fix: finish gateway probe auth landing (#52513) (thanks @CodeForgeNet)

CHANGELOG.md

@@ -105,6 +105,7 @@ Docs: https://docs.openclaw.ai
 - Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) Thanks @scoootscooob.
 - Mattermost/threading: honor `replyToMode: "off"` for already-threaded inbound posts so threaded follow-ups can fall back to top-level replies when configured. (#52543) Thanks @RichardCao.
 - Telegram/replies: set `allow_sending_without_reply` on reply-targeted sends and media-error notices so deleted parent messages no longer drop otherwise valid replies. (#52524) Thanks @moltbot886.
+- Gateway/status: resolve env-backed `gateway.auth.*` SecretRefs before read-only probe auth checks so status no longer reports false probe failures when auth is configured through SecretRef. (#52513) Thanks @CodeForgeNet.
 - CLI/startup: lazy-load channel add and root help startup paths to trim avoidable RSS and help latency on constrained hosts. (#46784) Thanks @vincentkoc.
 - CLI/onboarding: import static provider definitions directly for onboarding model/config helpers so those paths no longer pull provider discovery just for built-in defaults. (#47467) Thanks @vincentkoc.
 - CLI/configure: clarify fresh-setup memory-search warnings so they say semantic recall needs at least one embedding provider, and scope the initial model allowlist picker to the provider selected in configure. Thanks @vincentkoc.

src/commands/status.scan.fast-json.test.ts

@@ -67,7 +67,7 @@ beforeEach(() => {
     url: "ws://127.0.0.1:18789",
     urlSource: "default",
   });
-  mocks.resolveGatewayProbeAuthResolution.mockReturnValue({
+  mocks.resolveGatewayProbeAuthResolution.mockResolvedValue({
     auth: {},
     warning: undefined,
   });

src/gateway/credential-precedence.parity.test.ts

@@ -69,7 +69,7 @@ function withGatewayAuthEnv<T>(env: NodeJS.ProcessEnv, fn: () => T): T {
   }
 }
 
-describe("gateway credential precedence parity", () => {
+describe("gateway credential precedence coverage", () => {
   const cases: TestCase[] = [
     {
       name: "local mode: env overrides config for call/probe/status, auth remains config-first",
@@ -89,7 +89,7 @@ describe("gateway credential precedence parity", () => {
       expected: {
         call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
         probe: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
-        status: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
+        status: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
         auth: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
       },
     },
@@ -103,7 +103,7 @@ describe("gateway credential precedence parity", () => {
       expected: {
         call: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
         probe: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
-        status: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
+        status: { token: "remote-token", password: "remote-password" }, // pragma: allowlist secret
         auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret
       },
     },
@@ -116,7 +116,7 @@ describe("gateway credential precedence parity", () => {
       expected: {
         call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
         probe: { token: undefined, password: "env-password" }, // pragma: allowlist secret
-        status: { token: undefined, password: "env-password" }, // pragma: allowlist secret
+        status: { token: undefined, password: "remote-password" }, // pragma: allowlist secret
         auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret
       },
     },
@@ -158,13 +158,13 @@ describe("gateway credential precedence parity", () => {
       expected: {
         call: { token: "config-token", password: "env-password" }, // pragma: allowlist secret
         probe: { token: "config-token", password: "env-password" }, // pragma: allowlist secret
-        status: { token: "config-token", password: "env-password" }, // pragma: allowlist secret
+        status: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
         auth: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
       },
     },
   ];
 
-  it.each(cases)("$name", ({ cfg, env, expected }) => {
+  it.each(cases)("$name", async ({ cfg, env, expected }) => {
     const mode = cfg.gateway?.mode === "remote" ? "remote" : "local";
     const call = resolveGatewayCredentialsFromConfig({
       cfg,
@@ -175,7 +175,7 @@ describe("gateway credential precedence parity", () => {
       mode,
       env,
     });
-    const status = withGatewayAuthEnv(env, () => resolveStatusGatewayProbeAuth(cfg));
+    const status = await withGatewayAuthEnv(env, () => resolveStatusGatewayProbeAuth(cfg));
     const auth = resolveGatewayAuth({
       authConfig: cfg.gateway?.auth,
       env,