Warn on plaintext secret config in doctor

[lukaIvanic]

Summary

• Add a doctor security warning when openclaw.json contains plaintext secret-bearing fields such as models.providers.<id>.apiKey and sensitive provider headers like Authorization.
• Skip the warning for SecretRef-backed values so migrated configs stay quiet.
• Point users to openclaw secrets configure / openclaw secrets apply and openclaw secrets audit --check.

Why

Issue #11829 tracks API key exposure to agents. The current secrets tooling can already audit and migrate plaintext values, but a normal openclaw doctor run can still look healthy while openclaw.json stores agent-readable API keys/tokens. This change makes that risk visible in the security warning surface users already run.

This does not claim to replace the broader secret-isolation architecture. It closes a practical visibility gap and helps users migrate away from plaintext config secrets before agents or workspace tools read them directly.

Test

node scripts/run-vitest.mjs run --config test/vitest/vitest.commands.config.ts src/commands/doctor-security.test.ts
node scripts/run-vitest.mjs run src/secrets/audit.test.ts
git diff --check
pnpm check:test-types

Result: doctor security test passed 1 file / 32 tests; secrets audit test passed 1 file / 24 tests; git diff --check passed; pnpm check:test-types passed.

Real behavior proof

Behavior or issue addressed: openclaw doctor --non-interactive now surfaces plaintext secret-bearing model provider config in openclaw.json, including models.providers.openai.apiKey and models.providers.openai.headers.Authorization.

Real environment tested: Local OpenClaw checkout after this patch, running node openclaw.mjs doctor --non-interactive against a real temporary config file at /Users/lukaivanic/projects/organization/llm_money_making_experiment/folder_2/proof/openclaw-doctor-plaintext/openclaw.json. The config contained redacted plaintext values in models.providers.openai.apiKey and models.providers.openai.headers.Authorization.

Exact steps or command run after this patch:

OPENCLAW_CONFIG_PATH=/Users/lukaivanic/projects/organization/llm_money_making_experiment/folder_2/proof/openclaw-doctor-plaintext/openclaw.json \
OPENCLAW_HOME=/Users/lukaivanic/projects/organization/llm_money_making_experiment/folder_2/proof/openclaw-doctor-plaintext/home \
node openclaw.mjs doctor --non-interactive

Evidence after fix: Terminal output from the real CLI command above included this live output excerpt:

◇  Security

  - WARNING: openclaw.json contains plaintext secret-bearing config
    fields.
    Paths: models.providers.openai.apiKey,
    models.providers.openai.headers.Authorization
    Agents or workspace tools that can read config files may see these
    API keys/tokens.
    Migrate them to SecretRefs with openclaw secrets configure or
    openclaw secrets apply, then verify with openclaw secrets audit
    --check.

Observed result after fix: The live doctor run printed a Security warning for both plaintext config paths: models.providers.openai.apiKey and models.providers.openai.headers.Authorization, and it pointed the user to SecretRefs plus openclaw secrets audit --check.

What was not tested: No additional gaps.

Refs #11829

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds a doctor security warning for plaintext secret-bearing openclaw.json fields by reusing the secrets target registry and shared model-provider header sensitivity policy.

Reproducibility: yes. for source-level behavior: current main has plaintext secret audit coverage but no doctor collector for those config targets, and the PR body includes live patched CLI output showing the new warning.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong live CLI proof plus a focused shared-policy patch make this a normal good PR ready for exact-head gates.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes copied live CLI output from a patched doctor --non-interactive run showing the new plaintext config warning and affected paths.

Next step before merge
No repair lane is needed; the PR has no actionable review findings and should proceed through the existing automerge/check gates.

Security
Cleared: The diff adds a security warning without printing secret values, adding dependencies, changing workflows, or changing secret resolution behavior.

Review details

Best possible solution:

Land the shared-policy doctor warning after exact-head checks and automerge gates complete, while leaving the broader secret-isolation roadmap tracked separately.

Do we have a high-confidence way to reproduce the issue?

Yes for source-level behavior: current main has plaintext secret audit coverage but no doctor collector for those config targets, and the PR body includes live patched CLI output showing the new warning.

Is this the best way to solve the issue?

Yes: the PR keeps doctor aligned with the existing secrets registry, SecretRef detection, plaintext-value helper, and model-provider header policy instead of inventing a second target list.

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes copied live CLI output from a patched doctor --non-interactive run showing the new plaintext config warning and affected paths.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P2: This is a focused security-diagnostic improvement with limited blast radius, targeted tests, and real CLI proof.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong live CLI proof plus a focused shared-policy patch make this a normal good PR ready for exact-head gates.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes copied live CLI output from a patched doctor --non-interactive run showing the new plaintext config warning and affected paths.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied live CLI output from a patched doctor --non-interactive run showing the new plaintext config warning and affected paths.

What I checked:

• Current main lacks the doctor warning: On current main, collectSecurityWarnings collects existing approval, exec-filesystem, and durable approval warnings, but has no plaintext config-secret collector before gateway/channel checks. (src/commands/doctor-security.ts:197, 5c4c6a42071c)
• Existing secrets audit already owns the target semantics: Current main collectConfigSecrets scans discovered config secret targets, skips SecretRefs, reports plaintext, and already special-cases non-sensitive models.providers.*.headers.* names. (src/secrets/audit.ts:216, 5c4c6a42071c)
• Registry includes the affected model-provider paths: The current registry marks models.providers.*.apiKey, models.providers.*.headers.*, and models.providers.*.request.headers.* as auditable openclaw.json secret-input targets. (src/secrets/target-registry-data.ts:236, 5c4c6a42071c)
• PR implements the warning through shared policy: The PR adds collectPlaintextConfigSecretWarnings, reuses discoverConfigSecretTargets, skips SecretRefs via resolveSecretInputRef, keeps the audit header sensitivity split, and prints only paths plus migration commands. (src/commands/doctor-security.ts:186, 31f83aae194f)
• PR shares the sensitive header classifier: The PR moves model-provider header-name sensitivity into src/secrets/model-provider-header-policy.ts, preserving the existing exact names and fragments used by audit. (src/secrets/model-provider-header-policy.ts:1, 31f83aae194f)
• PR adds focused regression coverage: The PR adds doctor tests for plaintext provider API keys, sensitive headers, non-sensitive header suppression, request-header alignment, and SecretRef suppression. (src/commands/doctor-security.test.ts:335, 31f83aae194f)

Likely related people:

• joshavant: GitHub file history shows major SecretRef/audit work, including broad credential target coverage and read-only SecretRef audit hardening, across the same secrets audit and registry surfaces. (role: feature-history owner; confidence: high; commits: 806803b7efe2, a2cb81199e22, 36d2ae2a2235; files: src/secrets/audit.ts, src/secrets/target-registry-data.ts, docs/cli/secrets.md)
• steipete: Recent history on target-registry and doctor-adjacent files shows repeated secrets/doctor maintenance and cleanup around the same code paths. (role: recent area contributor; confidence: medium; commits: e3a248585e66, fe680e47cece, bd8e986bb2eb; files: src/secrets/target-registry-data.ts, src/commands/doctor-security.test.ts, src/commands/doctor-security.ts)
• giodl73-repo: GitHub file history shows recent read-only doctor health-check conversion touching src/commands/doctor-security.ts, the main file this PR extends. (role: recent doctor contributor; confidence: medium; commits: 94abfa76e21f; files: src/commands/doctor-security.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5c4c6a42071c.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Pearl Test Hopper

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: watches the merge queue.
Image traits: location green-check meadow; accessory review stamp; palette sunrise gold and clean white; mood focused; pose nestled inside a glowing shell; shell brushed metal shell; lighting clean product lighting; background delicate sparkle particles.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Test Hopper in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[lukaIvanic]

@clawsweeper re-review

Real behavior proof fields have been updated in the PR body, and the latest Real behavior proof check is green on head 03c8d7c8.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26195245177
• Updated: 2026-05-20T23:16:30.753Z

[lukaIvanic]

@clawsweeper re-review

Addressed the author-wait finding by moving the model-provider header sensitivity policy into shared secrets code and using it from both src/secrets/audit.ts and src/commands/doctor-security.ts. Doctor now preserves the audit split between models.providers.*.headers.* and models.providers.*.request.headers.*.

Verification passed after the update:

• node scripts/run-vitest.mjs run --config test/vitest/vitest.commands.config.ts src/commands/doctor-security.test.ts (32 tests)
• node scripts/run-vitest.mjs run src/secrets/audit.test.ts (24 tests)
• git diff --check
• pnpm check:test-types

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=31f83aae194fdb43a636d8056c3713216648fdd7)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-21T01:27:35Z
Merge commit: 9cdf8a1e2f9f

What merged:

• Adds a doctor security warning for plaintext secret-bearing openclaw.json fields by reusing the secrets target registry and shared model-provider header sensitivity policy.
• Reproducibility: yes. for source-level behavior: current main has plaintext secret audit coverage but no doc ... llector for those config targets, and the PR body includes live patched CLI output showing the new warning.

Automerge notes:

• PR branch already contained follow-up commit before automerge: Warn on plaintext secret config in doctor

The automerge loop is complete.

Automerge progress:

• 2026-05-21 00:04:39 UTC review queued 720fb5ad9bf1 (queued)

• 2026-05-21 00:06:48 UTC repair queued 720fb5ad9bf1 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696

• 2026-05-21 00:09:29 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 automerge-openclaw-openclaw-84718

• 2026-05-21 00:09:41 UTC validation plan (passed) in 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-21 00:09:59 UTC Codex write preflight (passed) in 31s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 danger-full-access

• 2026-05-21 00:15:07 UTC Codex edit 1 8c2e534e5ce0 (complete) in 5m 38s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 exit 0

• 2026-05-21 00:18:08 UTC validation and review 1 31f83aae194f (complete) in 8m 40s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 already-current

• 2026-05-21 00:18:14 UTC repair completed 31f83aae194f (branch updated) in 8m 45s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 initial automerge rebase is delegated to Codex repair

• 2026-05-21 00:18:13 UTC review queued 31f83aae194f (after repair)

• 2026-05-21 00:28:17 UTC automerge wait 31f83aae194f (waiting) in 18m 49s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 waiting for GitHub checks: auto-response:IN_PROGRESS

• 2026-05-21 00:24:50 UTC review passed 31f83aae194f (structured ClawSweeper verdict: pass (sha=31f83aae194fdb43a636d8056c3713216648f...)

• 2026-05-21 00:28:19 UTC repair finished 31f83aae194f (pushed) in 18m 50s Run: https://github.com/openclaw/clawsweeper/actions/runs/26197290696 repair_contributor_branch

• 2026-05-21 01:26:12 UTC review queued 31f83aae194f (queued)

• 2026-05-21 01:27:37 UTC merged 31f83aae194f (merged by ClawSweeper automerge)

[lukaIvanic]

Thanks for merging this. One administrative follow-up: this PR was also submitted against TaskBounty task 623bb359-6405-4142-a1c5-f06ce4b9779c as submission 4e72a63a-44f7-40bd-8c57-03449e4272ec.

I am not treating it as paid/accepted unless TaskBounty or a maintainer explicitly marks or confirms an award, but leaving the merged upstream evidence here in case it helps the bounty review.