From 5986c2d013417a992d31586af8cc808fff63b9c8 Mon Sep 17 00:00:00 2001
From: Jerry-Xin
Date: Tue, 21 Apr 2026 18:10:04 +0800
Subject: [PATCH] fix: enforce root guard unconditionally on legacy entrypoint
Remove the --help/--version exemption from the legacy entrypoint (src/index.ts). Unlike src/entry.ts which has fast-path exits before startup work, the legacy path always calls runCli() which runs dotenv loading and debug capture initialization before rendering output. The assertNotRoot() error message already shows the OPENCLAW_ALLOW_ROOT=1 escape hatch, so users can still discover the override.
---
 src/index.ts | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index 2a714f47c39..00f89758418 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import process from "node:process";
 import { fileURLToPath } from "node:url";
-import { isRootHelpInvocation, isRootVersionInvocation } from "./cli/argv.js";
+
 import { assertNotRoot } from "./cli/root-guard.js";
 import { formatUncaughtError } from "./infra/errors.js";
 import { runFatalErrorHooks } from "./infra/fatal-error-hooks.js";
@@ -52,10 +52,12 @@ export async function runLegacyCliEntry(
 deps?: LegacyCliDeps,
 ): Promise {
 // Block root execution on the legacy path too, matching src/entry.ts.
- // Allow --help and --version so users can still discover the override env var.
- if (!isRootHelpInvocation(argv) && !isRootVersionInvocation(argv)) {
- assertNotRoot();
- }
+ // Unlike entry.ts (which has fast-path help/version exits before startup),
+ // this path always calls runCli() which runs startup work (dotenv loading,
+ // debug capture init) before rendering help/version output. Block
+ // unconditionally — the assertNotRoot error message already shows the
+ // OPENCLAW_ALLOW_ROOT=1 escape hatch.
+ assertNotRoot();
 const { runCli } = deps ?? (await loadLegacyCliDeps());
 await runCli(argv);
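Review bot: No test accompanies the now-unconditional `assertNotRoot()` call in `runLegacyCliEntry` (second hunk); the diffstat lists only src/index.ts, so nothing stops a later edit from reintroducing the `--help`/`--version` exemption that let `runCli()` do its dotenv loading as root. A regression test could call `runLegacyCliEntry` with a `--help` argv and a stub `deps.runCli` under a simulated root user, then assert that the guard fires (throwing or exiting, depending on `./cli/root-guard.js`, which is not shown here) and that the stub was never invoked. As a smaller style point, the first hunk replaces the removed `./cli/argv.js` import with an empty line, which splits the import group; dropping that added blank line keeps the imports contiguous. The body of `runLegacyCliEntry` starts above and ends below the second hunk.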