Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: Slash commands crash with SecretRef resolution error in command authorization [1 pull requests, 5 comments, 3 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#52790Fetched 2026-04-08 01:19:22
View on GitHub
Comments
5
Participants
3
Timeline
11
Reactions
0
Author
LukavyiLukavyi
Participants
aaajiaoaaajiaoHollychou924Hollychou924LukavyiLukavyi
Timeline (top)
commented ×5cross-referenced ×2closed ×1locked ×1

When a user sends a slash command (e.g. /status) via Telegram (or any channel using SecretRef-based credentials), the gateway crashes with a SecretRef resolution error during command authorization.

Error Message

Error: channels.telegram.accounts.<account>.botToken: *** SecretRef "exec:doppler:...".
Resolve this command against an active gateway runtime snapshot before reading it.
    at assertSecretInputResolved
    at normalizeResolvedSecretInputString
    at resolveTelegramToken
    at Object.resolve [as resolvePrimary]
    at resolveAccountWithDefaultFallback
    at resolveTelegramAccount
    at Object.resolveAccount
    at Object.resolveAccount (channel-config-helpers)
    at Object.resolveAllowFrom (channel-config-helpers)
    at resolveCommandAuthorization

Root Cause

resolveCommandAuthorization in src/auto-reply/command-auth.ts calls plugin.config.resolveAllowFrom(), which internally calls resolveAccount(). For channels like Telegram, resolveAccount requires fully resolved secrets (e.g. bot tokens via SecretRef). In the command-authorization code path, secrets may not yet be resolved against the active gateway runtime snapshot.

The same issue exists in resolveProviderFromContext which iterates all channel plugins and calls resolveAllowFrom on each.

Fix Action

Fixed

PR fix notes

PR #52791: fix(command-auth): handle unresolved SecretRef in resolveAllowFrom

Description (problem / solution / changelog)

Summary

Fixes #52790 — Slash commands crash with SecretRef resolution error during command authorization.

Problem

resolveCommandAuthorization() and resolveProviderFromContext() in command-auth.ts call plugin.config.resolveAllowFrom(), which internally invokes resolveAccount(). For channels using SecretRef-based credentials (e.g. Telegram with exec:doppler: token refs), resolveAccount() throws because secrets are not yet resolved against the active gateway runtime snapshot at command-authorization time.

Fix

Wrap both resolveAllowFrom call sites in command-auth.ts with try/catch:

  1. resolveCommandAuthorization — catches the error and falls back to resolveFallbackAllowFrom() (config-only path that does not require secret resolution)
  2. resolveProviderFromContext — catches the error and skips the plugin (returns null for that channel)

This is channel-agnostic — no changes needed in individual channel adapters.

Testing

  • pnpm check
  • pnpm build

AI Disclosure

  • AI-assisted (Claude via OpenClaw)
  • Lightly tested (build + type-check, not full test suite)
  • I understand what the code does

Changed files

  • src/auto-reply/command-auth.ts (modified, +77/-19)
  • src/auto-reply/command-control.test.ts (modified, +94/-0)

Code Example

Error: channels.telegram.accounts.<account>.botToken: *** SecretRef "exec:doppler:...".
Resolve this command against an active gateway runtime snapshot before reading it.
    at assertSecretInputResolved
    at normalizeResolvedSecretInputString
    at resolveTelegramToken
    at Object.resolve [as resolvePrimary]
    at resolveAccountWithDefaultFallback
    at resolveTelegramAccount
    at Object.resolveAccount
    at Object.resolveAccount (channel-config-helpers)
    at Object.resolveAllowFrom (channel-config-helpers)
    at resolveCommandAuthorization
RAW_BUFFERClick to expand / collapse

Description

When a user sends a slash command (e.g. /status) via Telegram (or any channel using SecretRef-based credentials), the gateway crashes with a SecretRef resolution error during command authorization.

Stack Trace

Error: channels.telegram.accounts.<account>.botToken: *** SecretRef "exec:doppler:...".
Resolve this command against an active gateway runtime snapshot before reading it.
    at assertSecretInputResolved
    at normalizeResolvedSecretInputString
    at resolveTelegramToken
    at Object.resolve [as resolvePrimary]
    at resolveAccountWithDefaultFallback
    at resolveTelegramAccount
    at Object.resolveAccount
    at Object.resolveAccount (channel-config-helpers)
    at Object.resolveAllowFrom (channel-config-helpers)
    at resolveCommandAuthorization

Root Cause

resolveCommandAuthorization in src/auto-reply/command-auth.ts calls plugin.config.resolveAllowFrom(), which internally calls resolveAccount(). For channels like Telegram, resolveAccount requires fully resolved secrets (e.g. bot tokens via SecretRef). In the command-authorization code path, secrets may not yet be resolved against the active gateway runtime snapshot.

The same issue exists in resolveProviderFromContext which iterates all channel plugins and calls resolveAllowFrom on each.

Affected Versions

2026.3.14+

Affected Channels

Any channel using SecretRef-based credentials (Telegram with exec:doppler: refs, etc.)

Expected Behavior

Slash commands should work regardless of whether secrets are resolved at the command-authorization stage. The command-auth path only needs the allowlist configuration, not the full resolved account with credentials.

Proposed Fix

Wrap resolveAllowFrom calls in command-auth.ts with try/catch, falling back to the config-only resolveFallbackAllowFrom path when secret resolution fails. This is the safest approach as it handles all channels generically without requiring channel-specific changes.

extent analysis

Fix Plan

To resolve the SecretRef resolution error during command authorization, we will modify the command-auth.ts file to handle secret resolution failures.

Here are the steps:

  • Wrap resolveAllowFrom calls in a try/catch block.
  • In the catch block, fall back to the resolveFallbackAllowFrom path when secret resolution fails.

Example Code

// In command-auth.ts
try {
  const allowFrom = await plugin.config.resolveAllowFrom();
  // ... rest of the code ...
} catch (error) {
  if (error.message.includes('SecretRef')) {
    // Fall back to config-only allowlist resolution
    const allowFrom = await resolveFallbackAllowFrom();
    // ... rest of the code ...
  } else {
    throw error;
  }
}

Verification

To verify the fix, test the slash command functionality with a Telegram account using SecretRef-based credentials. The command should now work without crashing the gateway due to secret resolution errors.

Extra Tips

  • Ensure that the resolveFallbackAllowFrom function is correctly implemented to handle the allowlist configuration without requiring resolved secrets.
  • Consider adding additional logging to monitor and debug any further issues related to secret resolution.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#container setup#orchestration issue#cache issue#memory leak#API versioning

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING