From 07cf1fb8a5eea3a38eb91a04bb0e54b389cf25a9 Mon Sep 17 00:00:00 2001
From: NanoClaw <nanoclaw@srv1304843.hstgr.cloud>
Date: Tue, 24 Mar 2026 13:47:52 +0000
Subject: [PATCH 1/2] docs: add OneCLI secrets management section to CLAUDE.md

Gives Claude context on how credentials/API keys/OAuth tokens are managed via the OneCLI gateway, so it doesn't suggest storing secrets in .env or passing them to containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CLAUDE.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index 6351ff4..9b3ae27 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -21,6 +21,10 @@ Single Node.js process with skill-based channel system. Channels (WhatsApp, Tele
 | `groups/{name}/CLAUDE.md` | Per-group memory (isolated) |
 | `container/skills/` | Skills loaded inside agent containers (browser, status, formatting) |
 
+## Secrets / Credentials / Proxy (OneCLI)
+
+API keys, secret keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway — which replaces the old credential proxy and handles secret injection into containers at request time, so no keys or tokens are ever passed to containers directly. Run `onecli --help` to manage secrets, agents, and gateway config.
+
 ## Skills
 
 Four types of skills exist in NanoClaw. See [CONTRIBUTING.md](CONTRIBUTING.md) for the full taxonomy and guidelines.

From 7366b0d7dbd1a48e74c26f2778e053db3a1490f7 Mon Sep 17 00:00:00 2001
From: NanoClaw <nanoclaw@srv1304843.hstgr.cloud>
Date: Tue, 24 Mar 2026 15:44:30 +0000
Subject: [PATCH 2/2] docs: trim OneCLI section wording

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CLAUDE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 9b3ae27..2084578 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -23,7 +23,7 @@ Single Node.js process with skill-based channel system. Channels (WhatsApp, Tele
 
 ## Secrets / Credentials / Proxy (OneCLI)
 
-API keys, secret keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway — which replaces the old credential proxy and handles secret injection into containers at request time, so no keys or tokens are ever passed to containers directly. Run `onecli --help` to manage secrets, agents, and gateway config.
+API keys, secret keys, OAuth tokens, and auth credentials are managed by the OneCLI gateway — which handles secret injection into containers at request time, so no keys or tokens are ever passed to containers directly. Run `onecli --help`.
 
 ## Skills