
+      }
 
-    if (!response.ok) {
-      roomCache.set(key, {
-        fetchedAt: Date.now(),
-        error: `status:${response.status}`,
-      });
-      runtime?.log?.(`nextcloud-talk: room lookup failed (${response.status}) token=${roomToken}`);
-      return undefined;
+      const payload = (await response.json()) as {
+        ocs?: { data?: { type?: number | string } };
+      };
+      const type = coerceRoomType(payload.ocs?.data?.type);
+      const kind = resolveRoomKindFromType(type);
+      roomCache.set(key, { fetchedAt: Date.now(), kind });
+      return kind;
+    } finally {
+      await release();
     }
-
-    const payload = (await response.json()) as {
-      ocs?: { data?: { type?: number | string } };
-    };
-    const type = coerceRoomType(payload.ocs?.data?.type);
-    const kind = resolveRoomKindFromType(type);
-    roomCache.set(key, { fetchedAt: Date.now(), kind });
-    return kind;
   } catch (err) {
     roomCache.set(key, {
       fetchedAt: Date.now(),

package/src/secret-input.ts

@@ -0,0 +1,19 @@
+import {
+  hasConfiguredSecretInput,
+  normalizeResolvedSecretInputString,
+  normalizeSecretInputString,
+} from "openclaw/plugin-sdk";
+import { z } from "zod";
+
+export { hasConfiguredSecretInput, normalizeResolvedSecretInputString, normalizeSecretInputString };
+
+export function buildSecretInputSchema() {
+  return z.union([
+    z.string(),
+    z.object({
+      source: z.enum(["env", "file", "exec"]),
+      provider: z.string().min(1),
+      id: z.string().min(1),
+    }),
+  ]);
+}

package/src/types.ts

@@ -3,6 +3,7 @@ import type {
   DmConfig,
   DmPolicy,
   GroupPolicy,
+  SecretInput,
 } from "openclaw/plugin-sdk";
 
 export type { DmPolicy, GroupPolicy };
@@ -29,13 +30,13 @@ export type NextcloudTalkAccountConfig = {
   /** Base URL of the Nextcloud instance (e.g., "https://cloud.example.com"). */
   baseUrl?: string;
   /** Bot shared secret from occ talk:bot:install output. */
-  botSecret?: string;
+  botSecret?: SecretInput;
   /** Path to file containing bot secret (for secret managers). */
   botSecretFile?: string;
   /** Optional API user for room lookups (DM detection). */
   apiUser?: string;
   /** Optional API password/app password for room lookups. */
-  apiPassword?: string;
+  apiPassword?: SecretInput;
   /** Path to file containing API password/app password. */
   apiPasswordFile?: string;
   /** Direct message policy (default: pairing). */