



















@@ -18,12 +18,13 @@ report drift through `doctor --lint`. The final conformance signal is a clean
1818instead of creating a separate health gate.
19192020Policy currently manages configured channels, MCP servers, model providers,
21-network SSRF posture, Gateway exposure posture, agent workspace posture,
21+network SSRF posture, ingress/channel access posture, Gateway exposure posture, agent workspace posture,
2222OpenClaw config secret provider/auth profile posture, and governed tool
2323declarations. For example, IT or a workspace operator can record that Telegram
2424is not an approved channel provider, restrict MCP servers and model refs to
2525approved entries, require private-network fetch/browser access to remain
26-disabled, require Gateway bind/auth/HTTP exposure to stay within reviewed
26+disabled, require direct-message session isolation and channel ingress posture
27+to stay within reviewed bounds, require Gateway bind/auth/HTTP exposure to stay within reviewed
2728bounds, require agent workspace access and tool denies to stay in a reviewed
2829posture, require OpenClaw config SecretRefs to use managed providers, require
2930config auth profiles to carry provider/mode metadata, require governed tools to
@@ -49,9 +50,9 @@ arbitrary plugins. The plugin remains enabled if `policy.jsonc` is missing, so
4950doctor can report the missing artifact.
50515152Policy is authored, not generated from the user's current settings. A minimal
52-policy for channels, MCP servers, model providers, network posture, Gateway
53-exposure, agent workspace posture, OpenClaw config secret provider/auth profile
54-posture, and tool metadata looks like this:
53+policy for channels, MCP servers, model providers, network posture, ingress/channel access, Gateway
54+exposure, agent workspace posture, configured sandbox runtime posture, OpenClaw
55+config secret provider/auth profile posture, and tool metadata looks like this:
55565657```jsonc
5758{
@@ -81,6 +82,16 @@ posture, and tool metadata looks like this:
8182"allow": false,
8283 },
8384 },
85+"ingress": {
86+"session": {
87+"requireDmScope": "per-channel-peer",
88+ },
89+"channels": {
90+"allowDmPolicies": ["pairing", "allowlist", "disabled"],
91+"denyOpenGroups": true,
92+"requireMentionInGroups": true,
93+ },
94+ },
8495"gateway": {
8596"exposure": {
8697"allowNonLoopbackBind": false,
@@ -142,8 +153,9 @@ posture, and tool metadata looks like this:
142153The rules are the authority. A category block is only a namespace; checks run
143154when a concrete rule is present. OpenClaw reads current `channels.*` settings
144155`mcp.servers.*`, `models.providers.*`, selected agent model refs, network SSRF
145-settings, Gateway bind/auth/Control UI/Tailscale/remote/HTTP posture, OpenClaw
146-config agent sandbox workspace access and tool deny posture, config secret
156+settings, direct-message session scope, channel DM policy, channel group policy,
157+channel/group mention gates, Gateway bind/auth/Control UI/Tailscale/remote/HTTP
158+posture, OpenClaw config agent sandbox workspace access and tool deny posture, config secret
147159provider and SecretRef provenance, config auth profile metadata, configured
148160global/per-agent tool posture, and `TOOLS.md` declarations as evidence, then
149161reports observed state that does not conform. If a policy denies non-loopback
@@ -180,11 +192,12 @@ its own finding against the same observed config.
180192181193#### Scoped overlays
182194183-Use `scopes.<scopeName>` when one set of agents needs stricter policy than the
184-top-level baseline. Scopes require the `agentIds` selector, which supports
185-`tools.*`, `agents.workspace.*`, and `sandbox.*`. Unsupported sections are
186-rejected instead of being ignored. If an `agentIds` entry is not present in
187-`agents.list[]`, OpenClaw evaluates the scoped rule against inherited
195+Use `scopes.<scopeName>` when one set of agents or channels needs stricter
196+policy than the top-level baseline. Agent-scoped sections use `agentIds`, which
197+supports `tools.*`, `agents.workspace.*`, and `sandbox.*`. Channel-scoped
198+ingress uses `channelIds`, which supports `ingress.channels.*`. Unsupported
199+sections are rejected instead of being ignored. If an `agentIds` entry is not
200+present in `agents.list[]`, OpenClaw evaluates the scoped rule against inherited
188201global/default posture for that runtime agent id.
189202190203```jsonc
@@ -230,6 +243,16 @@ global/default posture for that runtime agent id.
230243 },
231244 },
232245 },
246+"telegram-ingress": {
247+"channelIds": ["telegram"],
248+"ingress": {
249+"channels": {
250+"allowDmPolicies": ["pairing"],
251+"denyOpenGroups": true,
252+"requireMentionInGroups": true,
253+ },
254+ },
255+ },
233256 },
234257}
235258```
@@ -248,9 +271,13 @@ passing. Use separate `agentIds` scopes for agent groups that use different
248271sandbox backends, and leave unsupported container rules unset or false for the
249272groups where those fields cannot be observed.
250273251-| Selector | Supported sections | Use when |
252-| ---------- | ------------------------------------------ | ----------------------------------------------- |
253-| `agentIds` | `tools`, `agents.workspace`, and `sandbox` | One or more runtime agents need stricter rules. |
274+Top-level `ingress.session.requireDmScope` remains global because
275+`session.dmScope` is not channel-attributable evidence.
276+277+| Selector | Supported sections | Use when |
278+| ------------ | ------------------------------------------ | ------------------------------------------------- |
279+| `agentIds` | `tools`, `agents.workspace`, and `sandbox` | One or more runtime agents need stricter rules. |
280+| `channelIds` | `ingress.channels` | One or more channels need stricter ingress rules. |
254281255282Every scope present in `policy.jsonc` must be valid and enforceable.
256283@@ -281,6 +308,15 @@ Every scope present in `policy.jsonc` must be valid and enforceable.
281308| ------------------------------ | ----------------------------------- | ------------------------------------------------------------------ |
282309| `network.privateNetwork.allow` | Private-network SSRF escape hatches | Set to `false` to require private-network access to stay disabled. |
283310311+#### Ingress and channel access
312+313+| Policy field | Observed state | Use when |
314+| ----------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------ |
315+| `ingress.session.requireDmScope` | `session.dmScope` | Require a reviewed direct-message isolation scope. |
316+| `ingress.channels.allowDmPolicies` | `channels.*.dmPolicy` and legacy channel DM policy fields | Allow only reviewed direct-message channel policies. |
317+| `ingress.channels.denyOpenGroups` | Channel, account, and group ingress policy | Deny open group ingress for configured channels and accounts. |
318+| `ingress.channels.requireMentionInGroups` | Channel, account, group, guild, and nested mention gate config | Require mention gates when group ingress is open or mention-gated. |
319+284320#### Gateway
285321286322| Policy field | Observed state | Use when |
@@ -617,6 +653,10 @@ Policy currently verifies:
617653| `policy/models-denied-provider` | A configured model provider or model ref uses a denied provider. |
618654| `policy/models-unapproved-provider` | A configured model provider or model ref is outside the allowlist. |
619655| `policy/network-private-access-enabled` | A private-network SSRF escape hatch is enabled when policy denies it. |
656+| `policy/ingress-dm-policy-unapproved` | A channel DM policy is outside the policy allowlist. |
657+| `policy/ingress-dm-scope-unapproved` | `session.dmScope` does not match the policy-required DM isolation scope. |
658+| `policy/ingress-open-groups-denied` | A channel group policy is `open` while policy denies open group ingress. |
659+| `policy/ingress-group-mention-required` | A channel or group entry disables mention gates while policy requires them. |
620660| `policy/gateway-non-loopback-bind` | Gateway bind posture permits non-loopback exposure when policy denies it. |
621661| `policy/gateway-auth-disabled` | Gateway authentication is disabled when policy requires auth. |
622662| `policy/gateway-rate-limit-missing` | Gateway auth rate-limit posture is not explicit when policy requires it. |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。