Skip to content

Tool subsystem fails to resolve SecretRefs for Discord token (message tool) #51263

Open
Open
Tool subsystem fails to resolve SecretRefs for Discord token (message tool)#51263
@williamschatten

Description

@williamschatten
williamschatten
opened on Mar 20, 2026

Bug Description

The message tool fails to resolve SecretRefs when making proactive Discord API calls from non-Discord sessions (e.g., webchat, cron). The error is:

channels.discord.accounts.default.token: unresolved SecretRef "env:default:DISCORD_TOKEN_DEFAULT". Resolve this command against an active gateway runtime snapshot before reading it.

Environment

  • OpenClaw version: 2026.3.13 (61d171a)
  • OS: macOS (Darwin 25.3.0, arm64)
  • Node: v25.6.1
  • Secrets provider: env (source: ~/.openclaw/.env)

Steps to Reproduce

  1. Configure Discord tokens using SecretRefs with source: "env" in openclaw.json
  2. Ensure env vars exist in ~/.openclaw/.env (e.g., DISCORD_TOKEN_DEFAULT=...)
  3. Start the gateway — Discord bots connect successfully (fetch-bot-identity completes for all accounts)
  4. From a webchat or cron session, call the message tool with action: "channel-list" and channel: "discord"
  5. Observe the unresolved SecretRef error

Expected Behavior

The message tool should read from the gateway runtime snapshot (where secrets are already resolved), not the raw config file.

Actual Behavior

The tool subsystem reads the raw config containing the SecretRef object { source: "env", provider: "default", id: "DISCORD_TOKEN_DEFAULT" } instead of the resolved token value from the runtime snapshot.

Impact

  • Discord inbound works — gateway receives and processes Discord messages normally
  • Discord reply delivery works — the gateway channel layer uses the resolved snapshot
  • Proactive message tool calls from non-Discord sessions fail (channel-list, send, search, etc.)
  • openclaw doctor reports the same error (also does not resolve against runtime snapshot)
  • openclaw secrets audit reports 0 unresolved refs (audit sees the env var exists)
  • openclaw secrets reload completes successfully but does not fix the tool issue

Workaround Attempted

  • Gateway restart (SIGUSR1) — does not fix
  • openclaw secrets reload — does not fix
  • Both confirm the gateway itself resolves secrets fine (bots connect), but the tool path remains broken

Additional Context

All four Discord accounts (default, brick, pixel, quill) are affected. The config uses the standard SecretRef format:

{
  "token": {
    "source": "env",
    "provider": "default",
    "id": "DISCORD_TOKEN_DEFAULT"
  }
}

The secrets provider is configured as:

{
  "secrets": {
    "providers": {
      "default": { "source": "env" }
    }
  }
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions