Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix openclaw status (text mode) fails on Mattermost exec:keychain SecretRef — other channels with same pattern work [1 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#70942Fetched 2026-04-24 10:37:31
View on GitHub
Comments
0
Participants
1
Timeline
1
Reactions
0
Author
djgeorg3djgeorg3
Participants
djgeorg3djgeorg3
Timeline (top)
cross-referenced ×1

openclaw status (default text mode) crashes while building the channels table when Mattermost is configured with an exec:keychain: SecretRef for botToken. Other channels (Telegram, Discord) use the same SecretRef shape and work fine. Gateway itself is healthy — Mattermost delivers messages normally — only the CLI renderer is affected.

Error Message

[openclaw] Failed to start CLI: Error: channels.mattermost.accounts.default.botToken: unresolved SecretRef "exec:keychain:openclaw/mattermost-bottoken". Resolve this command against an active gateway runtime snapshot before reading it. at createUnresolvedSecretInputError (file:///…/dist/types.secrets-BZ6RGKR0.js:55:25) at resolveSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:86:52) at normalizeResolvedSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:97:19) at resolveMattermostAccount (file:///…/dist/accounts-DsoCYhtx.js:328:102) at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:39:29) at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:74:18) at resolveInspectedChannelAccount (file:///…/dist/account-inspection-4shU54zH.js:55:75) at async resolveChannelAccountRow (file:///…/dist/status.scan.runtime-PBE84ne9.js:191:43) at async buildChannelsTable (file:///…/dist/status.scan.runtime-PBE84ne9.js:293:61)

Root Cause

openclaw status (default text mode) crashes while building the channels table when Mattermost is configured with an exec:keychain: SecretRef for botToken. Other channels (Telegram, Discord) use the same SecretRef shape and work fine. Gateway itself is healthy — Mattermost delivers messages normally — only the CLI renderer is affected.

Fix Action

Fix / Workaround

Happy to test a patch.

PR fix notes

PR #71024: fix(mattermost): keep status read-only for SecretRef tokens

Description (problem / solution / changelog)

Summary

  • Problem: openclaw status text mode crashed when Mattermost botToken used an unresolved exec:keychain SecretRef.
  • Why it matters: Mattermost could be healthy at runtime, but read-only diagnostics failed before printing the channel table.
  • What changed: Added a Mattermost read-only account inspector that reports configured-but-unavailable credential metadata without dereferencing the secret, and taught status snapshots to preserve that state.
  • What did NOT change (scope boundary): Runtime Mattermost token resolution remains strict; this only changes read-only inspection/status behavior.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #70942
  • Related #
  • This PR fixes a bug or regression

Root Cause (if applicable)

  • Root cause: Mattermost had strict runtime account resolution but no read-only inspectAccount path. Status rendering fell back to resolveAccount, which throws on unresolved SecretRefs.
  • Missing detection / guardrail: No Mattermost regression test covered read-only status inspection with an unresolved SecretRef credential.
  • Contributing context (if known): Telegram, Discord, and Slack already had read-only inspectors; Mattermost was missing the equivalent path.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file:
    • extensions/mattermost/src/mattermost/accounts.test.ts
    • extensions/mattermost/src/channel-actions-setup-status.contract.test.ts
  • Scenario the test should lock in: unresolved Mattermost SecretRef bot tokens are reported as configured/unavailable in read-only inspection without throwing.
  • Why this is the smallest reliable guardrail: It tests the plugin resolver and the status snapshot contract directly without requiring a live Mattermost server.
  • Existing test that already covers this (if any): None.
  • If no new test is added, why not: N/A.

User-visible / Behavior Changes

openclaw status no longer crashes for Mattermost accounts whose bot token is configured as an unresolved SecretRef. It reports degraded credential availability instead.

Diagram (if applicable)

Before:
openclaw status -> Mattermost resolveAccount -> unresolved SecretRef throw -> CLI crash

After:
openclaw status -> Mattermost inspectAccount -> configured_unavailable metadata -> status table renders

Security Impact (required)

  • New permissions/capabilities? (No)
  • Secrets/tokens handling changed? (Yes)
  • New/changed network calls? (No)
  • Command/tool execution surface changed? (No)
  • Data access scope changed? (No)
  • If any Yes, explain risk + mitigation: Read-only status now detects configured SecretRefs without resolving them. It does not expose token values, and runtime resolution remains strict.

Repro + Verification

Environment

  • OS: macOS local checkout
  • Runtime/container: Node 22 / pnpm
  • Model/provider: N/A
  • Integration/channel (if any): Mattermost
  • Relevant config (redacted): channels.mattermost.botToken as exec:keychain SecretRef plus baseUrl

Steps

  1. Configure Mattermost with botToken as an unresolved SecretRef.
  2. Run openclaw status.
  3. Inspect the Mattermost status row.

Expected

  • Status renders and reports Mattermost as configured with unavailable credentials.

Actual

  • Fixed by this PR. Before the fix, status crashed with an unresolved SecretRef error.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Validation:

  • pnpm test extensions/mattermost/src/mattermost/accounts.test.ts extensions/mattermost/src/channel-actions-setup-status.contract.test.ts
  • pnpm check:changed

Human Verification (required)

  • Verified scenarios:
    • Mattermost account inspection preserves unresolved SecretRef state without dereferencing the secret.
    • Mattermost status snapshots include botTokenStatus: configured_unavailable.
    • Changed-lane validation passed.
  • Edge cases checked:
    • Runtime resolveMattermostAccount still throws on unresolved SecretRefs.
    • Read-only inspection treats SecretRef + baseUrl as configured but unavailable.
  • What you did not verify:
    • A live Mattermost server connection.
    • A real exec:keychain secret provider returning a token.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes)
  • Config/env changes? (No)
  • Migration needed? (No)
  • If yes, exact upgrade steps: N/A.

Risks and Mitigations

  • Risk: Status may treat a configured-but-unavailable SecretRef as configured even when the command cannot read it.
    • Mitigation: The row is marked with unavailable credential metadata, and runtime token use still requires successful strict resolution.

Changed files

  • extensions/mattermost/src/channel-actions-setup-status.contract.test.ts (modified, +38/-1)
  • extensions/mattermost/src/channel-config-shared.ts (modified, +3/-1)
  • extensions/mattermost/src/channel.ts (modified, +2/-1)
  • extensions/mattermost/src/mattermost/accounts.test.ts (modified, +32/-0)
  • extensions/mattermost/src/mattermost/accounts.ts (modified, +97/-1)

Code Example

"mattermost": {
     "enabled": true,
     "botToken": {
       "source": "exec",
       "provider": "keychain",
       "id": "openclaw/mattermost-bottoken"
     },
     "baseUrl": "https://…",
     "dmPolicy": "allowlist",
     "groupPolicy": "allowlist"
   }

---

[openclaw] Failed to start CLI: Error: channels.mattermost.accounts.default.botToken: unresolved SecretRef "exec:keychain:openclaw/mattermost-bottoken". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (file:///…/dist/types.secrets-BZ6RGKR0.js:55:25)
    at resolveSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:86:52)
    at normalizeResolvedSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:97:19)
    at resolveMattermostAccount (file:///…/dist/accounts-DsoCYhtx.js:328:102)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:39:29)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:74:18)
    at resolveInspectedChannelAccount (file:///…/dist/account-inspection-4shU54zH.js:55:75)
    at async resolveChannelAccountRow (file:///…/dist/status.scan.runtime-PBE84ne9.js:191:43)
    at async buildChannelsTable (file:///…/dist/status.scan.runtime-PBE84ne9.js:293:61)
RAW_BUFFERClick to expand / collapse

Bug: openclaw status text mode crashes with unresolved Mattermost SecretRef

Version: 2026.4.22 (00bd2cf), macOS (darwin 25.4.0, arm64), Node v22.22.2

Summary

openclaw status (default text mode) crashes while building the channels table when Mattermost is configured with an exec:keychain: SecretRef for botToken. Other channels (Telegram, Discord) use the same SecretRef shape and work fine. Gateway itself is healthy — Mattermost delivers messages normally — only the CLI renderer is affected.

Repro

  1. Configure channels.mattermost.botToken with an exec/keychain SecretRef: 
    "mattermost": {
  "enabled": true,
  "botToken": {
    "source": "exec",
    "provider": "keychain",
    "id": "openclaw/mattermost-bottoken"
  },
  "baseUrl": "https://…",
  "dmPolicy": "allowlist",
  "groupPolicy": "allowlist"
}
  2. Start the gateway normally (openclaw gateway start). Gateway resolves the secret and connects fine.
  3. Run openclaw status.

Expected

Text-mode status prints the channel table including Mattermost, same as --json (which works).

Actual

[openclaw] Failed to start CLI: Error: channels.mattermost.accounts.default.botToken: unresolved SecretRef "exec:keychain:openclaw/mattermost-bottoken". Resolve this command against an active gateway runtime snapshot before reading it.
    at createUnresolvedSecretInputError (file:///…/dist/types.secrets-BZ6RGKR0.js:55:25)
    at resolveSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:86:52)
    at normalizeResolvedSecretInputString (file:///…/dist/types.secrets-BZ6RGKR0.js:97:19)
    at resolveMattermostAccount (file:///…/dist/accounts-DsoCYhtx.js:328:102)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:39:29)
    at Object.resolveAccount (file:///…/dist/channel-config-helpers-DprVFCfq.js:74:18)
    at resolveInspectedChannelAccount (file:///…/dist/account-inspection-4shU54zH.js:55:75)
    at async resolveChannelAccountRow (file:///…/dist/status.scan.runtime-PBE84ne9.js:191:43)
    at async buildChannelsTable (file:///…/dist/status.scan.runtime-PBE84ne9.js:293:61)

Notes

  • openclaw status --json works (no channels table built).
  • openclaw status --all also fails with the same error.
  • openclaw doctor and openclaw doctor --fix succeed; Mattermost probe reports ok (@daneel) (193ms).
  • Telegram and Discord use the same exec:keychain SecretRef pattern and do not trigger this in the CLI status renderer — suggests resolveMattermostAccount takes a different, stricter code path than resolveTelegramAccount / resolveDiscordAccount.
  • Config is recognized both as top-level (channels.mattermost.botToken) and under accounts.default.botToken per schema; the error always references the normalized accounts.default path.

Suggested fix

In the CLI status renderer / resolveInspectedChannelAccount path, catch UnresolvedSecretInputError for SecretRef-style values and either:

  1. Render the channel row with secret: pending (from keychain) instead of throwing, or
  2. Fall back to the gateway runtime snapshot the error message already tells the user to use.

Happy to test a patch.

extent analysis

TL;DR

The openclaw status command in text mode crashes when Mattermost is configured with an exec:keychain SecretRef for botToken, likely due to the CLI status renderer not handling unresolved SecretRef values.

Guidance

  • The issue seems to be specific to the resolveMattermostAccount function, which takes a different code path than resolveTelegramAccount and resolveDiscordAccount.
  • To fix this, the resolveInspectedChannelAccount function could catch UnresolvedSecretInputError exceptions and either render the channel row with a placeholder value or fall back to the gateway runtime snapshot.
  • The error message suggests that the gateway runtime snapshot can be used to resolve the SecretRef, so using this snapshot in the CLI status renderer might be a viable workaround.
  • The fact that openclaw status --json works suggests that the issue is specific to the text mode rendering of the channel table.

Example

try {
  // existing code to resolve SecretRef
} catch (error) {
  if (error instanceof UnresolvedSecretInputError) {
    // render channel row with placeholder value, e.g. "secret: pending (from keychain)"
    // or fall back to gateway runtime snapshot
  } else {
    throw error;
  }
}

Notes

The suggested fix assumes that the UnresolvedSecretInputError exception is thrown when the SecretRef cannot be resolved. If this is not the case, additional error handling may be necessary.

Recommendation

Apply a workaround by catching UnresolvedSecretInputError exceptions in the resolveInspectedChannelAccount function and rendering the channel row with a placeholder value or falling back to the gateway runtime snapshot. This should allow the openclaw status command to complete without crashing.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#installation#tensor shape#autograd error#model save/load

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING