feat: add sanitized diagnostics log bundle

[christineyan4]

Summary

• Add a diagnostics export redactor for tokens, IDs, paths, cookies, webhooks, provider secrets, command-line secret options, and other share-sensitive values
• Expand Create diagnostics bundle to include sanitized tray log, diagnostics JSONL, crash log, setup log, activity, and connection event tails
• Replace diagnostics Save to file with a native Win32 save dialog for the self-hosted WinUI app
• Add regression tests for redaction coverage, split-line secrets, missing files, and bundle safety

Validation

• .\build.ps1
• dotnet test .\tests\OpenClaw.Shared.Tests\OpenClaw.Shared.Tests.csproj --no-restore -v q
• dotnet test .\tests\OpenClaw.Tray.Tests\OpenClaw.Tray.Tests.csproj --no-restore -v q
• Hanselman-style adversarial review completed; added split-line secret regression test from review finding

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 4:29 PM ET / 20:29 UTC.

Summary
The branch adds a sanitized diagnostics bundle preview/save flow for tray logs and connection diagnostics, a shared redactor, native Win32 save dialog support, localization updates, and regression tests.

Reproducibility: not applicable. this is a feature PR rather than a bug report. Source inspection and screenshots verify the current branch's preview/save/direct-copy wiring, but no failing current-main bug path exists.

Review metrics: 3 noteworthy metrics.

• Diff surface: 19 files, +1081/-81. The change spans redaction, log collection, Win32 COM save UI, localization, and tests, so privacy and UX review matter beyond compile results.
• Log-tail export surface: 5 file groups plus connection timeline. Tray, archive, diagnostics JSONL, crash, setup logs, and connection events are all newly shareable diagnostic sources.
• Proof artifacts: 3 screenshots. Visible proof now covers the preview dialog, native save dialog, and summary-copy card after the direct-copy fix.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit ✨ media proof bonus
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Wait for the GitHub Actions test and e2e checks to complete.
• Maintainers should explicitly accept the preview-gated log-tail redaction boundary or request one more hardening pass.

Risk before merge

• The new bundle makes tray, diagnostics JSONL, crash, setup, and connection-event tails shareable; even with preview and tests, maintainers need to accept regex redaction plus user review as the privacy boundary.
• Required GitHub test and e2e checks were still in progress at review time, and this read-only review did not run the AGENTS.md validation commands locally.

Maintainer options:

1. Accept the preview-gated export after checks (recommended)
   If maintainers are comfortable with regex redaction plus explicit user review, wait for required checks to pass and merge without broadening direct-copy paths.
2. Harden redaction fixtures first
   Add representative sensitive log-line fixtures, such as command execution and connection failures, before merge if maintainers want stronger assurance around common log shapes.
3. Keep diagnostics summary-only
   If the support value does not justify exporting sanitized log tails, pause this PR and keep the existing generated-summary bundle.

Next step before merge
No repair lane is needed; the remaining work is maintainer risk acceptance plus CI and normal review, not a narrow code defect.

Security
Needs attention: Needs attention: no supply-chain issue was found, but the patch creates a security-sensitive redacted log-tail export boundary that maintainers must explicitly accept.

Review details

Best possible solution:

Land the diagnostics bundle only after maintainers accept the preview-gated log-tail privacy boundary and CI/build validation passes; keep direct copy and deep-link paths summary-only.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a feature PR rather than a bug report. Source inspection and screenshots verify the current branch's preview/save/direct-copy wiring, but no failing current-main bug path exists.

Is this the best way to solve the issue?

Yes, with maintainer acceptance. The current head is a maintainable direction because rich log tails are preview-gated while direct copy remains summary-only; the remaining decision is whether the redaction boundary is acceptable.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against bf21e7b216aa.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.
• add proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P2: This is a bounded user-facing diagnostics improvement with privacy-sensitive review needs, not an emergency runtime failure.
• merge-risk: 🚨 security-boundary: Merging this PR intentionally makes sanitized local log tails shareable, so redaction and preview behavior become a sensitive-data boundary.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR comment includes after-fix screenshots showing the WinUI preview dialog with sanitized bundle text, the native Save dialog, and the summary-only diagnostics copy card.

Evidence reviewed

Security concerns:

• [medium] Log-tail export relies on redaction boundary — src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs:73
  DiagnosticsBundleBuilder appends local log tails and connection events before final sanitization, increasing the shareable sensitive-data surface even though the flow is preview-gated.
  Confidence: 0.84

What I checked:

• Repository policy read: AGENTS.md was read fully; its required validation and diagnostics/connection guidance were applied as review context. (AGENTS.md:1, bf21e7b216aa)
• Current main debug bundle is summary-only: Current main BuildDebugBundle assembles generated support, port, capability, node, channel, activity, and extensibility summaries rather than raw log tails. (src/OpenClaw.Tray.WinUI/Helpers/CommandCenterTextHelper.cs:110, bf21e7b216aa)
• PR adds preview-gated log-tail bundle: At PR head, DiagnosticsBundleBuilder appends generated summaries, connection events, tray/archive/JSONL/crash/setup tails, then applies final sanitization. (src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs:73, 81a1d6a4266d)
• Direct page copy stays summary-only after the fix: At PR head, OnCopyDebugBundle calls CommandCenterTextHelper.BuildDebugBundle instead of the new log-tail bundle builder. (src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs:464, 81a1d6a4266d)
• Regression coverage guards the copy boundary: The PR adds a contract test asserting both deep-link/service and page direct-copy paths use BuildDebugBundle and do not call DiagnosticsBundleBuilder.Build. (tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs:548, 81a1d6a4266d)
• Real behavior proof inspected: The contributor's three screenshots show the diagnostics preview with sanitized paths, the native Windows Save dialog, and the summary-only copy card after the fix. (81a1d6a4266d)

Likely related people:

• ranjeshj: git blame shows the current Diagnostics page preview/copy handlers, DiagnosticsBundleDialog, and CommandCenterTextHelper support/debug bundle came from the current diagnostics implementation commit. (role: feature-history owner; confidence: high; commits: 6d8541e57008; files: src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs, src/OpenClaw.Tray.WinUI/Windows/DiagnosticsBundleDialog.xaml.cs, src/OpenClaw.Tray.WinUI/Helpers/CommandCenterTextHelper.cs)
• shanselman: Recent path history shows review-feedback commits over Diagnostics page and contract-test behavior, and the PR timeline requested this review lane. (role: recent diagnostics reviewer; confidence: high; commits: 0afeaca8f87f, 05d8a3929d6a; files: src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs, tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs)
• bkudiess: Recent history includes adjacent Diagnostics page layout and WinUI localization changes that overlap this PR's UI/resource surface. (role: adjacent UI/localization contributor; confidence: medium; commits: d8354c49bacb, d4b35d4941c0; files: src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml, src/OpenClaw.Tray.WinUI/Strings/en-us/Resources.resw)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Copilot]

Pull request overview

This PR adds a sanitized “diagnostics bundle” export flow for the WinUI tray app, including robust redaction of secrets/identifiers and expanded bundle contents (log tails + structured diagnostics + crash/setup tails + connection timeline), along with new regression tests and a Win32-native “Save as” dialog for self-hosted WinUI.

Changes:

• Introduce DiagnosticsExportRedactor and apply it to bundle generation and log tail reading (including final “whole-bundle” sanitization).
• Add DiagnosticsBundleBuilder + DiagnosticsLogTailReader and update the debug/diagnostics UI to preview/copy/save the sanitized bundle.
• Add new Shared/Tray tests covering redaction shapes, split-line secrets, missing files behavior, and bundle safety guarantees.

Show a summary per file

File	Description
tests/OpenClaw.Tray.Tests/OpenClaw.Tray.Tests.csproj	Links new WinUI diagnostics services/helpers into Tray test project.
tests/OpenClaw.Tray.Tests/DiagnosticsPageContractTests.cs	Adds contract tests to enforce “summary-only vs full bundle” UX boundaries.
tests/OpenClaw.Tray.Tests/DiagnosticsBundleBuilderTests.cs	Adds tests for bundle contents, missing-file behavior, and split-line redaction.
tests/OpenClaw.Shared.Tests/DiagnosticsExportRedactorTests.cs	Adds broad regression coverage for redaction patterns and context preservation.
src/OpenClaw.Tray.WinUI/Windows/DiagnosticsBundleDialog.xaml.cs	Reworks Save flow to use Win32 picker + deferral so errors surface in UI.
src/OpenClaw.Tray.WinUI/Windows/DiagnosticsBundleDialog.xaml	Replaces InfoBar with a custom “review before sharing” card-style header.
src/OpenClaw.Tray.WinUI/Strings/en-us/Resources.resw	Updates strings for “summary debug bundle” and new dialog header UIDs.
src/OpenClaw.Tray.WinUI/Strings/fr-fr/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/nl-nl/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/zh-cn/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Strings/zh-tw/Resources.resw	Same localization updates as en-us.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsLogTailReader.cs	Adds sanitized + truncated log tail reader for bundle sections.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsClipboardService.cs	Renames “debug bundle” copy label to “summary debug bundle”.
src/OpenClaw.Tray.WinUI/Services/DiagnosticsBundleBuilder.cs	Adds full bundle builder composing summaries, timeline, and sanitized tails.
src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml.cs	Wires diagnostics bundle preview flow and copy actions.
src/OpenClaw.Tray.WinUI/Pages/DebugPage.xaml	Updates UX copy to “Copy summary debug bundle” with exclusions noted.
src/OpenClaw.Tray.WinUI/Helpers/Win32FilePickerHelper.cs	Adds Win32 Save dialog via COM IFileSaveDialog on STA thread.
src/OpenClaw.Tray.WinUI/App.xaml.cs	Exposes recent connection diagnostic events for bundling.
src/OpenClaw.Shared/DiagnosticsExportRedactor.cs	Adds centralized regex-based redaction for bundles/log exports.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 19/19 changed files
• Comments generated: 9

[christineyan4]

Real behavior proof for diagnostics bundle privacy boundary:

• “Create diagnostics bundle” opens a preview before log-tail diagnostics can be copied or saved.
• Preview shows sanitized diagnostics/log content with useful context preserved.
• “Save to file” opens the native Windows Save dialog.
• Direct “Copy summary debug bundle” is summary-only and explicitly excludes log tails; log-tail diagnostics
  require the preview flow.

[shanselman]

This direction makes sense for a shareable diagnostics bundle, but the redactor is carrying a lot of regex responsibility in one place. I would not block solely because it uses regex — conservative over-redaction is probably right here — but I think it needs a maintainability/perf pass before merge: group the rules by threat class, consider source-generated regexes or clearly named rule objects, and add a worst-case/perf regression test so a long log line or malformed URL/token cannot cause pathological backtracking. The current test coverage for common secret shapes is good; my concern is mostly long-term maintainability and worst-case behavior.

[shanselman]

I took a closer pass on the redaction implementation. The feature is valuable and regex is not inherently the wrong tool for free-form diagnostics, but I think this needs a small reliability/perf cleanup before merge.

Concrete concerns:

1. RegexMatchTimeoutException can abort the whole export. DiagnosticsLogTailReader.BuildSection() calls DiagnosticsExportRedactor.Sanitize(...), but its catch filter only handles IO/unauthorized/not-supported exceptions. If a regex hits the 100ms timeout on a long/malformed log line, the timeout escapes and the diagnostics export fails. Please catch RegexMatchTimeoutException there and around the final full-bundle Sanitize(builder.ToString()) pass in DiagnosticsBundleBuilder.Build() so the bundle can include a sanitization-timeout sentinel instead of failing.

2. SlackSigningSecretPattern looks redundant/dead. It matches exactly 32 hex chars, but HexTokenPattern runs earlier and matches 32+ hex chars, so it should already replace every value that SlackSigningSecretPattern could see. I’d remove the Slack-specific regex and document/test that HexTokenPattern covers that shape.

3. KeyValueSecretPattern has unbounded key-prefix scans before a large alternation. With MaxLineChars = 8000, a long non-matching key can burn work until the timeout. Consider bounding the key prefix/suffix length, or using a small rule pipeline that parses the key and then checks sensitive-key words outside regex.

4. Please add tests for the scary cases: timeout does not abort bundle export, redaction is idempotent, JSON non-string secret values are handled or explicitly documented as a known gap, version strings/IP false positives are documented, and one max-size/perf smoke proves the redactor budget stays reasonable.

Longer-term, because this is net10.0, source-generated regexes ([GeneratedRegex]) or named redaction-rule objects would make this much easier to audit than a flat list of compiled regex fields. I would not block on “regex exists”, but I would block on timeout handling and at least one worst-case/perf regression guard.