@@ -18,15 +18,17 @@ report drift through `doctor --lint`. The final conformance signal is a clean
1818instead of creating a separate health gate.
19192020Policy currently manages configured channels, MCP servers, model providers,
21-network SSRF posture, Gateway exposure posture, OpenClaw config secret
22-provider/auth profile posture, and governed tool declarations. For example, IT
23-or a workspace operator can record that Telegram is not an approved channel
24-provider, restrict MCP servers and model refs to approved entries, require
25-private-network fetch/browser access to remain disabled, require Gateway
26-bind/auth/HTTP exposure to stay within reviewed bounds, require OpenClaw config
27-SecretRefs to use managed providers, require config auth profiles to carry
28-provider/mode metadata, require governed tools to carry risk and sensitivity
29-metadata, then use `doctor --lint` as the shared conformance gate.
21+network SSRF posture, Gateway exposure posture, agent workspace posture,
22+OpenClaw config secret provider/auth profile posture, and governed tool
23+declarations. For example, IT or a workspace operator can record that Telegram
24+is not an approved channel provider, restrict MCP servers and model refs to
25+approved entries, require private-network fetch/browser access to remain
26+disabled, require Gateway bind/auth/HTTP exposure to stay within reviewed
27+bounds, require agent workspace access and tool denies to stay in a reviewed
28+posture, require OpenClaw config SecretRefs to use managed providers, require
29+config auth profiles to carry provider/mode metadata, require governed tools to
30+carry risk and sensitivity metadata, then use `doctor --lint` as the shared
31+conformance gate.
30323133Use policy when a workspace needs a durable statement such as "these channels
3234must not be enabled" or "governed tools must declare approval metadata" and a
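Review bot: the new example item "require agent workspace access and tool denies to stay in a reviewed posture" is vaguer than its neighbours, each of which names the concrete setting being pinned; say what the rule constrains, e.g. "require sandbox `workspaceAccess` to stay `none` or `ro` and require shell/file-mutation tools to be denied", so a reader can map the sentence to a rule before reaching the example policy.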
@@ -48,8 +50,8 @@ doctor can report the missing artifact.
48504951Policy is authored, not generated from the user's current settings. A minimal
5052policy for channels, MCP servers, model providers, network posture, Gateway
51-exposure, OpenClaw config secret provider/auth profile posture, and tool
52-metadata looks like this:
53+exposure, agent workspace posture, OpenClaw config secret provider/auth profile
54+posture, and tool metadata looks like this:
53555456```jsonc
5557{
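Review bot: this category enumeration now appears three times on the page (the "Policy currently manages" sentence, this intro, and the evidence sentence under "The rules are the authority"), and every new category has to be threaded through all three in the same order; keep one canonical list and have the others refer to it, or at least keep the wording identical, since this hunk says "agent workspace posture" while the evidence sentence later in the patch says "agent sandbox workspace access and tool deny posture".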
@@ -99,6 +101,12 @@ metadata looks like this:
99101"requireUrlAllowlists": true,
100102 },
101103 },
104+"agents": {
105+"workspace": {
106+"allowedAccess": ["none", "ro"],
107+"denyTools": ["exec", "process", "write", "edit", "apply_patch"],
108+ },
109+ },
102110"secrets": {
103111"requireManagedProviders": true,
104112"denySources": ["exec"],
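Review bot: `denyTools` reads as "tools this policy denies", but per the check table it means "tools the config must already deny"; since the block is `jsonc`, put a comment on the `"denyTools"` line saying so, and a comment on `"allowedAccess"` stating that the values are compared against the sandbox `workspaceAccess` setting and that `rw` (the value rejected in the finding example) is what this list excludes.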
@@ -120,11 +128,17 @@ The rules are the authority. A category block is only a namespace; checks run
120128when a concrete rule is present. OpenClaw reads current `channels.*` settings
121129`mcp.servers.*`, `models.providers.*`, selected agent model refs, network SSRF
122130settings, Gateway bind/auth/Control UI/Tailscale/remote/HTTP posture, OpenClaw
123-config secret provider and SecretRef provenance, config auth profile metadata,
124-and `TOOLS.md` declarations as evidence, then reports observed state that does
125-not conform. If a policy denies non-loopback Gateway binds, omit `gateway.bind`
126-only when you are willing to review the runtime default; set
127-`gateway.bind=loopback` for strict config conformance. Secret evidence records
131+config agent sandbox workspace access and tool deny posture, config secret
132+provider and SecretRef provenance, config auth profile metadata, and `TOOLS.md`
133+declarations as evidence, then reports observed state that does not conform. If
134+a policy denies non-loopback Gateway binds, omit `gateway.bind` only when you
135+are willing to review the runtime default; set `gateway.bind=loopback` for
136+strict config conformance. For read-only agent posture, configure sandbox mode
137+on the applicable defaults or agent and set `workspaceAccess` to `none` or
138+`ro`; omitted or `off` sandbox mode does not satisfy a read-only/no-write
139+policy. `agents.workspace.denyTools` supports `exec`, `process`, `write`,
140+`edit`, and `apply_patch`; OpenClaw config `group:fs` covers file mutation tools
141+and `group:runtime` covers shell/process tools. Secret evidence records
128142provider/source posture and SecretRef metadata, never raw secret values. Policy
129143does not read or attest per-agent credential stores such as `auth-profiles.json`;
130144those stores remain owned by the existing auth and credential flows.
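Review bot: the group sentence stops short of what an operator needs: whether a `tools.deny` entry of `group:fs` satisfies a policy `denyTools` entry of `write`, `edit` or `apply_patch`, and whether `group:runtime` satisfies `exec` and `process`. As written ("`group:fs` covers file mutation tools") it describes the groups without saying the check accepts them; state explicitly that a group deny counts, or that only the literal tool name does. Likewise "configure sandbox mode on the applicable defaults or agent" names no accepted value while the evidence example only shows `"sandboxMode": "all"`; list which modes satisfy the rule next to the `off`/omitted exclusion.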
@@ -270,6 +284,28 @@ Example JSON output:
270284"explicit": true
271285 }
272286 ],
287+"agentWorkspace": [
288+ {
289+"id": "agents-defaults-workspace-access",
290+"kind": "workspaceAccess",
291+"source": "oc://openclaw.config/agents/defaults/sandbox/workspaceAccess",
292+"scope": "defaults",
293+"value": "ro",
294+"sandboxMode": "all",
295+"sandboxModeSource": "oc://openclaw.config/agents/defaults/sandbox/mode",
296+"sandboxEnabled": true,
297+"explicit": true
298+ },
299+ {
300+"id": "agents-defaults-tool-exec",
301+"kind": "toolDeny",
302+"source": "oc://openclaw.config/tools/deny",
303+"scope": "defaults",
304+"tool": "exec",
305+"denied": true,
306+"explicit": true
307+ }
308+ ],
273309"secrets": [
274310 {
275311"id": "vault",
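Review bot: the `agentWorkspace` array becomes a hash input (per the paragraph added later in this patch), so its ordering must be deterministic; the example shows a single `toolDeny` record for `exec` while the policy example lists five tools, so document that one record is emitted per `denyTools` entry in a fixed order (policy order or sorted), and that per-agent `scope` values beyond `defaults` are emitted in a fixed order too, otherwise reordering a list changes `expectedAttestationHash` with no change in posture.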
@@ -306,7 +342,7 @@ Example JSON output:
306342 }
307343 ]
308344 },
309-"checksRun": 28,
345+"checksRun": 30,
310346"checksSkipped": 0,
311347"findings": []
312348}
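Review bot: `checksRun` moves from 28 to 30 while the example policy adds two rules but five `denyTools` entries and two `allowedAccess` values; say in the surrounding text whether `checksRun` counts rules (here +2) or individual tool/access evaluations, since operators compare this number across runs to spot skipped checks.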
@@ -339,6 +375,10 @@ If policy rules change intentionally, update both accepted hashes from a clean
339375check. If workspace settings change intentionally but policy stays the same,
340376only `expectedAttestationHash` usually changes.
341377378+Enabling or upgrading `agents.workspace` rules adds `agentWorkspace` evidence to
379+the workspace hash and attestation hash. Operators should review the new
380+evidence and refresh accepted attestation hashes after enabling these rules.
381+342382`openclaw policy watch` runs the same check repeatedly and reports when the
343383current evidence no longer matches `expectedAttestationHash`:
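Review bot: "refresh accepted attestation hashes" contradicts the paragraph just above, which says that when policy rules change intentionally both accepted hashes must be updated; enabling `agents.workspace` rules is a policy change, so the policy hash moves as well as `expectedAttestationHash`. Say "update both accepted hashes from a clean check" here, and reserve "only `expectedAttestationHash` usually changes" for the case where the rules already existed and only the sandbox or `tools.deny` settings changed.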
344384@@ -374,6 +414,8 @@ Policy currently verifies:
374414| `policy/gateway-remote-enabled` | Gateway remote mode is active when policy denies it. |
375415| `policy/gateway-http-endpoint-enabled` | A Gateway HTTP API endpoint is enabled while denied by policy. |
376416| `policy/gateway-http-url-fetch-unrestricted` | Gateway HTTP URL-fetch input lacks a required URL allowlist. |
417+| `policy/agents-workspace-access-denied` | Agent sandbox mode or workspace access is outside the policy allowlist. |
418+| `policy/agents-tool-not-denied` | An agent or default config does not deny a tool required by policy. |
377419| `policy/secrets-unmanaged-provider` | A config SecretRef references a provider not declared under `secrets.providers`. |
378420| `policy/secrets-denied-provider-source` | A config secret provider or SecretRef uses a source denied by policy. |
379421| `policy/secrets-insecure-provider` | A secret provider opts into insecure posture when policy denies it. |
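Review bot: "does not deny a tool required by policy" can be read as the policy requiring the tool; reword the `policy/agents-tool-not-denied` row to "does not deny a tool that policy requires to be denied". In the `policy/agents-workspace-access-denied` row, "outside the policy allowlist" should also say that an omitted or `off` sandbox mode triggers it, as the prose earlier in this patch states, since that is the case operators are most likely to hit.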
@@ -483,6 +525,21 @@ Example Gateway exposure finding:
483525}
484526```
485527528+Example agent workspace finding:
529+530+```json
531+{
532+"checkId": "policy/agents-workspace-access-denied",
533+"severity": "error",
534+"message": "agents.defaults sandbox workspaceAccess 'rw' is not allowed by policy.",
535+"source": "policy",
536+"path": "openclaw config",
537+"ocPath": "oc://openclaw.config/agents/defaults/sandbox/workspaceAccess",
538+"target": "oc://openclaw.config/agents/defaults/sandbox/workspaceAccess",
539+"requirement": "oc://policy.jsonc/agents/workspace/allowedAccess"
540+}
541+```
542+486543## Repair
487544488545`doctor --lint` and `policy check` are read-only.
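Review bot: the example only shows the straightforward `rw` rejection; the non-obvious failure described earlier in this patch (sandbox mode omitted or `off` while `workspaceAccess` looks read-only) is the one that will surprise operators, so add or at least describe the message emitted for that case and say whether `ocPath` then points at `.../sandbox/mode` rather than `.../sandbox/workspaceAccess`. Also `ocPath` and `target` carry the same URI while `path` is the display label "openclaw config"; if all three are intended, note which one tooling should key on.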