Bug type
Regression (worked before, now fails)
Summary
The Control UI cannot save any config changes when the config contains source: "exec" SecretRef fields. The gateway API redacts SecretRef id values to OPENCLAW_REDACTED in config.get responses, but 2026.3.11 introduced stricter validation on config.set that rejects OPENCLAW_REDACTED because it starts with , which fails the new regex /^[A-Za-z0-9][A-Za-z0-9.:/-]{0,255}$/. The gateway is rejecting its own redacted sentinel value.
Steps to reproduce
- Configure any channel with a SecretRef for its token (e.g., channels.telegram.botToken with source: "exec")
- Open the Control UI dashboard
- Navigate to any agent (e.g., Agents)
- Make an unrelated change (e.g., change primary model)
- Click Save
- Observe: red error toast — GatewayRequestError: invalid config
Expected behavior: Save should succeed. SecretRef fields the user didn't modify should be preserved transparently.
Expected behavior
Save should succeed. SecretRef fields the user didn't modify should be preserved transparently.
Actual behavior
- config.get returns "id": "OPENCLAW_REDACTED"
- UI reads redacted config into its editor state
- User modifies an unrelated field, clicks Save
- UI sends full config back including "id": "OPENCLAW_REDACTED"
- New SecretRef ID validation rejects it — first char _ fails [A-Za-z0-9]
- Config save rejected
OpenClaw version
2026.3.11 (29dc654)
Operating system
Ubuntu 24.04 LTS
Install method
npm global
Model
anthropic/claude-sonnet-4-6 / anthropic/claude-opus-4-6
Provider / routing chain
openclaw -> anthropic (direct)
Config file / key location
~/.openclaw/openclaw.json ; channels.telegram.botToken ; channels.discord.token
Additional provider/model setup details
bug is in config validation, not model-specific
Logs, screenshots, and evidence
Impact and severity
Medium — All users with SecretRef-based credentials cannot save ANY config changes through the Control UI. UI is effectively read-only. No data loss — saves rejected cleanly.
Additional information
Suggested fixes:
- (Preferred) Gateway recognizes OPENCLAW_REDACTED as sentinel on config.set and preserves the original value
- UI strips/omits redacted fields from the config.set payload
- Change placeholder to pass regex (least preferred)
Workaround: Edit ~/.openclaw/openclaw.json directly instead of using the Control UI.
Note: Users following the security best practice of using SecretRefs are the ones affected — the most security-conscious config pattern breaks the UI.
Bug type
Regression (worked before, now fails)
Summary
The Control UI cannot save any config changes when the config contains source: "exec" SecretRef fields. The gateway API redacts SecretRef id values to OPENCLAW_REDACTED in config.get responses, but 2026.3.11 introduced stricter validation on config.set that rejects OPENCLAW_REDACTED because it starts with , which fails the new regex /^[A-Za-z0-9][A-Za-z0-9.:/-]{0,255}$/. The gateway is rejecting its own redacted sentinel value.
Steps to reproduce
Expected behavior: Save should succeed. SecretRef fields the user didn't modify should be preserved transparently.
Expected behavior
Save should succeed. SecretRef fields the user didn't modify should be preserved transparently.
Actual behavior
OpenClaw version
2026.3.11 (29dc654)
Operating system
Ubuntu 24.04 LTS
Install method
npm global
Model
anthropic/claude-sonnet-4-6 / anthropic/claude-opus-4-6
Provider / routing chain
openclaw -> anthropic (direct)
Config file / key location
~/.openclaw/openclaw.json ; channels.telegram.botToken ; channels.discord.token
Additional provider/model setup details
bug is in config validation, not model-specific
Logs, screenshots, and evidence
Impact and severity
Medium — All users with SecretRef-based credentials cannot save ANY config changes through the Control UI. UI is effectively read-only. No data loss — saves rejected cleanly.
Additional information
Suggested fixes:
Workaround: Edit ~/.openclaw/openclaw.json directly instead of using the Control UI.
Note: Users following the security best practice of using SecretRefs are the ones affected — the most security-conscious config pattern breaks the UI.