Gateway: fail closed unresolved local auth SecretRefs #42672
Greptile Summary
This PR adds regression test coverage and documentation alignment for the fail-closed unresolved local auth SecretRef behavior. When
Key changes:
The implementation fix was already applied in the base branch; this PR provides test coverage and doc alignment. One test isolation issue exists in
Confidence Score: 3/5
Last reviewed commit: 7275a0e
frankekn pushed a commit to MoerAI/openclaw that referenced this pull request Mar 11, 2026
* Gateway: fail closed unresolved local auth SecretRefs
* Docs: align node-host gateway auth precedence
* CI: resolve rebase breakages in checks lanes
* Tests: isolate LOCAL_REMOTE_FALLBACK_TOKEN env state
* Gateway: remove stale remote.enabled auth-surface semantics
* Changelog: note gateway SecretRef fail-closed fix
Interstellar-code pushed a commit to Interstellar-code/operator1 that referenced this pull request Mar 16, 2026
* Gateway: fail closed unresolved local auth SecretRefs
* Docs: align node-host gateway auth precedence
* CI: resolve rebase breakages in checks lanes
* Tests: isolate LOCAL_REMOTE_FALLBACK_TOKEN env state
* Gateway: remove stale remote.enabled auth-surface semantics
* Changelog: note gateway SecretRef fail-closed fix
(cherry picked from commit 0125ce1)
Summary
This PR fixes a fail-open credential precedence bug in local gateway mode and aligns related docs. Thanks to tdjackey for reporting.
Before this change, when `gateway.mode="local"` and local auth (`gateway.auth.token` / `gateway.auth.password`) was explicitly configured as a SecretRef but unresolved, resolver paths could silently fall back to `gateway.remote.*` credentials.
After this change, unresolved active local auth SecretRefs fail closed instead of being masked by remote fallback credentials.
Root cause
In local mode credential resolution, local and remote values were merged before unresolved-local SecretRef checks were enforced. That allowed a truthy remote fallback to satisfy the resolved credential and bypass the local SecretRef failure path.
What changed
Credential resolution
- `src/gateway/credentials.ts`
- `gateway.remote.*` from masking unresolved `gateway.auth.*` SecretRefs in local mode.
Regression tests
- `src/gateway/credentials.test.ts`
- `src/gateway/connection-auth.test.ts`
- `src/gateway/call.test.ts`
- `src/node-host/runner.credentials.test.ts`
- `gateway.remote.*` in local mode).
Docs alignment
- `docs/gateway/remote.md`
- `docs/gateway/configuration-reference.md`
- `docs/gateway/security/index.md`
- `docs/help/faq.md`
- `docs/cli/acp.md`
- `docs/channels/discord.md`
- `docs/cli/node.md`
- `docs/nodes/index.md`
- `docs/cli/index.md`
- `docs/gateway/secrets.md`
Validation
- `OPENCLAW_TEST_PROFILE=low OPENCLAW_TEST_SERIAL_GATEWAY=1 pnpm test src/gateway/credentials.test.ts src/gateway/connection-auth.test.ts src/gateway/call.test.ts src/node-host/runner.credentials.test.ts`
- `gateway.auth.token` SecretRef + configured `gateway.remote.token` now throws `GatewaySecretRefUnavailableError` for `gateway.auth.token`.
Notes
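The merge-before-check ordering described under "Root cause", shown beside a check-before-fallback ordering. This is an added sketch, not code from the PR or from OpenClaw: the `SecretRef` shape, the function names and the sample values are assumptions, while the config keys and the error name are taken from the description above.

```typescript
// Added illustration, not OpenClaw source. SecretRef shape and helper names are hypothetical.
type SecretRef = { secretRef: string }; // assumed shape of a configured but unresolved reference
type Credential = string | SecretRef | undefined;
interface GatewayConfig {
  mode: "local" | "remote";
  auth?: { token?: Credential };
  remote?: { token?: string };
}
class GatewaySecretRefUnavailableError extends Error {
  path: string;
  constructor(path: string) {
    super(`SecretRef at ${path} is configured but unresolved`);
    this.path = path;
  }
}
const isSecretRef = (v: Credential): v is SecretRef => typeof v === "object" && v !== null;
const plain = (v: Credential): string | undefined =>
  typeof v === "string" && v.length > 0 ? v : undefined;

// Fail-open ordering: values are merged first, so a truthy remote token
// satisfies the lookup and the unresolved-local check is never reached.
function resolveTokenFailOpen(cfg: GatewayConfig): string | undefined {
  const local = cfg.auth?.token;
  const merged = plain(local) ?? cfg.remote?.token;
  if (merged) return merged;
  if (isSecretRef(local)) throw new GatewaySecretRefUnavailableError("gateway.auth.token");
  return undefined;
}

// Fail-closed ordering: in local mode an explicitly configured, unresolved
// local SecretRef is rejected before any fallback is consulted.
function resolveTokenFailClosed(cfg: GatewayConfig): string | undefined {
  const local = cfg.auth?.token;
  if (cfg.mode === "local" && isSecretRef(local)) {
    throw new GatewaySecretRefUnavailableError("gateway.auth.token");
  }
  return plain(local) ?? cfg.remote?.token;
}

// Constructed sample: local token is an unresolved SecretRef, remote token is set.
const sample: GatewayConfig = {
  mode: "local",
  auth: { token: { secretRef: "env:GATEWAY_TOKEN" } },
  remote: { token: "remote-fallback-token" },
};
function outcome(resolve: (c: GatewayConfig) => string | undefined, cfg: GatewayConfig): string {
  try { return `token:${resolve(cfg)}`; }
  catch (e) { return e instanceof GatewaySecretRefUnavailableError ? `refused:${e.path}` : "error"; }
}
```

A regression test for this class of bug needs both credentials present at once: with only the local SecretRef configured, both orderings throw and the difference stays hidden.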