fix(plugins): default bundled discovery to allowlist

Peter Steinberger
2026-05-04 22:46:39 +01:00
parent 55df2d4598
commit b2096d19ec
19 changed files with 185 additions and 77 deletions


@@ -166,7 +166,7 @@ See [MCP](/cli/mcp#openclaw-as-an-mcp-client-registry) and
plugins: {
enabled: true,
allow: ["voice-call"],
bundledDiscovery: "compat",
bundledDiscovery: "allowlist",
deny: [],
load: {
paths: ["~/Projects/oss/voice-call-plugin"],
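Review bot: The example now pairs `allow: ["voice-call"]` with `bundledDiscovery: "allowlist"`, and nothing on that line tells the reader that this combination also gates bundled provider plugins not named in `allow`. Someone copying the block gets the stricter behaviour without seeing why. Since `"allowlist"` is now the documented default, either drop the key from the example or keep it with a short inline comment saying it is the default and that bundled providers must be listed in `allow` to load.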
@@ -188,9 +188,10 @@ See [MCP](/cli/mcp#openclaw-as-an-mcp-client-registry) and
- Discovery accepts native OpenClaw plugins plus compatible Codex bundles and Claude bundles, including manifestless Claude default-layout bundles.
- **Config changes require a gateway restart.**
- `allow`: optional allowlist (only listed plugins load). `deny` wins.
- `bundledDiscovery`: defaults to `"compat"` for legacy bundled provider activation.
Use `"allowlist"` when a non-empty `plugins.allow` should also gate
bundled provider plugins, including web-search runtime providers.
- `bundledDiscovery`: defaults to `"allowlist"` for new configs, so a non-empty
`plugins.allow` also gates bundled provider plugins, including web-search
runtime providers. Doctor writes `"compat"` for migrated legacy allowlist
configs to preserve existing bundled provider behavior until you opt in.
- `plugins.entries.<id>.apiKey`: plugin-level API key convenience field (when supported by the plugin).
- `plugins.entries.<id>.env`: plugin-scoped env var map.
- `plugins.entries.<id>.hooks.allowPromptInjection`: when `false`, core blocks `before_prompt_build` and ignores prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride`. Applies to native plugin hooks and supported bundle-provided hook directories.
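Review bot: The new `bundledDiscovery` bullet says the default is `"allowlist"` "for new configs", but a default only applies when the key is absent, so it is unclear what an existing config with a non-empty `plugins.allow` and no `bundledDiscovery` key gets if doctor has not been run on it. If such a config silently moves from `"compat"` to `"allowlist"` on upgrade, bundled providers (including the web-search runtime providers mentioned here) stop loading after the next gateway restart, and the bullet should say so explicitly. I would also spell out what "until you opt in" means in practice, for example "set `bundledDiscovery: "allowlist"` to opt in", and state that `"compat"` is the less restrictive of the two values so readers know which direction the security trade-off goes.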


@@ -169,9 +169,9 @@ That stages grounded durable candidates into the short-term dreaming store while
Doctor also warns when `plugins.allow` is non-empty and tool policy uses
wildcard or plugin-owned tool entries. `tools.allow: ["*"]` only matches tools
from plugins that actually load; it does not bypass the exclusive plugin
allowlist. If bundled provider discovery is still in legacy compatibility
mode, doctor also points to the stricter `plugins.bundledDiscovery:
"allowlist"` setting.
allowlist. Doctor writes `plugins.bundledDiscovery: "compat"` for migrated
legacy allowlist configs to preserve existing bundled provider behavior, and
then points to the stricter `"allowlist"` setting.
</Accordion>
<Accordion title="2. Legacy config key migrations">
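Review bot: The replacement sentence "Doctor writes `plugins.bundledDiscovery: "compat"` for migrated legacy allowlist configs ... and then points to the stricter `"allowlist"` setting" sits in a paragraph that starts "Doctor also warns when", so it now mixes a config write into a description of warnings without saying when the write happens. Please state the condition under which doctor modifies the config (and whether it ever overwrites an explicit `bundledDiscovery` value), and whether the pointer to `"allowlist"` is shown only right after doctor writes `"compat"` or on every run where `"compat"` is present. The same sentence is repeated almost verbatim in the configuration reference hunk; consider keeping the full explanation in one place and linking to it from the other so the two cannot drift.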