[Bug]: v2026.3.2: openclaw status fails to resolve Telegram env SecretRef even when env is present

[samtxxx]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

On OpenClaw v2026.3.2, the openclaw status command fails with unresolved Telegram SecretRef errors even though:

• the required environment variables are present in the process environment
• the same variables are also present in $OPENCLAW_STATE_DIR/.env
• other commands and runtime behavior indicate the configuration is otherwise valid

This looks like a command-path / read-only status resolution bug specific to status (possibly in its security-audit / Telegram account resolution path).

Steps to reproduce

1. Telegram bot tokens are configured via env SecretRef in openclaw.json
   Example:
   "channels": {
   "telegram": {
   "accounts": {
   "stock_expert": {
   "botToken": {
   "source": "env",
   "provider": "default",
   "id": "TG_TOKEN_1"
   }
   }
   }
   }
   }

2. Export the variables before invoking the command
   Example:
   set -a
   . /etc/openclaw/secrets.env
   set +a

sudo -u samtxxx env
HOME=/home/samtxxx
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
OPENCLAW_STATE_DIR=/opt/openclaw/state
OPENCLAW_CONFIG_PATH=/opt/openclaw/state/openclaw.json
OPENCLAW_GATEWAY_PASSWORD="$OPENCLAW_GATEWAY_PASSWORD"
TG_TOKEN_LEE="$TG_TOKEN_1"
TG_TOKEN_WONG="$TG_TOKEN_2"
TG_TOKEN_CUILIAN="$TG_TOKEN_3"
TG_TOKEN_DANA="$TG_TOKEN_4"
GEMINI_API_KEY_1="$GEMINI_API_KEY_1"
GEMINI_API_KEY_2="$GEMINI_API_KEY_2"
/usr/bin/openclaw status

3. Also tested with $OPENCLAW_STATE_DIR/.env

   A copy of /etc/openclaw/secrets.env was written to:
   /opt/openclaw/state/.env

with correct ownership/permissions, but openclaw status still failed with the same unresolved Telegram SecretRef error.

Expected behavior

openclaw status should succeed when:
1. TG_TOKEN_* variables are present in the process environment, or
2. the same variables are present in $OPENCLAW_STATE_DIR/.env

At minimum, status should not fail with unresolved SecretRef errors if the runtime environment already contains the required variables.

Actual behavior

openclaw status fails with:

[openclaw] Failed to start CLI: Error: channels.telegram.accounts.stock_expert.botToken: unresolved SecretRef "env:default:TG_TOKEN_1". Resolve this command against an active gateway runtime snapshot before reading it.

Stack trace points into the status -> security audit -> Telegram account resolve path, for example:

at assertSecretInputResolved (...)
at normalizeResolvedSecretInputString (...)
at resolveTelegramToken (...)
at resolveAccountWithDefaultFallback (...)
at resolveTelegramAccount (...)
at Object.resolveAccount (...)
at collectChannelSecurityFindings (...)
at runSecurityAudit (...)
at async .../status-....js

OpenClaw version

2026.3.2

Operating system

Debian12

Install method

npm global

Logs, screenshots, and evidence

**Additional evidence**

A wrapper self-check confirms the variables are present before launching OpenClaw CLI:

TG_TOKEN_1=SET
TG_TOKEN_2=SET
TG_TOKEN_3=SET
TG_TOKEN_4=SET
OPENCLAW_GATEWAY_PASSWORD=SET
OPENCLAW_STATE_DIR=SET
OPENCLAW_CONFIG_PATH=SET
HOME=SET
PATH=SET

So this does not appear to be caused by missing/empty environment variables.

**Observations**
	•	The failure is specific to openclaw status
	•	It appears during the security-audit / Telegram account resolution path
	•	The error message suggests resolving against an active gateway runtime snapshot, which implies this may be a read-only command-path bug rather than a true configuration error
	•	Other OpenClaw command paths do not necessarily fail in the same way

Impact and severity

This breaks normal CLI operations and day-2 ops workflows, because openclaw status becomes unusable for deployments that use Telegram env-backed SecretRef configuration, even when the environment is correctly present.

Additional information

Version / Environment

• OpenClaw: 2026.3.2
• Install method: global npm install
• OS: Debian 12
• Runtime: systemd service
• State dir: /opt/openclaw/state
• Config path: /opt/openclaw/state/openclaw.json

---

Telegram config pattern

Telegram accounts are configured with standard env-backed SecretRef values, e.g.:

"botToken": {
  "source": "env",
  "provider": "default",
  "id": "TG_TOKEN_1"
}

---
This same pattern is used for multiple Telegram accounts.

[mdlmarkham]

Triage: SecretRef Resolution in openclaw status

Severity: P2 — Status command fails but runtime may work

Possible Regression

This may be related to PR #38955 (Secrets hardening for models.json). The PR adds new resolution paths for SecretRef-managed credentials.

Key questions:

1. Does openclaw gateway start work correctly?
2. Do other commands (openclaw models status) resolve correctly?

Root Cause Hypothesis

openclaw status uses a read-only path that:

1. Reads config
2. Resolves SecretRefs
3. Displays status

If step 2 fails to access environment variables (due to process isolation or sudo context switch), resolution fails.

Why set -a; source secrets.env; set +a might not help:

• sudo -u samtxxx creates a new process
• Environment variables from sourcing may not propagate to the sudo'd process
• Need to pass env explicitly or use sudo -E

Investigation Steps

For reporter (@calvinmoltbot):

1. Check if env vars propagate:

   sudo -u samtxxx env | grep TG_TOKEN

2. Try with explicit env passing:

   sudo -u samtxxx TG_TOKEN_1="$TG_TOKEN_1" openclaw status

3. Check if runtime works:

   openclaw gateway start
   # Does Telegram bot respond?

4. Check the exact error:

   openclaw status 2>&1 | head -20

For developers:

Check the status command resolution path:

• src/commands/status.ts or similar
• How does it read environment for SecretRef resolution?
• Does it use process.env directly or a different context?

Workaround

Until fixed:

# Pass env explicitly
TG_TOKEN_1="$TG_TOKEN_1" openclaw status

# Or use gateway status instead
openclaw gateway status

---

Related: #38955 (Secrets hardening) — may have introduced or exposed this issue.

[samtxxx]

Triage: SecretRef Resolution in openclaw status

Severity: P2 — Status command fails but runtime may work

......

Or use gateway status instead

openclaw gateway status
Related: #38955 (Secrets hardening) — may have introduced or exposed this issue.

Thanks — I investigated the env propagation angle further, and I do not think this is caused by missing env vars or sudo context loss.

What I verified:

• Telegram bot tokens are configured as standard env SecretRefs (source: "env", provider: "default", id: "TG_TOKEN_*").
• The required env vars are definitely present and non-empty.
• A wrapper self-check confirms all TG_TOKEN_*, OPENCLAW_GATEWAY_PASSWORD, LLM_API_KEY, etc. are set before invoking OpenClaw.
• I also tested explicit env injection directly in the command invocation, and openclaw status still failed with the same unresolved SecretRef error.
• I also copied the same values into $OPENCLAW_STATE_DIR/.env, and openclaw status still failed the same way.

So this seems less like an env propagation issue and more like a status command-path issue in the read-only/security-audit/Telegram resolution path.

The failure stack consistently points into:

• runSecurityAudit
• collectChannelSecurityFindings
• resolveTelegramAccount
• resolveTelegramToken

This may be related to the recent SecretRef/source-snapshot work (for example PR #38757 and #38955), but in my case the visible symptom is specifically that openclaw status cannot resolve Telegram env SecretRefs even when the env is present.

[joshavant]

Retested on current main (87d939be793675952d50de4722b8f5ee6434d001) with Telegram account token configured as env SecretRef (channels.telegram.accounts.stock_expert.botToken).

Quick repro result:

• openclaw status --json exits 0
• no unresolved SecretRef crash in status/security-audit path

This no longer reproduces on latest main. Closing as fixed.