Log redacted OpenClaw outbound payload details

server/src/__tests__/openclaw-adapter.test.ts

@@ -256,6 +256,55 @@ describe("openclaw adapter execute", () => {
     ).toBe(true);
   });
 
+  it("logs outbound payload with sensitive fields redacted", async () => {
+    const fetchMock = vi.fn().mockResolvedValue(
+      sseResponse([
+        "event: response.completed\n",
+        'data: {"type":"response.completed","status":"completed"}\n\n',
+      ]),
+    );
+    vi.stubGlobal("fetch", fetchMock);
+
+    const logs: string[] = [];
+    const result = await execute(
+      buildContext(
+        {
+          url: "https://agent.example/sse",
+          method: "POST",
+          headers: {
+            "x-openclaw-auth": "gateway-token",
+          },
+          payloadTemplate: {
+            text: "task prompt",
+            nested: {
+              token: "secret-token",
+              visible: "keep-me",
+            },
+          },
+        },
+        {
+          onLog: async (_stream, chunk) => {
+            logs.push(chunk);
+          },
+        },
+      ),
+    );
+
+    expect(result.exitCode).toBe(0);
+
+    const headerLog = logs.find((line) => line.includes("[openclaw] outbound headers (redacted):"));
+    expect(headerLog).toBeDefined();
+    expect(headerLog).toContain("\"x-openclaw-auth\":\"[redacted");
+    expect(headerLog).toContain("\"authorization\":\"[redacted");
+    expect(headerLog).not.toContain("gateway-token");
+
+    const payloadLog = logs.find((line) => line.includes("[openclaw] outbound payload (redacted):"));
+    expect(payloadLog).toBeDefined();
+    expect(payloadLog).toContain("\"token\":\"[redacted");
+    expect(payloadLog).not.toContain("secret-token");
+    expect(payloadLog).toContain("\"visible\":\"keep-me\"");
+  });
+
   it("derives Authorization header from x-openclaw-auth when webhookAuthHeader is unset", async () => {
     const fetchMock = vi.fn().mockResolvedValue(
       sseResponse([