[Bug]: openclaw doctor crashes on exec SecretRef channel credentials (exit 1) #45416

@SerAgentCape

Summary

openclaw doctor (and doctor --non-interactive) exits with code 1 and a fatal error when any channel credential (e.g. channels.telegram.botToken) is configured as an exec-based SecretRef. The gateway resolves these credentials correctly at runtime — openclaw status reports the channel as ON/OK — but the doctor CLI reads config directly without resolving exec SecretRefs against the running gateway, causing a hard failure.

This makes doctor entirely unusable for deployments that follow the recommended security practice of storing channel credentials in external secret managers (sops, 1Password, pass, etc.).

Steps to reproduce

  1. Configure a channel credential as an exec SecretRef:
    channels: {
      telegram: {
        botToken: {
          source: "exec",
          command: "sops",
          args: ["decrypt", "--extract", "[\"telegram_token\"]", "~/.openclaw/secrets.enc.json"]
        }
      }
    }
  2. Confirm the gateway starts and resolves the token correctly:
    openclaw status
    # → Telegram: ON / OK (token resolved)
  3. Run doctor:
    openclaw doctor --non-interactive

Expected behavior

Doctor should either:

  • Resolve exec SecretRefs by querying the running gateway's runtime config snapshot (via secrets.resolve, already used by openclaw memory status and openclaw models status), or
  • Degrade gracefully on unresolvable exec SecretRefs — log a non-blocking warning and continue remaining checks, exiting 0 if no structural issues are found

Actual behavior

Doctor hard-exits with code 1:

Error: channels.telegram.botToken: unresolved SecretRef "exec:<provider>:value".
Resolve this command against an active gateway runtime snapshot before reading it.

The error message itself names the intended fix ("resolve against an active gateway runtime snapshot") but doctor does not implement it.

Environment

  • OpenClaw version: 2026.3.12 (6472949) — also present in 2026.3.11
  • OS: Linux 6.18.7 (x64)
  • Install method: sudo npm install -g openclaw@latest (system prefix)

Severity / impact

Medium. openclaw doctor is the primary health-check and self-repair tool, but it is completely broken for any deployment that uses exec SecretRefs for channel credentials. This is the recommended way to store bot tokens securely (per the secrets docs), so this failure mode affects exactly the users following best practices.

Practical impact:

  • Cannot use doctor for post-update health checks
  • Cannot use doctor --fix for automated repairs (e.g. cron delivery normalization migrations)
  • Workaround: use openclaw status for channel health; manually verify remaining doctor checks

Additional context

Related issues:

The pattern is consistent: the gateway runtime resolves exec SecretRefs correctly, but CLI tooling that reads config directly hits unresolved refs. Each surface has been fixed ad-hoc (#36835, #37023, #30311). A systematic fix would have doctor call secrets.resolve against the gateway snapshot before reading credential fields — which is exactly what the error message already suggests.
