feat: env-based credential injection, primaryEnv frontmatter, desensitize config, test coverage

- auth.py: add env_token (PAYWALLFETCHER_TOKEN) and env_cookie_header
  (PAYWALLFETCHER_COOKIE_*) as priority 1/2 auth sources
- auth.py: resolve() never prints; warnings stored in config['_warnings']
- cli.py: _emit_warnings() emits to stderr in human mode, silent in JSON
- cli.py: auth print-openclaw-snippet subcommand
- cli.py: auth check --json includes candidate_sources + missing_env
- SKILL.md: add primaryEnv + skillKey to openclaw metadata
- config.example.json: remove cookies section (secrets out of tracked files)
- config.debug-cookies.example.json: debug-only cookie fallback template
- TOOLS.md: Credentials section with priority order, remove cookie-in-config advice
- README.md: OpenClaw-native credential config section with skills.entries snippet
- AGENTS.md: canonical entrypoints updated to src/paywallfetcher/
- tests/test_auth_env.py: 15 tests for env priority, no-print contract, redaction
- tests/test_cli.py: 10 tests for --json position, output purity, domain allowlist

Author: Ang

AGENTS.md

@@ -18,10 +18,13 @@ Use it when an agent must:
 - **Repository landing page**: README.md
 - **Config template**: config.example.json
 - **Workspace-specific config**: TOOLS.md
-- **Article fetcher**: downloader.py
-- **Q&A fetcher**: qa/qa_downloader.py
-- **Q&A browser-assist**: qa/qa_unlock.py
-- **Auth layer**: auth_utils.py
+- **Core package**: src/paywallfetcher/
+- **CLI entrypoint**: `py -m paywallfetcher`
+- **Auth layer**: src/paywallfetcher/auth.py
+
+> Legacy wrapper scripts (`downloader.py`, `qa/qa_downloader.py`, `qa/qa_unlock.py`,
+> `auth_utils.py`) remain for backward compatibility but are not canonical.
+> Prefer `py -m paywallfetcher` for all new agent tasks.
 
 ## Agent operating assumptions
 

README.md

@@ -67,6 +67,67 @@ Create a daily cron job at 09:00 that runs:
 Set the working directory to this workspace.
 ```
 
+## OpenClaw-native credential configuration
+
+This skill supports env-based credential injection. The preferred path for
+OpenClaw users is to configure credentials via `skills.entries` rather than
+editing `config.json` directly.
+
+Add this to your `openclaw.json`:
+
+```json
+{
+  "skills": {
+    "entries": {
+      "paywall_fetcher": {
+        "apiKey": {
+          "source": "env",
+          "provider": "default",
+          "id": "PAYWALLFETCHER_TOKEN"
+        },
+        "env": {
+          "PAYWALLFETCHER_BASE_URL": "https://target.example",
+          "PAYWALLFETCHER_TARGET_UID": "YOUR_TARGET_UID"
+        }
+      }
+    }
+  }
+}
+```
+
+Then set the token env var (cookie string format):
+
+```
+PAYWALLFETCHER_TOKEN="SESSION=<value>; XSRF-TOKEN=<value>"
+```
+
+Or inject individual cookies:
+
+```
+PAYWALLFETCHER_COOKIE_SESSION=<value>
+PAYWALLFETCHER_COOKIE_XSRF-TOKEN=<value>
+```
+
+> **Note**: The Python CLI reads `PAYWALLFETCHER_TOKEN` and
+> `PAYWALLFETCHER_COOKIE_*` env vars directly. It does **not** auto-read
+> `skills.entries.*.config` from `openclaw.json` — OpenClaw injects those
+> values into the process environment before the CLI runs.
+
+Generate a ready-to-paste snippet at any time:
+
+```powershell
+py -m paywallfetcher auth print-openclaw-snippet
+```
+
+### Credential priority order
+
+| Priority | Source | How to supply |
+|---|---|---|
+| 1 | `env_token` | `PAYWALLFETCHER_TOKEN` env var |
+| 2 | `env_cookie_header` | `PAYWALLFETCHER_COOKIE_<NAME>` env vars |
+| 3 | `browser_auto` | logged-in Chrome or Edge session |
+| 4 | `config_cookies` | `cookies` in `config.json` — debug-only, do not commit |
+
 ## Capability map
 
 | Capability | Preferred command | Transport |

TOOLS.md

@@ -16,7 +16,7 @@ Edit this file when you set up PaywallFetcher for a specific target site.
 | Site kind | (set `site.kind` in config.json — e.g., `generic`) |
 | Base URL | (set `site.base_url` in config.json) |
 | Target UID | (set `site.target_uid` in config.json) |
-| Auth mode | `browser_auto` (reads Chrome or Edge session) |
+| Auth mode | `browser_auto` / `env_token` / `env_cookie_header` (see Credentials below) |
 | Output root | `./output` |
 | Q&A output | `./qa/output` |
 
@@ -37,14 +37,25 @@ Override these under `site.api_paths` in `config.json` if the target site uses d
 
 ---
 
-## Required cookies
+## Credentials
 
-Populate these under `cookies` in `config.json` as a fallback if browser auth is unavailable:
+Preferred resolution order (highest priority first):
 
-- `SESSION`
-- `XSRF-TOKEN`
+1. **`PAYWALLFETCHER_TOKEN` env var** — cookie string injected by OpenClaw `apiKey`:
+   ```
+   PAYWALLFETCHER_TOKEN="SESSION=<value>; XSRF-TOKEN=<value>"
+   ```
+2. **`PAYWALLFETCHER_COOKIE_<NAME>` env vars** — individual cookie injection:
+   ```
+   PAYWALLFETCHER_COOKIE_SESSION=<value>
+   ```
+3. **Browser session (`browser_auto`)** — reads logged-in Chrome or Edge automatically.
+4. **`config.json` cookies** — debug-only fallback. See `config.debug-cookies.example.json`.
 
-Preferred: keep `auth.mode = browser_auto` and stay logged in through Chrome or Edge.
+> **Do not store production cookies in tracked files.**
+> Do not paste secrets into issues, artifacts, or screenshots.
+
+Run `py -m paywallfetcher auth print-openclaw-snippet` to generate the OpenClaw config snippet.
 
 ---
 

config.debug-cookies.example.json

@@ -0,0 +1,8 @@
+{
+  "_comment": "DEBUG-ONLY. Do not commit real cookies. Use env vars (PAYWALLFETCHER_TOKEN or PAYWALLFETCHER_COOKIE_*) for production.",
+
+  "cookies": {
+    "SESSION": "PASTE_YOUR_SESSION_COOKIE_VALUE_HERE",
+    "XSRF-TOKEN": "PASTE_YOUR_XSRF_TOKEN_VALUE_HERE"
+  }
+}

config.example.json

@@ -19,11 +19,6 @@
     "xsrf_cookie_names": ["XSRF-TOKEN", "XSRF_TOKEN"]
   },
 
-  "cookies": {
-    "SESSION": "",
-    "XSRF-TOKEN": ""
-  },
-
   "network": {
     "proxy": null,
     "request_timeout": 20,

skills/site-content-downloader/SKILL.md

@@ -4,7 +4,7 @@ version: "1.1.0"
 description: Fetch articles and Q&A from the configured target site using the logged-in browser session. Do not ask the user to copy cookies. Supports one-off download, incremental polling, and scheduled collection via OpenClaw cron or Windows Task Scheduler.
 user-invocable: true
 tags: ["content-fetching", "browser-auth", "windows", "polling", "scheduled"]
-metadata: {"openclaw":{"emoji":"📰","homepage":"https://github.com/HzaCode/PaywallFetcher","os":["win32"],"requires":{"anyBins":["py","python"]}}}
+metadata: {"openclaw":{"emoji":"📰","homepage":"https://github.com/HzaCode/PaywallFetcher","os":["win32"],"requires":{"anyBins":["py","python"]},"primaryEnv":"PAYWALLFETCHER_TOKEN","skillKey":"paywall_fetcher"}}
 ---
 
 # PaywallFetcher
@@ -82,10 +82,18 @@ Treat this repository as an agent-operated workspace for:
 
 ## Flag reference
 
-> **Important**: `--json` and `--config FILE` are **global flags** that must appear **before** the subcommand.
-> Correct: `py -m paywallfetcher --json article fetch --new-only`
-> Correct: `py -m paywallfetcher --config path/config.json article fetch`
-> Wrong:   `py -m paywallfetcher article fetch --new-only --json`
+### Global flags (must appear before the subcommand)
+
+| Flag | Type | Description |
+|---|---|---|
+| `--json` | bool | Machine-readable JSON output — must precede the subcommand |
+| `--config FILE` | str | Path to config file — must precede the subcommand |
+
+```
+Correct: py -m paywallfetcher --json article fetch --new-only
+Correct: py -m paywallfetcher --config path/config.json article fetch
+Wrong:   py -m paywallfetcher article fetch --new-only --json
+```
 
 ### `py -m paywallfetcher article fetch`
 
@@ -96,17 +104,13 @@ Treat this repository as an agent-operated workspace for:
 | `--no-images` | bool | Skip image downloads |
 | `--dry-run` | bool | List without saving |
 | `--fail-on-empty` | bool | Exit 10 if no new content in incremental mode |
-| `--json` | bool | Machine-readable JSON output |
-| `--config FILE` | str | Path to config file |
 
 ### `py -m paywallfetcher qa fetch`
 
 | Flag | Type | Description |
 |---|---|---|
 | `--new-only` | bool | Incremental mode |
 | `--start N` | int | Start from Nth item |
-| `--json` | bool | Machine-readable JSON output |
-| `--config FILE` | str | Path to config file |
 
 ### `py -m paywallfetcher qa browser-fetch`
 

src/paywallfetcher/auth.py

@@ -1,14 +1,19 @@
 """Authentication layer.
 
-Resolves browser session cookies from Chrome / Edge automatically.
-Falls back to manually configured cookies only after browser auth failure.
-Proxy credentials are redacted from all log output.
+Priority order for credential resolution:
+  1. env_token        — PAYWALLFETCHER_TOKEN env var (cookie string or bearer token)
+  2. env_cookie_header — PAYWALLFETCHER_COOKIE_<NAME> env vars (individual cookies)
+  3. browser_auto     — local Chrome / Edge logged-in session
+  4. config_cookies   — cookies field in config.json (debug-only fallback)
+
+resolve() never prints. All warnings are stored in config['_warnings'] and
+emitted by the caller (cli.py) according to output mode.
 """
 
 from __future__ import annotations
 
+import os
 import re
-import sys
 from typing import Any, Dict, List, Optional, Tuple
 from urllib.parse import urlparse
 
@@ -26,53 +31,80 @@
 _DEFAULT_BROWSER_ORDER = ("chrome", "edge")
 _DEFAULT_XSRF_NAMES = ("XSRF-TOKEN", "XSRF_TOKEN", "xsrf-token", "x-xsrf-token", "_xsrf")
 
+ENV_TOKEN_VAR = "PAYWALLFETCHER_TOKEN"
+ENV_COOKIE_PREFIX = "PAYWALLFETCHER_COOKIE_"
+
 
 def resolve(config: Dict[str, Any]) -> Dict[str, Any]:
-    """Resolve auth and inject _auth_source / _cookie_records / _cookies / _xsrf_token into config."""
+    """Resolve auth. Never prints. Warnings are stored in config['_warnings'].
+
+    Injects into config:
+      _auth_source, _cookie_records, _cookies, _xsrf_token, _warnings
+    """
+    warnings: List[str] = []
     auth = config.get("auth", {})
     mode = (auth.get("mode") or "browser_auto").lower()
 
     cookie_domains = auth.get("cookie_domains") or _derive_domains(config["base_url"])
     xsrf_names = auth.get("xsrf_cookie_names") or list(_DEFAULT_XSRF_NAMES)
     required = auth.get("required_cookies") or []
 
-    manual = _manual_records(config)
-    browser_records: List[Dict] = []
-    browser_name: Optional[str] = None
-    browser_errors: List[str] = []
-
-    if mode in {"browser", "browser_auto"}:
-        browser_records, browser_name, browser_errors = _load_browser_records(
-            auth.get("browser", "auto"), cookie_domains
-        )
-
-    if browser_records:
-        records = _merge(manual, browser_records)
-        config["_auth_source"] = f"browser:{browser_name}"
-    elif manual:
-        records = manual
-        config["_auth_source"] = "config"
-        if mode in {"browser", "browser_auto"} and browser_errors:
-            print(f"[Warn] Browser auth unavailable, using config cookies: {' | '.join(browser_errors)}", file=sys.stderr)
-    elif mode == "config":
-        raise AuthError("No cookies found in config.json under 'cookies'.")
+    # ── Priority 1: env_token ──────────────────────────────────────────────
+    records = _env_token_records(config)
+    if records:
+        config["_auth_source"] = "env_token"
     else:
-        detail = " | ".join(browser_errors) if browser_errors else "No matching cookies in local browser profiles."
-        raise AuthError(
-            f"Failed to load browser cookies automatically. {detail}\n"
-            "  Ensure you are already logged into the target site in Chrome or Edge."
-        )
+        # ── Priority 2: env_cookie_header ──────────────────────────────────
+        records = _env_cookie_records(config)
+        if records:
+            config["_auth_source"] = "env_cookie_header"
+        else:
+            # ── Priority 3: browser_auto ───────────────────────────────────
+            manual = _manual_records(config)
+            browser_records: List[Dict] = []
+            browser_name: Optional[str] = None
+            browser_errors: List[str] = []
+
+            if mode in {"browser", "browser_auto"}:
+                browser_records, browser_name, browser_errors = _load_browser_records(
+                    auth.get("browser", "auto"), cookie_domains
+                )
+
+            if browser_records:
+                records = _merge(manual, browser_records)
+                config["_auth_source"] = f"browser:{browser_name}"
+            elif manual:
+                # ── Priority 4: config_cookies (debug-only) ────────────────
+                records = manual
+                config["_auth_source"] = "config_cookies"
+                if mode in {"browser", "browser_auto"} and browser_errors:
+                    warnings.append(
+                        f"Browser auth unavailable, falling back to config cookies "
+                        f"(debug-only): {' | '.join(browser_errors)}"
+                    )
+            elif mode == "config":
+                raise AuthError("No cookies found in config.json under 'cookies'.")
+            else:
+                detail = " | ".join(browser_errors) if browser_errors else "No matching cookies in local browser profiles."
+                raise AuthError(
+                    f"Failed to load browser cookies automatically. {detail}\n"
+                    "  Ensure you are already logged into the target site in Chrome or Edge.\n"
+                    f"  Alternatively, set {ENV_TOKEN_VAR} or {ENV_COOKIE_PREFIX}<NAME> env vars."
+                )
 
     cookies_dict = {r["name"]: r["value"] for r in records}
     xsrf = _find_xsrf(cookies_dict, xsrf_names)
 
     missing = [n for n in required if n not in cookies_dict]
     if missing and config.get("_auth_source", "").startswith("browser"):
-        print(f"[Warn] Browser auth loaded but missing required cookies: {', '.join(missing)}", file=sys.stderr)
+        warnings.append(
+            f"Browser auth loaded but missing required cookies: {', '.join(missing)}"
+        )
 
     config["_cookie_records"] = records
     config["_cookies"] = cookies_dict
     config["_xsrf_token"] = xsrf
+    config["_warnings"] = warnings
     return config
 
 
@@ -164,6 +196,65 @@ def doctor_auth(config: Dict[str, Any]) -> Dict[str, Any]:
     return result
 
 
+# ── env credential helpers ─────────────────────────────────────────────────
+
+
+def _env_token_records(config: Dict[str, Any]) -> List[Dict]:
+    """Parse PAYWALLFETCHER_TOKEN env var into cookie records.
+
+    Accepts a semicolon-separated cookie string: ``SESSION=abc; XSRF-TOKEN=xyz``
+    Each ``NAME=value`` pair becomes one cookie record bound to the config host.
+    Returns an empty list if the env var is unset or empty.
+    """
+    token = os.environ.get(ENV_TOKEN_VAR, "").strip()
+    if not token:
+        return []
+
+    host = _normalize_domain(urlparse(config["base_url"]).netloc.split(":")[0])
+    domain = f".{host}" if host else None
+
+    records: List[Dict] = []
+    for part in token.split(";"):
+        part = part.strip()
+        if "=" not in part:
+            continue
+        name, _, value = part.partition("=")
+        name = name.strip()
+        value = value.strip()
+        if name:
+            records.append({
+                "name": name, "value": value,
+                "domain": domain, "path": "/",
+                "secure": True, "expires": None,
+            })
+    return records
+
+
+def _env_cookie_records(config: Dict[str, Any]) -> List[Dict]:
+    """Collect PAYWALLFETCHER_COOKIE_<NAME>=value env vars as cookie records.
+
+    Each env var whose name starts with ``PAYWALLFETCHER_COOKIE_`` contributes
+    one cookie; the cookie name is the suffix after the prefix.
+    Returns an empty list if no matching env vars are set.
+    """
+    host = _normalize_domain(urlparse(config["base_url"]).netloc.split(":")[0])
+    domain = f".{host}" if host else None
+
+    records: List[Dict] = []
+    for key, value in os.environ.items():
+        if not key.startswith(ENV_COOKIE_PREFIX):
+            continue
+        name = key[len(ENV_COOKIE_PREFIX):]
+        value = value.strip()
+        if name and value:
+            records.append({
+                "name": name, "value": value,
+                "domain": domain, "path": "/",
+                "secure": True, "expires": None,
+            })
+    return records
+
+
 # ── internals ──────────────────────────────────────────────────────────────