Need documented config keys for disabling plugin/tool/channel/owner-elevated surfaces for proposal-only mode

[torbisoc]

Environment

• Windows
• OpenClaw 2026.5.7
• OpenClaw dashboard endpoint: [local loopback OpenClaw dashboard endpoint]
• LM Studio provider (OpenAI-compatible)
• LM Studio endpoint: [local LM Studio OpenAI-compatible endpoint]
• Model google/gemma-3-4b
• API adapter openai-responses

Goal

Run OpenClaw in proposal-only mode with no file/system/tool/channel/automation authority.

What Works

• Dashboard works after LM Studio context increase.
• Proposal-only prompt passes.
• tools.web.search.enabled was disabled.
• LM Studio provider works using openai-responses.
• Thinking default is low.

Prior Blocker Fixed

• n_keep around 29k exceeded n_ctx 4096.
• Reloading LM Studio with larger context fixed dashboard response.

Current Blocker

• Exact config key paths for disabling remaining plugin/tool/channel/owner-elevated surfaces are unclear.
• Codex safely stopped instead of guessing config keys.

Surfaces Needing Authoritative Key Mapping

• browser
• device-pair
• file-transfer
• memory-core
• phone-control
• talk-voice
• channels
• cron/automation
• MCP
• hooks
• apps
• owner-only commands
• exec approvals
• dangerous action approvals

Safety Requirements

• no guessing config keys
• backup-first edits only
• no read-only mode until surfaces are locked down
• no tools/hooks/MCP/apps/channels/automation
• no file/system authority
• Codex validates any execution

Maintainer Questions

1. What exact config keys disable each listed surface?
2. Is there a native proposal-only/no-tools mode?
3. Is there a native read-only mode?
4. How do we disable owner-elevated commands and approvals?
5. How do we disable or isolate browser/file/phone/voice/plugin sidecars?
6. How do we prevent doctor from auto-enabling plugins or shrinking config?
7. How do we validate no tools/channels/automation are active?
8. Which surfaces are mandatory for dashboard-only chat?
9. Which surfaces can be safely disabled without breaking dashboard chat?

Redacted Evidence Summary

• No tokens, API keys, bearer values, cookies, or session IDs included.
• No full raw local config included.
• OpenClaw dashboard and proposal-only checks pass under current provider state.
• Remaining blocker is authoritative key mapping for capability lockdown fields.

What We Need Before Proceeding

• authoritative config key map
• second lockdown execute plan
• second lockdown execution
• dashboard retest
• proposal-only retest
• read-only manual test plan after lockdown

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 26, 2026, 12:50 AM ET / 04:50 UTC.

Summary
Keep open: current main now documents policy-backed conformance checks and several hardening knobs, but it still does not provide a maintainer-approved proposal-only/runtime lockdown guarantee or a complete authoritative map for every requested authority surface.

Reproducibility: not applicable. as a product/docs/security-boundary request rather than a reproducible bug. Source review shows current main has policy and tool hardening controls, but no single supported proposal-only mode to reproduce against.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
This should stay with maintainers because the unresolved work is defining supported security semantics, not applying a narrow known code or docs repair.

Security
Needs attention: This issue is itself security-sensitive because it asks OpenClaw to define and document an authority-lockdown boundary.

Review details

Best possible solution:

Maintain a supported lockdown story only after maintainers choose the product/security boundary: either document a clearly limited policy-backed hardening recipe with validation commands and non-guarantees, or add a native proposal-only/read-only mode that enforces the boundary.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a product/docs/security-boundary request rather than a reproducible bug. Source review shows current main has policy and tool hardening controls, but no single supported proposal-only mode to reproduce against.

Is this the best way to solve the issue?

No, a bare config-key map is not yet the best standalone fix. The safer solution is maintainer-approved lockdown semantics or a native mode, because current policy checks do not enforce runtime calls or runtime/operator approval state.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Publishing a simple key map without maintainer security review could overpromise runtime safety because current Policy is a reporting/conformance layer, not a universal enforcement boundary.
• The requested surface list spans plugin loading, channel startup, MCP, hooks, tools, owner commands, sidecars, approvals, and apps, so a narrow docs-only change could miss a live authority path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 711e963723b4.

Label changes

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.

Label justifications:

• P2: This is a normal-priority security-hardening/product documentation request with meaningful operator impact but no confirmed active exploit or regression.
• impact:security: The issue is about disabling authority surfaces, owner-elevated commands, approvals, sidecars, channels, and tools for a safer operating mode.

Evidence reviewed

Security concerns:

• [medium] Proposal-only boundary is not yet a supported guarantee — docs/cli/policy.md:161
  Current main has conformance and hardening knobs, but policy docs explicitly do not make policy a runtime enforcement layer or cover runtime/operator approval state, so maintainers need to approve the security boundary before documenting it as supported.
  Confidence: 0.86

What I checked:

• Current policy docs cover many requested surfaces but frame policy as conformance: The policy CLI docs say Policy manages channels, MCP, model providers, network, gateway exposure, agent workspace posture, secrets/auth profile posture, and tool declarations, and give example keys for these categories. Public docs: docs/cli/policy.md. (docs/cli/policy.md:20, 711e963723b4)
• Policy is explicitly not runtime enforcement: The same docs state Policy reports drift from existing config/workspace metadata and does not rewrite runtime behavior unless an explicit repair path exists; they also say tool posture policy does not read runtime/operator approval state and does not enforce tool calls at runtime. Public docs: docs/cli/policy.md. (docs/cli/policy.md:161, 711e963723b4)
• Policy plugin config is narrow: The bundled policy plugin exposes only enabled, workspaceRepairs, expectedHash, expectedAttestationHash, and path under its config schema, so there is no single native proposal-only switch in this plugin surface. (extensions/policy/openclaw.plugin.json:15, 711e963723b4)
• Tool docs document read-only building blocks, not a full proposal-only mode: Security docs describe building read-only posture by combining sandbox workspace access with tool allow/deny lists, while tool docs define groups and elevated controls that still require careful composition. Public docs: docs/gateway/security/index.md. (docs/gateway/security/index.md:1135, 711e963723b4)
• Owner/tool boundary remains security-sensitive: The Tools invoke API docs treat direct tool invocation as a full operator-access surface and note that exec approvals are guardrails, not a separate authorization boundary for that endpoint. Public docs: docs/gateway/tools-invoke-http-api.md. (docs/gateway/tools-invoke-http-api.md:43, 711e963723b4)
• Policy feature history: The policy conformance system was introduced by merged pull request Policy: add conformance system with channel checks #80407, which explicitly scoped the initial work to conformance rather than runtime enforcement. (cbf72e5e26ee)

Likely related people:

• giodl73-repo: Merged policy pull request Policy: add conformance system with channel checks #80407 added the bundled policy plugin, policy CLI docs, attestations, and channel conformance checks that partially address this issue. (role: introduced policy conformance feature; confidence: high; commits: cbf72e5e26ee; files: extensions/policy, docs/cli/policy.md)
• Peter Steinberger: Recent current-main history and blame show broad updates to policy docs and policy source around the current documented lockdown/conformance behavior. (role: recent area contributor; confidence: medium; commits: 321f06ad0ef5; files: docs/cli/policy.md, extensions/policy/src/doctor/register.ts, extensions/policy/src/policy-state.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[torbisoc]

Issue 80081 Follow-Up Draft

Draft only. Not authority to execute.
Last updated: 2026-05-10
Mission: openclaw_20260509_prepare_maintainer_followup_packet_draft_only

Short Comment Draft

Maintainers: could you share the exact authoritative config key paths, along with the locked or disabled values, needed to complete OpenClaw second lockdown for proposal-only mode? OpenClaw is being kept in proposal-only / pasted-text mode until those keys are confirmed. This draft is for Charles review only and must not be posted without approval.

Unresolved Surfaces Needing Key Paths

• browser
• device-pair
• file-transfer
• memory-core
• phone-control
• talk-voice
• channels
• cron/automation
• MCP
• hooks
• apps
• owner-only commands
• exec approvals
• dangerous action approvals

Request

• Please provide the exact authoritative config key paths for each surface.
• Please include the locked or disabled values expected for proposal-only mode.
• Please confirm whether any listed surface is unsupported, unavailable, or controlled elsewhere.

Safety Note

• OpenClaw stays proposal-only / pasted-text only until the keys are confirmed.
• This packet is draft-only and must not be posted without Charles approval.

Routing Note

• No GitHub comment has been posted.
• The real blocker remains issue 80081.
• The next real mission remains openclaw_20260509_wait_for_maintainer_keys unless Charles explicitly approves posting this follow-up.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.