Bug Report

Version: 2026.2.6-3 (upgraded from 2026.2.3-1)

Summary:
Running openclaw configure (and likely other config-writing commands) in version 2026.2.6-3 writes the security redaction placeholder __OPENCLAW_REDACTED__ to the actual openclaw.json file instead of preserving the real values. This destroys all API keys, tokens, and even numeric configuration values.

Steps to Reproduce

1. Update OpenClaw to 2026.2.6-3
2. Run openclaw configure
3. Check ~/.openclaw/openclaw.json

Expected Behavior

Config file should retain all original API keys, tokens, and configuration values. Security redaction should only apply to:

• API responses (when querying config via gateway)
• Logs and output
• Never to the actual file on disk

Actual Behavior

All sensitive values are replaced with __OPENCLAW_REDACTED__ in the actual config file, including:

• channels.discord.token
• env.vars.BRAVE_API_KEY
• env.vars.DEEPSEEK_API_KEY
• models.providers.deepseek.apiKey
• gateway.auth.token
• tools.web.search.apiKey
• skills.entries.*.apiKey
• Even numeric values like models.providers.*.models[].maxTokens (should be 8192, etc.)

Impact

Critical - This bug will:

• Break Discord connectivity (token destroyed)
• Break all API-based models (DeepSeek, etc.)
• Break web search functionality
• Break all skills requiring API keys
• Corrupt numeric config values
• Require users to manually restore all credentials from backup

Workaround

1. Restore openclaw.json from backup before running configure
2. Avoid running openclaw configure, openclaw doctor --fix, or any command that writes config until fixed
3. Consider rolling back to 2026.2.3-1

Additional Context

• Affected command: openclaw configure (timestamp: 2026-02-07T16:10:54Z)
• Wizard metadata in damaged file shows: "lastRunCommand": "configure", "lastRunVersion": "2026.2.6-3"
• The redaction mechanism appears to be incorrectly applied during config write operations
• User confirmed config file was valid before running configure, damaged after