chore: bump OpenClaw to 2026.5.26

Peter Steinberger
2026-05-26 01:25:45 +01:00
parent 321f06ad0e
commit d00d0a21c2
165 changed files with 316 additions and 339 deletions

@@ -18,39 +18,6 @@ Adds policy-backed doctor checks for workspace conformance.
plugin
## Behavior
The Policy plugin contributes doctor health checks for policy-managed OpenClaw
settings and governed workspace declarations. Policy currently covers channel
conformance, governed tool metadata, MCP server posture, model-provider posture,
private-network access posture, Gateway exposure posture, agent workspace/tool
posture, configured global/per-agent tool posture, and OpenClaw config secret
provider/auth profile posture.
Policy stores authored requirements in `policy.jsonc`, observes existing
OpenClaw settings and workspace declarations as evidence, and reports drift
through `openclaw policy check` and `openclaw doctor --lint`. A clean policy
check emits policy, evidence, findings, and attestation hashes that operators
can record for audit.
Tool posture rules can require approved profiles, workspace-only filesystem
tools, bounded exec security/ask/host settings, disabled elevated mode, exact
`alsoAllow` entries, and required tool deny entries. The evidence records
additive `alsoAllow` entries because they can widen effective tool posture.
These checks observe config conformance only; they do not read runtime approval
state or add runtime enforcement.
Named agent policy scopes under `scopes.<scopeName>` can add stricter
normal policy sections for the runtime agent ids listed in `agentIds`. The
initial scoped sections are `tools` and `agents.workspace`; future sections such
as sandbox or ingress can join the same container after their evidence carries
agent identity. Every scope present in `policy.jsonc` must be valid and
enforceable for its selector. Overlay rules are additional claims, so they do
not weaken top-level policy and can produce their own findings when the same
observed config violates both scopes. Runtime agent ids that are not explicitly
listed in `agents.list[]` are checked against inherited global/default posture
rather than silently passing with no evidence.
## Related docs
- [policy](/cli/policy)
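
Review bot: The `@@ -18,39 +18,6 @@` header drops 33 lines from this doc in a commit titled as a version bump, and the message does not say why or where the text went. The add/remove markers are not shown here, but the prose under `## Behavior` is the only content in the hunk large enough to account for that count. That prose carries statements operators rely on when reading policy results: that the checks "observe config conformance only; they do not read runtime approval state or add runtime enforcement", that additive `alsoAllow` entries "can widen effective tool posture", and that unlisted runtime agent ids are checked against inherited global/default posture "rather than silently passing with no evidence". If this file is generated and the text moved to the `/cli/policy` page linked under `## Related docs`, please say so in the commit message. Otherwise split the doc removal into its own commit, and keep at least the no-runtime-enforcement caveat on this page so a clean `openclaw policy check` is not read as an enforcement guarantee.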