fix(status): resolve only selected probe-auth branch and fix plain status path

Address two Codex P1/P2 issues: 1. (P1) Plain 'openclaw status' and 'openclaw status --json' still went through the sync resolveGatewayProbeAuthSafe path in status.gateway-probe.ts, which cannot expand SecretRef objects. Switched to async resolveGatewayProbeAuthSafeWithSecretInputs. 2. (P2) status-all.ts was eagerly resolving both local and remote probe auth before deciding which to use. A stale SecretRef in the unused branch could abort the command. Collapsed to a single resolution call using the correct mode upfront. Updated status.scan.test.ts to use mockResolvedValue since resolveGatewayProbeAuthResolution is now async.
2026-03-24 08:21:39 +00:00 · 2026-03-23 06:00:25 +05:30
parent 3595ecba45
commit 52acc57a61
3 changed files with 21 additions and 26 deletions
--- a/src/commands/status-all.ts
+++ b/src/commands/status-all.ts
@@ -124,18 +124,11 @@ export async function statusAllCommand(
    const remoteUrlMissing = isRemoteMode && !remoteUrlRaw;
    const gatewayMode = isRemoteMode ? "remote" : "local";

-    const localProbeAuthResolution = await resolveGatewayProbeAuthSafeWithSecretInputs({
+    const probeAuthResolution = await resolveGatewayProbeAuthSafeWithSecretInputs({
      cfg,
-      mode: "local",
+      mode: isRemoteMode && !remoteUrlMissing ? "remote" : "local",
      env: process.env,
    });
-    const remoteProbeAuthResolution = await resolveGatewayProbeAuthSafeWithSecretInputs({
-      cfg,
-      mode: "remote",
-      env: process.env,
-    });
-    const probeAuthResolution =
-      isRemoteMode && !remoteUrlMissing ? remoteProbeAuthResolution : localProbeAuthResolution;
    const probeAuth = probeAuthResolution.auth;

    const gatewayProbe = await probeGateway({
@@ -196,8 +189,8 @@ export async function statusAllCommand(
    const callOverrides = remoteUrlMissing
      ? {
          url: connection.url,
-          token: localProbeAuthResolution.auth.token,
-          password: localProbeAuthResolution.auth.password,
+          token: probeAuthResolution.auth.token,
+          password: probeAuthResolution.auth.password,
        }
      : {};

--- a/src/commands/status.gateway-probe.ts
+++ b/src/commands/status.gateway-probe.ts
@@ -1,24 +1,26 @@
 import type { loadConfig } from "../config/config.js";
-import { resolveGatewayProbeAuthSafe } from "../gateway/probe-auth.js";
+import { resolveGatewayProbeAuthSafeWithSecretInputs } from "../gateway/probe-auth.js";
 export { pickGatewaySelfPresence } from "./gateway-presence.js";

-export function resolveGatewayProbeAuthResolution(cfg: ReturnType<typeof loadConfig>): {
+export async function resolveGatewayProbeAuthResolution(
+  cfg: ReturnType<typeof loadConfig>,
+): Promise<{
  auth: {
    token?: string;
    password?: string;
  };
  warning?: string;
-} {
-  return resolveGatewayProbeAuthSafe({
+}> {
+  return resolveGatewayProbeAuthSafeWithSecretInputs({
    cfg,
    mode: cfg.gateway?.mode === "remote" ? "remote" : "local",
    env: process.env,
  });
 }

-export function resolveGatewayProbeAuth(cfg: ReturnType<typeof loadConfig>): {
+export async function resolveGatewayProbeAuth(cfg: ReturnType<typeof loadConfig>): Promise<{
  token?: string;
  password?: string;
-} {
-  return resolveGatewayProbeAuthResolution(cfg).auth;
+}> {
+  return (await resolveGatewayProbeAuthResolution(cfg)).auth;
 }
--- a/src/commands/status.scan.test.ts
+++ b/src/commands/status.scan.test.ts
@@ -141,7 +141,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -202,7 +202,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -254,7 +254,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -301,7 +301,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -342,7 +342,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -410,7 +410,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -482,7 +482,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });
@@ -545,7 +545,7 @@ describe("scanStatus", () => {
      url: "ws://127.0.0.1:18789",
      urlSource: "default",
    });
-    mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+    mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
      auth: {},
      warning: undefined,
    });