
























@@ -856,12 +856,9 @@ Set a token so **all** WS clients must authenticate:
856856857857Doctor can generate one for you: `openclaw doctor --generate-gateway-token`.
858858859-Note: `gateway.remote.token` / `.password` are client credential sources. They
860-do **not** protect local WS access by themselves.
861-Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*`
862-is unset.
863-If `gateway.auth.token` / `gateway.auth.password` is explicitly configured via
864-SecretRef and unresolved, resolution fails closed (no remote fallback masking).
859+<Note>
860+`gateway.remote.token` and `gateway.remote.password` are client credential sources. They do **not** protect local WS access by themselves. Local call paths can use `gateway.remote.*` as fallback only when `gateway.auth.*` is unset. If `gateway.auth.token` or `gateway.auth.password` is explicitly configured via SecretRef and unresolved, resolution fails closed (no remote fallback masking).
861+</Note>
865862Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`.
866863Plaintext `ws://` is loopback-only by default. For trusted private-network
867864paths, set `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` on the client process as
@@ -1092,9 +1089,9 @@ Two complementary approaches:
10921089- **Run the full Gateway in Docker** (container boundary): [Docker](/install/docker)
10931090- **Tool sandbox** (`agents.defaults.sandbox`, host gateway + sandbox-isolated tools; Docker is the default backend): [Sandboxing](/gateway/sandboxing)
109410911095-Note: to prevent cross-agent access, keep `agents.defaults.sandbox.scope` at `"agent"` (default)
1096-or `"session"` for stricter per-session isolation. `scope: "shared"` uses a
1097-single container/workspace.
1092+<Note>
1093+To prevent cross-agent access, keep `agents.defaults.sandbox.scope` at `"agent"` (default) or `"session"` for stricter per-session isolation. `scope: "shared"` uses a single container or workspace.
1094+</Note>
1098109510991096Also consider agent workspace access inside the sandbox:
11001097@@ -1103,7 +1100,9 @@ Also consider agent workspace access inside the sandbox:
11031100- `agents.defaults.sandbox.workspaceAccess: "rw"` mounts the agent workspace read/write at `/workspace`
11041101- Extra `sandbox.docker.binds` are validated against normalized and canonicalized source paths. Parent-symlink tricks and canonical home aliases still fail closed if they resolve into blocked roots such as `/etc`, `/var/run`, or credential directories under the OS home.
110511021106-Important: `tools.elevated` is the global baseline escape hatch that runs exec outside the sandbox. The effective host is `gateway` by default, or `node` when the exec target is configured to `node`. Keep `tools.elevated.allowFrom` tight and don’t enable it for strangers. You can further restrict elevated per agent via `agents.list[].tools.elevated`. See [Elevated Mode](/tools/elevated).
1103+<Warning>
1104+`tools.elevated` is the global baseline escape hatch that runs exec outside the sandbox. The effective host is `gateway` by default, or `node` when the exec target is configured to `node`. Keep `tools.elevated.allowFrom` tight and do not enable it for strangers. You can further restrict elevated per agent via `agents.list[].tools.elevated`. See [Elevated mode](/tools/elevated).
1105+</Warning>
1107110611081107### Sub-agent delegation guardrail
11091108此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。