openclaw configure in 2026.2.6-3 writes redacted placeholder values to config file, destroying API keys

[jsquared71]

Bug Report

Version: 2026.2.6-3 (upgraded from 2026.2.3-1)

Summary:
Running openclaw configure (and likely other config-writing commands) in version 2026.2.6-3 writes the security redaction placeholder __OPENCLAW_REDACTED__ to the actual openclaw.json file instead of preserving the real values. This destroys all API keys, tokens, and even numeric configuration values.

Steps to Reproduce

1. Update OpenClaw to 2026.2.6-3
2. Run openclaw configure
3. Check ~/.openclaw/openclaw.json

Expected Behavior

Config file should retain all original API keys, tokens, and configuration values. Security redaction should only apply to:

• API responses (when querying config via gateway)
• Logs and output
• Never to the actual file on disk

Actual Behavior

All sensitive values are replaced with __OPENCLAW_REDACTED__ in the actual config file, including:

• channels.discord.token
• env.vars.BRAVE_API_KEY
• env.vars.DEEPSEEK_API_KEY
• models.providers.deepseek.apiKey
• gateway.auth.token
• tools.web.search.apiKey
• skills.entries.*.apiKey
• Even numeric values like models.providers.*.models[].maxTokens (should be 8192, etc.)

Impact

Critical - This bug will:

• Break Discord connectivity (token destroyed)
• Break all API-based models (DeepSeek, etc.)
• Break web search functionality
• Break all skills requiring API keys
• Corrupt numeric config values
• Require users to manually restore all credentials from backup

Workaround

1. Restore openclaw.json from backup before running configure
2. Avoid running openclaw configure, openclaw doctor --fix, or any command that writes config until fixed
3. Consider rolling back to 2026.2.3-1

Additional Context

• Affected command: openclaw configure (timestamp: 2026-02-07T16:10:54Z)
• Wizard metadata in damaged file shows: "lastRunCommand": "configure", "lastRunVersion": "2026.2.6-3"
• The redaction mechanism appears to be incorrectly applied during config write operations
• User confirmed config file was valid before running configure, damaged after

[jsquared71]

Update: Attempted to reproduce immediately after filing this issue (same system, same version 2026.2.6-3) by running openclaw configure again, and the bug did not reproduce - config file remained intact with all real values.

This suggests the bug may be:

• Specific to the initial post-update flow (first configure or doctor run after upgrading)
• Related to some transient state during the update process
• A race condition or timing issue

The bug definitely occurred the first time (confirmed with backup file showing damage), but was not reproducible on subsequent attempts.

[Cinerar]

Definitely smth happens with configs, when i change my openclaw docker-image to 2026.2.6-3 my ollama connection breaks, if i change back to 2025.2.3, everything is working again with same config.

[jsquared71]

IMPORTANT UPDATE - Root Cause Identified:

The bug is not from the CLI openclaw configure command. The actual culprit is the macOS menu bar panel's Config UI.

Actual Trigger

1. User opens the Config tab in the Mac menu bar app
2. Makes changes (or clicks Save)
3. The panel reads config via gateway API (which correctly returns redacted values for security)
4. But then writes that redacted response back to the file instead of preserving real values

Why the CLI didn't reproduce

The second openclaw configure attempt via CLI worked fine because the CLI is not affected by this bug - only the Mac app's config save logic is broken.

Timeline clarification

• User updated OpenClaw to 2026.2.6-3
• Installed Mac menu bar panel (build 9039)
• Used panel's Config UI to check that models were enabled
• Config file got corrupted at that moment (not from CLI)

Impact

Anyone using the Mac menu bar panel to edit config will have their API keys and numeric values destroyed on save.

Fix needed

The Mac app's config save logic needs to:

1. Read current config from disk (not via API) to preserve real values
2. Merge user changes
3. Write back with real values intact
4. OR: use a dedicated write endpoint that accepts unredacted values

[rayseling]

same bug，can't launch macOS app

[isfinne]

same question

[lloyd094]

Same bug on my end.

[Foxtr0t1337]

I think the web dashboard is also broken?
Those fields are empty in dashboard, and can't save config on gateway dashboard.

[echobb8]

I just ran into this issue on the latest version of OpenClaw. Totally broke everything. Thankfully I had backups. Totally nuked the values for maxTokens, contextTokens and API keys.

[youzaiooo]

I encountered the same problem, the macOS application of openclaw cannot be used at all, otherwise it will change openclaw.json.