security(cli): redact sensitive values in config get output (#23654)

* security(cli): redact sensitive values in config get output

`runConfigGet()` reads raw config values but never applies redaction
before printing. When a user runs `openclaw config get gateway.token`
the real credential is printed to the terminal, leaking it into shell
history, scrollback buffers, and screenshots.

Use the existing `redactConfigObject()` (from redact-snapshot.ts,
already used by the Web UI path) to scrub sensitive fields before
`getAtPath()` resolves the requested key.

Fixes #13683

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* CLI/Config: add redaction regression test and changelog

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
SleuthCo.AI
2026-02-22 19:37:33 -05:00
committed by GitHub
parent f0542df9f0
commit 9c87b53c8e
3 changed files with 21 additions and 1 deletions

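An added example, not OpenClaw's own code, of the ordering the commit message describes: redact the config snapshot first, then let `getAtPath()` resolve the requested key. The key-name rule, the `ConfigValue` type and the `configGet*` wrappers are assumptions; the sample config is constructed from the regression test in this commit.

```typescript
// Added example, not the project's code. The real redactConfigObject() and
// getAtPath() live in OpenClaw; the sensitive-key rule below is assumed.
const REDACTED = "__OPENCLAW_REDACTED__";

// Assumed rule: any key whose name looks like a credential is sensitive.
const SENSITIVE_KEY = /(token|secret|password|apikey|api_key)/i;

type ConfigValue =
  | string | number | boolean | null
  | ConfigValue[]
  | { [k: string]: ConfigValue };

// Walk the object and replace sensitive string leaves with the sentinel.
function redactConfigObject(value: ConfigValue, key = ""): ConfigValue {
  if (Array.isArray(value)) return value.map((v) => redactConfigObject(v, key));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: ConfigValue } = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactConfigObject(v, k);
    return out;
  }
  return SENSITIVE_KEY.test(key) && typeof value === "string" ? REDACTED : value;
}

// Resolve a dotted path such as "gateway.auth.token"; undefined if absent.
function getAtPath(value: ConfigValue, path: string): ConfigValue | undefined {
  let cur: ConfigValue | undefined = value;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object" || Array.isArray(cur)) return undefined;
    cur = (cur as { [k: string]: ConfigValue })[part];
  }
  return cur;
}

// Before the fix: resolve first, so the raw credential reaches the terminal.
function configGetUnredacted(cfg: ConfigValue, path: string): ConfigValue | undefined {
  return getAtPath(cfg, path);
}

// After the fix: redact the whole snapshot, then resolve the requested key.
function configGet(cfg: ConfigValue, path: string): ConfigValue | undefined {
  return getAtPath(redactConfigObject(cfg), path);
}

// Constructed sample config mirroring the regression test and the port test.
const sample: ConfigValue = {
  gateway: { port: 18789, auth: { token: "super-secret-token" } },
};
```

Note that redacting the whole snapshot (rather than the resolved leaf) also covers the case where the requested path points at a subtree containing credentials.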

@@ -143,6 +143,23 @@ describe("config cli", () => {
});
});
describe("config get", () => {
it("redacts sensitive values", async () => {
const resolved: OpenClawConfig = {
gateway: {
auth: {
token: "super-secret-token",
},
},
};
setSnapshot(resolved, resolved);
await runConfigCommand(["config", "get", "gateway.auth.token"]);
expect(mockLog).toHaveBeenCalledWith("__OPENCLAW_REDACTED__");
});
});
describe("config set parsing flags", () => {
it("falls back to raw string when parsing fails and strict mode is off", async () => {
const resolved: OpenClawConfig = { gateway: { port: 18789 } };
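Review bot: the new "redacts sensitive values" case only proves the positive path; since `resolved` holds nothing but `gateway.auth.token`, an over-broad change that replaced every value with `__OPENCLAW_REDACTED__` would pass it as well. Add a companion assertion that a non-sensitive key still prints its real value (the `{ gateway: { port: 18789 } }` config from the next test would serve), and, if redact-snapshot.ts exports the placeholder, import it rather than repeating the string literal so the test follows the sentinel if it changes. Also, the commit message cites `gateway.token` as the leaking path while the test exercises `gateway.auth.token`; aligning the two would make the regression easier to trace.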