fix(logging): redact http client secrets

[liaoandi]

Summary

• extend default secret redaction to quoted HTTP client config fields such as appSecret/app_secret/client_secret and quoted auth/cookie headers
• cover formatted Error cause chains so provider HTTP failures do not leak request secrets after formatErrorMessage()
• preserve existing env, URL query, payment credential, and token redaction behavior with regression coverage

Related #71211
Related #65623

Real behavior proof

• Behavior or issue addressed: Provider HTTP/client error output can include quoted request config fields such as appSecret, app_secret, client_secret, authorization, and cookie; this patch redacts those secrets in tool/log text and formatted error cause chains without regressing existing token and payment credential redaction.
• Real environment tested: Local OpenClaw checkout on macOS, PR branch head 18121edf6, Node v25.9.0, pnpm 10.33.2. Used an isolated temporary OpenClaw home/config and imported the real src/logging/redact.ts and src/infra/errors.ts modules from this checkout.
• Exact steps or command run after the patch:

  OPENCLAW_HOME=/private/tmp/openclaw-pr75033-home \
  OPENCLAW_CONFIG_PATH=/private/tmp/openclaw-pr75033-home/openclaw.json \
  PATH=/private/tmp/openclaw-pnpm-shim:$PATH \
  corepack pnpm exec tsx /private/tmp/pr75033-proof.ts
  
  PATH=/private/tmp/openclaw-pnpm-shim:$PATH \
  corepack pnpm test src/logging/redact.test.ts src/infra/errors.test.ts
  
  PATH=/private/tmp/openclaw-pnpm-shim:$PATH \
  corepack pnpm exec oxfmt --check --threads=1 \
    src/logging/redact.ts src/logging/redact.test.ts src/infra/errors.test.ts
  
  git diff --check upstream/main...HEAD

• Evidence after fix: Terminal capture from the real module proof:

  redacted payload: config: { appSecret: 'feishu…7890', headers: { authorization: 'Bearer…3456' } }
  formatted error: POST /auth/v3/tenant_access_token failed | config: { appSecret: 'feishu…7890', headers: { authorization: 'Bearer…3456' } }
  leaked app secret: false
  leaked tenant token: false
  

  Supplemental targeted verification:

  [test] passed 2 Vitest shards in 5.78s
  Test Files  2 passed (2)
  Tests  63 passed (63)
  oxfmt --check completed without formatting changes.
  git diff --check upstream/main...HEAD completed without whitespace errors.
  

• Observed result after fix: The actual redaction and error-formatting modules redacted the HTTP client secret fields and bearer token in both direct payload text and formatted error cause output; the original secret strings were not present in the output.
• What was not tested: Did not run a live provider API failure against an external service; the proof uses the real OpenClaw modules with a representative HTTP client error payload to avoid sending live credentials.

Test plan

• corepack pnpm test src/logging/redact.test.ts src/infra/errors.test.ts
• corepack pnpm exec oxfmt --check --threads=1 src/logging/redact.ts src/logging/redact.test.ts src/infra/errors.test.ts
• git diff --check

[clawsweeper]

Codex review: passed.

Summary
The branch expands shared logging redaction for quoted HTTP client secret and auth-header fields, adds redaction/error-chain regression tests, and adds an Unreleased changelog entry.

Reproducibility: yes. at source level. Current main routes formatted Error.cause text through shared redaction, and the current default patterns do not match the quoted HTTP client secret/auth fields covered by this PR.

Real behavior proof
Sufficient (terminal): The PR body includes terminal proof from real OpenClaw modules showing after-fix redaction of representative HTTP client payload and formatted error output.

Next step before merge
No ClawSweeper repair job is needed; the exact-head PR is clean, approved, has sufficient proof, and can continue through automerge gates.

Security
Cleared: The diff is security-positive and limited to redaction logic, regression tests, and changelog text, with no dependency, CI, workflow, package-resolution, permission, publishing, or secret-loading changes.

Review details

Best possible solution:

Land this focused shared redaction patch through the exact-head automerge path, while keeping the broader linked secret-exposure issues tracked separately.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main routes formatted Error.cause text through shared redaction, and the current default patterns do not match the quoted HTTP client secret/auth fields covered by this PR.

Is this the best way to solve the issue?

Yes. Extending the shared default redaction helper is the narrowest maintainable fix because logs, tool payload text, structured field redaction, and formatted errors already depend on that surface.

What I checked:

• Current main redaction gap: Current main redacts env assignments, URL query credentials, JSON token fields, CLI flags, bearer strings, standalone assignments, PEM blocks, and token prefixes, but it does not cover quoted appSecret/app_secret fields or quoted auth/cookie object-inspection fields targeted by this PR. (src/logging/redact.ts:16, 877b860093a9)
• Error cause chain uses shared redaction: formatErrorMessage appends nested Error.cause messages and returns redactSensitiveText(formatted), so HTTP client diagnostic text in nested errors reaches the shared default redaction patterns. (src/infra/errors.ts:68, 877b860093a9)
• PR implementation is narrow: The PR head adds authToken/appSecret/app_secret coverage to structured field matching and default patterns for quoted HTTP client config and auth/cookie headers. (src/logging/redact.ts:17, fcd308be718b)
• Regression coverage added: The PR head adds tests for JSON/object-inspection HTTP client secrets, quoted auth/cookie headers, and formatted Error.cause chains that contain HTTP client config text. (src/logging/redact.test.ts:113, fcd308be718b)
• Error regression coverage added: The PR head verifies formatErrorMessage keeps the HTTP failure context while removing both the app secret and tenant token from the formatted cause-chain output. (src/infra/errors.test.ts:98, fcd308be718b)
• Changelog present: The PR head includes a user-facing Unreleased changelog entry for shared log and formatted error output redaction of quoted HTTP client secrets and auth/cookie headers. (CHANGELOG.md:10, fcd308be718b)

Likely related people:

• steipete: Recent history shows repeated work on URL-query credential redaction, bounded regex redaction, and security hardening in the shared logging redaction helper. (role: shared redaction maintainer; confidence: medium; commits: a0023f4978a8, e7432ae01d7d, 9a68590385ce; files: src/logging/redact.ts, src/logging/redact.test.ts)
• stainlu: Recent merged work added payment credential redaction patterns, docs, tests, and changelog coverage in the same shared redaction surface. (role: recent adjacent security redaction maintainer; confidence: medium; commits: 84920fad4e6b; files: src/logging/redact.ts, src/logging/redact.test.ts, docs/logging.md)
• chinar-amrutkar: The Error.cause traversal used by formatted provider failures appears in the merged Telegram retry/error-helper work touching the same infra error helper and tests. (role: introduced related error-cause behavior; confidence: medium; commits: 3f67581e50a3; files: src/infra/errors.ts, src/infra/errors.test.ts)

Remaining risk / open question:

• This focused PR should not be treated as fully resolving the broader linked exec-output and config-show secret exposure reports, which remain separate open surfaces.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 877b860093a9.

[jesse-merhi]

Looks good to me. This is a focused expansion of the shared redaction patterns for quoted HTTP client secret fields and auth/cookie headers, with regression coverage for both direct redaction and formatted error chains.

[jesse-merhi]

/clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=fcd308be718ba7f19d3852ec7f9be49c98e5d21d)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-09T03:54:00Z
Merge commit: 21d758c644b0

What merged:

• The branch expands shared logging redaction for quoted HTTP client secret and auth-header fields, adds redaction/error-chain regression tests, and adds an Unreleased changelog entry.
• Reproducibility: yes. at source level. Current main routes formatted Error.cause text through shared redaction, and the current default patterns do not match the quoted HTTP client secret/auth fields covered by this PR.

Automerge notes:

• No ClawSweeper repair was needed after automerge opt-in.

The automerge loop is complete.

Automerge progress:

• 2026-05-09 03:46:28 UTC review queued fcd308be718b (queued)

• 2026-05-09 03:53:47 UTC review passed fcd308be718b (structured ClawSweeper verdict: pass (sha=fcd308be718ba7f19d3852ec7f9be49c98e5d...)

• 2026-05-09 03:54:02 UTC merged fcd308be718b (merged by ClawSweeper automerge)