Skip to content

fix: route all four hardcoded ~/.openclaw paths through OPENCLAW_STATE_DIR#354

Merged
jalehman merged 3 commits into
mainfrom
copilot/fix-hardcoded-openclaw-paths
Apr 10, 2026
Merged

fix: route all four hardcoded ~/.openclaw paths through OPENCLAW_STATE_DIR#354
jalehman merged 3 commits into
mainfrom
copilot/fix-hardcoded-openclaw-paths

Conversation

Copilot AI commented Apr 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Four call sites in engine.ts and plugin/index.ts hardcoded ~/.openclaw/… via homedir(), bypassing OPENCLAW_STATE_DIR. On multi-profile hosts this causes the non-default gateway to open file handles on the default profile's lcm.db, write large-file payloads into the wrong state dir, and silently resolve auth/secrets from the wrong profile.

Changes

src/db/config.ts — new helper + new config field

  • Exports resolveOpenclawStateDir(env): returns env.OPENCLAW_STATE_DIR ?? join(homedir(), ".openclaw")
  • Adds largeFilesDir: string to LcmConfig, resolved as LCM_LARGE_FILES_DIR ?? pc.largeFilesDir ?? join(stateDir, "lcm-files")
  • databasePath fallback now uses resolveOpenclawStateDir(env) instead of bare homedir()

src/engine.ts — large-file storage (worst offender)

  • storeLargeFileContent now writes to this.config.largeFilesDir instead of the hardcoded join(homedir(), ".openclaw", "lcm-files", …)

src/plugin/index.ts — auth & secrets

  • PluginEnvSnapshot gains stateDir (populated via resolveOpenclawStateDir)
  • resolveAuthStorePaths: candidate path uses stateDir instead of join(home, ".openclaw", "agents/main/agent/auth-profiles.json")
  • resolveSecretRef: legacy secrets.json path uses stateDir instead of join(home, ".openclaw", "secrets.json")
  • Startup banner now logs the resolved state dir once ([lcm] State dir: …), making profile mismatches immediately visible in logs

Tests & docs

  • 12 new tests covering resolveOpenclawStateDir precedence and largeFilesDir resolution
  • openclaw.plugin.json schema, docs/configuration.md, and skills/lossless-claw/references/config.md updated with OPENCLAW_STATE_DIR, largeFilesDir, and LCM_LARGE_FILES_DIR

Copilot AI linked an issue Apr 10, 2026 that may be closed by this pull request
Four hardcoded ~/.openclaw paths bypass OPENCLAW_STATE_DIR on multi-profile hosts (cross-profile DB + large-file leakage) #350
Closed
@jalehman
fix: route all four hardcoded ~/.openclaw paths through OPENCLAW_STAT…
fece835 
…E_DIR

- Add resolveOpenclawStateDir(env) helper to src/db/config.ts
- Add largeFilesDir to LcmConfig and resolveLcmConfig (env: LCM_LARGE_FILES_DIR)
- Fix engine.ts storeLargeFileContent to use this.config.largeFilesDir
- Add stateDir to PluginEnvSnapshot in plugin/index.ts
- Fix resolveAuthStorePaths to use stateDir instead of hardcoded ~/.openclaw
- Fix resolveSecretRef to use stateDir instead of hardcoded ~/.openclaw
- Add startup banner log line emitting the resolved state dir
- Add 12 new tests for resolveOpenclawStateDir and largeFilesDir
- Update openclaw.plugin.json with largeFilesDir schema
- Update docs/configuration.md and skills reference with OPENCLAW_STATE_DIR docs

Agent-Logs-Url: https://github.com/Martian-Engineering/lossless-claw/sessions/36f08751-1270-4614-8f71-4ce2e3d0c1a5

Co-authored-by: jalehman <550978+jalehman@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix hardcoded ~/.openclaw paths to respect OPENCLAW_STATE_DIR fix: route all four hardcoded ~/.openclaw paths through OPENCLAW_STATE_DIR Apr 10, 2026
Copilot AI requested a review from jalehman April 10, 2026 01:02
@100yenadmin

100yenadmin commented Apr 10, 2026

Copy link
Copy Markdown
Collaborator

Reviewed locally against current main.

What I verified:

  • targeted tests pass on the branch (test/config.test.ts, test/engine.test.ts)
  • the path resolution is centralized instead of sprinkling more ~/.openclaw call sites
  • large-file storage now follows the active state dir, which is the highest-risk part of the bug report
  • auth-profile and legacy-secret fallbacks stop silently reaching into the default profile on multi-profile hosts

The only diff noise I saw was the expected package version bump in package-lock.json from rebasing across the v0.8.0 release line. The substantive fix itself looks ready for review/merge.

@jalehman
fix: address PR 354 review follow-ups
4dc34d9 
Update state-dir-sensitive database examples in the configuration docs, align manifest database path help text with the OPENCLAW_STATE_DIR default, and add a patch changeset for the multi-profile path isolation fix.

Regeneration-Prompt: |
  Address the review follow-ups on PR 354 without changing the runtime fix itself. Keep the new OPENCLAW_STATE_DIR behavior intact, but make the operator-facing docs and manifest help text consistently describe the state-dir-aware database default, including examples that work for both default and non-default profiles. Because this is a user-visible multi-profile bug fix, add the appropriate patch changeset before pushing back to the PR branch.
@jalehman jalehman marked this pull request as ready for review April 10, 2026 22:30
@jalehman jalehman merged commit b0ad788 into main Apr 10, 2026
2 checks passed
@jalehman jalehman deleted the copilot/fix-hardcoded-openclaw-paths branch April 10, 2026 22:30
@github-actions github-actions Bot mentioned this pull request Apr 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jalehman jalehman Awaiting requested review from jalehman

Assignees

@jalehman jalehman

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Four hardcoded ~/.openclaw paths bypass OPENCLAW_STATE_DIR on multi-profile hosts (cross-profile DB + large-file leakage)

3 participants

@100yenadmin @jalehman