fix(auto-reply): redact secrets in config show output

[jason-allen-oneal]

Summary

• Redact /config show chat output through the shared schema-aware config redaction path.
• Apply the same redacted snapshot to both full-config and path-specific /config show rendering.
• Add regression coverage for fake token/password/apiKey canaries and browser.cdpUrl URLs carrying token/apiKey query secrets.

Review update

Addressed ClawSweeper feedback by replacing the local key-name-only redactor with redactConfigSnapshot(snapshot, loadGatewayRuntimeConfigSchema().uiHints), matching the gateway config redaction contract.

Behavior addressed

/config show previously rendered plaintext secret values from config into chat-visible command output.

Before fix

A focused local regression test seeded config with fake canaries:

• OPENCLAW_CONFIG_SHOW_CANARY_TOKEN_65623
• OPENCLAW_CONFIG_SHOW_CANARY_PASSWORD_65623
• OPENCLAW_CONFIG_SHOW_CANARY_API_KEY_65623
• OPENCLAW_CONFIG_SHOW_CANARY_CDP_TOKEN_65623
• OPENCLAW_CONFIG_SHOW_CANARY_CDP_API_KEY_65623

The unpatched command-output path included raw canary values in rendered /config show responses.

After fix

The command redacts the parsed config snapshot with the shared schema-aware redaction contract before rendering chat-visible text. Full /config show and /config show <path> now both see the redacted snapshot.

Real behavior proof

• Behavior addressed: /config show should not return plaintext config secrets, including sensitive URL query credentials, in chat-visible command output.
• Real environment tested: Local OpenClaw checkout at HEAD b06ad3c59c1291153e49dc7b0e23667dcf7c6f15, Node v24.15.0, temp config file supplied through OPENCLAW_CONFIG_PATH and read by the real readConfigFileSnapshot() path.
• Exact steps or command run after fix: Seeded /tmp/openclaw-pr65623-live-*/openclaw.json with fake canary values under gateway.auth.token, gateway.auth.password, models.providers.openai.apiKey, and browser.cdpUrl query parameters, then ran OPENCLAW_CONFIG_PATH="$config" node --import tsx - to invoke the real /config show command handler with an owner text-command context.
• Evidence after fix: Terminal output from the local OpenClaw command-runtime smoke:

--- /config show ---
⚙️ Config (raw):
```json
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "__OPENCLAW_REDACTED__",
      "password": "__OPENCLAW_REDACTED__"
    },
    "bind": "loopback",
    "port": 3210
  },
  "models": {
    "providers": {
      "openai": {
        "apiKey": "__OPENCLAW_REDACTED__",
        "baseUrl": "https://api.example.test"
      }
    }
  },
  "browser": {
    "cdpUrl": "__OPENCLAW_REDACTED__"
  }
}
```
raw token present: false
raw password present: false
raw api key present: false
raw cdp token present: false
raw cdp api key present: false
--- /config show browser.cdpUrl ---
⚙️ Config browser.cdpUrl:
```json
"__OPENCLAW_REDACTED__"
```
raw cdp token present: false
raw cdp api key present: false

• Observed result after fix: Full /config show and /config show browser.cdpUrl both returned chat-formatted config text with the seeded secret values replaced by __OPENCLAW_REDACTED__; no raw canary strings appeared.
• What was not tested: No external WhatsApp/Slack/Discord delivery was sent; this proof exercises the real OpenClaw config-read and command-rendering path locally before transport delivery.

Validation

HEAD: b06ad3c59c1291153e49dc7b0e23667dcf7c6f15

• pnpm test src/auto-reply/reply/commands-gating.test.ts pass: 1 file, 18 tests
• pnpm test src/auto-reply/reply/commands-parse.test.ts src/auto-reply/reply/commands-slash-parse.test.ts src/auto-reply/command-control.test.ts pass: 3 files, 58 tests across 2 shards
• pnpm exec oxfmt --check --threads=1 src/auto-reply/reply/commands-config.ts src/auto-reply/reply/commands-gating.test.ts pass
• git diff --check pass

Proof log: /tmp/openclaw-pr65623-proof.log
Validation log: /tmp/openclaw-pr65623-validation.log

Reviewer note

This patch intentionally redacts only the user-visible /config show command output. It does not alter config storage, config loading, SecretRef resolution, or internal diagnostic state.

Fixes #65623

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 31, 2026, 4:29 AM ET / 08:29 UTC.

Summary
The PR routes chat-visible /config show and /config set output through shared schema-aware config redaction and adds regression coverage for secret canaries.

PR surface: Source +23, Tests +172. Total +195 across 2 files.

Reproducibility: yes. source-level reproduction is high confidence: current main reads raw snapshot.parsed and serializes it into /config show replies. I did not run a mutable local command because this review is read-only.

Review metrics: 1 noteworthy metric.

• Config reply surfaces: 3 redacted. The diff covers full /config show, path-specific /config show, and /config set acknowledgement output, which are all chat-visible secret surfaces.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🦞 diamond lobster
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Update the PR body with current-head real behavior proof for /config set gateway.auth.token=... showing the acknowledgement contains only the redaction sentinel.
• Keep or refresh the /config show canary proof in the same current-head run so maintainers can compare all changed chat-visible outputs.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: Terminal proof exists for /config show at an older head, but current head adds /config set acknowledgement redaction and needs updated after-fix terminal/live output; redact private data before posting, then update the PR body for automatic re-review.

Risk before merge

• [P1] Current-head proof trails the code: the posted terminal proof covers /config show at an older head, while the latest head also changes /config set acknowledgement output.
• [P1] Because this is a chat-visible secret-redaction boundary, maintainers should see current-head after-fix output before merge.

Maintainer options:

1. Decide the mitigation before merge
   Land this after current-head proof covers both /config show and /config set acknowledgement redaction through the shared schema-aware redaction path.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] No ClawSweeper repair lane is needed because the branch already contains the candidate fix; the blocker is updated current-head real behavior proof and maintainer security review.

Security
Cleared: The diff narrows chat-visible secret exposure by reusing the existing config redaction path and introduces no dependency, workflow, or supply-chain change.

Review details

Best possible solution:

Land this after current-head proof covers both /config show and /config set acknowledgement redaction through the shared schema-aware redaction path.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level reproduction is high confidence: current main reads raw snapshot.parsed and serializes it into /config show replies. I did not run a mutable local command because this review is read-only.

Is this the best way to solve the issue?

Yes, the proposed direction is the narrow maintainable fix: reuse the existing schema-aware config redaction contract instead of adding a new local redactor. The remaining issue is updated current-head real behavior proof, not a different implementation path.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 15ae2deb3067.

Label changes

Label justifications:

• P1: The linked bug exposes plaintext config secrets in chat-visible command output, which is an urgent security boundary issue for real deployments.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦐 gold shrimp and patch quality is 🦞 diamond lobster.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: Terminal proof exists for /config show at an older head, but current head adds /config set acknowledgement redaction and needs updated after-fix terminal/live output; redact private data before posting, then update the PR body for automatic re-review.

Evidence reviewed

PR surface:

Source +23, Tests +172. Total +195 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	29	6	+23
Tests	1	172	0	+172
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	201	6	+195

What I checked:

• Repository policy applied: Root policy was read fully; the config/security guidance and real-behavior-proof gate affected this review. (AGENTS.md:16, 15ae2deb3067)
• Current main leaks raw parsed config in chat output: Current main clones snapshot.parsed and serializes full and path-specific /config show replies without a redaction call. (src/auto-reply/reply/commands-config.ts:112, 15ae2deb3067)
• Shared config endpoint redaction contract: The gateway config.get path already responds with redactConfigSnapshot(snapshot, schema.uiHints), which is the contract the PR reuses for chat output. (src/gateway/server-methods/config.ts:406, 15ae2deb3067)
• PR head uses shared redaction helpers: At PR head, /config show redacts the snapshot before rendering, and /config set acknowledgement labels are generated from a schema-redacted preview object. (src/auto-reply/reply/commands-config.ts:33, 8c64bb994ceb)
• Regression tests cover the fixed surfaces: The PR adds focused tests for full /config show, path-specific secret paths, sensitive browser.cdpUrl query values, and /config set acknowledgement redaction. (src/auto-reply/reply/commands-gating.test.ts:354, 8c64bb994ceb)
• Feature history provenance: Blame ties the current unredacted /config command rendering path to commit 7595d52 on current main. (src/auto-reply/reply/commands-config.ts:103, 7595d52e56c4)

Likely related people:

• steipete: Git blame and log show Peter Steinberger introduced the current /config command rendering path and the shared redaction helpers on current main; the latest PR head also adds the /config set acknowledgement redaction commit. (role: recent area contributor; confidence: high; commits: 7595d52e56c4, 8c64bb994ceb; files: src/auto-reply/reply/commands-config.ts, src/config/redact-snapshot.ts, src/gateway/server-methods/config.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[jason-allen-oneal]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26700588281
• Updated: 2026-05-31T02:06:32.950Z

[jason-allen-oneal]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26701158297
• Updated: 2026-05-31T02:37:18.248Z

[steipete]

Behavior addressed: /config show and /config show <path> now render through the config redaction layer before chat output. Maintainer fixup also redacts /config set acknowledgement values for sensitive config paths, so the chat response does not echo a secret-shaped value back to the channel.

Real environment tested: local checkout on fix/65623-config-show-chat-redaction, head 8c64bb994ceb5f211661365422c3d8d23983e791, Node v26.0.0; GitHub Actions head 8c64bb994ceb5f211661365422c3d8d23983e791.

Exact steps or command run after this patch:

• pnpm install
• pnpm test src/auto-reply/reply/commands-gating.test.ts
• pnpm exec oxfmt --check --threads=1 src/auto-reply/reply/commands-config.ts src/auto-reply/reply/commands-gating.test.ts
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --parallel-tests "pnpm test src/auto-reply/reply/commands-gating.test.ts"

Evidence after fix: focused local test passed with 1 file / 19 tests. Autoreview reported clean with no accepted/actionable findings. PR-specific CI passed: checks-node-auto-reply-reply-commands (run 26707641778, job 78712000333), Scan changed paths (precise) (run 26707641784, job 78711856545), Real behavior proof (run 26707641334, job 78711855130), and Opengrep OSS (run 78712003367).

Observed result after fix: /config show output and /config set acknowledgement rendering use redacted config values for sensitive paths; the regression test asserts the canary token is absent and the redaction sentinel is present.

What was not tested: no external chat-channel delivery was exercised manually. The broad CI run 26707641778 has current-main failures outside this PR's two-file diff, primarily extensions/copilot/**, extensions/sms/**, lint in extensions/**, and unrelated agent/channel shards; the PR diff is limited to src/auto-reply/reply/commands-config.ts and src/auto-reply/reply/commands-gating.test.ts.