CLI: resolve exec SecretRefs before security audit in status command #33695

Closed
abel-zer0 wants to merge 1 commit into openclaw:main from abel-zer0:fix/status-exec-secretrefs-crash

@abel-zer0

Summary

  • openclaw status crashes with unresolved SecretRef error when channel credentials use exec SecretRefs (e.g. Slack tokens via 1Password)
  • Root cause: statusCommand() passes raw loadConfig() directly to runSecurityAudit(), which walks into resolveSlackBotToken() → assertSecretInputResolved() and throws
  • Fix: call resolveCommandSecretRefsViaGateway() before the audit, matching the existing pattern in status-all.ts and message.ts

Test plan

  • pnpm build passes (type-check)
  • openclaw status no longer crashes with exec SecretRefs configured
  • openclaw status --json works correctly

🤖 Generated with Claude Code
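
The failure and the fix described in the summary above, as an added TypeScript sketch that is not part of this pull request or of openclaw's code. The config shape, the `SecretRef` fields and every function name here are hypothetical, and `fakeProvider` stands in for an exec provider such as a password-manager CLI.

```typescript
// Hypothetical shapes for illustration; not openclaw's real types.
type SecretRef = { source: "exec"; id: string };
type SecretInput = string | SecretRef;
type Channel = { name: string; botToken?: SecretInput };
type Config = { channels: Channel[] };
type Finding = { channel: string; severity: "info" | "warn"; message: string };

const isRef = (v: SecretInput | undefined): v is SecretRef =>
  typeof v === "object" && v !== null;

// Audit helper that demands a resolved value, mirroring the reported failure.
function assertResolved(v: SecretInput | undefined, path: string): string | undefined {
  if (isRef(v)) throw new Error(`unresolved SecretRef at ${path}`);
  return v;
}

// Findings report only whether a token exists, never the token itself.
function runAudit(cfg: Config): Finding[] {
  return cfg.channels.map((ch): Finding => {
    const token = assertResolved(ch.botToken, `channels.${ch.name}.botToken`);
    return token
      ? { channel: ch.name, severity: "info", message: "token configured" }
      : { channel: ch.name, severity: "warn", message: "no token configured" };
  });
}

// Returns a resolved copy; the loaded config object is left untouched.
function resolveRefs(cfg: Config, provider: (ref: SecretRef) => string): Config {
  return {
    channels: cfg.channels.map((ch): Channel =>
      isRef(ch.botToken) ? { ...ch, botToken: provider(ch.botToken) } : ch),
  };
}

// "Before": the raw config goes straight to the audit and throws on the exec ref.
function statusBefore(cfg: Config): Finding[] {
  return runAudit(cfg);
}

// "After": resolve first, then audit the resolved copy.
function statusAfter(cfg: Config, provider: (ref: SecretRef) => string): Finding[] {
  return runAudit(resolveRefs(cfg, provider));
}

// Constructed sample input and a stand-in provider (no process is spawned).
const sampleConfig: Config = {
  channels: [{ name: "slack", botToken: { source: "exec", id: "slack-bot-token" } }, { name: "other" }],
};
const fakeProvider = (ref: SecretRef): string => `resolved:${ref.id}`;
```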

@openclaw-barnacle openclaw-barnacle bot added commands Command implementations size: XS labels Mar 4, 2026
@greptile-apps
Contributor

greptile-apps bot commented Mar 4, 2026

Greptile Summary

This PR fixes a crash in openclaw status when channel credentials use exec-based SecretRefs (e.g. Slack tokens sourced from 1Password). The root cause was that runSecurityAudit() was being called with the raw, unresolved config from loadConfig(), causing downstream code to throw on unresolved SecretRefs.

Key changes:

  • Introduces a loadConfig() + resolveCommandSecretRefsViaGateway() call at the top of statusCommand(), before the audit runs, matching the exact pattern established in status-all.ts and message.ts
  • Both the --json and non-json audit invocations now receive the resolved config (resolvedCfg)
  • The fix is minimal (6 lines) and follows a proven pattern already in production across multiple commands

Confidence Score: 5/5

  • This PR is safe to merge — it's a minimal, targeted fix that follows an identical pattern already proven in status-all.ts and other commands.
  • The change is small (6 lines of functional code), mechanically equivalent to the status-all.ts implementation, and only affects the statusCommand function at a single entry point before two well-scoped runSecurityAudit calls. No new logic or error paths are introduced; the gateway fallback to local resolution is already handled by resolveCommandSecretRefsViaGateway. Both JSON and non-JSON audit invocations are correctly updated.
  • No files require special attention

Last reviewed commit: 3af76fd

@joshavant
Contributor

Thanks for the report and the work here. This was addressed as part of a broader fix in #37023, which consolidated the related read-only SecretRef/status handling work into one implementation.

I’m closing this out as superseded by #37023 so the follow-up history stays in one place.
