doctor crashes with 'unresolved SecretRef' when config uses exec:pass: tokens

[adamlabadorf]

Summary

openclaw doctor crashes with an unresolved SecretRef error when the config uses exec:pass: SecretRefs for secrets (e.g. Discord bot token). This prevents the doctor from completing any checks or applying fixes, even when the GPG agent is unlocked and pass resolves correctly.

Environment

• OpenClaw version: 2026.3.13 (61d171a)
• OS: Linux (ARM64, Ubuntu)
• Gateway: running and fully functional (Discord works)

Config (relevant excerpt)

{
  "channels": {
    "discord": {
      "token": "exec:pass:discord/servers/renegadeparrot-server-token"
    }
  }
}

Steps to Reproduce

1. Configure a channel token as a exec:pass: SecretRef
2. Ensure GPG agent is unlocked and pass resolves the secret correctly (verified: pass discord/servers/... returns the token)
3. Run openclaw doctor or openclaw doctor --fix

Actual Behavior

Error: channels.discord.token: unresolved SecretRef "exec:pass:discord/servers/renegadeparrot-server-token". Resolve this command against an active gateway runtime snapshot before reading it.

Doctor exits immediately after session lock checks, before completing the full health check or applying any repairs.

Expected Behavior

Doctor should resolve exec:pass: SecretRefs the same way the gateway does at startup — by running the command — so it can complete health checks when the GPG agent is active.

Alternatively, doctor should gracefully skip or redact unresolved SecretRef fields rather than crashing, so the rest of the health check still runs.

Additional Notes

• openclaw config validate passes cleanly (no error)
• The gateway itself starts and runs correctly — Discord is fully functional
• Only openclaw doctor is affected
• The error occurs even when pass is explicitly verified to work in the same shell session

[Ryce]

The doctor tool is in a different state resolution path than the gateway runtime. Gateway resolves exec:pass: at startup via the GPG agent session, but doctor runs standalone and tries to resolve SecretRefs through a different (or missing) resolver chain — then crashes instead of surfacing the resolution failure gracefully.

This is config state drift between subsystems: your gateway has live-resolved credentials but the diagnostic tool can't see the same resolution state. The config says one thing, doctor reads another.

If you snapshot config state before running diagnostics — what the gateway actually has loaded vs what doctor tries to resolve — you'd see the gap immediately. That's what a config backup catches: not just your openclaw.json, but the resolved runtime state that different subsystems consume differently: https://keepmyclaw.com

[Artyomkun]

Comment: Root cause — different resolution paths for the same config

I've analyzed this issue and found the problem.

What's happening:

1. Gateway resolves exec:pass: secrets at startup using the active GPG session
2. Doctor tries to resolve the same secrets but runs in a different process without access to that GPG session
3. When doctor can't resolve, it crashes instead of skipping the check

Why this is a problem:

This is the same pattern we've seen across OpenClaw — components interpret the same config differently because they use separate resolution logic.

The fix:

// 1. Create a shared SecretResolver that all components use
class SecretResolver {
  constructor(private context: { gpgSession?: GPGSession }) {}

  async resolve(ref: SecretRef): Promise<string | null> {
    if (ref.type === 'exec:pass' && !this.context.gpgSession) {
      return null; // Can't resolve, skip
    }
    // ... resolution logic
  }
}

// 2. Gateway passes its GPG session
const resolver = new SecretResolver({ gpgSession: activeGpgSession });

// 3. Doctor attempts to connect to existing session or skips
const resolver = new SecretResolver({ 
  gpgSession: await connectToGatewayGpg() // or undefined
});

Expected behavior after fix:

✅ Doctor doesn't crash
✅ Secret checks are skipped if unresolvable
✅ Other health checks still run
✅ Clear warning: "Can't resolve secrets, skipping credential checks"

[joshavant]

Thanks for the detailed exec:pass SecretRef report. #48728 hardens doctor SecretRef handling so unresolved command-path refs no longer abort the whole flow, and diagnostics are surfaced without blocking unrelated checks. Closing as superseded by #48728.