fix(backup): preserve OpenClaw openclaw.json settings across rebuild

[yimoj]

Summary

nemoclaw backup-all (which drives the rebuild snapshot machinery) did not capture OpenClaw's core openclaw.json config, so model/provider settings, MCP servers, custom agents, and channel account blocks were lost after nemoclaw <name> rebuild. This declares openclaw.json as a durable state file and hardens the backup credential sanitizer so the restored config is both safe and usable.

Related Issue

Fixes #5027

Changes

• agents/openclaw/manifest.yaml — declare openclaw.json as a state_files entry (copy strategy) so backup-all/rebuild preserve core OpenClaw settings the state dirs don't cover (model/provider, MCP servers, custom agents, channel blocks).
• src/lib/security/credential-filter.ts — harden sanitization now that the full config is backed up:
  • Broaden credential-key detection: OpenClaw channel tokens (botToken/appToken), SCREAMING_SNAKE env secrets in MCP env blocks (GITHUB_TOKEN, BRAVE_API_KEY, bare TOKEN/SECRET/…), and HTTP auth header names (Authorization, X-API-Key, X-*-Token/-Auth).
  • Add a value-level backstop that scrubs raw secrets by shape (sk-/ghp_/xoxb-/Bearer …) under any key — including array elements and MCP CLI args passed as --api-key <secret> / --api-key=<secret>.
  • Preserve non-secret OpenShell resolve:env/unused placeholders (and the Bearer <placeholder> header form) so the restored config keeps routing through proxy-injected credentials instead of a dead marker.
• src/lib/actions/sandbox/snapshot.ts — after the standalone snapshot restore writes openclaw.json, run the posture-aware repairMutableConfigPerms so the always-on gateway keeps the setgid/group-writable config contract ([All Platforms][Sandbox] NemoClaw mutable sandbox breaks group-writable openclaw.json contract after openclaw doctor --fix (gateway cannot persist config) #4538). Rebuild already does this in its post-restore sequence; the onboard recreate-restore path re-establishes it via nemoclaw-start.sh on the next gateway start.
• Tests: manifest assertion (defs.test.ts), credential-filter unit coverage (placeholders preserved, channel/env/header/array/flag secrets scrubbed, benign settings untouched), and an end-to-end OpenClaw openclaw.json backup→restore round-trip in snapshot.test.ts (settings survive, secrets stripped, gateway block dropped).

Type of Change

• Code change (feature, bug fix, or refactor)

Verification

• npm test passes (targeted: snapshot, credential-filter, agent defs, mutable-config-perms, snapshot command, config-set, secret-redaction — all green on this host; full cli project includes slow CLI-spawn integration tests gated by NEMOCLAW_TEST_TIMEOUT)
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Reproduced the bug and verified the fix end-to-end through the real compiled backup/restore code path (backup omitted openclaw.json before; after the fix it is captured, sanitized, and restored with settings intact)

Reviewed scope

Scoped to the reporter's workflow (backup-all → rebuild), which is fully correct: rebuild recreates the gateway (regenerating the gateway block) and repairs config perms. Two adversarial-review edge cases on adjacent paths are intentionally left as follow-ups: preserving the live gateway block on a same-sandbox snapshot restore (the block regenerates at startup), and perms on onboard recreate-restore (self-heals via nemoclaw-start.sh).

---

Signed-off-by: Yimo Jiang yimoj@nvidia.com

Summary by CodeRabbit

• Bug Fixes
  • Backups and restores now include the OpenClaw durable config so essential settings (provider/MCP/channel/account/custom-agent) are preserved.
• New Features
  • Post-restore permission repair runs for restored OpenClaw configs to ensure correct access and emits targeted warnings on issues.
• Security
  • Expanded credential detection and scrubbing to better identify and redact secret-like values while preserving safe placeholders.
• Tests
  • Added tests verifying OpenClaw config backup/restore and enhanced credential-sanitization behavior.

[coderabbitai]

Warning

Review limit reached

@yimoj, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute and 54 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1e47c9d5-27c5-47af-8686-809d4d618895

📥 Commits

Reviewing files that changed from the base of the PR and between 8a68166 and d8bb13c.

📒 Files selected for processing (6)

• agents/openclaw/manifest.yaml
• src/lib/actions/sandbox/snapshot.ts
• src/lib/agent/defs.test.ts
• src/lib/security/credential-filter.test.ts
• src/lib/security/credential-filter.ts
• test/snapshot.test.ts

📝 Walkthrough

Walkthrough

Declares openclaw.json as durable state, broadens credential detection (name and value), preserves resolve-style placeholders during sanitization, runs a post-restore permission repair when openclaw.json is restored, and adds tests for sanitization and end-to-end backup/restore.

Changes

OpenClaw Durable Config Backup & Restore

Layer / File(s)	Summary
Manifest declaration for durable state agents/openclaw/manifest.yaml	OpenClaw manifest explicitly declares openclaw.json as a top-level durable state file with { path: openclaw.json } to ensure backup tooling preserves the configuration.
Enhanced credential detection and sanitization src/lib/security/credential-filter.ts	Adds valueLooksLikeSecret and isSafeCredentialPlaceholder, broadens isCredentialField to name patterns (env-style, headers, camelCase) and value patterns, and refactors stripCredentials to scrub secret-shaped values while preserving safe resolve placeholders and handling CLI-array context.
Post-restore configuration permission repair src/lib/actions/sandbox/snapshot.ts	After restore, if openclaw.json was restored, call shields.repairMutableConfigPerms(targetSandbox), log success or warnings, and swallow unexpected errors to avoid failing the restore.
Comprehensive test coverage for backup/restore cycle src/lib/agent/defs.test.ts, src/lib/security/credential-filter.test.ts, test/snapshot.test.ts	Adds assertion that openclaw.json is declared durable, expands credential-filter tests (field names, value patterns, placeholder preservation), updates stubs, and adds end-to-end snapshot tests that verify sanitized backup and correct restore repopulation.

sequenceDiagram
  participant Sandbox as Sandbox State
  participant Manifest as Manifest Declaration
  participant Filter as Credential Filter
  participant Backup as Backup Store
  participant Restore as Restore Process
  participant Repair as Permission Repair

  Sandbox->>Manifest: declare openclaw.json in state_files
  Manifest->>Backup: backup reads state_files
  Sandbox->>Filter: sanitizeConfigFile(openclaw.json)
  Filter->>Backup: store sanitized openclaw.json
  Backup->>Restore: restore openclaw.json
  Restore->>Repair: if restored -> repairMutableConfigPerms(targetSandbox)
  Repair-->>Restore: success/warning
  Restore->>Sandbox: write final openclaw.json

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

area: sandbox, bug-fix, v0.0.63

Poem

🐰 A config once lost in rebuild's night,
Now listed, scrubbed, and kept safe from sight.
Placeholders stay, raw secrets take flight,
Permissions mended after restore's light.
Backup and restore hop home — all right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main objective: preserving OpenClaw openclaw.json settings across rebuild, which directly addresses the core problem described in the changeset.
Linked Issues check	✅ Passed	The PR fully addresses issue #5027 by: (1) declaring openclaw.json as a durable state file so backup-all captures it, (2) sanitizing credentials while preserving placeholders for safe restoration, and (3) verifying the round-trip with tests and end-to-end validation.
Out of Scope Changes check	✅ Passed	All changes are in scope: manifest declaration, credential-filter hardening for safe sanitization, post-restore permission repair, and comprehensive tests validating the backup-restore workflow—all directly supporting the #5027 objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/security/credential-filter.ts`:
- Around line 118-131: The current regexes CREDENTIAL_FIELD_PATTERN and
ENV_SECRET_FIELD_PATTERN incorrectly match publicKey/PUBLIC_KEY; update them to
exclude public keys by adding a negative condition so fields with the literal
"public" prefix (e.g., "publicKey", "PUBLIC_KEY") are not matched as secrets.
Concretely, modify CREDENTIAL_FIELD_PATTERN to reject identifiers that start
with "public" (or contain the segment "public" immediately before the secret
suffix) and update ENV_SECRET_FIELD_PATTERN to not match when the uppercase name
contains "PUBLIC" as the token before the secret suffix; adjust the patterns or
add explicit negative lookaheads/alternatives so verification fields like
publicKey/PUBLIC_KEY remain preserved. Ensure the updates reference the existing
constants CREDENTIAL_FIELD_PATTERN and ENV_SECRET_FIELD_PATTERN and include
tests that confirm publicKey and PUBLIC_KEY are not stripped while other secret
patterns still match.
- Around line 195-215: The function isSafeCredentialPlaceholder fails to treat
values like "Bearer unused" as safe because SAFE_CREDENTIAL_PLACEHOLDER_LITERALS
only matches the bare literal; update isSafeCredentialPlaceholder to also accept
values that begin with the "Bearer " scheme followed by a literal in
SAFE_CREDENTIAL_PLACEHOLDER_LITERALS (case-insensitive for the "Bearer" prefix
and trim whitespace) in addition to the existing regex patterns; reference
SAFE_CREDENTIAL_PLACEHOLDER_LITERALS, SAFE_CREDENTIAL_PLACEHOLDER_PATTERNS, and
isSafeCredentialPlaceholder to implement this check so proxy-injected
Authorization headers such as "Bearer unused" are preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5ef2b412-d678-4603-8e2d-40acf3061985

📥 Commits

Reviewing files that changed from the base of the PR and between 75eaa81 and 8a68166.

📒 Files selected for processing (6)

• agents/openclaw/manifest.yaml
• src/lib/actions/sandbox/snapshot.ts
• src/lib/agent/defs.test.ts
• src/lib/security/credential-filter.test.ts
• src/lib/security/credential-filter.ts
• test/snapshot.test.ts

🚧 Files skipped from review as they are similar to previous changes (5)

• src/lib/agent/defs.test.ts
• agents/openclaw/manifest.yaml
• test/snapshot.test.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/security/credential-filter.test.ts

[yimoj]

Both CodeRabbit findings are addressed in the latest push (commit d8bb13c):

• publicKey / PUBLIC_KEY — added a PUBLIC_KEY_FIELD_PATTERN guard checked first in isCredentialField, so publicKey, PUBLIC_KEY, public-key, X-Public-Key, and GITHUB_PUBLIC_KEY are preserved while privateKey/PRIVATE_KEY/apiKey still strip. Tests added.
• Bearer unused — isSafeCredentialPlaceholder now strips an optional case-insensitive Bearer scheme before matching the safe-literal set, so Bearer unused / Bearer [STRIPPED_BY_MIGRATION] are preserved (a real Bearer <secret> is still scrubbed). Tests added.

@coderabbitai review

[coderabbitai]

@yimoj Thanks for the detailed summary of the fixes! Both the PUBLIC_KEY_FIELD_PATTERN guard and the Bearer unused safe-placeholder handling look well-reasoned. Kicking off a fresh review now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[wscurran]

✨ Thanks for the proposed fix declaring openclaw.json as a durable state file in the OpenClaw manifest. This proposes a way to preserve model/provider settings, MCP servers, custom agents, and channel blocks across nemoclaw rebuild operations.

---

Related open issues:

• #5027 "nemoclaw backup-all" is not backuping any openclaw settings, agents etc.
• #4538 [All Platforms][Sandbox] NemoClaw mutable sandbox breaks group-writable openclaw.json contract after openclaw doctor --fix (gateway cannot persist config)

[prekshivyas]

Reviewed (code + security checklist). Declares OpenClaw's openclaw.json as a durable state_file so backup-all/rebuild preserve core settings (model/provider, MCP servers, custom agents, channel blocks) previously lost (#5027), hardens the credential sanitizer to scrub the newly-backed-up config's secrets while preserving non-secret resolve:env placeholders, and adds a posture-aware perms-repair after standalone snapshot restore.

✅ Approve. Solid defense-in-depth. Path-traversal is rejected (normalizeStateFilePath blocks absolute/../null-byte), so the declared file can't be weaponized to exfiltrate ../-relative paths; backups are written 0600; auth-profiles.json/auth.json excluded entirely; the PUBLIC_KEY exemption is checked first and correctly scoped. The new perms-repair is posture-aware — it refuses to weaken permissions under shields-up (locked) or unreadable state, so it can't downgrade a locked config. Placeholder preservation correctly distinguishes resolve:env markers from raw secrets (no credential bake-in). Security: all categories pass.

Non-blocking nits:

• An opaque secret under a benign key (no recognizable prefix/credential-shaped key) still survives — unchanged prior behavior; the shape backstop is intentionally additive. A one-line comment acknowledging the residual gap would help.
• HEADER_CREDENTIAL_PATTERN would also match a hypothetical *-key/*-token setting (fail-closed → [STRIPPED_BY_MIGRATION]); acceptable trade-off.

Tests thorough: manifest assertion, 7 credential-filter cases (placeholder preservation, per-channel/env/header/array scrubbing, public-key exemption, raw-secret-under-preserved-sibling), and a full backup→restore round-trip.