openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/agents/auth-profiles.ensureauthprofilestore.test.ts‎
Lines changed: 13 additions & 4 deletions b/‎src/agents/auth-profiles.ensureauthprofilestore.test.ts‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎src/agents/auth-profiles/external-cli-sync.ts‎
Lines changed: 12 additions & 6 deletions b/‎src/agents/auth-profiles/external-cli-sync.ts‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎src/agents/auth-profiles/external-oauth.test.ts‎
Lines changed: 40 additions & 1 deletion b/‎src/agents/auth-profiles/external-oauth.test.ts‎
Lines changed: 40 additions & 1 deletion
diff --git a/‎src/agents/auth-profiles/oauth.adopt-identity.test.ts‎
Lines changed: 20 additions & 18 deletions b/‎src/agents/auth-profiles/oauth.adopt-identity.test.ts‎
Lines changed: 20 additions & 18 deletions
diff --git a/‎src/agents/auth-profiles/oauth.mirror-refresh.test.ts‎
Lines changed: 45 additions & 20 deletions b/‎src/agents/auth-profiles/oauth.mirror-refresh.test.ts‎
Lines changed: 45 additions & 20 deletions
@@ -48,6 +48,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Redact persisted secret-shaped payloads [AI]. (#79006) Thanks @pgondhi987.
 - OpenAI Codex: surface browser OAuth and device-code login failures instead of treating failed logins as empty successful auth results. Refs #80363.
 - CLI agents: carry runtime-only current-turn sender/reply context into CLI model prompts while keeping prompt-build hook input and transcript text clean.
 - fix(matrix): gate name-based allowlist resolution [AI]. (#79007) Thanks @pgondhi987.
 
@@ -816,14 +816,23 @@ describe("ensureAuthProfileStore", () => {
       const persisted = JSON.parse(
         fs.readFileSync(path.join(agentDir, "auth-profiles.json"), "utf8"),
       ) as {
-        profiles: Record<string, unknown>;
+        profiles: Record<string, Record<string, unknown>>;
       };
-      expectRecordFields(persisted.profiles["openai-codex:default"], {
+      const persistedProfile = persisted.profiles["openai-codex:default"];
+      expect(persistedProfile).toMatchObject({
         type: "oauth",
         provider: "openai-codex",
-        access: "access-token",
-        refresh: "refresh-token",
+        oauthRef: {
+          source: "openclaw-credentials",
+          provider: "openai-codex",
+          id: expect.any(String),
+        },
       });
+      expect(persistedProfile).not.toHaveProperty("access");
+      expect(persistedProfile).not.toHaveProperty("refresh");
+      expect(persistedProfile).not.toHaveProperty("idToken");
+      expect(JSON.stringify(persisted)).not.toContain("access-token");
+      expect(JSON.stringify(persisted)).not.toContain("refresh-token");
     } finally {
       clearRuntimeAuthProfileStoreSnapshots();
       restoreEnvValue("OPENCLAW_STATE_DIR", previousStateDir);
 
@@ -145,6 +145,12 @@ function resolveExternalCliSyncProvider(params: {
   return provider;
 }
 
+function hasInlineOAuthTokenMaterial(credential: OAuthCredential): boolean {
+  return [credential.access, credential.refresh, credential.idToken].some(
+    (value) => typeof value === "string" && value.trim().length > 0,
+  );
+}
+
 export function readExternalCliBootstrapCredential(params: {
   profileId: string;
   credential: OAuthCredential;
@@ -153,11 +159,7 @@ export function readExternalCliBootstrapCredential(params: {
   if (!provider) {
     return null;
   }
-  // bootstrapOnly providers must not replace an existing local credential
-  // during runtime refresh. The oauth-manager only calls this hook when a
-  // local credential is already present, so returning null here keeps the
-  // locally stored refresh token canonical.
-  if (provider.bootstrapOnly) {
+  if (provider.bootstrapOnly && hasInlineOAuthTokenMaterial(params.credential)) {
     return null;
   }
   return provider.readCredentials();
@@ -248,7 +250,11 @@ export function resolveExternalCliAuthProfiles(
       });
       continue;
     }
-    if (providerConfig.bootstrapOnly && existingOAuth) {
+    if (
+      providerConfig.bootstrapOnly &&
+      existingOAuth &&
+      hasInlineOAuthTokenMaterial(existingOAuth)
+    ) {
       log.debug("kept local oauth over external cli bootstrap-only provider", {
         profileId: providerConfig.profileId,
         provider: providerConfig.provider,
 
@@ -5,6 +5,7 @@ import {
   overlayExternalOAuthProfiles,
   shouldPersistExternalOAuthProfile,
 } from "./external-auth.js";
+import { readManagedExternalCliCredential } from "./external-cli-sync.js";
 import type { AuthProfileStore, OAuthCredential } from "./types.js";
 
 const resolveExternalAuthProfilesWithPluginsMock = vi.fn<
@@ -158,7 +159,7 @@ describe("auth external oauth helpers", () => {
     expect(shouldPersist).toBe(true);
   });
 
-  it("does not use Codex CLI OAuth as a runtime overlay source", () => {
+  it("keeps Codex CLI OAuth from replacing stored inline token material", () => {
     readCodexCliCredentialsCachedMock.mockReturnValue(
       createCredential({
         access: "fresh-cli-access-token",
@@ -185,6 +186,44 @@ describe("auth external oauth helpers", () => {
     expect(profile.accountId).toBe("acct-cli");
   });
 
+  it("uses Codex CLI OAuth when the stored Codex profile has no inline token material", () => {
+    const cliCredential = createCredential({
+      access: "fresh-cli-access-token",
+      refresh: "fresh-cli-refresh-token",
+      expires: createUsableOAuthExpiry(),
+      accountId: "acct-cli",
+    });
+    const tokenlessCredential = {
+      type: "oauth",
+      provider: "openai-codex",
+      expires: Date.now() - 60_000,
+      accountId: "acct-cli",
+    } as OAuthCredential;
+    readCodexCliCredentialsCachedMock.mockReturnValue(cliCredential);
+
+    const overlaid = overlayExternalOAuthProfiles(
+      createStore({
+        "openai-codex:default": tokenlessCredential,
+      }),
+    );
+
+    expect(overlaid.profiles["openai-codex:default"]).toMatchObject({
+      access: "fresh-cli-access-token",
+      refresh: "fresh-cli-refresh-token",
+      accountId: "acct-cli",
+    });
+    expect(
+      readManagedExternalCliCredential({
+        profileId: "openai-codex:default",
+        credential: tokenlessCredential,
+      }),
+    ).toMatchObject({
+      access: "fresh-cli-access-token",
+      refresh: "fresh-cli-refresh-token",
+      accountId: "acct-cli",
+    });
+  });
+
   it("keeps healthy local oauth even when external cli has a fresher token", () => {
     readCodexCliCredentialsCachedMock.mockReturnValue(
       createCredential({
 
@@ -29,18 +29,18 @@ const {
   formatProviderAuthProfileApiKeyWithPluginMock,
 } = getOAuthProviderRuntimeMocks();
 
-function expectOAuthProfileFields(
-  store: AuthProfileStore,
-  profileId: string,
-  params: { access: string; accountId: string },
-) {
-  const credential = store.profiles[profileId];
-  expect(credential?.type).toBe("oauth");
-  if (credential?.type !== "oauth") {
-    throw new Error(`Expected OAuth credential for ${profileId}`);
-  }
-  expect(credential.access).toBe(params.access);
-  expect(credential.accountId).toBe(params.accountId);
+function expectPersistedOpenAICodexProfileWithoutInlineTokens(
+  credential: AuthProfileStore["profiles"][string],
+  metadata: Record<string, unknown> = {},
+): void {
+  expect(credential).toMatchObject({
+    type: "oauth",
+    provider: "openai-codex",
+    ...metadata,
+  });
+  expect(credential).not.toHaveProperty("access");
+  expect(credential).not.toHaveProperty("refresh");
+  expect(credential).not.toHaveProperty("idToken");
 }
 
 // Cross-account-leak defense-in-depth: each adopt site in oauth.ts calls the
@@ -138,10 +138,11 @@ describe("OAuth credential adoption is identity-gated", () => {
     const subRaw = JSON.parse(
       await fs.readFile(path.join(subAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    expectOAuthProfileFields(subRaw, profileId, {
-      access: "sub-own-access",
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(subRaw.profiles[profileId], {
       accountId: "acct-sub",
+      expires: subExpiry,
     });
+    expect(JSON.stringify(subRaw)).not.toContain("sub-own-access");
   });
 
   it("inside-the-lock main adoption refuses across accountId mismatch and proceeds to own refresh", async () => {
@@ -210,10 +211,11 @@ describe("OAuth credential adoption is identity-gated", () => {
     const mainRaw = JSON.parse(
       await fs.readFile(path.join(mainAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    expectOAuthProfileFields(mainRaw, profileId, {
-      access: "main-foreign-access",
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(mainRaw.profiles[profileId], {
       accountId: "acct-other",
+      expires: freshExpiry,
     });
+    expect(JSON.stringify(mainRaw)).not.toContain("main-foreign-access");
   });
 
   it("catch-block main-inherit refuses across accountId mismatch and surfaces the original error", async () => {
@@ -286,9 +288,9 @@ describe("OAuth credential adoption is identity-gated", () => {
     const subRaw = JSON.parse(
       await fs.readFile(path.join(subAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    expectOAuthProfileFields(subRaw, profileId, {
-      access: "sub-stale",
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(subRaw.profiles[profileId], {
       accountId: "acct-sub",
     });
+    expect(JSON.stringify(subRaw)).not.toContain("sub-stale");
   });
 });
@@ -28,6 +28,20 @@ const {
   formatProviderAuthProfileApiKeyWithPluginMock,
 } = getOAuthProviderRuntimeMocks();
 
+function expectPersistedOpenAICodexProfileWithoutInlineTokens(
+  credential: AuthProfileStore["profiles"][string],
+  metadata: Record<string, unknown> = {},
+): void {
+  expect(credential).toMatchObject({
+    type: "oauth",
+    provider: "openai-codex",
+    ...metadata,
+  });
+  expect(credential).not.toHaveProperty("access");
+  expect(credential).not.toHaveProperty("refresh");
+  expect(credential).not.toHaveProperty("idToken");
+}
+
 function requireOAuthCredential(store: AuthProfileStore, profileId: string): OAuthCredential {
   const profile = store.profiles[profileId];
   if (!profile || profile.type !== "oauth") {
@@ -36,7 +50,7 @@ function requireOAuthCredential(store: AuthProfileStore, profileId: string): OAu
   return profile;
 }
 
-vi.mock("@earendil-works/pi-ai/oauth", () => ({
+vi.mock("@mariozechner/pi-ai/oauth", () => ({
   getOAuthProviders: () => [{ id: "anthropic" }, { id: "openai-codex" }],
   getOAuthApiKey: vi.fn(async (provider: string, credentials: Record<string, OAuthCredential>) => {
     const credential = credentials[provider];
@@ -85,7 +99,7 @@ describe("resolveApiKeyForProfile OAuth refresh mirror-to-main (#26322)", () =>
     await removeOAuthTestTempRoot(tempRoot);
   });
 
-  it("mirrors refreshed credentials into the main store so peers skip refresh", async () => {
+  it("mirrors refreshed Codex OAuth metadata into the main store without inline tokens", async () => {
     const profileId = "openai-codex:default";
     const provider = "openai-codex";
     const accountId = "acct-shared";
@@ -116,15 +130,17 @@ describe("resolveApiKeyForProfile OAuth refresh mirror-to-main (#26322)", () =>
 
     expect(result?.apiKey).toBe("sub-refreshed-access");
 
-    // Main store should now carry the refreshed credential, so a peer agent
-    // starting fresh will adopt rather than race.
+    // Main store should now carry refreshed metadata, so a peer agent
+    // starting fresh can resolve the runtime credential without token races.
     const mainRaw = JSON.parse(
       await fs.readFile(path.join(mainAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    const mainCredential = requireOAuthCredential(mainRaw, profileId);
-    expect(mainCredential.access).toBe("sub-refreshed-access");
-    expect(mainCredential.refresh).toBe("sub-refreshed-refresh");
-    expect(mainCredential.expires).toBe(freshExpiry);
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(mainRaw.profiles[profileId], {
+      expires: freshExpiry,
+      accountId,
+    });
+    expect(JSON.stringify(mainRaw)).not.toContain("sub-refreshed-access");
+    expect(JSON.stringify(mainRaw)).not.toContain("sub-refreshed-refresh");
   });
 
   it("does not mirror when refresh was performed from the main agent itself", async () => {
@@ -161,10 +177,11 @@ describe("resolveApiKeyForProfile OAuth refresh mirror-to-main (#26322)", () =>
     const mainRaw = JSON.parse(
       await fs.readFile(path.join(mainAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    const mainCredential = requireOAuthCredential(mainRaw, profileId);
-    expect(mainCredential.access).toBe("main-refreshed-access");
-    expect(mainCredential.refresh).toBe("main-refreshed-refresh");
-    expect(mainCredential.expires).toBe(freshExpiry);
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(mainRaw.profiles[profileId], {
+      expires: freshExpiry,
+    });
+    expect(JSON.stringify(mainRaw)).not.toContain("main-refreshed-access");
+    expect(JSON.stringify(mainRaw)).not.toContain("main-refreshed-refresh");
     expect(refreshProviderOAuthCredentialWithPluginMock).toHaveBeenCalledTimes(1);
   });
 
@@ -332,17 +349,22 @@ describe("resolveApiKeyForProfile OAuth refresh mirror-to-main (#26322)", () =>
     const subRaw = JSON.parse(
       await fs.readFile(path.join(subAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    const subCredential = requireOAuthCredential(subRaw, profileId);
-    expect(subCredential.access).toBe("local-stale-access");
-    expect(subCredential.refresh).toBe("local-stale-refresh");
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(subRaw.profiles[profileId], {
+      expires: now - 120_000,
+      accountId,
+    });
+    expect(JSON.stringify(subRaw)).not.toContain("local-stale-access");
+    expect(JSON.stringify(subRaw)).not.toContain("local-stale-refresh");
 
     const mainRaw = JSON.parse(
       await fs.readFile(path.join(mainAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    const mainCredential = requireOAuthCredential(mainRaw, profileId);
-    expect(mainCredential.access).toBe("main-owner-refreshed-access");
-    expect(mainCredential.refresh).toBe("main-owner-refreshed-refresh");
-    expect(mainCredential.expires).toBe(freshExpiry);
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(mainRaw.profiles[profileId], {
+      expires: freshExpiry,
+      accountId,
+    });
+    expect(JSON.stringify(mainRaw)).not.toContain("main-owner-refreshed-access");
+    expect(JSON.stringify(mainRaw)).not.toContain("main-owner-refreshed-refresh");
   });
 
   it("inherits main-agent credentials via the catch-block fallback when refresh throws after main becomes fresh", async () => {
@@ -410,7 +432,10 @@ describe("resolveApiKeyForProfile OAuth refresh mirror-to-main (#26322)", () =>
     const subRaw = JSON.parse(
       await fs.readFile(path.join(subAgentDir, "auth-profiles.json"), "utf8"),
     ) as AuthProfileStore;
-    expect(requireOAuthCredential(subRaw, profileId).access).toBe("cached-access-token");
+    expectPersistedOpenAICodexProfileWithoutInlineTokens(subRaw.profiles[profileId], {
+      accountId: "acct-shared",
+    });
+    expect(JSON.stringify(subRaw)).not.toContain("cached-access-token");
   });
 
   it("mirrors refreshed credentials produced by the plugin-refresh path", async () => {