docs: clarify Crestodian rescue audit metadata · openclaw/openclaw@57f0512
steipete
·
2026-04-26
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -239,13 +239,13 @@ Security contract for remote rescue:
|
239 | 239 | operation, where the runtime already has unsandboxed local authority. |
240 | 240 | - Require an explicit owner identity. Rescue must not accept wildcard sender |
241 | 241 | rules, open group policy, unauthenticated webhooks, or anonymous channels. |
242 | | -- Owner DMs only by default. Group/channel rescue requires explicit opt-in and |
243 | | - should still route approval prompts to the owner DM. |
| 242 | +- Owner DMs only by default. Group/channel rescue requires explicit opt-in. |
244 | 243 | - Remote rescue cannot open the local TUI or switch into an interactive agent |
245 | 244 | session. Use local `openclaw` for agent handoff. |
246 | 245 | - Persistent writes still require approval, even in rescue mode. |
247 | | -- Audit every applied rescue operation, including channel, account, sender, |
248 | | - session key, operation, config hash before, and config hash after. |
| 246 | +- Audit every applied rescue operation. Message-channel rescue records channel, |
| 247 | + account, sender, and source-address metadata. Config-mutating operations also |
| 248 | + record config hashes before and after. |
249 | 249 | - Never echo secrets. SecretRef inspection should report availability, not |
250 | 250 | values. |
251 | 251 | - If the Gateway is alive, prefer Gateway typed operations. If the Gateway is |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。