
[Bug]: models status --probe reports "missing or expired" for exec-based SecretRef auth profiles #30311

@rmarr


Summary

openclaw models status --probe reports auth profile credentials as "missing or expired" when profiles use keyRef/tokenRef with source: "exec" SecretRefs. The credentials resolve and authenticate correctly at runtime — the probe display is wrong.

Steps to reproduce

1. Set up an exec-based SecretRef provider

{
  "secrets": {
    "providers": {
      "keychain": {
        "source": "exec",
        "command": "/path/to/keychain-resolver.sh",
        "jsonOnly": true,
        "passEnv": ["PATH"]
      }
    }
  }
}

2. Configure auth-profiles.json with exec-based refs

{
  "profiles": {
    "anthropic:default": {
      "type": "api_key",
      "provider": "anthropic",
      "keyRef": {
        "source": "exec",
        "provider": "keychain",
        "id": "openclaw-anthropic-default"
      }
    },
    "anthropic:claude-oauth-token": {
      "type": "token",
      "provider": "anthropic",
      "tokenRef": {
        "source": "exec",
        "provider": "keychain",
        "id": "openclaw-anthropic-oauth"
      }
    }
  }
}

3. Verify secrets resolve correctly

openclaw secrets reload
# Output: Secrets reloaded.

openclaw secrets audit --check
# Output: Secrets audit: clean. plaintext=0, unresolved=0, shadowed=0, legacy=0.

4. Run probe

openclaw models status --probe --probe-provider anthropic

Expected behavior

Probe should show credentials as available/ok, since:

  • secrets reload succeeds
  • secrets audit is clean
  • Gateway started successfully (fail-fast would block on unresolved refs)
  • The model is actively in use and authenticating

Actual behavior

┌────────────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────────────┐
│ Model                  │ Profile                         │ Status                                                   │
├────────────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ anthropic/claude-      │ anthropic:claude-oauth-token    │ unknown · -                                              │
│ sonnet-4-6             │ (token)                         │ ↳ Auth profile credentials are missing or expired.       │
│ anthropic/claude-      │ anthropic:default (api_key)     │ unknown · -                                              │
│ sonnet-4-6             │                                 │ ↳ Auth profile credentials are missing or expired.       │
└────────────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────────────┘

This also affects other providers with exec-based keyRef. For example, moonshot reports:

│ moonshot/kimi-k2.5     │ moonshot:default (api_key)      │ unknown · 16ms                                          │
│                        │                                 │ ↳ Auth profile "moonshot:default" is not configured      │
│                        │                                 │   for moonshot.                                          │

OpenClaw version

2026.2.26

Operating system

macOS (arm64)

Install method

No response

Logs, screenshots, and evidence

Impact and severity

Cosmetic/operational — no runtime impact. Credentials work correctly for actual API calls.

  • Makes it difficult for operators to verify auth health after migrating to SecretRefs
  • Could cause confusion during secrets migration when operators expect probe to confirm credentials are working

Additional information

Context

This bug was introduced by the external secrets management feature landed in PR #26155 (feat(security): add external secrets management), merged 3 days ago. That PR introduced provider-based SecretRefs (env, file, exec) for static credentials, including auth-profiles.api_key.key and auth-profiles.token.token as initial targets.

PR #29580 (feat(secrets): expand SecretRef coverage across user-supplied credentials) is currently in progress, expanding coverage from the initial 6 credential targets to 64. Neither PR appears to update the models status --probe command to resolve credentials through the SecretRef runtime — the probe still checks for plaintext fields only.

This means any operator who migrates from plaintext to exec-based SecretRefs — the recommended upgrade path — will see false "missing or expired" warnings from the probe command.

Related Issues / PRs

Likely Cause

The probe command checks for plaintext key/token/access fields in auth-profiles.json directly, rather than resolving through the SecretRef → secrets runtime snapshot path. Profiles that only have keyRef/tokenRef (no plaintext) are reported as "missing."

The probe's credential check predates the SecretRef system (#26155) and was not updated when exec-based providers were introduced.

Workaround

Verify credentials manually:

  • openclaw secrets audit --check (confirms refs resolve)
  • openclaw secrets reload (confirms runtime snapshot is valid)
  • Direct API calls to the provider (confirms authentication works)
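The mismatch described under "Likely Cause", as an added example that is not part of the original issue and is not OpenClaw code: a plaintext-only check beside a ref-aware one, run over the two profiles from the reproduction steps plus two constructed ones. The `Snapshot` shape and all function names are hypothetical; only the field names (`key`, `token`, `access`, `keyRef`, `tokenRef`) come from the issue.

```typescript
// Added illustration, not OpenClaw source. Field names follow the issue text.
type SecretRef = { source: "env" | "file" | "exec"; provider: string; id: string };
type Profile = {
  type: "api_key" | "token";
  provider: string;
  key?: string; token?: string; access?: string; // plaintext fields
  keyRef?: SecretRef; tokenRef?: SecretRef;       // SecretRef fields
};
type Status = "ok" | "unresolved_ref" | "missing";
// Hypothetical stand-in for the secrets runtime snapshot: it records only
// whether "provider:id" resolved, so the check never handles secret values.
type Snapshot = Record<string, boolean>;

// The check described under "Likely Cause": plaintext fields only.
function plaintextOnlyCheck(p: Profile): Status {
  return p.key || p.token || p.access ? "ok" : "missing";
}

// Ref-aware check: plaintext first, then the ref matching the profile type.
function refAwareCheck(p: Profile, snap: Snapshot): Status {
  if (plaintextOnlyCheck(p) === "ok") return "ok";
  const ref = p.type === "api_key" ? p.keyRef : p.tokenRef;
  if (!ref) return "missing";
  return snap[ref.provider + ":" + ref.id] === true ? "ok" : "unresolved_ref";
}

// Run both checks over every profile so the disagreement is visible per profile.
function compare(profiles: Record<string, Profile>, snap: Snapshot) {
  const out: Record<string, { legacy: Status; refAware: Status }> = {};
  for (const name of Object.keys(profiles)) {
    const p = profiles[name];
    if (p) out[name] = { legacy: plaintextOnlyCheck(p), refAware: refAwareCheck(p, snap) };
  }
  return out;
}

// First two profiles are from the issue; the last two are constructed.
const execRef = (id: string): SecretRef => ({ source: "exec", provider: "keychain", id });
const sampleProfiles: Record<string, Profile> = {
  "anthropic:default": { type: "api_key", provider: "anthropic", keyRef: execRef("openclaw-anthropic-default") },
  "anthropic:claude-oauth-token": { type: "token", provider: "anthropic", tokenRef: execRef("openclaw-anthropic-oauth") },
  "example:typo-ref": { type: "api_key", provider: "example", keyRef: execRef("no-such-entry") },
  "example:empty": { type: "api_key", provider: "example" },
};
const sampleSnapshot: Snapshot = {
  "keychain:openclaw-anthropic-default": true,
  "keychain:openclaw-anthropic-oauth": true,
};
console.log(compare(sampleProfiles, sampleSnapshot));
```

Keeping "unresolved_ref" separate from "missing" lets a probe distinguish a profile with no credential at all from one whose ref failed to resolve.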


Labels: bug
