openclaw-ynabro 2.2.4 → 2.2.6

package/README.md

@@ -29,25 +29,61 @@ openclaw plugins install openclaw-ynabro
 
 ## Configuration
 
-Set your YNAB Personal Access Token in `openclaw.json`:
-
-```json
-{
-  "plugins": {
-    "entries": {
-      "openclaw-ynabro": {
-        "config": {
-          "token": "your-ynab-personal-access-token"
-        }
-      }
-    }
-  }
-}
+Generate a YNAB Personal Access Token at https://app.ynab.com/settings/developer.
+
+`openclaw-ynabro` integrates with [OpenClaw's secrets system](https://docs.openclaw.ai/gateway/secrets) — the token is registered as a SecretRef-eligible surface at `plugins.entries.openclaw-ynabro.config.token`. Store it with one of the supported flows; no environment variable fallback is implemented in the plugin.
+
+### Interactive (recommended)
+
+```bash
+openclaw secrets configure
+```
+
+In the wizard:
+
+1. Add or reuse a secrets provider (`env`, `file`, or `exec`).
+2. From the target picker, select `plugins.entries.openclaw-ynabro.config.token`.
+3. Provide the `source` / `provider` / `id` for your chosen backend.
+4. Run preflight and apply the plan.
+
+### Non-interactive
+
+Examples — pick whichever provider matches your secret backend:
+
+```bash
+# env provider (token loaded from ~/.openclaw/.env or shell env)
+openclaw config set plugins.entries.openclaw-ynabro.config.token \
+  --ref-source env --ref-provider default --ref-id YNAB_TOKEN
+
+# file provider (token stored in a JSON secrets file)
+openclaw config set plugins.entries.openclaw-ynabro.config.token \
+  --ref-source file --ref-provider filemain --ref-id /plugins/openclaw-ynabro/token
+
+# exec provider (token retrieved from an external secret manager)
+openclaw config set plugins.entries.openclaw-ynabro.config.token \
+  --ref-source exec --ref-provider vault --ref-id providers/ynab/token
+
+openclaw secrets reload
+openclaw secrets audit | grep -i ynab
 ```
 
-OpenClaw also surfaces this as a sensitive field in its settings UI (labeled "YNAB Personal Access Token"). Generate a token at https://app.ynab.com/settings/developer.
+The plugin reads the resolved token from `api.pluginConfig.token`; OpenClaw resolves the SecretRef before the plugin sees it.
+
+The "YNAB Personal Access Token" field is also surfaced as a sensitive entry in OpenClaw's settings UI.
+
+### Plaintext (not recommended)
+
+If you must, you can set the token in plaintext:
+
+```bash
+openclaw config set plugins.entries.openclaw-ynabro.config.token "<your-ynab-pat>"
+```
+
+This will surface in `openclaw secrets audit` as a plaintext finding — prefer a SecretRef.
+
+## Default Plan
 
-No environment variable fallback is supported.
+The selected default plan id is persisted (non-secret) at `plugins.entries.openclaw-ynabro.config.defaultPlanId` by `ynabro_save_default_plan`. See **Onboarding** below.
 
 ## Onboarding
 

package/openclaw.plugin.json

@@ -8,8 +8,8 @@
     "additionalProperties": false,
     "properties": {
       "token": {
-        "type": "string",
-        "description": "YNAB Personal Access Token"
+        "type": ["string", "object"],
+        "description": "YNAB Personal Access Token. May be a plaintext string or a SecretRef object { source, provider, id } configured via `openclaw secrets configure` or `openclaw config set ... --ref-source ...`."
       },
       "defaultPlanId": {
         "type": "string",
@@ -22,16 +22,13 @@
       "label": "YNAB Personal Access Token",
       "placeholder": "your-ynab-personal-access-token",
       "sensitive": true,
-      "help": "Generate at https://app.ynab.com/settings/developer. Falls back to YNAB_TOKEN env var if not set here."
+      "help": "Generate at https://app.ynab.com/settings/developer. Store via `openclaw secrets configure` or `openclaw config set plugins.entries.openclaw-ynabro.config.token --ref-source env|file|exec --ref-provider <provider> --ref-id <id>`."
     }
   },
-  "setup": {
-    "providers": [
-      {
-        "id": "ynab",
-        "envVars": ["YNAB_TOKEN"]
-      }
-    ]
+  "configContracts": {
+    "secretInputs": {
+      "paths": [{ "path": "token", "expected": "string" }]
+    }
   },
   "contracts": {
     "tools": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-ynabro",
-  "version": "2.2.4",
+  "version": "2.2.6",
   "description": "OpenClaw plugin that registers YNABro tools for YNAB integration",
   "type": "module",
   "main": "./dist/index.js",
@@ -48,6 +48,7 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
+    "test": "vitest run",
     "typecheck": "tsc --noEmit"
   }
 }

package/skills/ynabro/prompts/ynabro.md

@@ -18,8 +18,13 @@ If `ready` is `false`, walk the user through setup:
    - **pi:** Call `ynabro_setup` — it presents a native TUI input popup where the
      user enters the token directly. It goes straight to pi's AuthStorage and
      never appears in the conversation.
-   - **OpenClaw:** Instruct the user to add the token to `openclaw.json` or via
-     the OpenClaw settings UI, then ask them to confirm when done.
+   - **OpenClaw:** Instruct the user to store the token using
+     `openclaw secrets configure` (recommended) and select the
+     `plugins.entries.openclaw-ynabro.config.token` target. As alternatives,
+     they can set it non-interactively with
+     `openclaw config set plugins.entries.openclaw-ynabro.config.token --ref-source env|file|exec ...`,
+     or via the OpenClaw settings UI's sensitive "YNAB Personal Access Token"
+     field. Ask them to confirm when done.
 
 2. **Missing plan:** Call `ynabro_setup` to list available plans. Help the user
    pick one. On OpenClaw, follow up with `ynabro_save_default_plan`.