[Bug]: `models status --probe` reports "missing or expired" for exec-based SecretRef auth profiles

[rmarr]

Summary

openclaw models status --probe reports auth profile credentials as "missing or expired" when profiles use keyRef/tokenRef with source: "exec" SecretRefs. The credentials resolve and authenticate correctly at runtime — the probe display is wrong.

Steps to reproduce

1. Set up an exec-based SecretRef provider

{
  "secrets": {
    "providers": {
      "keychain": {
        "source": "exec",
        "command": "/path/to/keychain-resolver.sh",
        "jsonOnly": true,
        "passEnv": ["PATH"]
      }
    }
  }
}

2. Configure auth-profiles.json with exec-based refs

{
  "profiles": {
    "anthropic:default": {
      "type": "api_key",
      "provider": "anthropic",
      "keyRef": {
        "source": "exec",
        "provider": "keychain",
        "id": "openclaw-anthropic-default"
      }
    },
    "anthropic:claude-oauth-token": {
      "type": "token",
      "provider": "anthropic",
      "tokenRef": {
        "source": "exec",
        "provider": "keychain",
        "id": "openclaw-anthropic-oauth"
      }
    }
  }
}

3. Verify secrets resolve correctly

openclaw secrets reload
# Output: Secrets reloaded.

openclaw secrets audit --check
# Output: Secrets audit: clean. plaintext=0, unresolved=0, shadowed=0, legacy=0.

4. Run probe

openclaw models status --probe --probe-provider anthropic

Expected behavior

Probe should show credentials as available/ok, since:

• secrets reload succeeds
• secrets audit is clean
• Gateway started successfully (fail-fast would block on unresolved refs)
• The model is actively in use and authenticating

Actual behavior

┌────────────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────────────┐
│ Model                  │ Profile                         │ Status                                                   │
├────────────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ anthropic/claude-      │ anthropic:claude-oauth-token    │ unknown · -                                              │
│ sonnet-4-6             │ (token)                         │ ↳ Auth profile credentials are missing or expired.       │
│ anthropic/claude-      │ anthropic:default (api_key)     │ unknown · -                                              │
│ sonnet-4-6             │                                 │ ↳ Auth profile credentials are missing or expired.       │
└────────────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────────────┘

This also affects other providers with exec-based keyRef. For example, moonshot reports:

│ moonshot/kimi-k2.5     │ moonshot:default (api_key)      │ unknown · 16ms                                          │
│                        │                                 │ ↳ Auth profile "moonshot:default" is not configured      │
│                        │                                 │   for moonshot.                                          │

OpenClaw version

2026.2.26

Operating system

macOS (arm64)

Install method

No response

Logs, screenshots, and evidence

Impact and severity

Cosmetic/operational — no runtime impact. Credentials work correctly for actual API calls.

• Makes it difficult for operators to verify auth health after migrating to SecretRefs
• Could cause confusion during secrets migration when operators expect probe to confirm credentials are working

Additional information

Context

This bug was introduced by the external secrets management feature landed in PR #26155 (feat(security): add external secrets management), merged 3 days ago. That PR introduced provider-based SecretRefs (env, file, exec) for static credentials, including auth-profiles.api_key.key and auth-profiles.token.token as initial targets.

PR #29580 (feat(secrets): expand SecretRef coverage across user-supplied credentials) is currently in progress, expanding coverage from the initial 6 credential targets to 64. Neither PR appears to update the models status --probe command to resolve credentials through the SecretRef runtime — the probe still checks for plaintext fields only.

This means any operator who migrates from plaintext to exec-based SecretRefs — the recommended upgrade path — will see false "missing or expired" warnings from the probe command.

Related Issues / PRs

• feat(security): add external secrets management #26155 — feat(security): add external secrets management (merged) — introduced the SecretRef system and exec provider
• feat(secrets): expand SecretRef coverage across user-supplied credentials #29580 — feat(secrets): expand SecretRef coverage across user-supplied credentials (open) — expanding to 64 credential targets
• Secrets: expand SecretRef scope to channel credentials (botToken, webhookSecret) #28306 — Secrets: expand SecretRef scope to channel credentials (open) — further scope expansion

Likely Cause

The probe command checks for plaintext key/token/access fields in auth-profiles.json directly, rather than resolving through the SecretRef → secrets runtime snapshot path. Profiles that only have keyRef/tokenRef (no plaintext) are reported as "missing."

The probe's credential check predates the SecretRef system (#26155) and was not updated when exec-based providers were introduced.

Workaround

Verify credentials manually:

• openclaw secrets audit --check (confirms refs resolve)
• openclaw secrets reload (confirms runtime snapshot is valid)
• Direct API calls to the provider (confirms authentication works)

[Sid-Qin]

Submitted a fix in PR #30384. now treats SecretRef-backed profiles ( / ) as valid auth candidates, so no longer pre-flags them as missing/expired when plaintext key/token fields are intentionally absent.

[Sid-Qin]

Correction: PR #30384 fixes probe false negatives by treating SecretRef-backed auth profiles (keyRef/tokenRef) as valid order candidates in resolveAuthProfileOrder. This prevents models status --probe from pre-labeling those profiles as missing or expired when plaintext key/token fields are intentionally absent.

[newcodebook]

Yep — this is a probe/UX false negative, not a runtime auth failure.

Until the probe path is updated to treat SecretRef-backed keyRef/tokenRef as “present”, the most reliable checks are:

1. openclaw secrets audit --check (confirms refs resolve in the current snapshot)
2. a real provider call (e.g. openclaw models status / sending a quick prompt) to prove auth works end-to-end.

Looks like there’s already an upstream fix in progress (see the note about #30384) to stop models status --probe from pre-labeling SecretRef-only profiles as “missing or expired”. Once that’s in a released version, upgrading should clear the misleading warning.

If you want to help validate, the most useful extra data is:

• output of openclaw models status --probe --probe-provider <provider>
• plus openclaw secrets audit --check from the same machine

Related CoClaw pages:

• https://coclaw.com/troubleshooting/solutions/models-all-models-failed/
• https://coclaw.com/troubleshooting/solutions/config-migration-env-var-resolved-to-plaintext/

[rmarr]

@newcodebook Thanks for the detailed response — this matches exactly what I observed. The secrets audit --check + live provider call combo was indeed the workaround I landed on to confirm auth was working end-to-end despite the probe warning.

Good to have it confirmed as a UX false negative rather than a runtime issue. Great to see the fast turnaround on fixes too — #30445 for the probe warning and #31288 for keeping SecretRef-only profiles eligible in auth order both look like they address the root issues here. I'll track those through to a release.

For the validation data you mentioned:

• openclaw secrets audit --check → clean (0 plaintext, 0 unresolved, 0 shadowed, 0 legacy)
• openclaw models status --probe --probe-provider anthropic → shows "missing or expired" for both keyRef- and tokenRef-backed profiles
• Live inference calls to the same provider → working correctly

Appreciate the pointer to the CoClaw troubleshooting pages, and thanks to everyone who jumped on this quickly. 👍

[joshavant]

Retested on current main (87d939be793675952d50de4722b8f5ee6434d001) and this no longer reproduces.

What I verified:

• buildProbeTargets now resolves ref-only profile credentials via resolveSecretRefString before deciding missing/expired output.
• The probe path emits unresolved_ref only when resolution truly fails, instead of treating configured keyRef/tokenRef as missing.
• Regression coverage is present in src/commands/models/list.probe.targets.test.ts and passes on current main.

Result: closing as fixed.