Secrets: hard-fail unsupported SecretRef policy and fix gateway restart token drift

[joshavant]

Summary

• Problem: Gateway service restart drift checks produced false-positive token drift/unavailable warnings when gateway.auth.token used SecretRef, and unsupported runtime-mutable SecretRef surfaces were not consistently hard-failed early.
• Why it matters: operators saw noisy or misleading drift warnings, and invalid SecretRef policy combinations could survive until later runtime paths.
• What changed: implemented service-env-aware SecretRef drift resolution in restart checks, added explicit unsupported SecretRef policy validation for mutable config/auth surfaces, and enforced OAuth + SecretRef hard-fail in auth-profile runtime resolution paths.
• What did NOT change (scope boundary): this PR does not implement/install-path fixes for gateway install --force file/plist SecretRef handling.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: openclaw gateway restart cannot verify gateway.auth.token drift when token is configured via SecretRef env provider, even though the env var is available #55029
• Closes [Bug]: gateway restart false-positive token drift warning with SecretRef-backed gateway.auth.token #57211
• Related Bug: macOS gateway install --force resolves SecretRef values into plaintext LaunchAgent plist and triggers token mismatch loop #53742
• Related gateway install --force fails with file SecretRef on gateway.auth.token #57261
• Related fix(gateway): resolve env-backed SecretRef in restart drift-check (#55029) #55448
• Related fix(gateway): suppress false-positive token drift warning for SecretRef-backed auth tokens #57411
• This PR fixes a bug or regression

C2 Cluster Coverage Matrix

Fully addressed:

• [Bug]: openclaw gateway restart cannot verify gateway.auth.token drift when token is configured via SecretRef env provider, even though the env var is available #55029 (restart drift-check cannot verify env-backed SecretRef token)
  • Addressed by service-env-aware token SecretRef resolution in restart drift check.
• [Bug]: gateway restart false-positive token drift warning with SecretRef-backed gateway.auth.token #57211 (restart false-positive token drift warning for SecretRef token)
  • Addressed by active-mode-aware token resolution and warning suppression when resolved values match.
• fix(gateway): resolve env-backed SecretRef in restart drift-check (#55029) #55448 (open PR in same area)
  • Addressed/superseded by this PR’s restart drift-check fix path and tests.
• fix(gateway): suppress false-positive token drift warning for SecretRef-backed auth tokens #57411 (open PR in same area)
  • Addressed/superseded by this PR’s restart false-positive warning fix path and tests.

Partially addressed:

• Bug: macOS gateway install --force resolves SecretRef values into plaintext LaunchAgent plist and triggers token mismatch loop #53742
  • Addressed: restart/doctor drift-loop symptom caused by SecretRef drift-check resolution behavior.
  • Not addressed: gateway install --force plaintext projection concern in LaunchAgent plist handling.
• gateway install --force fails with file SecretRef on gateway.auth.token #57261
  • Addressed: drift-check SecretRef resolution behavior during restart evaluation.
  • Not addressed: install-path failure behavior for file-backed gateway.auth.token SecretRef.

Additional post-review blocker fix:

• Parent-path bypass in config set policy hard-fail (setting parent objects like hooks/channels.discord with nested unsupported SecretRef values).
  • Addressed by commit 6316fd3584: removed requested-path gating and now runs unsupported SecretRef policy validation unconditionally on post-mutation config before write.
  • Regression coverage: src/cli/config-cli.test.ts
    • fails early when parent-object writes include unsupported SecretRef objects
    • does not duplicate policy errors in --dry-run --json mode for parent-object writes

Root Cause / Regression History (if applicable)

• Root cause: drift-check token resolution used config-only/empty-env paths that did not mirror actual service runtime env inputs for SecretRef-backed tokens.
• Missing detection / guardrail: no restart-focused tests covered merged service command env + SecretRef token resolution and no early policy gate for unsupported mutable SecretRef paths.
• Prior context (git blame, prior PR, issue, or refactor if known): open bug threads [Bug]: openclaw gateway restart cannot verify gateway.auth.token drift when token is configured via SecretRef env provider, even though the env var is available #55029/[Bug]: gateway restart false-positive token drift warning with SecretRef-backed gateway.auth.token #57211 and open PRs fix(gateway): resolve env-backed SecretRef in restart drift-check (#55029) #55448/fix(gateway): suppress false-positive token drift warning for SecretRef-backed auth tokens #57411 identified the restart drift check path.
• Why this regressed now: SecretRef support expansion outpaced drift-check parity and policy hard-fail coverage for runtime-mutable surfaces.
• If unknown, what was ruled out: N/A.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
  • src/cli/daemon-cli/gateway-token-drift.test.ts
  • src/cli/daemon-cli/lifecycle-core.test.ts
  • src/config/validation.policy.test.ts
  • src/secrets/runtime-auth-profiles-oauth-policy.test.ts
  • src/secrets/runtime.integration.test.ts
• Scenario the test should lock in: restart drift check resolves SecretRef token using service env and avoids false drift warnings; unsupported mutable SecretRef policy fails early; OAuth + SecretRef profile combinations hard-fail in startup/reload/auth resolution.
• Why this is the smallest reliable guardrail: these tests hit the exact drift and policy seams without unrelated end-to-end harness overhead.
• Existing test that already covers this (if any): updated lifecycle/drift tests now cover merged-env restart behavior.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

• openclaw gateway restart drift checks now resolve gateway.auth.token SecretRefs with merged service+process env inputs and reduce false-positive drift warnings.
• Drift checks skip config token resolution when gateway.auth.mode disables token auth (password, none, trusted-proxy).
• Unsupported runtime-mutable SecretRef assignments fail early with policy guidance in config validation/config-set paths.
• OAuth-mode auth-profile + SecretRef combinations now hard-fail in runtime/auth resolution paths.

Diagram (if applicable)

Before:
[gateway restart] -> [config token drift check with incomplete env] -> [SecretRef unavailable/false drift warning]

After:
[gateway restart] -> [drift check with merged service env + mode-aware token resolution] -> [accurate drift result]

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): Yes
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation:
  • Risk: stricter policy can reject previously accepted-but-invalid SecretRef configs.
  • Mitigation: deterministic error messages + docs updates clarify supported vs unsupported SecretRef surfaces.

Repro + Verification

Environment

• OS: macOS + Linux test fixtures
• Runtime/container: local Node/Bun test harness
• Model/provider: N/A
• Integration/channel (if any): gateway/daemon CLI and auth-profile runtime paths
• Relevant config (redacted): gateway.auth.token SecretRef via env/file provider, auth profile mode combinations

Steps

1. Configure gateway.auth.token as SecretRef and set service env token source.
2. Run restart/drift-check paths.
3. Attempt unsupported mutable SecretRef assignments and OAuth+SecretRef mode combinations.

Expected

• Accurate/noisy-free drift behavior in restart path for resolvable SecretRef token.
• Early hard-fail for unsupported policy combinations.

Actual

• Matches expected in scoped tests.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Scoped verification command (pass):

• pnpm test -- src/config/validation.policy.test.ts src/cli/config-cli.test.ts src/cli/daemon-cli/gateway-token-drift.test.ts src/cli/daemon-cli/lifecycle-core.test.ts src/agents/auth-profiles/oauth.test.ts src/secrets/runtime-auth-profiles-oauth-policy.test.ts src/secrets/runtime.integration.test.ts src/commands/doctor-gateway-services.test.ts src/secrets/target-registry.test.ts

Human Verification (required)

• Verified scenarios: restart drift-check SecretRef resolution, lifecycle drift warning behavior, unsupported mutable SecretRef validation, OAuth+SecretRef hard-fail behavior, docs/matrix sync.
• Edge cases checked: token mode disabled (password), unresolved active refs, reload keeps last-known-good snapshot.
• What you did not verify: full unrelated repo-wide suite (known unrelated skills/test lane failures remain out of this branch scope).

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes (for valid supported configs)
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: stricter policy gating may break previously tolerated but philosophically invalid config shapes.
  • Mitigation: explicit policy errors point to canonical SecretRef surface docs; behavior is intentional hard-fail for unsupported mutable/OAuth combinations.
• Risk: restart drift behavior change could alter warning visibility for edge deployments.
  • Mitigation: added targeted tests for merged env and mode-gated token resolution.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9baed0c580

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR fixes two related issues: (1) false-positive token drift warnings during gateway restart when gateway.auth.token uses SecretRef (the drift check was not using the merged service command environment), and (2) unsupported runtime-mutable SecretRef configurations were not consistently rejected early. It also adds OAuth + SecretRef hard-fail enforcement across startup, reload, and auth-profile resolution paths.

Key changes:

• resolveGatewayTokenForDriftCheck converted to async and now resolves SecretRef tokens using merged {...process.env, ...command.environment} env (service env takes precedence) and skips resolution when auth mode disables token auth (password, none, trusted-proxy)
• New src/agents/auth-profiles/policy.ts with assertNoOAuthSecretRefPolicyViolations enforces that OAuth-mode profiles cannot combine with SecretRef inputs, wired into both resolveApiKeyForProfile and collectAuthStoreAssignments
• validateConfigObjectRaw now runs collectUnsupportedMutableSecretRefIssues as a pre-pass, surfacing policy-aware errors for hardcoded mutable surfaces (hooks.token, commands.ownerDisplaySecret, Discord webhookToken, WhatsApp creds, etc.) and suppressing the derived Zod schema noise for those same paths
• Documentation, credential matrix, and secretref-credential-surface reference updated to use canonical channels.* namespaced paths

Two minor observations: (1) policyIssues are silently discarded when legacyIssues.length > 0 in validateConfigObjectRaw, meaning simultaneous legacy migration + policy violations only surface legacy issues until the migration is resolved. (2) isObjectSecretRefCandidate calls coerceSecretRef without secrets.defaults, creating a minor inconsistency with the policy.ts variant — partial SecretRef objects relying on global defaults would not be flagged by the mutable-surface check (though they would still fail schema validation).

Confidence Score: 5/5

Safe to merge — all remaining findings are P2 style/UX observations that do not affect runtime correctness.

Both identified issues are P2: (1) policy issues being silently dropped when legacy issues exist is an ergonomic concern only — no data loss, no silent auth bypass, the policy is still enforced via validateConfigObjectRaw at load time; and (2) the coerceSecretRef defaults inconsistency is masked by schema validation in every realistic case. The core fixes — async drift check with merged env, OAuth+SecretRef hard-fail, and mutable-surface policy guard — are correctly implemented, well-tested, and handle the targeted error paths cleanly.

src/config/validation.ts — two minor observations around policyIssues being dropped in the legacyIssues early-return path and the coerceSecretRef defaults inconsistency; neither blocks merge.

Comments Outside Diff (2)

1. src/config/validation.ts, line 1157-1162 (link)

   Policy issues silently dropped when legacy issues exist

   policyIssues is computed at the top of validateConfigObjectRaw but then silently discarded when legacyIssues.length > 0 (the early-return only returns legacyIssues). If a config has both a legacy migration issue and a SecretRef policy violation simultaneously, the user sees only the legacy issues, fixes the migration, re-runs, and only then discovers the policy violation.

   Consider merging the two issue sets (similar to how mergeUnsupportedMutableSecretRefIssues is used for schema issues):

   if (legacyIssues.length > 0) {
     const allLegacyIssues = legacyIssues.map((iss) => ({ path: iss.path, message: iss.message }));
     return {
       ok: false,
       issues: [...allLegacyIssues, ...policyIssues],
     };
   }

   Or at minimum, add a comment documenting the intentional priority ordering so future maintainers know policy issues are deferred when legacy issues are present.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/config/validation.ts
   Line: 1157-1162
   
   Comment:
   **Policy issues silently dropped when legacy issues exist**
   
   `policyIssues` is computed at the top of `validateConfigObjectRaw` but then silently discarded when `legacyIssues.length > 0` (the early-return only returns `legacyIssues`). If a config has both a legacy migration issue and a SecretRef policy violation simultaneously, the user sees only the legacy issues, fixes the migration, re-runs, and only then discovers the policy violation.
   
   Consider merging the two issue sets (similar to how `mergeUnsupportedMutableSecretRefIssues` is used for schema issues):
   
   ```ts
   if (legacyIssues.length > 0) {
     const allLegacyIssues = legacyIssues.map((iss) => ({ path: iss.path, message: iss.message }));
     return {
       ok: false,
       issues: [...allLegacyIssues, ...policyIssues],
     };
   }
   ```
   
   Or at minimum, add a comment documenting the intentional priority ordering so future maintainers know policy issues are deferred when legacy issues are present.
   
   How can I resolve this? If you propose a fix, please make it concise.

2. src/config/validation.ts, line 972-977 (link)

   coerceSecretRef called without defaults — inconsistent with policy.ts

   isObjectSecretRefCandidate calls coerceSecretRef(value) without the secrets.defaults context, while the analogous check in policy.ts (collectTypeOAuthSecretRefViolations) calls coerceSecretRef(record[field], params.defaults). A partial SecretRef object that omits source or provider but relies on secrets.defaults to fill them in will return null here (not identified as a SecretRef), so no policy issue is raised for that mutable surface.

   In practice this is masked by schema validation (an incomplete SecretRef object would also fail schema validation), but the inconsistency between the two call sites is worth noting. Consider passing defaults here if the raw config is available, or at least adding a comment explaining why defaults is intentionally omitted in this context.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/config/validation.ts
   Line: 972-977
   
   Comment:
   **`coerceSecretRef` called without `defaults` — inconsistent with `policy.ts`**
   
   `isObjectSecretRefCandidate` calls `coerceSecretRef(value)` without the `secrets.defaults` context, while the analogous check in `policy.ts` (`collectTypeOAuthSecretRefViolations`) calls `coerceSecretRef(record[field], params.defaults)`. A partial SecretRef object that omits `source` or `provider` but relies on `secrets.defaults` to fill them in will return `null` here (not identified as a SecretRef), so no policy issue is raised for that mutable surface.
   
   In practice this is masked by schema validation (an incomplete SecretRef object would also fail schema validation), but the inconsistency between the two call sites is worth noting. Consider passing `defaults` here if the raw config is available, or at least adding a comment explaining why `defaults` is intentionally omitted in this context.
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/config/validation.ts
Line: 1157-1162

Comment:
**Policy issues silently dropped when legacy issues exist**

`policyIssues` is computed at the top of `validateConfigObjectRaw` but then silently discarded when `legacyIssues.length > 0` (the early-return only returns `legacyIssues`). If a config has both a legacy migration issue and a SecretRef policy violation simultaneously, the user sees only the legacy issues, fixes the migration, re-runs, and only then discovers the policy violation.

Consider merging the two issue sets (similar to how `mergeUnsupportedMutableSecretRefIssues` is used for schema issues):

```ts
if (legacyIssues.length > 0) {
  const allLegacyIssues = legacyIssues.map((iss) => ({ path: iss.path, message: iss.message }));
  return {
    ok: false,
    issues: [...allLegacyIssues, ...policyIssues],
  };
}
```

Or at minimum, add a comment documenting the intentional priority ordering so future maintainers know policy issues are deferred when legacy issues are present.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/config/validation.ts
Line: 972-977

Comment:
**`coerceSecretRef` called without `defaults` — inconsistent with `policy.ts`**

`isObjectSecretRefCandidate` calls `coerceSecretRef(value)` without the `secrets.defaults` context, while the analogous check in `policy.ts` (`collectTypeOAuthSecretRefViolations`) calls `coerceSecretRef(record[field], params.defaults)`. A partial SecretRef object that omits `source` or `provider` but relies on `secrets.defaults` to fill them in will return `null` here (not identified as a SecretRef), so no policy issue is raised for that mutable surface.

In practice this is masked by schema validation (an incomplete SecretRef object would also fail schema validation), but the inconsistency between the two call sites is worth noting. Consider passing `defaults` here if the raw config is available, or at least adding a comment explaining why `defaults` is intentionally omitted in this context.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "Docs: sync C2 SecretRef policy and cover..." | Re-trigger Greptile}

[joshavant]

Addressed the review feedback in 6316fd3584.

What changed:

1. Blocker fix: parent-path policy bypass

• config set now runs collectUnsupportedSecretRefPolicyIssues(nextConfig) unconditionally before write, instead of gating policy checks by exact leaf request path.
• This closes bypasses where users set parent objects like hooks / channels.discord containing unsupported SecretRef children.

2. Important fix: dry-run JSON duplicate policy errors

• In --dry-run --json mode, manual policy injection now only runs for non-JSON input mode.
• Added explicit dry-run error dedupe by {kind,message} before returning/formatting.

3. Regression tests added

• fails early when parent-object writes include unsupported SecretRef objects
• does not duplicate policy errors in --dry-run --json mode for parent-object writes

Files:

• src/cli/config-cli.ts
• src/cli/config-cli.test.ts

Validation run (pass):

• pnpm test -- src/config/validation.policy.test.ts src/cli/config-cli.test.ts src/cli/daemon-cli/gateway-token-drift.test.ts src/cli/daemon-cli/lifecycle-core.test.ts src/agents/auth-profiles/oauth.test.ts src/secrets/runtime-auth-profiles-oauth-policy.test.ts src/secrets/runtime.integration.test.ts src/commands/doctor-gateway-services.test.ts src/secrets/target-registry.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6316fd3584

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e6077393d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f996f68c58

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".