openclaw - 💡(How to fix) Fix Allow agent config.patch to harden plugins.bundledDiscovery to allowlist


Summary

openclaw doctor can recommend tightening bundled plugin discovery by setting plugins.bundledDiscovery from legacy "compat" mode to "allowlist" when plugins.allow is restrictive. The agent-facing gateway config tool currently cannot apply that hardening recommendation, even though the schema advertises the field as hot-reloadable.

The attempted agent-side patch fails before the gateway RPC is called:

gateway config.patch cannot change protected config paths: plugins.bundledDiscovery

That leaves agents able to identify the recommended hardening change, but unable to apply it without manual config-file editing.

Affected Behavior

This affects installations with a restrictive plugin allowlist while bundled plugin discovery is still in legacy compatibility mode:

{
  "plugins": {
    "allow": ["codex", "openai", "memory-core", "browser", "telegram"],
    "bundledDiscovery": "compat"
  }
}

In that state, doctor warns that omitted bundled providers may still be discoverable through legacy bundled discovery behavior and recommends switching to "allowlist".

Reproduction

Using OpenClaw 2026.5.22 or current main with a restrictive plugins.allow and plugins.bundledDiscovery: "compat":

  1. Run gateway config.schema.lookup for plugins.bundledDiscovery.
  2. Observe the schema reports:
    • enum: ["compat", "allowlist"]
    • reloadKind: "hot"
  3. Run agent-facing gateway config.patch with:
{
  "plugins": {
    "bundledDiscovery": "allowlist"
  }
}

Actual Result

The agent-facing config guard rejects the patch as a protected config path:

gateway config.patch cannot change protected config paths: plugins.bundledDiscovery

The operator has to edit the config manually to complete the doctor-recommended hardening.

Expected Result

The agent-facing guard should allow only the hardening direction:

  • allow plugins.bundledDiscovery: "allowlist"
  • continue blocking plugins.bundledDiscovery: "compat" through the agent-facing tool
  • continue blocking unrelated protected config paths

This preserves the security boundary while letting agents complete a doctor-recommended tightening step.

Root Cause

The agent gateway tool computes changed config paths, compares them against ALLOWED_GATEWAY_CONFIG_PATHS, and rejects any path outside that set before forwarding the config mutation. plugins.bundledDiscovery is absent from that allowlist, so both the security-positive transition to "allowlist" and the security-negative transition back to "compat" are blocked identically.

Behavior Proof

Before:

schema lookup:
path: plugins.bundledDiscovery
enum: ["compat", "allowlist"]
reloadKind: hot

doctor recommendation:
set plugins.bundledDiscovery to "allowlist" when plugins.allow is restrictive

agent-facing patch:
{"plugins":{"bundledDiscovery":"allowlist"}}

result:
gateway config.patch cannot change protected config paths: plugins.bundledDiscovery

After manual local workaround on the same installation:

plugins.bundledDiscovery: allowlist
openclaw doctor --non-interactive
=> bundledDiscovery/plugin allowlist warning cleared
gateway service state after restart: active (running)

This confirms the value is the correct operational hardening target; the bug is specifically that the agent-facing guard cannot apply it safely.

Proposed Fix

Add a narrow one-way exception for plugins.bundledDiscovery:

  • include the path in the agent-facing allowed config paths
  • add an explicit value guard that permits only "allowlist"
  • reject attempts to set "compat" through the agent-facing tool

Linked implementation: https://github.com/openclaw/openclaw/pull/86138

Privacy / Sanitization

This report intentionally excludes tokens, chat IDs, private channel names, personal data, local usernames, private hostnames, and user content. The config snippet is reduced to the minimal generic fields needed to reproduce the behavior.
