PR #58923: fix(auth): ensure credential key and token fields are strings during store load

• Repository: openclaw/openclaw
• Author: openperf
• State: closed | merged: True
• Link: https://github.com/openclaw/openclaw/pull/58923

Description (problem / solution / changelog)

Summary

• Problem: Agents without ACP runtime crash on every incoming message with TypeError: cred.key?.trim is not a function (file: src/agents/models-config.providers.secrets.ts, line 134). This happens because cred.key can be a SecretRef object if users wrote it into auth-profiles.json instead of keyRef.
• Root Cause: normalizeRawCredentialEntry in src/agents/auth-profiles/store.ts loads credentials from auth-profiles.json but does not validate the type of the key or token fields. If a user writes a SecretRef object into the key field instead of keyRef, the object passes through unchecked. Later, resolveApiKeyFromCredential calls cred.key?.trim(), which throws a TypeError because the object is truthy (so ?. does not short-circuit) but lacks a .trim() method.
• Fix: Updated normalizeRawCredentialEntry to validate the type of key and token at load time. If they are non-string objects, we use coerceSecretRef to migrate them to keyRef/tokenRef (preserving the user's intent) and delete the invalid key/token field. This ensures downstream consumers always receive a string | undefined, preventing the crash.
• What changed:
  • src/agents/auth-profiles/store.ts: Added type validation and SecretRef migration for key and token fields in normalizeRawCredentialEntry.
  • src/agents/auth-profiles.ensureauthprofilestore.test.ts: Added 4 test cases for non-string key handling: SecretRef migration, invalid type cleanup, existing keyRef preservation, and string passthrough.
• What did NOT change (scope boundary): resolveApiKeyFromCredential, resolveApiKeyForProfile, collectApiKeyProfileAssignment, and all other downstream credential consumers remain unchanged. The fix is localized to the store loading normalization phase. No changes to the secrets runtime pipeline, OAuth flow, or gateway startup logic.

Reproduction

1. Have an agent without runtime.type: "acp" configured (e.g., main, myclaw).
2. In auth-profiles.json, set a credential's key to an object: {"source": "env", "provider": "default", "id": "OPENAI_API_KEY"}.
3. Send any message to that agent via any channel (Feishu, Discord, etc.).
4. Observe error in logs: lane task error: ... error="TypeError: cred.key?.trim is not a function".

Risk / Mitigation

• Risk: The normalization might drop user credentials if they were intentionally using non-string formats not anticipated here.
• Mitigation: We specifically use coerceSecretRef to detect and migrate valid SecretRef objects to keyRef rather than blindly dropping them. This preserves the configuration intent. Non-SecretRef non-string values (e.g., numbers, booleans) are safely dropped as they have no valid interpretation. Four targeted tests verify: (1) SecretRef migration works, (2) invalid types are cleaned, (3) existing keyRef is not overwritten, (4) valid string keys are untouched.

Change Type (select all)

• Bug fix

Scope (select all touched areas)

• Gateway

Linked Issue/PR

Fixes #58861

Changed files

• CHANGELOG.md (modified, +1/-0)
• src/agents/auth-profiles.ensureauthprofilestore.test.ts (modified, +249/-1)
• src/agents/auth-profiles/store.ts (modified, +22/-0)