---
pageType: source
id: source.personal-knowledge-companion
title: personal-knowledge-companion
sourceType: local-file
sourcePath: /home/topher/.openclaw/workspace-crash-bot/projects/personal-knowledge-companion.md
ingestedAt: 2026-05-02T21:18:06.410Z
updatedAt: 2026-05-02T21:18:06.410Z
status: active
---

# personal-knowledge-companion

## Source

- Type: `local-file`
- Path: `/home/topher/.openclaw/workspace-crash-bot/projects/personal-knowledge-companion.md`
- Bytes: 6419
- Updated: 2026-05-02T21:18:06.410Z

## Content

````text
# Personal Knowledge Companion

**Thread:** #personal-knowledge-companion
**Agent:** crash-bot-public
**Status:** In setup — getting exec + approvals working

## Overview

A public-channel instance of Crash-bot that serves as a personal knowledge companion for the HHS-Hackers crew. Lives in a Discord thread/channel where anyone can interact, but exec is gated through approvals so -topher stays in the loop on what commands actually run.

## Exec & Security Configuration

### The Two-Layer Problem

OpenClaw exec permissions are controlled by **two separate config files** — both must agree:

1. **`openclaw.json`** (agent-level tool policy) — controls which tools the agent can see and sets the base exec defaults
2. **`~/.openclaw/exec-approvals.json`** (host-level approvals) — controls what actually runs on the host, per-agent

The **stricter of the two layers always wins.** If `openclaw.json` says `full` but `exec-approvals.json` says `allowlist`, the allowlist is enforced.

### Current Config (crash-bot-public)

#### openclaw.json — agent tools section

```json5
{
  "id": "crash-bot-public",
  "workspace": "/home/topher/.openclaw/workspace-crash-bot",
  "model": {
    "primary": "ollama/glm-5.1:cloud",
    "fallbacks": ["ollama/minimax-m2.7"]
  },
  "tools": {
    "deny": [
      "process", "nodes", "tts", "image", "canvas",
      "sessions_spawn", "sessions_send", "subagents",
      "session_status", "agents_list", "gateway", "cron",
      "browser", "apply_patch"
    ],
    "allow": [
      "exec", // ← ADDED 2026-05-02 (was missing)
      "read", "write", "edit",
      "web_search", "web_fetch",
      "memory_search", "memory_get",
      "sessions_list", "sessions_history"
    ],
    "exec": {
      "security": "allowlist",
      "ask": "on-miss"
    }
  }
}
```

**Key points:**
- `exec` must be listed in the `allow` array AND have an `exec` config block — missing either one means no shell access
- `process` is still in `deny` — foreground exec only, no background tasks
- `security: "allowlist"` + `ask: "on-miss"` = commands need allowlist match OR approval prompt

#### exec-approvals.json — host-level per-agent

```json5
{
  "version": 1,
  "defaults": {
    "security": "deny",
    "ask": "on-miss",
    "askFallback": "deny",
    "autoAllowSkills": false
  },
  "agents": {
    "crash-bot-public": {
      "security": "allowlist",
      "ask": "on-miss",
      "askFallback": "deny", // ← PROBLEM: no approval client = everything denied
      "autoAllowSkills": true,
      "allowlist": [] // ← PROBLEM: empty, nothing pre-approved
    },
    "crash-bot": { // ← DM instance for comparison (works)
      "security": "full",
      "ask": "off",
      "askFallback": "full",
      "autoAllowSkills": true,
      "allowlist": []
    }
  }
}
```

**Why commands were failing:**
1. Command not on allowlist → triggers approval prompt
2. No approval client (Discord) configured → prompt can't reach -topher
3. Falls back to `askFallback: "deny"` → command blocked

### Fix: Discord Native Approval Client

Add to `openclaw.json` under `channels.discord`:

```json5
"channels": {
  "discord": {
    "execApprovals": {
      "enabled": true,
      "approvers": ["266336985692635139"] // -topher's Discord ID
    }
  }
}
```

This lets approval prompts show up in Discord so -topher can:
- `/approve <id> allow-once` — run this time only
- `/approve <id> allow-always` — add to allowlist + run
- `/approve <id> deny` — block

### Alternative: Full Trust (DM-instance style)

If you decide the approval flow is too slow for this use case, match the crash-bot DM instance:

**exec-approvals.json:**
```json5
"crash-bot-public": {
  "security": "full",
  "ask": "off",
  "askFallback": "full",
  "autoAllowSkills": true,
  "allowlist": []
}
```

**openclaw.json:**
```json5
"exec": {
  "security": "full",
  "ask": "off"
}
```

This is simpler but removes oversight — any command runs freely.

### Why Approvals Matter Here

This is a **public channel instance**. Crew members (Matt, Kyle, others) can send messages that trigger me. Without approvals:
- Anyone in the channel could get me to run arbitrary commands
- No audit trail on what was executed
- No chance to catch destructive or accidental commands

With approvals:
- -topher vets every non-allowlisted command before it runs
- `allow-always` builds up an allowlist over time for trusted tools
- Safety net for a public-facing agent

## Lessons Learned (2026-05-02)

1. **`exec` in `allow` array is required** — the `exec` config block alone doesn't give you the tool if the tool itself isn't allowed
2. **Two config layers must agree** — `openclaw.json` tool policy AND `exec-approvals.json` host policy; stricter wins
3. **`askFallback` defaults to `deny`** — if no approval client is reachable, everything gets blocked. This is safe but means exec is useless until you wire up an approval channel
4. **Discord native approval client needs explicit config** — it doesn't auto-enable just because Discord is configured as a channel
5. **`process` in deny = no background tasks** — foreground exec only, which is actually good for a public instance
6. **Approval flow IS working** — as of ~15:44 UTC, exec commands now prompt for approval. The `/approve` mechanism is live.
7. **Context window pressure** — smaller models (glm-5.1:cloud) lose track of permission states quickly. A dedicated admin agent on a stronger model makes more sense for infra work.

## Architecture Decision (2026-05-02)

**Public instance (crash-bot-public):** Strip exec access. Channel-facing, no shell. Reads, writes, web search, memory — that's enough.

**Admin/Professor agent (new):** DM-facing only. Full exec, stronger model, handles infra changes, config edits, and anything that touches the system. Personality: Mr. C scaffolding (TBD by -topher).

**Why:** The permission layering (tool allowlist → exec config → host approvals) burned an entire session on config debugging. A smarter model with clear, simple permissions would handle this in minutes. The public/private split is real — lean into it instead of fighting it.

### Status
- **crash-bot-public exec:** Currently enabled with approval flow. Needs to be revoked (remove `exec` from allow, set `security: "deny"`).
- **Professor agent:** Not yet created. -topher has personality scaffolding for Mr. C.
````
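
The decision path these notes describe (tool allow list, stricter-of-two-layers policy, allowlist miss, approval prompt, `askFallback`), as an added Python model; it is not OpenClaw's code and not part of the ingested file. The function names, the merge rule for `ask`, and the exact-string allowlist match are assumptions made for illustration.

```python
# Added model of the exec decision flow in these notes; not OpenClaw's own code.
RANK = {"deny": 0, "allowlist": 1, "full": 2}  # lower rank = stricter

# Constructed from the configs quoted in the notes (state before the Discord fix).
APPROVALS = {
    "defaults": {"security": "deny", "ask": "on-miss", "askFallback": "deny"},
    "agents": {
        "crash-bot-public": {"security": "allowlist", "ask": "on-miss",
                             "askFallback": "deny", "allowlist": []},
        "crash-bot": {"security": "full", "ask": "off",
                      "askFallback": "full", "allowlist": []},
    },
}
PUBLIC_TOOLS = {"allow": ["exec", "read", "write", "edit"],
                "exec": {"security": "allowlist", "ask": "on-miss"}}

def effective_policy(tools, approvals, agent_id):
    """Merge the agent-level exec block with the host-level entry; stricter wins."""
    host = {**approvals["defaults"], **approvals["agents"].get(agent_id, {})}
    agent = tools.get("exec", {"security": "deny", "ask": "off"})
    security = min(agent["security"], host["security"], key=RANK.get)
    # Assumption: a prompt is used if either layer asks for one.
    ask = "on-miss" if "on-miss" in (agent["ask"], host["ask"]) else "off"
    return {"security": security, "ask": ask,
            "askFallback": host["askFallback"],
            "allowlist": host.get("allowlist", [])}

def decide(tools, approvals, agent_id, command, approval_client):
    """Return 'run', 'prompt' or 'blocked' for one command string."""
    if "exec" not in tools.get("allow", []) or "exec" not in tools:
        return "blocked"  # the allow entry and the exec block are both required
    p = effective_policy(tools, approvals, agent_id)
    if p["security"] == "full":
        return "run"
    if p["security"] == "deny":
        return "blocked"
    if command in p["allowlist"]:  # simplification: exact string match
        return "run"
    if p["ask"] != "on-miss":
        return "blocked"  # allowlist miss and no prompt configured
    if approval_client:
        return "prompt"  # an approver can allow-once, allow-always or deny
    # No reachable approver: askFallback decides (the failure mode in the notes).
    return "run" if p["askFallback"] == "full" else "blocked"
```

Calling `decide(PUBLIC_TOOLS, APPROVALS, "crash-bot-public", "ls", False)` reproduces the original failure, and the same call with `approval_client=True` shows the state after the Discord approval client is configured.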

## Notes
<!-- openclaw:human:start -->
<!-- openclaw:human:end -->

## Related
<!-- openclaw:wiki:related:start -->
- No related pages yet.
<!-- openclaw:wiki:related:end -->