
#16961: docs: warn against storing secrets in injected workspace files

by soumikbhatta, open, 2026-02-15 08:39
Labels: docs, cli, stale, size: XS
## Summary

- Problem: Workspace bootstrap files (`AGENTS.md`, `TOOLS.md`, `SOUL.md`, etc.) are injected into model context during runs. Users who store API keys, passwords, or tokens in these files unknowingly expose them to the model.
- Why it matters: Security risk — credentials end up in prompt context and may leak via model outputs, logs, or context compaction artifacts.
- What changed: Added explicit "do not store secrets here" warnings across all documentation pages and templates where users are likely to paste credentials.
- What did NOT change (scope boundary): No runtime behavior changes. Pure documentation/template updates.

lobster-biscuit

## Change Type (select all)

- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [x] Docs
- [x] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [x] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Supersedes #13290 (closed for fresh resubmission)

## User-visible / Behavior Changes

- New security warnings visible in documentation and workspace templates.
- Dev workspace fallback template string now includes a one-line secrets warning.

## Security Impact (required)

- New permissions/capabilities? `No`
- Secrets/tokens handling changed? `No`
- New/changed network calls? `No`
- Command/tool execution surface changed? `No`
- Data access scope changed? `No`
- This PR *prevents* a security footgun by making the risk visible to users.

## Repro + Verification

### Environment

- OS: Any
- Runtime/container: N/A (documentation)
- Model/provider: N/A
- Integration/channel (if any): N/A

### Steps

1. Read any workspace template or docs page about TOOLS.md / workspace files
2. Look for guidance about secrets

### Expected

- Clear warnings that these files are injected into model context and must not contain secrets

### Actual

- No warnings (before this PR)

## Evidence

- [x] Trace/log snippets: Verified all 8 files render correctly with warnings in place

## Human Verification (required)

- Verified scenarios: Read each modified file to confirm warnings are clear and non-disruptive
- Edge cases checked: Ensured dev workspace fallback string in `dev.ts` renders correctly as a one-liner
- What you did **not** verify: Docs build rendering (no local docs build available)

## Compatibility / Migration

- Backward compatible? `Yes`
- Config/env changes? `No`
- Migration needed? `No`

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly: Revert the single commit
- Files/config to restore: 7 docs files + `src/cli/gateway-cli/dev.ts`
- Known bad symptoms reviewers should watch for: Broken markdown rendering in docs

## Risks and Mitigations

None — pure documentation additions.

---

- [x] Mark as AI-assisted in the PR title or description
- [x] Note the degree of testing: fully tested (8 files verified), all code understood by author
- [x] Confirm understanding: all code understood by author

🤖 AI-assisted PR (Claude Code) — fully tested, all code understood by author

### Greptile Summary

This PR adds security warnings across workspace documentation and templates to prevent users from storing credentials in files that get injected into model context during runs. The changes are purely additive documentation updates with no behavioral changes.

The warnings are consistent, clear, and strategically placed:

- Template files (`TOOLS.md`, `TOOLS.dev.md`) include prominent "Security First" sections
- Concept documentation (`agent-workspace.md`, `system-prompt.md`) adds contextual warnings about injection behavior
- Reference documentation (`AGENTS.default.md`, templates) adds inline reminders where users are most likely to paste credentials
- Runtime fallback string in `dev.ts:71` now includes a one-line security warning

All warnings correctly explain that workspace files are injected into model context and direct users toward proper credential management (environment variables, secret managers like `op://...`, or `~/.openclaw/credentials/`). The messaging aligns with existing security documentation patterns in `SECURITY.md` and `docs/gateway/security/index.md`.

### Confidence Score: 5/5

- This PR is safe to merge with no risk
- All changes are documentation-only additions with zero runtime behavior modifications. The warnings are well-placed, consistent with existing security documentation patterns, and address a real security footgun. No code logic was altered, no tests need updating, and the changes are backward compatible.
- No files require special attention

Last reviewed commit: b9b3956
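The PR changes documentation only, so the runtime still injects whatever a workspace file contains. The following is an added example, not OpenClaw's code and not part of this PR: a pre-injection scan over workspace bootstrap file text that refuses literal credentials while accepting the reference forms the new warnings point users toward (`op://...` references, environment-variable placeholders, and paths under `~/.openclaw/credentials/`). The detection patterns, the `isReference` rules, the function names and the sample `TOOLS.md` contents are all constructed for illustration; the patterns cover a few common key formats plus a generic "name = literal" case and are not an exhaustive secret scanner.

```typescript
// Added example, not part of OpenClaw or PR #16961: scan workspace bootstrap
// file text (AGENTS.md, TOOLS.md, SOUL.md, ...) for literal credentials before
// it is concatenated into model context, and accept reference forms instead.

interface SecretFinding {
  file: string;
  line: number;     // 1-based line number within the file
  rule: string;     // name of the pattern that matched
  redacted: string; // first four characters of the value only, never the full secret
}

interface SecretRule {
  name: string;
  re: RegExp;
  valueGroup?: number; // capture group holding the candidate value; whole match if absent
}

// Illustrative credential formats (assumed for this example, not exhaustive).
const RULES: SecretRule[] = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: "openai-style-key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { name: "slack-token", re: /\bxox[abpr]-[A-Za-z0-9-]{10,}\b/ },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: "bearer-header", re: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/i },
  // Something named like a secret assigned a literal value of 8+ characters.
  {
    name: "generic-assignment",
    re: /\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["']?([^\s"']{8,})/i,
    valueGroup: 1,
  },
];

// Reference forms the docs recommend: the value names where the secret lives,
// not the secret itself, so it is safe to inject.
function isReference(value: string): boolean {
  return (
    value.startsWith("op://") ||                          // 1Password secret reference
    /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/.test(value) ||     // $VAR or ${VAR} env placeholder
    value.startsWith("~/.openclaw/credentials/") ||       // credentials directory path
    /^<[^<>]+>$/.test(value)                              // <placeholder> in a template
  );
}

function redact(value: string): string {
  return value.slice(0, 4) + "...";
}

// Scan one file's text. At most one finding per line; the first matching rule wins.
function scanWorkspaceText(file: string, text: string): SecretFinding[] {
  const findings: SecretFinding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i] ?? "";
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m === null) continue;
      const value = rule.valueGroup !== undefined ? m[rule.valueGroup] : m[0];
      if (value === undefined || isReference(value)) continue;
      findings.push({ file, line: i + 1, rule: rule.name, redacted: redact(value) });
      break;
    }
  }
  return findings;
}

// Gate to run over every bootstrap file before it is placed in the system prompt.
function checkWorkspaceFiles(files: Record<string, string>): { ok: boolean; findings: SecretFinding[] } {
  const findings: SecretFinding[] = [];
  for (const file of Object.keys(files)) {
    findings.push(...scanWorkspaceText(file, files[file] ?? ""));
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample TOOLS.md (not a real project file): three reference forms
// that should pass, three literal credentials that should be refused.
const SAMPLE_TOOLS_MD: string = [
  "# TOOLS.md",
  "",
  "## Security First",
  "Do not store secrets here; this file is injected into model context.",
  "",
  "## Weather (reference forms, allowed)",
  "api_key = ${WEATHER_API_KEY}",
  "token: op://Personal/notes-api/credential",
  "secret: ~/.openclaw/credentials/weather.json",
  "",
  "## Legacy entries (the footgun this PR warns about)",
  "OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz012345",
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  "smtp password = CorrectHorseBatteryStaple",
].join("\n");

const result = checkWorkspaceFiles({ "TOOLS.md": SAMPLE_TOOLS_MD, "AGENTS.md": "# AGENTS.md\nRead TOOLS.md first." });
for (const f of result.findings) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.redacted} -> refusing to inject into model context`);
}
```

On the constructed sample the three reference lines pass and the three literal values are reported with only their first four characters, so the gate's own log output does not become a second place the secret leaks. Where such a check would hook into the project (for instance before the fallback template in `dev.ts` is assembled) is an assumption; the PR itself adds no runtime check.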
