gloves supports bootstrap configuration through .gloves.toml.
Full schema: GLOVES_CONFIG_SPEC.md
Config source precedence:
- --no-config (skip all config loading)
- --config <path>
- GLOVES_CONFIG
- parent-directory discovery of .gloves.toml
- built-in defaults

version = 1
[paths]
root = ".openclaw/secrets"
[defaults]
agent_id = "default-agent"
secret_ttl_days = 30
[vault]
mode = "auto"

For a fresh OpenClaw setup, prefer generating this with:

gloves bootstrap --profile openclaw \
--root .openclaw/secrets \
--config .openclaw/.gloves.toml \
--agents main,relationships,coder

The bootstrap command is intentionally thin. It writes the initial config and creation rules, creates agent identities, validates the result, and stops there.

Built-in default secret_ttl_days is 30. Override it when you need shorter or longer retention. For one-off secrets that should not expire, use gloves secrets set ... --ttl never. The create command prints the resolved expiry timestamp for expiring secrets and reports never expires otherwise.
[private_paths]
runtime_root = ".openclaw/secrets"
workspace_private = "./.private"
[agents.agent-main]
paths = ["runtime_root", "workspace_private"]
operations = ["read", "write", "list", "mount"]

Inspect one agent's view:

gloves access paths --agent agent-main --json

[secrets.acl.agent-main]
paths = ["shared/*", "svc/*"]
operations = ["read", "write", "list", "request", "status"]
[secrets.acl.human-ops]
paths = ["*"]
operations = ["read", "write", "list", "revoke", "request", "status", "approve", "deny"]

[secrets.pipe.commands.curl]
require_url = true
url_prefixes = ["https://api.example.com/v1/"]

This restricts URL arguments to approved prefixes.

gloves config validate

Use this in CI and before deploy.