fix: align apply_patch deny policy docs (#76795) · openclaw/openclaw@7857dfa
steipete
·
2026-05-04
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -28,6 +28,7 @@ Docs: https://docs.openclaw.ai
|
28 | 28 | |
29 | 29 | ### Fixes |
30 | 30 | |
| 31 | +- Agents/tools: stop treating `tools.deny: ["write"]` as an implicit `apply_patch` deny; operators who want to block patch writes should deny `apply_patch` or `group:fs` explicitly. Fixes #76749. (#76795) Thanks @Nek-12 and @hclsys. |
31 | 32 | - Gateway/update: recover an installed-but-unloaded macOS LaunchAgent after package updates, rerun Gateway health/version/channel readiness checks, and print restart, reinstall, and rollback guidance before reporting update failure. (#76790) Thanks @jonathanlindsay. |
32 | 33 | - Google Meet: route stateful CLI session commands through the gateway-owned runtime so joined realtime sessions survive after the starting CLI process exits. Fixes #76344. Thanks @coltonharris-wq. |
33 | 34 | - Memory/status: split builtin sqlite-vec store readiness from embedding-provider readiness in `memory status --deep` and `openclaw status`, so local vector-store failures no longer look like provider failures and provider failures no longer hide a healthy local vector store. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -54,6 +54,14 @@ Global tool allow/deny policy (deny wins). Case-insensitive, supports `*` wildca
|
54 | 54 | } |
55 | 55 | ``` |
56 | 56 | |
| 57 | +`write` and `apply_patch` are separate tool ids. `allow: ["write"]` also enables `apply_patch` for compatible models, but `deny: ["write"]` does not deny `apply_patch`. To block all file mutation, deny `group:fs` or list each mutating tool explicitly: |
| 58 | + |
| 59 | +```json5 |
| 60 | +{ |
| 61 | + tools: { deny: ["write", "edit", "apply_patch"] }, |
| 62 | +} |
| 63 | +``` |
| 64 | + |
57 | 65 | ### `tools.byProvider` |
58 | 66 | |
59 | 67 | Further restrict tools for specific providers or models. Order: base profile → provider profile → allow/deny. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -264,6 +264,7 @@ Notes:
|
264 | 264 | |
265 | 265 | - Only available for OpenAI/OpenAI Codex models. |
266 | 266 | - Tool policy still applies; `allow: ["write"]` implicitly allows `apply_patch`. |
| 267 | +- `deny: ["write"]` does not deny `apply_patch`; deny `apply_patch` explicitly or use `deny: ["group:fs"]` when patch writes should also be blocked. |
267 | 268 | - Config lives under `tools.exec.applyPatch`. |
268 | 269 | - `tools.exec.applyPatch.enabled` defaults to `true`; set it to `false` to disable the tool for OpenAI models. |
269 | 270 | - `tools.exec.applyPatch.workspaceOnly` defaults to `true` (workspace-contained). Set it to `false` only if you intentionally want `apply_patch` to write/delete outside the workspace directory. |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -37,8 +37,8 @@ describe("pi-tools.policy", () => {
|
37 | 37 | expect(isToolAllowedByPolicyName("apply_patch", { allow: ["write"] })).toBe(true); |
38 | 38 | }); |
39 | 39 | |
40 | | -it("blocks apply_patch when write is denylisted", () => { |
41 | | -expect(isToolAllowedByPolicyName("apply_patch", { deny: ["write"] })).toBe(false); |
| 40 | +it("keeps apply_patch when write is denylisted", () => { |
| 41 | +expect(isToolAllowedByPolicyName("apply_patch", { deny: ["write"] })).toBe(true); |
42 | 42 | }); |
43 | 43 | }); |
44 | 44 | |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。