Telegram: handle unresolved SecretRefs gracefully in token resolution

[Sathvik-Chowdary-Veerapaneni]

Summary

• resolveTelegramToken threw on unresolved SecretRef objects (e.g. file-based providers), causing openclaw doctor --fix to fail even though the gateway runtime resolved the same ref correctly.
• Replaced normalizeResolvedSecretInputString (throws on unresolved refs) with normalizeSecretInputString + hasConfiguredSecretInput (returns configured-unavailable result), matching the existing pattern in account-inspect.ts.

Fixes #47686

Test plan

• extensions/telegram/src/token.test.ts — 14/14 passed (updated existing throw test, added file SecretRef test)

• extensions/telegram/src/accounts.test.ts — 23/23 passed

• src/commands/doctor-config-flow.test.ts — 24/24 passed

• pnpm build passes

• pnpm format:check passes

• Manual: configure Telegram botToken as a file SecretRef, run openclaw doctor --fix, verify no throw

• AI-assisted (Claude)

• Fully tested locally

[greptile-apps]

Greptile Summary

This PR fixes a crash in resolveTelegramToken (and therefore openclaw doctor --fix) when a botToken is configured as an unresolved SecretRef object (e.g. a file-based secret provider). The old normalizeResolvedSecretInputString helper throws on any unresolved ref, while the gateway runtime can resolve these refs fine at runtime.

Changes:

• extensions/telegram/src/token.ts — swaps normalizeResolvedSecretInputString for normalizeSecretInputString + hasConfiguredSecretInput at both the account-level and top-level botToken resolution points. An unresolved SecretRef now yields { token: "", source: "config" } instead of throwing.
• extensions/telegram/src/token.test.ts — updates the existing throw-expectation test and adds a new case for an account-scoped file SecretRef.

The fix is consistent with the existing pattern used in account-inspect.ts and correctly passes cfg?.secrets?.defaults so that legacy refs without an explicit provider are still coerced properly. No issues found.

Confidence Score: 5/5

• This PR is safe to merge — the change is targeted, well-tested, and consistent with established patterns in the codebase.
• The fix is minimal and surgical: two call-site swaps in token.ts, matching the existing pattern from account-inspect.ts. The helper functions (normalizeSecretInputString, hasConfiguredSecretInput, coerceSecretRef) are well-understood with no side effects. All 14 token tests pass, the type signatures align correctly, and the fallback precedence (account token → top-level token → env) is preserved unchanged for every case except the previously-crashing unresolved SecretRef path.
• No files require special attention.

_{Last reviewed commit: 16b88d9}

[joshavant]

Thanks for the contribution and for targeting the Telegram unresolved-SecretRef failure path. We merged #48728 as the cluster-wide fix, and it includes this doctor/Telegram robustness surface plus related status/message isolation changes in one unified path. Closing this PR as superseded by #48728.