gateway config.get returns resolved secrets, injecting them into session context

[jasonrcox]

Description

The gateway config.get tool action returns the full config with all ${ENV_VAR} references resolved to their plaintext secret values. Since tool call results are stored in the conversation session transcript, this means every API key, bot token, and secret ends up persisted in the session JSONL files.

Impact

• Session transcripts contain plaintext secrets — stored in ~/.openclaw/agents/main/sessions/*.jsonl
• Agent context is polluted with secrets — the LLM sees all API keys in its conversation history
• Memory search could surface secrets — if session transcripts are indexed for semantic search
• Compaction summaries could leak secrets — if the model summarizes tool output containing keys
• Any session export, backup, or log review exposes credentials

Reproduction

1. Have a config with ${ENV_VAR} references for secrets (API keys, bot tokens, etc.)
2. Agent calls gateway config.get (or user asks about config)
3. The full resolved config including all plaintext secrets is returned as the tool result
4. This is now permanently in the session transcript

Expected Behavior

• config.get should redact or mask sensitive fields (anything matching common secret patterns: apiKey, token, secret, password)
• Or: return the raw ${ENV_VAR} references without resolving them
• Or: omit sensitive fields entirely from the tool response, with a note that they're configured but redacted

Environment

• OpenClaw version: 2026.2.6-3
• OS: macOS (arm64)

[akoscz]

Validation Report — Fix Confirmed in v2026.2.6+

We independently investigated this issue on our deployment (OpenClaw v2026.2.6-3, Linux) and can confirm the fix is in place.

Fix Details

• Commit: 0c7fa2b0d — security: redact credentials from config.get gateway responses (security: redact credentials from config.get gateway responses #9858)
• First release containing fix: v2026.2.6
• Module: src/config/redact-snapshot.ts

What the fix does

config.get now calls redactConfigSnapshot() before returning results. All fields matching sensitive key patterns (token, apiKey, password, secret) are replaced with a __OPENCLAW_REDACTED__ sentinel value. This applies to both the parsed config object and the raw JSON5 source text. A complementary restoreRedactedValues() function ensures credentials survive write round-trips (e.g. from the Web UI) without corruption.

Our validation

We audited all session transcripts (~/.openclaw/agents/*/sessions/*.jsonl) on a live deployment:

• Sessions created after the fix: config.get results contain __OPENCLAW_REDACTED__ sentinels — no plaintext secrets. ✅
• Sessions created before the fix: 6 older session files still contain the full unredacted config dump from prior config.get calls, including channel bot tokens and API keys. ❌

Remaining concern: historical session data

The fix prevents new leakage, but does not retroactively scrub existing session transcripts. Deployments that ran config.get on affected versions still have plaintext secrets persisted in their JSONL session files. Consider:

1. A built-in openclaw sessions scrub command that applies the redaction patterns from src/logging/redact.ts to existing session files
2. Documentation noting that users upgrading from pre-v2026.2.6 should audit/purge old session logs
3. A doctor check that warns if unredacted secrets are detected in session transcripts

[akoscz]

Proposed: sessions scrub command + doctor check for historical secret leakage

Following up on our earlier comment — we built the sessions scrub command and doctor check we suggested.

Branch: feature/sessions-scrub-doctor (4 commits, 562 lines across 7 files)

What it does

openclaw sessions scrub — Retroactive at-rest scrubbing of session JSONL files using the canonical patterns from src/logging/redact.ts.

• --dry-run to preview, --verbose for per-file details, --no-backup to skip .bak creation
• Reuses redactSensitiveText() directly — no pattern duplication
• Converts sessions to a command group (sessions list + sessions scrub), with openclaw sessions still defaulting to list for backwards compatibility

openclaw doctor check — Scans session files for unredacted secrets and suggests running sessions scrub. Scans all files (or random 200 sample for large deployments).

Documentation — Full docs at docs/cli/sessions-scrub.md covering usage, options, runtime vs at-rest redaction, doctor integration, and examples.

Why

The redactConfigSnapshot() fix (PR #9858, v2026.2.6) prevents new leakage, but anyone upgrading from a pre-fix version still has historical sessions with plaintext secrets from config.get calls. This provides the cleanup tooling.

Files changed

• src/commands/sessions-scrub.ts — Scrub command
• src/commands/doctor-sessions-secrets.ts — Doctor check
• src/gateway/session-utils.fs.ts — Shared findSessionFiles() utility
• src/cli/program/register.status-health-sessions.ts — CLI registration
• src/cli/program/command-registry.ts — Fast-path routing
• src/commands/doctor.ts — Wire in doctor check
• docs/cli/sessions-scrub.md — Documentation

Happy to open a PR if there's interest. Build/typecheck/lint all pass.

[akoscz]

Related PRs and how our changes fit in

We surveyed existing PRs in this space. Here's how everything relates:

PR	Status	What it does	Layer
#9858	✅ Merged (v2026.2.6)	config.get now calls redactConfigSnapshot() before returning	Root cause fix
#8322	Open	Redacts tool results before JSONL persistence (write-time)	Prevention
#10697	Open	Derives isSensitive from Zod schema for credential redaction	Schema-level
Ours (branch)	Proposed	sessions scrub command + doctor check for historical files	Remediation

These are complementary, not overlapping:

• security: redact credentials from config.get gateway responses #9858 fixed the root cause — config.get no longer leaks secrets into new sessions
• fix(security): redact secrets from tool results before JSONL persistence #8322 adds write-time protection — tool results are redacted before hitting .jsonl files
• Our contribution provides retroactive cleanup — scrubs secrets from sessions that were already written before security: redact credentials from config.get gateway responses #9858 and fix(security): redact secrets from tool results before JSONL persistence #8322 existed, plus a doctor check to detect the problem

Together they form a complete defense-in-depth chain: fix root cause → prevent at write → detect and remediate historical leakage. Anyone upgrading from a pre-fix version benefits from all three layers.

Also worth noting:

• docs(security): redaction guidance + quick hardening checklist #5507 (open) adds security/redaction docs — our docs/cli/sessions-scrub.md would complement that
• fix(tts): sanitize API keys from error messages #8103 (open) sanitizes API keys from TTS error messages — narrow fix, different scope

[akoscz]

PR opened: #11544

Adds openclaw sessions scrub CLI command to redact secrets from historical session JSONL files, plus an openclaw doctor check to detect unredacted secrets.

[Foxtr0t1337]

I think #9858 broke gateway dashboard config and macOS OpenClaw.app?
If every response is redacted, then when dashboard try to save, it will also attempt to save "__OPENCLAW_REDACTED__" as is.
Now every time I try to change the config in dashboard, it always says "Error: Invalid Config"

#11268
#11355

[sebslight]

Closing as duplicate of #5995. If this is incorrect, comment and we can reopen.