[Bug]: @openclaw/bluebubbles 2026.5.2 webhook auth crashes on SecretRef password — TypeError in monitor.ts

[JakubOleksy]

Summary

After upgrading to OpenClaw 2026.5.2 and installing the now-external @openclaw/bluebubbles plugin, inbound iMessages are dropped when channels.bluebubbles.password is configured as a SecretRef (e.g. {source: "exec", provider: "...", id: "value"}). The webhook route registers and listens, but every POST is rejected with:

plugin http route failed (bluebubbles): TypeError: target.account.config.password?.trim is not a function

Outbound sends and the BlueBubbles HTTP API still work (they go through createBlueBubblesClientFromParts which calls normalizeSecretInputString). Only the webhook auth path is broken.

Root cause

extensions/bluebubbles/src/monitor.ts line ~196 (in the new external @openclaw/bluebubbles plugin v2026.5.2):

const token = target.account.config.password?.trim() ?? "";
return safeEqualAuthToken(guid, token);

When password is a SecretRef object, .trim is undefined and the route handler throws. Every other consumer of account.config.password in this plugin (monitor-processing.ts:780, actions.ts:159, account-resolve.ts:49) uses normalizeSecretInputString(account.config.password) to coerce SecretRef → string before use. The webhook auth path missed it.

Reproduction

1. OpenClaw 2026.5.2, install plugin: openclaw plugins install @openclaw/bluebubbles
2. ~/.openclaw/openclaw.json:

   "channels": {
     "bluebubbles": {
       "enabled": true,
       "webhookPath": "/bluebubbles-webhook",
       "serverUrl": "http://localhost:1234",
       "password": { "source": "exec", "provider": "op-bb-password", "id": "value" }
     }
   }

3. Restart gateway. Logs show BlueBubbles webhook listening on /bluebubbles-webhook.
4. Send an iMessage to the bridged number. BlueBubbles fires its webhook → gateway logs plugin http route failed (bluebubbles): TypeError: target.account.config.password?.trim is not a function. Message never reaches the agent.

Also at startup:

[default] BlueBubbles catchup: cannot resolve server account: Error: channels.bluebubbles.password: unresolved SecretRef "exec:op-bb-password:value". Resolve this command against an active gateway runtime snapshot before reading it.

— suggests catchup may have the same issue (resolving SecretRef without going through the runtime resolver).

Suggested fix

In monitor.ts, replace the raw .trim() with normalizeSecretInputString(target.account.config.password)?.trim() ?? "" (or use whatever the runtime-resolved password helper is — same one createBlueBubblesClientFromParts uses on the outbound side). Audit other call sites for the same pattern; catchup.ts:405 and monitor.ts:342 also pass account.config.password raw.

Workaround

Replace the SecretRef with the literal password string in openclaw.json. Survives until plugin updates.

Environment

• OpenClaw 2026.5.2 (8b2a6e5)
• @openclaw/bluebubbles 2026.5.2 (npm install, stable channel)
• macOS 26.4.1 (Tahoe)
• BlueBubbles server 1.9.9
• Single-host loopback gateway, password sourced via 1Password service-account exec wrapper

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep this issue open. Current main still calls .trim() directly on the BlueBubbles webhook password while the same plugin schema and public SecretRef surface allow channels.bluebubbles.password to be a SecretRef object, so the reported TypeError is a real plugin-owned bug.

Reproducibility: yes. from source inspection: a registered BlueBubbles webhook target whose account config keeps password as a SecretRef object will reach target.account.config.password?.trim() and throw before normal auth rejection or message handling. I did not execute the webhook path because this pass is read-only.

Next step
This is a narrow valid plugin bug with clear files, expected behavior, and a focused regression-test path.

Review details

Best possible solution:

Make the BlueBubbles plugin consistently use the runtime-resolved secret-aware password value for webhook auth and catchup, then add regression coverage for SecretRef-shaped account config.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: a registered BlueBubbles webhook target whose account config keeps password as a SecretRef object will reach target.account.config.password?.trim() and throw before normal auth rejection or message handling. I did not execute the webhook path because this pass is read-only.

Is this the best way to solve the issue?

Yes: the narrow maintainable fix is plugin-local, reusing the existing SecretRef/runtime-resolved password path instead of changing core SecretRef policy or adding configuration.

Acceptance criteria:

• pnpm test extensions/bluebubbles/src/monitor.webhook-auth.test.ts extensions/bluebubbles/src/catchup.test.ts
• pnpm test extensions/bluebubbles
• pnpm check:changed

What I checked:

• Webhook auth still dereferences raw password as string: handleBlueBubblesWebhookRequest compares auth by evaluating target.account.config.password?.trim(), which throws when password is a structured SecretRef object. (extensions/bluebubbles/src/monitor.ts:196, d520fa6229ae)
• BlueBubbles password schema accepts SecretInput: The BlueBubbles account schema defines password with buildSecretInputSchema().optional(), so string-only use in the webhook path does not match the accepted config contract. (extensions/bluebubbles/src/config-schema.ts:78, d520fa6229ae)
• Public SecretRef surface includes BlueBubbles password: The canonical SecretRef credential surface lists both channels.bluebubbles.password and channels.bluebubbles.accounts.*.password as supported targets. Public docs: docs/reference/secretref-credential-surface.md. (docs/reference/secretref-credential-surface.md:85, d520fa6229ae)
• SecretInput can be an object, and string normalization does not resolve it: SecretInput is string | SecretRef; normalizeSecretInputString returns a string only for actual string values, so a raw SecretRef object must not be used with string methods. (src/config/types.secrets.ts:18, d520fa6229ae)
• Catchup path has the same unresolved SecretRef symptom: Startup catchup passes target.account.config.password as a raw override to resolveBlueBubblesServerAccount; that helper throws the same unresolved SecretRef error the report quotes when it sees a raw object. (extensions/bluebubbles/src/catchup.ts:486, d520fa6229ae)
• Current line provenance: git blame attributes the current webhook auth lines to the plugin externalization/release-prep commit 550d6f5c4345f6733def7dd2fbcf8a38e32e7695, which is contained in v2026.5.2. (extensions/bluebubbles/src/monitor.ts:196, 550d6f5c4345)

Likely related people:

• steipete: Blame and release-history checks show the current externalized BlueBubbles plugin files, the exact webhook auth line, and the BlueBubbles SecretRef surface were added during the v2026.5.2 release preparation path. (role: recent maintainer and current-line introducer; confidence: high; commits: 550d6f5c4345, 8b2a6e57fef6; files: extensions/bluebubbles/src/monitor.ts, extensions/bluebubbles/src/secret-contract.ts, docs/reference/secretref-credential-surface.md)
• Jacob Tomlinson: Recent history for the BlueBubbles webhook area includes auth/rate-limit and SSRF hardening work, making this a relevant routing candidate for auth-path regressions. (role: adjacent webhook-auth maintainer; confidence: medium; commits: 5e08ce36d522, f92c92515bd4; files: extensions/bluebubbles/src/monitor.ts, extensions/bluebubbles/src/webhook-ingress.ts)
• tyler6204: History shows substantial merged BlueBubbles message-processing and webhook behavior work across the plugin, so this is a useful secondary routing candidate for plugin behavior review. (role: BlueBubbles feature-history owner; confidence: medium; commits: 1007d71f0cec, 9c0c5866dbf3, 445b58550c49; files: extensions/bluebubbles/src/monitor.ts, extensions/bluebubbles/src/monitor-processing.ts, extensions/bluebubbles/src/actions.ts)

Remaining risk / open question:

• This review did not run a live BlueBubbles server or Vitest reproduction because the checkout review was constrained to read-only inspection; the reproduction basis is current-source control flow.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d520fa6229ae.

[neeravmakwana]

Draft PR with the fix: #76410

[joshavant]

Thanks @JakubOleksy for the report. The merged fix in #76449 updates BlueBubbles webhook auth to treat SecretRef-backed passwords safely instead of calling string methods on unresolved refs, so webhook auth now fails closed rather than crashing. Closing this out.