openclaw
diff --git a/‎docs/channels/sms.md‎
Lines changed: 64 additions & 4 deletions b/‎docs/channels/sms.md‎
Lines changed: 64 additions & 4 deletions
diff --git a/‎docs/reference/secretref-credential-surface.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/reference/secretref-credential-surface.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/reference/secretref-user-supplied-credentials-matrix.json‎
Lines changed: 14 additions & 0 deletions b/‎docs/reference/secretref-user-supplied-credentials-matrix.json‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎extensions/sms/contract-api.ts‎
Lines changed: 4 additions & 0 deletions b/‎extensions/sms/contract-api.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎extensions/sms/secret-contract-api.ts‎
Lines changed: 5 additions & 0 deletions b/‎extensions/sms/secret-contract-api.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎extensions/sms/src/channel.test.ts‎
Lines changed: 6 additions & 0 deletions b/‎extensions/sms/src/channel.test.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎extensions/sms/src/channel.ts‎
Lines changed: 9 additions & 1 deletion b/‎extensions/sms/src/channel.ts‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎extensions/sms/src/secret-contract.test.ts‎
Lines changed: 162 additions & 0 deletions b/‎extensions/sms/src/secret-contract.test.ts‎
Lines changed: 162 additions & 0 deletions
@@ -84,6 +84,18 @@ https://gateway.example.com/webhooks/sms
 
   </Step>
 
+  <Step title="Expose the exact SMS webhook path">
+    Your public URL must route the SMS path to the Gateway process. If you use Tailscale Funnel for local testing, expose `/webhooks/sms` explicitly:
+
+```bash
+tailscale funnel --bg --set-path /webhooks/sms http://127.0.0.1:<gateway-port>/webhooks/sms
+tailscale funnel status
+```
+
+    Voice Call and SMS use separate webhook paths. If the same Twilio number handles both, keep both routes configured in Twilio and in your tunnel.
+
+  </Step>
+
   <Step title="Start the Gateway and approve first sender">
 
 ```bash
@@ -149,6 +161,27 @@ Then enable the channel in config:
 
 `TWILIO_SMS_FROM` is accepted as an alias for `TWILIO_PHONE_NUMBER`. Use `TWILIO_MESSAGING_SERVICE_SID` instead of a phone-number sender when Twilio should choose the sender from a Messaging Service.
 
+### SecretRef auth token
+
+`authToken` can be a SecretRef. Use this when the Gateway should resolve the Twilio Auth Token from the OpenClaw secrets runtime instead of storing plaintext config:
+
+```json5
+{
+  channels: {
+    sms: {
+      enabled: true,
+      accountSid: "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+      authToken: { source: "env", provider: "default", id: "TWILIO_AUTH_TOKEN" },
+      fromNumber: "+15551234567",
+      publicWebhookUrl: "https://gateway.example.com/webhooks/sms",
+      dmPolicy: "pairing",
+    },
+  },
+}
+```
+
+The referenced environment variable or secret provider must be visible to the Gateway runtime. Restart managed Gateway processes after changing host environment variables.
+
 ### Allowlist-only private number
 
 Use `allowlist` when only known phone numbers should be able to talk to the agent:
@@ -245,17 +278,37 @@ SMS output is plain text. OpenClaw strips markdown, flattens fenced code blocks,
 After the Gateway starts:
 
 1. Confirm the Gateway log shows the SMS webhook route.
-2. Send an SMS to the Twilio number from your phone.
-3. Run `openclaw pairing list sms`.
-4. Approve the pairing code with `openclaw pairing approve sms <CODE>`.
-5. Send another SMS and confirm the agent replies.
+2. Run a Twilio-side probe:
+
+```bash
+openclaw channels capabilities --channel sms
+openclaw channels status --channel sms --probe --json
+```
+
+3. Send an SMS to the Twilio number from your phone.
+4. Run `openclaw pairing list sms`.
+5. Approve the pairing code with `openclaw pairing approve sms <CODE>`.
+6. Send another SMS and confirm the agent replies.
 
 For outbound-only testing, use:
 
 ```bash
 openclaw message send --channel sms --target sms:+15557654321 --message "OpenClaw SMS test"
 ```
 
+### End-to-end test from macOS iMessage/SMS
+
+On a Mac that can send carrier SMS through Messages, you can use `imsg` to drive the sender side without touching your phone:
+
+```bash
+imsg send --to "+15551234567" --service sms --text "OpenClaw SMS E2E $(date -u +%Y%m%dT%H%M%SZ)" --json
+openclaw pairing list sms
+openclaw pairing approve sms <CODE>
+imsg send --to "+15551234567" --service sms --text "reply exactly SMS pong" --json
+```
+
+The first message should create a pairing request. The second message should receive the agent reply through Twilio.
+
 ## Webhook security
 
 By default, OpenClaw validates `X-Twilio-Signature` using `publicWebhookUrl` and `authToken`. Keep `publicWebhookUrl` byte-for-byte aligned with the URL configured in Twilio, including scheme, host, path, and query string.
@@ -311,6 +364,13 @@ Check that `publicWebhookUrl` exactly matches the URL configured in Twilio, incl
 
 Check the Twilio number's **Messaging** webhook URL and method. It must point to the SMS webhook URL and use `POST`. Also confirm the Gateway is reachable from the public internet or through your tunnel.
 
+If the Twilio message log shows error `11200`, Twilio accepted the inbound SMS but could not reach your webhook. Check:
+
+- Twilio **Messaging > A message comes in** points at `publicWebhookUrl`.
+- The method is `POST`.
+- The tunnel or reverse proxy exposes the exact `webhookPath`; for Tailscale Funnel, run `tailscale funnel status` and confirm `/webhooks/sms` is listed.
+- `publicWebhookUrl` uses the same scheme, host, path, and query string Twilio sends, so signature validation can reproduce the signed URL.
+
 ### Outbound sends fail
 
 Confirm `accountSid`, `authToken`, and either `fromNumber` or `messagingServiceSid` are resolved. If you use a trial Twilio account, the destination number may need to be verified in Twilio before outbound SMS will send.
 
@@ -73,6 +73,8 @@ Scope intent:
 - `channels.slack.accounts.*.appToken`
 - `channels.slack.accounts.*.userToken`
 - `channels.slack.accounts.*.signingSecret`
+- `channels.sms.authToken`
+- `channels.sms.accounts.*.authToken`
 - `channels.discord.token`
 - `channels.discord.pluralkit.token`
 - `channels.discord.voice.tts.providers.*.apiKey`
 
@@ -337,6 +337,20 @@
       "secretShape": "secret_input",
       "optIn": true
     },
+    {
+      "id": "channels.sms.accounts.*.authToken",
+      "configFile": "openclaw.json",
+      "path": "channels.sms.accounts.*.authToken",
+      "secretShape": "secret_input",
+      "optIn": true
+    },
+    {
+      "id": "channels.sms.authToken",
+      "configFile": "openclaw.json",
+      "path": "channels.sms.authToken",
+      "secretShape": "secret_input",
+      "optIn": true
+    },
     {
       "id": "channels.telegram.accounts.*.botToken",
       "configFile": "openclaw.json",
 
@@ -0,0 +1,4 @@
+export {
+  collectRuntimeConfigAssignments,
+  secretTargetRegistryEntries,
+} from "./src/secret-contract.js";
@@ -0,0 +1,5 @@
+export {
+  channelSecrets,
+  collectRuntimeConfigAssignments,
+  secretTargetRegistryEntries,
+} from "./src/secret-contract.js";
@@ -65,6 +65,12 @@ describe("smsPlugin status", () => {
 describe("smsPlugin outbound", () => {
   it("declares an active text chunker and account-aware chunk limit", () => {
     expect(smsPlugin.configSchema).toBeDefined();
+    expect(smsPlugin.status?.probeAccount).toBeDefined();
+    expect(smsPlugin.status?.formatCapabilitiesProbe).toBeDefined();
+    expect(smsPlugin.secrets?.secretTargetRegistryEntries?.map((entry) => entry.id)).toEqual([
+      "channels.sms.accounts.*.authToken",
+      "channels.sms.authToken",
+    ]);
     expect(smsPlugin.messaging?.targetPrefixes).toEqual(["twilio-sms"]);
     expect(smsPlugin.outbound?.chunker?.("alpha beta", 6)).toEqual(["alpha", "beta"]);
     expect(
 
@@ -28,7 +28,9 @@ import {
   normalizeSmsAllowFrom,
   normalizeSmsPhoneNumber,
 } from "./phone.js";
+import { collectRuntimeConfigAssignments, secretTargetRegistryEntries } from "./secret-contract.js";
 import { sendSmsTextChunks, toSmsPlainText } from "./send.js";
+import { formatSmsProbeLines, probeSmsAccount, type SmsProbe } from "./status.js";
 import type { ResolvedSmsAccount } from "./types.js";
 
 const CHANNEL_ID = "sms";
@@ -227,7 +229,7 @@ const smsMessageAdapter = defineChannelMessageAdapter({
   },
 });
 
-export const smsPlugin: ChannelPlugin<ResolvedSmsAccount> = createChatChannelPlugin({
+export const smsPlugin: ChannelPlugin<ResolvedSmsAccount, SmsProbe> = createChatChannelPlugin({
   base: {
     id: CHANNEL_ID,
     meta: {
@@ -302,11 +304,17 @@ export const smsPlugin: ChannelPlugin<ResolvedSmsAccount> = createChatChannelPlu
         lastInboundAt: null,
         lastOutboundAt: null,
       },
+      probeAccount: async ({ account, timeoutMs }) => await probeSmsAccount({ account, timeoutMs }),
+      formatCapabilitiesProbe: ({ probe }) => formatSmsProbeLines(probe),
       buildAccountSnapshot: buildSmsAccountSnapshot,
       buildCapabilitiesDiagnostics: async ({ account }) => ({
         lines: collectSmsStartupWarnings(account).map((text) => ({ text, tone: "warn" })),
       }),
     },
+    secrets: {
+      secretTargetRegistryEntries,
+      collectRuntimeConfigAssignments,
+    },
     agentPrompt: {
       messageToolHints: () => [
         "",
 
@@ -0,0 +1,162 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/config-contracts";
+import {
+  applyResolvedAssignments,
+  createResolverContext,
+  resolveSecretRefValues,
+} from "openclaw/plugin-sdk/secret-ref-runtime";
+import { describe, expect, it } from "vitest";
+import { collectRuntimeConfigAssignments, secretTargetRegistryEntries } from "./secret-contract.js";
+
+async function resolveSmsSecretAssignments(
+  sourceConfig: OpenClawConfig,
+  env: NodeJS.ProcessEnv,
+): Promise<{
+  config: OpenClawConfig;
+  warnings: ReturnType<typeof createResolverContext>["warnings"];
+}> {
+  const resolvedConfig: OpenClawConfig = structuredClone(sourceConfig);
+  const context = createResolverContext({ sourceConfig, env });
+
+  collectRuntimeConfigAssignments({
+    config: resolvedConfig,
+    defaults: sourceConfig.secrets?.defaults,
+    context,
+  });
+
+  const resolved = await resolveSecretRefValues(
+    context.assignments.map((assignment) => assignment.ref),
+    {
+      config: sourceConfig,
+      env: context.env,
+      cache: context.cache,
+    },
+  );
+  applyResolvedAssignments({ assignments: context.assignments, resolved });
+
+  return { config: resolvedConfig, warnings: context.warnings };
+}
+
+describe("sms secret contract", () => {
+  it("publishes SMS auth token targets", () => {
+    expect(secretTargetRegistryEntries.map((entry) => entry.id)).toEqual([
+      "channels.sms.accounts.*.authToken",
+      "channels.sms.authToken",
+    ]);
+  });
+
+  it("resolves top-level authToken SecretRefs for SMS accounts", async () => {
+    const resolved = await resolveSmsSecretAssignments(
+      {
+        channels: {
+          sms: {
+            enabled: true,
+            accountSid: "AC123",
+            authToken: { source: "env", provider: "default", id: "TWILIO_AUTH_TOKEN" },
+            fromNumber: "+15557654321",
+          },
+        },
+      } as OpenClawConfig,
+      { TWILIO_AUTH_TOKEN: "resolved-token" },
+    );
+
+    expect(resolved.config.channels?.sms?.authToken).toBe("resolved-token");
+    expect(resolved.warnings).toStrictEqual([]);
+  });
+
+  it("keeps top-level authToken active for an implicit default sender plus named accounts", async () => {
+    const resolved = await resolveSmsSecretAssignments(
+      {
+        channels: {
+          sms: {
+            enabled: true,
+            accountSid: "AC123",
+            authToken: { source: "env", provider: "default", id: "TWILIO_DEFAULT_TOKEN" },
+            fromNumber: "+15557654321",
+            accounts: {
+              support: {
+                enabled: true,
+                accountSid: "AC456",
+                authToken: { source: "env", provider: "default", id: "TWILIO_SUPPORT_TOKEN" },
+                fromNumber: "+15558675309",
+              },
+            },
+          },
+        },
+      } as OpenClawConfig,
+      {
+        TWILIO_DEFAULT_TOKEN: "resolved-default-token",
+        TWILIO_SUPPORT_TOKEN: "resolved-support-token",
+      },
+    );
+
+    expect(resolved.config.channels?.sms?.authToken).toBe("resolved-default-token");
+    expect(resolved.config.channels?.sms?.accounts?.support?.authToken).toBe(
+      "resolved-support-token",
+    );
+    expect(resolved.warnings).toStrictEqual([]);
+  });
+
+  it("keeps top-level authToken active for env-backed default senders plus named accounts", async () => {
+    const resolved = await resolveSmsSecretAssignments(
+      {
+        channels: {
+          sms: {
+            enabled: true,
+            authToken: { source: "env", provider: "default", id: "TWILIO_DEFAULT_TOKEN" },
+            accounts: {
+              support: {
+                enabled: true,
+                accountSid: "AC456",
+                authToken: { source: "env", provider: "default", id: "TWILIO_SUPPORT_TOKEN" },
+                fromNumber: "+15558675309",
+              },
+            },
+          },
+        },
+      } as OpenClawConfig,
+      {
+        TWILIO_ACCOUNT_SID: "AC-env",
+        TWILIO_PHONE_NUMBER: "+15550001111",
+        TWILIO_DEFAULT_TOKEN: "resolved-default-token",
+        TWILIO_SUPPORT_TOKEN: "resolved-support-token",
+      },
+    );
+
+    expect(resolved.config.channels?.sms?.authToken).toBe("resolved-default-token");
+    expect(resolved.config.channels?.sms?.accounts?.support?.authToken).toBe(
+      "resolved-support-token",
+    );
+    expect(resolved.warnings).toStrictEqual([]);
+  });
+
+  it("treats top-level authToken refs as inactive when all enabled accounts override them", async () => {
+    const resolved = await resolveSmsSecretAssignments(
+      {
+        channels: {
+          sms: {
+            authToken: { source: "env", provider: "default", id: "UNUSED_TWILIO_TOKEN" },
+            accounts: {
+              support: {
+                enabled: true,
+                accountSid: "AC456",
+                authToken: { source: "env", provider: "default", id: "TWILIO_SUPPORT_TOKEN" },
+                fromNumber: "+15558675309",
+              },
+            },
+          },
+        },
+      } as OpenClawConfig,
+      { TWILIO_SUPPORT_TOKEN: "resolved-support-token" },
+    );
+
+    expect(resolved.config.channels?.sms?.authToken).toEqual({
+      source: "env",
+      provider: "default",
+      id: "UNUSED_TWILIO_TOKEN",
+    });
+    expect(resolved.config.channels?.sms?.accounts?.support?.authToken).toBe(
+      "resolved-support-token",
+    );
+    expect(resolved.warnings.map((warning) => warning.path)).toContain("channels.sms.authToken");
+  });
+});