🔒 Aisle Security Analysis

We found 2 potential security issue(s) in this PR:

1. 🔵 Fail-open token resolution when config contains unresolved SecretRef (falls back to env)

Description

Token normalization was changed to use normalizeSecretInputStringTolerant, which suppresses the previous hard failure on unresolved SecretRef values.

Previously, normalizeResolvedSecretInputString called assertSecretInputResolved and threw if a SecretRef was present but the value was not a resolved non-empty string ("unresolved"). See:

• Throw on unresolved refs: [src/config/types.secrets.ts:120-137]
• Enforced by strict normalizer: [src/config/types.secrets.ts:139-151]

Now normalizeDiscordToken uses the tolerant normalizer [src/discord/token.ts:12-18], which returns undefined for SecretRef inputs (instead of throwing). This allows resolveDiscordToken to silently fall through to reading process.env.DISCORD_BOT_TOKEN when channels.discord.token is an unresolved SecretRef:

• Config token attempt then env fallback: [src/discord/token.ts:54-68]

Security impact:

• A configuration that explicitly configured a SecretRef (expecting gateway/runtime secret resolution and fail-closed behavior if not resolved) will now authenticate using an environment variable if present.
• This can hide misconfiguration and may cause the service to run with unintended credentials (e.g., stale/host-level env token), undermining separation between secret-resolution mechanisms and direct env access.

Vulnerable flow:

• input: cfg.channels.discord.token can be a SecretRef object
• normalization: tolerant normalizer returns undefined
• fallback: resolveDiscordToken uses process.env.DISCORD_BOT_TOKEN instead of failing

Recommendation

Fail closed when a SecretRef is configured but unresolved in authentication/token paths.

Options:

1. Revert to strict normalization for tokens (preferred):

import { normalizeResolvedSecretInputString } from "../config/types.secrets.js";

export function normalizeDiscordToken(raw: unknown, path: string): string | undefined {
  const trimmed = normalizeResolvedSecretInputString({ value: raw, path });
  return trimmed?.replace(/^Bot\s+/i, "");
}

2. If fallback is desired only when no SecretRef is configured, make callers distinguish between “missing” and “unresolved ref”. For example, change tolerant API to return a tuple/object:

const { value, hasRef } = normalizeSecretInputStringTolerantWithRefInfo(...);
if (hasRef) throw new Error(`${path}: unresolved SecretRef`);

Also keep/use the path parameter so operators get actionable error messages when misconfigured.

2. 🔵 Slack tokens: unresolved SecretRef now silently ignored, enabling env-var credential fallback

Description

Slack token parsing was changed from strict normalizeResolvedSecretInputString(...path) (throws on unresolved SecretRef) to tolerant normalizeSecretInputStringTolerant (returns undefined). This can cause a fail-open credential source fallback:

• If channels.slack.accounts.<id>.botToken/appToken/userToken is configured as a SecretRef object but not resolved at runtime, resolveSlack*Token() now returns undefined instead of throwing.
• For the default Slack account, resolveSlackAccount() falls back to environment variables when the config-derived token is undefined (configBot ?? envBot). As a result, a misconfigured/unresolved secret reference can silently cause the system to authenticate using SLACK_BOT_TOKEN / SLACK_APP_TOKEN / SLACK_USER_TOKEN from the process environment, rather than the intended secret provider.
• This both reduces observability (no path-specific unresolved SecretRef error) and can enable credential injection via environment variables in deployments where environment variables are less trusted than the config/secret provider.

Vulnerable code (new behavior):

export function resolveSlackBotToken(raw?: unknown, _path?: string): string | undefined {
  return normalizeSecretInputStringTolerant({ value: raw });
}

Security impact example (data flow):

• input: merged.botToken set to a SecretRef object in config
• token resolution now returns undefined (no exception)
• sink: resolveSlackAccount() chooses botToken = configBot ?? envBot, so process.env.SLACK_BOT_TOKEN may be used instead of the configured secret ref

Recommendation

Avoid tolerant normalization for runtime authentication credentials, or explicitly detect unresolved SecretRefs and fail closed.

Option A (recommended): keep strict behavior for Slack tokens

import { normalizeResolvedSecretInputString } from "../config/types.secrets.js";

export function resolveSlackBotToken(raw?: unknown, path = "channels.slack.botToken") {
  return normalizeResolvedSecretInputString({ value: raw, path });
}

Option B: if env fallback is desired, only allow it when the config value is truly absent (not a SecretRef)

import { normalizeSecretInputString, resolveSecretInputRef } from "../config/types.secrets.js";

export function resolveSlackBotToken(raw?: unknown, path = "channels.slack.botToken") {
  const direct = normalizeSecretInputString(raw);
  if (direct) return direct;
  const { ref } = resolveSecretInputRef({ value: raw });
  if (ref) throw new Error(`${path}: unresolved SecretRef`);
  return undefined;
}

This prevents silently switching credential sources when a SecretRef is present but unresolved.

Analyzed PR: #34726 at commit e66c6d9

_{Last updated on: 2026-03-04T17:16:36Z}

Greptile Summary

This PR fixes a crash in openclaw status caused by unresolved SecretRef objects in Telegram, Discord, and Slack token configuration. It introduces normalizeSecretInputStringTolerant, a variant of normalizeResolvedSecretInputString that returns undefined instead of throwing when a SecretRef has not yet been resolved by the gateway. The three channel token files switch to the new tolerant function, and tests are updated accordingly.

The fix is minimal, well-scoped, and backward-compatible. The core logic change is correct: diagnostic/status code paths now degrade gracefully rather than crashing.

• Dead code in normalizeSecretInputStringTolerant (src/config/types.secrets.ts lines 168–176): the resolveSecretInputRef call and the if (ref) check both unconditionally return undefined, making that entire block a no-op. The function could be simplified to a single return normalizeSecretInputString(params.value). The current implementation is misleading for future maintainers.
• _path parameters are retained in normalizeDiscordToken and the Slack helpers for API compatibility — this is correct practice.
• No Slack token test file exists; the Slack token changes are covered only by the shared logic tests for normalizeSecretInputStringTolerant. This is acceptable given the simplicity of the Slack wrappers, but adding a src/slack/token.test.ts analogous to the Telegram/Discord tests would improve coverage parity.

Confidence Score: 4/5

• This PR is safe to merge; it only widens a narrow error path to return undefined instead of throwing, leaving all normal resolved-secret paths unchanged.
• The behavioural change is strictly additive (turns a throw into a graceful undefined), tests cover the new paths for Telegram and Discord, and the affected code is limited to diagnostic/status call sites. The only notable concern is dead code inside normalizeSecretInputStringTolerant which does not affect correctness.
• src/config/types.secrets.ts — contains dead code in the new normalizeSecretInputStringTolerant function that should be cleaned up.

_{Last reviewed commit: e66c6d9}

Thanks for the report and the work here. This was addressed as part of a broader fix in #37023, which consolidated the related read-only SecretRef/status handling work into one implementation.

I’m closing this out as superseded by #37023 so the follow-up history stays in one place.