Commit 85f36e8
fix(auth): include legacy OAuth sidecars in secrets-runtime store load
The embedded agent runner — Telegram replies, cron invocations, any
sub-agent dispatch — calls into the secrets runtime to resolve provider
auth. That path goes through `loadAuthProfileStoreForSecretsRuntime`,
which hardcoded `resolveLegacyOAuthSidecars: false`. As a result, OAuth
profiles whose credential material lives in the legacy sidecar layout
(`oauthRef.source: "openclaw-credentials"`, hash-named files under
`<state>/credentials/auth-profiles/<id>.json`) were loaded without their
access/refresh tokens, and `resolveApiKeyForProfile()` fell through to
the "No API key found for provider" error.
The OAuth-manager-internal helper added in openclaw#83312 already sets this to
`true`, but the secrets-runtime path is a parallel entry point: when the
embedded agent resolves provider auth for a model turn, it loads the
store through this helper, *before* the OAuth manager's own reload would
have a chance to compensate. Direct CLI inference is unaffected because
it routes through a different store-load path that still sees the
material.
Repro (against v2026.5.19 stock):
1. Have an `openai-codex:default` profile with type=oauth and
`oauthRef.source = "openclaw-credentials"` (typical for users who
onboarded before the sidecar runtime was removed in openclaw#82777).
2. Send a Telegram message to the bot, or wait for any cron with an
embedded payload to fire.
3. Gateway logs:
[diagnostic] lane task error: ... error="Error: No API key found
for provider \"openai-codex\". Auth store: .../auth-profiles.json
... Configure auth for this agent (openclaw agents add <id>) or
copy only portable static auth profiles from the main agentDir."
4. Meanwhile, `openclaw infer model run --model openai/gpt-5.5
--prompt "say OK"` returns a normal completion using the same
OAuth profile.
Fix: flip the hardcoded default in
`loadAuthProfileStoreForSecretsRuntime` from `false` to `true`, matching
the OAuth-manager helper's choice. Sidecar resolution is read-only and
already gated by per-process feature gates downstream, so this is safe
to enable unconditionally for the secrets-runtime load.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent fefdf52 commit 85f36e8
1 file changed
Lines changed: 11 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
590 | 590 | | |
591 | 591 | | |
592 | 592 | | |
593 | | - | |
| 593 | + | |
| 594 | + | |
| 595 | + | |
| 596 | + | |
| 597 | + | |
| 598 | + | |
| 599 | + | |
| 600 | + | |
| 601 | + | |
| 602 | + | |
| 603 | + | |
594 | 604 | | |
595 | 605 | | |
596 | 606 | | |
| |||
0 commit comments