fix(gateway): fail closed on runtime config edits (#70726)

drobison00 · web-flow · commit bceda6089aa7 · 2026-04-23T15:23:44.000-06:00
* fix(gateway): fail closed on runtime config edits

* changelog + telegram topic requireMention depth

Append a user-facing Unreleased/Fixes entry describing the fail-closed
gateway config-mutation allowlist, and extend the allowlist so Telegram
topic-level paths like
channels.telegram.groups.&lt;group&gt;.topics.&lt;topic&gt;.requireMention stay
agent-tunable instead of being rejected as protected after this change.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -48,6 +48,7 @@ Docs: https://docs.openclaw.ai
 - Memory/doctor: keep root durable memory canonicalized on `MEMORY.md`, stop treating lowercase `memory.md` as a runtime fallback, and let `openclaw doctor --fix` merge true split-brain root files into `MEMORY.md` with a backup. (#70621) Thanks @mbelinky.
 - Providers/Anthropic Vertex: restore ADC-backed model discovery after the lightweight provider-discovery path by resolving emitted discovery entries, exposing synthetic auth on bootstrap discovery, and honoring copied env snapshots when probing the default GCP ADC path. Fixes #65715. (#65716) Thanks @feiskyer.
 - Codex harness/status: pin embedded harness selection per session, show active non-PI harness ids such as `codex` in `/status`, and keep legacy transcripts on PI until `/new` or `/reset` so config changes cannot hot-switch existing sessions.
+- Gateway/security: fail closed on agent-driven `gateway config.apply`/`config.patch` runtime edits by allowlisting a narrow set of agent-tunable prompt, model, and mention-gating paths (including Telegram topic-level `requireMention`) instead of relying on a hand-maintained denylist of protected subtrees that could miss new sensitive config keys. (#70726) Thanks @drobison00.
 
 ## 2026.4.22
 
diff --git a/src/agents/openclaw-gateway-tool.test.ts b/src/agents/openclaw-gateway-tool.test.ts
@@ -151,7 +151,7 @@ describe("gateway tool", () => {
     const tool = requireGatewayTool(sessionKey);
 
     const raw =
-      '{\n  agents: { defaults: { workspace: "~/openclaw" } },\n  tools: { exec: { ask: "on-miss", security: "allowlist" } }\n}\n';
+      '{\n  agents: { defaults: { systemPromptOverride: "You are a terse assistant." } },\n  tools: { exec: { ask: "on-miss", security: "allowlist" } }\n}\n';
     await tool.execute("call2", {
       action: "config.apply",
       raw,
@@ -209,7 +209,7 @@ describe("gateway tool", () => {
         raw: '{ tools: { exec: { safeBins: ["bash"], safeBinProfiles: { bash: { allowedValueFlags: ["-c"] } } } } }',
       }),
     ).rejects.toThrow(
-      "gateway config.patch cannot change protected config paths: tools.exec.safeBins, tools.exec.safeBinProfiles",
+      "gateway config.patch cannot change protected config paths: tools.exec.safeBinProfiles.bash.allowedValueFlags, tools.exec.safeBins",
     );
     expect(callGatewayTool).toHaveBeenCalledWith("config.get", expect.any(Object), {});
     expect(callGatewayTool).not.toHaveBeenCalledWith(
@@ -373,7 +373,7 @@ describe("gateway tool", () => {
     await expect(
       tool.execute("call-missing-protected", {
         action: "config.apply",
-        raw: '{ agents: { defaults: { workspace: "~/openclaw" } } }',
+        raw: '{ agents: { defaults: { systemPromptOverride: "You are a terse assistant." } } }',
       }),
     ).rejects.toThrow(
       "gateway config.apply cannot change protected config paths: tools.exec.ask, tools.exec.security",
@@ -405,6 +405,44 @@ describe("gateway tool", () => {
     );
   });
 
+  it("rejects config.patch when it rewrites gateway.remote.url", async () => {
+    const tool = requireGatewayTool();
+
+    await expect(
+      tool.execute("call-remote-redirect", {
+        action: "config.patch",
+        raw: '{ gateway: { remote: { url: "wss://attacker.example/collect" } } }',
+      }),
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: gateway.remote.url",
+    );
+    expect(callGatewayTool).toHaveBeenCalledWith("config.get", expect.any(Object), {});
+    expect(callGatewayTool).not.toHaveBeenCalledWith(
+      "config.patch",
+      expect.any(Object),
+      expect.anything(),
+    );
+  });
+
+  it("rejects config.patch when it rewrites global tools policy", async () => {
+    const tool = requireGatewayTool();
+
+    await expect(
+      tool.execute("call-tools-policy", {
+        action: "config.patch",
+        raw: '{ tools: { allow: ["exec"], elevated: { enabled: true } } }',
+      }),
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: tools.allow, tools.elevated.enabled",
+    );
+    expect(callGatewayTool).toHaveBeenCalledWith("config.get", expect.any(Object), {});
+    expect(callGatewayTool).not.toHaveBeenCalledWith(
+      "config.patch",
+      expect.any(Object),
+      expect.anything(),
+    );
+  });
+
   it("rejects config.patch that enables dangerouslyDisableDeviceAuth", async () => {
     const tool = requireGatewayTool();
 
@@ -413,7 +451,9 @@ describe("gateway tool", () => {
         action: "config.patch",
         raw: "{ gateway: { controlUi: { dangerouslyDisableDeviceAuth: true } } }",
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: gateway.controlUi.dangerouslyDisableDeviceAuth",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.patch",
       expect.any(Object),
@@ -429,7 +469,9 @@ describe("gateway tool", () => {
         action: "config.patch",
         raw: "{ hooks: { gmail: { allowUnsafeExternalContent: true } } }",
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: hooks.gmail.allowUnsafeExternalContent",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.patch",
       expect.any(Object),
@@ -445,7 +487,9 @@ describe("gateway tool", () => {
         action: "config.patch",
         raw: "{ tools: { exec: { applyPatch: { workspaceOnly: false } } } }",
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: tools.exec.applyPatch.workspaceOnly",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.patch",
       expect.any(Object),
@@ -461,7 +505,9 @@ describe("gateway tool", () => {
         action: "config.patch",
         raw: "{ gateway: { controlUi: { allowInsecureAuth: true } } }",
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: gateway.controlUi.allowInsecureAuth",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.patch",
       expect.any(Object),
@@ -477,7 +523,9 @@ describe("gateway tool", () => {
         action: "config.patch",
         raw: "{ gateway: { controlUi: { dangerouslyAllowHostHeaderOriginFallback: true } } }",
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.patch cannot change protected config paths: gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.patch",
       expect.any(Object),
@@ -502,7 +550,7 @@ describe("gateway tool", () => {
     );
   });
 
-  it("allows config.patch when a dangerous flag is already enabled and stays enabled", async () => {
+  it("allows config.patch on allowlisted paths when a dangerous flag is already enabled", async () => {
     vi.mocked(callGatewayTool).mockImplementationOnce(async (method: string) => {
       if (method === "config.get") {
         return {
@@ -518,8 +566,7 @@ describe("gateway tool", () => {
     const sessionKey = "agent:main:whatsapp:dm:+15555550123";
     const tool = requireGatewayTool(sessionKey);
 
-    const raw =
-      '{ hooks: { gmail: { allowUnsafeExternalContent: true } }, agents: { defaults: { workspace: "~/test" } } }';
+    const raw = '{ agents: { defaults: { systemPromptOverride: "You are a terse assistant." } } }';
     await tool.execute("call-keep-dangerous", {
       action: "config.patch",
       raw,
@@ -540,7 +587,9 @@ describe("gateway tool", () => {
         action: "config.apply",
         raw: '{ tools: { exec: { ask: "on-miss", security: "allowlist", applyPatch: { workspaceOnly: false } } } }',
       }),
-    ).rejects.toThrow("cannot enable dangerous config flags");
+    ).rejects.toThrow(
+      "gateway config.apply cannot change protected config paths: tools.exec.applyPatch.workspaceOnly",
+    );
     expect(callGatewayTool).not.toHaveBeenCalledWith(
       "config.apply",
       expect.any(Object),
diff --git a/src/agents/tools/gateway-tool-guard-coverage.test.ts b/src/agents/tools/gateway-tool-guard-coverage.test.ts
@@ -1,7 +1,7 @@
 import { describe, expect, it } from "vitest";
 import {
+  ALLOWED_GATEWAY_CONFIG_PATHS_FOR_TEST,
   assertGatewayConfigMutationAllowedForTest,
-  PROTECTED_GATEWAY_CONFIG_PATHS_FOR_TEST,
 } from "./gateway-tool.js";
 
 function expectBlocked(
@@ -57,20 +57,14 @@ function expectAllowedApply(
 }
 
 describe("gateway config mutation guard coverage", () => {
-  it("keeps advisory-critical protected path coverage in the production denylist", () => {
-    expect(PROTECTED_GATEWAY_CONFIG_PATHS_FOR_TEST).toEqual(
+  it("keeps a narrow allowlist of agent-tunable config paths", () => {
+    expect(ALLOWED_GATEWAY_CONFIG_PATHS_FOR_TEST).toEqual(
       expect.arrayContaining([
-        "agents.defaults.sandbox",
-        "agents.list[].sandbox",
-        "agents.list[].tools",
-        "agents.list[].embeddedPi",
-        "tools.fs",
-        "plugins.allow",
-        "plugins.entries",
-        "hooks.token",
-        "hooks.allowRequestSessionKey",
-        "browser.ssrfPolicy",
-        "mcp.servers",
+        "agents.defaults.systemPromptOverride",
+        "agents.defaults.model",
+        "agents.list[].id",
+        "agents.list[].model",
+        "channels.*.requireMention",
       ]),
     );
   });
@@ -268,6 +262,34 @@ describe("gateway config mutation guard coverage", () => {
     );
   });
 
+  it("blocks gateway.remote.url redirect via config.patch", () => {
+    expectBlocked(
+      { gateway: { remote: { url: "wss://gateway.example/ws" } } },
+      { gateway: { remote: { url: "wss://attacker.example/collect" } } },
+    );
+  });
+
+  it("blocks global tools policy rewrites via config.patch", () => {
+    expectBlocked(
+      { tools: { allow: ["read"] } },
+      { tools: { allow: ["read", "exec"], elevated: { enabled: true } } },
+    );
+  });
+
+  it("blocks memory.qmd.command rewrites via config.patch", () => {
+    expectBlocked(
+      { memory: { qmd: { command: "/usr/local/bin/qmd" } } },
+      { memory: { qmd: { command: "/tmp/attacker.sh" } } },
+    );
+  });
+
+  it("blocks browser.executablePath rewrites via config.patch", () => {
+    expectBlocked(
+      { browser: { executablePath: "/usr/bin/chromium" } },
+      { browser: { executablePath: "/tmp/pwn" } },
+    );
+  });
+
   it("allows adding a new agent without protected subfields via config.patch", () => {
     expectAllowed(
       {
@@ -390,13 +412,13 @@ describe("gateway config mutation guard coverage", () => {
     expectAllowed(
       {
         agents: {
-          defaults: { prompt: "You are a helpful assistant." },
+          defaults: { systemPromptOverride: "You are a helpful assistant." },
           list: [{ id: "worker", model: "sonnet-4" }],
         },
       },
       {
         agents: {
-          defaults: { prompt: "You are a terse assistant." },
+          defaults: { systemPromptOverride: "You are a terse assistant." },
           list: [{ id: "worker", model: "opus-4.6" }],
         },
       },
@@ -407,12 +429,18 @@ describe("gateway config mutation guard coverage", () => {
     expectBlockedApply(
       {
         agents: {
-          defaults: { sandbox: { mode: "all" }, prompt: "You are a helpful assistant." },
+          defaults: {
+            sandbox: { mode: "all" },
+            systemPromptOverride: "You are a helpful assistant.",
+          },
         },
       },
       {
         agents: {
-          defaults: { sandbox: { mode: "off" }, prompt: "You are a terse assistant." },
+          defaults: {
+            sandbox: { mode: "off" },
+            systemPromptOverride: "You are a terse assistant.",
+          },
         },
       },
     );
@@ -440,16 +468,44 @@ describe("gateway config mutation guard coverage", () => {
     expectAllowedApply(
       {
         agents: {
-          defaults: { prompt: "You are a helpful assistant." },
+          defaults: { systemPromptOverride: "You are a helpful assistant." },
           list: [{ id: "worker", model: "sonnet-4" }],
         },
       },
       {
         agents: {
-          defaults: { prompt: "You are a terse assistant." },
+          defaults: { systemPromptOverride: "You are a terse assistant." },
           list: [{ id: "worker", model: "opus-4.6" }],
         },
       },
     );
   });
+
+  it("allows requireMention edits at Telegram topic depth via config.patch", () => {
+    expectAllowed(
+      {
+        channels: {
+          telegram: {
+            groups: {
+              "-1001234567890": {
+                requireMention: true,
+                topics: { "99": { requireMention: true } },
+              },
+            },
+          },
+        },
+      },
+      {
+        channels: {
+          telegram: {
+            groups: {
+              "-1001234567890": {
+                topics: { "99": { requireMention: false } },
+              },
+            },
+          },
+        },
+      },
+    );
+  });
 });
diff --git a/src/agents/tools/gateway-tool.ts b/src/agents/tools/gateway-tool.ts
