feat: add sanitized diagnostics log bundle

[christineyan4]

Summary

• Add a sanitized diagnostics bundle export flow for the WinUI tray app, including generated debug summary, connection event timeline, tray log tails, structured diagnostics JSONL, crash log, and setup log tails.
• Shift the privacy boundary toward source-side sanitization before logs/diagnostics are written or recorded, with DiagnosticsExportRedactor kept as defense-in-depth for older/raw export text.
• Refactor export redaction away from a broad regex-only approach: parser-style handling now covers private keys, signed handshakes, DPAPI blobs, agent session keys, command-line secret options, sensitive key/value pairs, GUID-like IDs, and common URL/path/token cleanup.
• Improve diagnostics preview/copy readability by decoding common JSON escape sequences like \u0022 and escaped CRLFs before final redaction, while keeping plain Windows paths stable and guarding control/backslash unicode escapes.
• Add fail-closed sanitizer-timeout handling for log-tail section sanitization and final full-bundle sanitization so a timeout produces [REDACTED_SANITIZER_TIMEOUT] instead of aborting export.
• Preserve the preview-before-copy/save full diagnostics flow and native Win32 Save dialog for the self-hosted WinUI app.
• Add regression coverage for redaction safety, readability, timeout behavior, split-line/nested secrets, missing files, and diagnostics page copy/preview contracts.

Validation

• dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore --filter FullyQualifiedName~DiagnosticsExportRedactorTests
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore --filter "FullyQualifiedName~DiagnosticsBundleBuilderTests|FullyQualifiedName~DiagnosticsPageContractTests"
• .\build.ps1
• dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore
• dotnet test .\tests\OpenClaw.Connection.Tests\OpenClaw.Connection.Tests.csproj --no-restore
• git diff --check
• Hanselman-style adversarial review completed with Opus + Codex; follow-up fixes added for nested/double-escaped JSON secrets, conservative escape decoding for Windows paths, unicode control/backslash guards, deterministic escaped-CRLF decoding, and additional timeout/readability regression tests.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 26, 2026, 3:00 PM ET / 19:00 UTC.

Summary
The PR adds a sanitized WinUI diagnostics bundle preview/copy/save flow with bounded log tails, connection timeline export, shared export sanitization, source-side log redaction, native save dialog support, localization updates, and regression coverage.

Reproducibility: not applicable. as a bug reproduction: this is a feature PR adding a diagnostics export flow. The relevant check is merge proof and privacy-boundary review, not a current-main failure reproduction.

Review metrics: 2 noteworthy metrics.

• Diff size: 31 files, +2672/-294. The change is broad enough that maintainers should review the privacy, UX, and persistence surfaces rather than treating it as a small redaction patch.
• Proof artifacts: 3 artifacts inspected; 2 full bundles byte-identical, 1 summary bundle. The artifacts support the preview/copy/save flow, but they predate the current head and should be refreshed for merge confidence.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Post refreshed current-head real behavior proof for preview, full copy, save-to-file, and summary-only copy with private details redacted.
• Get maintainer acceptance on the diagnostics privacy boundary and the summary-only direct-copy workflow.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The linked screenshots/text artifacts show preview, full copy, save-to-file, and summary copy behavior, but they were posted before the latest head commit; the contributor should refresh proof from the current head, redacting private IPs, keys, phone numbers, endpoints, and other private data, then update the PR body to trigger re-review or ask a maintainer for @clawsweeper re-review.

Mantis proof suggestion
A visible desktop proof run would materially help confirm the WinUI preview/copy/save flow and summary-only copy behavior on the current head. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify diagnostics bundle preview opens, copy/save produce sanitized output, and summary copy excludes log tails.

Risk before merge

• [P1] The sanitizer and bundle builder are now a security boundary for credentials, local paths, IPs, device IDs, and session keys, so maintainers should explicitly accept the privacy boundary before merge.
• [P1] The direct debug-bundle copy/deep-link path intentionally becomes summary-only and moves log tails behind preview/save, which can change existing support workflows that expected one-click log tails.
• [P1] The PR touches chat tool-metadata persistence around reset, so merge safety depends on the new cache-dirty tests and maintainer comfort with the session-state behavior.
• [P1] The inspected real behavior proof shows the feature flow, but it was posted before the latest head commit that changed sanitizer and tool-metadata behavior; current-head proof should be refreshed unless a maintainer overrides that gate.

Maintainer options:

1. Refresh proof and privacy review before merge (recommended)
   Have the contributor post current-head proof for preview, full copy, save-to-file, and summary-only copy, then get maintainer acceptance on the diagnostics scrub boundary.
2. Accept the support-workflow change deliberately
   Maintainers may land the summary-only direct copy path if they are comfortable requiring preview/save for log tails in future support workflows.
3. Pause behind the broader PII scrub policy
   If Diagnostics — PII scrubbing #857 should define the final scrub policy first, keep this PR draft or pause it until that boundary is settled.

Next step before merge

• [P1] The remaining action is maintainer privacy/support-workflow judgment plus refreshed contributor proof, not a narrow automated repair.

Security
Needs attention: The diff has no discrete supply-chain issue, but it introduces a sensitive diagnostics-export privacy boundary that needs maintainer review and refreshed current-head proof.

Review details

Best possible solution:

Land a side-effect-free diagnostics export path only after maintainers accept the privacy boundary, the summary-only copy workflow, and refreshed current-head proof for the sanitizer/export behavior.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction: this is a feature PR adding a diagnostics export flow. The relevant check is merge proof and privacy-boundary review, not a current-main failure reproduction.

Is this the best way to solve the issue?

Mostly yes, by source inspection: the latest design is the maintainable direction because it tail-reads bounded sources, keeps export side-effect-free, and centralizes sanitizer use. It still needs maintainer acceptance for the support-workflow and privacy-boundary tradeoffs.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 1c377cb64b65.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The linked screenshots/text artifacts show preview, full copy, save-to-file, and summary copy behavior, but they were posted before the latest head commit; the contributor should refresh proof from the current head, redacting private IPs, keys, phone numbers, endpoints, and other private data, then update the PR body to trigger re-review or ask a maintainer for @clawsweeper re-review.
• remove proof: sufficient: Current real behavior proof status is insufficient, not sufficient.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.
• remove status: ⏳ waiting on author: Current PR status label is status: 📣 needs proof.

Label justifications:

• P2: This is a normal-priority privacy and diagnostics-support feature with meaningful but bounded blast radius.
• merge-risk: 🚨 compatibility: The PR changes the existing direct debug-bundle copy behavior to summary-only and requires preview/save for log tails.
• merge-risk: 🚨 session-state: The PR modifies persisted chat tool metadata reset behavior, which can affect restored session/tool labels after upgrade.
• merge-risk: 🚨 security-boundary: The PR creates and relies on a diagnostics redaction boundary for shareable logs containing credentials, paths, IPs, device IDs, and session state.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The linked screenshots/text artifacts show preview, full copy, save-to-file, and summary copy behavior, but they were posted before the latest head commit; the contributor should refresh proof from the current head, redacting private IPs, keys, phone numbers, endpoints, and other private data, then update the PR body to trigger re-review or ask a maintainer for @clawsweeper re-review.

Evidence reviewed

Security concerns:

• [medium] Review the diagnostics privacy boundary before merge — src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs:74
  The PR assembles shareable log tails, connection events, crash logs, and setup logs; because this path is responsible for scrubbing credentials, local paths, IPs, device IDs, and session keys before sharing, maintainers should explicitly accept the boundary and current-head proof before merge.
  Confidence: 0.84

What I checked:

• Repository policy read: AGENTS.md was read fully; its validation expectations and tray/connection diagnostics guidance were applied as review context, but no validation commands were run because this was a read-only review. (AGENTS.md:1, 1c377cb64b65)
• PR surface: GitHub reports this draft PR changes 31 files with 2672 additions and 294 deletions at head 802e44a, including diagnostics, redaction, WinUI, localization, and tests. (802e44a680a7)
• Read-only bundle boundary: The PR head bundle builder states the export is read-only, bounds included log tails, lists excluded raw settings/credential/media files, and assembles support summaries, connection timeline, tray logs, diagnostics JSONL, crash log, and setup log tails. (src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs:74, 802e44a680a7)
• Bounded export sanitizer path: The PR head tail reader reads bounded tails with FileShare.ReadWrite/Delete, sanitizes with context, and revalidates JSONL lines with a redacted unsafe-line sentinel. (src/OpenClaw.Tray.WinUI/Services/DiagnosticsLogTailReader.cs:110, 802e44a680a7)
• Summary copy remains summary-only: The PR head Debug page routes direct Copy summary debug bundle through CommandCenterTextHelper.BuildDebugBundle, while full log-tail diagnostics remain behind the Create diagnostics bundle preview path. (src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs:523, 802e44a680a7)
• Regression coverage for prior blockers: The PR head tests assert summary debug bundles omit log tails, export/copy paths use the shared sanitizer, reset-cleared tool metadata is persisted, and prefixed tokens inside JSON strings keep JSON parseable. (tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs:483, 802e44a680a7)

Likely related people:

• shanselman: Git history introduced privacy-safe diagnostics JSONL, and PR discussion contains detailed privacy/performance review feedback on the diagnostics bundle boundary. (role: introduced diagnostics privacy and reviewer; confidence: high; commits: bd0121478fb3, 088b96d6c032, 0d4fcbd50ad5; files: src/OpenClaw.Tray.WinUI/Services/DiagnosticsJsonlService.cs, src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs, src/OpenClaw.Tray.WinUI/Helpers/CommandCenterTextHelper.cs)
• Ranjesh Jaganathan: Git history shows this author introduced the connection diagnostics ring buffer and carried substantial diagnostics page/connection status work now touched by the PR. (role: connection and diagnostics UX contributor; confidence: high; commits: 3a098d5d0368, 40d1b9d97224, 429be9ba9368; files: src/OpenClaw.Connection/ConnectionDiagnostics.cs, src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs, src/OpenClaw.Tray.WinUI/Windows/ConnectionStatusWindow.xaml.cs)
• bkudiess: Git history shows the task-oriented Diagnostics page rebuild and connection timeline popup work in the same WinUI surface this PR extends. (role: diagnostics page redesign contributor; confidence: medium; commits: 84ceee19c03d, 0da3ca5b2101; files: src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml, src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs, tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs)
• kmahone: A collaborator review comment explicitly asked the PR author to move sanitization toward log-time/source-side handling, which is central to the current branch direction. (role: collaborator reviewer; confidence: medium; files: src/OpenClaw.Shared/TokenSanitizer.cs, src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Copilot]

Pull request overview

This PR adds a sanitized “diagnostics bundle” export flow for the WinUI tray app, including robust redaction of secrets/identifiers and expanded bundle contents (log tails + structured diagnostics + crash/setup tails + connection timeline), along with new regression tests and a Win32-native “Save as” dialog for self-hosted WinUI.

Changes:

• Introduce DiagnosticsExportRedactor and apply it to bundle generation and log tail reading (including final “whole-bundle” sanitization).
• Add DiagnosticsBundleBuilder + DiagnosticsLogTailReader and update the debug/diagnostics UI to preview/copy/save the sanitized bundle.
• Add new Shared/Tray tests covering redaction shapes, split-line secrets, missing files behavior, and bundle safety guarantees.

Show a summary per file

File	Description
tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj	Links new WinUI diagnostics services/helpers into Tray test project.
tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs	Adds contract tests to enforce “summary-only vs full bundle” UX boundaries.
tests/OpenClaw.Tray.Tests/DiagnosticsBundleBuilderTests.cs	Adds tests for bundle contents, missing-file behavior, and split-line redaction.
tests/OpenClaw.Shared.Tests/DiagnosticsExportRedactorTests.cs	Adds broad regression coverage for redaction patterns and context preservation.
src/OpenClaw.Tray.WinUI/Windows/DiagnosticsBundleDialog.xaml.cs	Reworks Save flow to use Win32 picker + deferral so errors surface in UI.
src/OpenClaw.Tray.WinUI/Windows/DiagnosticsBundleDialog.xaml	Replaces InfoBar with a custom “review before sharing” card-style header.
src/OpenClaw.Tray.WinUI/Strings/en-us/Resources.resw	Updates strings for “summary debug bundle” and new dialog header UIDs.
src/OpenClaw.Tray.WinUI/Strings/fr-fr/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/nl-nl/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/zh-cn/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/zh-tw/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsLogTailReader.cs	Adds sanitized + truncated log tail reader for bundle sections.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsClipboardService.cs	Renames “debug bundle” copy label to “summary debug bundle”.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs	Adds full bundle builder composing summaries, timeline, and sanitized tails.
src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs	Wires diagnostics bundle preview flow and copy actions.
src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml	Updates UX copy to “Copy summary debug bundle” with exclusions noted.
src/OpenClaw.Tray.WinUI/Helpers/Win32FilePickerHelper.cs	Adds Win32 Save dialog via COM IFileSaveDialog on STA thread.
src/OpenClaw.Tray.WinUI/App.xaml.cs	Exposes recent connection diagnostic events for bundling.
src/OpenClaw.Shared/DiagnosticsExportRedactor.cs	Adds centralized regex-based redaction for bundles/log exports.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 19/19 changed files
• Comments generated: 9

[christineyan4]

Real behavior proof for diagnostics bundle privacy boundary:

• “Create diagnostics bundle” opens a preview before log-tail diagnostics can be copied or saved.
• Preview shows sanitized diagnostics/log content with useful context preserved.
• “Save to file” opens the native Windows Save dialog.
• Direct “Copy summary debug bundle” is summary-only and explicitly excludes log tails; log-tail diagnostics
  require the preview flow.

[shanselman]

This direction makes sense for a shareable diagnostics bundle, but the redactor is carrying a lot of regex responsibility in one place. I would not block solely because it uses regex — conservative over-redaction is probably right here — but I think it needs a maintainability/perf pass before merge: group the rules by threat class, consider source-generated regexes or clearly named rule objects, and add a worst-case/perf regression test so a long log line or malformed URL/token cannot cause pathological backtracking. The current test coverage for common secret shapes is good; my concern is mostly long-term maintainability and worst-case behavior.

[shanselman]

I took a closer pass on the redaction implementation. The feature is valuable and regex is not inherently the wrong tool for free-form diagnostics, but I think this needs a small reliability/perf cleanup before merge.

Concrete concerns:

1. RegexMatchTimeoutException can abort the whole export. DiagnosticsLogTailReader.BuildSection() calls DiagnosticsExportRedactor.Sanitize(...), but its catch filter only handles IO/unauthorized/not-supported exceptions. If a regex hits the 100ms timeout on a long/malformed log line, the timeout escapes and the diagnostics export fails. Please catch RegexMatchTimeoutException there and around the final full-bundle Sanitize(builder.ToString()) pass in DiagnosticsBundleBuilder.Build() so the bundle can include a sanitization-timeout sentinel instead of failing.

2. SlackSigningSecretPattern looks redundant/dead. It matches exactly 32 hex chars, but HexTokenPattern runs earlier and matches 32+ hex chars, so it should already replace every value that SlackSigningSecretPattern could see. I’d remove the Slack-specific regex and document/test that HexTokenPattern covers that shape.

3. KeyValueSecretPattern has unbounded key-prefix scans before a large alternation. With MaxLineChars = 8000, a long non-matching key can burn work until the timeout. Consider bounding the key prefix/suffix length, or using a small rule pipeline that parses the key and then checks sensitive-key words outside regex.

4. Please add tests for the scary cases: timeout does not abort bundle export, redaction is idempotent, JSON non-string secret values are handled or explicitly documented as a known gap, version strings/IP false positives are documented, and one max-size/perf smoke proves the redactor budget stays reasonable.

Longer-term, because this is net10.0, source-generated regexes ([GeneratedRegex]) or named redaction-rule objects would make this much easier to audit than a flat list of compiled regex fields. I would not block on “regex exists”, but I would block on timeout handling and at least one worst-case/perf regression guard.

[christineyan4]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[christineyan4]

latest proof:
diagnostics bundle preview:
https://github.com/user-attachments/assets/7e912e67-8faa-4d69-ae6e-4200d15fe8d2

full bundle, copy/paste:
OpenClaw Windows Tray Diagnostics pasted.txt

full diagnostics bundle .txt, after clicking "save to file":
openclaw-diagnostics-20260626-134405.txt

summary bundle:
OpenClaw Windows Tray Debug Bundle summary.txt

for local validation: build + shared tests + tray tests passed on the latest commit.