From 797cfb179150b7b8283c5dab8e036fc52a86de1f Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 22 Apr 2026 22:45:53 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@46fba1d8145e145ec82e79c779c10476d129ba92 --- .openclaw-sync/source.json | 4 ++-- docs/cli/config.md | 5 ++++- docs/gateway/configuration.md | 4 ++++ docs/gateway/security/index.md | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 97d24c6aa..93c9b33d9 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "2cd3164a0fc349286268d1d967cc195d2376e045", - "syncedAt": "2026-04-22T22:37:07.942Z" + "sha": "46fba1d8145e145ec82e79c779c10476d129ba92", + "syncedAt": "2026-04-22T22:45:53.029Z" } diff --git a/docs/cli/config.md b/docs/cli/config.md index 99a691896..15e5923a8 100644 --- a/docs/cli/config.md +++ b/docs/cli/config.md @@ -359,6 +359,9 @@ If dry-run fails: post-change config before committing it to disk. If the new payload fails schema validation or looks like a destructive clobber, the active config is left alone and the rejected payload is saved beside it as `openclaw.json.rejected.*`. +The active config path must be a regular file. Symlinked `openclaw.json` +layouts are unsupported for writes; use `OPENCLAW_CONFIG_PATH` to point directly +at the real file instead. Prefer CLI writes for small edits: @@ -383,7 +386,7 @@ last-known-good backup during startup or hot reload. See ## Subcommands -- `config file`: Print the active config file path (resolved from `OPENCLAW_CONFIG_PATH` or default location). +- `config file`: Print the active config file path (resolved from `OPENCLAW_CONFIG_PATH` or default location). The path should name a regular file, not a symlink. Restart the gateway after edits. diff --git a/docs/gateway/configuration.md b/docs/gateway/configuration.md index 7b6409652..72a4d54c8 100644 --- a/docs/gateway/configuration.md +++ b/docs/gateway/configuration.md @@ -10,6 +10,10 @@ title: "Configuration" # Configuration OpenClaw reads an optional **JSON5** config from `~/.openclaw/openclaw.json`. +The active config path must be a regular file. Symlinked `openclaw.json` +layouts are unsupported for OpenClaw-owned writes; an atomic write may replace +the path instead of preserving the symlink. If you keep config outside the +default state directory, point `OPENCLAW_CONFIG_PATH` directly at the real file. If the file is missing, OpenClaw uses safe defaults. Common reasons to add a config: diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 71f472172..2b202b24a 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -247,7 +247,7 @@ High-signal `checkId` values you will most likely see in real deployments (not e | `fs.state_dir.perms_readable` | warn | State dir is readable by others | filesystem perms on `~/.openclaw` | yes | | `fs.state_dir.symlink` | warn | State dir target becomes another trust boundary | state dir filesystem layout | no | | `fs.config.perms_writable` | critical | Others can change auth/tool policy/config | filesystem perms on `~/.openclaw/openclaw.json` | yes | -| `fs.config.symlink` | warn | Config target becomes another trust boundary | config file filesystem layout | no | +| `fs.config.symlink` | warn | Symlinked config files are unsupported for writes and add another trust boundary | replace with a regular config file or point `OPENCLAW_CONFIG_PATH` at the real file | no | | `fs.config.perms_group_readable` | warn | Group users can read config tokens/settings | filesystem perms on config file | yes | | `fs.config.perms_world_readable` | critical | Config can expose tokens/settings | filesystem perms on config file | yes | | `fs.config_include.perms_writable` | critical | Config include file can be modified by others | include-file perms referenced from `openclaw.json` | yes |