doctor --fix crashes on env-source SecretRef for Discord token

[protomota]

Summary

openclaw doctor --fix crashes with an unresolved SecretRef error when channels.discord.accounts.default.token is configured as an env-source SecretRef. The gateway resolves the token correctly at runtime (Discord is fully functional), but doctor fails before completing checks.

This is the same class of bug as #48195 and #45416 (both closed), but for env:default: SecretRefs rather than exec:pass: refs. The fix for those issues apparently did not cover the env-source path.

Environment

• OpenClaw version: 2026.3.13 (61d171a)
• OS: macOS (Darwin 25.3.0)
• Gateway: running, RPC probe ok, Discord connected and working

Config (relevant excerpt)

{
  "secrets": {
    "providers": {
      "default": {
        "source": "env"
      }
    }
  },
  "channels": {
    "discord": {
      "accounts": {
        "default": {
          "token": {
            "source": "env",
            "provider": "default",
            "id": "DISCORD_BOT_TOKEN"
          }
        }
      }
    }
  }
}

The token is stored in ~/.openclaw/.env and loaded by the gateway via shellEnv. The env var is NOT in the shell profile.

Steps to Reproduce

1. Configure Discord token as an env-source SecretRef (as above)
2. Store the token in ~/.openclaw/.env (loaded by gateway shellEnv, not shell profile)
3. Confirm gateway is running and Discord works: openclaw channels status shows connected
4. Run openclaw doctor --fix

Actual Behavior

Error: channels.discord.accounts.default.token: unresolved SecretRef "env:default:DISCORD_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.

Doctor exits immediately. Exporting the env var in the shell before running doctor does NOT help — the error persists even with DISCORD_BOT_TOKEN in the environment.

Expected Behavior

Doctor should resolve env-source SecretRefs via the gateway RPC (secrets.resolve) — which is already working (confirmed by openclaw channels status succeeding) — or degrade gracefully with a warning instead of crashing.

Additional context

• openclaw channels status works fine (resolves via gateway RPC)
• openclaw gateway status --deep reports RPC probe ok
• Exporting the env var before running doctor does not resolve the issue, suggesting doctor is hitting assertSecretInputResolved() before attempting gateway RPC resolution
• Related closed issues: doctor crashes with 'unresolved SecretRef' when config uses exec:pass: tokens #48195, [Bug]: openclaw doctor crashes on exec SecretRef channel credentials (exit 1) #45416 — same bug class for exec:pass: SecretRefs, reportedly fixed but env-source path was not covered

[Hollychou924]

Root Cause Analysis

This is the same assertSecretInputResolved() guard hit before the gateway RPC resolution path is attempted — but specifically in the env-source code path that was not covered by the fix for #48195/#45416.

How it likely works:

The doctor command reads config before connecting to the gateway. During config parsing, it encounters:

{"source": "env", "provider": "default", "id": "DISCORD_BOT_TOKEN"}

The env-source SecretRef resolver tries to read the var from process.env directly. But the env var lives in ~/.openclaw/.env (loaded via shellEnv at gateway startup, not at CLI startup), so it's not in the CLI process's environment.

Why exporting the env var before running doctor doesn't help:

The error says "Resolve this command against an active gateway runtime snapshot" — this suggests the code path calls assertSecretInputResolved() after a failed env lookup, rather than falling back to gateway RPC. The exec-source fix likely added a gateway RPC fallback for exec:pass: refs but left the env-source path going straight to assertSecretInputResolved().

Expected fix location:

In the env-source SecretRef resolver (probably src/infra/secrets/env-resolver.ts or similar), the failure path should:

1. Check if a gateway connection is available
2. Attempt gateway RPC secrets.resolve as a fallback (same as the exec-source fix)
3. Only call assertSecretInputResolved() if gateway RPC also fails

Workaround (immediate):
Export the token in the shell profile (not just .env) before running openclaw doctor --fix:

export DISCORD_BOT_TOKEN=$(grep DISCORD_BOT_TOKEN ~/.openclaw/.env | cut -d= -f2)
openclaw doctor --fix

The gateway works correctly because it loads .env via shellEnv at startup — the CLI just needs the same resolution path.

[joshavant]

Thanks again for the detailed report and reproducible config.

We re-validated this on current main using the same env SecretRef shape for channels.discord.accounts.default.token, and we can no longer reproduce the doctor --fix crash with unresolved SecretRef.

Current behavior is that Discord account inspection in doctor’s read-only/security path treats unresolved configured SecretRefs as configured_unavailable and continues, rather than aborting the run.

Given that, we’re planning to close this as fixed. If you still see the crash on the latest build, please share your exact openclaw --version and full command output.