Skip to content

Commit d912909

Browse files
liuhao1024liuhao1024
authored
docs(nodes): add node config example
Add a Nodes overview `openclaw.json` example for node pairing, command allow/deny policy, node exec routing, and per-agent node pinning. Also clarifies exact `denyCommands` matching and links readers to the config reference for pairing and command-policy field details. Fixes #92662. Thanks @liuhao1024 for the fix and @ZengWen-DT for the parallel docs wording on exact node command policy.
1 parent e6ffcf7 commit d912909

1 file changed

Lines changed: 53 additions & 0 deletions

File tree

docs/nodes/index.md

Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -214,6 +214,59 @@ permission boundary. Dangerous plugin node commands still require explicit
214214
After a node changes its declared command list, reject the old device pairing
215215
and approve the new request so the gateway stores the updated command snapshot.
216216

217+
## Config (`openclaw.json`)
218+
219+
Node-related settings live under `gateway.nodes` and `tools.exec`:
220+
221+
```json5
222+
{
223+
gateway: {
224+
nodes: {
225+
// Auto-approve first-time node pairing from trusted networks (CIDR list).
226+
// Disabled when unset. Only applies to first-time role:node requests
227+
// with no requested scopes; does not auto-approve upgrades.
228+
pairing: {
229+
autoApproveCidrs: ["192.168.1.0/24"],
230+
},
231+
// Opt into dangerous/privacy-heavy node commands (camera.snap, etc.).
232+
allowCommands: ["camera.snap", "screen.record"],
233+
// Block exact command names even if defaults or allowCommands include them.
234+
denyCommands: ["camera.clip"],
235+
},
236+
},
237+
tools: {
238+
exec: {
239+
// Default exec host: "node" routes all exec calls to a paired node.
240+
host: "node",
241+
// Security mode for node exec: allow only approved/allowlisted commands.
242+
security: "allowlist",
243+
// Pin exec to a specific node (id or name). Omit to allow any node.
244+
node: "build-node",
245+
},
246+
},
247+
}
248+
```
249+
250+
Use exact node command names. `denyCommands` removes a command even when a
251+
platform default or `allowCommands` entry would otherwise allow it. See
252+
[Gateway configuration reference](/gateway/configuration-reference#gateway-field-details)
253+
for gateway node pairing and command-policy field details.
254+
255+
Per-agent exec node override:
256+
257+
```json5
258+
{
259+
agents: {
260+
list: [
261+
{
262+
id: "main",
263+
tools: { exec: { node: "build-node" } },
264+
},
265+
],
266+
},
267+
}
268+
```
269+
217270
## Screenshots (canvas snapshots)
218271

219272
If the node is showing the Canvas (WebView), `canvas.snapshot` returns `{ format, base64 }`.

0 commit comments

Comments
 (0)