openclaw - ✅(Solved) Fix [Discord] unresolved SecretRef at runtime despite `secrets audit` showing 0 unresolved [1 pull requests, 1 comments, 2 participants]

openclaw2026-05-01 00:49:50

ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

GitHub issue URL

Helpful · Quick feedback

GitHub stats

openclaw/openclaw#75324•Fetched 2026-05-01 05:35:10

View on GitHub

Comments

Participants

Timeline

Reactions

Author

slideshow-dingo

Participants

clawsweeper[bot]

slideshow-dingo

Timeline (top)

commented ×1cross-referenced ×1

channels.discord.token is configured as a SecretRef pointing to a valid filemain provider key. openclaw secrets audit reports 0 unresolved. But at runtime, Discord channel operations fail with channels.discord.token: unresolved SecretRef "file:filemain:/DISCORD_BOT_TOKEN".

This is a regression/fragility in how the Discord extension resolves the token at runtime vs how the CLI audit resolves it.

Error Message

Error: channels.discord.token: unresolved SecretRef "file:filemain:/DISCORD_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (types.secrets-BHp0Y_k0.js:68:25)
    at resolveSecretInputString (types.secrets-BHp0Y_k0.js:99:52)
    at normalizeResolvedSecretInputString (types.secrets-BHp0Y_k0.js:110:19)
    at normalizeDiscordToken (token-D-w3Rigl.js:5:18)
    at resolveDiscordToken (token-D-w3Rigl.js:26:22)
    at resolveDiscordAccount (accounts-BKnkNaoA.js:54:26)
    at resolveScopedDiscordActionDiscovery (channel-actions-8bJreMW_.js:22:18)
    at Object.describeDiscordMessageTool [as describeMessageTool] (channel-actions-8bJreMW_.js:34:20)
    at Object.describeMessageTool (channel-CMeIg_K8.js:306:146)
    at describeMessageToolSafely (message-action-discovery-CW9J9hh5.js:60:17)

Root Cause

Root cause hypothesis

Fix Action

Fix / Workaround

Gateway starts successfully and secrets audit is clean
But Discord channel is non-functional at runtime
Workaround: keep Discord token as plaintext (not a SecretRef)

PR fix notes

PR #75424: fix(discord): avoid resolving token during action discovery

Repository: openclaw/openclaw
Author: Conan-Scott
State: open | merged: False
Link: https://github.com/openclaw/openclaw/pull/75424

Description (problem / solution / changelog)

Summary

Fixes Discord message-action handling when channels.discord.token is configured as a SecretRef, e.g. env:default:DISCORD_BOT_TOKEN.

This covers both affected paths:

Discord message-action discovery / schema generation
Actual outbound tools.message execution from agent turns

Closes #75324.

Root cause

There were two related SecretRef handling issues:

Discord action discovery called runtime token resolution while building the message tool schema. With unresolved SecretRefs, this failed before the tool could expose Discord actions.
Agent message-tool execution skipped command-time SecretRef resolution when the tool was constructed with an injected config snapshot. In that case, outbound Discord sends still received the raw SecretRef object and failed at runtime.

Both paths are now covered.

Changes

Update Discord action discovery to use config-only account inspection via inspectDiscordAccount / listDiscordAccountIds.
- Configured SecretRefs count as credentials being present for discovery.
- Discovery no longer reads or resolves the token value.
- Runtime send/auth paths remain strict.
Update createMessageTool execution to always run scoped command-time SecretRef resolution before runMessageAction, including when options.config is supplied.
- Configs with no matching SecretRefs remain a no-op.
- Resolution stays scoped to the selected channel/account via existing getScopedChannelsCommandSecretTargets.
Add regression tests for:
- Top-level Discord token SecretRef during discovery.
- Account-scoped Discord token SecretRef during discovery.
- Message tool constructed with a config snapshot resolving Discord token SecretRefs before outbound execution.

Test plan

Automated:

pnpm test src/agents/tools/message-tool.test.ts extensions/discord/src/channel-actions.test.ts
pnpm check:changed

Live verification against OpenClaw 2026.4.29 environment:

Confirmed live config uses channels.discord.token as env:default:DISCORD_BOT_TOKEN.
Confirmed the gateway process environment contains DISCORD_BOT_TOKEN without printing the token.
Reproduced installed 4.29 discovery failure:
- channels.discord.token: unresolved SecretRef "env:default:DISCORD_BOT_TOKEN"
Verified patched Discord discovery against the same live config:
- describeMessageTool({ cfg }) succeeded.
- Returned 33 Discord actions.
Verified patched message-tool execution path with a non-sending Discord dry-run:
- SecretRef resolved before runMessageAction.
- Token was no longer a SecretRef.
- No secret value was printed.
Applied a temporary wrapper hotpatch in the live pod to load both patched paths and performed a real Discord inbound→outbound smoke test.
- Discord reply succeeded.

Security impact

No new secret surfaces or network permissions.

This change reduces accidental SecretRef exposure/failure risk by ensuring:

Discovery only checks whether Discord credentials are configured; it does not read token values.
Outbound execution resolves secrets through the existing scoped command-secret resolution path.
Runtime Discord token use remains strict and still requires a resolved token.
Tests and live verification avoided printing token values.

User-visible behavior

Discord actions should remain available when the Discord bot token is configured via SecretRef.

Agent replies and tools.message Discord sends should work with channels.discord.token configured as an environment SecretRef, instead of failing with unresolved SecretRef errors.

Changed files

CHANGELOG.md (modified, +1/-0)
extensions/discord/src/channel-actions.test.ts (modified, +52/-0)
extensions/discord/src/channel-actions.ts (modified, +15/-15)
src/agents/tools/message-tool.test.ts (modified, +45/-0)
src/agents/tools/message-tool.ts (modified, +23/-26)

Code Example

"channels": {
  "discord": {
    "enabled": true,
    "token": {
      "source": "file",
      "provider": "filemain",
      "id": "/DISCORD_BOT_TOKEN"
    }
  }
}

"secrets": {
  "providers": {
    "filemain": { "source": "file", "path": "/path/to/secrets.json", "mode": "json" }
  }
}

---

Error: channels.discord.token: unresolved SecretRef "file:filemain:/DISCORD_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (types.secrets-BHp0Y_k0.js:68:25)
    at resolveSecretInputString (types.secrets-BHp0Y_k0.js:99:52)
    at normalizeResolvedSecretInputString (types.secrets-BHp0Y_k0.js:110:19)
    at normalizeDiscordToken (token-D-w3Rigl.js:5:18)
    at resolveDiscordToken (token-D-w3Rigl.js:26:22)
    at resolveDiscordAccount (accounts-BKnkNaoA.js:54:26)
    at resolveScopedDiscordActionDiscovery (channel-actions-8bJreMW_.js:22:18)
    at Object.describeDiscordMessageTool [as describeMessageTool] (channel-actions-8bJreMW_.js:34:20)
    at Object.describeMessageTool (channel-CMeIg_K8.js:306:146)
    at describeMessageToolSafely (message-action-discovery-CW9J9hh5.js:60:17)

---

OpenClaw 2026.4.29 (a448042)

RAW_BUFFERClick to expand / collapse

Summary

This is a regression/fragility in how the Discord extension resolves the token at runtime vs how the CLI audit resolves it.

Environment

OpenClaw: 2026.4.29 (a448042)
OS: Linux 6.8.0 (Ubuntu/Debian)
Install: npm global
secrets.json mode: json (filemain provider)

Config

"channels": {
  "discord": {
    "enabled": true,
    "token": {
      "source": "file",
      "provider": "filemain",
      "id": "/DISCORD_BOT_TOKEN"
    }
  }
}

"secrets": {
  "providers": {
    "filemain": { "source": "file", "path": "/path/to/secrets.json", "mode": "json" }
  }
}

secrets.json top-level key DISCORD_BOT_TOKEN exists and is valid.

Steps to reproduce

Configure channels.discord.token as a filemain SecretRef ("id": "/DISCORD_BOT_TOKEN")
Confirm openclaw secrets audit reports 0 unresolved
Restart the gateway
Attempt any Discord message action (e.g. openclaw message send, or inbound Discord message)
Observe: channels.discord.token: unresolved SecretRef "file:filemain:/DISCORD_BOT_TOKEN"

Expected vs Actual

Expected: Discord token resolves at gateway startup (as secrets audit confirms), runtime usage works
Actual: Gateway starts clean, Discord operations fail at runtime with unresolved SecretRef

Stack trace

Error: channels.discord.token: unresolved SecretRef "file:filemain:/DISCORD_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (types.secrets-BHp0Y_k0.js:68:25)
    at resolveSecretInputString (types.secrets-BHp0Y_k0.js:99:52)
    at normalizeResolvedSecretInputString (types.secrets-BHp0Y_k0.js:110:19)
    at normalizeDiscordToken (token-D-w3Rigl.js:5:18)
    at resolveDiscordToken (token-D-w3Rigl.js:26:22)
    at resolveDiscordAccount (accounts-BKnkNaoA.js:54:26)
    at resolveScopedDiscordActionDiscovery (channel-actions-8bJreMW_.js:22:18)
    at Object.describeDiscordMessageTool [as describeMessageTool] (channel-actions-8bJreMW_.js:34:20)
    at Object.describeMessageTool (channel-CMeIg_K8.js:306:146)
    at describeMessageToolSafely (message-action-discovery-CW9J9hh5.js:60:17)

Root cause hypothesis

The describeMessageTool code path calls loadConfig() which re-reads the raw config from disk. The raw config has the unresolved SecretRef object. The already-resolved in-memory token is discarded. This is the same root cause as issue #33573 but in a different code path (describeMessageTool instead of sendMessage).

Impact

Gateway starts successfully and secrets audit is clean
But Discord channel is non-functional at runtime
Workaround: keep Discord token as plaintext (not a SecretRef)

Related issues

#33573 — same root cause for sendMessage path (closed, fix was for send path only)
#65201 — similar doctor false positive for file-backed secrets
#74832 — similar Telegram pattern (SecretRef resolves in audit but not in status/channel ops)

openclaw --version

OpenClaw 2026.4.29 (a448042)

extent analysis

TL;DR

The most likely fix is to update the code to avoid re-reading the raw config from disk in the describeMessageTool code path, ensuring the already-resolved in-memory token is used instead of the unresolved SecretRef object.

Guidance

Review the describeMessageTool code path to identify where the raw config is being re-read from disk and consider caching the resolved token.
Verify that the loadConfig() function is not discarding the already-resolved in-memory token.
Check if the SecretRef resolution is being done correctly in the describeMessageTool code path.
Consider applying a similar fix to the one applied for issue #33573, but for the describeMessageTool code path.

Example

No code snippet is provided as the issue does not contain enough information to create a specific example.

Notes

The root cause of the issue seems to be related to the describeMessageTool code path re-reading the raw config from disk, which discards the already-resolved in-memory token. However, without more information about the code, it's difficult to provide a more specific solution.

Recommendation

Apply a workaround by keeping the Discord token as plaintext (not a SecretRef) until a proper fix can be implemented, as this has been identified as a functional workaround in the issue description.

Vote matrix · Quick signals

Works

Did the solution work? Tap to confirm.

Easy Fix

Was it a quick fix?

Time Saver

Did it save you time?

Blocking

Was it severely blocking?

Common Issue

Are others likely hitting this too?

Flaky / Intermittent

Is it intermittent?

Verified / Reproducible

Can you reproduce it reliably?

#authentication issue #prompt issue #agent setup #task chaining #parallel task

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

openclaw - ✅(Solved) Fix [Discord] unresolved SecretRef at runtime despite `secrets audit` showing 0 unresolved [1 pull requests, 1 comments, 2 participants]

Recommended Tools

GitHub issue graph ai analysis

Error Message

Root Cause

Root cause hypothesis

Fix Action

Fix / Workaround

PR fix notes

PR #75424: fix(discord): avoid resolving token during action discovery

Description (problem / solution / changelog)

Summary

Root cause

Changes

Test plan

Security impact

User-visible behavior

Changed files

Code Example

Summary

Environment

Config

Steps to reproduce

Expected vs Actual

Stack trace

Root cause hypothesis

Impact

Related issues

openclaw --version

extent analysis

TL;DR

Guidance

Example

Notes

Recommendation

Still need to ship something?

RELATED_DISCOVERY

TRENDING