fix(gateway): redact credential-bearing diagnostics

[vincentkoc]

Summary

• Redacts credential-bearing gateway target URLs before they are shown in connection detail messages or plaintext-URL safety errors.
• Redacts Gateway client connect/error/parse diagnostics before they hit debug/error logs, including when logging.redactSensitive is off.
• Preserves non-secret diagnostic suffixes after redacted URL query params, so errors like ?token=... failed with 401 keep the failed with 401 context.

Related

• Related, not closed: [Bug]: logs.tail likely fails to redact several credential formats before returning log lines to operator.read clients. #66832 (logs.tail shared redaction formats; separate surface)
• Related, not closed: fix: add redaction patterns for JWTs, Basic auth, and custom security headers in logs.tail #67041 (candidate fix for [Bug]: logs.tail likely fails to redact several credential formats before returning log lines to operator.read clients. #66832)
• Related, not closed: fix(cli): emit JSON for gateway transport failures #79233 (gateway transport failure output; adjacent but separate)

No closing refs: this patch is a gateway diagnostic redaction reliability pass, not the logs.tail issue fix.

Verification

• node scripts/run-vitest.mjs src/gateway/client.test.ts -- --reporter=verbose -t "connect failure logs"
  • passed: 2 passed, 90 passed
• node scripts/run-vitest.mjs src/gateway/call.test.ts src/gateway/client.test.ts -- --reporter=dot
  • passed: 5 passed, 333 passed
• git diff --check
  • passed
• node scripts/crabbox-wrapper.mjs run -provider blacksmith-testbox -blacksmith-org openclaw -blacksmith-workflow .github/workflows/ci-check-testbox.yml -blacksmith-job check -blacksmith-ref main -idle-timeout 90m -ttl 240m -timing-json -shell -- "CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 OPENCLAW_TESTBOX=1 OPENCLAW_TESTBOX_REMOTE_RUN=1 pnpm check:changed"
  • passed: tbx_01krrwjvepsj3458ybk6bk1k6j, https://github.com/openclaw/openclaw/actions/runs/25968066889

Real behavior proof

Behavior addressed: Gateway diagnostic strings no longer expose credential-bearing target URLs, Authorization bearer values, URL userinfo, or sensitive query params in connection/error logs, while preserving non-secret trailing diagnostic text.

Real environment tested: local Codex worktree for focused Vitest proof, plus Blacksmith Testbox for pnpm check:changed.

Exact steps or command run after this patch: node scripts/run-vitest.mjs src/gateway/call.test.ts src/gateway/client.test.ts -- --reporter=dot; OPENCLAW_TESTBOX=1 ... pnpm check:changed through node scripts/crabbox-wrapper.mjs run -provider blacksmith-testbox ....

Evidence after fix: focused tests assert raw details.url still preserves connection behavior, display/error strings redact user:pass and token=..., connect failure logs redact bearer tokens and URL credentials even with logging.redactSensitive: off, and the regression case preserves failed with 401 after ?token=***.

Observed result after fix: focused gateway tests passed and Testbox check:changed exited 0.

What was not tested: live remote gateway connection against a real credential-bearing URL; the fix is covered at the formatter/connection-details boundary with fake credentials.

[clawsweeper]

ClawSweeper status: review started.

I am starting a fresh review of this pull request: fix(gateway): redact credential-bearing diagnostics This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

[vincentkoc]

Pre-merge verification for this head:

• Source SHA: 6b94001
• node scripts/run-vitest.mjs src/gateway/client.test.ts -- --reporter=verbose -t "connect failure logs": passed (2 passed, 90 passed)
• node scripts/run-vitest.mjs src/gateway/call.test.ts src/gateway/client.test.ts -- --reporter=dot: passed (5 passed, 333 passed)
• git diff --check: passed
• Testbox pnpm check:changed: passed on tbx_01krrwjvepsj3458ybk6bk1k6j, run https://github.com/openclaw/openclaw/actions/runs/25968066889
• codex review --base origin/main: no actionable regressions

Known scope: this lands the gateway diagnostic redaction fix. #66832 / #67041 and #79233 are adjacent linked items and need their own repaired landing path.