wangjunxiao/nanoclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: slim credential docs in group CLAUDE.md and add onecli-gateway container skill

Browse Source
This commit is contained in:
johnnyfish
2026-05-07 13:09:20 +03:00
parent d8d6f6bd65
commit 4305c6a87d
3 changed files with 77 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
container/skills/onecli-gateway/SKILL.md Normal file
View File

@@ -0,0 +1,67 @@
---
name: onecli-gateway
description: >-
Handle credentials and authentication for external services. Use when you
hit a 401, 403, or app_not_connected error, or when the user asks you to
access an external service (Gmail, GitHub, Slack, Calendar, Stripe, etc.).
Do NOT use browser extensions or manual auth flows — make HTTP requests
directly; the OneCLI proxy injects credentials automatically.
---
# OneCLI Gateway: Credentials & Authentication
Your container routes all HTTPS traffic through the OneCLI proxy, which
injects stored credentials (API keys, OAuth tokens) at the proxy boundary.
You never see or handle credential values directly.
## Making Requests
Call the real API URL. The proxy intercepts and injects credentials automatically.
```bash
curl -s "https://gmail.googleapis.com/gmail/v1/users/me/messages?maxResults=5"
curl -s "https://api.github.com/user/repos?per_page=10"
curl -s "https://api.stripe.com/v1/charges?limit=5"
```
Any HTTP client (curl, fetch, axios, Python requests, Go net/http, git) honors
`HTTPS_PROXY` automatically. You do not need to set auth headers.
If a tool or library validates credentials locally before making the request,
pass any placeholder value (a fake string). The proxy replaces it with real
credentials at request time.
## When a Request Fails (401 / 403 / app_not_connected)
### Step 1 — Show the user a connect link
If the error response includes a `connect_url`, share it directly:
> To connect [service], open this link:
> [connect_url from the error response]
If there's no `connect_url`, tell the user to open the OneCLI dashboard and
connect the service there.
Do NOT ask the user for API keys or tokens. Do NOT suggest pasting credentials
into chat. The fix is always connecting the service in OneCLI.
### Step 2 — Retry after the user connects
After showing the link, let the user know you'll retry once they've connected.
When they confirm (or after a reasonable pause), retry the original request.
If the retry still fails, ask the user if they need help with the OneCLI setup.
## Rules
- **Never** say "I don't have access to X" without first making the HTTP
request through the proxy.
- **Never** use browser extensions, gcloud, or manual auth flows. The proxy
handles credentials for you.
- **Never** ask the user for API keys, tokens, or passwords directly.
- **Never** suggest the user open Gmail/Calendar/GitHub in their browser
when they ask you to read or interact with those services. You have API
access — use it.
- If the proxy returns a policy error (403 with a JSON body), respect the
block. Do not retry or circumvent it.

7
container/skills/onecli-gateway/instructions.md Normal file
View File

@@ -0,0 +1,7 @@
# Credentials & External Services
Your HTTP requests go through the OneCLI proxy, which injects real credentials automatically. Just call any API directly (Gmail, GitHub, Slack, etc.) — the proxy adds auth before it reaches the service.
Use any method: curl, Python, a CLI tool, whatever fits. If a tool checks for credentials locally, pass any placeholder value — the proxy replaces it with real credentials at request time.
If you get a `401`/`403`/`app_not_connected`, run `/onecli-gateway` for the full error-handling flow. Never ask the user for API keys or tokens — if credentials are missing, the fix is connecting the service in OneCLI.