config.patch persists a redaction-truncated array from config.get → silent data loss of bindings[]

[aarcher4]

Summary

A config.get whose response is redaction-truncated for a large array can be round-tripped into a destructive config.patch: the truncated array is persisted over the full one, silently destroying every element that the read omitted. We hit this on bindings[] and lost almost all routing bindings from a single innocuous edit.

Version: OpenClaw 2026.3.13 (61d171a)
Component: gateway config tool (gateway actions config.get / config.patch) + the config redaction layer.

What happens

1. A client (in our case an agent with the gateway tool) calls config.get to add one entry to bindings[].
2. The gateway's redaction layer truncates the bindings[] array in the returned config. Observed log line:

   [config/redaction] Redacted config array key bindings[] has been truncated
   

3. The client appends its new entry to the truncated array it received and calls config.patch with changedPaths=bindings.
4. The gateway persists that truncated array verbatim:

   [gateway] config.patch write actor=gateway-client changedPaths=bindings restartReason=config.patch
   Config overwrite: .../openclaw.json (sha256 A -> B, backup=.../openclaw.json.bak)
   

5. Result: bindings[] collapsed from 82 entries to 2. 80 routing bindings were destroyed by an edit that intended to add one.

Impact

For multi-agent routing this is severe: with most bindings gone, unbound peers fall through to a single catch-all agent, so messages are answered by the wrong agent (a cross-tenant data exposure in our deployment). A redaction feature meant to protect a read became a silent write-side data-loss bug. The auto-backup (openclaw.json.bak) is what allowed recovery.

Expected

A redacted/truncated value must never be writable back over the full value. Any of:

• config.get should not truncate arrays that callers may patch (or should return full data when the caller has write intent / for round-trip use); or
• the redaction layer should tag a response as truncated, and config.patch should reject (or require an explicit override for) a write of a key whose source read was truncated; or
• config.patch for array keys should be merge/diff-based rather than wholesale-replace, so a short array can't clobber a long one.

Repro sketch

1. Have a config whose bindings[] (or any array) is long enough to trigger redaction truncation on config.get.
2. gateway config.get, observe the bindings[] has been truncated log and the shortened array in the response.
3. gateway config.patch with changedPaths=bindings, sending back the array from step 2 (plus one appended item).
4. Inspect the on-disk config: the array is now the truncated set, not the original.

Happy to provide more detail or test a fix.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 12:15 AM ET / 04:15 UTC.

Summary
Keep open. Current main partially mitigates the reported agent-facing path by blocking model-driven gateway config.patch writes outside a narrow allowlist, but the direct config.patch path still accepts a shorter bindings array, logs the truncation warning, validates it, and can persist it as a full-array replacement.

Reproducibility: yes. by source inspection: submit a config.patch whose bindings array is shorter than the current config, and current main logs the redaction truncation warning but can still validate and write the shorter array. I did not run a live repro because this review was constrained to read-only inspection.

Next step
A fix is likely worthwhile, but the remaining behavior crosses the direct config.patch array-replacement contract and needs maintainer API/product judgment before an autonomous PR should choose the permanent semantics.

Security
Needs attention: The issue is security-sensitive because config data loss can misroute messages across tenant or agent boundaries.

Review details

Best possible solution:

Define a write-side config contract that prevents truncated read snapshots from clobbering array state while keeping an explicit, auditable operator path for intentional full-array replacement or deletion.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: submit a config.patch whose bindings array is shorter than the current config, and current main logs the redaction truncation warning but can still validate and write the shorter array. I did not run a live repro because this review was constrained to read-only inspection.

Is this the best way to solve the issue?

Unclear. The issue lists plausible fixes, but the best fix needs a maintainer decision because direct config.patch currently documents array replacement while the reported data-loss guard likely needs an explicit truncated-read or full-array-replace contract.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Current main blocks the reported model-facing gateway tool from changing bindings[], so maintainers should decide whether the remaining direct operator RPC behavior is still a product bug or an intentional full-array replacement contract.
• A blanket rejection of all shorter arrays would break intentional array deletions and the documented direct config.patch array replacement semantics.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cb5bb9b936bb.

Label changes

Label changes:

• add P1: The report describes silent loss of routing config and wrong-agent message handling in a real deployment, but current main has at least a partial agent-tool mitigation.
• add impact:data-loss: The reported failure overwrites a persisted bindings[] array with a truncated version, losing user routing configuration.
• add impact:security: The reporter describes cross-tenant exposure when messages fall through to the wrong catch-all agent after bindings are lost.
• add impact:message-loss: The affected routing bindings can misroute channel messages to the wrong agent after the config is clobbered.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes silent loss of routing config and wrong-agent message handling in a real deployment, but current main has at least a partial agent-tool mitigation.
• impact:data-loss: The reported failure overwrites a persisted bindings[] array with a truncated version, losing user routing configuration.
• impact:security: The reporter describes cross-tenant exposure when messages fall through to the wrong catch-all agent after bindings are lost.
• impact:message-loss: The affected routing bindings can misroute channel messages to the wrong agent after the config is clobbered.

Evidence reviewed

Security concerns:

• [high] Prevent config clobbering from causing cross-tenant routing — src/gateway/server-methods/config.ts:703
  A truncated bindings[] write can collapse routing to a catch-all agent, which the reporter says exposed messages to the wrong agent in their deployment.
  Confidence: 0.78

Acceptance criteria:

• Add focused coverage around config.patch with a longer current bindings[] array and a shorter submitted bindings array.
• Cover the intended full-array replacement/deletion path if maintainers keep one.
• Run the focused gateway/config and merge-patch tests selected for the touched files.

What I checked:

• Reported behavior: The issue reports OpenClaw 2026.3.13 losing most bindings[] entries after a client round-tripped a truncated config.get result through config.patch, causing routing to collapse to the wrong agent.
• Current config.patch write path: config.patch applies the submitted merge patch, restores redacted values, validates the resulting config, then writes validated.config; there is no rejection for a shorter array before commitGatewayConfigWrite. (src/gateway/server-methods/config.ts:627, cb5bb9b936bb)
• Redaction truncation is warning-only: When an incoming array is shorter than the original, mapRedactedArray logs Redacted config array key ... has been truncated but still returns the shorter incoming array mapped by index. (src/config/redact-snapshot.ts:626, cb5bb9b936bb)
• Array patch semantics remain replacement for non-id arrays: applyMergePatch only merges arrays when the base and patch are id-keyed object arrays; otherwise the patch value replaces the existing array, which applies to bindings[] entries that do not have stable id fields. (src/config/merge-patch.ts:88, cb5bb9b936bb)
• Agent-facing mitigation on current main: The model-facing gateway tool computes changed paths and rejects writes outside ALLOWED_GATEWAY_CONFIG_PATHS; that allowlist does not include bindings, so the old agent-driven bindings[] patch route is blocked before the direct RPC call. (src/agents/tools/gateway-tool.ts:47, cb5bb9b936bb)
• Documented direct RPC contract: Gateway configuration docs still describe config.patch as JSON merge patch where objects merge, null deletes, and arrays replace, so a write-side fix needs to preserve or explicitly revise that operator-facing contract. Public docs: docs/gateway/configuration.md. (docs/gateway/configuration.md:603, cb5bb9b936bb)

Likely related people:

• Peter Steinberger: Recent current-main history and blame touch the gateway config/redaction files, including the redacted restore refactor that carries the truncation warning path. (role: recent area contributor; confidence: medium; commits: 14690904f033, b7446a0c65ba; files: src/config/redact-snapshot.ts, src/gateway/server-methods/config.ts, src/agents/tools/gateway-tool.ts)
• Agustin Rivera: Added recent dangerous/protected gateway config mutation guards around the same model-facing config.patch path. (role: recent gateway-tool guard contributor; confidence: medium; commits: 29f206243b2d, b9e972e17495; files: src/agents/tools/gateway-tool.ts)
• Jacob Tomlinson: Introduced earlier protected gateway config write checks that are part of the mitigation history for agent-driven config patches. (role: gateway-tool guard introducer; confidence: medium; commits: 76411b2afc4a; files: src/agents/tools/gateway-tool.ts)
• Vignesh Natarajan: Added the merge-by-id config patch behavior that current config.patch uses before redaction restoration and validation. (role: config patch array behavior contributor; confidence: medium; commits: 8ec0ef586660, b6d6cfd8d90d; files: src/config/merge-patch.ts, src/config/merge-patch.test.ts)
• sebslight: Recently hardened the object-array merge fallback used by config.patch, adjacent to the remaining non-id array replacement behavior. (role: config patch array behavior contributor; confidence: medium; commits: f4b2fd00bc90; files: src/config/merge-patch.ts, src/config/merge-patch.test.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[joshavant]

Thanks for the detailed report, @aarcher4. The repro and impact description were clear and helped us pin this down as a write-boundary data-loss bug rather than just a client-side usage issue.

This is fixed by #91551, merged as 9f48254.

What was happening: config.get could return a redaction-truncated array, and a later config.patch could persist that shorter array as a full replacement. For arrays like bindings[], that meant an intended partial edit could silently remove most existing routing entries.

The fix changes the config.patch contract so destructive array replacement is no longer implicit. If a patch would remove existing array entries, Gateway now rejects it unless the caller explicitly confirms the affected array path with replacePaths. Intentional full-config replacement still belongs to config.apply, and intentional array replacement through config.patch remains available with explicit replacePaths.

We also updated the agent Gateway tool, protocol schema, docs, generated clients, iOS skill editing, Matrix/QA callers, and focused tests. The fix was proven with a live AWS Crabbox Gateway/WebSocket/disk repro: an unconfirmed patch from 82 bindings entries down to 2 was rejected with the on-disk config hash unchanged, and the same replacement succeeded only when sent with replacePaths: ["bindings"].

Closing as fixed. Thanks again for reporting this.