fix(security): redact resolved secrets from models.json

Bartok Moltbot · Bartok Moltbot · commit 9f66d33d10f1 · 2026-03-06T04:37:30.000-05:00
When the gateway resolves secrets at startup (env vars, SecretRef with Vault/exec/file providers), the resolved plaintext values were being written to agents/*/agent/models.json files on disk. This undermined the security benefits of centralized secret management. This change adds a redaction step before writing to models.json that: - Preserves env var names (UPPER_SNAKE_CASE patterns like OPENAI_API_KEY) - Preserves special markers (ollama-local, aws-sdk) - Strips resolved secret values that look like actual API keys The file permissions on models.json are already set to 0o600 (owner-only), but this change ensures secrets don't end up on disk at all. Fixes #37512
diff --git a/src/agents/models-config.redact-secrets.test.ts b/src/agents/models-config.redact-secrets.test.ts
@@ -0,0 +1,179 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { ensureOpenClawModelsJson } from "./models-config.js";
+
+vi.mock("../config/config.js", () => ({
+  loadConfig: vi.fn(() => ({})),
+}));
+
+vi.mock("./models-config.providers.js", async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    resolveImplicitProviders: vi.fn(async () => ({})),
+    resolveImplicitBedrockProvider: vi.fn(async () => null),
+    resolveImplicitCopilotProvider: vi.fn(async () => null),
+  };
+});
+
+describe("models-config secret redaction", () => {
+  let agentDir: string;
+
+  beforeEach(async () => {
+    agentDir = await fs.mkdtemp(path.join("/tmp", "openclaw-redact-test-"));
+  });
+
+  afterEach(async () => {
+    await fs.rm(agentDir, { recursive: true, force: true });
+  });
+
+  it("preserves env var names in apiKey fields", async () => {
+    const config = {
+      models: {
+        providers: {
+          openai: {
+            apiKey: "OPENAI_API_KEY",
+            models: [{ id: "gpt-4" }],
+          },
+          anthropic: {
+            apiKey: "ANTHROPIC_API_KEY",
+            models: [{ id: "claude-3" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const modelsJson = await fs.readFile(path.join(agentDir, "models.json"), "utf8");
+    const parsed = JSON.parse(modelsJson);
+
+    expect(parsed.providers.openai?.apiKey).toBe("OPENAI_API_KEY");
+    expect(parsed.providers.anthropic?.apiKey).toBe("ANTHROPIC_API_KEY");
+  });
+
+  it("strips resolved secret values that look like API keys", async () => {
+    const config = {
+      models: {
+        providers: {
+          openai: {
+            // Looks like a resolved OpenAI key
+            apiKey: "sk-1234567890abcdefghijklmnop",
+            models: [{ id: "gpt-4" }],
+          },
+          anthropic: {
+            // Looks like a resolved Anthropic key
+            apiKey: "sk-ant-1234567890abcdefghijklmnop",
+            models: [{ id: "claude-3" }],
+          },
+          xai: {
+            // Looks like a resolved xAI key
+            apiKey: "xai-1234567890abcdefghijklmnop",
+            models: [{ id: "grok-2" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const modelsJson = await fs.readFile(path.join(agentDir, "models.json"), "utf8");
+    const parsed = JSON.parse(modelsJson);
+
+    // Resolved secrets should be stripped
+    expect(parsed.providers.openai?.apiKey).toBeUndefined();
+    expect(parsed.providers.anthropic?.apiKey).toBeUndefined();
+    expect(parsed.providers.xai?.apiKey).toBeUndefined();
+
+    // But the rest of the provider config should be preserved
+    expect(parsed.providers.openai?.models).toEqual([{ id: "gpt-4" }]);
+    expect(parsed.providers.anthropic?.models).toEqual([{ id: "claude-3" }]);
+    expect(parsed.providers.xai?.models).toEqual([{ id: "grok-2" }]);
+  });
+
+  it("preserves special marker values like ollama-local", async () => {
+    const config = {
+      models: {
+        providers: {
+          ollama: {
+            apiKey: "ollama-local",
+            baseUrl: "http://localhost:11434",
+            models: [{ id: "llama3" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const modelsJson = await fs.readFile(path.join(agentDir, "models.json"), "utf8");
+    const parsed = JSON.parse(modelsJson);
+
+    expect(parsed.providers.ollama?.apiKey).toBe("ollama-local");
+  });
+
+  it("strips mixed-case resolved secrets", async () => {
+    const config = {
+      models: {
+        providers: {
+          custom: {
+            // Mixed case = resolved secret, not env var name
+            apiKey: "Bearer_Token_12345",
+            models: [{ id: "custom-model" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const modelsJson = await fs.readFile(path.join(agentDir, "models.json"), "utf8");
+    const parsed = JSON.parse(modelsJson);
+
+    expect(parsed.providers.custom?.apiKey).toBeUndefined();
+    expect(parsed.providers.custom?.models).toEqual([{ id: "custom-model" }]);
+  });
+
+  it("handles providers with aws-sdk auth (apiKey set to env var name)", async () => {
+    const config = {
+      models: {
+        providers: {
+          "amazon-bedrock": {
+            auth: "aws-sdk",
+            baseUrl: "https://bedrock-runtime.us-east-1.amazonaws.com",
+            models: [{ id: "anthropic.claude-v2" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const modelsJson = await fs.readFile(path.join(agentDir, "models.json"), "utf8");
+    const parsed = JSON.parse(modelsJson);
+
+    expect(parsed.providers["amazon-bedrock"]?.auth).toBe("aws-sdk");
+    // AWS SDK auth uses AWS_PROFILE env var name - this should be preserved
+    expect(parsed.providers["amazon-bedrock"]?.apiKey).toBe("AWS_PROFILE");
+  });
+
+  it("sets restrictive file permissions on models.json", async () => {
+    const config = {
+      models: {
+        providers: {
+          openai: {
+            apiKey: "OPENAI_API_KEY",
+            models: [{ id: "gpt-4" }],
+          },
+        },
+      },
+    };
+
+    await ensureOpenClawModelsJson(config, agentDir);
+
+    const stats = await fs.stat(path.join(agentDir, "models.json"));
+    // 0o600 = owner read/write only
+    expect(stats.mode & 0o777).toBe(0o600);
+  });
+});
diff --git a/src/agents/models-config.ts b/src/agents/models-config.ts
@@ -14,6 +14,67 @@ import {
 
 type ModelsConfig = NonNullable<OpenClawConfig["models"]>;
 
+/**
+ * Check if a string looks like an environment variable name rather than a
+ * resolved secret value. Env var names are UPPER_SNAKE_CASE. Resolved secrets
+ * are typically longer and contain mixed-case alphanumeric characters, dashes,
+ * underscores in non-UPPER_SNAKE_CASE patterns.
+ *
+ * Special cases:
+ * - "ollama-local" and similar synthetic markers are preserved
+ * - "aws-sdk" auth mode markers are preserved
+ */
+function isEnvVarNameOrMarker(value: string): boolean {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return false;
+  }
+
+  // Synthetic local provider markers (e.g., "ollama-local")
+  if (trimmed === "ollama-local") {
+    return true;
+  }
+
+  // AWS SDK auth marker
+  if (trimmed === "aws-sdk") {
+    return true;
+  }
+
+  // Environment variable name pattern: UPPER_SNAKE_CASE
+  // Must start with letter, contain only uppercase letters, digits, underscores
+  // Examples: OPENAI_API_KEY, ANTHROPIC_API_KEY, AWS_ACCESS_KEY_ID
+  return /^[A-Z][A-Z0-9_]*$/.test(trimmed);
+}
+
+/**
+ * Redact resolved secret values from provider configs before writing to disk.
+ * Preserves env var names (UPPER_SNAKE_CASE) and special markers, but strips
+ * actual resolved API keys to prevent plaintext secrets in models.json.
+ */
+function redactResolvedSecrets(
+  providers: Record<string, ProviderConfig>,
+): Record<string, ProviderConfig> {
+  const redacted: Record<string, ProviderConfig> = {};
+
+  for (const [key, provider] of Object.entries(providers)) {
+    const { apiKey, ...rest } = provider;
+
+    // If apiKey is undefined or empty, or looks like an env var name/marker, preserve it
+    if (
+      apiKey === undefined ||
+      apiKey === "" ||
+      (typeof apiKey === "string" && isEnvVarNameOrMarker(apiKey))
+    ) {
+      redacted[key] = provider;
+    } else {
+      // apiKey looks like a resolved secret - strip it
+      redacted[key] = rest as ProviderConfig;
+    }
+  }
+
+  return redacted;
+}
+
 const DEFAULT_MODE: NonNullable<ModelsConfig["mode"]> = "merge";
 
 function resolvePreferredTokenLimit(explicitValue: number, implicitValue: number): number {
@@ -231,7 +292,13 @@ export async function ensureOpenClawModelsJson(
     providers: mergedProviders,
     agentDir,
   });
-  const next = `${JSON.stringify({ providers: normalizedProviders }, null, 2)}\n`;
+
+  // Redact resolved secrets before writing to disk. This ensures that
+  // regardless of how secrets were resolved (env vars, SecretRef providers,
+  // etc.), only env var names are persisted, not plaintext API keys.
+  // See: https://github.com/OpenClaw/openclaw/issues/37512
+  const safeProviders = redactResolvedSecrets(normalizedProviders);
+  const next = `${JSON.stringify({ providers: safeProviders }, null, 2)}\n`;
   const existingRaw = await readRawFile(targetPath);
 
   if (existingRaw === next) {
