[Meta] Feature request bundle: 11 platform gaps from intensive daily use

[smonett]

OpenClaw Feature Requests — Consolidated & Audited

Author: @smonett (intensive daily user since 2026.2)
Audited against: OpenClaw 2026.4.15 (April 17, 2026) · Refined 2026-04-19 after deeper package audit
Context: Every item below is backed by a working workaround script we actively run in production. Happy to share cleaned reference implementations. This is a user's-eye view; where we've spotted probable design intent, it's called out explicitly.

Previously filed as 11 individual issues (#65812–#65823), now consolidated here after auditing against 2026.4.15. 2026-04-19 refinement: tightened claims after reading relevant package internals, flagged items where maintainer design intent seems plausible.

---

Tier 1 — Critical (real user impact daily)

1. Silent model fallback + no system-prompt re-injection (was #65812)

• What exists in 4.15: buildFallbackNotice emits ↪️ Model Fallback: <active> as a lifecycle-stream event on transition, plus fallback_cleared on recovery. Surfaced to the user only when verbose is enabled.
• Remaining gaps:
  • Non-verbose users see nothing. A mid-session switch from Opus to Gemini is invisible on default settings. We understand the verbose gate is probably a deliberate UX choice to avoid noise — a lightweight "one-line, non-verbose" notice (or opt-in via agents.defaults.fallback.notify) would bridge this for users who want awareness without full verbose output.
  • No workspace-context re-injection. The fallback model inherits conversation history but not the SOUL.md / AGENTS.md bootstrap. This is the root of the "session suddenly feels different" class of incident, where the new model is tonally/behaviorally misaligned with the workspace persona.
  • No event type for user hooks. Our custom model-fallback-alert hook can't fire because there's no externally-exposed model:fallback event in the hooks system.
• Workaround: Manual behavioral-drift monitoring. No automated alerting possible.
• Impact: Highest. Every "my agent changed personalities" report we've seen traces back to the re-injection gap.

2. Automatic config rollback on gateway failure (was #65814)

• Problem: config.apply / config.patch writes have no pre-apply backup, no post-write health check, no rollback on failure. Bad config → gateway down → manual recovery from a command line the user may not have handy.
• Gap in 4.15: No changes. backup-create exists but is a manual command, not an auto-safeguard around config writes.
• Workaround: oc-config-safe — 120-line bash wrapper that backs up, validates, applies, health-checks, auto-rollbacks on failure.

3. Graduated crash recovery ladder (was #65815)

• Problem: Gateway crash-loops with only the KeepAlive restarter. No escalation through config revert → reinstall → version rollback.
• Gap in 4.15: No changes.
• Workaround: oc-crash-guard — 200-line script with 3-tier recovery ladder, running every 5 min via launchd.

---

Tier 2 — High Value (defensive patterns validated in production)

4. Content-based prompt injection scanning on tool output (was #65816)

• Context: THREAT-MODEL-ATLAS.md rates indirect prompt injection (T-EXEC-002) as High residual risk; current mitigation is XML wrapping of tool output.
• Acknowledged trade-off: Robust content scanning is genuinely hard to do without false positives — we recognize this may be a deliberate deferral rather than an oversight. Our workaround is conservative and narrow precisely because of that difficulty.
• 4.15 progress: Tool trust anchoring tightened (client tools no longer inherit built-in local-media trust). Good security fix, orthogonal to content scanning.
• Workaround: cc-taint-check.py — regex scanner with Unicode normalization, blocks high-severity injection patterns. Happy to share if useful as a reference.

5. Sub-agent cascade circuit breaker (was #65817)

• Problem: Failed sub-agents retried indefinitely with no guardrail. Burns tokens on repeated failures.
• Distinct from existing protections: maxSpawnDepth (default 1) and maxConcurrent (default 8) limit vertical stack depth and horizontal fan-out. Neither limits "same sub-agent re-spawned N times after failures," which is the actual failure mode.
• Gap in 4.15: Unknown-tool stream guard enabled by default — catches hallucinated tool names but not repeated real-tool failures.
• Workaround: cc-failure-guard.py — file-based circuit breaker blocking re-spawn after N failures.

6. Doctor dry-run / diff mode (was #65818)

• Problem: doctor --fix applies changes without preview. sessions cleanup has --dry-run; doctor does not. Has silently stripped custom config fields in the past.
• Gap in 4.15: No changes.
• Workaround: oc-doctor-safe — creates backup, shows diff, requires confirmation, supports rollback.

7. Per-path file access deny list for all tools (was #65820, reframed)

• Problem as originally filed: MCP tools bypass deny lists that Read/Write respect.
• Refined understanding after reading the code: There's no per-path deny list for any tool — native or MCP. tools.deny blocks tools wholesale (e.g. deny browser), but there's no way to say "Read is allowed, but not on ~/.ssh/ or .env files." So MCP isn't the outlier; the gap is broader.
• Request: Per-path file access deny list applied uniformly to Read, Write, Edit, and MCP file tools — covering credential files, SSH keys, .env, etc. by default or via config.
• Workaround: cc-mcp-guard.py — hook-based path filter (narrower than ideal).

---

Tier 3 — Nice to Have

8. Post-update hook system (was #65819)

• Internal post-update logic exists but no user-facing hook. Local dist patches (we run a handful) are lost on every openclaw update.
• Request: ~/.openclaw/hooks/post-update.d/ or equivalent config entry.
• Workaround: oc-post-update-patches run manually after each update.

9. Quality gate hooks on file writes (was #65821)

• Acknowledged: OpenClaw has a rich incoming-hooks system (hooks.mappings for external events → sessions). It does not currently expose a tool-use hook surface (pre/post file-write). That may be a deliberate product decision to stay distinct from Claude-Code-style hook proliferation.
• If it fits your philosophy: PreToolUse / PostToolUse hooks running linters/formatters/security scanners on agent-written files would be valuable. Not a bug — a feature request we'd defer to your judgment on scope.
• Workaround: External file watcher running ruff+bandit on workspace writes.

10. Per-binary exec trust (path or hash) (was #65822)

• Problem: safeBinTrustedDirs grants trust at directory granularity. audit.nondeep already flags risky mutable dirs (/tmp, ~/Downloads, etc.) — the maintainers are clearly aware of the coarseness — but there's no path-or-hash-level alternative.
• Request: safeBinTrustedBinaries config accepting per-binary trust by absolute path (or optional SHA-256 pin).
• Workaround: 7 pinned wrapper scripts in a trusted dir.

---

Dropped / deferred

• Multi-agent output provenance tracking (was [Feature] Multi-agent output provenance tracking #65823) — research-grade, removed for focus.
• Model alias versioning hygiene (drafted 2026-04-19, not filed) — after reading register.runtime-DmIHMeUp.js and model-definitions-ASgg9Ved.js, the alias tables are tightly coupled to OpenClaw's per-model qualification system (per-model cost, context window, modality, reasoning levels, template inheritance for new releases). What looked like "alias rot" is part of a coordinated release gating pattern. Flagging here so the maintainers know we looked and concluded there's no bug to file.
• Pre-call budget gate and periodic model health polling (added in earlier comments) — still relevant but lower priority than the above.

---

Notes

• All items audited against 2026.4.15 and refined on 2026-04-19 after reading relevant package internals.
• We run OpenClaw daily on macOS with a 4-provider fallback chain (Anthropic → Google → OpenAI → xAI), 9 configured agents, cron jobs, hooks, and MCP tools.
• Not trying to be pushy — we know maintainer bandwidth is finite. Goal here is to give the team a high-signal list with honest confidence levels. Happy to share any workaround scripts (cleaned of private paths) as reference implementations.

[smonett]

Consolidated and audited against 2026.4.15.

Closed the 11 individual issues (#65812–#65823) and merged everything into this single meta issue. Each item now includes 4.15 audit notes showing what has been partially addressed and what remains open.

Dropped multi-agent provenance tracking (research-grade, low daily impact) to keep the list focused on production gaps. Down to 10 items, tiered by real-world severity.

Items 4 and 5 note partial progress from 4.15 (tool trust anchoring and unknown-tool stream guard). The rest are unchanged.

Happy to share any of our workaround scripts as reference implementations — just say the word.

[smonett]

Cleanup update: the 11 individual issues (#65812, #65814–#65823) are now actually closed with back-references. Earlier comment stated they were closed but GitHub didn't apply the state change — fixed now.

Net: everything's consolidated here. Dropping #65823 (multi-agent provenance) for scope. 10 active items remain, all with workaround scripts in production. Happy to share any as reference implementations.

Also just completed a separate deep audit of the model manager vs. what we built in our research pipeline. Three concrete improvements stood out (per-provider cooldown seeding from published docs, pre-call budget gates, periodic health polling) — not filing separately unless there's interest, since we'd rather see traction on the existing list first.

[smonett]

Two additional gaps from continued intensive use, both broadly applicable across user configurations:

11. Pre-call budget gate
OpenClaw has per-model pricing internally (resolveModelCostConfig) and post-hoc /usage cost aggregation, but no pre-call enforcement. A single runaway sub-agent loop can burn significant spend before anyone notices — this isn't a power-user edge case, it affects anyone running Opus/GPT-5.4-pro/similar frontier models when an agent gets stuck in a retry pattern.

Config surface suggestion:

{
  "agents": {
    "defaults": {
      "budget": {
        "perSessionUsd": 5.00,
        "perDayUsd": 50.00,
        "warnAtPercent": 80
      }
    }
  }
}

Soft warning at 80%, hard abort at 100%, per-agent overrides allowed. Computation already exists in resolveModelCostConfig / estimateUsageCost — this is primarily a pre-dispatch gate hook, not new accounting logic.

12. Periodic model health polling with cooldown-aware routing
openclaw models status --probe already exists and works, but only runs on demand. A scheduled health check (configurable cadence, default hourly) that marks failed models as temporarily unhealthy in the fallback chain would stop users from burning tokens on known-down providers during outages.

Config surface suggestion:

{
  "agents": {
    "defaults": {
      "healthCheck": {
        "enabled": true,
        "intervalMinutes": 60,
        "probeTimeoutMs": 5000,
        "failClosedOnUnknown": false
      }
    }
  }
}

Reuses existing per-provider ping code. When a model fails its scheduled probe, skip it in the candidate chain until the next successful probe. failClosedOnUnknown: true for strict operators (our preference in research contexts), default false for graceful degradation.

Both items came out of a recent deep audit of the model manager against a more governed catalog-based system we run separately. Not filing as standalone issues — keeping everything consolidated here.