docs: clarify Crestodian rescue audit metadata

This commit is contained in:
Peter Steinberger
2026-04-26 01:49:06 +01:00
parent 5404bbbb71
commit 57f05128cb

@@ -239,13 +239,13 @@ Security contract for remote rescue:
operation, where the runtime already has unsandboxed local authority.
- Require an explicit owner identity. Rescue must not accept wildcard sender
rules, open group policy, unauthenticated webhooks, or anonymous channels.
- Owner DMs only by default. Group/channel rescue requires explicit opt-in and
should still route approval prompts to the owner DM.
- Owner DMs only by default. Group/channel rescue requires explicit opt-in.
- Remote rescue cannot open the local TUI or switch into an interactive agent
session. Use local `openclaw` for agent handoff.
- Persistent writes still require approval, even in rescue mode.
- Audit every applied rescue operation, including channel, account, sender,
session key, operation, config hash before, and config hash after.
- Audit every applied rescue operation. Message-channel rescue records channel,
account, sender, and source-address metadata. Config-mutating operations also
record config hashes before and after.
- Never echo secrets. SecretRef inspection should report availability, not
values.
- If the Gateway is alive, prefer Gateway typed operations. If the Gateway is
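Review bot: The two versions of the "Audit every applied rescue operation" bullet no longer agree on which fields are mandatory; the enumerated list ("channel, account, sender, session key, operation, config hash before, and config hash after") names session key and operation, while the reworded version ("Message-channel rescue records channel, account, sender, and source-address metadata") drops both. If session key and operation are still recorded, the reworded bullet should say so, since the per-operation audit trail is what lets an operator reconstruct what was applied and under which session. Similarly, the two versions of the "Owner DMs only by default" bullet differ in that one ends with "and should still route approval prompts to the owner DM" and the other omits it; if group/channel rescue no longer routes approval prompts to the owner DM, that is a change to the approval path rather than a clarification and deserves a sentence stating where prompts go, and if it is unchanged the clause should be kept.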