[Security]: session transcript persistence path missing redaction gate

[Ziy1-Tan]

Summary

One of the remaining gaps under #64046 where message payloads reach disk storage without passing through the standard redaction pipeline.

Scope

Session transcript write paths (appendSessionTranscriptMessage call sites) in core session management, CLI attempt execution, gateway inject, and bundled extension mirror surfaces.

Approach taken

Rather than applying guard infrastructure at each bare entry point, redaction is centralised at the single write layer in appendSessionTranscriptMessage (in src/config/sessions/transcript-append.ts). The four redact helpers previously local to session-tool-result-guard-wrapper.ts are extracted into a new shared module src/agents/transcript-redact.ts and called unconditionally before the JSONL entry is built. This makes redaction always-on regardless of which callsite triggers the write, with a safe fallback to DEFAULT_REDACT_MODE + DEFAULT_REDACT_PATTERNS when no config is provided.

---

Note: This is a tracking sub-issue scoped to one specific sink family. See #64046 for the full umbrella.
Addressed by #73563.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Current main now implements the scoped transcript append redaction fix: the append sink applies config-aware redaction before JSONL persistence and the session, gateway, and Telegram update paths use the redacted appended message. The fix landed through the merged repair PR and is not in the latest stable release yet, so this can close as current-main-only implemented.

I found the merged PR that appears to have closed this: #79645: fix(security): inline redact into appendSessionTranscriptMessage.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Close this focused sink-family issue against the current-main fix, while keeping the broader sensitive-data umbrella at #64046 and the separate local-provider trust-boundary follow-up at #80379 open.

Do we have a high-confidence way to reproduce the issue?

Yes for the original issue: source inspection and the linked repair PR proof showed direct append paths could persist unredacted transcript payloads. On current main, the same paths now redact at the append sink and tests assert redacted disk and update behavior.

Is this the best way to solve the issue?

Yes. Centralizing redaction in appendSessionTranscriptMessage, threading OpenClawConfig, and emitting the redacted appended message is the narrow maintainable fix for this scoped persistence sink.

Security review:

Security review cleared: Current main closes the specific security gap for session transcript append persistence and redacted transcript-update payloads.

What I checked:

• Central append sink now redacts before persistence: appendSessionTranscriptMessage accepts OpenClawConfig, computes finalMessage with redactTranscriptMessage for agent messages or redactSecrets for other payloads, writes that final message to JSONL, and returns the redacted message. (src/config/sessions/transcript-append.ts:298, 6a41a5421265)
• Shared transcript redaction helper exists: redactTranscriptMessage recursively redacts transcript message strings, structured fields, arrays, and plain objects while honoring logging.redactSensitive: "off" and configured/default patterns. (src/agents/transcript-redact.ts:103, 6a41a5421265)
• Inline session updates use the redacted appended message: appendExactAssistantMessageToSessionTranscript destructures message: appendedMessage from the append helper and emits that redacted payload for inline transcript updates. (src/config/sessions/transcript.ts:310, 6a41a5421265)
• Gateway transcript injection uses the redacted appended message: appendInjectedAssistantMessageToTranscript now emits and returns the appendedMessage returned by the append helper instead of the original pre-redaction body. (src/gateway/server-methods/chat-transcript-inject.ts:106, 6a41a5421265)
• Telegram mirror uses the redacted appended message: The Telegram delivery mirror appends through appendSessionTranscriptMessage with config and emits appendedMessage in transcript updates. (extensions/telegram/src/bot-message-dispatch.ts:340, 6a41a5421265)
• Regression coverage proves disk and update redaction: Tests assert secrets are absent from on-disk JSONL, default/configured patterns apply, redactSensitive: "off" is honored, inline updates equal the redacted disk message, and gateway/Telegram updates emit redacted payloads. (src/config/sessions/transcript-append-redact.test.ts:45, 6a41a5421265)

Likely related people:

• Ziy1-Tan: Opened the focused security issue, authored the source PR with real behavior proof, and appears as an author on the carried-forward transcript redaction commits in the merged repair PR. (role: source fix contributor and reporter; confidence: high; commits: 342984795cc8, 4aff9490abc1, e869237847e5; files: src/config/sessions/transcript-append.ts, src/agents/transcript-redact.ts, src/config/sessions/transcript-append-redact.test.ts)
• hxy91819: Merged the repair PR and authored several follow-up commits in the same branch for recursive redaction, default-pattern merging, Telegram transcript updates, mirror dedupe, and final rebase fallout. (role: recent repair contributor and merger; confidence: high; commits: 5cb7c4d2301e, 0e9264aeaa93, 1ee6ab7b6187; files: src/agents/transcript-redact.ts, src/config/sessions/transcript.ts, extensions/telegram/src/bot-message-dispatch.ts)
• vincentkoc: Git history shows the adjacent fix(logging): redact persisted transcript text commit, which established earlier persisted transcript redaction behavior in the guarded session path and docs. (role: adjacent redaction behavior contributor; confidence: medium; commits: 406ae72fd278; files: src/agents/session-tool-result-guard-wrapper.ts, docs/gateway/logging.md)
• steipete: Git history shows recent transcript append and session-adjacent work, including serialized concurrent transcript appends near the same append helper. (role: recent transcript/session area contributor; confidence: medium; commits: 3f6b481464bf, c6249e4809cf; files: src/config/sessions/transcript-append.ts, src/config/sessions/transcript.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6a41a5421265; fix evidence: merged PR #79645, commit faaa7efef050, main fix timestamp 2026-05-13T08:31:04Z.