[Bug] @openclaw/discord 2026.5.2 channel startup crashes on SecretRef-backed token (env:default:DISCORD_BOT_TOKEN unresolved)

[mogglemoss]

Bug type

Regression (worked in 2026.4.29, fails in 2026.5.2)

Beta release blocker

No

Summary

After upgrading to OpenClaw 2026.4.29 → 2026.5.2, the now-externalized @openclaw/discord@2026.5.2 plugin fails to start the Discord channel when channels.discord.token is configured as a SecretRef (e.g. { id: "DISCORD_BOT_TOKEN", provider: "default", source: "env" }). Telegram with the same SecretRef pattern is unaffected.

The error fires before gateway ready:

[discord] channel startup failed: channels.discord.token: unresolved SecretRef
"env:default:DISCORD_BOT_TOKEN". Resolve this command against an active gateway
runtime snapshot before reading it.

The same config worked on 2026.4.29 (bundled dist/extensions/discord).

Steps to reproduce

1. Install OpenClaw 2026.5.2 (which auto-installs @openclaw/discord@2026.5.2 from npm via the doctor repair step).
2. ~/.openclaw/openclaw.json:

   "channels": {
     "discord": {
       "enabled": true,
       "token": {
         "id": "DISCORD_BOT_TOKEN",
         "provider": "default",
         "source": "env"
       }
     }
   },
   "secrets": {
     "providers": { "default": { "source": "env" } }
   }

3. Ensure DISCORD_BOT_TOKEN is in process.env (verified via dotenv autoload from ~/.openclaw/.env and directly via the LaunchAgent env file — both fail the same way).
4. Restart the gateway.
5. Observe [discord] channel startup failed: ... unresolved SecretRef "env:default:DISCORD_BOT_TOKEN" at startup. Channel does not come up. Across multiple restarts: same error every time, not transient.

Expected behavior

Discord channel starts using the env-resolved DISCORD_BOT_TOKEN, same as on 2026.4.29 and same as Telegram with an analogous SecretRef config on 2026.5.2.

Actual behavior

Channel startup throws synchronously inside resolveDiscordToken because normalizeDiscordToken invokes normalizeResolvedSecretInputString (strict mode), which calls assertSecretInputResolved and throws when cfg.channels.discord.token is still a SecretRef object at startup time.

Root cause analysis (from inspecting the installed plugin source)

@openclaw/discord/src/token.ts resolveDiscordToken → normalizeDiscordToken:

export function normalizeDiscordToken(raw: unknown, path: string): string | undefined {
  const trimmed = normalizeResolvedSecretInputString({ value: raw, path });
  ...
}

normalizeResolvedSecretInputString is the strict variant — it throws createUnresolvedSecretInputError ("Resolve this command against an active gateway runtime snapshot before reading it.") on unresolved SecretRefs.

Compare to @openclaw/discord/src/setup-account-state.ts inspectConfiguredToken:

function inspectConfiguredToken(value: unknown): {...} | null {
  const normalized = normalizeSecretInputString(value);   // ← safe variant; returns undefined on SecretRef
  if (normalized) { return { ..., tokenStatus: "available" }; }
  if (hasConfiguredSecretInput(value)) {
    return { ..., tokenStatus: "configured_unavailable" };
  }
  return null;
}

The inspect path correctly distinguishes "string token" / "SecretRef present but unresolved" / "absent". The startup path does not — it goes through resolveDiscordToken with the raw OpenClawConfig and crashes.

Both hits in the channel startup chain are reachable:

• @openclaw/discord/src/accounts.ts:110 — resolveDiscordAccount(...) calls resolveDiscordToken(params.cfg, { accountId }).
• @openclaw/discord/src/setup-account-state.ts:122 — falls through to resolveDiscordToken(params.cfg, { accountId }) only when inspectConfiguredToken returns null, but the throw can also originate elsewhere depending on call path.

The error message itself ("Resolve this command against an active gateway runtime snapshot before reading it.") is the explicit contract violation: the channel startup code is reading from raw config instead of from a runtime snapshot whose secrets have been pre-resolved.

This is the same family as #75433 ("source/raw channel config instead of a resolved active runtime snapshot, then calling Telegram/Discord channel discovery helpers that synchronously resolve channel credentials"), but on the channel STARTUP path rather than the embedded reply path. Sister-bug to #76369 (@openclaw/bluebubbles 2026.5.2 webhook auth crashes on SecretRef password) — same externalization-induced SecretRef regression family.

Suggested fixes (not exhaustive)

1. In @openclaw/discord/src/token.ts — make normalizeDiscordToken use the gentle normalizeSecretInputString, and have resolveDiscordToken follow the inspectConfiguredToken pattern (treat unresolved SecretRef as "fall through to env / return none" rather than throw). This matches Telegram's behavior.
2. In the core gateway startup — resolve channels.* SecretRef-backed tokens before invoking startChannel(plugin.id) so the runtime snapshot the plugin sees has only string tokens. This is the contract the error message implies.

(2) is the architecturally correct fix; (1) is a defensive backstop that would also prevent this class of crash in any other startup-path consumer of resolveDiscordToken.

Workarounds attempted (none effective)

• Adding DISCORD_BOT_TOKEN to the LaunchAgent env file (~/.openclaw/service-env/ai.openclaw.gateway.env) so it is in process.env from the very first instruction — same crash. The bug is not env-availability; it is the strict SecretRef resolver throwing on the SecretRef object itself.
• Multiple gateway restarts (launchctl kickstart -k) — same crash every time. Not a startup race, fully deterministic.
• Setting plugins.allow explicitly to ["discord"] to silence the "non-bundled plugins may auto-load" warning — no effect on the channel startup error (different code path).

Effective workaround

Roll back to 2026.4.29 (which still ships dist/extensions/discord bundled). Discord channel starts cleanly.

Environment

• macOS 26.2 (arm64), Node 25.9.0
• OpenClaw 2026.5.2 (commit 8b2a6e5), installed via npm i -g openclaw
• @openclaw/discord@2026.5.2 (auto-installed by openclaw doctor step of openclaw update)
• Gateway managed via launchd (gui/502/ai.openclaw.gateway), local mode
• ~/.openclaw/.env populated via dotenv (DISCORD_BOT_TOKEN, TELEGRAM_BOT_TOKEN, etc.)
• Telegram channel with the same SecretRef pattern (channels.telegram.botToken: { id: "TELEGRAM_BOT_TOKEN", provider: "default", source: "env" }) starts and runs without issue on the same gateway boot.

Related

• BUG: Embedded channel reply runs crash on SecretRef-backed Telegram/Discord credentials #75433 (open) — embedded reply path SecretRef crash, same root pattern.
• [Bug]: @openclaw/bluebubbles 2026.5.2 webhook auth crashes on SecretRef password — TypeError in monitor.ts #76369 (open) — @openclaw/bluebubbles@2026.5.2 webhook auth SecretRef crash, sister bug from the 2026.5.2 externalization wave.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: the report matches a credible current source-level SecretRef startup gap for the externalized Discord channel, and the central Discord/token and channel-secret collector paths have not changed since v2026.5.2.

Reproducibility: yes. source-level reproduction is high confidence: a raw channels.discord.token SecretRef reaches the strict Discord resolver and the current unit test asserts that it throws. This pass did not run a live external-package gateway boot.

Next step
Safe fix candidate: the failure is narrow, source-backed, and has clear Discord/core startup files plus related SecretRef reports.

Review details

Best possible solution:

Materialize installed/external channel plugin SecretRefs into the active runtime snapshot before channel startup, with a Discord regression and changelog entry.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level reproduction is high confidence: a raw channels.discord.token SecretRef reaches the strict Discord resolver and the current unit test asserts that it throws. This pass did not run a live external-package gateway boot.

Is this the best way to solve the issue?

Yes, the best fix is the generic runtime-snapshot path for installed channel plugin secret contracts; a Discord-only gentle-token fallback can be a defensive backstop, but it should not replace startup materialization.

Acceptance criteria:

• pnpm test src/secrets/runtime-config-collectors-channels.test.ts src/secrets/runtime-discord-surface.test.ts extensions/discord/src/token.test.ts
• pnpm test src/gateway/server-startup-config.secrets.test.ts src/gateway/server-channels.test.ts
• pnpm check:changed

What I checked:

• detailed release reproduction: The issue describes a deterministic v2026.5.2 startup failure with channels.discord.token as an env SecretRef, while Telegram with an analogous SecretRef starts on the same boot.
• strict Discord token resolver: normalizeDiscordToken still calls the strict normalizeResolvedSecretInputString, so a raw SecretRef object throws instead of falling through to env or degraded state. (extensions/discord/src/token.ts:13, 3d64fcaf1f2a)
• regression shape is asserted in source tests: The current Discord token unit test explicitly expects resolveDiscordToken to throw for an unresolved channels.discord.token SecretRef object. (extensions/discord/src/token.test.ts:94, 3d64fcaf1f2a)
• startup reaches Discord account resolution: Channel startup resolves the account before starting it; for Discord that reaches resolveDiscordAccount and then resolveDiscordToken. (src/gateway/server-channels.ts:426, 3d64fcaf1f2a)
• externalized channel secret contract gap: The runtime channel secret collector only asks bundled/public-artifact and bootstrap channel secrets for channels.*; this does not establish that installed external channel plugin secret contracts are applied before startup. (src/secrets/runtime-config-collectors-channels.ts:16, 3d64fcaf1f2a)
• documented runtime contract: Plugin runtime docs say provider and channel execution paths must use the active runtime config snapshot rather than source/file snapshots that preserve SecretRef markers. Public docs: docs/plugins/sdk-runtime.md. (docs/plugins/sdk-runtime.md:55, 3d64fcaf1f2a)

Likely related people:

• Peter Steinberger: Current blame attributes the strict Discord token resolver, the channel secret collector, and the read-only channel secret rebind helper to commit 15bbf4f2f3, which is the most relevant available feature-history point for this path. (role: recent maintainer / likely follow-up owner; confidence: medium; commits: 15bbf4f2f304; files: extensions/discord/src/token.ts, src/secrets/runtime-config-collectors-channels.ts, src/channels/plugins/read-only.ts)

Remaining risk / open question:

• The exact installed npm-plugin startup path still needs an executable regression because the source checkout also contains the Discord extension artifacts.
• A durable fix may need to cover other externalized channel plugins rather than hardcoding Discord-only startup behavior.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3d64fcaf1f2a.

[neeravmakwana]

Fix proposed in #76383 — now mirrors Telegram’s env-backed resolution (inspect → env lookup with the same provider/allowlist rules).

[neeravmakwana]

Fix proposed in #76383 — Discord startup token resolution now matches Telegram for env-backed SecretRef objects (inspect plus env lookup under the same secrets.providers / allowlist rules).

[mogglemoss]

Update — competing fix exists: PR #76383 (@neeravmakwana) was opened ~4 minutes before #76385 with a broader Telegram-style env-SecretRef resolver covering both top-level and account-level tokens. I've closed #76385 in favor of it; Codex review on #76383 marks it "needs maintainer review" rather than "needs changes". Cross-link added on both sides.

Workaround for anyone hitting this on 2026.5.2 while waiting for either fix to merge: remove channels.discord.token from ~/.openclaw/openclaw.json so the existing env fallback in resolveDiscordToken fires unconditionally. Verified on a live 2026.5.2 install — Discord channel starts cleanly with DISCORD_BOT_TOKEN autoloaded via dotenv from ~/.openclaw/.env.

[vincent-peng]

I’m also seeing Discord fail after the 2026.5.2 upgrade, but with a plain string token rather than a SecretRef.

Config has:

"channels": {
  "discord": {
    "enabled": true,
    "token": "...",
    "groupPolicy": "allowlist",
    "dmPolicy": "allowlist"
  }
}

openclaw status --deep shows no Discord channel at all. The plugin registry says discord is installed/enabled, but locally:

dist/extensions/discord: missing
@openclaw/discord dist: missing
@openclaw/discord package has no main/module/exports

So there may be two related Discord startup failures in 2026.5.2: SecretRef resolution in this issue, plus the missing compiled bundle / source-only npm fallback tracked in #76405.

[joshavant]

Thanks @mogglemoss for the report. The merged fix in #76449 restores channel SecretRef resolution for externalized Discord by loading the plugin secret contract through the generic external channel path before startup uses the token. Closing this out.