docs(plugins): document fallback opt-out flow

mcaxtr · mcaxtr · commit c31439128bb4 · 2026-05-15T13:53:42.000-03:00
diff --git a/docs/plugins/manifest.md b/docs/plugins/manifest.md
@@ -748,6 +748,53 @@ checks that run before channel runtime loads. Bundled channels can also publish
 the same defaults through `package.json#openclaw.channel.commands` alongside
 their other package-owned channel catalog metadata.
 
+Channel packages can also publish `package.json#openclaw.channel.doctorCapabilities`
+for read-only doctor and transition checks. These fields are metadata, not user
+config. When a channel sets one fallback flag to `false`, `openclaw doctor --fix`
+infers the matching preservation copy from existing DM `allowFrom` entries to the
+canonical explicit allowlist.
+
+Valid fallback metadata fields are:
+
+| Field                                      | Values    |
+| ------------------------------------------ | --------- |
+| `groupAllowFromFallbackToAllowFrom`        | `boolean` |
+| `groupOwnerAllowFromFallbackToAllowFrom`   | `boolean` |
+| `commandGroupAllowFromFallbackToAllowFrom` | `boolean` |
+| `commandAllowFromFallbackToAllowFrom`      | `boolean` |
+| `elevatedAllowFromFallbackToAllowFrom`     | `boolean` |
+
+### Disable fallback in a channel PR
+
+Channel follow-up PRs should disable one fallback family only after the channel
+runtime consumes the matching explicit allowlist. The metadata and runtime flag
+must move together: setting only metadata makes doctor guidance wrong, and
+setting only runtime flags can remove access before `openclaw doctor --fix` can
+preserve it.
+
+Use this table as the channel PR checklist:
+
+| Fallback being removed                                                        | Runtime change in the channel                                                                                                                                            | Doctor capability metadata                        | Doctor copy target                      |
+| ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------- | --------------------------------------- |
+| Normal group sender access falls back from group allowlists to DM `allowFrom` | Pass `policy.groupAllowFromFallbackToAllowFrom: false` to the shared ingress resolver and pass the explicit group sender allowlist the channel will use.                 | `groupAllowFromFallbackToAllowFrom: false`        | `channels.<id>.groupAllowFrom`          |
+| Group command senders fall back to DM or group sender allowlists              | Pass `command.commandGroupAllowFromFallbackToAllowFrom: false` and pass `command.commandGroupAllowFrom` when the channel has a command-specific sender allowlist.        | `commandGroupAllowFromFallbackToAllowFrom: false` | `channels.<id>.commandGroupAllowFrom`   |
+| Group command owners fall back to DM `allowFrom`                              | Pass `command.groupOwnerAllowFromFallbackToAllowFrom: false` and pass `command.groupOwnerAllowFrom` when the channel has a command-owner allowlist.                      | `groupOwnerAllowFromFallbackToAllowFrom: false`   | `channels.<id>.groupOwnerAllowFrom`     |
+| Text command authorization falls back to channel `allowFrom`                  | Make command authorization use explicit `commands.allowFrom` entries for this provider and keep the prepared doctor capability available to the auto-reply command path. | `commandAllowFromFallbackToAllowFrom: false`      | `commands.allowFrom.<channel-id>`       |
+| Elevated authorization falls back to channel `allowFrom`                      | Stop using the channel elevated `allowFromFallback` hook, or let shared elevated auth skip it through the prepared doctor capability.                                    | `elevatedAllowFromFallbackToAllowFrom: false`     | `tools.elevated.allowFrom.<channel-id>` |
+
+Before setting any fallback flag to `false`, verify that:
+
+- the target config key is accepted by that channel schema
+- the channel runtime reads that key on the relevant ingress or command path
+- `openclaw doctor --fix` can preserve existing access without broadening
+  account scope
+- synthetic open-DM wildcards are not being used as the source of the migration
+
+Command-only migrations must target command-specific allowlists:
+`commandGroupAllowFrom`, `groupOwnerAllowFrom`, or provider maps under
+`commands.allowFrom` and `tools.elevated.allowFrom`. Do not use normal group
+sender targets to preserve command authorization fallback.
+
 ```json
 {
   "channelConfigs": {
diff --git a/docs/plugins/sdk-channel-ingress.md b/docs/plugins/sdk-channel-ingress.md
@@ -58,6 +58,44 @@ Do not precompute effective allowlists, command owners, or command groups. The
 resolver derives them from raw allowlists, store callbacks, route descriptors,
 access groups, policy, and conversation kind.
 
+`allowFrom` is the direct-message allowlist. For group conversations, pass
+explicit non-DM targets when the channel has them:
+
+- `groupAllowFrom` controls normal group sender authorization.
+- `command.commandGroupAllowFrom` controls group command senders.
+- `command.groupOwnerAllowFrom` controls group command owners.
+
+`groupAllowFromFallbackToAllowFrom` controls only the shared normal group
+sender fallback. `command.commandGroupAllowFromFallbackToAllowFrom` is a
+separate command-group override; when omitted, it inherits the normal group
+fallback flag. `command.groupOwnerAllowFromFallbackToAllowFrom` controls the
+legacy group command-owner fallback and defaults to enabled for compatibility.
+
+When a channel disables one of these fallbacks, update the runtime resolver
+input and the doctor capability metadata in the same channel PR. Runtime config
+loading does not perform this repair; `openclaw doctor --fix` is the only
+preservation-copy path.
+
+Use these runtime flags before declaring the matching manifest metadata:
+
+| Fallback family               | Runtime input to set                                      | Required explicit input                                                                                              |
+| ----------------------------- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
+| Normal group sender fallback  | `policy.groupAllowFromFallbackToAllowFrom: false`         | `groupAllowFrom` or a route sender allowlist that replaces the legacy fallback.                                      |
+| Group command-sender fallback | `command.commandGroupAllowFromFallbackToAllowFrom: false` | `command.commandGroupAllowFrom`, unless command authorization is intentionally covered by explicit `groupAllowFrom`. |
+| Group command-owner fallback  | `command.groupOwnerAllowFromFallbackToAllowFrom: false`   | `command.groupOwnerAllowFrom`, or an intentional no-owner mode such as the legacy `"none"` sentinel.                 |
+
+Provider-wide command fallback and elevated fallback are not ingress resolver
+inputs. Those paths read prepared channel capability metadata, so the channel PR
+must ensure the command or elevated authorization path already has an explicit
+target before declaring the fallback disabled.
+
+After the runtime consumes the explicit target, set the corresponding
+`package.json#openclaw.channel.doctorCapabilities` fields described in
+[Plugin manifest](/plugins/manifest#disable-fallback-in-a-channel-pr). Doctor
+infers the copy target from the disabled fallback flag, so channel PRs should
+only set the fallback metadata after the target config key is accepted by that
+channel schema and read by that channel runtime.
+
 ## Result
 
 Bundled plugins should consume modern projections directly:
