Doctor/configure commands re-inject raw API keys into config file

[jasonrcox]

Description

Running openclaw doctor (or processes that trigger doctor internally) can re-inject raw API key values directly into openclaw.json, replacing ${ENV_VAR} references with the resolved plaintext secrets.

Problem

The config file supports environment variable substitution (e.g. ${GOOGLE_API_KEY}), and secrets are intended to live in ~/.openclaw/.env. However, when the doctor process runs — either explicitly or as part of config validation — it can write the resolved (plaintext) values back into the config JSON.

This means:

• Secrets end up in plaintext in openclaw.json
• The config file becomes unsafe to share, back up, or commit
• Users who carefully set up ${VAR} references find them silently replaced with raw keys

Expected Behavior

• Doctor/configure should never resolve ${ENV_VAR} references when writing config back to disk
• If a config value contains an env var reference, it should be preserved as-is in the written file
• Validation should resolve vars in-memory only, not persist the resolved values

Environment

• OpenClaw version: 2026.2.6-3
• OS: macOS (arm64)

Workaround

Avoid running openclaw doctor or openclaw configure if your config uses ${ENV_VAR} references for secrets. If accidentally run, manually restore the env var references from a backup.

[akoscz]

Investigation findings

Confirmed the bug. Here's the flow:

1. readConfigFileSnapshot() in src/config/io.ts reads openclaw.json, resolves $include directives, then calls resolveConfigEnvVars() to substitute ${VAR} references → snapshot.config contains plaintext secrets
2. snapshot.raw (original text) and snapshot.parsed (pre-substitution object) are preserved on the snapshot, but not used when writing back
3. Doctor (src/commands/doctor.ts:287) and configure wizard (src/commands/configure.wizard.ts) both call writeConfigFile(cfg) with the fully-resolved config object
4. writeConfigFile() serializes via JSON.stringify() → ${ANTHROPIC_API_KEY} becomes sk-ant-api03-xxxxx on disk

Affected code paths

• src/commands/doctor.ts:287 — writeConfigFile(cfg) after repair
• src/commands/configure.wizard.ts:251,284 — writeConfigFile(remoteConfig) / writeConfigFile(nextConfig)
• src/commands/doctor-config-flow.ts:216 — baseCfg = snapshot.config (already resolved)

Possible fix approaches

1. Template preservation — track which config values originated from ${VAR} references during substitution, restore them before writing. Would require resolveConfigEnvVars() to return a mapping of paths → original ${VAR} expressions.

2. Merge-on-write — instead of writing the full resolved config, diff the changes doctor/wizard made against the resolved baseline and merge only the changed fields into snapshot.parsed (pre-substitution). This preserves all ${VAR} references that weren't explicitly modified.

3. Raw text patching — for simple cases, use snapshot.raw and do targeted JSON key replacements. Fragile with JSON5/comments but preserves formatting.

Approach 2 (merge-on-write) seems most practical — it naturally handles the common case where doctor changes a few fields but shouldn't touch API keys.

[akoscz]

PR opened: #11560

Fix is at the writeConfigFile level — before serializing, it reads the current file pre-substitution and restores any ${VAR} references whose resolved values match the incoming config. This covers all 50+ write paths (doctor, configure, gateway config handlers, plugins, hooks, etc.) without requiring caller changes.

[sebslight]

Closing as duplicate of #9627. If this is incorrect, comment and we can reopen.