openclaw - 💡(How to fix) Fix config unset missing --dry-run flag (parity with config set / config patch)

Version

OpenClaw 2026.5.7 (eeef486)

Summary

openclaw config unset has no --dry-run flag, while its sibling subcommands openclaw config set and openclaw config patch both support --dry-run for schema-validating an edit before writing openclaw.json. This parity gap makes risk-aware unset operations require backup-restore-revert cycles instead of pre-flight validation.

Reproduction

$ openclaw --version
OpenClaw 2026.5.7 (eeef486)

$ openclaw config set --help | grep -- --dry-run
      --dry-run                     Validate the assignment without writing
                                    openclaw.json (default: false)

$ openclaw config patch --help | grep -- --dry-run
      --dry-run              Validate changes without writing openclaw.json
                             (checks schema and SecretRef resolvability; exec
                             SecretRefs are skipped unless --allow-exec is set)
                             (default: false)

$ openclaw config unset --help
Usage: openclaw config unset [options] <path>

Remove a config value by dot path

Arguments:
  path        Config path (dot or bracket notation)

Options:
  -h, --help  Display help for command

config unset only exposes -h/--help. There is no way to validate an unset operation against the schema before writing.

Expected behaviour

openclaw config unset --dry-run <path> should:

• Validate the resulting config (after removing the target path) against the JSON schema
• Refuse to proceed if removal would invalidate the config (e.g., removing a required field, dangling SecretRef, protected entry)
• Print what would be removed without writing openclaw.json
• Mirror the validation semantics already implemented for config set --dry-run and config patch --dry-run

Why this matters

Operational example from today (2026-05-11): a fleet recovery operation involved unsetting agents.list[N].agentRuntime on 18 dormant agents to restore canonical agent shape after #79440 doctor damage. Each unset operation had to be applied directly to live config because --dry-run is not available. A schema-validating dry-run would have caught any path typos pre-write rather than requiring a backup-restore-revert pattern on first failure.

Today's recovery worked because the unset path was simple. For more complex unsets (removing protected map/list entries, dangling SecretRef paths, anything with downstream dependencies), the lack of --dry-run parity is a meaningful operational gap.

Suggested fix

Add --dry-run option to config unset subcommand. Mirror validation semantics of config set --dry-run: do not write openclaw.json, report what would be removed, return non-zero if removal would invalidate the resulting config against schema.

Related

• Sister parity issues being filed separately:
  • config patch --merge error references a flag that does not appear in subcommand help (needs reproduction work, not filed yet)
  • openclaw config set "Restart the gateway to apply" warning is misleading for active agents without agentRuntime override (config hot-loads on next invocation; restart only required for dormant agents with agentRuntime.id=codex)