docs: document doctor legacy repair helpers

This commit is contained in:
Peter Steinberger
2026-06-04 11:41:21 -04:00
parent 7beeedbe73
commit 4fcc7537ff
6 changed files with 24 additions and 0 deletions

View File

@@ -1,3 +1,4 @@
// Doctor checks and repairs for exec safeBins profiles and trusted binary directories.
import { normalizeOptionalLowercaseString } from "@openclaw/normalization-core/string-coerce";
import { sanitizeForLog } from "../../../../packages/terminal-core/src/ansi.js";
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
@@ -15,10 +16,15 @@ import {
import { asObjectRecord } from "./object.js";
export type ExecSafeBinCoverageHit = {
/** Config scope that owns the safeBins entry. */
scopePath: string;
/** Normalized binary name from safeBins. */
bin: string;
/** Missing profile coverage or unsafe semantic shape detected by doctor. */
kind: "missingProfile" | "riskySemantics";
/** True when the missing profile belongs to an interpreter/runtime binary. */
isInterpreter?: boolean;
/** Risk explanation for risky semantic hits. */
warning?: string;
};
@@ -31,8 +37,11 @@ type ExecSafeBinScopeRef = {
};
export type ExecSafeBinTrustedDirHintHit = {
/** Config scope that owns the safeBins entry. */
scopePath: string;
/** Binary name configured in safeBins. */
bin: string;
/** Resolved executable path outside trusted safe-bin directories. */
resolvedPath: string;
};
@@ -112,6 +121,7 @@ function collectExecSafeBinScopes(cfg: OpenClawConfig): ExecSafeBinScopeRef[] {
return scopes;
}
/** Scan configured safeBins for missing profiles and risky low-friction entries. */
export function scanExecSafeBinCoverage(cfg: OpenClawConfig): ExecSafeBinCoverageHit[] {
const hits: ExecSafeBinCoverageHit[] = [];
for (const scope of collectExecSafeBinScopes(cfg)) {
@@ -139,6 +149,7 @@ export function scanExecSafeBinCoverage(cfg: OpenClawConfig): ExecSafeBinCoverag
return hits;
}
/** Scan configured safeBins that resolve outside trusted binary directories. */
export function scanExecSafeBinTrustedDirHints(
cfg: OpenClawConfig,
): ExecSafeBinTrustedDirHintHit[] {
@@ -167,6 +178,7 @@ export function scanExecSafeBinTrustedDirHints(
return hits;
}
/** Format doctor warnings for safeBins profile coverage and risky semantics. */
export function collectExecSafeBinCoverageWarnings(params: {
hits: ExecSafeBinCoverageHit[];
doctorFixCommand: string;
@@ -222,6 +234,7 @@ export function collectExecSafeBinCoverageWarnings(params: {
return lines;
}
/** Format doctor warnings for safeBins resolved outside trusted directories. */
export function collectExecSafeBinTrustedDirHintWarnings(
hits: ExecSafeBinTrustedDirHintHit[],
): string[] {
@@ -243,6 +256,7 @@ export function collectExecSafeBinTrustedDirHintWarnings(
return lines;
}
/** Scaffold missing custom safeBin profiles and warn on interpreter/risky entries. */
export function maybeRepairExecSafeBinProfiles(cfg: OpenClawConfig): {
config: OpenClawConfig;
changes: string[];

View File

@@ -1,3 +1,4 @@
// Doctor repair for configs that reuse Gateway shared-secret auth as hooks.token.
import { normalizeOptionalString } from "@openclaw/normalization-core/string-coerce";
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
import {
@@ -18,6 +19,7 @@ function activeGatewaySharedSecret(auth: ResolvedGatewayAuth): string {
return "";
}
/** Rotate hooks.token when it matches the active Gateway token/password shared secret. */
export function repairHooksTokenReuseGatewayAuth(
cfg: OpenClawConfig,
env: NodeJS.ProcessEnv = process.env,

View File

@@ -1,3 +1,4 @@
// Doctor quarantine for plugin entries whose config fails plugin-aware validation.
import { sanitizeForLog } from "../../../../packages/terminal-core/src/ansi.js";
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
import { validateConfigObjectWithPlugins } from "../../../config/validation.js";
@@ -35,6 +36,7 @@ function scanInvalidPluginConfig(cfg: OpenClawConfig): InvalidPluginConfigHit[]
return hits;
}
/** Disable plugin entries and clear config when plugin validation marks their config invalid. */
export function maybeRepairInvalidPluginConfig(cfg: OpenClawConfig): {
config: OpenClawConfig;
changes: string[];

View File

@@ -1,6 +1,8 @@
// Top-level legacy config migration runner used before full config validation.
import { applyChannelDoctorCompatibilityMigrations } from "./channel-legacy-config-migrate.js";
import { LEGACY_CONFIG_MIGRATIONS } from "./legacy-config-migrations.js";
/** Apply all legacy doctor migrations to raw config, returning null when nothing changed. */
export function applyLegacyDoctorMigrations(raw: unknown): {
next: Record<string, unknown> | null;
changes: string[];

View File

@@ -1,3 +1,4 @@
// Shared base compatibility normalizers reused by core and plugin setup migrations.
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
import {
normalizeLegacyBrowserConfig,
@@ -15,6 +16,7 @@ import { migrateLegacyWebFetchConfig } from "./legacy-web-fetch-migrate.js";
import { migrateLegacyWebSearchConfig } from "./legacy-web-search-migrate.js";
import { migrateLegacyXSearchConfig } from "./legacy-x-search-migrate.js";
/** Run common compatibility migrations before caller-specific setup/channel passes. */
export function normalizeBaseCompatibilityConfigValues(
cfg: OpenClawConfig,
changes: string[],

View File

@@ -1,3 +1,4 @@
// Core doctor compatibility migration pipeline for current config objects.
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
import { runPluginSetupConfigMigrations } from "../../../plugins/setup-registry.js";
import { normalizeAgentId } from "../../../routing/session-key.js";
@@ -42,6 +43,7 @@ function pruneBindingsForMissingAgents(cfg: OpenClawConfig, changes: string[]):
};
}
/** Normalize current config through core, plugin setup, channel, and secret-ref migrations. */
export function normalizeCompatibilityConfigValues(cfg: OpenClawConfig): {
config: OpenClawConfig;
changes: string[];