Docs: note secrets audit header-name heuristic

joshavant · joshavant · commit 146e82f8fa7f · 2026-03-07T10:27:05.000-06:00
diff --git a/docs/cli/secrets.md b/docs/cli/secrets.md
@@ -65,6 +65,10 @@ Scan OpenClaw state for:
 - generated `agents/*/agent/models.json` residues (provider `apiKey` values and sensitive provider headers)
 - legacy residues (legacy auth store entries, OAuth reminders)
 
+Header residue note:
+
+- Sensitive provider header detection is name-heuristic based (common auth/credential header names and fragments such as `authorization`, `x-api-key`, `token`, `secret`, `password`, and `credential`).
+
 ```bash
 openclaw secrets audit
 openclaw secrets audit --check
diff --git a/docs/gateway/secrets.md b/docs/gateway/secrets.md
@@ -378,6 +378,10 @@ Findings include:
 - precedence shadowing (`auth-profiles.json` taking priority over `openclaw.json` refs)
 - legacy residues (`auth.json`, OAuth reminders)
 
+Header residue note:
+
+- Sensitive provider header detection is name-heuristic based (common auth/credential header names and fragments such as `authorization`, `x-api-key`, `token`, `secret`, `password`, and `credential`).
+
 ### `secrets configure`
 
 Interactive helper that:
