fix: exclude credentials dir, sanitize ALL json files recursively to fix HF 400 error

scripts/sync_hf.py

@@ -183,10 +183,8 @@ class OpenClawFullSync:
             # Copy the directory, skip symlinks and excluded patterns
             self._copy_for_upload(OPENCLAW_HOME, staging_path)
 
-            # Sanitize openclaw.json in the staging copy
-            config_staged = staging_path / "openclaw.json"
-            if config_staged.exists():
-                self._sanitize_config_file(config_staged)
+            # Sanitize ALL JSON files to redact tokens/keys/secrets
+            self._sanitize_all_json(staging_path)
 
             # Log staging dir size
             total_size = 0
@@ -200,6 +198,10 @@ class OpenClawFullSync:
                     print(f"[SYNC]   staging: {os.path.relpath(fp, staging_path)} ({sz} bytes)")
             print(f"[SYNC] Staging: {file_count} files, {total_size} bytes total")
 
+            if file_count == 0:
+                print("[SYNC] Nothing to upload (staging is empty).")
+                return
+
             # Upload the sanitized staging directory
             self.api.upload_folder(
                 folder_path=str(staging_path),
@@ -234,8 +236,9 @@ class OpenClawFullSync:
     def _copy_for_upload(self, src: Path, dst: Path):
         """Copy directory for upload, skipping symlinks and excluded items."""
         skip_names = {".git", "node_modules", "__pycache__", ".cache",
-                      "extensions", ".DS_Store", "logs", "temp", "tmp"}
-        skip_exts = {".lock", ".tmp", ".socket", ".pid", ".pyc", ".log"}
+                      "extensions", ".DS_Store", "logs", "temp", "tmp",
+                      "credentials"}  # credentials are injected from env at runtime
+        skip_exts = {".lock", ".tmp", ".socket", ".pid", ".pyc", ".log", ".bak"}
         # Skip files larger than 10MB to avoid timeout
         MAX_FILE_SIZE = 10 * 1024 * 1024
 
@@ -260,6 +263,47 @@ class OpenClawFullSync:
             elif item.is_dir():
                 self._copy_for_upload(item, dst / item.name)
 
+    def _sanitize_all_json(self, staging_path: Path):
+        """Sanitize ALL JSON files to redact tokens, keys, secrets."""
+        SECRET_KEYS = {"apiKey", "apikey", "api_key", "token", "secret",
+                       "password", "access_token", "bot_token"}
+        count = 0
+        for json_file in staging_path.rglob("*.json"):
+            try:
+                with open(json_file, "r") as f:
+                    data = json.load(f)
+                changed = self._redact_secrets(data, SECRET_KEYS)
+                if changed:
+                    with open(json_file, "w") as f:
+                        json.dump(data, f, indent=2)
+                    count += 1
+            except Exception:
+                pass
+        if count:
+            print(f"[SYNC] Sanitized {count} JSON files (redacted secrets)")
+
+    def _redact_secrets(self, obj, secret_keys, depth=0):
+        """Recursively redact values of secret-looking keys."""
+        if depth > 10:
+            return False
+        changed = False
+        if isinstance(obj, dict):
+            for key in obj:
+                if key.lower() in {k.lower() for k in secret_keys}:
+                    val = obj[key]
+                    if isinstance(val, str) and len(val) > 3 and not val.startswith("<"):
+                        obj[key] = "<REDACTED>"
+                        changed = True
+                elif isinstance(obj[key], (dict, list)):
+                    if self._redact_secrets(obj[key], secret_keys, depth + 1):
+                        changed = True
+        elif isinstance(obj, list):
+            for item in obj:
+                if isinstance(item, (dict, list)):
+                    if self._redact_secrets(item, secret_keys, depth + 1):
+                        changed = True
+        return changed
+
     def _sanitize_config_file(self, config_path: Path):
         """Sanitize openclaw.json to remove secrets before upload."""
         try: