Skip to content

openclaw status (text mode) fails on Mattermost exec:keychain SecretRef — other channels with same pattern work #70942

Closed as not planned
#71024
Closed as not planned
openclaw status (text mode) fails on Mattermost exec:keychain SecretRef — other channels with same pattern work#70942
#71024
@djgeorg3

Description

@djgeorg3
djgeorg3
opened on Apr 24, 2026

Bug: openclaw status text mode crashes with unresolved Mattermost SecretRef

Version: 2026.4.22 (00bd2cf), macOS (darwin 25.4.0, arm64), Node v22.22.2

Summary

openclaw status (default text mode) crashes while building the channels table when Mattermost is configured with an exec:keychain: SecretRef for botToken. Other channels (Telegram, Discord) use the same SecretRef shape and work fine. Gateway itself is healthy — Mattermost delivers messages normally — only the CLI renderer is affected.

Repro

  1. Configure channels.mattermost.botToken with an exec/keychain SecretRef: 
    "mattermost": {
  "enabled": true,
  "botToken": {
    "source": "exec",
    "provider": "keychain",
    "id": "openclaw/mattermost-bottoken"
  },
  "baseUrl": "https://…",
  "dmPolicy": "allowlist",
  "groupPolicy": "allowlist"
}
  2. Start the gateway normally (openclaw gateway start). Gateway resolves the secret and connects fine.
  3. Run openclaw status.

Expected

Text-mode status prints the channel table including Mattermost, same as --json (which works).

Actual

[openclaw] Failed to start CLI: Error: channels.mattermost.accounts.default.botToken: unresolved SecretRef "exec:keychain:openclaw/mattermost-bottoken". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (file:///…/dist/types.secrets-BZ6RGKR0.js:55:25)
    at resolveSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:86:52)
    at normalizeResolvedSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:97:19)
    at resolveMattermostAccount (file:///…/dist/accounts-DsoCYhtx.js:328:102)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:39:29)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:74:18)
    at resolveInspectedChannelAccount (file:///…/dist/account-inspection-4shU54zH.js:55:75)
    at async resolveChannelAccountRow (file:///…/dist/status.scan.runtime-PBE84ne9.js:191:43)
    at async buildChannelsTable (file:///…/dist/status.scan.runtime-PBE84ne9.js:293:61)

Notes

  • openclaw status --json works (no channels table built).
  • openclaw status --all also fails with the same error.
  • openclaw doctor and openclaw doctor --fix succeed; Mattermost probe reports ok (@daneel) (193ms).
  • Telegram and Discord use the same exec:keychain SecretRef pattern and do not trigger this in the CLI status renderer — suggests resolveMattermostAccount takes a different, stricter code path than resolveTelegramAccount / resolveDiscordAccount.
  • Config is recognized both as top-level (channels.mattermost.botToken) and under accounts.default.botToken per schema; the error always references the normalized accounts.default path.

Suggested fix

In the CLI status renderer / resolveInspectedChannelAccount path, catch UnresolvedSecretInputError for SecretRef-style values and either:

  1. Render the channel row with secret: pending (from keychain) instead of throwing, or
  2. Fall back to the gateway runtime snapshot the error message already tells the user to use.

Happy to test a patch.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions