openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/bluebubbles/src/monitor.ts‎
Lines changed: 2 additions & 1 deletion b/‎extensions/bluebubbles/src/monitor.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎extensions/bluebubbles/src/monitor.webhook-auth.test.ts‎
Lines changed: 10 additions & 0 deletions b/‎extensions/bluebubbles/src/monitor.webhook-auth.test.ts‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎extensions/discord/src/setup-account-state.test.ts‎
Lines changed: 22 additions & 0 deletions b/‎extensions/discord/src/setup-account-state.test.ts‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎extensions/telegram/src/accounts.test.ts‎
Lines changed: 22 additions & 0 deletions b/‎extensions/telegram/src/accounts.test.ts‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎extensions/telegram/src/accounts.ts‎
Lines changed: 6 additions & 2 deletions b/‎extensions/telegram/src/accounts.ts‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎src/agents/tools/web-search.ts‎
Lines changed: 5 additions & 1 deletion b/‎src/agents/tools/web-search.ts‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/agents/tools/web-tools.enabled-defaults.test.ts‎
Lines changed: 14 additions & 1 deletion b/‎src/agents/tools/web-tools.enabled-defaults.test.ts‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎src/cli/command-secret-targets.ts‎
Lines changed: 15 additions & 0 deletions b/‎src/cli/command-secret-targets.ts‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/secrets/channel-contract-api.external.test.ts‎
Lines changed: 116 additions & 0 deletions b/‎src/secrets/channel-contract-api.external.test.ts‎
Lines changed: 116 additions & 0 deletions
@@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Channels/secrets: resolve SecretRef-backed channel credentials through external plugin secret contracts after the plugin split, covering runtime startup, target discovery, webhook auth, disabled-account enumeration, and late-bound web_search config. (#76449) Thanks @joshavant.
 - Docker/Gateway: pass Docker setup `.env` values into gateway and CLI containers and preserve exec SecretRef `passEnv` keys in managed service plans, so 1Password Connect-backed Discord tokens keep resolving after doctor or plugin repair. Thanks @vincentkoc.
 - Control UI/WebChat: explain compaction boundaries in chat history and link directly to session checkpoint controls so pre-compaction turns no longer look silently lost after refresh. Fixes #76415. Thanks @BunsDev.
 - Gateway/sessions: keep async `sessions.list` title and preview hydration bounded to transcript head/tail reads so Control UI polling cannot full-scan large session transcripts every refresh. Thanks @vincentkoc.
 
@@ -23,6 +23,7 @@ import {
 } from "./monitor-shared.js";
 import { fetchBlueBubblesServerInfo } from "./probe.js";
 import { getBlueBubblesRuntime } from "./runtime.js";
+import { normalizeSecretInputString } from "./secret-input.js";
 import {
   WEBHOOK_RATE_LIMIT_DEFAULTS,
   createFixedWindowRateLimiter,
@@ -193,7 +194,7 @@ export async function handleBlueBubblesWebhookRequest(
         targets,
         res,
         isMatch: (target) => {
-          const token = target.account.config.password?.trim() ?? "";
+          const token = normalizeSecretInputString(target.account.config.password) ?? "";
           return safeEqualAuthToken(guid, token);
         },
       });
 
@@ -432,6 +432,16 @@ describe("BlueBubbles webhook monitor", () => {
       );
     });
 
+    it("rejects unresolved SecretRef webhook passwords without crashing", async () => {
+      setupWebhookTarget({
+        account: createMockAccount({
+          password: { source: "exec", provider: "vault", id: "bluebubbles/webhook" } as never,
+        }),
+      });
+
+      await expectProtectedPasswordQueryRequestStatus(401);
+    });
+
     it("rate limits repeated invalid password guesses from the same client", async () => {
       setupWebhookTarget({
         account: createMockAccount({
 
@@ -88,4 +88,26 @@ describe("discord setup account state", () => {
     expect(inspected.tokenStatus).toBe("missing");
     expect(inspected.configured).toBe(false);
   });
+
+  it("reports unresolved SecretRef account tokens as configured but unavailable", () => {
+    const inspected = inspectDiscordSetupAccount({
+      cfg: {
+        channels: {
+          discord: {
+            accounts: {
+              work: {
+                token: { source: "exec", provider: "vault", id: "discord/work" },
+              },
+            },
+          },
+        },
+      },
+      accountId: "work",
+    });
+
+    expect(inspected.token).toBe("");
+    expect(inspected.tokenSource).toBe("config");
+    expect(inspected.tokenStatus).toBe("configured_unavailable");
+    expect(inspected.configured).toBe(true);
+  });
 });
@@ -4,6 +4,7 @@ import { withEnv } from "openclaw/plugin-sdk/test-env";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import {
   createTelegramActionGate,
+  listEnabledTelegramAccounts,
   listTelegramAccountIds,
   mergeTelegramAccountConfig,
   resolveTelegramMediaRuntimeOptions,
@@ -123,6 +124,27 @@ describe("resolveTelegramAccount", () => {
     expect(lines).toContain("listTelegramAccountIds [ 'work' ]");
     expect(lines).toContain("resolve { accountId: 'work', enabled: true, tokenSource: 'config' }");
   });
+
+  it("does not resolve disabled account tokens when listing enabled accounts", () => {
+    const cfg = {
+      channels: {
+        telegram: {
+          accounts: {
+            disabled: {
+              enabled: false,
+              botToken: { source: "exec", provider: "vault", id: "telegram/disabled" },
+            },
+            work: { botToken: "tok-work" },
+          },
+        },
+      },
+    } as unknown as OpenClawConfig;
+
+    const accounts = listEnabledTelegramAccounts(cfg);
+
+    expect(accounts.map((account) => account.accountId)).toEqual(["work"]);
+    expect(accounts[0]?.token).toBe("tok-work");
+  });
 });
 
 describe("resolveDefaultTelegramAccountId", () => {
 
@@ -177,7 +177,11 @@ export function resolveTelegramAccount(params: {
 }
 
 export function listEnabledTelegramAccounts(cfg: OpenClawConfig): ResolvedTelegramAccount[] {
+  const baseEnabled = cfg.channels?.telegram?.enabled !== false;
+  if (!baseEnabled) {
+    return [];
+  }
   return listTelegramAccountIds(cfg)
-    .map((accountId) => resolveTelegramAccount({ cfg, accountId }))
-    .filter((account) => account.enabled);
+    .filter((accountId) => mergeTelegramAccountConfig(cfg, accountId).enabled !== false)
+    .map((accountId) => resolveTelegramAccount({ cfg, accountId }));
 }
@@ -2,6 +2,7 @@ import type { OpenClawConfig } from "../../config/types.openclaw.js";
 import { resolveManifestContractOwnerPluginId } from "../../plugins/plugin-registry.js";
 import { getActiveRuntimeWebToolsMetadata } from "../../secrets/runtime-web-tools-state.js";
 import type { RuntimeWebSearchMetadata } from "../../secrets/runtime-web-tools.types.js";
+import { getActiveSecretsRuntimeSnapshot } from "../../secrets/runtime.js";
 import { resolveWebSearchProviderId, runWebSearch } from "../../web-search/runtime.js";
 import type { AnyAgentTool } from "./common.js";
 import { asToolParamsRecord, jsonResult } from "./common.js";
@@ -92,7 +93,10 @@ export function createWebSearchTool(options?: {
           : options?.runtimeWebSearch;
       const runtimeProviderId =
         runtimeWebSearch?.selectedProvider ?? runtimeWebSearch?.providerConfigured;
-      const config = options?.lateBindRuntimeConfig === true ? undefined : options?.config;
+      const config =
+        options?.lateBindRuntimeConfig === true
+          ? (getActiveSecretsRuntimeSnapshot()?.config ?? options?.config)
+          : options?.config;
       const preferRuntimeProviders =
         Boolean(runtimeProviderId) &&
         !resolveManifestContractOwnerPluginId({
 
@@ -10,6 +10,13 @@ import { createWebFetchTool, createWebSearchTool } from "./web-tools.js";
 const runWebSearchCalls = vi.hoisted(
   () => [] as Array<{ config?: unknown; runtimeWebSearch?: unknown }>,
 );
+const activeSecretsRuntimeSnapshot = vi.hoisted(() => ({
+  current: null as null | { config: unknown },
+}));
+
+vi.mock("../../secrets/runtime.js", () => ({
+  getActiveSecretsRuntimeSnapshot: () => activeSecretsRuntimeSnapshot.current,
+}));
 
 vi.mock("../../web-search/runtime.js", async () => {
   const { getActivePluginRegistry } = await import("../../plugins/runtime.js");
@@ -68,12 +75,14 @@ vi.mock("../../web-search/runtime.js", async () => {
 beforeEach(() => {
   setActivePluginRegistry(createEmptyPluginRegistry());
   clearActiveRuntimeWebToolsMetadata();
+  activeSecretsRuntimeSnapshot.current = null;
   runWebSearchCalls.length = 0;
 });
 
 afterEach(() => {
   setActivePluginRegistry(createEmptyPluginRegistry());
   clearActiveRuntimeWebToolsMetadata();
+  activeSecretsRuntimeSnapshot.current = null;
 });
 
 describe("web tools defaults", () => {
@@ -196,6 +205,10 @@ describe("web tools defaults", () => {
       },
       diagnostics: [],
     });
+    const runtimeConfig = {
+      tools: { web: { search: { provider: "fresh", fresh: { apiKey: "runtime-key" } } } },
+    };
+    activeSecretsRuntimeSnapshot.current = { config: runtimeConfig };
 
     const tool = createWebSearchTool({
       config: { tools: { web: { search: { provider: "stale" } } } },
@@ -214,7 +227,7 @@ describe("web tools defaults", () => {
 
     expect(result?.details).toMatchObject({ provider: "fresh" });
     expect(runWebSearchCalls).toHaveLength(1);
-    expect(runWebSearchCalls[0]?.config).toBeUndefined();
+    expect(runWebSearchCalls[0]?.config).toBe(runtimeConfig);
     expect(runWebSearchCalls[0]?.runtimeWebSearch).toMatchObject({
       selectedProvider: "fresh",
     });
 
@@ -1,6 +1,7 @@
 import { listReadOnlyChannelPluginsForConfig } from "../channels/plugins/read-only.js";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
 import { normalizeOptionalAccountId } from "../routing/session-key.js";
+import { loadChannelSecretContractApi } from "../secrets/channel-contract-api.js";
 import {
   discoverConfigSecretTargetsByIds,
   listSecretTargetRegistryEntries,
@@ -115,6 +116,20 @@ function getConfiguredChannelSecretTargetIds(
   env: NodeJS.ProcessEnv = process.env,
 ): string[] {
   const targetIds = new Set<string>();
+  const channels = config.channels;
+  if (channels && typeof channels === "object" && !Array.isArray(channels)) {
+    for (const channelId of Object.keys(channels)) {
+      if (channelId === "defaults") {
+        continue;
+      }
+      const contract = loadChannelSecretContractApi({ channelId, config, env });
+      for (const entry of contract?.secretTargetRegistryEntries ?? []) {
+        if (isScopedChannelSecretTargetEntry({ entry, pluginChannelId: channelId })) {
+          targetIds.add(entry.id);
+        }
+      }
+    }
+  }
   for (const plugin of listReadOnlyChannelPluginsForConfig(config, {
     env,
     includePersistedAuthState: false,
 
@@ -0,0 +1,116 @@
+import fs from "node:fs";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { cleanupTrackedTempDirs, makeTrackedTempDir } from "../plugins/test-helpers/fs-fixtures.js";
+
+const tempDirs: string[] = [];
+
+const { loadPluginMetadataSnapshotMock, loadBundledPluginPublicArtifactModuleSyncMock } =
+  vi.hoisted(() => ({
+    loadPluginMetadataSnapshotMock: vi.fn(),
+    loadBundledPluginPublicArtifactModuleSyncMock: vi.fn(() => {
+      throw new Error(
+        "Unable to resolve bundled plugin public surface discord/secret-contract-api.js",
+      );
+    }),
+  }));
+
+vi.mock("../plugins/plugin-metadata-snapshot.js", () => ({
+  loadPluginMetadataSnapshot: loadPluginMetadataSnapshotMock,
+}));
+
+vi.mock("../plugins/public-surface-loader.js", () => ({
+  loadBundledPluginPublicArtifactModuleSync: loadBundledPluginPublicArtifactModuleSyncMock,
+}));
+
+import { loadChannelSecretContractApi } from "./channel-contract-api.js";
+
+function writeExternalChannelPlugin(params: { pluginId: string; channelId: string }) {
+  const rootDir = makeTrackedTempDir("openclaw-channel-secret-contract", tempDirs);
+  fs.writeFileSync(
+    path.join(rootDir, "secret-contract-api.cjs"),
+    `
+module.exports = {
+  secretTargetRegistryEntries: [
+    {
+      id: "channels.${params.channelId}.token",
+      targetType: "channels.${params.channelId}.token",
+      configFile: "openclaw.json",
+      pathPattern: "channels.${params.channelId}.token",
+      secretShape: "secret_input",
+      expectedResolvedValue: "string",
+      includeInPlan: true,
+      includeInConfigure: true,
+      includeInAudit: true
+    }
+  ],
+  collectRuntimeConfigAssignments(params) {
+    params.context.assignments.push({
+      path: "channels.${params.channelId}.token",
+      ref: { source: "env", provider: "default", id: "DISCORD_BOT_TOKEN" },
+      expected: "string",
+      apply() {}
+    });
+  }
+};
+`,
+    "utf8",
+  );
+  return {
+    id: params.pluginId,
+    origin: "global",
+    channels: [params.channelId],
+    channelConfigs: {},
+    rootDir,
+  };
+}
+
+describe("external channel secret contract api", () => {
+  beforeEach(() => {
+    loadPluginMetadataSnapshotMock.mockReset();
+    loadBundledPluginPublicArtifactModuleSyncMock.mockClear();
+  });
+
+  afterEach(() => {
+    cleanupTrackedTempDirs(tempDirs);
+  });
+
+  it("loads root secret-contract-api sidecars for external channel plugins", () => {
+    const record = writeExternalChannelPlugin({ pluginId: "discord", channelId: "discord" });
+    loadPluginMetadataSnapshotMock.mockReturnValue({
+      plugins: [record],
+    });
+
+    const api = loadChannelSecretContractApi({
+      channelId: "discord",
+      config: { channels: { discord: {} } },
+      env: {},
+      loadablePluginOrigins: new Map([["discord", "global"]]),
+    });
+
+    expect(api?.secretTargetRegistryEntries).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          id: "channels.discord.token",
+        }),
+      ]),
+    );
+    expect(api?.collectRuntimeConfigAssignments).toBeTypeOf("function");
+  });
+
+  it("skips external channel records outside the loadable plugin origin set", () => {
+    const record = writeExternalChannelPlugin({ pluginId: "discord", channelId: "discord" });
+    loadPluginMetadataSnapshotMock.mockReturnValue({
+      plugins: [record],
+    });
+
+    const api = loadChannelSecretContractApi({
+      channelId: "discord",
+      config: { channels: { discord: {} } },
+      env: {},
+      loadablePluginOrigins: new Map([["other", "global"]]),
+    });
+
+    expect(api).toBeUndefined();
+  });
+});
Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,11 @@ export function resolveTelegramAccount(params: {`
`177`	`177`	`}`
`178`	`178`
`179`	`179`	`export function listEnabledTelegramAccounts(cfg: OpenClawConfig): ResolvedTelegramAccount[] {`
	`180`	`+ const baseEnabled = cfg.channels?.telegram?.enabled !== false;`
	`181`	`+ if (!baseEnabled) {`
	`182`	`+ return [];`
	`183`	`+ }`
`180`	`184`	`return listTelegramAccountIds(cfg)`
`181`		`- .map((accountId) => resolveTelegramAccount({ cfg, accountId }))`
`182`		`- .filter((account) => account.enabled);`
	`185`	`+ .filter((accountId) => mergeTelegramAccountConfig(cfg, accountId).enabled !== false)`
	`186`	`+ .map((accountId) => resolveTelegramAccount({ cfg, accountId }));`
`183`	`187`	`}`