PR #75095 added `redactConfigAuditArgv` so newly-written entries in
`~/.openclaw/logs/config-audit.jsonl` mask token-shaped values, but the
audit log has no rotation, retention, or one-shot scrub. Users who ran
`openclaw config set <path> <secret-value>` between commit `748d6821d2`
(audit added 2026-02-14) and `a853c5e8c2` (redactor merged 2026-05-01)
still have plaintext Slack, Telegram, gateway, etc. tokens sitting in
`config-audit.jsonl` at rest after upgrading.
Add `scrubConfigAuditLog` in `src/config/io.audit.ts` that reads the
audit log, rewrites every record's `argv` / `execArgv` fields through
the existing forward redactor, and writes the file back atomically
(`*.scrub.tmp` + rename, mode 0o600). Idempotent — already-masked
entries pass through unchanged. Malformed lines are preserved verbatim
and counted as `skipped` so the scrub never destroys forensic content
it cannot understand. Concurrent-append guard: re-stat the audit log
immediately before rename and abort (no on-disk change) if the file
grew during the scrub, so a parallel appendConfigAuditRecord call is
never overwritten by the rename swap. Wire into the doctor health flow
as `runConfigAuditScrubHealth`: scan-only on a normal `openclaw doctor`
(prints the count and suggests `--fix`); rewrite atomically on
`openclaw doctor --fix` with a "rotate any credentials" note; print a
"stop the gateway and rerun" hint on the abort path. No plaintext
backup file is produced; file mode and parent dir mode are preserved.
Per repo CLAUDE.md ("Legacy config repair: doctor/fix paths, not
startup/load-time core migrations") the scrub is gated to `--fix`
and runs only when the user opts in.
Verified:
- pnpm install --frozen-lockfile
- pnpm test src/config/io.audit.test.ts
- pnpm test src/commands/doctor-config-flow.test.ts
- pnpm tsgo:core:test
- pnpm exec oxfmt --check --threads=1 src/config/io.audit.ts src/config/io.audit.test.ts src/commands/doctor-config-audit-scrub.ts src/flows/doctor-health-contributions.ts
Closes#80777
Add a post-install seam so the wizard can prompt the user to import their
existing Codex CLI state (skills, archived config/hooks, advisory cached
plugins) through the existing `openclaw migrate codex` flow once the
harness plugin is in place. Fires on both fresh installs and repair runs;
the user can decline at any time.
Trigger sites, both routing through one helper:
- src/plugins/provider-auth-choice.ts: after
`ensureCodexRuntimePluginForModelSelection` reports `installed: true`,
dynamically import `offerPostInstallMigrations` and call it before the
wizard moves on.
- src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts:
same call shape with `nonInteractive: true`, so the helper emits a hint
line only and never mutates state.
Helper (src/wizard/setup.post-install-migration.ts) is generic, not
Codex-hardcoded — it resolves migration providers via the manifest
`migrationProviders` contract, filters to providers owned by plugins the
caller flags as installed in this onboarding step, runs `provider.detect`,
and on TTY hands accepted runs to `migrateDefaultCommand`. All detect,
prompt, and migrate failures are swallowed so onboarding never aborts on
this optional offer.
Also harden the Codex app-server subprocess lifecycle now that `detect()`
runs from a hotter onboarding path: isolate the plugin-install
`plugin/read` call (extensions/codex/src/migration/apply.ts) and have the
isolated request wait for child exit with a SIGKILL fallback
(extensions/codex/src/app-server/request.ts) so parents are not held open
by an orphaned codex binary.
Tests:
- src/wizard/setup.post-install-migration.test.ts (new, 10 cases)
- src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.test.ts
extended with hint-call assertions and a not-required-no-offer case.
