feat(provider): per-credential custom placeholders and passthrough opt-in

[laitingsheng]

Summary

Groundwork for NVIDIA/NemoClaw#2031, whose Slack/Discord/Telegram provider integrations need SDK-format-passing placeholders (Slack's xoxb- prefix check) and in-process passthrough (Slack signing-secret HMAC, Discord interaction-signature verification) that the canonical placeholder form cannot satisfy.

Related Issue

Fixes #894

Changes

Adds two new optional fields to Provider in proto/datamodel.proto:

• credential_placeholders: map<string, string> keyed by credential env var name. When set, the supervisor injects the literal override string into the agent's environment instead of the canonical openshell:resolve:env: placeholder, and registers the override with the secret resolver so the L7 proxy substitutes the real value on the wire by exact-match lookup. Used for SDKs that validate credential format in-process before any network call (e.g. Slack's xoxb- prefix check, AWS access-key prefixes, OAuth libraries).
• passthrough_credentials: repeated string of env var names whose REAL value is injected directly into the agent process, bypassing placeholder/L7-proxy substitution entirely. Required for credentials consumed in-process (signature computation, checksum verification, non-HTTP transports) where no on-the-wire substitution is possible. Drops the "agent never sees the real value" invariant for the listed keys; treated as a per-credential security trade-off.

A key MUST NOT appear in both maps; validation rejects overlaps and keys not present in credentials. Custom-format placeholders are substituted in HTTP header values (full-value, Bearer prefix, Basic-decoded) and query parameter values, but NOT in URL path segments — path extraction relies on the canonical env-var-name grammar. The fail-closed post-rewrite scan covers both canonical and custom-registered placeholders, so an override that ends up in a path is rejected before egress.

Server changes (crates/openshell-server):

• grpc/provider.rs: round-trip the two new fields on create/update/get, validate non-empty / no CR/LF/NUL / no key overlap, plumb through to GetSandboxProviderEnvironmentResponse as placeholder_overrides and passthrough_keys.
• grpc/validation.rs: shared helpers for placeholder string validation and overlap detection.
• grpc/policy.rs, inference.rs: respect passthrough keys when assembling resolver registrations and policy rules.

Sandbox changes (crates/openshell-sandbox):

• grpc_client.rs: surface placeholder_overrides and passthrough_keys on the supervisor side.
• secrets.rs: register override strings with the resolver, inject overrides (or real passthrough values) into the child environment in place of canonical placeholders, with the fail-closed invariant preserved for canonical and custom forms.
• lib.rs: wire the new env construction into the supervisor launch path.

CLI changes (crates/openshell-cli):

• main.rs, run.rs: add per-credential --placeholder KEY=VALUE and --passthrough KEY flags on provider create/update; surface readback in provider get/list output.
• integration tests: cover round-trip, overlap rejection, empty/CRLF override rejection, passthrough opt-in.

TUI: render override and passthrough markers in the provider detail view.

Architecture docs (architecture/sandbox-providers.md): new "Custom Placeholder Formats" section covering motivation, semantics, substitution scope, validation rules, and the security trade-off vs the canonical form.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.