# Gloves CLI

## Overview

Use this skill to run gloves commands safely and predictably, with behavior grounded in the real CLI implementation and tests.

Primary implementation and behavior sources:

- `src/cli/mod.rs`
- `src/manager.rs`
- `src/paths.rs`
- `tests/cli_integration.rs`

Command details and examples:

- `references/commands.md`

## Workflow

- Identify the user goal.
- Choose a secrets root (`--root`) and initialize the layout if needed (`init`).
- Run the minimal command sequence for that goal.
- Validate the result using `list`, `status`, or command output.
- Report results with the exact command(s) executed and key output.
## Task Playbooks

### Agent Secret Lifecycle

- Initialize:

```bash
gloves --root <root> init
```

- Store:

```bash
gloves --root <root> set <secret-name> --generate --ttl <days>
# or: --stdin / --value (ttl days must be > 0)
```

- Read (only when the user explicitly wants secret output):

```bash
gloves --root <root> get <secret-name>
```

- Inspect:

```bash
gloves --root <root> list
```

- Revoke if requested:

```bash
gloves --root <root> revoke <secret-name>
```

### Human Access Request Lifecycle

- Create request:

```bash
gloves --root <root> request <secret-name> --reason "<why>"
```

- Check request status by secret:

```bash
gloves --root <root> status <secret-name>
```

- Resolve request:

```bash
gloves --root <root> approve <request-uuid>
# or: gloves --root <root> deny <request-uuid>
```

- Verify the status transition:

```bash
gloves --root <root> status <secret-name>
```

### Expiry and Maintenance

- Run the expiry reaper and integrity checks:

```bash
gloves --root <root> verify
```

- Inspect combined state:

```bash
gloves --root <root> list
```

### Sidecar Daemon (TCP)

- Verify strict startup checks:

```bash
gloves --root <root> daemon --check --bind 127.0.0.1:7788
# validates root permissions, loopback policy, and bind availability
```

- Start daemon:

```bash
gloves --root <root> daemon --bind 127.0.0.1:7788
```
## Guardrails

- Prefer `--stdin` or `--generate` over `--value` when possible.
- Avoid printing raw secrets unless the user explicitly requests it.
- Keep commands scoped to the selected `--root`; avoid touching unrelated paths.
- Use valid secret identifiers only (no traversal patterns like `..` or a leading `/`).
- Expect `set` to fail on duplicates (already exists); do not assume overwrite behavior.
- For daemon mode, bind only to loopback addresses (`127.0.0.1` or `::1`).
- Ensure agent memory/index excludes cover secret paths:
  - `~/.password-store/**` (or `$PASSWORD_STORE_DIR/**`)
  - `.openclaw/secrets/**` and any custom `--root` directory
- Never save raw secret values from CLI output into agent memory or notes.
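The guardrails above, turned into pre-flight checks a wrapper can run before it invokes the real CLI. This is an added example, not code from the gloves project; the function names, the identifier allow-list and the two accepted bind formats (`127.0.0.1:<port>` and `[::1]:<port>`) are assumptions.

```bash
#!/bin/sh
# Added example (not part of gloves): pre-flight checks that enforce the
# guardrails before a wrapper calls the CLI. Function names, the identifier
# allow-list and the accepted bind formats are assumptions.

# Valid secret identifier: non-empty, no leading '/', no '..' path component,
# first character alphanumeric (so the name can never be read as an option
# such as '--value'), remaining characters from a conservative allow-list.
gloves_valid_secret_name() {
  [ -n "$1" ] || return 1
  case "$1" in
    /*) return 1 ;;                    # absolute path escapes --root
    ..|../*|*/..|*/../*) return 1 ;;   # traversal component
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# TTL in days must be a positive integer (the CLI rejects 0).
gloves_valid_ttl_days() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# Daemon bind must be loopback only: 127.0.0.1:<port> or [::1]:<port>,
# with the port in 1..65535.
gloves_loopback_bind() {
  case "$1" in
    127.0.0.1:*|\[::1\]:*) port="${1##*:}" ;;
    *) return 1 ;;
  esac
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Assemble a `set --generate` invocation only after every check passes and
# print it, so the caller can report the exact command that will be run.
gloves_set_generated_cmd() {
  root="$1"; name="$2"; ttl="$3"
  gloves_valid_secret_name "$name" || { echo "refusing: invalid secret name '$name'" >&2; return 1; }
  gloves_valid_ttl_days "$ttl" || { echo "refusing: ttl days must be > 0" >&2; return 1; }
  printf 'gloves --root %s set %s --generate --ttl %s\n' "$root" "$name" "$ttl"
}
```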
## Troubleshooting

- `not found`: Secret or request does not exist.
- `already exists`: Secret name is already present.
- `unauthorized`/`forbidden`: Caller lacks required permissions or approval state.
- `expired`: Secret/request TTL elapsed.
- `integrity check failed`: Ciphertext checksum mismatch.
- `invalid input: ...`: Most often a malformed UUID or an invalid argument value.
- `gpg denied`: `pass`/GPG access denied for human backend reads.
## Verification

When changing CLI behavior or docs tied to CLI behavior, run:

```bash
cargo fmt --all
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all-features
cargo doc --no-deps
```