openclaw
diff --git a/‎.agents/skills/security-triage/SKILL.md‎
Lines changed: 108 additions & 0 deletions b/‎.agents/skills/security-triage/SKILL.md‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎docs/.i18n/glossary.zh-CN.json‎
Lines changed: 60 additions & 0 deletions b/‎docs/.i18n/glossary.zh-CN.json‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎docs/docs.json‎
Lines changed: 12 additions & 0 deletions b/‎docs/docs.json‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/gateway/tools-invoke-http-api.md‎
Lines changed: 9 additions & 1 deletion b/‎docs/gateway/tools-invoke-http-api.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎docs/plugins/building-plugins.md‎
Lines changed: 18 additions & 10 deletions b/‎docs/plugins/building-plugins.md‎
Lines changed: 18 additions & 10 deletions
@@ -0,0 +1,108 @@
+---
+name: security-triage
+description: Triage GitHub security advisories for OpenClaw with high-confidence close/keep decisions, exact tag and commit verification, trust-model checks, optional hardening notes, and a final reply ready to post and copy to clipboard.
+---
+
+# Security Triage
+
+Use when reviewing OpenClaw security advisories, drafts, or GHSA reports.
+
+Goal: high-confidence maintainers' triage without over-closing real issues or shipping unnecessary regressions.
+
+## Close Bar
+
+Close only if one of these is true:
+
+- duplicate of an existing advisory or fixed issue
+- invalid against shipped behavior
+- out of scope under `SECURITY.md`
+- fixed before any affected release/tag
+
+Do not close only because `main` is fixed. If latest shipped tag or npm release is affected, keep it open until released or published with the right status.
+
+## Required Reads
+
+Before answering:
+
+1. Read `SECURITY.md`.
+2. Read the GHSA body with `gh api /repos/openclaw/openclaw/security-advisories/<GHSA>`.
+3. Inspect the exact implicated code paths.
+4. Verify shipped state:
+   - `git tag --sort=-creatordate | head`
+   - `npm view openclaw version --userconfig "$(mktemp)"`
+   - `git tag --contains <fix-commit>`
+   - if needed: `git show <tag>:path/to/file`
+5. Search for canonical overlap:
+   - existing published GHSAs
+   - older fixed bugs
+   - same trust-model class already covered in `SECURITY.md`
+
+## Review Method
+
+For each advisory, decide:
+
+- `close`
+- `keep open`
+- `keep open but narrow`
+
+Check in this order:
+
+1. Trust model
+   - Is the prerequisite already inside trusted host/local/plugin/operator state?
+   - Does `SECURITY.md` explicitly call this class out as out of scope or hardening-only?
+2. Shipped behavior
+   - Is the bug present in the latest shipped tag or npm release?
+   - Was it fixed before release?
+3. Exploit path
+   - Does the report show a real boundary bypass, not just prompt injection, local same-user control, or helper-level semantics?
+4. Functional tradeoff
+   - If a hardening change would reduce intended user functionality, call that out before proposing it.
+   - Prefer fixes that preserve user workflows over deny-by-default regressions unless the boundary demands it.
+
+## Response Format
+
+When preparing a maintainer-ready close reply:
+
+1. Print the GHSA URL first.
+2. Then draft a detailed response the maintainer can post.
+3. Include:
+   - exact reason for close
+   - exact code refs
+   - exact shipped tag / release facts
+   - exact fix commit or canonical duplicate GHSA when applicable
+   - optional hardening note only if worthwhile and functionality-preserving
+
+Keep tone firm, specific, non-defensive.
+
+## Clipboard Step
+
+After drafting the final post body, copy it:
+
+```bash
+pbcopy <<'EOF'
+<final response>
+EOF
+```
+
+Tell the user that the clipboard now contains the proposed response.
+
+## Useful Commands
+
+```bash
+gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
+gh api /repos/openclaw/openclaw/security-advisories --paginate
+git tag --sort=-creatordate | head -n 20
+npm view openclaw version --userconfig "$(mktemp)"
+git tag --contains <commit>
+git show <tag>:<path>
+gh search issues --repo openclaw/openclaw --match title,body,comments -- "<terms>"
+gh search prs --repo openclaw/openclaw --match title,body,comments -- "<terms>"
+```
+
+## Decision Notes
+
+- “fixed on main, unreleased” is usually not a close.
+- “needs attacker-controlled trusted local state first” is usually out of scope.
+- “same-host same-user process can already read/write local state” is usually out of scope.
+- “helper function behaves differently than documented config semantics” is usually invalid.
+- If only the severity is wrong but the bug is real, keep it open and narrow the impact in the reply.
@@ -238,5 +238,65 @@
   {
     "source": "env var",
     "target": "环境变量"
+  },
+  {
+    "source": "Plugin SDK",
+    "target": "插件 SDK"
+  },
+  {
+    "source": "Plugin SDK Overview",
+    "target": "插件 SDK 概览"
+  },
+  {
+    "source": "SDK Overview",
+    "target": "SDK 概览"
+  },
+  {
+    "source": "Plugin Entry Points",
+    "target": "插件入口点"
+  },
+  {
+    "source": "Entry Points",
+    "target": "入口点"
+  },
+  {
+    "source": "Plugin Runtime",
+    "target": "插件运行时"
+  },
+  {
+    "source": "Runtime",
+    "target": "运行时"
+  },
+  {
+    "source": "Plugin Setup",
+    "target": "插件设置"
+  },
+  {
+    "source": "Setup",
+    "target": "设置"
+  },
+  {
+    "source": "Channel Plugin SDK",
+    "target": "渠道插件 SDK"
+  },
+  {
+    "source": "Channel Plugins",
+    "target": "渠道插件"
+  },
+  {
+    "source": "Provider Plugin SDK",
+    "target": "提供商插件 SDK"
+  },
+  {
+    "source": "Provider Plugins",
+    "target": "提供商插件"
+  },
+  {
+    "source": "Plugin SDK Testing",
+    "target": "插件 SDK 测试"
+  },
+  {
+    "source": "Testing",
+    "target": "测试"
   }
 ]
@@ -1045,6 +1045,18 @@
                   "plugins/architecture"
                 ]
               },
+              {
+                "group": "Plugin SDK",
+                "pages": [
+                  "plugins/sdk-overview",
+                  "plugins/sdk-entrypoints",
+                  "plugins/sdk-runtime",
+                  "plugins/sdk-setup",
+                  "plugins/sdk-channel-plugins",
+                  "plugins/sdk-provider-plugins",
+                  "plugins/sdk-testing"
+                ]
+              },
               {
                 "group": "Skills",
                 "pages": [
 
@@ -8,7 +8,7 @@ title: "Tools Invoke API"
 
 # Tools Invoke (HTTP)
 
-OpenClaw’s Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled, but gated by Gateway auth and tool policy.
+OpenClaw’s Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled and uses Gateway auth plus tool policy, but callers that pass Gateway bearer auth are treated as trusted operators for that gateway.
 
 - `POST /tools/invoke`
 - Same port as the Gateway (WS + HTTP multiplex): `http://<gateway-host>:<port>/tools/invoke`
@@ -26,6 +26,7 @@ Notes:
 - When `gateway.auth.mode="token"`, use `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
 - When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
 - If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
+- Treat this credential as a full-access operator secret for that gateway. It is not a scoped API token for a narrower `/tools/invoke` role.
 
 ## Request body
 
@@ -59,8 +60,15 @@ Tool availability is filtered through the same policy chain used by Gateway agen
 
 If a tool is not allowed by policy, the endpoint returns **404**.
 
+Important boundary notes:
+
+- `POST /tools/invoke` is in the same trusted-operator bucket as other Gateway HTTP APIs such as `/v1/chat/completions`, `/v1/responses`, and `/api/channels/*`.
+- Exec approvals are operator guardrails, not a separate authorization boundary for this HTTP endpoint. If a tool is reachable here via Gateway auth + tool policy, `/tools/invoke` does not add an extra per-call approval prompt.
+- Do not share Gateway bearer credentials with untrusted callers. If you need separation across trust boundaries, run separate gateways (and ideally separate OS users/hosts).
+
 Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool):
 
+- `cron`
 - `sessions_spawn`
 - `sessions_send`
 - `gateway`
 
@@ -181,7 +181,7 @@ my-plugin/
     // Correct: focused subpaths
     import { definePluginEntry } from "openclaw/plugin-sdk/plugin-entry";
     import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
-    import { buildOauthProviderAuthResult } from "openclaw/plugin-sdk/provider-oauth";
+    import { buildOauthProviderAuthResult } from "openclaw/plugin-sdk/provider-auth";
 
     // Wrong: monolithic root (lint will reject this)
     import { ... } from "openclaw/plugin-sdk";
@@ -195,22 +195,23 @@ my-plugin/
       | --- | --- |
       | `plugin-sdk/plugin-entry` | Canonical `definePluginEntry` helper + provider/plugin entry types |
       | `plugin-sdk/core` | Channel entry helpers, channel builders, and shared base types |
-      | `plugin-sdk/channel-setup` | Setup wizard adapters |
+      | `plugin-sdk/runtime-store` | Safe module-level runtime storage |
+      | `plugin-sdk/setup` | Shared setup-wizard helpers |
+      | `plugin-sdk/channel-setup` | Channel setup adapters |
       | `plugin-sdk/channel-pairing` | DM pairing primitives |
-      | `plugin-sdk/channel-reply-pipeline` | Reply prefix + typing wiring |
-      | `plugin-sdk/channel-config-schema` | Config schema builders |
-      | `plugin-sdk/channel-policy` | Group/DM policy helpers |
+      | `plugin-sdk/channel-actions` | Shared `message` tool schema helpers |
+      | `plugin-sdk/channel-contract` | Pure channel types |
       | `plugin-sdk/secret-input` | Secret input parsing/helpers |
       | `plugin-sdk/webhook-ingress` | Webhook request/target helpers |
-      | `plugin-sdk/runtime-store` | Persistent plugin storage |
-      | `plugin-sdk/allow-from` | Allowlist resolution |
       | `plugin-sdk/reply-payload` | Message reply types |
-      | `plugin-sdk/provider-oauth` | OAuth login + PKCE helpers |
+      | `plugin-sdk/provider-auth` | Provider auth and OAuth helpers |
       | `plugin-sdk/provider-onboard` | Provider onboarding config patches |
+      | `plugin-sdk/provider-models` | Model catalog helpers |
       | `plugin-sdk/testing` | Test utilities |
     </Accordion>
 
-    Use the narrowest subpath that matches the job.
+    Use the narrowest subpath that matches the job. For the curated map and
+    examples, see [Plugin SDK Overview](/plugins/sdk-overview).
 
   </Step>
 
@@ -266,7 +267,7 @@ my-plugin/
     For unit tests, import test helpers from the testing surface:
 
     ```typescript
-    import { createTestRuntime } from "openclaw/plugin-sdk/testing";
+    import { createWindowsCmdShimFixture } from "openclaw/plugin-sdk/testing";
     ```
 
   </Step>
@@ -370,6 +371,13 @@ patterns is strongly recommended.
 ## Related
 
 - [Plugin SDK Migration](/plugins/sdk-migration) — migrating from deprecated compat surfaces
+- [Plugin SDK Overview](/plugins/sdk-overview) — public SDK map and subpath guidance
+- [Plugin Entry Points](/plugins/sdk-entrypoints) — `definePluginEntry` and `defineChannelPluginEntry`
+- [Plugin Runtime](/plugins/sdk-runtime) — injected runtime and runtime-store
+- [Plugin Setup](/plugins/sdk-setup) — setup, channel setup, and secret input helpers
+- [Channel Plugin SDK](/plugins/sdk-channel-plugins) — channel contracts and actions
+- [Provider Plugin SDK](/plugins/sdk-provider-plugins) — provider auth, onboarding, and catalogs
+- [Plugin SDK Testing](/plugins/sdk-testing) — public test helpers
 - [Plugin Architecture](/plugins/architecture) — internals and capability model
 - [Plugin Manifest](/plugins/manifest) — full manifest schema
 - [Plugin Agent Tools](/plugins/building-plugins#registering-agent-tools) — adding agent tools in a plugin