Draft GitHub Issue - openclaw status false-negative with gateway.auth.token SecretRef
Title
[Bug]: openclaw status / openclaw status --json fail to resolve gateway.auth.token env SecretRef even when runtime is healthy and env is present
Body
Bug type
Behavior bug (incorrect output/state without crash)
Summary
On OpenClaw 2026.3.13, openclaw status and openclaw status --json report a false-negative gateway auth failure when gateway.auth.token is configured as an env-backed SecretRef.
The gateway itself is healthy and the same SecretRef-backed configuration works at runtime. The failure appears specific to the status command's gateway probe/auth resolution path.
Config pattern
gateway.auth.token is configured as:
"gateway": {
"auth": {
"mode": "token",
"token": {
"source": "env",
"provider": "default",
"id": "OPENCLAW_GATEWAY_TOKEN"
}
}
}The token value is present in:
- process environment
~/.openclaw/.env
Steps to reproduce
- Configure local gateway token auth using an env SecretRef for
gateway.auth.token
- Ensure
OPENCLAW_GATEWAY_TOKEN is present in the shell environment and/or ~/.openclaw/.env
- Restart the gateway
- Run:
openclaw gateway status
openclaw status
openclaw status --json
Expected behavior
openclaw status and openclaw status --json should resolve the env SecretRef and successfully probe the local gateway, or at minimum should not claim the SecretRef is unresolved when it is available and runtime is healthy.
Actual behavior
openclaw gateway status reports the gateway as healthy, including successful RPC probe.
But openclaw status reports the gateway as unreachable with an error like:
connect failed: device identity required; gateway.auth.token SecretRef is unresolved in this command path; probing without configured auth credentials.
And openclaw status --json includes equivalent false-negative gateway error output.
What was verified
- Gateway runtime is healthy
openclaw gateway status reports RPC probe: ok- Telegram channel remains healthy
- Brave search still works
openclaw secrets audit --json reports:
plaintextCount: 0unresolvedRefCount: 0
- The variable is present in the CLI process environment
- Even explicitly injecting the variable inline for the command invocation still reproduces the issue:
OPENCLAW_GATEWAY_TOKEN=... openclaw status --json
Likely cause
This appears to be a status command-path bug in gateway probe auth / SecretRef resolution rather than a runtime configuration problem.
Local inspection suggests the issue is in the status gateway probe path, around:
resolveGatewayProbeSnapshot(...)resolveGatewayProbeAuthResolution(...)resolveGatewayProbeAuthSafe(...)
The exact warning string appears to come from the probe-auth path that says the SecretRef is unresolved in the current command path, even when the env is present.
Related issues
This looks related to other CLI-vs-runtime SecretRef gaps:
Environment
- OpenClaw:
2026.3.13
- OS: macOS arm64
- Gateway mode: local / loopback
- Auth mode: token
- Secret provider: env (
default)
Impact
This undermines operational trust in openclaw status after SecretRef hardening, because the runtime is healthy while the status surface reports a misleading auth failure.
Draft GitHub Issue -
openclaw statusfalse-negative withgateway.auth.tokenSecretRefTitle
[Bug]:
openclaw status/openclaw status --jsonfail to resolvegateway.auth.tokenenv SecretRef even when runtime is healthy and env is presentBody
Bug type
Behavior bug (incorrect output/state without crash)
Summary
On OpenClaw
2026.3.13,openclaw statusandopenclaw status --jsonreport a false-negative gateway auth failure whengateway.auth.tokenis configured as an env-backed SecretRef.The gateway itself is healthy and the same SecretRef-backed configuration works at runtime. The failure appears specific to the
statuscommand's gateway probe/auth resolution path.Config pattern
gateway.auth.tokenis configured as:The token value is present in:
~/.openclaw/.envSteps to reproduce
gateway.auth.tokenOPENCLAW_GATEWAY_TOKENis present in the shell environment and/or~/.openclaw/.envExpected behavior
openclaw statusandopenclaw status --jsonshould resolve the env SecretRef and successfully probe the local gateway, or at minimum should not claim the SecretRef is unresolved when it is available and runtime is healthy.Actual behavior
openclaw gateway statusreports the gateway as healthy, including successful RPC probe.But
openclaw statusreports the gateway as unreachable with an error like:And
openclaw status --jsonincludes equivalent false-negative gateway error output.What was verified
openclaw gateway statusreportsRPC probe: okopenclaw secrets audit --jsonreports:plaintextCount: 0unresolvedRefCount: 0Likely cause
This appears to be a
statuscommand-path bug in gateway probe auth / SecretRef resolution rather than a runtime configuration problem.Local inspection suggests the issue is in the
statusgateway probe path, around:resolveGatewayProbeSnapshot(...)resolveGatewayProbeAuthResolution(...)resolveGatewayProbeAuthSafe(...)The exact warning string appears to come from the probe-auth path that says the SecretRef is unresolved in the current command path, even when the env is present.
Related issues
This looks related to other CLI-vs-runtime SecretRef gaps:
openclaw statusopenclaw statusfails to resolve Telegram env SecretRef even when env is presentopenclaw message sendfails to resolve SecretRef botToken #39415 —openclaw message sendfails to resolve SecretRef botTokenmissing scope: operator.readfor local loopback probes #49730 — stable2026.3.13-1still reports false local loopback probe auth/scope failuresEnvironment
2026.3.13default)Impact
This undermines operational trust in
openclaw statusafter SecretRef hardening, because the runtime is healthy while the status surface reports a misleading auth failure.