openclaw
diff --git a/‎docs/.i18n/glossary.zh-CN.json‎
Lines changed: 12 additions & 0 deletions b/‎docs/.i18n/glossary.zh-CN.json‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/cli/config.md‎
Lines changed: 28 additions & 0 deletions b/‎docs/cli/config.md‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎docs/gateway/configuration.md‎
Lines changed: 24 additions & 0 deletions b/‎docs/gateway/configuration.md‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎docs/gateway/troubleshooting.md‎
Lines changed: 57 additions & 0 deletions b/‎docs/gateway/troubleshooting.md‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎docs/help/faq.md‎
Lines changed: 13 additions & 3 deletions b/‎docs/help/faq.md‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎src/config/config.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/config/config.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/config/io.audit.ts‎
Lines changed: 2 additions & 2 deletions b/‎src/config/io.audit.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/config/io.observe-recovery.test.ts‎
Lines changed: 85 additions & 0 deletions b/‎src/config/io.observe-recovery.test.ts‎
Lines changed: 85 additions & 0 deletions
@@ -374,5 +374,17 @@
   {
     "source": "Testing",
     "target": "测试"
+  },
+  {
+    "source": "/gateway/configuration#strict-validation",
+    "target": "/gateway/configuration#strict-validation"
+  },
+  {
+    "source": "/gateway/configuration#config-hot-reload",
+    "target": "/gateway/configuration#config-hot-reload"
+  },
+  {
+    "source": "/cli/config",
+    "target": "/cli/config"
   }
 ]
@@ -336,6 +336,34 @@ If dry-run fails:
 - `Dry run note: skipped <n> exec SecretRef resolvability check(s)`: dry-run skipped exec refs; rerun with `--allow-exec` if you need exec resolvability validation.
 - For batch mode, fix failing entries and rerun `--dry-run` before writing.
 
+## Write safety
+
+`openclaw config set` and other OpenClaw-owned config writers validate the full
+post-change config before committing it to disk. If the new payload fails schema
+validation or looks like a destructive clobber, the active config is left alone
+and the rejected payload is saved beside it as `openclaw.json.rejected.*`.
+
+Prefer CLI writes for small edits:
+
+```bash
+openclaw config set gateway.reload.mode hybrid --dry-run
+openclaw config set gateway.reload.mode hybrid
+openclaw config validate
+```
+
+If a write is rejected, inspect the saved payload and fix the full config shape:
+
+```bash
+CONFIG="$(openclaw config file)"
+ls -lt "$CONFIG".rejected.* 2>/dev/null | head
+openclaw config validate
+```
+
+Direct editor writes are still allowed, but the running Gateway treats them as
+untrusted until they validate. Invalid direct edits can be restored from the
+last-known-good backup during startup or hot reload. See
+[Gateway troubleshooting](/gateway/troubleshooting#gateway-restored-last-known-good-config).
+
 ## Subcommands
 
 - `config file`: Print the active config file path (resolved from `OPENCLAW_CONFIG_PATH` or default location).
 
@@ -96,6 +96,17 @@ When validation fails:
 - Run `openclaw doctor` to see exact issues
 - Run `openclaw doctor --fix` (or `--yes`) to apply repairs
 
+The Gateway also keeps a trusted last-known-good copy after a successful startup. If
+`openclaw.json` is later changed outside OpenClaw and no longer validates, startup
+and hot reload preserve the broken file as a timestamped `.clobbered.*` snapshot,
+restore the last-known-good copy, and log a loud warning with the recovery reason.
+The next main-agent turn also receives a system-event warning telling it that the
+config was restored and must not be blindly rewritten. Last-known-good promotion
+is updated after validated startup and after accepted hot reloads, including
+OpenClaw-owned config writes whose persisted file hash still matches the accepted
+write. Promotion is skipped when the candidate contains redacted secret
+placeholders such as `***` or shortened token values.
+
 ## Common tasks
 
 <AccordionGroup>
@@ -494,6 +505,19 @@ When validation fails:
 
 The Gateway watches `~/.openclaw/openclaw.json` and applies changes automatically — no manual restart needed for most settings.
 
+Direct file edits are treated as untrusted until they validate. The watcher waits
+for editor temp-write/rename churn to settle, reads the final file, and rejects
+invalid external edits by restoring the last-known-good config. OpenClaw-owned
+config writes use the same schema gate before writing; destructive clobbers such
+as dropping `gateway.mode` or shrinking the file by more than half are rejected
+and saved as `.rejected.*` for inspection.
+
+If you see `Config auto-restored from last-known-good` or
+`config reload restored last-known-good config` in logs, inspect the matching
+`.clobbered.*` file next to `openclaw.json`, fix the rejected payload, then run
+`openclaw config validate`. See [Gateway troubleshooting](/gateway/troubleshooting#gateway-restored-last-known-good-config)
+for the recovery checklist.
+
 ### Reload modes
 
 | Mode                   | Behavior                                                                                |
 
@@ -262,6 +262,63 @@ Related:
 - [/gateway/configuration](/gateway/configuration)
 - [/gateway/doctor](/gateway/doctor)
 
+## Gateway restored last-known-good config
+
+Use this when the Gateway starts, but logs say it restored `openclaw.json`.
+
+```bash
+openclaw logs --follow
+openclaw config file
+openclaw config validate
+openclaw doctor
+```
+
+Look for:
+
+- `Config auto-restored from last-known-good`
+- `gateway: invalid config was restored from last-known-good backup`
+- `config reload restored last-known-good config after invalid-config`
+- A timestamped `openclaw.json.clobbered.*` file beside the active config
+- A main-agent system event that starts with `Config recovery warning`
+
+What happened:
+
+- The rejected config did not validate during startup or hot reload.
+- OpenClaw preserved the rejected payload as `.clobbered.*`.
+- The active config was restored from the last validated last-known-good copy.
+- The next main-agent turn is warned not to blindly rewrite the rejected config.
+
+Inspect and repair:
+
+```bash
+CONFIG="$(openclaw config file)"
+ls -lt "$CONFIG".clobbered.* "$CONFIG".rejected.* 2>/dev/null | head
+diff -u "$CONFIG" "$(ls -t "$CONFIG".clobbered.* 2>/dev/null | head -n 1)"
+openclaw config validate
+openclaw doctor
+```
+
+Common signatures:
+
+- `.clobbered.*` exists → an external direct edit or startup read was restored.
+- `.rejected.*` exists → an OpenClaw-owned config write failed schema or clobber checks before commit.
+- `Config write rejected:` → the write tried to drop required shape, shrink the file sharply, or persist invalid config.
+- `Config last-known-good promotion skipped` → the candidate contained redacted secret placeholders such as `***`.
+
+Fix options:
+
+1. Keep the restored active config if it is correct.
+2. Copy only the intended keys from `.clobbered.*` or `.rejected.*`, then apply them with `openclaw config set` or `config.patch`.
+3. Run `openclaw config validate` before restarting.
+4. If you edit by hand, keep the full JSON5 config, not just the partial object you wanted to change.
+
+Related:
+
+- [/gateway/configuration#strict-validation](/gateway/configuration#strict-validation)
+- [/gateway/configuration#config-hot-reload](/gateway/configuration#config-hot-reload)
+- [/cli/config](/cli/config)
+- [/gateway/doctor](/gateway/doctor)
+
 ## Gateway probe warnings
 
 Use this when `openclaw gateway probe` reaches something, but still prints a warning block.
 
@@ -1629,10 +1629,20 @@ for usage/billing and raise limits as needed.
     `config.apply` replaces the **entire config**. If you send a partial object, everything
     else is removed.
 
+    Current OpenClaw protects many accidental clobbers:
+
+    - OpenClaw-owned config writes validate the full post-change config before writing.
+    - Invalid or destructive OpenClaw-owned writes are rejected and saved as `openclaw.json.rejected.*`.
+    - If a direct edit breaks startup or hot reload, the Gateway restores the last-known-good config and saves the rejected file as `openclaw.json.clobbered.*`.
+    - The main agent receives a boot warning after recovery so it does not blindly write the bad config again.
+
     Recover:
 
-    - Restore from backup (git or a copied `~/.openclaw/openclaw.json`).
-    - If you have no backup, re-run `openclaw doctor` and reconfigure channels/models.
+    - Check `openclaw logs --follow` for `Config auto-restored from last-known-good`, `Config write rejected:`, or `config reload restored last-known-good config`.
+    - Inspect the newest `openclaw.json.clobbered.*` or `openclaw.json.rejected.*` beside the active config.
+    - Keep the active restored config if it works, then copy only the intended keys back with `openclaw config set` or `config.patch`.
+    - Run `openclaw config validate` and `openclaw doctor`.
+    - If you have no last-known-good or rejected payload, restore from backup, or re-run `openclaw doctor` and reconfigure channels/models.
     - If this was unexpected, file a bug and include your last known config or any backup.
     - A local coding agent can often reconstruct a working config from logs or history.
 
@@ -1644,7 +1654,7 @@ for usage/billing and raise limits as needed.
     - Use `config.patch` for partial RPC edits; keep `config.apply` for full-config replacement only.
     - If you are using the owner-only `gateway` tool from an agent run, it will still reject writes to `tools.exec.ask` / `tools.exec.security` (including legacy `tools.bash.*` aliases that normalize to the same protected exec paths).
 
-    Docs: [Config](/cli/config), [Configure](/cli/configure), [Doctor](/gateway/doctor).
+    Docs: [Config](/cli/config), [Configure](/cli/configure), [Gateway troubleshooting](/gateway/troubleshooting#gateway-restored-last-known-good-config), [Doctor](/gateway/doctor).
 
   </Accordion>
 
 
@@ -12,10 +12,12 @@ export {
   readBestEffortConfig,
   readSourceConfigBestEffort,
   parseConfigJson5,
+  promoteConfigSnapshotToLastKnownGood,
   readConfigFileSnapshot,
   readConfigFileSnapshotForWrite,
   readSourceConfigSnapshot,
   readSourceConfigSnapshotForWrite,
+  recoverConfigFromLastKnownGood,
   resetConfigRuntimeState,
   resolveConfigSnapshotHash,
   setRuntimeConfigSnapshotRefreshHandler,
 
@@ -3,7 +3,7 @@ import { resolveStateDir } from "./paths.js";
 
 const CONFIG_AUDIT_LOG_FILENAME = "config-audit.jsonl";
 
-export type ConfigWriteAuditResult = "rename" | "copy-fallback" | "failed";
+export type ConfigWriteAuditResult = "rename" | "copy-fallback" | "failed" | "rejected";
 
 export type ConfigWriteAuditRecord = {
   ts: string;
@@ -269,7 +269,7 @@ export function finalizeConfigWriteAuditRecord(params: {
     uid: null,
     gid: null,
   };
-  const success = params.result !== "failed";
+  const success = params.result !== "failed" && params.result !== "rejected";
   return {
     ...params.base,
     result: params.result,
 
@@ -7,8 +7,12 @@ import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 import {
   maybeRecoverSuspiciousConfigRead,
   maybeRecoverSuspiciousConfigReadSync,
+  promoteConfigSnapshotToLastKnownGood,
+  recoverConfigFromLastKnownGood,
+  resolveLastKnownGoodConfigPath,
   type ObserveRecoveryDeps,
 } from "./io.observe-recovery.js";
+import type { ConfigFileSnapshot } from "./types.js";
 
 describe("config observe recovery", () => {
   let fixtureRoot = "";
@@ -33,6 +37,26 @@ describe("config observe recovery", () => {
     await fsp.writeFile(configPath, `${JSON.stringify(config, null, 2)}\n`, "utf-8");
   }
 
+  async function makeSnapshot(configPath: string, config: Record<string, unknown>) {
+    const raw = `${JSON.stringify(config, null, 2)}\n`;
+    await fsp.mkdir(path.dirname(configPath), { recursive: true });
+    await fsp.writeFile(configPath, raw, "utf-8");
+    return {
+      path: configPath,
+      exists: true,
+      raw,
+      parsed: config,
+      sourceConfig: config,
+      resolved: config,
+      valid: true,
+      runtimeConfig: config,
+      config,
+      issues: [],
+      warnings: [],
+      legacyIssues: [],
+    } satisfies ConfigFileSnapshot;
+  }
+
   function makeDeps(
     home: string,
     warn = vi.fn(),
@@ -158,4 +182,65 @@ describe("config observe recovery", () => {
       expect(observe?.lastKnownGoodIno ?? null).toBeNull();
     });
   });
+
+  it("promotes a valid startup config and restores it after an invalid direct edit", async () => {
+    await withSuiteHome(async (home) => {
+      const { deps, configPath, auditPath, warn } = makeDeps(home);
+      const snapshot = await makeSnapshot(configPath, {
+        gateway: { mode: "local", auth: { mode: "token", token: "secret-token" } },
+        channels: { discord: { enabled: true, dmPolicy: "pairing" } },
+      });
+
+      await expect(
+        promoteConfigSnapshotToLastKnownGood({ deps, snapshot, logger: deps.logger }),
+      ).resolves.toBe(true);
+      await expect(fsp.readFile(resolveLastKnownGoodConfigPath(configPath), "utf-8")).resolves.toBe(
+        snapshot.raw,
+      );
+
+      const brokenRaw = "{ gateway: { mode: 123 } }\n";
+      await fsp.writeFile(configPath, brokenRaw, "utf-8");
+      const restored = await recoverConfigFromLastKnownGood({
+        deps,
+        snapshot: {
+          ...snapshot,
+          raw: brokenRaw,
+          parsed: { gateway: { mode: 123 } },
+          valid: false,
+          issues: [{ path: "gateway.mode", message: "Expected string" }],
+        },
+        reason: "test-invalid-config",
+      });
+
+      expect(restored).toBe(true);
+      await expect(fsp.readFile(configPath, "utf-8")).resolves.toBe(snapshot.raw);
+      expect(warn).toHaveBeenCalledWith(
+        expect.stringContaining("Config auto-restored from last-known-good:"),
+      );
+      const lines = (await fsp.readFile(auditPath, "utf-8")).trim().split("\n").filter(Boolean);
+      const observe = lines
+        .map((line) => JSON.parse(line) as Record<string, unknown>)
+        .findLast((line) => line.event === "config.observe");
+      expect(observe?.restoredFromBackup).toBe(true);
+      expect(observe?.restoredBackupPath).toBe(resolveLastKnownGoodConfigPath(configPath));
+    });
+  });
+
+  it("refuses to promote redacted secret placeholders", async () => {
+    await withSuiteHome(async (home) => {
+      const warn = vi.fn();
+      const { deps, configPath } = makeDeps(home, warn);
+      const snapshot = await makeSnapshot(configPath, {
+        gateway: { mode: "local", auth: { mode: "token", token: "***" } },
+      });
+
+      await expect(
+        promoteConfigSnapshotToLastKnownGood({ deps, snapshot, logger: deps.logger }),
+      ).resolves.toBe(false);
+      await expect(fsp.stat(resolveLastKnownGoodConfigPath(configPath))).rejects.toThrow();
+      expect(warn).toHaveBeenCalledWith(
+        expect.stringContaining("Config last-known-good promotion skipped"),
+      );
+    });
+  });
 });
Original file line number	Diff line number	Diff line change
`@@ -374,5 +374,17 @@`
`374`	`374`	`{`
`375`	`375`	`"source": "Testing",`
`376`	`376`	`"target": "测试"`
	`377`	`+ },`
	`378`	`+ {`
	`379`	`+ "source": "/gateway/configuration#strict-validation",`
	`380`	`+ "target": "/gateway/configuration#strict-validation"`
	`381`	`+ },`
	`382`	`+ {`
	`383`	`+ "source": "/gateway/configuration#config-hot-reload",`
	`384`	`+ "target": "/gateway/configuration#config-hot-reload"`
	`385`	`+ },`
	`386`	`+ {`
	`387`	`+ "source": "/cli/config",`
	`388`	`+ "target": "/cli/config"`
`377`	`389`	`}`
`378`	`390`	`]`