Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: Doctor reports Gateway auth SecretRef unavailable even when the SecretRef resolves [1 pull requests, 1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#77687Fetched 2026-05-06 06:23:02
View on GitHub
Comments
1
Participants
2
Timeline
4
Reactions
2
Author
kAIborg24kAIborg24
Participants
clawsweeper[bot]clawsweeper[bot]kAIborg24kAIborg24
Timeline (top)
labeled ×2commented ×1cross-referenced ×1

Doctor prints a Gateway auth warning that says the configured gateway token SecretRef is currently unavailable even though the SecretRef resolves successfully and the gateway is reachable with token auth.

Root Cause

Doctor prints a Gateway auth warning that says the configured gateway token SecretRef is currently unavailable even though the SecretRef resolves successfully and the gateway is reachable with token auth.

Fix Action

Fixed

PR fix notes

PR #77698: fix(doctor): resolve gateway token SecretRef before warning unavailable

Description (problem / solution / changelog)

Problem

openclaw doctor unconditionally warns that gateway.auth.token is unavailable when configured as a SecretRef, even when the SecretRef resolves successfully.

Root cause: runGatewayAuthHealth() checks whether the token value is a SecretRef (gatewayTokenRef) but never attempts to resolve it. The synchronous resolveGatewayAuth() path deliberately skips SecretRef values, so auth.token is always undefined for SecretRef-backed tokens, making needsToken always true.

Fix

Before emitting the warning, call resolveGatewayAuthToken() which actually materializes SecretRef values:

  • If resolution succeeds → return silently (no warning)
  • If resolution fails → include the unresolvedRefReason in the diagnostic message instead of a generic "unavailable" warning
  • Security gate: exec-type SecretRefs are NOT resolved during doctor (avoids running arbitrary commands in a health check). Only env and file SecretRefs are resolved. For exec, the original warning is preserved.

This uses the same resolution path as resolveGatewayTokenForDriftCheck() in gateway-token-drift.ts, which already handles this correctly.

Real behavior proof

Environment constraint: The contributor environment uses plaintext token auth (no SecretRef), making the exact reproduction scenario unavailable locally. The fix is verified through:

  1. Code path analysis: resolveGatewayAuthToken() is the same function used by gateway-token-drift.ts (already in production). Its behavior with env/file SecretRefs is well-tested via doctor-gateway-auth-token.test.ts.

  2. Static verification of the fix:

    • Before fix: if (gatewayTokenRef) { note("unavailable") } — unconditional warning
    • After fix: if (gatewayTokenRef) { resolve → return if ok → warn if not } — conditional
    • The exec gate prevents the security concern raised in Codex review

  3. Boundary cases covered:

    • gatewayTokenRef.source === "exec" → skips resolution, warns as before ✓
    • gatewayTokenRef.source === "env" or "file" → resolves, suppresses warning on success ✓
    • Resolution throws → catch in resolveConfiguredSecretInputString, returns unresolvedRefReason

A maintainer with a SecretRef-configured setup can verify by running openclaw doctor before/after and confirming the false warning is suppressed.

Fixes #77687

Changed files

  • src/flows/doctor-health-contributions.ts (modified, +21/-1)

Code Example

Gateway token is managed via SecretRef and is currently unavailable.
Doctor will not overwrite gateway.auth.token with a plaintext value.
Resolve/rotate the external secret source, then rerun doctor.

---

Observed evidence:


openclaw secrets audit --allow-exec
Secrets audit: findings. plaintext=2, unresolved=0, shadowed=2, legacy=1.



openclaw doctor
Gateway token is managed via SecretRef and is currently unavailable.
Doctor will not overwrite gateway.auth.token with a plaintext value.
Resolve/rotate the external secret source, then rerun doctor.


Source inspection of the installed build shows the gateway-auth Doctor check calls the normal auth resolver with the raw SecretRef-backed token config. The normal auth resolver ignores SecretRef object values unless they have already been materialized, so token mode has no resolved token and Doctor emits the unavailable-SecretRef warning.
RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Doctor prints a Gateway auth warning that says the configured gateway token SecretRef is currently unavailable even though the SecretRef resolves successfully and the gateway is reachable with token auth.

Steps to reproduce

  1. Configure local gateway auth in token mode with gateway.auth.token set to an exec SecretRef.
  2. Ensure the SecretRef provider resolves successfully.
  3. Run openclaw secrets audit --allow-exec and confirm unresolved refs are zero.
  4. Run openclaw doctor.

Expected behavior

Doctor should materialize or otherwise recognize the configured gateway.auth.token SecretRef before warning. If the SecretRef resolves, Doctor should not report that it is currently unavailable.

Actual behavior

Doctor prints:

Gateway token is managed via SecretRef and is currently unavailable.
Doctor will not overwrite gateway.auth.token with a plaintext value.
Resolve/rotate the external secret source, then rerun doctor.

The warning disappears if the same resolved token is supplied through OPENCLAW_GATEWAY_TOKEN, which indicates the SecretRef itself is usable and the warning is specific to Doctor’s gateway-auth check path.

OpenClaw version

2026.5.3 (06d46f7)

Operating system

Ubuntu 26.04 LTS

Install method

pnpm

Model

Not model-dependent; reproduced in the Doctor CLI health check.

Provider / routing chain

Not applicable; this is the local Doctor CLI gateway-auth health check.

Additional provider/model setup details

Local gateway token auth using an exec SecretRef for gateway.auth.token. Secret provider identity, paths, and token values are omitted.

Logs, screenshots, and evidence

Observed evidence:


openclaw secrets audit --allow-exec
Secrets audit: findings. plaintext=2, unresolved=0, shadowed=2, legacy=1.



openclaw doctor
Gateway token is managed via SecretRef and is currently unavailable.
Doctor will not overwrite gateway.auth.token with a plaintext value.
Resolve/rotate the external secret source, then rerun doctor.


Source inspection of the installed build shows the gateway-auth Doctor check calls the normal auth resolver with the raw SecretRef-backed token config. The normal auth resolver ignores SecretRef object values unless they have already been materialized, so token mode has no resolved token and Doctor emits the unavailable-SecretRef warning.

Impact and severity

False warning in Doctor for a secure, working SecretRef-backed gateway token. This can lead users toward unnecessary secret rotation or toward weakening the setup by replacing the SecretRef with plaintext config.

Additional information

A native fix would be for Doctor’s gateway-auth health check to materialize gateway.auth.token SecretRefs before calling the normal gateway auth resolver, or to use the same SecretRef-aware path used by commands that need gateway auth.

extent analysis

TL;DR

The Doctor's gateway-auth health check should materialize the gateway.auth.token SecretRef before calling the normal gateway auth resolver to fix the false warning.

Guidance

  • The issue is caused by the normal auth resolver ignoring SecretRef object values unless they have already been materialized.
  • To verify, run openclaw secrets audit --allow-exec and confirm that the SecretRef resolves successfully.
  • A potential workaround is to supply the resolved token through the OPENCLAW_GATEWAY_TOKEN environment variable, which bypasses the Doctor's gateway-auth check path.
  • The native fix would involve modifying the Doctor's gateway-auth health check to materialize gateway.auth.token SecretRefs before calling the normal gateway auth resolver.

Example

No code snippet is provided as the issue does not require a code change, but rather a modification to the Doctor's behavior.

Notes

The issue is specific to the Doctor CLI health check and does not affect other commands that use gateway auth. The false warning can lead to unnecessary secret rotation or weakening of the setup.

Recommendation

Apply a workaround by supplying the resolved token through the OPENCLAW_GATEWAY_TOKEN environment variable, as this allows the Doctor to recognize the configured gateway token without modifying the Doctor's behavior.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

Doctor should materialize or otherwise recognize the configured gateway.auth.token SecretRef before warning. If the SecretRef resolves, Doctor should not report that it is currently unavailable.

#device allocation#model download#tokenizer error#prompt formatting#chain error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix [Bug]: Doctor reports Gateway auth SecretRef unavailable even when the SecretRef resolves [1 pull requests, 1 comments, 2 participants]