diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 786b653e5..933ee39df 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "5404bbbb7196db3a31f0f54f4393223c1733a76d", - "syncedAt": "2026-04-26T00:57:28.818Z" + "sha": "57f05128cba9c3cf2e8b0cb52a54ae7daa7a8608", + "syncedAt": "2026-04-26T00:58:04.044Z" } diff --git a/docs/cli/crestodian.md b/docs/cli/crestodian.md index 350b0f018..f0a269261 100644 --- a/docs/cli/crestodian.md +++ b/docs/cli/crestodian.md @@ -239,13 +239,13 @@ Security contract for remote rescue: operation, where the runtime already has unsandboxed local authority. - Require an explicit owner identity. Rescue must not accept wildcard sender rules, open group policy, unauthenticated webhooks, or anonymous channels. -- Owner DMs only by default. Group/channel rescue requires explicit opt-in and - should still route approval prompts to the owner DM. +- Owner DMs only by default. Group/channel rescue requires explicit opt-in. - Remote rescue cannot open the local TUI or switch into an interactive agent session. Use local `openclaw` for agent handoff. - Persistent writes still require approval, even in rescue mode. -- Audit every applied rescue operation, including channel, account, sender, - session key, operation, config hash before, and config hash after. +- Audit every applied rescue operation. Message-channel rescue records channel, + account, sender, and source-address metadata. Config-mutating operations also + record config hashes before and after. - Never echo secrets. SecretRef inspection should report availability, not values. - If the Gateway is alive, prefer Gateway typed operations. If the Gateway is