openclaw-wiki/sources/personal-knowledge-companion.md

| pageType | id | title | sourceType | sourcePath | ingestedAt | updatedAt | status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| source | source.personal-knowledge-companion | personal-knowledge-companion | local-file | /home/topher/.openclaw/workspace-crash-bot/projects/personal-knowledge-companion.md | 2026-05-02T21:18:06.410Z | 2026-05-02T21:18:06.410Z | active |

personal-knowledge-companion

Source

  • Type: local-file
  • Path: /home/topher/.openclaw/workspace-crash-bot/projects/personal-knowledge-companion.md
  • Bytes: 6419
  • Updated: 2026-05-02T21:18:06.410Z

Content

# Personal Knowledge Companion

**Thread:** #personal-knowledge-companion
**Agent:** crash-bot-public
**Status:** In setup — getting exec + approvals working

## Overview

A public-channel instance of Crash-bot that serves as a personal knowledge companion for the HHS-Hackers crew. Lives in a Discord thread/channel where anyone can interact, but exec is gated through approvals so -topher stays in the loop on what commands actually run.

## Exec & Security Configuration

### The Two-Layer Problem

OpenClaw exec permissions are controlled by **two separate config files** — both must agree:

1. **`openclaw.json`** (agent-level tool policy) — controls which tools the agent can see and base exec defaults
2. **`~/.openclaw/exec-approvals.json`** (host-level approvals) — controls what actually runs on the host, per-agent

The **stricter of the two layers always wins.** If `openclaw.json` says `full` but `exec-approvals.json` says `allowlist`, the allowlist is enforced.

### Current Config (crash-bot-public)

#### openclaw.json — agent tools section

```json5
{
  "id": "crash-bot-public",
  "workspace": "/home/topher/.openclaw/workspace-crash-bot",
  "model": {
    "primary": "ollama/glm-5.1:cloud",
    "fallbacks": ["ollama/minimax-m2.7"]
  },
  "tools": {
    "deny": [
      "process", "nodes", "tts", "image", "canvas",
      "sessions_spawn", "sessions_send", "subagents",
      "session_status", "agents_list", "gateway", "cron",
      "browser", "apply_patch"
    ],
    "allow": [
      "exec",           // ← ADDED 2026-05-02 (was missing)
      "read", "write", "edit",
      "web_search", "web_fetch",
      "memory_search", "memory_get",
      "sessions_list", "sessions_history"
    ],
    "exec": {
      "security": "allowlist",
      "ask": "on-miss"
    }
  }
}
```

**Key points:**
- `exec` must be in both the `allow` array AND have an `exec` config block — missing either one means no shell access
- `process` is still in `deny` — foreground exec only, no background tasks
- `security: "allowlist"` + `ask: "on-miss"` = commands need allowlist match OR approval prompt

#### exec-approvals.json — host-level per-agent

```json5
{
  "version": 1,
  "defaults": {
    "security": "deny",
    "ask": "on-miss",
    "askFallback": "deny",
    "autoAllowSkills": false
  },
  "agents": {
    "crash-bot-public": {
      "security": "allowlist",
      "ask": "on-miss",
      "askFallback": "deny",      // ← PROBLEM: no approval client = everything denied
      "autoAllowSkills": true,
      "allowlist": []              // ← PROBLEM: empty, nothing pre-approved
    },
    "crash-bot": {                 // ← DM instance for comparison (works)
      "security": "full",
      "ask": "off",
      "askFallback": "full",
      "autoAllowSkills": true,
      "allowlist": []
    }
  }
}
```

**Why commands were failing:**
1. Command not on allowlist → triggers approval prompt
2. No approval client (Discord) configured → prompt can't reach -topher
3. Falls back to `askFallback: "deny"` → command blocked

### Fix: Discord Native Approval Client

Add to `openclaw.json` under `channels.discord`:

```json5
"channels": {
  "discord": {
    "execApprovals": {
      "enabled": true,
      "approvers": ["266336985692635139"]   // -topher's Discord ID
    }
  }
}
```

This lets approval prompts show up in Discord so -topher can:
- `/approve <id> allow-once` — run this time only
- `/approve <id> allow-always` — add to allowlist + run
- `/approve <id> deny` — block
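
The decision path from the sections above, as an added example and not OpenClaw's own code: it models the rules as this page states them (the tool must be allowed, the stricter layer wins, an on-miss prompt needs an approval client, otherwise `askFallback` applies). The function name, outcome labels, exact-string allowlist matching, the defaults merge and the `<approver-id>` placeholder are assumptions.

```python
# Added example: models the exec rules as this page states them; not OpenClaw code.
STRICTNESS = {"deny": 0, "allowlist": 1, "full": 2}  # lower value = stricter

def exec_outcome(agent, approvals, channels, command):
    """Predict what happens when `agent` tries to run `command`."""
    tools = agent.get("tools", {})
    # Rule 1: `exec` must be in `allow` AND an `exec` config block must exist.
    if "exec" not in tools.get("allow", []) or "exec" not in tools:
        return "no-exec-tool"
    # Assumption: a per-agent host entry overrides the host `defaults` block.
    host = {**approvals.get("defaults", {}),
            **approvals.get("agents", {}).get(agent["id"], {})}
    # Rule 2: the stricter of the two layers wins.
    security = min(tools["exec"].get("security", "deny"),
                   host.get("security", "deny"), key=STRICTNESS.__getitem__)
    if security == "deny":
        return "blocked"
    # Assumption: exact-string match stands in for real allowlist matching.
    if security == "full" or command in host.get("allowlist", []):
        return "runs"
    # Allowlist miss. Assumption: `ask` is read from the host layer, and
    # anything other than "on-miss" means no prompt is attempted.
    if host.get("ask") != "on-miss":
        return "blocked"
    # Rule 3: a prompt needs an enabled approval client with an approver.
    client = channels.get("discord", {}).get("execApprovals", {})
    if client.get("enabled") and client.get("approvers"):
        return "prompt"
    # Rule 4: no reachable client, so `askFallback` decides.
    return "runs" if host.get("askFallback") == "full" else "blocked-by-fallback"

# Constructed sample input, using the values shown in the configs on this page.
def public_agent(allow_exec):
    allow = ["read", "write", "edit"] + (["exec"] if allow_exec else [])
    return {"id": "crash-bot-public",
            "tools": {"allow": allow,
                      "exec": {"security": "allowlist", "ask": "on-miss"}}}

APPROVALS = {
    "defaults": {"security": "deny", "ask": "on-miss", "askFallback": "deny"},
    "agents": {"crash-bot-public": {"security": "allowlist", "ask": "on-miss",
                                    "askFallback": "deny", "allowlist": []}},
}
DISCORD = {"discord": {"execApprovals": {"enabled": True,
                                         "approvers": ["<approver-id>"]}}}

if __name__ == "__main__":
    for label, args in [("exec missing from allow", (public_agent(False), APPROVALS, {})),
                        ("no approval client", (public_agent(True), APPROVALS, {})),
                        ("Discord approvals on", (public_agent(True), APPROVALS, DISCORD))]:
        print(f"{label:26} -> {exec_outcome(*args, 'uptime')}")
```
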

### Alternative: Full Trust (DM-instance style)

If you decide the approval flow is too slow for this use case, match crash-bot DM:

**exec-approvals.json:**
```json5
"crash-bot-public": {
  "security": "full",
  "ask": "off",
  "askFallback": "full",
  "autoAllowSkills": true,
  "allowlist": []
}
```

**openclaw.json:**
```json5
"exec": {
  "security": "full",
  "ask": "off"
}
```

This is simpler but removes oversight — any command runs freely.

### Why Approvals Matter Here

This is a **public channel instance**. Crew members (Matt, Kyle, others) can send messages that trigger me. Without approvals:
- Anyone in the channel could get me to run arbitrary commands
- No audit trail on what was executed
- No chance to catch destructive or accidental commands

With approvals:
- -topher vets every non-allowlisted command before it runs
- `allow-always` builds up an allowlist over time for trusted tools
- Safety net for a public-facing agent

## Lessons Learned (2026-05-02)

1. **`exec` in `allow` array is required** — the `exec` config block alone doesn't give you the tool if the tool itself isn't allowed
2. **Two config layers must agree** — `openclaw.json` tool policy AND `exec-approvals.json` host policy; stricter wins
3. **`askFallback` defaults to `deny`** — if no approval client is reachable, everything gets blocked. This is safe but means exec is useless until you wire up an approval channel
4. **Discord native approval client needs explicit config** — it doesn't auto-enable just because Discord is configured as a channel
5. **`process` in deny = no background tasks** — foreground exec only, which is actually good for a public instance
6. **Approval flow IS working** — as of ~15:44 UTC, exec commands now prompt for approval. The `/approve` mechanism is live.
7. **Context window pressure** — smaller models (glm-5.1:cloud) lose track of permission states quickly. A dedicated admin agent on a stronger model makes more sense for infra work.

## Architecture Decision (2026-05-02)

**Public instance (crash-bot-public):** Strip exec access. Channel-facing, no shell. Reads, writes, web search, memory — that's enough.

**Admin/Professor agent (new):** DM-facing only. Full exec, stronger model, handles infra changes, config edits, and anything that touches the system. Personality: Mr. C scaffolding (TBD by -topher).

**Why:** The permission layering (tool allowlist → exec config → host approvals) burned an entire session on config debugging. A smarter model with clear, simple permissions would handle this in minutes. The public/private split is real — lean into it instead of fighting it.

### Status
- **crash-bot-public exec:** Currently enabled with approval flow. Needs to be revoked (remove `exec` from allow, set `security: "deny"`).
- **Professor agent:** Not yet created. -topher has personality scaffolding for Mr. C.
