fix: protect global agent config defaults [AI]

[pgondhi987]

Summary

• Removes global agent prompt overlays and global default model selection from the agent-facing gateway config mutation allowlist.
• Keeps bounded agent runtime tuning, per-agent model selection, mention gating, and visible-reply settings available through the existing guard.
• Updates the gateway security docs so the public trust-boundary description matches the runtime guard.
• Adds regression coverage for both config.patch and config.apply attempts to rewrite global prompt/model defaults.

Linked context

Which issue does this close?

No public issue linked.

Which issues, PRs, or discussions are related?

Related: maintainer security hardening request

Was this requested by a maintainer or owner?

Yes, via maintainer-directed security hardening intake.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Agent-facing gateway config writes can no longer persistently rewrite global prompt overlays or the global default model.
• Real environment tested: Local source checkout plus a real temporary openclaw gateway run process with isolated OPENCLAW_HOME, OPENCLAW_STATE_DIR, and OPENCLAW_CONFIG_PATH.
• Exact steps or command run after this patch: OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" pnpm openclaw gateway run --dev --reset --port 18879 --auth none --allow-unconfigured --ws-log compact
• Exact steps or command run after this patch: OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" OPENCLAW_GATEWAY_PORT=18879 pnpm tsx --eval '<createGatewayTool proof script>'
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): global_prompt_overlays: REJECTED gateway config.patch cannot change protected config paths: agents.defaults.promptOverlays.gpt5.personality
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): global_default_model: REJECTED gateway config.patch cannot change protected config paths: agents.defaults.model.primary
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): allowed_reasoning_default: ALLOWED ok
• Observed result after fix: The real gateway tool path rejects global prompt/model default mutations before forwarding the write, while a valid bounded tuning path still succeeds.
• What was not tested: No external chat/channel UI was used; the proof invoked the agent-facing gateway tool directly against a real local gateway process.
• Proof limitations or environment constraints: The gateway used auth-none in an isolated temp state dir with a dummy explicit gatewayToken only to satisfy the agent tool's explicit URL override contract; no real credentials were used.
• Before evidence (optional but encouraged): Existing guard coverage asserted these global paths were present in the allowlist.

Tests and validation

Which commands did you run?

node scripts/run-vitest.mjs src/agents/tools/gateway-tool-guard-coverage.test.ts

OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" pnpm openclaw gateway run --dev --reset --port 18879 --auth none --allow-unconfigured --ws-log compact

OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" OPENCLAW_GATEWAY_PORT=18879 pnpm tsx --eval '<createGatewayTool proof script>'

What regression coverage was added or updated?

Updated gateway mutation guard coverage to assert global prompt overlays and global default model paths are not allowlisted, plus new blocked config.patch and config.apply cases.

What failed before this fix, if known?

Before this change, the allowlist coverage expected agents.defaults.promptOverlays and agents.defaults.model to be agent-tunable.

If no test was added, why not?

Not applicable; focused regression tests were added.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes. Agent-driven gateway config.patch and gateway config.apply calls that target global prompt overlays or global default model settings now fail as protected config changes.

Did config, environment, or migration behavior change? (Yes/No)

No config shape, environment variable, or migration behavior changed.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes. The agent-facing gateway tool boundary is stricter for persistent global prompt/model config writes; auth, secrets, network, sandbox, plugin, channel, provider, and tool execution behavior are otherwise unchanged.

What is the highest-risk area?

Compatibility for workflows that asked the model to persist global default model or prompt overlay changes through the gateway tool.

How is that risk mitigated?

The stricter behavior is limited to the model-facing gateway mutation guard; trusted operators can still edit those settings through operator-controlled config surfaces.

Current review state

What is the next action?

Await ClawSweeper re-review and GitHub CI completion.

What is still waiting on author, maintainer, CI, or external proof?

GitHub CI and maintainer review are still pending.

Which bot or reviewer comments were addressed?

Addressed ClawSweeper proof feedback by adding real temporary gateway proof for blocked global prompt/model writes and one allowed bounded tuning write.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 12:00 AM ET / 04:00 UTC.

Summary
The PR removes global prompt overlays and global default model selection from the agent-facing gateway config mutation allowlist, updates guard coverage, and aligns gateway security docs.

PR surface: Source -2, Tests +37, Docs +1. Total +36 across 3 files.

Reproducibility: yes. Current main source shows the two global default prefixes in the agent-facing allowlist, and the PR body reports a real gateway run where those same writes are rejected after the patch.

Review metrics: 1 noteworthy metric.

• Agent-tunable default surfaces: 2 removed from allowlist. Removing global prompt overlays and global default model from model-facing writes is a compatibility-sensitive security-boundary change.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Maintainer should explicitly accept the compatibility tradeoff for existing model-facing global default writes before merge.

Risk before merge

• [P1] Existing workflows that ask the model-facing gateway tool to persist global prompt overlay or global default model changes will now fail with protected-config-path errors; maintainers need to accept that compatibility tradeoff before merge.

Maintainer options:

1. Confirm the protected-default boundary (recommended)
   A maintainer can accept the stricter model-facing boundary if agent-driven global prompt/model writes are intentionally no longer supported.
2. Add upgrade-facing release context
   If maintainers want extra discoverability, require PR-body or squash-message release-note context that points users to operator-controlled config surfaces for global defaults.
3. Pause if self-tuning defaults are required
   If agent-driven global default tuning is still a supported product workflow, pause this PR and design a narrower explicit operator-approved path instead.

Next step before merge

• Human maintainer review remains because the PR has a protected maintainer label and intentionally changes compatibility-sensitive gateway config behavior; no automated repair is indicated.

Security
Cleared: The diff tightens an agent-facing config-write boundary and does not add dependency, workflow, secret, or code-execution surface.

Review details

Best possible solution:

Land the stricter allowlist only after maintainer confirmation that global prompt/model defaults are operator-controlled settings, with CLI/UI config remaining the supported edit path.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main source shows the two global default prefixes in the agent-facing allowlist, and the PR body reports a real gateway run where those same writes are rejected after the patch.

Is this the best way to solve the issue?

Yes, conditional on maintainer acceptance of the compatibility break. Removing the two prefixes at the existing fail-closed allowlist is the narrowest owner-boundary fix and leaves trusted operator config surfaces intact.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 32282418eb88.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes copied live output from a real temporary gateway process showing both global default writes rejected and a bounded tuning write allowed.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body now includes copied live output from a real temporary gateway process showing both global default writes rejected and a bounded tuning write allowed.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The PR changes an agent-facing gateway security boundary for persistent config writes, which is urgent but still scoped to gateway config mutation behavior.
• merge-risk: 🚨 compatibility: Merging makes existing model-facing config.patch or config.apply workflows for global prompt/model defaults fail closed.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body now includes copied live output from a real temporary gateway process showing both global default writes rejected and a bounded tuning write allowed.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes copied live output from a real temporary gateway process showing both global default writes rejected and a bounded tuning write allowed.

Evidence reviewed

PR surface:

Source -2, Tests +37, Docs +1. Total +36 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	1	3	-2
Tests	1	39	2	+37
Docs	1	4	3	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	44	8	+36

What I checked:

• Changed allowlist: At the PR head, ALLOWED_GATEWAY_CONFIG_PATHS no longer includes agents.defaults.promptOverlays or agents.defaults.model, while per-agent model and bounded runtime tuning paths remain allowed. (src/agents/tools/gateway-tool.ts:43, 92286108b12c)
• Regression coverage: The PR head asserts the two global default prefixes are absent from the test allowlist and adds blocked config.patch cases for global prompt overlay and model default edits. (src/agents/tools/gateway-tool-guard-coverage.test.ts:61, 92286108b12c)
• Apply coverage: The PR head adds a config.apply replacement case that blocks changing global prompt/model defaults while also changing an otherwise allowed reasoning default. (src/agents/tools/gateway-tool-guard-coverage.test.ts:563, 92286108b12c)
• Runtime entry point: The gateway tool fetches the current config, runs assertGatewayConfigMutationAllowed, and only then forwards config.apply or config.patch to the gateway RPC path. (src/agents/tools/gateway-tool.ts:503, 32282418eb88)
• Docs alignment: The PR head updates the public gateway security docs to say global model defaults and prompt overlays stay operator-controlled. Public docs: docs/gateway/security/index.md. (docs/gateway/security/index.md:515, 92286108b12c)
• Feature history: The fail-closed gateway config mutation allowlist was introduced by the merged security-hardening work in commit bceda6089aa7b3695cc7696b43c61ae3d01bb0ec. (src/agents/tools/gateway-tool.ts:42, bceda6089aa7)

Likely related people:

• steipete: Current main blame for the gateway allowlist and security doc wording points to Peter Steinberger, with additional recent gateway-tool history in the same file. (role: recent area contributor; confidence: high; commits: 003bb8546db7, 32282418eb88; files: src/agents/tools/gateway-tool.ts, docs/gateway/security/index.md)
• drobison00: The related merged fail-closed gateway config mutation allowlist work was authored by Devin Robison in the linked security hardening PR. (role: feature owner; confidence: high; commits: bceda6089aa7; files: src/agents/tools/gateway-tool.ts, src/agents/tools/gateway-tool-guard-coverage.test.ts)
• Agustin Rivera: Recent history shows Agustin Rivera authored adjacent dangerous gateway config mutation and exec approval protection commits in the same gateway tool path. (role: adjacent owner; confidence: medium; commits: 29f206243b2d, b9e972e17495; files: src/agents/tools/gateway-tool.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[pgondhi987]

@clawsweeper re-review\n\nAdded real temporary gateway proof to the PR body: both global default config.patch attempts are rejected by the agent-facing gateway tool, and a valid bounded reasoningDefault patch succeeds.

[clawsweeper]

🦞👀
ClawSweeper assist is taking a look at your question.

I queued a lightweight read-only assist pass. It will post a separate answer comment and will not edit the durable ClawSweeper review comment or trigger close, merge, repair, label, or branch changes.

Request: review\n\nProof-only feedback has been addressed in the PR body; please run the full correctness/security re-review on the current head.

[clawsweeper]

ClawSweeper assist: The PR body now includes the requested real temporary gateway proof, so the prior “needs proof” concern appears addressed from the supplied context. A full correctness/security re-review still needs @clawsweeper review.

Evidence:

• PR body now reports a real openclaw gateway run process with isolated OPENCLAW_HOME, OPENCLAW_STATE_DIR, and OPENCLAW_CONFIG_PATH.
• Reported live tool results show agents.defaults.promptOverlays.gpt5.personality rejected and agents.defaults.model.primary rejected via config.patch.
• Reported live tool result shows allowed bounded tuning still works: allowed_reasoning_default: ALLOWED ok.
• Previous ClawSweeper review at fix: protect global agent config defaults [AI] #90145 (comment) specifically asked for real gateway-session proof.
• The PR still has compatibility/security-boundary risk labels and pending CI/maintainer review per the PR body.

Suggested next action: Use @clawsweeper review for a full re-review of correctness and residual compatibility risk.

---

Source: #90145 (comment)
Assist model: gpt-5.5, reasoning low.

[pgondhi987]

@clawsweeper review\n\nProof-only feedback has been addressed in the PR body; please run the full correctness/security re-review on the current head.

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[clawsweeper]

ClawSweeper assist: This needs the full review lane, not assist. The request is specifically for a correctness/security re-review on current head, so use @clawsweeper review.

Evidence:

• Source comment requests @clawsweeper review for full correctness/security re-review: fix: protect global agent config defaults [AI] #90145 (comment)
• Current PR head is 92286108b12c5d02de9e5457a1a6bf272b777af3.
• Prior review only blocked on real behavior proof, and the PR body now reports real gateway proof for rejected global prompt/model writes plus allowed bounded tuning.
• PR still carries compatibility/security-boundary labels including merge-risk: 🚨 compatibility and status: 📣 needs proof.

Suggested next action: Run @clawsweeper review for the full correctness/security re-review on the current head.

---

Source: #90145 (comment)
Assist model: gpt-5.5, reasoning low.

[pgondhi987]

@clawsweeper review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26929443608
• Updated: 2026-06-04T04:00:39.123Z

[clawsweeper]

ClawSweeper assist: The added PR-body proof addresses the prior proof-only blocker from the supplied context, but a full correctness/security re-review still belongs to the review lane.

Evidence:

• PR body now reports a real temporary openclaw gateway run process with isolated OPENCLAW_HOME, OPENCLAW_STATE_DIR, and OPENCLAW_CONFIG_PATH.
• Reported live gateway-tool output shows global prompt overlay and global default model config.patch attempts rejected.
• Reported live gateway-tool output shows bounded reasoningDefault still allowed: allowed_reasoning_default: ALLOWED ok.
• Previous ClawSweeper review at fix: protect global agent config defaults [AI] #90145 (comment) asked for real gateway-session proof.
• The current head is 92286108b12c5d02de9e5457a1a6bf272b777af3.

Suggested next action: Use @clawsweeper review for the full correctness/security re-review on the current head.

---

Source: #90145 (comment)
Assist model: gpt-5.5, reasoning low.

[pgondhi987]

Verification before merge:

Behavior addressed: Agent-facing gateway config.patch / config.apply can no longer persistently rewrite global prompt overlays or the global default model.
Real environment tested: Local source checkout, isolated temporary local gateway process, GitHub Actions PR CI. No delegated remote provider was used.
Exact steps or command run after this patch:

• node scripts/run-vitest.mjs src/agents/tools/gateway-tool-guard-coverage.test.ts
• scripts/pr review-tests 90145 src/agents/tools/gateway-tool-guard-coverage.test.ts
• timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" pnpm openclaw gateway run --dev --reset --port 18879 --auth none --allow-unconfigured --ws-log compact
• OPENCLAW_HOME="$tmp_root/home" OPENCLAW_STATE_DIR="$tmp_root/state" OPENCLAW_CONFIG_PATH="$tmp_root/state/openclaw.json" OPENCLAW_GATEWAY_PORT=18879 pnpm tsx --eval '<createGatewayTool proof script>'
• auto-pr.sh issue 719 --run-stage ghsa_dry_run
• auto-pr.sh issue 719 --run-stage ghsa_real_gate
  Evidence after fix:
• Head verified: 92286108b12c5d02de9e5457a1a6bf272b777af3.
• Focused Vitest passed: 1 file, 44 tests.
• Real gateway proof: global prompt overlay and global default model patches rejected as protected paths; bounded reasoningDefault patch returned ALLOWED ok.
• review-pr: passed, READY FOR /prepare-pr, 0 findings; autoreview: passed, no accepted/actionable findings.
• GHSA dry-run: passed; GHSA real gate: passed; CI: no pending/failing checks at the verified head.
  Observed result after fix: The model-facing gateway tool fails closed for global prompt/model defaults while preserving bounded runtime tuning through the existing guard.
  What was not tested: No external chat/channel UI was used; the live proof invoked the agent-facing gateway tool directly against a real local gateway.

Regression Risk:
Medium. This intentionally changes the agent-facing config write boundary: workflows relying on model-driven global prompt/model default edits will now fail closed. Auth, secrets, sandboxing, storage, migrations, provider/plugin/channel behavior, dependency contracts, and existing config shape/defaults are unchanged.

Best fix verdict: Best targeted fix. Removing the two global defaults from the existing fail-closed allowlist addresses the owner-boundary issue without adding runtime shims, new config, or dangerous-flag special cases.

User behavior change:
Before, an agent with the gateway tool could persist changes under agents.defaults.promptOverlays and agents.defaults.model. After, those global settings stay operator-controlled; trusted operators can still edit config through operator surfaces, and allowed bounded tuning paths remain available.

[clawsweeper]

ClawSweeper assist: This request needs the full review lane, not assist. The maintainer explicitly asked for a correctness/security re-review on current head, so use @clawsweeper review.

Evidence:

• Source comment requests full re-review: fix: protect global agent config defaults [AI] #90145 (comment)
• Current head is 92286108b12c5d02de9e5457a1a6bf272b777af3.
• Prior proof blocker appears addressed: the PR body reports real gateway proof rejecting global prompt overlay and global default model writes, while allowing bounded reasoningDefault.
• ClawSweeper later marked proof: sufficient and updated status to status: 👀 ready for maintainer look.

Suggested next action: Run @clawsweeper review for the full correctness/security re-review on the current head.

---

Source: #90145 (comment)
Assist model: gpt-5.5, reasoning low.

[clawsweeper]

🦞👀
ClawSweeper could not start a freeform assist pass for this item.

Reason: freeform assist requires an open issue or PR.

Request: re-review\n\nAdded real temporary gateway proof to the PR body: both global default config.patch attempts are rejected by the agent-facing gateway tool, and a valid bounded reasoningDefault patch succeeds.