gloves is a secure secrets control plane for multi-agent runtimes and human operators.
It provides:
- agent-owned encrypted secrets
- human approval workflows
- access/audit controls
- vault and daemon operations
- an interactive TUI navigator
- OpenClaw-safe plugin tooling plus a private Docker bridge for sandbox file delivery
Start here: Documentation Index
API and crate docs: docs.rs/gloves
Browse guides
Primary command groups:
gloves run ...: run a process with explicit secret-ref bindingsgloves exec ...: run a process with an explicit delivery mechanicgloves secrets ...: set/get/grant/revoke/statusgloves request ...: create one pending human requestgloves requests ...: list/approve/deny pending requestsgloves vault ...: encrypted vault operationsgloves gpg ...: per-agent GPG key workflowsgloves tui: interactive command center
Recursive help is supported:
gloves help
gloves help secrets
gloves help secrets set
gloves secrets help set
gloves requests help approve# fresh OpenClaw setup
gloves bootstrap --profile openclaw \
--root .openclaw/secrets \
--config .openclaw/.gloves.toml \
--agents main,relationships,coder
# create one namespaced secret
gloves --root .openclaw/secrets set shared/github-token --value ghp_example_token
# run one command with an explicit secret ref
gloves --root .openclaw/secrets run --env API_KEY=gloves://shared/github-token -- env
# read secret
gloves --root .openclaw/secrets get shared/github-token
# list entries
gloves --root .openclaw/secrets listgloves bootstrap is intentionally a thin fresh-setup command. It initializes the runtime layout, creates agent identities, writes .gloves.toml, writes store/.gloves.yaml, and validates the result. It does not migrate existing secrets, patch OpenClaw config files, mutate Docker, or bootstrap GPG by default.
If you omit --ttl, gloves uses defaults.secret_ttl_days from config; the built-in default is 30 days. Use --ttl never for a non-expiring secret. gloves secrets set prints the expiry timestamp for expiring secrets and says never expires otherwise.
gloves run is the top-level process execution UX. It is the closest gloves equivalent to op run, doppler run, and aws-vault exec.
Examples:
gloves run --env API_KEY=gloves://shared/github-token -- curl -H "Authorization: Bearer $API_KEY" https://api.example.com
gloves run --env DB_URL=gloves://shared/db-url -- ./migrate.sh
gloves run --env API_KEY=gloves://shared/github-token --env DB_URL=gloves://shared/db-url -- env
gloves exec env --env API_KEY=gloves://shared/github-token -- envgloves run accepts only explicit NAME=gloves://namespace/secret-path bindings in v1. It does not accept bare secret paths, comma-separated lists, or implicit "load this whole scope" behavior.
Use gloves run when you want the generic "run this command with secrets" flow.
Use gloves exec env when you want the lower-level env-delivery primitive directly.
Use gloves vault exec when you specifically need the lower-level vault workflow that mounts a vault, executes a command, and unmounts it afterward.
Current delivery model:
runis the high-level UXexec envis the shipped explicit delivery mechanic- explicit secret refs are the stable contract between CLI intent and runtime delivery
Planned follow-on strategies:
exec filefor tmpfs-style file deliveryrun --profile ...for reviewed bundles of refs and delivery policy- brokered or session-based delivery for backends that can avoid raw env injection entirely
For complete setup and human/agent workflows, use Quickstart.
The repository now includes:
@gloves/openclawas the real OpenClaw-native plugin package for safe metadata and approval toolsgloves-mcpas the preferred future stdio transport for first-class runtime integrationsgloves-docker-bridgeas a private operator-controlled Docker wrapper for/run/secrets/...deliveryintegrations/openclaw/gloves.json5as the official safe plugin config snippetintegrations/openclaw/docker-bridge.tomlandintegrations/openclaw/launch-openclaw-with-gloves.shas the private bridge examples
If you are setting up OpenClaw today, install @gloves/openclaw for safe list/status/request tools. Treat the Docker bridge as a private last-mile hack that you operate at process start.
Guaranteed-safe official support:
- install
@gloves/openclawon the Gateway host - point the plugin at a host-local
glovesbinary and runtime root - allow plugin id
glovesper agent - use only:
gloves_listgloves_statusgloves_requests_listgloves_request_approvegloves_request_deny
Preferred future transport:
gloves-mcpover stdio for OpenClaw-facing integrations that can safely consume a runtime secret side-channel
Private operator bridge:
gloves-docker-bridgeresolvesgloves://...refs on the host- it injects tmpfs files under
/run/secrets/... - it does not require bind mounts of host secret dirs,
~/.cargo/bin, token files, or daemon sockets - it is not an official OpenClaw API integration
Compatibility transports:
- Unix sockets remain available for non-OpenClaw or legacy runtime integrations
gloves daemonremains available for direct host-side automation- neither transport is the preferred OpenClaw deployment path
curl -fsSL https://raw.githubusercontent.com/openclaw/gloves/main/scripts/setup-openclaw.sh | bashOther install options
cargo install glovesgit clone https://github.com/openclaw/gloves
cd gloves
cargo install --path .- Use least-privilege agent access in
.gloves.toml - Prefer
gloves secrets get --pipe-to <command>over raw stdout in automation - Keep secrets root and config permissions private
- Use
gloves audit --json --limit 100for machine-readable audit export
Details:
cargo fmt --all
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all-features --locked
cargo doc --no-depsWhen Docker is available, the OpenClaw sandbox harness can be exercised with:
bun run docker:e2eThe bridge regression coverage in cargo test covers the private Docker wrapper flow with /run/secrets/... injection and cleanup. The example Docker harness remains an operator-oriented validation path rather than an official OpenClaw support contract.