fix(exec): include mode in doctor policy warnings · openclaw/openclaw@13926e6
joshavant
·
2026-05-29
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -453,6 +453,33 @@ describe("noteSecurityWarnings gateway exposure", () => {
|
453 | 453 | expect(message).toContain("stricter side wins"); |
454 | 454 | }); |
455 | 455 | |
| 456 | +it("warns when normalized tools.exec mode is broader than host exec defaults", async () => { |
| 457 | +await withExecApprovalsFile( |
| 458 | +{ |
| 459 | +version: 1, |
| 460 | +defaults: { |
| 461 | +security: "allowlist", |
| 462 | +ask: "on-miss", |
| 463 | +}, |
| 464 | +}, |
| 465 | +async () => { |
| 466 | +await noteSecurityWarnings({ |
| 467 | +tools: { |
| 468 | +exec: { |
| 469 | +mode: "full", |
| 470 | +}, |
| 471 | +}, |
| 472 | +} as OpenClawConfig); |
| 473 | +}, |
| 474 | +); |
| 475 | + |
| 476 | +const message = lastMessage(); |
| 477 | +expect(message).toContain("tools.exec is broader than the host exec policy"); |
| 478 | +expect(message).toContain('tools.exec.mode="full"'); |
| 479 | +expect(message).toContain('defaults.security="allowlist"'); |
| 480 | +expect(message).not.toContain("OpenClaw default"); |
| 481 | +}); |
| 482 | + |
456 | 483 | it("attributes broader host policy warnings to wildcard agent entries", async () => { |
457 | 484 | await expectAgentExecHostPolicyWarning("*"); |
458 | 485 | }); |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -9,7 +9,12 @@ import { resolveGatewayAuthTokenSourceConflict } from "../gateway/auth-token-sou
|
9 | 9 | import { resolveGatewayAuth } from "../gateway/auth.js"; |
10 | 10 | import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js"; |
11 | 11 | import { resolveExecPolicyScopeSnapshot } from "../infra/exec-approvals-effective.js"; |
12 | | -import { loadExecApprovals, type ExecAsk, type ExecSecurity } from "../infra/exec-approvals.js"; |
| 12 | +import { |
| 13 | +loadExecApprovals, |
| 14 | +type ExecAsk, |
| 15 | +type ExecMode, |
| 16 | +type ExecSecurity, |
| 17 | +} from "../infra/exec-approvals.js"; |
13 | 18 | import { isLikelySensitiveModelProviderHeaderName } from "../secrets/model-provider-header-policy.js"; |
14 | 19 | import { hasConfiguredPlaintextSecretValue } from "../secrets/secret-value.js"; |
15 | 20 | import { discoverConfigSecretTargets } from "../secrets/target-registry.js"; |
@@ -89,15 +94,17 @@ function collectExecPolicyConflictWarnings(cfg: OpenClawConfig): string[] {
|
89 | 94 | |
90 | 95 | const maybeWarn = (params: { |
91 | 96 | scopeLabel: string; |
92 | | -scopeExecConfig: { security?: ExecSecurity; ask?: ExecAsk } | undefined; |
93 | | -globalExecConfig?: { security?: ExecSecurity; ask?: ExecAsk } | undefined; |
| 97 | +scopeExecConfig: { mode?: ExecMode; security?: ExecSecurity; ask?: ExecAsk } | undefined; |
| 98 | +globalExecConfig?: { mode?: ExecMode; security?: ExecSecurity; ask?: ExecAsk } | undefined; |
94 | 99 | agentId?: string; |
95 | 100 | }) => { |
96 | 101 | const scopeExecConfig = params.scopeExecConfig; |
97 | 102 | const globalExecConfig = params.globalExecConfig; |
98 | 103 | if ( |
| 104 | +!scopeExecConfig?.mode && |
99 | 105 | !scopeExecConfig?.security && |
100 | 106 | !scopeExecConfig?.ask && |
| 107 | +!globalExecConfig?.mode && |
101 | 108 | !globalExecConfig?.security && |
102 | 109 | !globalExecConfig?.ask |
103 | 110 | ) { |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。