Title: openclaw doctor reports unresolved Telegram SecretRef, but gateway/runtime resolves it correctly
Version / Environment
- OpenClaw:
2026.3.13 (61d171a)
- OS: macOS (LaunchAgent mode)
- Config path:
~/.openclaw/openclaw.json
- Secrets provider: file provider (
filemain) with ~/.openclaw/secrets.json
Problem
openclaw doctor exits with:
channels.telegram.accounts.default.botToken: unresolved SecretRef "file:filemain:/channels/telegram/accounts/default/botToken". Resolve this command against an active gateway runtime snapshot before reading it.
But runtime checks show the same SecretRef is actually resolved and in use.
Repro
- Configure Telegram account token via SecretRef:
channels.telegram.accounts.default.botToken = { source: "file", provider: "filemain", id: "/channels/telegram/accounts/default/botToken" }
- Ensure
~/.openclaw/secrets.json contains the matching path.
- Start/restart gateway:
- Run doctor:
Actual
openclaw doctor fails with unresolved SecretRef for default.botToken.
Expected
openclaw doctor should pass SecretRef resolution for the same config/runtime.
Evidence that runtime is healthy
openclaw config validate => validopenclaw gateway status --json => service running, rpc ok (outside restricted sandbox)openclaw gateway call status => Telegram channels/accounts loaded, token source shown as config/runtime~/.openclaw/secrets.json contains /channels/telegram/accounts/default/botToken
Notes
- Also saw inconsistent doctor hint: "2/5 recent sessions missing transcripts", while
openclaw sessions cleanup --store ... --dry-run reports Would prune missing transcripts: 0.
- This looks like a doctor-side validation mismatch (possibly not using active runtime snapshot consistently), not a runtime SecretRef failure.
Title:
openclaw doctorreports unresolved Telegram SecretRef, but gateway/runtime resolves it correctlyVersion / Environment
2026.3.13 (61d171a)~/.openclaw/openclaw.jsonfilemain) with~/.openclaw/secrets.jsonProblem
openclaw doctorexits with:channels.telegram.accounts.default.botToken: unresolved SecretRef "file:filemain:/channels/telegram/accounts/default/botToken". Resolve this command against an active gateway runtime snapshot before reading it.But runtime checks show the same SecretRef is actually resolved and in use.
Repro
channels.telegram.accounts.default.botToken = { source: "file", provider: "filemain", id: "/channels/telegram/accounts/default/botToken" }~/.openclaw/secrets.jsoncontains the matching path.openclaw gateway restartopenclaw doctorActual
openclaw doctorfails with unresolved SecretRef fordefault.botToken.Expected
openclaw doctorshould pass SecretRef resolution for the same config/runtime.Evidence that runtime is healthy
openclaw config validate=> validopenclaw gateway status --json=> service running, rpc ok (outside restricted sandbox)openclaw gateway call status=> Telegram channels/accounts loaded, token source shown as config/runtime~/.openclaw/secrets.jsoncontains/channels/telegram/accounts/default/botTokenNotes
openclaw sessions cleanup --store ... --dry-runreportsWould prune missing transcripts: 0.