fix(openclaw): redact secrets and harden session usage

Author: ymkiux

cli.js

@@ -2820,13 +2820,16 @@ function normalizeOpenclawWorkspaceFileName(input) {
 
 function readOpenclawConfigFile() {
     const filePath = OPENCLAW_CONFIG_FILE;
+    const authProfilesByProvider = sanitizeOpenclawAuthProfilesForClient(
+        readOpenclawAuthProfilesSummary().providers
+    );
     if (!fs.existsSync(filePath)) {
         return {
             exists: false,
             path: filePath,
             content: '',
             lineEnding: os.EOL === '\r\n' ? '\r\n' : '\n',
-            authProfilesByProvider: readOpenclawAuthProfilesSummary().providers
+            authProfilesByProvider
         };
     }
 
@@ -2837,7 +2840,7 @@ function readOpenclawConfigFile() {
             path: filePath,
             content: stripUtf8Bom(raw),
             lineEnding: detectLineEnding(raw),
-            authProfilesByProvider: readOpenclawAuthProfilesSummary().providers
+            authProfilesByProvider
         };
     } catch (e) {
         return { error: `读取 OpenClaw 配置失败: ${e.message}` };
@@ -3049,6 +3052,22 @@ function readOpenclawAuthProfilesSummary() {
     };
 }
 
+function sanitizeOpenclawAuthProfilesForClient(providers) {
+    if (!isPlainObject(providers)) {
+        return {};
+    }
+    const sanitized = {};
+    for (const [providerKey, summary] of Object.entries(providers)) {
+        if (!isPlainObject(summary)) {
+            continue;
+        }
+        const normalized = { ...summary };
+        delete normalized.resolvedValue;
+        sanitized[providerKey] = normalized;
+    }
+    return sanitized;
+}
+
 function normalizeOpenclawAuthProfileUpdate(entry) {
     if (!isPlainObject(entry)) return null;
     const profileId = typeof entry.profileId === 'string' ? entry.profileId.trim() : '';
@@ -5756,19 +5775,11 @@ async function listSessionUsage(params = {}) {
     const limit = Number.isFinite(rawLimit)
         ? Math.max(1, Math.min(rawLimit, MAX_SESSION_LIST_SIZE))
         : 200;
-    const sessions = await listAllSessions({
+    return await listAllSessionsData({
         source,
         limit,
         forceRefresh: !!params.forceRefresh
     });
-    return sessions.map((item) => {
-        if (!item || typeof item !== 'object' || Array.isArray(item)) {
-            return item;
-        }
-        const normalized = { ...item };
-        delete normalized.__messageCountExact;
-        return normalized;
-    });
 }
 
 function listSessionPaths(params = {}) {
@@ -11036,12 +11047,16 @@ function createWebServer({ htmlPath, assetsDir, webDir, host, port, openBrowser
                             break;
                         case 'list-sessions-usage':
                             {
-                                const source = typeof params.source === 'string' ? params.source.trim().toLowerCase() : '';
+                                const usageParams = isPlainObject(params) ? params : {};
+                                const source = typeof usageParams.source === 'string' ? usageParams.source.trim().toLowerCase() : '';
                                 if (source && source !== 'codex' && source !== 'claude' && source !== 'all') {
                                     result = { error: 'Invalid source. Must be codex, claude, or all' };
                                 } else {
                                     result = {
-                                        sessions: await listSessionUsage(params || {}),
+                                        sessions: await listSessionUsage({
+                                            ...usageParams,
+                                            source: source || 'all'
+                                        }),
                                         source: source || 'all'
                                     };
                                 }

tests/e2e/test-openclaw.js

@@ -1,13 +1,33 @@
+const fs = require('fs');
+const path = require('path');
 const { assert } = require('./helpers');
 
 module.exports = async function testOpenclaw(ctx) {
-    const { api } = ctx;
+    const { api, tmpHome } = ctx;
+    const authAgentDir = path.join(tmpHome, '.openclaw', 'agents', 'main', 'agent');
+    fs.mkdirSync(authAgentDir, { recursive: true });
+    fs.writeFileSync(path.join(authAgentDir, 'auth-profiles.json'), JSON.stringify({
+        version: 1,
+        profiles: {
+            'openai-codex:default': {
+                provider: 'openai-codex',
+                type: 'oauth',
+                access: 'super-secret-token',
+                displayName: 'OpenAI Codex'
+            }
+        }
+    }, null, 2), 'utf-8');
+    fs.writeFileSync(path.join(authAgentDir, 'auth-state.json'), JSON.stringify({}, null, 2), 'utf-8');
 
     // ========== Get OpenClaw Config Tests ==========
     const openclawReadEmpty = await api('get-openclaw-config');
     assert(openclawReadEmpty.exists === false, 'openclaw config should not exist initially');
     assert(typeof openclawReadEmpty.path === 'string', 'get-openclaw-config missing path');
     assert('lineEnding' in openclawReadEmpty, 'get-openclaw-config missing lineEnding');
+    assert(openclawReadEmpty.authProfilesByProvider && openclawReadEmpty.authProfilesByProvider['openai-codex'], 'get-openclaw-config missing auth profile summary');
+    assert(openclawReadEmpty.authProfilesByProvider['openai-codex'].resolvedValue === undefined, 'get-openclaw-config should not expose resolved auth profile secrets');
+    assert(openclawReadEmpty.authProfilesByProvider['openai-codex'].resolvedField === 'access', 'get-openclaw-config missing auth profile write field');
+    assert(openclawReadEmpty.authProfilesByProvider['openai-codex'].editable === true, 'get-openclaw-config missing editable auth profile flag');
 
     // ========== Apply OpenClaw Config Tests ==========
     const openclawInvalid = await api('apply-openclaw-config', { content: '', lineEnding: '\n' });

tests/e2e/test-sessions.js

@@ -40,6 +40,9 @@ module.exports = async function testSessions(ctx) {
     assert(usageSessions.sessions.some((item) => item.sessionId === sessionId), 'list-sessions-usage missing codex entry');
     assert(usageSessions.sessions.some((item) => item.sessionId === claudeSessionId), 'list-sessions-usage missing claude entry');
     assert(usageSessions.sessions.every((item) => !Object.prototype.hasOwnProperty.call(item, '__messageCountExact')), 'list-sessions-usage should not expose exact hydration markers');
+    const defaultUsageSessions = await api('list-sessions-usage');
+    assert(Array.isArray(defaultUsageSessions.sessions), 'list-sessions-usage without params should still return sessions');
+    assert(defaultUsageSessions.source === 'all', 'list-sessions-usage without params should default source to all');
 
     const usageSessionsInvalid = await api('list-sessions-usage', { source: 'invalid', limit: 50 });
     assert(usageSessionsInvalid.error, 'list-sessions-usage should fail for invalid source');

tests/unit/openclaw-core.test.mjs

@@ -298,7 +298,6 @@ test('fillOpenclawQuickFromConfig uses builtin openai-codex defaults and editabl
                 profileId: 'openai-codex:default',
                 type: 'oauth',
                 display: 'AuthProfile(oauth:openai-codex:default)',
-                resolvedValue: 'access-token-value',
                 resolvedField: 'access',
                 editable: true,
                 valueKind: 'oauth-access'
@@ -328,13 +327,13 @@ test('fillOpenclawQuickFromConfig uses builtin openai-codex defaults and editabl
     assert.strictEqual(context.openclawQuick.baseUrl, 'https://chatgpt.com/backend-api');
     assert.strictEqual(context.openclawQuick.baseUrlDisplayKind, 'builtin-default');
     assert.strictEqual(context.openclawQuick.apiType, 'openai-codex-responses');
-    assert.strictEqual(context.openclawQuick.apiKey, 'access-token-value');
+    assert.strictEqual(context.openclawQuick.apiKey, '');
     assert.strictEqual(context.openclawQuick.apiKeyReadOnly, false);
     assert.strictEqual(context.openclawQuick.apiKeyDisplayKind, 'auth-profile-value');
     assert.strictEqual(context.openclawQuick.apiKeySourceKind, 'auth-profile');
     assert.strictEqual(context.openclawQuick.apiKeySourceProfileId, 'openai-codex:default');
     assert.strictEqual(context.openclawQuick.apiKeySourceWriteField, 'access');
-    assert.strictEqual(context.openclawQuick.apiKeySourceOriginalValue, 'access-token-value');
+    assert.strictEqual(context.openclawQuick.apiKeySourceOriginalValue, '');
     assert.strictEqual(context.openclawQuick.apiKeySourceCredentialType, 'oauth');
 });
 

tests/unit/openclaw-editing.test.mjs

@@ -164,7 +164,6 @@ test('applyOpenclawQuickToText queues auth profile updates instead of inlining e
                 profileId: 'openai-codex:default',
                 type: 'oauth',
                 display: 'AuthProfile(oauth:openai-codex:default)',
-                resolvedValue: 'old-access-token',
                 resolvedField: 'access',
                 editable: true,
                 valueKind: 'oauth-access'
@@ -193,6 +192,7 @@ test('applyOpenclawQuickToText queues auth profile updates instead of inlining e
     context.fillOpenclawQuickFromConfig(config, {
         authProfilesByProvider: context.openclawAuthProfilesByProvider
     });
+    assert.strictEqual(context.openclawQuick.apiKey, '');
     context.openclawQuick.apiKey = 'new-access-token';
     context.openclawQuick.overrideProvider = true;
 

web-ui/modules/app.methods.openclaw-core.mjs

@@ -160,6 +160,19 @@ function readOpenclawAuthProfileDisplayValue(authProfilesByProvider, providerNam
             sourceCredentialType: typeof summary.type === 'string' ? summary.type.trim() : ''
         };
     }
+    const resolvedField = typeof summary.resolvedField === 'string' ? summary.resolvedField.trim() : '';
+    if (summary.editable === true && resolvedField) {
+        return {
+            value: '',
+            readOnly: false,
+            kind: 'auth-profile-value',
+            sourceKind: 'auth-profile',
+            sourceProfileId: typeof summary.profileId === 'string' ? summary.profileId.trim() : '',
+            sourceWriteField: resolvedField,
+            sourceOriginalValue: '',
+            sourceCredentialType: typeof summary.type === 'string' ? summary.type.trim() : ''
+        };
+    }
     if (typeof summary.display !== 'string' || !summary.display.trim()) {
         return {
             value: '',