mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-14 15:36:07 +00:00
* refactor(sessions): migrate runtime storage to sqlite * test(sessions): fix sqlite CI regressions * test(sessions): align remaining sqlite fixtures * fix(codex): require sqlite trajectory recorder * test(sessions): align orphan recovery sqlite fixture * test(sessions): align sqlite rebase fixtures * fix(sessions): finish current-main integration of the sqlite flip Resolve the whole-store SDK removal across its owner boundary: drop the loadSessionStore re-export and the registry whole-store wrappers, wire hasTrackedActiveSessionRun into gateway chat, complete the preserveLockedHarnessIds cleanup contract, flip the codex thread-history import to storePath targets, and port remaining main-side tests from file-store helpers to session accessor reads. * chore: drop committed pebbles log, revert plugin-inspector bump, refresh generated docs Remove the 1.8k-line .pebbles/events.jsonl work log from the branch, restore the plugin-inspector advisory lane to main's pinned 0.3.10 so the supply-chain bump gets its own review, and regenerate docs_map, the plugin SDK API baseline, and the export-surface ratchet for the merged tree. * feat(sessions): keep archived transcripts by default with zstd cold storage Codex-style retention: deleting or resetting a session archives its transcript as a zstd-compressed JSONL artifact (plain when the runtime lacks node:zlib zstd) and keeps it until the disk budget evicts oldest first. resetArchiveRetention now governs both deleted and reset archives and defaults to keep; maxDiskBytes defaults to 2gb so retention stays bounded, with archives evicted before live sessions. The cron reaper follows the same knob instead of deleting archives on its own timer. * fix(state): converge agent DB migration lineages and bound database growth Merge coherence: run both structure-gated legacy memory-schema repairs (flip-lineage drop, main-lineage identity rebuild) before the flip migration so pre-flip v1/v2 and pre-merge flip v1/v4 databases all converge, and hoist foreign_keys=OFF outside the schema transaction where the pragma was silently ignored and the v1 sessions rebuild cascade-deleted session_entries. Growth guards: fresh agent DBs enable auto_vacuum=INCREMENTAL, WAL maintenance releases freed pages in bounded passes (never a blocking full VACUUM), and doctor reports state/agent DB bloat from freelist stats. * fix(codex): resolve the store path for thread-history import via the SDK The supervision catalog passed the legacy sessionFile locator to the storePath-targeted transcript mirror; resolve the agent store path with the session-store SDK helper instead of a runtime-object seam so test fakes and headless callers need no extra surface. Drop the obsolete missing-session-id preprocessing case: sessions rows are NOT NULL on session_id and upsert repairs id-less patches at write time. * fix(sessions): fail safe on malformed disk-budget config and doctor stat errors A malformed explicit maxDiskBytes disables the budget instead of falling back to the destructive 2gb default the user never chose, and the doctor bloat check skips databases whose paths stat-fail instead of aborting doctor. * fix(sessions): complete sqlite conflict translations * test(sqlite): align hardening checks with maintenance * test(sessions): inspect compressed transcript archives * fix(tests): await session seeds and drop unused helpers flagged by CI lint The five unawaited writeSessionStoreSeed calls raced their SQLite seeds against the assertions, failing compact shards; the bloat probe drops a useless initializer and the merged tests drop now-unused helpers. * test(sessions): type legacy proof events directly * test(sessions): align hardening contracts * perf(sessions): read usage transcript sizes from SQL aggregates Usage/cost scans walked every session and materialized every transcript event just to re-stringify it for a byte estimate — the #86718 stall class reborn on the DB. readTranscriptStatsSync sums stored JSON bytes in SQLite without loading a single row. * fix(sessions): re-root foreign-root transcript paths onto the current sessions dir Restored backups, moved OPENCLAW_STATE_DIR, and rehearsal copies carry absolute sessionFile paths from the old root; the containment fallback kept those foreign paths, so migration read (and would archive) files in the original root and reported local copies missing. Re-root the canonical agents/<id>/sessions suffix onto the current dir when the file exists there; genuine cross-root layouts still fall through unchanged. * test(agents): seed harness admission through sqlite * fix(sqlite): close agent db on pragma setup failure * fix(doctor): compact and retrofit incremental auto-vacuum after session import The migration is the sanctioned offline window: post-import compact reclaims import churn and applies auto_vacuum=INCREMENTAL to databases created before the fresh-DB pragma existed, so runtime maintenance can release pages in bounded passes on every install. --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
142 lines
7.8 KiB
Markdown
142 lines
7.8 KiB
Markdown
---
|
|
summary: "CLI reference for `openclaw security` (audit and fix common security footguns)"
|
|
read_when:
|
|
- You want to run a quick security audit on config/state
|
|
- You want to apply safe "fix" suggestions (permissions, tighten defaults)
|
|
title: "Security"
|
|
---
|
|
|
|
# `openclaw security`
|
|
|
|
Security tools: audit plus optional safe fixes. Related: [Security](/gateway/security).
|
|
|
|
```bash
|
|
openclaw security audit
|
|
openclaw security audit --deep
|
|
openclaw security audit --deep --password <password>
|
|
openclaw security audit --deep --token <token>
|
|
openclaw security audit --auth password --password <password>
|
|
openclaw security audit --fix
|
|
openclaw security audit --json
|
|
```
|
|
|
|
## Audit modes
|
|
|
|
Plain `security audit` stays on the cold config/filesystem/read-only path: it does not discover plugin runtime security collectors, so routine audits do not load every installed plugin runtime. `--deep` adds best-effort live Gateway probes and plugin-owned security audit collectors (explicit internal callers may also opt into those collectors when they already have an appropriate runtime scope).
|
|
|
|
If Gateway password auth is supplied only at startup, pass the same value with `--auth password --password <password>` so the audit can check it against `hooks.token`.
|
|
|
|
## What it checks
|
|
|
|
**DM/trust model**
|
|
|
|
- Warns when multiple DM senders share the main session and recommends secure DM mode: `session.dmScope="per-channel-peer"` (or `per-account-channel-peer` for multi-account channels) for shared inboxes. This is cooperative/shared-inbox hardening, not isolation for mutually untrusted operators; split trust boundaries with separate gateways (or separate OS users/hosts) for that.
|
|
- Emits `security.trust_model.multi_user_heuristic` when config suggests likely shared-user ingress (for example open DM/group policy, configured group targets, or wildcard sender rules) — OpenClaw's default trust model is personal-assistant (one operator), not hostile multi-tenant isolation. For intentional shared-user setups: sandbox all sessions, keep filesystem access workspace-scoped, and keep personal/private identities or credentials off that runtime.
|
|
- Warns when small models (`<=300B` parameters) are used without sandboxing and with web/browser tools enabled.
|
|
|
|
**Webhook/hooks**
|
|
|
|
Startup logs a non-fatal security warning, and audit flags `hooks.token` reuse of active Gateway shared-secret auth values (`gateway.auth.token` / `OPENCLAW_GATEWAY_TOKEN`, `gateway.auth.password` / `OPENCLAW_GATEWAY_PASSWORD`). Also warns when:
|
|
|
|
- `hooks.token` is short
|
|
- `hooks.path="/"`
|
|
- `hooks.defaultSessionKey` is unset
|
|
- `hooks.allowedAgentIds` is unrestricted
|
|
- request `sessionKey` overrides are enabled
|
|
- overrides are enabled without `hooks.allowedSessionKeyPrefixes`
|
|
|
|
Run `openclaw doctor --fix` to rotate a persisted reused `hooks.token`, then update external hook senders to use the new token.
|
|
|
|
**Sandbox/tools**
|
|
|
|
- Warns when sandbox Docker settings are configured while sandbox mode is off.
|
|
- Warns when `gateway.nodes.denyCommands` uses ineffective pattern-like/unknown entries (matching is exact node command-name only, not shell-text filtering).
|
|
- Warns when `gateway.nodes.allowCommands` explicitly enables dangerous node commands.
|
|
- Warns when global `tools.profile="minimal"` is overridden by agent tool profiles.
|
|
- Warns when write/edit tools are disabled but `exec` is still available without a constraining sandbox filesystem boundary.
|
|
- Warns when open DMs or groups expose runtime/filesystem tools without sandbox/workspace guards.
|
|
- Warns when installed plugin tools may be reachable under permissive tool policy.
|
|
|
|
**Sandbox browser**
|
|
|
|
- Warns when sandbox browser uses Docker `bridge` network without `sandbox.browser.cdpSourceRange`.
|
|
- Flags dangerous sandbox Docker network modes, including `host` and `container:*` namespace joins.
|
|
- Warns when existing sandbox browser Docker containers have missing/stale hash labels (for example pre-migration containers missing `openclaw.browserConfigEpoch`) and recommends `openclaw sandbox recreate --browser --all`.
|
|
|
|
**Network/discovery**
|
|
|
|
- Flags `gateway.allowRealIpFallback=true` (header-spoofing risk if proxies are misconfigured).
|
|
- Flags `discovery.mdns.mode="full"` (metadata leakage via mDNS TXT records).
|
|
- Warns when `gateway.auth.mode="none"` leaves Gateway HTTP APIs reachable without a shared secret (`/tools/invoke` plus any enabled `/v1/*` endpoint).
|
|
|
|
**Plugins/channels**
|
|
|
|
- Warns when npm-based plugin/hook install records are unpinned, missing integrity metadata, or drift from currently installed package versions.
|
|
- Warns when channel allowlists rely on mutable names/emails/tags instead of stable IDs (Discord, Slack, Google Chat, Microsoft Teams, Mattermost, IRC scopes where applicable).
|
|
|
|
Settings prefixed with `dangerous`/`dangerously` are explicit break-glass operator overrides; enabling one is not, by itself, a security vulnerability report. For the complete dangerous-parameter inventory, see "Insecure or dangerous flags summary" in [Security](/gateway/security).
|
|
|
|
## SecretRef behavior
|
|
|
|
`security audit` resolves supported SecretRefs in read-only mode for its targeted paths. If a SecretRef is unavailable in the current command path, audit continues and reports `secretDiagnostics` instead of crashing. `--token` and `--password` only override deep-probe auth for that command invocation; they do not rewrite config or SecretRef mappings.
|
|
|
|
## Suppressions
|
|
|
|
Accept intentional standing findings with `security.audit.suppressions`. Each suppression matches an exact `checkId` and can be narrowed with case-insensitive `titleIncludes` and/or `detailIncludes` substrings:
|
|
|
|
```json
|
|
{
|
|
"security": {
|
|
"audit": {
|
|
"suppressions": [
|
|
{
|
|
"checkId": "plugins.tools_reachable_permissive_policy",
|
|
"detailIncludes": "Enabled extension plugins: gbrain",
|
|
"reason": "trusted local operator plugin"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
Suppressed findings are removed from the active `summary` and `findings` list. JSON output keeps them under `suppressedFindings` for auditability. When suppressions are configured, active output also keeps an unsuppressible `security.audit.suppressions.active` info finding so readers can tell the audit was filtered. Dangerous config flags are emitted one flag per finding, so accepting one dangerous flag does not hide other enabled flags that share the same `config.insecure_or_dangerous_flags` checkId.
|
|
|
|
Because suppressions can hide standing risk, adding or removing them through agent-run shell commands requires exec approval unless exec is already running with `security="full"` and `ask="off"` for trusted local automation.
|
|
|
|
## JSON output
|
|
|
|
```bash
|
|
openclaw security audit --json | jq '.summary'
|
|
openclaw security audit --deep --json | jq '.findings[] | select(.severity=="critical") | .checkId'
|
|
```
|
|
|
|
With `--fix --json`, output includes both fix actions and the final report:
|
|
|
|
```bash
|
|
openclaw security audit --fix --json | jq '{fix: .fix.ok, summary: .report.summary}'
|
|
```
|
|
|
|
## What `--fix` changes
|
|
|
|
Applies safe, deterministic remediations:
|
|
|
|
- flips common `groupPolicy="open"` to `groupPolicy="allowlist"` (including account variants in supported channels)
|
|
- when WhatsApp group policy flips to `allowlist`, seeds `groupAllowFrom` from the stored `allowFrom` file when that list exists and config does not already define `allowFrom`
|
|
- sets `logging.redactSensitive` from `"off"` to `"tools"`
|
|
- tightens permissions for state/config and common sensitive files (`credentials/*.json`, `auth-profiles.json`, `openclaw-agent.sqlite`, and legacy session artifacts)
|
|
- also tightens config include files referenced from `openclaw.json`
|
|
- uses `chmod` on POSIX hosts and `icacls` resets on Windows
|
|
|
|
`--fix` does **not**:
|
|
|
|
- rotate tokens/passwords/API keys
|
|
- disable tools (`gateway`, `cron`, `exec`, etc.)
|
|
- change gateway bind/auth/network exposure choices
|
|
- remove or rewrite plugins/skills
|
|
|
|
## Related
|
|
|
|
- [CLI reference](/cli)
|
|
- [Security audit](/gateway/security)
|