[Bug]: doctor --fix redacts live secrets in config file (botToken → __OPENCLAW_REDACTED__)

[kyupark]

Summary

openclaw doctor --fix writes redaction placeholders (__OPENCLAW_REDACTED__) into the actual config file on disk, permanently destroying secrets. It also strips the gateway.auth block entirely. This is not a display issue — the redacted values are persisted and break the gateway on next restart.

Steps to Reproduce

1. Have a working openclaw.json with:
   • channels.telegram.botToken set to a valid Telegram bot token
   • gateway.auth block with mode: "token" and a valid token
2. Run openclaw doctor --fix (or have it run via cron: openclaw update --yes && openclaw doctor --fix && openclaw gateway restart)
3. Check openclaw.json

Actual Result

"channels": {
  "telegram": {
    "botToken": "__OPENCLAW_REDACTED__"
  }
}

• gateway.auth block is completely removed
• Gateway fails on next start: Call to 'getMe' failed! (404: Not Found) and Refusing to bind gateway to lan without auth

Expected Result

doctor --fix should never write redaction placeholders to the config file. Redaction belongs in display/log output only. The gateway.auth block should not be stripped.

Impact

Destructive — silently destroys credentials in the live config. Especially dangerous when run on a schedule (e.g., cron every 3 hours), as it repeatedly breaks the gateway and requires manual secret restoration each time.

Workaround

• Remove --fix from any cron jobs
• Manually restore botToken and gateway.auth after each doctor --fix run

Related

• openclaw doctor --fix overwrites valid config without backup #12858 — doctor --fix overwrites valid config without backup (general case)
• This issue is specifically about writing redaction placeholders to disk, which is a distinct bug from config restructuring

Environment

• macOS (arm64)
• OpenClaw 2026.2.15

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[okuyam2y]

Confirming this is still happening on v2026.3.9 — and the scope is wider than doctor --fix.

The macOS app's config serializer also redacts SecretRef.id fields (not just plaintext secrets) when it writes openclaw.json. This means opening the Mac app once is enough to break standalone gateway startup via openclaw gateway run or launchd, because:

1. Mac app opens → reads config → writes back with __OPENCLAW_REDACTED__ in secrets.providers.*.source, secrets.providers.*.path, and all apiKey.id / botToken.id fields
2. Standalone gateway reads the file directly → schema validation fails ("File secret reference id must be an absolute JSON pointer")
3. openclaw doctor --fix does not repair the damage

The redaction is one-way — the original plaintext values are only recoverable from .bak.* files.

Workaround: store secrets in ~/.openclaw/secrets.json and use SecretRef objects with JSON pointer ids. After the Mac app overwrites the config, a script can restore the id fields without needing the actual secret values.

[newcodebook]

This one is genuinely dangerous in automation: anything that writes __OPENCLAW_REDACTED__ back into the live openclaw.json turns redaction into data loss.

Immediate containment (stop the bleeding):

1. Remove openclaw doctor --fix (and any “config re-serializer” step) from cron / upgrade scripts until this is fixed.
2. Restore secrets from the most recent backup copy.

On macOS/Linux, a quick way to find recoverable backups is:

ls -lt ~/.openclaw/openclaw.json* | head
# then restore the last good one (example)
cp ~/.openclaw/openclaw.json.bak.<TIMESTAMP> ~/.openclaw/openclaw.json
openclaw gateway restart

Hardening (reduce future blast radius):

• Don’t store raw secrets inline in openclaw.json. Prefer env substitution (e.g. "botToken": "${TELEGRAM_BOT_TOKEN}") or split secrets into an included local file (so a serializer can’t “redact and destroy” your only copy).

Recommended reading:

• OpenClaw Configuration Guide: openclaw.json, Models, Gateway, Channels, and Plugins
• OpenClaw Backup and Rollback: How to Use openclaw backup create and verify Safely

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.