Bug: openclaw doctor clears custom API keys from secrets section

[GusBot69]

Description

Running openclaw doctor --fix or openclaw doctor --repair removes custom API keys from the secrets section of openclaw.json.

Steps to Reproduce

1. Add custom API keys directly under the secrets section:

   "secrets": {
     "brave_news_api_key": "BSACsc...",
     "football_data_api_key": "ac6b2a...",
     "alpha_vantage_api_key": "J22HYYG..."
   }

2. Run openclaw doctor --fix or openclaw doctor --repair
3. Check openclaw.json - the secrets section is now empty: "secrets": {}

Expected Behavior

Custom API keys stored directly under secrets should be preserved during doctor runs.

Root Cause

The SecretsConfigSchema in auth-profiles-CNyDTsy4.js uses .strict() validation which only allows 3 specific keys:

• providers
• defaults
• resolution

When doctor runs with --fix/--repair, it calls stripUnknownConfigKeys() which uses Zod's strict validation. Custom keys like brave_news_api_key are treated as "unrecognized keys" and deleted.

Suggested Fix

Change SecretsConfigSchema from .strict() to .catchall(z.string()) to allow arbitrary key-value pairs.

Environment

• OpenClaw version: 2026.3.2
• Node version: v22.22.0
• OS: Linux (Raspberry Pi)

Workaround

Run openclaw doctor without --fix or --repair flags to avoid key deletion.

[Dingding-leo]

This is a destructive bug - doctor --fix deletes custom API keys from secrets.

Root cause:

// SecretsConfigSchema uses .strict()
const SecretsConfigSchema = z.object({
  providers: ...,
  defaults: ...,
  resolution: ...
}).strict()  // Rejects any extra keys!

Fix:

// Allow arbitrary keys:
const SecretsConfigSchema = z.object({
  providers: ...,
  defaults: ...,
  resolution: ...
}).catchall(z.string())  // Accept any extra keys

Impact:

• Custom API keys are silently deleted
• Users lose their configured secrets
• Workaround: don't use --fix/--repair

This is high severity - doctor is supposed to help, not destroy user configuration.

[byungsker]

I'd like to work on this! 🙋

[mayuegood]

I'm looking into this and plan to submit a PR shortly. The fix using .catchall() approach is clear - I'll implement and test it.

[mayuegood]

Fix Complete ✅

I've implemented the fix for this issue. The problem was that .strict() was rejecting custom API keys and other user-defined fields.

Solution

Replaced .strict() with .catchall(z.unknown()) in three places:

• defaults object (line 164)
• resolution object (line 177)
• Top-level secrets object (line 180)

Changes

-      .strict()
+      .catchall(z.unknown())  // Allow arbitrary extra keys (e.g., custom API keys)

Testing

• Schema parsing test: ✅ Passes
• Existing tests: ✅ Passes
• Manual verification: Custom fields are now preserved

The fix allows arbitrary extra keys to be preserved while still validating known fields. This ensures that doctor --fix won't delete user-defined custom API keys from the secrets configuration.

[Sid-Qin]

Submitted a fix in PR #33711. Changes SecretsConfigSchema from strict() to passthrough() so custom user-defined API keys are preserved during config parsing.