config-audit.jsonl logs plaintext secrets in CLI argv

[Belthezar46]

Description

The config tamper detection system (config-audit.jsonl) records full CLI argument vectors when config changes are detected. These argv entries contain plaintext secrets (gateway tokens, bot tokens, API keys) that were passed as command-line arguments or present in the process environment.

A security audit log that leaks credentials is counterproductive.

Steps to Reproduce

1. Have config tamper detection enabled (default behavior)
2. Make any config change that triggers an audit entry
3. Inspect ~/.openclaw/logs/config-audit.jsonl
4. Observe full CLI argv including plaintext tokens in logged entries

Expected Behavior

Audit log entries should:

• Record the SHA-256 hash of config changes (already does this correctly)
• Record suspicious signature detection (already does this correctly)
• NOT include raw CLI argv containing plaintext secrets
• Either omit argv entirely, or scrub known secret patterns before logging

Actual Behavior

Full argv arrays are logged, including values like:

• Gateway auth tokens
• Telegram bot tokens
• Any environment variables passed via CLI

Impact

• Credential exposure at rest — anyone with read access to the logs directory can extract live credentials
• Ironic for a security control — the mechanism designed to detect config tampering is itself a credential leak vector
• Credentials persist in the log file indefinitely unless manually scrubbed

Suggested Fix

1. Strip argv entries from audit log writes, or
2. Apply the same redactSensitive patterns used elsewhere to scrub argv before logging, or
3. Replace literal values with hashes/redaction markers (e.g., --token=[REDACTED:sha256:a1b2...])

Workaround

Manual scrub script that post-processes the log file:

// Replace strings >20 chars matching token/key patterns with [REDACTED]

We wrote one (scrub-config-audit-log.js) but this should be fixed at the source.

Labels

bug, security, logging

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this open. Current main still persists raw process.argv.slice(0, 8) into config-audit write, observe, and recovery records, and the records are appended without a redaction step. There is now an open unmerged fix PR (#75095) with closing syntax for this issue, so the issue should stay open until that PR or an equivalent fix lands.

Required change / next step:

Do not queue a second repair job: this is security-sensitive credential handling and #75095 is already an open closing PR for the same issue, so the next action is maintainer review, rebase, and landing or closing that PR.

Security review:

Security review needs attention: Current main still has a concrete credential-at-rest exposure because config-audit records persist raw CLI argv without redaction.

Review details

Best possible solution:

Land #75095 or an equivalent focused fix that centralizes config-audit process-info sanitization, or omits argv, before any write, async observe, sync observe, or observe-recovery audit record is appended. The fix should cover --flag value, --flag=value, common token shapes, caller-supplied processInfo, and forced redaction independent of logging.redactSensitive.

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence source reproduction is to pass a secret-bearing CLI flag in the first eight argv entries and trigger a config write or observe anomaly; current main copies that argv array directly into the persisted audit JSONL record.

Is this the best way to solve the issue?

Yes, the narrow maintainable solution is to sanitize at the shared config-audit process snapshot boundary, or remove argv entirely, with focused tests for every audit record builder. The current open PR follows that direction but has not merged, so this issue should remain open.

Security concerns:

• [high] Raw argv can persist token-bearing CLI flags — src/config/io.audit.ts:172
  Config write, observe, and recovery audit paths copy process.argv.slice(0, 8) into records, and the append helpers serialize those records directly to config-audit.jsonl. Secret-bearing flags such as tokens or API keys can therefore be stored on disk until a redaction or omission fix lands.
  Confidence: 0.94

What I checked:

• Current main verified: HEAD is the requested current main SHA used for source inspection. (adc20fed0d15)
• Write audit captures raw argv: resolveConfigAuditProcessInfo() snapshots process.argv.slice(0, 8) and createConfigWriteAuditRecordBase() copies that snapshot into config.write records. (src/config/io.audit.ts:172, adc20fed0d15)
• Audit append has no record-level redaction: The async append helper serializes record directly with JSON.stringify(record) before appending to config-audit.jsonl; the sync helper does the same. (src/config/io.audit.ts:316, adc20fed0d15)
• Async observe path captures raw argv: The async config observe anomaly record includes argv: process.argv.slice(0, 8) before calling appendConfigAuditRecord. (src/config/io.ts:719, adc20fed0d15)
• Sync observe path captures raw argv: The sync config observe anomaly record includes argv: process.argv.slice(0, 8) before calling appendConfigAuditRecordSync. (src/config/io.ts:853, adc20fed0d15)
• Observe recovery captures raw argv: createConfigObserveAuditRecord() writes argv: process.argv.slice(0, 8) into recovery/anomaly observe records. (src/config/io.observe-recovery.ts:148, adc20fed0d15)

Likely related people:

• steipete: Recent GitHub commit history for the central audit and recovery files shows repeated config-audit, config recovery, and redaction-adjacent work by this maintainer, including Config: fix audit base record type, fix: recover invalid gateway configs, and fix(config): recover critical config clobbers. (role: current config-audit and config recovery maintainer; confidence: high; commits: ae12aa49c3f2, ffb1628727fd, 7b2c9a6fa3d3; files: src/config/io.audit.ts, src/config/io.ts, src/config/io.observe-recovery.ts)
• shakkernerd: Recent src/config/io.ts history includes several config write and plugin config migration fixes by this contributor, making them a useful adjacent reviewer for write-path interactions even though the audit leak itself is in shared audit fields. (role: recent adjacent config write maintainer; confidence: medium; commits: 5a72378b2797, fd6c9fc7f5f6, 1848d0dd381e; files: src/config/io.ts)
• jalehman: Recent history for src/config/io.observe-recovery.ts includes a recovery-policy fix by this contributor, so they are a relevant secondary reviewer for the observe-recovery side of the audit record flow. (role: recent observe-recovery maintainer; confidence: medium; commits: f369939fedd5; files: src/config/io.observe-recovery.ts)

Remaining risk / open question:

• Closing now would leave a credential-at-rest exposure path for token-bearing CLI arguments in the first eight argv entries of config write, observe, and recovery audit records.
• The open fix PR fix(config-audit): redact CLI argv secrets before persisting to log #75095 is currently unmerged and reported mergeable: false by the GitHub API, so it may need rebase or maintainer review before it can resolve the issue.
• Current tests around src/config/io.audit.test.ts cover audit path and record behavior but do not assert redaction of argv secrets on current main.

Codex review notes: model gpt-5.5, reasoning high; reviewed against adc20fed0d15.