openclaw - 💡(How to fix) Fix [Bug]: `openclaw configure` (upgrade wizard) writes __OPENCLAW_REDACTED__ literals into openclaw.json, corrupting all API keys [1 comments, 2 participants]

Summary

When running openclaw configure during an upgrade from 2026.4.2 to 2026.4.5, the wizard rewrites openclaw.json with literal __OPENCLAW_REDACTED__ strings replacing actual API keys. After the upgrade crashes/fails and the user rolls back to 2026.4.2, the config file is left with corrupted credentials, causing all services to fail silently.

Related Issues

• #60021 — Same root cause via Control UI config save
• #44357 — Same pattern with SecretRef fields (closed)
• #11355 — Same pattern with macOS app (closed)

This appears to be a recurring regression. The redaction-on-read mechanism is leaking into write paths.

Environment

• OpenClaw version: 2026.4.2 (rolled back from 2026.4.5)
• OS: macOS 15.3.0 (arm64), Mac mini M4 Pro
• Install method: npm global
• Trigger: openclaw configure wizard during upgrade to 2026.4.5

Steps to Reproduce

1. Running OpenClaw 2026.4.2 with multiple providers configured (Dashscope, Volcengine, SiliconFlow, Brave, etc.)
2. Run upgrade to 2026.4.5 — upgrade wizard (openclaw configure) runs automatically
3. Upgrade crashes/fails mid-process
4. Roll back to 2026.4.2
5. Observe: openclaw.json now contains "apiKey": "__OPENCLAW_REDACTED__" for multiple providers

Affected Config Paths

The following fields were corrupted (replaced with literal __OPENCLAW_REDACTED__):

• models.providers.volccodingplan.apiKey
• agents.defaults.memorySearch.remote.apiKey
• plugins.entries.brave.config.webSearch.apiKey
• gateway.remote.password

Fields That Were NOT Affected

• models.providers.bailian.apiKey (survived intact)
• channels.feishu.appSecret (survived intact)
• channels.telegram.accounts.main.botToken (survived intact)
• channels.telegram.accounts.programming.botToken (survived intact)
• gateway.auth.token (survived intact)

This inconsistency suggests the wizard selectively re-serializes some fields through the redaction layer while preserving others.

Impact

• All affected API providers fail silently — no error message indicates the config is corrupted
• memory_search returns 401 — embedding provider key corrupted
• config.patch refuses to work — rejects its own __OPENCLAW_REDACTED__ sentinel: Reserved redaction sentinel "__OPENCLAW_REDACTED__" is not valid config data
• Manual JSON editing required — users must hand-edit openclaw.json to restore keys
• Version mismatch warning loop — meta.lastTouchedVersion is set to the failed upgrade version (2026.4.5) while running 2026.4.2

Expected Behavior

openclaw configure should never write __OPENCLAW_REDACTED__ literals to disk. The write path should either:

1. Preserve original values for fields the user did not modify, OR
2. Re-read secrets from the source of truth before writing

Workaround

Manually edit ~/.openclaw/openclaw.json to replace all __OPENCLAW_REDACTED__ strings with actual API keys. Cannot use config.patch as it also rejects the sentinel.

Additional Context

The meta.lastTouchedVersion and wizard.lastRunVersion fields were set to 2026.4.5 even though the upgrade failed, causing persistent "Config was last written by a newer OpenClaw" warnings on every command.

The config file also retained stale plugin entries (e.g., comfy) that existed in the pre-upgrade config but whose plugins were removed in the target version, adding to the confusion during troubleshooting.