fix(diagnostics-otel): support preloaded sdk mode#71450

Merged
vincentkoc merged 1 commit into main from fix/otel-tracing-split
Apr 25, 2026

Conversation

@vincentkoc
Member

Summary

  • support OPENCLAW_OTEL_PRELOADED=1 in diagnostics-otel so hosts with an existing global OpenTelemetry SDK do not get a second plugin-owned NodeSDK
  • keep OpenClaw diagnostic event listeners active in preloaded mode, including OTEL spans, metrics instruments, and log export wiring
  • document the preload mode and add regression coverage for trace gating when diagnostics.otel.traces is disabled

Extracted from the safe preloaded-SDK portion of #70424 without taking the direct agent-runtime span instrumentation, root dependency, Dockerfile, or preload script changes.

Validation

  • pnpm test extensions/diagnostics-otel/src/service.test.ts
  • git diff --check HEAD~1..HEAD

@vincentkoc vincentkoc self-assigned this Apr 25, 2026
@vincentkoc vincentkoc marked this pull request as ready for review April 25, 2026 06:52
@aisle-research-bot

aisle-research-bot Bot commented Apr 25, 2026

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

| # | Severity | Title |
|---|---|---|
| 1 | 🟡 Medium | Telemetry export policy bypass when OPENCLAW_OTEL_PRELOADED=1 uses global OpenTelemetry providers |

1. 🟡 Telemetry export policy bypass when `OPENCLAW_OTEL_PRELOADED=1` uses global OpenTelemetry providers

| Property | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-201 |
| Location | extensions/diagnostics-otel/src/service.ts:408-476 |

Description

In diagnostics-otel service startup, setting OPENCLAW_OTEL_PRELOADED=1 causes the plugin to skip creating its own NodeSDK and OTLP trace/metric exporters, but it still emits spans/metrics via the global OpenTelemetry API providers.

Impact:

  • The configured diagnostics.otel.endpoint and diagnostics.otel.headers are not applied to traces/metrics in preloaded mode.
  • Any globally-registered/preloaded SDK (potentially attacker-controlled in an untrusted host/runtime, or misconfigured via preload hooks) can export OpenClaw telemetry to an arbitrary endpoint.
  • Telemetry can include sensitive attributes (e.g., provider/model metadata, trace context, and optionally content attributes when diagnostics.otel.captureContent is enabled), making this a potential data exfiltration vector.

Vulnerable behavior:

```ts
const sdkPreloaded = hasPreloadedOtelSdk();
...
if (!sdkPreloaded && (tracesEnabled || metricsEnabled)) {
  // configure OTLP exporters with endpoint/headers and start NodeSDK
} else if (sdkPreloaded && (tracesEnabled || metricsEnabled)) {
  ctx.logger.info("diagnostics-otel: using preloaded OpenTelemetry SDK");
}

const meter = metrics.getMeter("openclaw");
const tracer = trace.getTracer("openclaw");
```

Recommendation

Harden preloaded-SDK mode to prevent unintentional routing of telemetry to untrusted exporters:

  • Require an explicit config opt-in in addition to the env var (or instead of it), e.g. diagnostics.otel.allowPreloadedSdk: true.
  • When preloaded mode is enabled, emit a prominent warning that endpoint/headers/sampleRate are not enforced for traces/metrics.
  • Optionally, validate/allowlist exporter endpoints (when detectable) or disable sensitive content capture in preloaded mode unless explicitly re-enabled.

Example (gating by config):

```ts
const sdkPreloaded = process.env.OPENCLAW_OTEL_PRELOADED === "1";
const allowPreloaded = otel.allowPreloadedSdk === true;

if (sdkPreloaded && !allowPreloaded) {
  ctx.logger.warn("diagnostics-otel: preloaded SDK requested but not allowed by config");
  return;
}
```

Analyzed PR: #71450 at commit dad424c

Last updated on: 2026-04-25T06:54:16Z
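The three hardening recommendations above (explicit config opt-in, a warning naming the settings the plugin can no longer enforce, and content capture off by default in preloaded mode) can be combined into one startup decision. This is an added example, not OpenClaw's code; the config fields `allowPreloadedSdk` and `preloadedCaptureContent` are hypothetical names, and the decision covers traces/metrics only (the plugin-owned LoggerProvider is out of scope).

```typescript
// Added example (not OpenClaw's code): a startup gate for preloaded-SDK mode.
// Hypothetical config fields: allowPreloadedSdk, preloadedCaptureContent.
type OtelConfig = {
  traces?: boolean;
  metrics?: boolean;
  captureContent?: boolean;
  endpoint?: string;
  headers?: Record<string, string>;
  sampleRate?: number;
  allowPreloadedSdk?: boolean;       // hypothetical explicit opt-in
  preloadedCaptureContent?: boolean; // hypothetical re-enable of content capture
};

type StartupDecision = {
  mode: "own-sdk" | "preloaded" | "skip";
  captureContent: boolean;
  warnings: string[];
};

function decideOtelStartup(
  env: Record<string, string | undefined>,
  otel: OtelConfig,
): StartupDecision {
  const wantsSignals = otel.traces === true || otel.metrics === true;
  const preloadRequested = env.OPENCLAW_OTEL_PRELOADED === "1";
  const warnings: string[] = [];

  if (!preloadRequested) {
    // Plugin owns the NodeSDK, so endpoint/headers/sampleRate are enforced by it.
    return { mode: wantsSignals ? "own-sdk" : "skip", captureContent: otel.captureContent === true, warnings };
  }
  if (otel.allowPreloadedSdk !== true) {
    // The env var alone is not enough: refuse to attach to an unknown global SDK.
    warnings.push("OPENCLAW_OTEL_PRELOADED=1 set but diagnostics.otel.allowPreloadedSdk is not true; not starting");
    return { mode: "skip", captureContent: false, warnings };
  }
  // Opted in: name every configured setting the plugin can no longer apply.
  const unenforced = (["endpoint", "headers", "sampleRate"] as const).filter((k) => otel[k] !== undefined);
  if (unenforced.length > 0) {
    warnings.push(`preloaded mode: diagnostics.otel.${unenforced.join(", diagnostics.otel.")} not applied to traces/metrics`);
  }
  // Content capture stays off in preloaded mode unless explicitly re-enabled.
  const captureContent = otel.captureContent === true && otel.preloadedCaptureContent === true;
  if (otel.captureContent === true && !captureContent) {
    warnings.push("preloaded mode: captureContent disabled; set preloadedCaptureContent to re-enable");
  }
  return { mode: wantsSignals ? "preloaded" : "skip", captureContent, warnings };
}
```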

@openclaw-barnacle openclaw-barnacle Bot added labels Apr 25, 2026: docs (Improvements or additions to documentation), gateway (Gateway runtime), extensions: diagnostics-otel (Extension: diagnostics-otel), size: S, maintainer (Maintainer-authored PR)
@greptile-apps
Contributor

greptile-apps Bot commented Apr 25, 2026

Greptile Summary

This PR adds OPENCLAW_OTEL_PRELOADED=1 support to the diagnostics-otel plugin so that hosts with an existing global OpenTelemetry SDK can skip plugin-owned NodeSDK startup/shutdown while keeping all diagnostic event listeners (spans, metrics, logs) active. The implementation is clean: a hasPreloadedOtelSdk() guard wraps the NodeSDK construction block, the existing null-check in stopStarted naturally prevents SDK shutdown in preloaded mode, and the plugin-owned LoggerProvider is still created independently when logs is enabled.

Confidence Score: 4/5

PR is safe to merge; only a minor changelog attribution issue was found.

The implementation is correct and test coverage is thorough. The only finding is a P2 style issue: the CHANGELOG entry references the parent PR #70424 rather than this PR #71450.

CHANGELOG.md — wrong PR reference in the new entry.


Comment thread CHANGELOG.md

### Changes

- Diagnostics/OTEL: support `OPENCLAW_OTEL_PRELOADED=1` so the plugin can reuse an already-registered OpenTelemetry SDK while keeping OpenClaw diagnostic listeners wired. (#70424) Thanks @jlapenna.

P2 Wrong PR reference in changelog entry

The CHANGELOG entry credits #70424 (the original parent PR) rather than this PR (#71450). Changelog entries should reference the PR that actually merges the change into the main branch; linking to the parent PR makes it harder to trace the merge history.


@vincentkoc vincentkoc merged commit 56eb1ff into main Apr 25, 2026
94 of 97 checks passed
@vincentkoc vincentkoc deleted the fix/otel-tracing-split branch April 25, 2026 06:55
vincentkoc added a commit that referenced this pull request Apr 25, 2026
- Two Diagnostics/OTEL Changes entries credited issue #70424 (jlapenna's
  open meta-tracing proposal) as the PR ref. The actual implementing
  PRs landed as #71451 (exec-process telemetry) and #71450 (preloaded
  SDK mode), both authored by @vincentkoc — corrected.
- Telegram/webhook fix had no Thanks credit. Issue #71392 reporter
  @joelforsberg46-source identified the delivery-retry behaviour, so
  credit them on the entry.
vincentkoc added a commit that referenced this pull request Apr 25, 2026
… tool-result pruning entries

Three entries were missing co-credits I should have preserved:

- Diagnostics/OTEL exec-process spans (#71451): @vincentkoc implemented,
  but @jlapenna's #70424 proposed the broader tracing work this entry
  builds on. Now credits both.
- Diagnostics/OTEL preloaded SDK (#71450): same pattern — credits
  @vincentkoc and @jlapenna.
- Agents/tool-result pruning (#51267): @cgdusek's PR explicitly built
  on prior work in #39331 by @alvinttang and #34980 by @coffeexcoin.
  Now credits all three.