fix: enforce root guard unconditionally on legacy entrypoint

Remove the --help/--version exemption from the legacy entrypoint (src/index.ts). Unlike src/entry.ts which has fast-path exits before startup work, the legacy path always calls runCli() which runs dotenv loading and debug capture initialization before rendering output. The assertNotRoot() error message already shows the OPENCLAW_ALLOW_ROOT=1 escape hatch, so users can still discover the override.
2026-05-18 11:24:47 +00:00 · 2026-04-21 18:10:04 +08:00
parent 690c7aa263
commit 5986c2d013
1 changed files with 7 additions and 5 deletions
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import process from "node:process";
 import { fileURLToPath } from "node:url";
-import { isRootHelpInvocation, isRootVersionInvocation } from "./cli/argv.js";
+
 import { assertNotRoot } from "./cli/root-guard.js";
 import { formatUncaughtError } from "./infra/errors.js";
 import { runFatalErrorHooks } from "./infra/fatal-error-hooks.js";
@@ -52,10 +52,12 @@ export async function runLegacyCliEntry(
  deps?: LegacyCliDeps,
 ): Promise<void> {
  // Block root execution on the legacy path too, matching src/entry.ts.
-  // Allow --help and --version so users can still discover the override env var.
-  if (!isRootHelpInvocation(argv) && !isRootVersionInvocation(argv)) {
-    assertNotRoot();
-  }
+  // Unlike entry.ts (which has fast-path help/version exits before startup),
+  // this path always calls runCli() which runs startup work (dotenv loading,
+  // debug capture init) before rendering help/version output.  Block
+  // unconditionally — the assertNotRoot error message already shows the
+  // OPENCLAW_ALLOW_ROOT=1 escape hatch.
+  assertNotRoot();

  const { runCli } = deps ?? (await loadLegacyCliDeps());
  await runCli(argv);