Bug: CLI web search does not resolve plugin-scoped webSearch SecretRefs

[aounakram]

Summary

openclaw infer web search does not resolve plugin-scoped web search SecretRefs before reading config, even when the active gateway runtime has a healthy secrets snapshot and secrets audit reports no unresolved refs.

This breaks CLI web search with SecretRef-managed provider keys.

Version

• OpenClaw: 2026.5.12 (f066dd2)
• OS: macOS 26.3.1 arm64
• Node: 25.8.1

Config shape

Relevant config is using the documented structured SecretRef shape:

{
  "secrets": {
    "providers": {
      "default": { "source": "env" }
    },
    "defaults": { "env": "default" }
  },
  "tools": {
    "web": {
      "search": {
        "enabled": true,
        "provider": "tavily"
      }
    }
  },
  "plugins": {
    "entries": {
      "tavily": {
        "enabled": true,
        "config": {
          "webSearch": {
            "apiKey": { "source": "env", "provider": "default", "id": "TAVILY_API_KEY" }
          }
        }
      },
      "google": {
        "enabled": true,
        "config": {
          "webSearch": {
            "apiKey": { "source": "env", "provider": "default", "id": "GEMINI_API_KEY" },
            "model": "gemini-2.5-flash"
          }
        }
      },
      "brave": {
        "enabled": true,
        "config": {
          "webSearch": {
            "apiKey": { "source": "env", "provider": "default", "id": "BRAVE_API_KEY" }
          }
        }
      }
    }
  }
}

The relevant env vars exist in the gateway service env.

Expected behavior

With tools.web.search.provider = "tavily", openclaw infer web search --provider tavily ... should resolve plugins.entries.tavily.config.webSearch.apiKey from the active gateway runtime snapshot and run the search.

Non-selected provider refs such as plugins.entries.google.config.webSearch.apiKey should remain inactive/non-fatal, per docs.

Actual behavior

Repro command:

openclaw infer web search --provider tavily --query 'ping' --limit 1 --json

Output:

Error: plugins.entries.tavily.config.webSearch.apiKey unresolved SecretRef "env:default:TAVILY_API_KEY=*** Resolve this command against an active gateway runtime snapshot before reading it.

Exit code: 1

For comparison:

openclaw secrets audit --check --json

Reports:

{
  "status": "findings",
  "summary": {
    "plaintextCount": 13,
    "unresolvedRefCount": 0,
    "shadowedRefCount": 0,
    "legacyResidueCount": 1
  },
  "resolution": {
    "refsChecked": 8,
    "skippedExecRefs": 0,
    "resolvabilityComplete": true
  }
}

So the configured SecretRefs are resolvable at audit/runtime level; the failure is specific to this CLI web-search path.

Log evidence

For an exact repro, I marked the gateway log offset, ran the command once, then captured the gateway log window. The window contained only the local exec lines and no matching secrets.resolve RPC for this command.

That suggests infer web search is reading config before successfully resolving command secrets against the active gateway snapshot, or otherwise not attempting the expected gateway secret resolution path.

Separate related noise observed earlier:

[secrets] plugins.entries.google.config.webSearch.apiKey: tools.web.search.provider is "tavily".
[secrets] agent: gateway secrets.resolve unavailable (secrets.resolve failed); attempted local command-secret resolution.

The Google/Gemini ref is inactive because Tavily is explicitly selected, which matches docs, but it still appears in diagnostics/noise around command SecretRef resolution.

Notes

• openclaw config validate passes.
• openclaw status --all shows channels OK and no secret diagnostics.
• openclaw secrets audit reports unresolvedRefCount: 0.
• The Tavily SecretRef is on the documented canonical surface: plugins.entries.tavily.config.webSearch.apiKey.

[clawsweeper]

ClawSweeper status: review started.

I am starting a fresh review of this issue: Bug: CLI web search does not resolve plugin-scoped webSearch SecretRefs This is item 1/1 in the current shard. Shard 0/28.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

[hclsys]

Quick locator for whoever picks this up: the CLI path runs through src/cli/capability-cli.ts:1529 runWebSearchCommand, which calls getRuntimeConfig() and passes the result to runWebSearch in src/web-search/runtime.ts:404. getRuntimeConfig returns the parsed JSON config without applying the SecretRef → plaintext resolution that the gateway runtime does at startup.

The gateway runtime uses a secrets snapshot (secrets/snapshot.ts family) plus per-plugin resolveSecretRefDeep/materializePluginSecretRefs passes before handing the config to consumers. The CLI's runCommandWithRuntime initializes the runtime but doesn't appear to apply the same materialisation pass for plugins.entries.<provider>.config.webSearch.apiKey shaped SecretRefs.

Likely fix shape: inside runWebSearchCommand (and the parallel runWebFetchCommand at line 1550), before invoking runWebSearch/resolveWebFetchDefinition, run the active gateway's secrets snapshot through the selected provider's plugin config — or pass a resolveProviderApiKey callback into runWebSearch so it asks the runtime to materialise the SecretRef on demand. The CLI's secrets audit already proves the snapshot is reachable, so it's specifically the consumer-side resolution that's missing here.

[joshavant]

Thanks for the detailed report, @aounakram.

This was a real bug in the local openclaw infer command path. infer web search was reading the raw config before command-time SecretRef resolution had materialized plugins.entries.<provider>.config.webSearch.apiKey, so the Tavily SecretRef you showed was still an object when the web-search runtime tried to use it. That also explains why secrets audit could report the ref as resolvable while the CLI command still failed: audit and the gateway runtime used the right secret-resolution path, but this local infer path bypassed it.

The fix landed in #82798. It resolves command SecretRefs before local provider-backed infer commands run, scopes resolution to the selected provider/family so unrelated provider refs are not fatal, and applies the same pattern beyond web search where the same raw-config path existed.

Proof included focused regression tests plus an AWS Crabbox E2E run showing the command no longer passed an unresolved SecretRef into web search.

[steipete]

Fixed on main by #82819 / 9e67f53.

Proof:

• Focused command-secret/web tests passed after rebase: 8 files / 141 tests.
• Live repro passed with redacted command-time SecretRef resolution.
• Crabbox live E2E passed provider override/plugin install paths on AWS lease cbx_aebcfe04e4bc, run run_e442983bbd8d.
• CI run 25978408516 is green after rerunning one unrelated timeout shard.