security(cli): redact sensitive values in config get output (#23654)

* security(cli): redact sensitive values in config get output `runConfigGet()` reads raw config values but never applies redaction before printing. When a user runs `openclaw config get gateway.token` the real credential is printed to the terminal, leaking it into shell history, scrollback buffers, and screenshots. Use the existing `redactConfigObject()` (from redact-snapshot.ts, already used by the Web UI path) to scrub sensitive fields before `getAtPath()` resolves the requested key. Fixes #13683 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * CLI/Config: add redaction regression test and changelog --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 19:37:33 -05:00
parent f0542df9f0
commit 9c87b53c8e
3 changed files with 21 additions and 1 deletions
--- a/src/cli/config-cli.ts
+++ b/src/cli/config-cli.ts
@@ -1,6 +1,7 @@
 import type { Command } from "commander";
 import JSON5 from "json5";
 import { readConfigFileSnapshot, writeConfigFile } from "../config/config.js";
+import { redactConfigObject } from "../config/redact-snapshot.js";
 import { danger, info } from "../globals.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { defaultRuntime } from "../runtime.js";
@@ -232,7 +233,8 @@ export async function runConfigGet(opts: { path: string; json?: boolean; runtime
  try {
    const parsedPath = parseRequiredPath(opts.path);
    const snapshot = await loadValidConfig(runtime);
-    const res = getAtPath(snapshot.config, parsedPath);
+    const redacted = redactConfigObject(snapshot.config);
+    const res = getAtPath(redacted, parsedPath);
    if (!res.found) {
      runtime.error(danger(`Config path not found: ${opts.path}`));
      runtime.exit(1);