openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 67 additions & 50 deletions b/‎CHANGELOG.md‎
Lines changed: 67 additions & 50 deletions
diff --git a/‎docs/gateway/doctor.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/gateway/doctor.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/gateway/openai-http-api.md‎
Lines changed: 12 additions & 0 deletions b/‎docs/gateway/openai-http-api.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/gateway/openresponses-http-api.md‎
Lines changed: 12 additions & 0 deletions b/‎docs/gateway/openresponses-http-api.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/gateway/security/index.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/gateway/security/index.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/nodes/index.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/nodes/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/acpx/openclaw.plugin.json‎
Lines changed: 8 additions & 0 deletions b/‎extensions/acpx/openclaw.plugin.json‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎extensions/acpx/src/config.test.ts‎
Lines changed: 23 additions & 0 deletions b/‎extensions/acpx/src/config.test.ts‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎extensions/acpx/src/config.ts‎
Lines changed: 12 additions & 0 deletions b/‎extensions/acpx/src/config.ts‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎extensions/acpx/src/ensure.ts‎
Lines changed: 25 additions & 3 deletions b/‎extensions/acpx/src/ensure.ts‎
Lines changed: 25 additions & 3 deletions
@@ -168,6 +168,9 @@ Doctor checks:
   (`~/Library/Mobile Documents/com~apple~CloudDocs/...`) or
   `~/Library/CloudStorage/...` because sync-backed paths can cause slower I/O
   and lock/sync races.
+- **Linux SD or eMMC state dir**: warns when state resolves to an `mmcblk*`
+  mount source, because SD or eMMC-backed random I/O can be slower and wear
+  faster under session and credential writes.
 - **Session dirs missing**: `sessions/` and the session store directory are
   required to persist history and avoid `ENOENT` crashes.
 - **Transcript mismatch**: warns when recent session entries have missing
 
@@ -28,6 +28,18 @@ Notes:
 - When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
 - If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
 
+## Security boundary (important)
+
+Treat this endpoint as a **full operator-access** surface for the gateway instance.
+
+- HTTP bearer auth here is not a narrow per-user scope model.
+- A valid Gateway token/password for this endpoint should be treated like an owner/operator credential.
+- Requests run through the same control-plane agent path as trusted operator actions.
+- If the target agent policy allows sensitive tools, this endpoint can use them.
+- Keep this endpoint on loopback/tailnet/private ingress only; do not expose it directly to the public internet.
+
+See [Security](/gateway/security) and [Remote access](/gateway/remote).
+
 ## Choosing an agent
 
 No custom headers required: encode the agent id in the OpenAI `model` field:
 
@@ -30,6 +30,18 @@ Notes:
 - When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
 - If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
 
+## Security boundary (important)
+
+Treat this endpoint as a **full operator-access** surface for the gateway instance.
+
+- HTTP bearer auth here is not a narrow per-user scope model.
+- A valid Gateway token/password for this endpoint should be treated like an owner/operator credential.
+- Requests run through the same control-plane agent path as trusted operator actions.
+- If the target agent policy allows sensitive tools, this endpoint can use them.
+- Keep this endpoint on loopback/tailnet/private ingress only; do not expose it directly to the public internet.
+
+See [Security](/gateway/security) and [Remote access](/gateway/remote).
+
 ## Choosing an agent
 
 No custom headers required: encode the agent id in the OpenResponses `model` field:
 
@@ -724,6 +724,12 @@ injected by Tailscale.
 HTTP API endpoints (for example `/v1/*`, `/tools/invoke`, and `/api/channels/*`)
 still require token/password auth.
 
+Important boundary note:
+
+- Gateway HTTP bearer auth is effectively all-or-nothing operator access.
+- Treat credentials that can call `/v1/chat/completions`, `/v1/responses`, `/tools/invoke`, or `/api/channels/*` as full-access operator secrets for that gateway.
+- Do not share these credentials with untrusted callers; prefer separate gateways per trust boundary.
+
 **Trust assumption:** tokenless Serve auth assumes the gateway host is trusted.
 Do not treat this as protection against hostile same-host processes. If untrusted
 local code may run on the gateway host, disable `gateway.auth.allowTailscale`
 
@@ -277,6 +277,7 @@ Notes:
 
 - `system.run` returns stdout/stderr/exit code in the payload.
 - `system.notify` respects notification permission state on the macOS app.
+- Unrecognized node `platform` / `deviceFamily` metadata uses a conservative default allowlist that excludes `system.run` and `system.which`. If you intentionally need those commands for an unknown platform, add them explicitly via `gateway.nodes.allowCommands`.
 - `system.run` supports `--cwd`, `--env KEY=VAL`, `--command-timeout`, and `--needs-screen-recording`.
 - For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped `--env` values are reduced to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
 - For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
 
@@ -24,6 +24,9 @@
         "type": "string",
         "enum": ["deny", "fail"]
       },
+      "strictWindowsCmdWrapper": {
+        "type": "boolean"
+      },
       "timeoutSeconds": {
         "type": "number",
         "minimum": 0.001
@@ -55,6 +58,11 @@
       "label": "Non-Interactive Permission Policy",
       "help": "acpx policy when interactive permission prompts are unavailable."
     },
+    "strictWindowsCmdWrapper": {
+      "label": "Strict Windows cmd Wrapper",
+      "help": "When enabled on Windows, reject unresolved .cmd/.bat wrappers instead of shell fallback. Hardening-only; can break non-standard wrappers.",
+      "advanced": true
+    },
     "timeoutSeconds": {
       "label": "Prompt Timeout Seconds",
       "help": "Optional acpx timeout for each runtime turn.",
 
@@ -20,6 +20,7 @@ describe("acpx plugin config parsing", () => {
     expect(resolved.expectedVersion).toBe(ACPX_PINNED_VERSION);
     expect(resolved.allowPluginLocalInstall).toBe(true);
     expect(resolved.cwd).toBe(path.resolve("/tmp/workspace"));
+    expect(resolved.strictWindowsCmdWrapper).toBe(false);
   });
 
   it("accepts command override and disables plugin-local auto-install", () => {
@@ -109,4 +110,26 @@ describe("acpx plugin config parsing", () => {
 
     expect(parsed.success).toBe(false);
   });
+
+  it("accepts strictWindowsCmdWrapper override", () => {
+    const resolved = resolveAcpxPluginConfig({
+      rawConfig: {
+        strictWindowsCmdWrapper: true,
+      },
+      workspaceDir: "/tmp/workspace",
+    });
+
+    expect(resolved.strictWindowsCmdWrapper).toBe(true);
+  });
+
+  it("rejects non-boolean strictWindowsCmdWrapper", () => {
+    expect(() =>
+      resolveAcpxPluginConfig({
+        rawConfig: {
+          strictWindowsCmdWrapper: "yes",
+        },
+        workspaceDir: "/tmp/workspace",
+      }),
+    ).toThrow("strictWindowsCmdWrapper must be a boolean");
+  });
 });
@@ -24,6 +24,7 @@ export type AcpxPluginConfig = {
   cwd?: string;
   permissionMode?: AcpxPermissionMode;
   nonInteractivePermissions?: AcpxNonInteractivePermissionPolicy;
+  strictWindowsCmdWrapper?: boolean;
   timeoutSeconds?: number;
   queueOwnerTtlSeconds?: number;
 };
@@ -36,6 +37,7 @@ export type ResolvedAcpxPluginConfig = {
   cwd: string;
   permissionMode: AcpxPermissionMode;
   nonInteractivePermissions: AcpxNonInteractivePermissionPolicy;
+  strictWindowsCmdWrapper: boolean;
   timeoutSeconds?: number;
   queueOwnerTtlSeconds: number;
 };
@@ -75,6 +77,7 @@ function parseAcpxPluginConfig(value: unknown): ParseResult {
     "cwd",
     "permissionMode",
     "nonInteractivePermissions",
+    "strictWindowsCmdWrapper",
     "timeoutSeconds",
     "queueOwnerTtlSeconds",
   ]);
@@ -133,6 +136,11 @@ function parseAcpxPluginConfig(value: unknown): ParseResult {
     return { ok: false, message: "timeoutSeconds must be a positive number" };
   }
 
+  const strictWindowsCmdWrapper = value.strictWindowsCmdWrapper;
+  if (strictWindowsCmdWrapper !== undefined && typeof strictWindowsCmdWrapper !== "boolean") {
+    return { ok: false, message: "strictWindowsCmdWrapper must be a boolean" };
+  }
+
   const queueOwnerTtlSeconds = value.queueOwnerTtlSeconds;
   if (
     queueOwnerTtlSeconds !== undefined &&
@@ -152,6 +160,8 @@ function parseAcpxPluginConfig(value: unknown): ParseResult {
       permissionMode: typeof permissionMode === "string" ? permissionMode : undefined,
       nonInteractivePermissions:
         typeof nonInteractivePermissions === "string" ? nonInteractivePermissions : undefined,
+      strictWindowsCmdWrapper:
+        typeof strictWindowsCmdWrapper === "boolean" ? strictWindowsCmdWrapper : undefined,
       timeoutSeconds: typeof timeoutSeconds === "number" ? timeoutSeconds : undefined,
       queueOwnerTtlSeconds:
         typeof queueOwnerTtlSeconds === "number" ? queueOwnerTtlSeconds : undefined,
@@ -205,6 +215,7 @@ export function createAcpxPluginConfigSchema(): OpenClawPluginConfigSchema {
           type: "string",
           enum: [...ACPX_NON_INTERACTIVE_POLICIES],
         },
+        strictWindowsCmdWrapper: { type: "boolean" },
         timeoutSeconds: { type: "number", minimum: 0.001 },
         queueOwnerTtlSeconds: { type: "number", minimum: 0 },
       },
@@ -244,6 +255,7 @@ export function resolveAcpxPluginConfig(params: {
     permissionMode: normalized.permissionMode ?? DEFAULT_PERMISSION_MODE,
     nonInteractivePermissions:
       normalized.nonInteractivePermissions ?? DEFAULT_NON_INTERACTIVE_POLICY,
+    strictWindowsCmdWrapper: normalized.strictWindowsCmdWrapper ?? false,
     timeoutSeconds: normalized.timeoutSeconds,
     queueOwnerTtlSeconds: normalized.queueOwnerTtlSeconds ?? DEFAULT_QUEUE_OWNER_TTL_SECONDS,
   };
 
@@ -2,7 +2,11 @@ import fs from "node:fs";
 import path from "node:path";
 import type { PluginLogger } from "openclaw/plugin-sdk";
 import { ACPX_PINNED_VERSION, ACPX_PLUGIN_ROOT, buildAcpxLocalInstallCommand } from "./config.js";
-import { resolveSpawnFailure, spawnAndCollect } from "./runtime-internals/process.js";
+import {
+  resolveSpawnFailure,
+  type SpawnCommandOptions,
+  spawnAndCollect,
+} from "./runtime-internals/process.js";
 
 const SEMVER_PATTERN = /\b\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?\b/;
 
@@ -76,17 +80,32 @@ export async function checkAcpxVersion(params: {
   command: string;
   cwd?: string;
   expectedVersion?: string;
+  spawnOptions?: SpawnCommandOptions;
 }): Promise<AcpxVersionCheckResult> {
   const expectedVersion = params.expectedVersion?.trim() || undefined;
   const installCommand = buildAcpxLocalInstallCommand(expectedVersion ?? ACPX_PINNED_VERSION);
   const cwd = params.cwd ?? ACPX_PLUGIN_ROOT;
   const hasExpectedVersion = isExpectedVersionConfigured(expectedVersion);
   const probeArgs = hasExpectedVersion ? ["--version"] : ["--help"];
-  const result = await spawnAndCollect({
+  const spawnParams = {
     command: params.command,
     args: probeArgs,
     cwd,
-  });
+  };
+  let result: Awaited<ReturnType<typeof spawnAndCollect>>;
+  try {
+    result = params.spawnOptions
+      ? await spawnAndCollect(spawnParams, params.spawnOptions)
+      : await spawnAndCollect(spawnParams);
+  } catch (error) {
+    return {
+      ok: false,
+      reason: "execution-failed",
+      message: error instanceof Error ? error.message : String(error),
+      expectedVersion,
+      installCommand,
+    };
+  }
 
   if (result.error) {
     const spawnFailure = resolveSpawnFailure(result.error, cwd);
@@ -186,6 +205,7 @@ export async function ensureAcpx(params: {
   pluginRoot?: string;
   expectedVersion?: string;
   allowInstall?: boolean;
+  spawnOptions?: SpawnCommandOptions;
 }): Promise<void> {
   if (pendingEnsure) {
     return await pendingEnsure;
@@ -201,6 +221,7 @@ export async function ensureAcpx(params: {
       command: params.command,
       cwd: pluginRoot,
       expectedVersion,
+      spawnOptions: params.spawnOptions,
     });
     if (precheck.ok) {
       return;
@@ -238,6 +259,7 @@ export async function ensureAcpx(params: {
       command: params.command,
       cwd: pluginRoot,
       expectedVersion,
+      spawnOptions: params.spawnOptions,
     });
 
     if (!postcheck.ok) {