fix(gateway-status): downgrade SecretRef warning when gateway probe succeeds#45549
Closed
reed1898 wants to merge 1 commit intoopenclaw:mainfrom
Closed
fix(gateway-status): downgrade SecretRef warning when gateway probe succeeds#45549reed1898 wants to merge 1 commit intoopenclaw:mainfrom
reed1898 wants to merge 1 commit intoopenclaw:mainfrom
Conversation
When the gateway probe succeeds, the CLI-side SecretRef resolution diagnostic is misleading — the secret is resolved at runtime but the CLI process cannot read it (e.g. env var only available to the gateway daemon). This commit: - Introduces auth_secretref_cli_only code for healthy-gateway cases - Displays these diagnostics as muted 'Note:' instead of 'Warning:' - Preserves auth_secretref_unresolved for genuinely broken gateways - Adds test coverage for both healthy and unhealthy probe scenarios
Contributor
Greptile SummaryThis PR addresses a false-positive Changes:
Points to consider:
Confidence Score: 4/5
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
235
to
+318
| @@ -304,13 +314,22 @@ export async function gatewayStatusCommand( | |||
| ); | |||
| runtime.log(colorize(rich, theme.muted, `Probe budget: ${overallTimeoutMs}ms`)); | |||
|
|
|||
| if (warnings.length > 0) { | |||
| const actualWarnings = warnings.filter((w) => w.code !== "auth_secretref_cli_only"); | |||
| const infoNotes = warnings.filter((w) => w.code === "auth_secretref_cli_only"); | |||
Contributor
There was a problem hiding this comment.
Magic string "auth_secretref_cli_only" repeated in three places
The string "auth_secretref_cli_only" is hardcoded at line 236 (push), line 317 (filter !==), and line 318 (filter ===). A one-character typo in any of the three will silently break the separation logic — notes would appear as warnings or vice-versa, with no compile-time or runtime error. Extracting it to a local or module-level constant eliminates the risk.
const AUTH_SECRETREF_CLI_ONLY = "auth_secretref_cli_only";
// line ~236
code: AUTH_SECRETREF_CLI_ONLY,
// lines ~317-318
const actualWarnings = warnings.filter((w) => w.code !== AUTH_SECRETREF_CLI_ONLY);
const infoNotes = warnings.filter((w) => w.code === AUTH_SECRETREF_CLI_ONLY);Prompt To Fix With AI
This is a comment left during a code review.
Path: src/commands/gateway-status.ts
Line: 235-318
Comment:
**Magic string `"auth_secretref_cli_only"` repeated in three places**
The string `"auth_secretref_cli_only"` is hardcoded at line 236 (push), line 317 (filter `!==`), and line 318 (filter `===`). A one-character typo in any of the three will silently break the separation logic — notes would appear as warnings or vice-versa, with no compile-time or runtime error. Extracting it to a local or module-level constant eliminates the risk.
```ts
const AUTH_SECRETREF_CLI_ONLY = "auth_secretref_cli_only";
// line ~236
code: AUTH_SECRETREF_CLI_ONLY,
// lines ~317-318
const actualWarnings = warnings.filter((w) => w.code !== AUTH_SECRETREF_CLI_ONLY);
const infoNotes = warnings.filter((w) => w.code === AUTH_SECRETREF_CLI_ONLY);
```
How can I resolve this? If you propose a fix, please make it concise.
20 tasks
Contributor
|
Thanks for the PR, @reed1898. Closing this as superseded by #47794. How it relates to your PR:
Appreciate your contribution and the direction you pushed here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When the gateway is running and healthy,
openclaw gateway statusstill shows aWarning:about unresolved SecretRef forgateway.auth.token. This is a false positive — the secret (e.g.,env:GATEWAY_TOKEN) is resolved at gateway runtime but is not readable from the CLI process context (the env var may only be set in the gateway's LaunchAgent/systemd environment).This confuses users into thinking their auth config is broken when everything is actually working fine.
Fix
probe.ok === true), SecretRef diagnostics are downgraded fromauth_secretref_unresolved(Warning) toauth_secretref_cli_only(Note)(gateway is healthy; secrets are resolved at runtime)for clarityauth_secretref_unresolvedwarning is preserved — this is a genuine problemTests
keeps auth_secretref_unresolved code when gateway probe fails— verifies warnings are preserved for unhealthy gatewaysAll 13 gateway-status tests pass locally.