`openclaw doctor` crashes with TypeError on SecretRef/vault-resolved apiKey values

[jmzlx]

Description

openclaw doctor crashes at the end of its run with:

TypeError: resolved?.remote?.apiKey?.trim is not a function

This happens when the configuration uses SecretRef values (e.g., $OPENCLAW_GATEWAY_TOKEN env var references or vault-resolved secrets) for API keys. The gateway runtime resolves these correctly, but the doctor diagnostic tool attempts to call .trim() on the resolved object, which is not a string.

Reproduction

1. Configure openclaw.json with environment variable references for API keys (e.g., memory search remote API key, or any field that resolves through SecretRef)
2. Run openclaw doctor
3. The diagnostic completes all checks successfully, then crashes on the final line with the TypeError

Output

┌  OpenClaw doctor
│
◇  State integrity ─────────────────────╮
│  ...                                   │
├────────────────────────────────────────╯
│
[... all checks pass normally ...]

Telegram: ok (@jmzlx_bot) (334ms)
WhatsApp: linked (auth age 4916m)
Discord: ok (@clemente) (524ms)
Agents: main (default), inbox, creative, voice

TypeError: resolved?.remote?.apiKey?.trim is not a function

Impact

• openclaw doctor cannot be used for pre-flight config validation (exits with error)
• Does not affect runtime — the gateway starts and operates normally
• Prevents using openclaw doctor --fix for automated config repair

Expected behavior

openclaw doctor should handle SecretRef objects the same way the runtime does — either resolve them before calling string methods, or skip the .trim() call when the value is not a plain string.

Environment

• OpenClaw: 2026.3.2
• OS: macOS (arm64), Darwin 25.3.0
• Node: v25.6.1

[newcodebook]

Thanks for the detailed repro — this looks like a doctor-only type mismatch in the memory-search health check.

Workaround (keeps runtime behavior, unblocks doctor --fix):

1. In openclaw.json, remove the SecretRef/object value from agents.defaults.memorySearch.remote.apiKey (leave it unset).
2. Provide the key via the normal provider env var / auth flow instead (so doctor reads a string):
   • e.g. export the provider key in the shell before running openclaw doctor, or run openclaw configure --section model to store credentials in the supported way.
3. Re-run:
   • openclaw doctor (and openclaw doctor --fix if you need repairs)
   • Verify memory search: openclaw memory status --deep

Why this works: openclaw doctor currently does resolved?.remote?.apiKey?.trim() (expects a string). When apiKey is a SecretRef/vault-resolved object, .trim() throws, even though the gateway runtime can resolve and use it.

Recommended reading:

• OpenClaw Configuration Guide: openclaw.json, Models, Gateway, Channels, and Plugins
• OpenClaw State, Workspace, and Memory: Persistence & Permissions Troubleshooting

If you paste the exact memorySearch block you’re using (just that JSON; you can redact the secret value), I can suggest the minimal edit that preserves your SecretRef strategy everywhere else while avoiding the doctor crash.