fix(config-audit): redact CLI argv secrets before persisting to log by koshaji · Pull Request #75095 · openclaw/openclaw

koshaji · 2026-04-30T13:36:40Z

What this fixes

Closes #60826. ~/.openclaw/logs/config-audit.jsonl is the persistent record of every config write and observe pass — designed as a tamper-detection control. It captures process.argv.slice(0, 8) raw at four sites, so any secret passed as a CLI flag (gateway tokens, bot tokens, hook tokens, op read-piped tokens, etc.) lands at rest in a mode-0600 file indefinitely. The mechanism designed to detect tampering became the credential-leak vector itself.

Two prior PRs (#60871 and #70468) closed unmerged. ClawSweeper's triage on the issue confirmed the gap is still on main and recommended centralizing process-info sanitization at the snapshot site.

What changed

Centralize the snapshot and redact at the boundary:

src/config/io.audit.ts — new snapshotConfigAuditProcessInfo() wraps the process.* reads. Argv and execArgv pass through a new redactConfigAuditArgv() helper with three layers per element:
1. --flag=value for known secret flag names → mask the value half (--token=***).
2. value following a bare --flag form → emit *** instead of the next arg.
3. fall through to redactToolPayloadText (force-on tools mode using the shared logging.redactPatterns defaults) for the remaining standalone token shapes: sk-, ghp_, xox*, gsk_, AIza*, npm_, Telegram bot tokens (<digits>:<base64>), PEM blocks, Bearer headers, URL query secrets, and KEY=VALUE env-style assignments.
resolveConfigAuditProcessInfo (write-base path) now also redacts a caller-supplied processInfo, so test/non-default callers can't bypass.
Three other inline process.argv.slice(0, 8) sites in src/config/io.ts (sync + async observe) and src/config/io.observe-recovery.ts now spread ...snapshotConfigAuditProcessInfo() instead.

The redaction is force-on — it ignores logging.redactSensitive: "off". That setting is for debug logs the operator opts into; the persistent audit log is a security control that must always redact.

The known secret flag list is conservative and includes both OpenClaw-specific (--gateway-token, --hook-token, --bot-token, --webhook-secret, --op-service-account-token) and generic (--token, --api-key, --secret, --password, --client-secret, etc.) names.

Why this is the best fix

Single source of truth — argv leaves the snapshot site already redacted, so future audit fields can't reintroduce the leak.
Reuses existing redaction patterns — redactToolPayloadText is the same primitive that protects tool output today, with the same DEFAULT_REDACT_PATTERNS library covering token shapes from every major provider in the repo.
Force-on by design — the audit log is a security control. A user who turns off logging.redactSensitive for debug verbosity does not get a credential leak in their persistent audit trail.
Defensive on caller-supplied processInfo — even if a caller (test, future code path) passes a snapshot in directly, redaction still runs.
No new public surface — the only export consumers see is snapshotConfigAuditProcessInfo. redactConfigAuditArgv is also exported but only for the test surface.

Tests

pnpm test src/config/io.audit.test.ts — 11/11 passing (was 6, +5 new):
- secret-flag value redaction with space-separated args (--token VALUE)
- secret-flag value redaction with =-form (--token=VALUE)
- shared-pattern fallback for standalone token shapes (ghp_*, AIza*, Telegram bot tokens)
- non-secret args left untouched
- end-to-end via createConfigWriteAuditRecordBase with a crafted processInfo
pnpm test src/config/io.observe-recovery.test.ts — 11/11 still passing
pnpm test src/config/io.write-config.test.ts src/config/io.write-prepare.test.ts src/config/io.runtime-snapshot-write.test.ts — 43/43 still passing
pnpm tsgo:core — clean
pnpm tsgo:core:test — clean
pnpm exec oxfmt --check on all 5 files — clean

Test plan

Reproduce on main: pass --token=<value> to a gateway invocation, trigger a config write, inspect ~/.openclaw/logs/config-audit.jsonl → see plaintext.
Repro on this branch with same args → see --token=*** in the audit JSONL.
Confirm forensic argv data is still useful: pid/ppid/cwd/non-secret flags survive intact.
Confirm logging.redactSensitive: "off" does NOT re-enable the leak (audit log should redact regardless).
Confirm the four call sites (write, sync observe, async observe, observe-recovery) all emit redacted argv after this change.

Copilot

Pull request overview

This PR fixes a credential-leak in the persistent config tamper-detection audit log by ensuring CLI/process details are snapshotted through a centralized, redacting boundary before being written to ~/.openclaw/logs/config-audit.jsonl.

Changes:

Introduces snapshotConfigAuditProcessInfo() and redactConfigAuditArgv() to redact secrets in argv/execArgv before audit persistence.
Updates config observe / observe-recovery audit write sites to use the centralized snapshot helper instead of inline process.argv.slice(...).
Expands unit tests to cover flag-based and token-shape-based redaction, plus redaction of caller-supplied processInfo.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/config/io.audit.ts	Adds argv/execArgv redaction + centralized process snapshot; ensures caller-supplied processInfo is also redacted
src/config/io.ts	Switches config observe audit writes to `...snapshotConfigAuditProcessInfo()`
src/config/io.observe-recovery.ts	Switches recovery observe audit records to `...snapshotConfigAuditProcessInfo()`
src/config/io.audit.test.ts	Adds coverage for new argv redaction behavior and processInfo redaction path
CHANGELOG.md	Documents the security fix for config-audit secret redaction

clawsweeper · 2026-04-30T13:42:16Z

Codex review: found issues before merge.

What this changes:

The PR adds config-audit argv/execArgv redaction helpers, routes write, observe, and recovery audit records through them, expands regression coverage, and adds a changelog entry for the security fix.

Maintainer follow-up before merge:

This is a security-sensitive PR with a concrete high-severity bypass; a maintainer or author should patch the exact PR head and rerun targeted validation before merge.

Security review:

Security review needs attention: The diff reduces the original audit-log credential exposure but still leaves a concrete argv redaction bypass on the latest PR head.

Review findings:

[P1] Keep scanning chained secret flags — src/config/io.audit.ts:96-99

Review details

Best possible solution:

Keep the centralized config-audit snapshot redaction, but change the argv state machine so a secret-looking flag reached while redacting a previous value also causes its own following value to be redacted; add regression coverage for chained secret flags before merge.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main is source-reproducible because write, observe, and recovery audit paths persist raw argv; the PR-head blocker is source-reproducible with ['openclaw','--token','--api-key','plain-provider-key-12345'].

Is this the best way to solve the issue?

No. Redacting at the config-audit snapshot boundary is the narrow maintainable fix, but the current PR implementation still treats a later secret flag as only the previous flag's value and can expose the later value.

Full review comments:

[P1] Keep scanning chained secret flags — src/config/io.audit.ts:96-99
When redactNext is set, this branch masks the current token and continues before checking whether that token is itself a secret flag. With ['openclaw','--token','--api-key','plain-provider-key-12345'], --api-key is swallowed as the previous value and the following arbitrary key can be persisted because fallback redaction only covers known token shapes. Please detect secret flags in this state and redact their following value too.
Confidence: 0.89

Overall correctness: patch is incorrect
Overall confidence: 0.89

Security concerns:

[high] Chained secret flags can leak later values — src/config/io.audit.ts:96
A later bare secret flag can be consumed as the value for an earlier secret flag, leaving that later flag's arbitrary value to pass through only shape-based fallback redaction before persistence in config-audit.jsonl.
Confidence: 0.89

What I checked:

Current main write audit persists raw argv: On current main, resolveConfigAuditProcessInfo returns caller-supplied processInfo unchanged and otherwise records process.argv.slice(0, 8) and process.execArgv.slice(0, 8) for config.write audit records. (src/config/io.audit.ts:162, 38da2ac6f8ee)
Current main observe paths persist raw argv: The async and sync observe records on current main inline raw process argv/execArgv snapshots before appending config.observe audit records. (src/config/io.ts:719, 38da2ac6f8ee)
Current main observe recovery persists raw argv: createConfigObserveAuditRecord in observe recovery also records process.argv.slice(0, 8) and process.execArgv.slice(0, 8) on current main. (src/config/io.observe-recovery.ts:149, 38da2ac6f8ee)
PR head centralizes redaction: Latest PR head adds redactConfigAuditArgv and snapshotConfigAuditProcessInfo, then routes snapshot argv/execArgv through the redaction helper before persistence. (src/config/io.audit.ts:86, 3dc54de1a82a)
PR head still has chained secret-flag bypass: When redactNext is true, the helper masks the current token and continues before checking whether that token is itself a secret flag, so ['openclaw','--token','--api-key','plain-provider-key-12345'] leaves the final arbitrary value to only shape-based fallback redaction. (src/config/io.audit.ts:96, 3dc54de1a82a)
Fallback redaction is shape-based: The shared fallback patterns cover known token shapes, assignments, URLs, headers, PEM blocks, and selected prefixes; they do not guarantee redaction for an arbitrary standalone provider-key value after a swallowed flag. (src/logging/redact.ts:13, 38da2ac6f8ee)

Likely related people:

steipete: Current blame and GitHub commit metadata show Peter Steinberger introduced the config audit, observe, observe-recovery, and shared redaction files containing the raw argv snapshot behavior in the runtime-mirror hardening commit; older local commits also show config-audit/recovery maintenance by the same author. (role: introduced behavior and config-audit maintainer; confidence: high; commits: eb8e892df96a, ae12aa49c3f2, ffb1628727fd; files: src/config/io.audit.ts, src/config/io.ts, src/config/io.observe-recovery.ts)
amknight: Alex Knight recently merged config observe-recovery validation changes touching the same recovery audit surface and tests, making them a useful adjacent reviewer for this path. (role: recent adjacent maintainer; confidence: medium; commits: aa9db998f7bf; files: src/config/io.observe-recovery.ts, src/config/io.observe-recovery.test.ts)

Remaining risk / open question:

Latest head CI was still unstable/in progress at the API check, so exact-head validation needs to complete again after the security fix.
No local tests were run because this review was constrained to read-only inspection.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 38da2ac6f8ee.

Address PR openclaw#75095 review: - Add a suffix-based heuristic so any `--<...>-(token|secret|password| passwd|api[-_]?key|api[-_]?secret|webhook|credential|bearer|pat)` is treated as a secret flag in addition to the explicit list. This catches `--custom-api-key`, `--alibaba-model-studio-api-key`, plugin-defined `cliFlag` values, and similar flags that ship in OpenClaw + bundled plugins today and were previously falling through to the per-element token-shape fallback (which can miss arbitrary provider keys with no recognizable prefix). - Expand the explicit list with adjacent secret flags surfaced by Copilot (`--app-token`, `--remote-token`, `--push-token`, `--bearer-token`, `--id-token`, `--identity-token`, `--session-token`, `--service-token`, `--pat`, `--personal-access-token`, `--oauth-token`, `--webhook-token`). - Stop masking the next arg when a secret flag is followed by another option (`--token --port 8080` should not mask `--port`). Treat that as a missing value and keep the following arg intact. - Cap caller-supplied processInfo argv/execArgv at 8 entries via a new capArgv helper so a future caller can't bypass the snapshot length bound and persist arbitrarily large argv to the audit log. 4 new tests cover: heuristic flag detection (`--custom-api-key`, `--alibaba-model-studio-api-key`, `--app-token`, `--frobnicate-credential`), no-mask when secret flag is followed by another option, no-mask when secret flag is the final arg without a value, and the slice(0, 8) cap with a long argv that smuggles a sensitive value past index 8 into a confirmed-not-present assertion.

…ery-key, etc.) Addresses clawsweeper P1 on PR openclaw#75095: the prior classifier missed `--private-key` (Nostr setup) and `--recovery-key` (Matrix), letting those values land in config-audit.jsonl. Add explicit names plus a `*-key` suffix family covering private/recovery/signing/encryption/ master/session/gateway/service/hook keys. Tests cover both the explicit flags and the heuristic family.

Address PR openclaw#75095 review: - Add a suffix-based heuristic so any `--<...>-(token|secret|password| passwd|api[-_]?key|api[-_]?secret|webhook|credential|bearer|pat)` is treated as a secret flag in addition to the explicit list. This catches `--custom-api-key`, `--alibaba-model-studio-api-key`, plugin-defined `cliFlag` values, and similar flags that ship in OpenClaw + bundled plugins today and were previously falling through to the per-element token-shape fallback (which can miss arbitrary provider keys with no recognizable prefix). - Expand the explicit list with adjacent secret flags surfaced by Copilot (`--app-token`, `--remote-token`, `--push-token`, `--bearer-token`, `--id-token`, `--identity-token`, `--session-token`, `--service-token`, `--pat`, `--personal-access-token`, `--oauth-token`, `--webhook-token`). - Stop masking the next arg when a secret flag is followed by another option (`--token --port 8080` should not mask `--port`). Treat that as a missing value and keep the following arg intact. - Cap caller-supplied processInfo argv/execArgv at 8 entries via a new capArgv helper so a future caller can't bypass the snapshot length bound and persist arbitrarily large argv to the audit log. 4 new tests cover: heuristic flag detection (`--custom-api-key`, `--alibaba-model-studio-api-key`, `--app-token`, `--frobnicate-credential`), no-mask when secret flag is followed by another option, no-mask when secret flag is the final arg without a value, and the slice(0, 8) cap with a long argv that smuggles a sensitive value past index 8 into a confirmed-not-present assertion.

…ery-key, etc.) Addresses clawsweeper P1 on PR openclaw#75095: the prior classifier missed `--private-key` (Nostr setup) and `--recovery-key` (Matrix), letting those values land in config-audit.jsonl. Add explicit names plus a `*-key` suffix family covering private/recovery/signing/encryption/ master/session/gateway/service/hook keys. Tests cover both the explicit flags and the heuristic family.

Address PR openclaw#75095 review: - Add a suffix-based heuristic so any `--<...>-(token|secret|password| passwd|api[-_]?key|api[-_]?secret|webhook|credential|bearer|pat)` is treated as a secret flag in addition to the explicit list. This catches `--custom-api-key`, `--alibaba-model-studio-api-key`, plugin-defined `cliFlag` values, and similar flags that ship in OpenClaw + bundled plugins today and were previously falling through to the per-element token-shape fallback (which can miss arbitrary provider keys with no recognizable prefix). - Expand the explicit list with adjacent secret flags surfaced by Copilot (`--app-token`, `--remote-token`, `--push-token`, `--bearer-token`, `--id-token`, `--identity-token`, `--session-token`, `--service-token`, `--pat`, `--personal-access-token`, `--oauth-token`, `--webhook-token`). - Stop masking the next arg when a secret flag is followed by another option (`--token --port 8080` should not mask `--port`). Treat that as a missing value and keep the following arg intact. - Cap caller-supplied processInfo argv/execArgv at 8 entries via a new capArgv helper so a future caller can't bypass the snapshot length bound and persist arbitrarily large argv to the audit log. 4 new tests cover: heuristic flag detection (`--custom-api-key`, `--alibaba-model-studio-api-key`, `--app-token`, `--frobnicate-credential`), no-mask when secret flag is followed by another option, no-mask when secret flag is the final arg without a value, and the slice(0, 8) cap with a long argv that smuggles a sensitive value past index 8 into a confirmed-not-present assertion.

…ery-key, etc.) Addresses clawsweeper P1 on PR openclaw#75095: the prior classifier missed `--private-key` (Nostr setup) and `--recovery-key` (Matrix), letting those values land in config-audit.jsonl. Add explicit names plus a `*-key` suffix family covering private/recovery/signing/encryption/ master/session/gateway/service/hook keys. Tests cover both the explicit flags and the heuristic family.

Address PR openclaw#75095 review: - Add a suffix-based heuristic so any `--<...>-(token|secret|password| passwd|api[-_]?key|api[-_]?secret|webhook|credential|bearer|pat)` is treated as a secret flag in addition to the explicit list. This catches `--custom-api-key`, `--alibaba-model-studio-api-key`, plugin-defined `cliFlag` values, and similar flags that ship in OpenClaw + bundled plugins today and were previously falling through to the per-element token-shape fallback (which can miss arbitrary provider keys with no recognizable prefix). - Expand the explicit list with adjacent secret flags surfaced by Copilot (`--app-token`, `--remote-token`, `--push-token`, `--bearer-token`, `--id-token`, `--identity-token`, `--session-token`, `--service-token`, `--pat`, `--personal-access-token`, `--oauth-token`, `--webhook-token`). - Stop masking the next arg when a secret flag is followed by another option (`--token --port 8080` should not mask `--port`). Treat that as a missing value and keep the following arg intact. - Cap caller-supplied processInfo argv/execArgv at 8 entries via a new capArgv helper so a future caller can't bypass the snapshot length bound and persist arbitrarily large argv to the audit log. 4 new tests cover: heuristic flag detection (`--custom-api-key`, `--alibaba-model-studio-api-key`, `--app-token`, `--frobnicate-credential`), no-mask when secret flag is followed by another option, no-mask when secret flag is the final arg without a value, and the slice(0, 8) cap with a long argv that smuggles a sensitive value past index 8 into a confirmed-not-present assertion.

…ery-key, etc.) Addresses clawsweeper P1 on PR openclaw#75095: the prior classifier missed `--private-key` (Nostr setup) and `--recovery-key` (Matrix), letting those values land in config-audit.jsonl. Add explicit names plus a `*-key` suffix family covering private/recovery/signing/encryption/ master/session/gateway/service/hook keys. Tests cover both the explicit flags and the heuristic family.

…penclaw#60826) `config-audit.jsonl` is the persistent record of config writes/observes under `~/.openclaw/logs/`. It captures `process.argv.slice(0, 8)` raw at four sites (write-audit, async observe, sync observe, observe-recovery record builder), so any token passed as a CLI flag (gateway tokens, bot tokens, hook tokens, exec'd `op read`/op-style tokens) lands at rest in a mode-0600 file indefinitely. The mechanism designed to detect config tampering becomes the credential-leak vector itself. Centralize the snapshot and redact at the boundary: - New `snapshotConfigAuditProcessInfo()` in src/config/io.audit.ts wraps the `process.*` reads and routes argv/execArgv through a new `redactConfigAuditArgv()` helper. - redactConfigAuditArgv has three layers per element: 1. `--flag=value` for known secret flag names → mask the value half. 2. value following a bare `--flag` → emit `***`. 3. fall through to redactToolPayloadText (force-on tools mode using the shared logging.redactPatterns defaults) for the remaining standalone token shapes — sk-/ghp_/xox*/gsk_/AIza*/npm_, Telegram bot tokens, PEM blocks, Bearer headers, URL query secrets, `KEY=VALUE` env-style assignments. - `resolveConfigAuditProcessInfo` (write-base path) now also redacts a caller-supplied processInfo, so test/non-default callers can't bypass. - The three other inline `process.argv.slice(0, 8)` sites in io.ts (sync + async observe) and io.observe-recovery.ts now spread `...snapshotConfigAuditProcessInfo()` instead. Five new tests cover: secret-flag value redaction (space-separated and =-form), shared-pattern fallback for standalone token shapes, untouched non-secret args, and end-to-end via createConfigWriteAuditRecordBase with a crafted processInfo. Fixes openclaw#60826

Address PR openclaw#75095 review: - Add a suffix-based heuristic so any `--<...>-(token|secret|password| passwd|api[-_]?key|api[-_]?secret|webhook|credential|bearer|pat)` is treated as a secret flag in addition to the explicit list. This catches `--custom-api-key`, `--alibaba-model-studio-api-key`, plugin-defined `cliFlag` values, and similar flags that ship in OpenClaw + bundled plugins today and were previously falling through to the per-element token-shape fallback (which can miss arbitrary provider keys with no recognizable prefix). - Expand the explicit list with adjacent secret flags surfaced by Copilot (`--app-token`, `--remote-token`, `--push-token`, `--bearer-token`, `--id-token`, `--identity-token`, `--session-token`, `--service-token`, `--pat`, `--personal-access-token`, `--oauth-token`, `--webhook-token`). - Stop masking the next arg when a secret flag is followed by another option (`--token --port 8080` should not mask `--port`). Treat that as a missing value and keep the following arg intact. - Cap caller-supplied processInfo argv/execArgv at 8 entries via a new capArgv helper so a future caller can't bypass the snapshot length bound and persist arbitrarily large argv to the audit log. 4 new tests cover: heuristic flag detection (`--custom-api-key`, `--alibaba-model-studio-api-key`, `--app-token`, `--frobnicate-credential`), no-mask when secret flag is followed by another option, no-mask when secret flag is the final arg without a value, and the slice(0, 8) cap with a long argv that smuggles a sensitive value past index 8 into a confirmed-not-present assertion.

…ery-key, etc.) Addresses clawsweeper P1 on PR openclaw#75095: the prior classifier missed `--private-key` (Nostr setup) and `--recovery-key` (Matrix), letting those values land in config-audit.jsonl. Add explicit names plus a `*-key` suffix family covering private/recovery/signing/encryption/ master/session/gateway/service/hook keys. Tests cover both the explicit flags and the heuristic family.

sallyom · 2026-05-01T02:09:04Z

Merged via squash.

Prepared head SHA: 3dc54de
Merge commit: a853c5e

Thanks @koshaji.

@sallyom

…penclaw#75095) Merged via squash. Prepared head SHA: 3dc54de Co-authored-by: koshaji <[email protected]> Co-authored-by: sallyom <[email protected]> Reviewed-by: @sallyom

Copilot AI review requested due to automatic review settings April 30, 2026 13:36

openclaw-barnacle Bot added the size: M label Apr 30, 2026

Copilot started reviewing on behalf of koshaji April 30, 2026 13:37 View session

Copilot AI reviewed Apr 30, 2026

View reviewed changes

Comment thread src/config/io.audit.ts

Comment thread src/config/io.audit.ts

Comment thread src/config/io.audit.ts

clawsweeper Bot mentioned this pull request Apr 30, 2026

config-audit.jsonl logs plaintext secrets in CLI argv #60826

Closed

koshaji force-pushed the fix/config-audit-redact-argv branch from e80420b to dd881b7 Compare May 1, 2026 00:11

sallyom self-assigned this May 1, 2026

sallyom force-pushed the fix/config-audit-redact-argv branch from f63528a to fedcf08 Compare May 1, 2026 01:22

sallyom force-pushed the fix/config-audit-redact-argv branch from fedcf08 to 365f2a9 Compare May 1, 2026 01:41

koshaji and others added 5 commits April 30, 2026 21:59

chore(changelog): re-add Unreleased entry after rebase onto main

2f9f883

fix(config-audit): fail closed for secret argv values

3dc54de

sallyom force-pushed the fix/config-audit-redact-argv branch from 365f2a9 to 3dc54de Compare May 1, 2026 02:01

sallyom merged commit a853c5e into openclaw:main May 1, 2026
98 checks passed

github-actions Bot mentioned this pull request May 1, 2026

📡 Upstream Digest — 2026-05-01 02:14 UTC curtismercier/openclaw-mods#731

Open

koshaji deleted the fix/config-audit-redact-argv branch May 6, 2026 10:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(config-audit): redact CLI argv secrets before persisting to log#75095

fix(config-audit): redact CLI argv secrets before persisting to log#75095
sallyom merged 5 commits intoopenclaw:mainfrom
koshaji:fix/config-audit-redact-argv

koshaji commented Apr 30, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

clawsweeper Bot commented Apr 30, 2026 •

edited

Loading

Uh oh!

Uh oh!

sallyom commented May 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

koshaji commented Apr 30, 2026

What this fixes

What changed

Why this is the best fix

Tests

Test plan

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

clawsweeper Bot commented Apr 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

sallyom commented May 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

clawsweeper Bot commented Apr 30, 2026 •

edited

Loading