openclaw - ✅(Solved) Fix [Bug]: __OPENCLAW_REDACTED__ written to config.json when saving provider config via Control UI [1 pull requests, 1 participants]

openclaw/openclaw#60021 (fetched 2026-04-08 02:37:20)

When modifying any provider configuration (e.g., models.providers.minimax) through the Control UI (config workspace), the on-disk config.json file is corrupted: the apiKey and headers field values are replaced with the literal string __OPENCLAW_REDACTED__. After a gateway restart, all provider credentials are invalid.


Root Cause

In io-CHHRUM9X.js, the writeConfigFile function:

  1. Computes nextCfg (the correct, de-redacted config) and writes it to disk ✅
  2. But then calls notifyConfigWriteListeners({ runtimeConfig: runtimeConfigSnapshot, sourceConfig: nextCfg, ... }) passing the pre-write, still-redacted runtimeConfigSnapshot as runtimeConfig

The hot-reload subscriber receives this redacted snapshot, stores it as pendingInProcessConfig, and a subsequent applySnapshot(pendingInProcessConfig) re-writes __OPENCLAW_REDACTED__ back to disk — overwriting the correct value just written.

Relevant code path:

  • writeConfigFile (io-CHHRUM9X.js, ~line 20821)
  • notifyConfigWriteListeners → subscribeToWrites callback
  • pendingInProcessConfig set to the redacted snapshot
  • applySnapshot(pendingInProcessConfig) writes __OPENCLAW_REDACTED__ to disk

Fix Action

Fixed

PR fix notes

PR #60044: [Bug Fix] writeConfigFile: pass de-redacted nextCfg to hot-reload listeners

Description (problem / solution / changelog)

Bug Fix: __OPENCLAW_REDACTED__ written to config.json on config save

Issue: #60021

Problem

When saving config via Control UI, sensitive fields are replaced with literal __OPENCLAW_REDACTED__ in config.json.

Root Cause

writeConfigFile writes nextCfg (de-redacted) to disk, but passes the pre-write redacted runtimeConfigSnapshot to notifyConfigWriteListeners. The hot-reload subscriber then re-writes the sentinel back to disk.

Fix

- runtimeConfig: runtimeConfigSnapshot,
+ runtimeConfig: nextCfg,
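
Review bot: On the `+ runtimeConfig: nextCfg,` line, the listener now receives the same object for runtimeConfig that the call already passes as sourceConfig, so the two fields no longer carry distinct values; add a comment here stating that this is intended, or build a de-redacted runtime snapshot if any listener depends on the difference. The one-line change also leaves the write path willing to persist a config that contains `__OPENCLAW_REDACTED__`, so a check that rejects the sentinel before writing would protect against any other caller that hands a redacted snapshot to the listeners. The added test should assert on the persisted file contents after the listener has run, not only on the arguments of the notify call.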

Testing checklist:

  • Save provider config → config.json does not contain __OPENCLAW_REDACTED__
  • Gateway restart → provider auth works

Changed files

  • src/config/io.runtime-snapshot-write.test.ts (modified, +64/-0)
  • src/config/io.ts (modified, +1/-1)

Code Example

notifyConfigWriteListeners({
    configPath: io.configPath,
    sourceConfig: nextCfg,
    runtimeConfig: runtimeConfigSnapshot,  // ← bug: should be nextCfg
    persistedHash: writeResult.persistedHash,
    writtenAtMs: Date.now()
});

---

notifyConfigWriteListeners({
    configPath: io.configPath,
    sourceConfig: nextCfg,
    runtimeConfig: nextCfg,  // ← pass the de-redacted config
    persistedHash: writeResult.persistedHash,
    writtenAtMs: Date.now()
});
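
The write, notify and re-write sequence from the Root Cause section, together with the check from the testing checklist, as an added example that is not OpenClaw source code. It is a simplified in-memory model: `persist`, `saveViaControlUi`, `findSentinelPaths`, the `guard` option and all config values are hypothetical or constructed for illustration; only the sentinel string and the names `nextCfg`, `runtimeConfigSnapshot` and `pendingInProcessConfig` come from the issue.

```javascript
// Added illustration: a simplified in-memory model, not OpenClaw source.
const SENTINEL = "__OPENCLAW_REDACTED__";

// Return the dotted paths of every value equal to the redaction sentinel.
function findSentinelPaths(value, path = "") {
  if (value === SENTINEL) return [path];
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) =>
    findSentinelPaths(v, path ? `${path}.${k}` : k));
}

// Hypothetical stand-in for the disk write; `guard` refuses redacted input.
function persist(disk, cfg, guard) {
  const leaked = findSentinelPaths(cfg);
  if (guard && leaked.length) {
    throw new Error(`refusing to persist redacted values: ${leaked.join(", ")}`);
  }
  disk.json = JSON.stringify(cfg);
}

// Model of the save path from the issue: write nextCfg, notify listeners,
// then the hot-reload subscriber applies whatever runtimeConfig it was handed.
function saveViaControlUi({ fixed, guard = false }) {
  const disk = { json: "" };
  // De-redacted config that should end up on disk (constructed values).
  const nextCfg = { models: { maxTokens: 4096, providers: { minimax: {
    apiKey: "sk-constructed-example", headers: { "X-Org": "constructed" } } } } };
  // Pre-write, still-redacted view of the config (constructed values).
  const runtimeConfigSnapshot = { models: { maxTokens: 2048, providers: { minimax: {
    apiKey: SENTINEL, headers: { "X-Org": SENTINEL } } } } };

  persist(disk, nextCfg, guard);                       // step 1: correct write
  const event = { sourceConfig: nextCfg,
    runtimeConfig: fixed ? nextCfg : runtimeConfigSnapshot };
  const pendingInProcessConfig = event.runtimeConfig;  // subscriber stores it
  let error = null;
  try {
    persist(disk, pendingInProcessConfig, guard);      // applySnapshot re-write
  } catch (e) { error = e.message; }
  return { leaked: findSentinelPaths(JSON.parse(disk.json)), error };
}

console.log(saveViaControlUi({ fixed: false }));              // sentinel on disk
console.log(saveViaControlUi({ fixed: true }));               // clean
console.log(saveViaControlUi({ fixed: false, guard: true })); // re-write refused
```

`findSentinelPaths` can also be run over a parsed config.json after a save to carry out the first item of the testing checklist.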

[Bug]: __OPENCLAW_REDACTED__ written to config.json when saving provider config via Control UI

Severity: High
OpenClaw version: 2026.4.1 (also present in 2026.4.2)
Environment: macOS, gateway running locally


Summary

When modifying any provider configuration (e.g., models.providers.minimax) through the Control UI (config workspace), the on-disk config.json file is corrupted: the apiKey and headers field values are replaced with the literal string __OPENCLAW_REDACTED__. After a gateway restart, all provider credentials are invalid.


Steps to reproduce

  1. Install OpenClaw 2026.4.1 with at least one provider (e.g., minimax) already configured with a valid apiKey.
  2. Open the Control UI → Config workspace.
  3. Modify any unrelated setting (e.g., change models.maxTokens or toggle a feature flag).
  4. Save the config.
  5. Observe that config.json now contains "apiKey": "__OPENCLAW_REDACTED__" for the previously-valid provider entries.
  6. Restart the gateway — provider requests fail with authentication errors.

Root cause

In io-CHHRUM9X.js, the writeConfigFile function:

  1. Computes nextCfg (the correct, de-redacted config) and writes it to disk ✅
  2. But then calls notifyConfigWriteListeners({ runtimeConfig: runtimeConfigSnapshot, sourceConfig: nextCfg, ... }) passing the pre-write, still-redacted runtimeConfigSnapshot as runtimeConfig

The hot-reload subscriber receives this redacted snapshot, stores it as pendingInProcessConfig, and a subsequent applySnapshot(pendingInProcessConfig) re-writes __OPENCLAW_REDACTED__ back to disk — overwriting the correct value just written.

Relevant code path:

  • writeConfigFile (io-CHHRUM9X.js, ~line 20821)
  • notifyConfigWriteListeners → subscribeToWrites callback
  • pendingInProcessConfig set to the redacted snapshot
  • applySnapshot(pendingInProcessConfig) writes __OPENCLAW_REDACTED__ to disk

Suggested fix

In writeConfigFile, change the notifyConfigWriteListeners call from:

notifyConfigWriteListeners({
    configPath: io.configPath,
    sourceConfig: nextCfg,
    runtimeConfig: runtimeConfigSnapshot,  // ← bug: should be nextCfg
    persistedHash: writeResult.persistedHash,
    writtenAtMs: Date.now()
});

to:

notifyConfigWriteListeners({
    configPath: io.configPath,
    sourceConfig: nextCfg,
    runtimeConfig: nextCfg,  // ← pass the de-redacted config
    persistedHash: writeResult.persistedHash,
    writtenAtMs: Date.now()
});

Related issues

  • PR #58044 (merged March 31) attempted to harden SecretRef round-trip handling in Control UI and RPC writes, but did not cover this writeConfigFile → notifyConfigWriteListeners code path.
  • PR #55034 (fixed Discord token id field corruption on save)

extent analysis

TL;DR

The most likely fix is to update the notifyConfigWriteListeners call in writeConfigFile to pass the de-redacted nextCfg as runtimeConfig instead of the redacted runtimeConfigSnapshot.

Guidance

  • Review the writeConfigFile function in io-CHHRUM9X.js to ensure the notifyConfigWriteListeners call is updated to pass nextCfg as runtimeConfig.
  • Verify that the config.json file is no longer corrupted after saving provider configurations through the Control UI.
  • Test the fix by modifying a provider configuration, saving the config, and checking that the apiKey and headers field values are not replaced with __OPENCLAW_REDACTED__.
  • Consider reviewing related issues, such as PR #58044 and PR #55034, to ensure that similar bugs are not present in other code paths.

Notes

This fix assumes that the issue is caused by the notifyConfigWriteListeners call passing the redacted runtimeConfigSnapshot instead of the de-redacted nextCfg. If the issue persists after applying this fix, further investigation may be necessary to identify the root cause.

Recommendation

Apply the suggested fix to update the notifyConfigWriteListeners call in writeConfigFile to pass the de-redacted nextCfg as runtimeConfig. This should prevent the config.json file from being corrupted when saving provider configurations through the Control UI.
