Discord plugin: channels.discord.*.token ref resolution silently fails (plus companion config patch recursive-merge bug)

[Jimcatsos]

Bug 1: Discord plugin's resolveDiscordToken ignores secrets.providers; documented ref syntax silently fails

Summary

OpenClaw 2026.5.7 documents openclaw config set channels.discord.token --ref-provider <name> --ref-source env --ref-id <ENV_VAR> as the canonical way to bind the Discord bot token to an environment variable (see openclaw config set --help output, examples block). In practice, this ref structure is silently rejected by the Discord plugin and the bot never attempts a WebSocket connection. No journal lines appear after [gateway] http server listening (... discord ...), and no resolver error is logged.

The workaround is to leave both channels.discord.token and channels.discord.accounts.<id>.token unset entirely; the plugin then falls back to reading process.env.DISCORD_BOT_TOKEN directly (when the account id is DEFAULT_ACCOUNT_ID). This works but contradicts the documented ref-based configuration path and effectively requires the env var to be set in the gateway process, which only works if the gateway's systemd unit is wrapped in a process-level secrets injector like doppler run --.

Reproduction

OpenClaw 2026.5.7 on Linux (Ubuntu 24.04). Gateway running under user-systemd, ExecStart wrapped in doppler run --silent --. DISCORD_BOT_TOKEN exposed via Doppler to the gateway process (verified 72-char value present in process.env).

1. Create an openclaw.json with the channel binding:

   openclaw config set channels.discord.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN
   openclaw config set channels.discord.accounts.default.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN
   

2. Restart the gateway.
3. Observe journal: gateway boots, plugin loads (http server listening (... discord ...)), but Discord plugin never logs [discord] [default] starting provider. No error appears.

Adding secrets.providers.default = {source: "env"} to the config does not change behavior — this is the key finding (see Root cause below).

Expected behavior

The Discord plugin should resolve the ref through secrets.providers.<name> (and secrets.defaults.env as documented in resolveDefaultSecretProviderAlias), then attempt to connect with the resolved token.

Actual behavior

The plugin's token-resolution function returns status configured_unavailable and the channel-startup code treats this as "configured but unusable," silently skipping the WebSocket connection attempt. No error log emitted at the channel layer.

Root cause (from reading the source)

In OpenClaw 2026.5.7, the Discord plugin's token handling is in @openclaw/discord/dist/token-BZtonk7d.js, function resolveDiscordToken:

function resolveDiscordTokenValue(params) {
    const resolved = resolveSecretInputString({
        value: params.value,
        path: params.path,
        defaults: params.cfg.secrets?.defaults,
        mode: "inspect"
    });
    if (resolved.status === "available") return { ... };
    if (resolved.status === "configured_unavailable") return { status: "configured_unavailable" };
    return { status: "missing" };
}

Two design choices combine to break ref resolution:

1. mode: "inspect" — resolveSecretInputString is called in inspect mode, not resolve mode. This appears to be a check-without-side-effects path that returns availability status rather than actual values.

2. Only defaults is passed, not providers — the function passes params.cfg.secrets?.defaults, but resolveSecretInputString likely also needs secrets.providers to find configured providers like default. With defaults only, ref resolution cannot find the provider definition.

The core resolver in the openclaw core dist (resolveConfiguredProvider function) requires either config.secrets.providers[ref.provider] to exist OR ref.provider === resolveDefaultSecretProviderAlias(config, "env"). The inspect-mode call from the Discord plugin appears to lack the context to satisfy either path.

The plugin then has a built-in env fallback at the bottom of resolveDiscordToken:

const envToken = accountId === DEFAULT_ACCOUNT_ID
    ? normalizeDiscordToken(opts.envToken ?? process.env.DISCORD_BOT_TOKEN, "DISCORD_BOT_TOKEN")
    : void 0;
if (envToken) return { token: envToken, source: "env", tokenStatus: "available" };

This fallback works correctly. But it ONLY fires when both the account-level and channel-level token fields are unset; if either is set as a ref, the configured_unavailable short-circuit returns before reaching the fallback.

Suggested fixes (one of)

A. Have the Discord plugin's resolveDiscordTokenValue pass the entire cfg.secrets (or at least cfg.secrets?.providers in addition to defaults) so the resolver can find configured providers.

B. Change the inspect-mode short-circuit so configured_unavailable only fires after the env fallback has been attempted, not before. The current order is "configured but can't resolve → bail" which prevents the documented env path from running.

C. Update openclaw config set --help to mark channels.discord.*.token as an unsupported ref target, and document the env-fallback as the canonical path: "to use Doppler/env injection for the Discord bot token, leave channels.discord.*.token unset and ensure DISCORD_BOT_TOKEN is in the gateway process env."

Option A is the cleanest from a user-of-refs perspective. Option B is the most backwards-compatible. Option C is the lowest-cost but locks the env-fallback in as the documented path.

Environment

• OpenClaw 2026.5.7 (eeef486)
• Plugin: @openclaw/discord
• Linux (Ubuntu 24.04.4 LTS, kernel 6.8.0-111-generic)
• Gateway under user-systemd, ExecStart wrapped in doppler run --silent --

Workaround (current)

1. Ensure DISCORD_BOT_TOKEN is present in the gateway process env at runtime (via doppler, sops, or whatever secrets injector you use).
2. Unset both Discord token fields:

   openclaw config unset channels.discord.accounts.default.token
   openclaw config unset channels.discord.token
   

3. Restart the gateway. Plugin's env fallback at the bottom of resolveDiscordToken takes over.

Verified successful via journal log signature:

[discord] [default] starting provider
[discord] client initialized as <bot-app-id>; awaiting gateway readiness
[discord] [default] Discord bot probe resolved @<botname>

Related observations

• Discord intents schema (channels.discord.intents and channels.discord.accounts.<id>.intents) only accepts presence, guildMembers, voiceStates as properties. messageContent is NOT a configurable intent in the OpenClaw schema — the plugin always requests it. This is fine in practice (Discord Dev Portal toggle is the actual gate) but the schema rejection of messageContent is surprising given that some prior guidance suggested setting channels.discord.accounts.default.intents.messageContent = true. The schema rejection message was clear (additional properties), but the documentation should probably note that messageContent is always requested.

• The "configured_unavailable" branch in resolveDiscordToken returns status only, never logs at warn-level. A [discord] token ref resolution failed: ... warning here would have saved ~30 minutes of investigation.

---

Bug 2: openclaw config patch recursive-merge mishandles object values with 19-digit-numeric-string keys

Initially misdiagnosed as a JSON5 parser bug. The actual bug is in the patch tool's recursive-merge logic. Confirmed by: openclaw config patch --replace-path channels.discord.guilds (which forces full replacement instead of recursive merge) VALIDATES the same patch that fails without the flag.

OpenClaw 2026.5.7's openclaw config patch (and openclaw config set --strict-json) reports a misleading validation error when the patch contains an object value with a 19-digit numeric-string key (Discord snowflake guild IDs are 18-19 digits) AND the patch path is recursively merged into existing config. Reproducible:

Fails:

{"channels":{"discord":{"groupPolicy":"allowlist","guilds":{"1468687940984115202":{"requireMention":false}},"accounts":{"default":{"groupPolicy":"allowlist"}}}}}

Validator error: channels.discord.guilds: invalid config: must be object. But the value clearly IS an object.

Validates fine: same patch with "testkey" instead of "1468687940984115202".

The 19-digit numeric-string key is the only variable. JavaScript's Number type can safely represent integers only up to 2^53-1 (= 9007199254740991, 16 digits). The 19-digit Discord guild ID exceeds this. The recursive merger appears to coerce the key into a Number somewhere, then misclassify the resulting structure.

Suggested fix

• Audit the recursive-merge code path in openclaw config patch. Ensure object keys are preserved as strings throughout the merge pipeline regardless of whether they look numeric.
• Test case to add: a config that includes a Discord guild ID like 1468687940984115202 as an object key under channels.discord.guilds. Should validate without --replace-path.

Workaround — VERIFIED WORKING

Use openclaw config patch --replace-path <path> --file <patch> instead of bare openclaw config patch --file <patch>. The --replace-path flag forces the path to be REPLACED instead of recursively merged, bypassing the bug.

Example that previously failed with "must be object" but works with --replace-path:

openclaw config patch --file /tmp/guilds.json5 --replace-path channels.discord.guilds

After applying this with a Zeus guild ID 1468687940984115202, the journal showed:

[discord] channels resolved: 1468687940984115202 (guild:ZeusMoltbot; aliases:guild:1468687940984115202)

Confirming the patch landed correctly AND the runtime can read the 19-digit key fine. The JSON5 parser is innocent; the recursive merger is the bug.

Environment

Same as Bug 1 above.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has a source-level config patch path bug for Discord guild IDs that look numeric, and the Discord token SecretRef report needs a focused current-main gateway/runtime-snapshot check before deciding whether token fallback or diagnostics should change.

Reproducibility: Partly: the config patch failure is source-reproducible from buildConfigPatchOperations plus setAtPath creating arrays for numeric-looking path segments. The Discord token failure still needs a focused current-main gateway/runtime-snapshot reproduction because current secrets runtime registers Discord token SecretRef assignments.

Next step
The config patch defect is narrow, but the issue also touches Discord SecretRef runtime semantics and should be split or scoped by a maintainer before repair automation.

Review details

Best possible solution:

Preserve numeric-looking map keys as object keys in config patch operations, add regression coverage for Discord snowflake guild IDs, and separately verify the Discord token SecretRef path through runtime snapshot activation with clearer diagnostics if unresolved refs skip startup.

Do we have a high-confidence way to reproduce the issue?

Partly: the config patch failure is source-reproducible from buildConfigPatchOperations plus setAtPath creating arrays for numeric-looking path segments. The Discord token failure still needs a focused current-main gateway/runtime-snapshot reproduction because current secrets runtime registers Discord token SecretRef assignments.

Is this the best way to solve the issue?

Unclear for the bundled issue as a whole. The config patch fix should be a narrow path/merge repair that keeps map keys as strings, while the Discord token side should first prove whether runtime snapshot activation or direct token inspection is the failing layer.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/config-cli.test.ts extensions/discord/src/token.test.ts src/secrets/runtime-discord-surface.test.ts

What I checked:

• Discord docs advertise SecretRef token configuration: The Discord setup docs show channels.discord.token as an env SecretRef and state that SecretRef values are supported for channels.discord.token across env/file/exec providers. Public docs: docs/channels/discord.md. (docs/channels/discord.md:96, 079bf9967165)
• Discord token resolver treats unresolved configured refs as unavailable before env fallback: resolveDiscordTokenValue uses inspect mode for configured values, and resolveDiscordToken returns configured_unavailable for account or top-level token refs before reaching the default-account DISCORD_BOT_TOKEN fallback. (extensions/discord/src/token.ts:41, 079bf9967165)
• Current secrets runtime has a Discord token assignment contract: The bundled Discord secret contract registers channels.discord.token and account token paths and collects runtime assignments, so the first bug should be reproduced against runtime snapshot activation rather than judged from token.ts alone. (extensions/discord/src/secret-config-contract.ts:61, 079bf9967165)
• Config patch flattens object patches into leaf path operations: buildConfigPatchOperations recursively visits object entries and emits leaf operations, so a guild map object like guilds.{snowflake}.requireMention becomes a path with the snowflake as a path segment unless --replace-path channels.discord.guilds stops recursion. (src/cli/config-cli.ts:1170, 079bf9967165)
• Numeric-looking path segments create arrays for missing parents: setAtPath chooses [] for a missing parent whenever the next segment matches /^[0-9]+$/; for a missing channels.discord.guilds object followed by a Discord snowflake key, this creates an array where the schema requires an object. (src/cli/config-cli.ts:456, 079bf9967165)
• Discord schema requires guilds to be an object record: The config schema defines channels.discord.guilds as z.record(z.string(), DiscordGuildSchema.optional()).optional(), matching the reporter's must be object failure when patching creates an array. (src/config/zod-schema.providers-core.ts:670, 079bf9967165)

Likely related people:

• Vincent Koc: Local git blame in this checkout attributes the current Discord token resolver and config path helper lines to commit 79bd0185f5d399959633a6d5f4b28812305f238f. (role: current-line provenance; confidence: medium; commits: 79bd0185f5d3; files: extensions/discord/src/token.ts, src/cli/config-cli.ts)
• Peter Steinberger: git log --follow for the Discord/config paths shows repeated recent release, SDK, and config/docs baseline work touching the same surfaces. (role: recent area contributor; confidence: medium; commits: f066dd2f31c2, 9ece252a65af, 64bf80d4d50c; files: extensions/discord/src/token.ts, extensions/discord/src/secret-config-contract.ts, src/cli/config-cli.ts)
• Marcus Castro: Recent config CLI history includes raw/resolved config write behavior work that is adjacent to the config patch persistence path. (role: adjacent config write contributor; confidence: low; commits: 3189e2f11ba8, 9e8d9f114d95; files: src/cli/config-cli.ts, src/config/io.write-prepare.ts)
• Gustavo Madeira Santana: Recent config CLI history includes validation/error-reporting work in the same command family, relevant to the reported misleading schema failure. (role: adjacent config validation contributor; confidence: low; commits: f26853f14c9b; files: src/cli/config-cli.ts)

Remaining risk / open question:

• The Discord token SecretRef part may depend on whether gateway startup is using the active resolved runtime snapshot or a source config snapshot in the reporter's path; I did not run a live gateway reproduction in this read-only review.
• The issue bundles two distinct bugs, so a maintainer may want to split the config patch repair from any Discord secrets-runtime change.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 079bf9967165.

[steipete]

Fixed on main.

Landed fixes:

• fix(config): preserve numeric patch object keys #81999 / 0dc8552: openclaw config patch now preserves numeric-looking object keys such as Discord guild IDs during recursive merges.
• fix(discord): report unresolved token refs at startup #82009 / 6623444: Discord startup now treats configured-but-unresolved bot-token SecretRefs as configured and fails loudly before provider startup with an actionable resolver error.
• 66ba611f5b374d9e56c439e7c88e1a31f0474445: changelog entries added with contributor credit.

Proof:

• Codex review clean on both PR branches.
• fix(config): preserve numeric patch object keys #81999: node scripts/run-vitest.mjs src/cli/config-cli.test.ts passed locally; CI run 25905478666 succeeded for 2ec2352.
• fix(discord): report unresolved token refs at startup #82009: node scripts/run-vitest.mjs extensions/discord/src/shared.test.ts extensions/discord/src/channel.test.ts src/secrets/runtime-discord-surface.test.ts passed locally; CI run 25905546275 succeeded for f6bb520.

Duplicate sweep: gitcrawl/thread lookup plus live GitHub open-issue search found no additional open duplicates for this Discord token SecretRef / numeric guild-id config patch cluster.