Option value truncated when it contains '=' characters

[davinci282828]

Severity: medium / Confidence: high / Category: bug
Triage: confirmed-bug
Detected against: openclaw v2026.5.18 (latest stable at time of scan, 2026-05-18)
Tooling: clawpatch 0.3.0 + acpx/claude-sonnet-4-5 via Brad Mills protocol

Evidence

• src/cli/root-option-value.ts:6-8 (takeCliRootOptionValue)

const [, value] = raw.split("=", 2);
    const trimmed = (value ?? "").trim();

Reasoning

Array destructuring with split("=", 2) limits the split result to 2 elements, so any characters after the second = in the raw token are silently discarded. For example, --token=abc=def yields value "abc" instead of "abc=def". API tokens and secrets frequently include base64-padding = characters; URLs with query parameters also contain =. The caller receives a silently corrupted value with no error or warning.

Reproduction

Pass any root option whose value contains =: e.g. openclaw --some-option=base64pad==. The resolved value will be "base64pad" instead of "base64pad==".

Recommendation

Replace raw.split("=", 2) with an index-based slice:

const eqIndex = raw.indexOf("=");
const value = raw.slice(eqIndex + 1);

This preserves all characters after the first =.

Why existing tests miss this

No tests are listed for src/cli/root-option-value.ts; the bug surface (option values with embedded =) is easy to overlook.

Suggested regression test

Add a Vitest test in a colocated root-option-value.test.ts that asserts takeCliRootOptionValue("--opt=abc=def", undefined).value === "abc=def" and likewise for base64 padding ("abc==").

Minimum fix scope

Single-line change in src/cli/root-option-value.ts replacing raw.split("=", 2) with index-slice logic.

---

Standardized clawpatch finding. Persistent in v2026.5.18 (not resolved by upgrading from v2026.5.12). Finding ID: fnd_sig-feat-cli-command-0c37e1d71a-_71ed7d37a6.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still truncates inline root option values at the second =, and the affected helper is used by root CLI option parsing with no embedded-equals regression coverage.

Reproducibility: yes. from source inspection: current main still uses raw.split("=", 2), and the exact expression drops later = characters. I did not run the full CLI path because this review is read-only and avoids artifact-producing tests.

Next step
This is a small, source-proven CLI parser defect with a clear helper boundary and focused regression-test path.

Review details

Best possible solution:

Preserve the full substring after the first = in the shared root option helper and add focused regression coverage for embedded = values.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main still uses raw.split("=", 2), and the exact expression drops later = characters. I did not run the full CLI path because this review is read-only and avoids artifact-producing tests.

Is this the best way to solve the issue?

Yes: an index-based slice in takeCliRootOptionValue is the narrow maintainable fix because that helper already owns inline root-option value extraction. Regression coverage should pin embedded = preservation and the profile case that should not silently become a different valid profile.

Label justifications:

• P2: This is a narrow CLI parsing bug that can silently use the wrong root option value.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cli/root-option-value.test.ts src/cli/container-target.test.ts src/cli/profile.test.ts

What I checked:

• Current parser truncates embedded equals: takeCliRootOptionValue still enters the inline-value branch for any raw token containing = and uses raw.split("=", 2), so later = characters are dropped before trimming. (src/cli/root-option-value.ts:10, e9989f3a92e5)
• Source-level reproduction of the exact expression: A focused Node probe of the same expression prints base64pad for --container=base64pad==, matching the reported truncation behavior. (src/cli/root-option-value.ts:11, e9989f3a92e5)
• Affected call sites use the shared helper: parseCliProfileArgs and parseCliContainerArgs both call takeCliRootOptionValue for inline root options, so the helper controls the parsed value before profile validation or container routing. (src/cli/profile.ts:54, e9989f3a92e5)
• Current tests cover equals form but not embedded equals: Existing container/profile tests cover ordinary --container=demo and --profile parsing, but I found no assertion for an inline value containing additional = characters. (src/cli/container-target.test.ts:30, e9989f3a92e5)
• History provenance: git blame and git log -S tie the current helper and raw.split("=", 2) line to commit c92ebd6a4104af7805ecd9eca9f694985fe8913e, which introduced the root option helper on 2026-05-18. (src/cli/root-option-value.ts:11, c92ebd6a4104)
• Latest release still has the same parser: The v2026.5.18 tag contains the same raw.split("=", 2) implementation, matching the issue's stable-release claim. (src/cli/root-option-value.ts:11, 50a2481652b6)

Likely related people:

• Tak Hoffman: git blame, git log -S, and git show identify this person as the author of the commit that added src/cli/root-option-value.ts, the inline split branch, and the adjacent root option parsing files. (role: introduced behavior; confidence: high; commits: c92ebd6a4104; files: src/cli/root-option-value.ts, src/cli/profile.ts, src/cli/container-target.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9989f3a92e5.