Skip to content

feat(setup): inject Windows-node guidance into AGENTS.md after pairing#659

Draft
paulcam206 wants to merge 1 commit into
openclaw:mainfrom
paulcam206:master
Draft

feat(setup): inject Windows-node guidance into AGENTS.md after pairing#659
paulcam206 wants to merge 1 commit into
openclaw:mainfrom
paulcam206:master

Conversation

@paulcam206

Copy link
Copy Markdown
Contributor

Summary

Adds a new setup step (WindowsNodeBootstrapContextStep) that runs after node pairing and injects a managed <!-- BEGIN ... --> / <!-- END ... --> block into the gateway's AGENTS.md. The injected block tells the OpenClaw agent how to use the paired Windows tray node (the nodes tool, exec host=node, tools.exec defaults, etc.) so the agent stops trying to do Windows-only work inside the WSL gateway.

Without this step, the agent has no idea a Windows companion node exists and treats the gateway as the only execution surface.

Behavior

  • Resolves the gateway's agent workspace from openclaw config get agents.defaults.workspace (or a WindowsNodeContext.WorkspacePath override).
  • Creates AGENTS.md if missing; appends the managed block; preserves any existing content above it.
  • Idempotent — re-running replaces the existing block in place, leaving exactly one BEGIN/END pair.
  • Rollback removes the managed block and restores the surrounding content; never touches symlinks.

Implementation notes

1. Pure POSIX shell, no Node.js dependency

The previous internal iteration of this step embedded a Node.js script for the file mutation. That broke at runtime in bare WSL distros: openclaw setup is the Rust CLI, not a Node.js app, so node is not guaranteed to be installed. This PR uses awk + base64 + standard POSIX builtins instead — no node, no embedded JS, no heredocs.

2. Stdin path on RunInWslAsync (new opt-in)

While debugging this step against a fresh Ubuntu-26.04 we re-discovered a long-standing wsl.exe gotcha already half-documented at SetupSteps.cs:937-939:

wsl.exe -- bash -c <script> performs shell-variable expansion on argv before bash sees it, silently dropping any $var reference that isn't defined in the Windows process environment.

So workspace='/home/openclaw/...'; mkdir -p "$workspace" arrives at bash as mkdir -p "" and dies with cannot create directory ''. This PR adds an opt-in inputViaStdin: true parameter to ICommandRunner.RunInWslAsync that pipes the script to bash -s over stdin (which wsl.exe doesn't touch). The new step opts in; existing callers are unchanged.

A new docs/WSL_EXE_ARGV_PITFALL.md documents the pitfall with the empirical reproduction table, ranked fixes, and what does NOT work (single quotes, double quotes, braces, subshells, prefix assignment, -e VAR=val forwarding — all verified). The existing ValidateWslLockdownStep comment is expanded with a cross-reference, and AGENTS.md plus docs/WINDOWS_NODE_TESTING.md get pointers so future agents discover it from the right entry points.

3. Workspace-path consistency

WindowsNodeContext.WorkspacePath overrides like ~/foo or relative paths used to be passed raw to openclaw setup --workspace while the apply script ran against the ExpandLinuxPath-resolved version, which could land setup and injection in different directories. The override is now expanded once and threaded through both invocations.

4. Helper calls that include $PATH

RunOpenclawSetupAsync and ResolveWorkspacePathAsync build their command via ctx.WslPathPrefix, which references $PATH. On the argv path, wsl.exe expands $PATH to the Windows $PATH — usually harmless because the Linux openclaw bin is prepended, but fragile. Both helpers now use the stdin path so the Linux $PATH is preserved.

Validation

  • ./build.ps1
  • OpenClaw.Shared.Tests — 2045 passed / 29 skipped ✅
  • OpenClaw.Tray.Tests — 934 passed ✅
  • OpenClaw.SetupEngine.Tests — 222 passed (added tilde-override regression + per-call stdin-vs-argv assertions) ✅
  • Live smoke against bare Ubuntu-26.04 (no openclaw, no node)
    • Apply to missing file → bootstrap fallback + injection
    • Apply preserves pre-existing content + appends managed block
    • Apply twice → exactly 1 BEGIN marker (idempotent)
    • Rollback removes managed block, leaves surrounding content intact
  • Autoreview (copilot, --mode local): autoreview clean: no accepted/actionable findings reported · patch is correct (0.82)

Files

Area What
src/OpenClaw.SetupEngine/CommandRunner.cs New inputViaStdin parameter; XML docs explaining the pitfall
src/OpenClaw.SetupEngine/SetupSteps.cs WindowsNodeBootstrapContextStep (apply + rollback); expanded existing pitfall comment
src/OpenClaw.SetupEngine/SetupPipeline.cs Registers the new step after PairNodeStep and before VerifyEndToEndStep
src/OpenClaw.SetupEngine/SetupContext.cs WindowsNodeContextConfig (Enabled, WorkspacePath, TimeoutSeconds)
src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs Markers + managed-block payload
src/OpenClaw.SetupEngine/default-config.json Default WindowsNodeContext section
tests/OpenClaw.SetupEngine.Tests/* Tests for config, pipeline ordering, script shape, override expansion, stdin invariants, rollback
docs/WSL_EXE_ARGV_PITFALL.md New permanent footgun reference
docs/WINDOWS_NODE_TESTING.md, docs/ONBOARDING_WIZARD.md, AGENTS.md Cross-references and behavior notes

Add WindowsNodeBootstrapContextStep that runs after node pairing and
injects a managed BEGIN/END block into the gateway's AGENTS.md
(workspace resolved from `openclaw config get agents.defaults.workspace`,
or from a `WindowsNodeContext.WorkspacePath` override). The injected
block tells the running OpenClaw agent how to use the paired Windows
tray node (nodes tool, exec host=node, tools.exec defaults, etc.).

The file mutation is pure POSIX shell + awk + base64 — no Node.js
dependency, no embedded JS, no heredocs. Bare WSL distros (and the
gateway distro) do not have node installed, so the previous
node-based approach failed at runtime.

Scripts that need bash variable handling are piped to `bash -s` via
stdin instead of being passed as argv to `bash -c`, because wsl.exe
performs shell variable expansion on argv before bash sees it and
silently drops user-defined $var references. New
docs/WSL_EXE_ARGV_PITFALL.md documents the footgun, the empirical
reproduction against fresh Ubuntu-26.04, and the ranked fixes.

Notable changes:
* CommandRunner.RunInWslAsync gains opt-in `inputViaStdin: true`
  that switches argv to `bash -s` and pipes the script over stdin
* WindowsNodeBootstrapContextStep computes the absolute workspace
  path once via ExpandLinuxPath and threads it through both
  `openclaw setup --workspace` and the apply script, so `~/foo` or
  relative-path overrides cannot land in different directories
* RunOpenclawSetupAsync and ResolveWorkspacePathAsync use the stdin
  path because their scripts include $PATH via WslPathPrefix
* Apply script is idempotent and handles missing/symlink/malformed
  AGENTS.md; rollback removes the managed block in-place
* Cross-references in AGENTS.md and docs/WINDOWS_NODE_TESTING.md
  surface the pitfall doc from likely discovery points
* Tests cover apply/rollback shape, override expansion, per-call
  stdin-vs-argv invariants, and a tilde-override regression
* Verified end-to-end against bare Ubuntu-26.04 (no openclaw, no
  node): apply-to-missing, apply-preserves-content, idempotency
  (exactly 1 BEGIN marker after second apply), rollback restores
  original content

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@clawsweeper

clawsweeper Bot commented Jun 3, 2026

Copy link
Copy Markdown

Codex review: found issues before merge. Reviewed July 1, 2026, 2:17 AM ET / 06:17 UTC.

Summary
The PR adds a default post-pairing setup step that injects managed Windows-node guidance into the gateway workspace AGENTS.md, plus stdin-based WSL script execution support, config, docs, and SetupEngine tests.

Reproducibility: not applicable. This PR adds a new setup/enrichment feature rather than reporting a broken existing behavior. The relevant checks are source review, PR-head proof, and the linked setup/security discussion.

Review metrics: 2 noteworthy metrics.

  • Diff size: 13 files changed, +906/-10. The PR is a broad setup/docs/tests change that affects default onboarding behavior, not a small wording-only patch.
  • Default setup insertion: 1 new default pipeline step. The new Windows-node context step runs in the normal setup pipeline after node pairing, so failure and policy behavior matter before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Scope the managed AGENTS text to intentional local Windows-node tasks and remote/multi-node contexts.
  • Remove permissive gateway exec recommendations or move them behind explicit maintainer-approved consent/docs.
  • Make AGENTS enrichment non-terminal, refresh the dirty draft branch, and update proof after revision.

Mantis proof suggestion
A live clean-setup proof would materially help after revision because the intended behavior is visible as an agent using the paired Windows node for a desktop task. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify clean local setup injects scoped Windows-node guidance and a notification request uses the paired Windows node.

Risk before merge

  • [P1] Merging as-is would put local Windows-node routing advice into the gateway workspace AGENTS.md for every session, including remote, Telegram-originated, or future multi-node contexts that may not intend to target this Windows machine.
  • [P1] The managed block recommends permissive gateway exec settings from global agent guidance, which conflicts with the prior by-design decision to keep gateway exec policy restrictive unless the user explicitly opts in.
  • [P2] Because the default setup step returns a failed setup result on AGENTS symlinks, malformed markers, missing ready marker, or timeout, optional guidance can become an onboarding availability failure after pairing succeeds.
  • [P1] The PR is currently draft and GitHub reports it as dirty against the base branch, so the exact merge result needs a refreshed branch before final review.

Maintainer options:

  1. Revise scoped, non-blocking guidance (recommended)
    Scope the injected text to tasks intentionally targeting this paired Windows machine, remove permissive exec-default recommendations, make enrichment failures non-terminal, then refresh the branch and proof.
  2. Accept the global guidance risk
    Maintainers can intentionally land global AGENTS guidance only after explicitly owning the remote-session, exec-policy, and setup-failure tradeoffs in the PR discussion.
  3. Replace with a narrower path
    If global AGENTS injection is not the desired product shape, pause or close this PR and track a setup UX, diagnostics, or docs-only opt-in path instead.

Next step before merge

  • [P2] The remaining work requires contributor/maintainer revision of product scope, security posture, non-terminal setup behavior, and a refreshed draft branch rather than a narrow automated repair lane.

Security
Needs attention: The diff injects global agent instructions that recommend loosening gateway command-execution policy, so the security boundary needs maintainer revision before merge.

Review findings

  • [P1] Scope the managed Windows-node guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9
  • [P1] Remove permissive exec defaults from global guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17-20
  • [P1] Do not fail onboarding on optional AGENTS enrichment — src/OpenClaw.SetupEngine/SetupSteps.cs:2354
Review details

Best possible solution:

Keep the Windows-node discovery help, but deliver it as scoped, explicit, non-blocking guidance that avoids permission-relaxing defaults unless a maintainer-approved opt-in path captures user intent.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a new setup/enrichment feature rather than reporting a broken existing behavior. The relevant checks are source review, PR-head proof, and the linked setup/security discussion.

Is this the best way to solve the issue?

No, not as-is. The maintainable path is narrower scoped guidance plus explicit gateway exec consent or documentation, with AGENTS enrichment treated as best-effort after pairing.

Full review comments:

  • [P1] Scope the managed Windows-node guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9
    This payload is injected into the gateway workspace AGENTS.md, so every session in that workspace can see broad instructions to use the local Windows node for Windows/files/browser/notification work. That can misroute remote, Telegram-originated, or future multi-node work; please scope the guidance to tasks that intentionally target this paired Windows machine.
    Confidence: 0.91
  • [P1] Remove permissive exec defaults from global guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17-20
    The managed block tells the agent to suggest tools.exec.ask off and tools.exec.security full. Related discussion closed this direction as by-design unless there is explicit user/developer consent, so injecting it into global AGENTS.md weakens the command-execution boundary.
    Confidence: 0.94
  • [P1] Do not fail onboarding on optional AGENTS enrichment — src/OpenClaw.SetupEngine/SetupSteps.cs:2354
    After pairing succeeds, this default setup step fails the pipeline if the AGENTS mutation fails or the ready marker is missing. Optional guidance should not make onboarding fail for symlinks, malformed existing markers, or a transient timeout; make this best-effort or explicitly recoverable.
    Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 4166e0fd63f8.

Label changes

Label justifications:

  • P2: This is a meaningful setup/onboarding improvement with security-sensitive merge blockers, but it is not an active production outage.
  • merge-risk: 🚨 compatibility: A global managed AGENTS.md block can change behavior for existing gateway workspace sessions and future multi-node or remote setups.
  • merge-risk: 🚨 security-boundary: The PR injects guidance that recommends disabling gateway exec prompts and setting gateway exec security to full from a global agent instruction file.
  • merge-risk: 🚨 availability: The default post-pairing setup step can fail onboarding when optional AGENTS enrichment fails, times out, or encounters malformed managed markers.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The inspected screenshot shows an after-change clean setup conversation routing a notification request through the Windows tray node, but it does not resolve the policy and failure-mode blockers.
  • proof: sufficient: Contributor real behavior proof is sufficient. The inspected screenshot shows an after-change clean setup conversation routing a notification request through the Windows tray node, but it does not resolve the policy and failure-mode blockers.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The inspected screenshot shows an after-change clean setup conversation routing a notification request through the Windows tray node, but it does not resolve the policy and failure-mode blockers.
Evidence reviewed

Security concerns:

  • [medium] Global guidance weakens exec posture — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17
    The managed AGENTS payload recommends disabling gateway exec prompts and setting gateway exec security to full from a workspace-global instruction file; that conflicts with the prior explicit-consent direction for gateway exec policy.
    Confidence: 0.93

What I checked:

  • Current main lacks this step: Current main runs PairNodeStep directly before VerifyEndToEndStep; there is no WindowsNodeBootstrapContextStep or WindowsNodeContext config on the shipped v0.6.12 main snapshot. (src/OpenClaw.SetupEngine/SetupPipeline.cs:59, 4166e0fd63f8)
  • PR enables a default setup step: The PR inserts WindowsNodeBootstrapContextStep immediately after PairNodeStep in the default setup pipeline, so the new AGENTS enrichment runs for normal local setup unless disabled by config. (src/OpenClaw.SetupEngine/SetupPipeline.cs:60, e028dc07884c)
  • Injected payload is global and permissive: The managed block tells agents to use the Windows node for broad Windows tasks and suggests tools.exec.ask off plus tools.exec.security full from the gateway workspace AGENTS.md. (src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9, e028dc07884c)
  • Optional enrichment can fail setup: The apply step returns StepResult.Fail if AGENTS injection exits nonzero or lacks the ready marker, so symlinks, malformed markers, or timeouts can fail onboarding after pairing succeeds. (src/OpenClaw.SetupEngine/SetupSteps.cs:2354, e028dc07884c)
  • Prior product/security direction: Related issue Clarify gateway exec policy required for Windows node execution #632 was closed by design with explicit guidance that setup should not silently apply or broadly recommend permissive gateway exec defaults; future improvement should use docs, diagnostics, or explicit opt-in.
  • Maintainer review context: The PR discussion includes a focused request to scope the generated guidance, remove or soften permissive tools.exec recommendations, and make AGENTS enrichment non-blocking before another review.

Likely related people:

  • ranjeshj: Recent history shows substantial SetupEngine, pairing, and onboarding work, and they authored the related exec-policy issue/previous guidance PR that shaped the current security direction. (role: setup and gateway-policy contributor; confidence: high; commits: ea36b12f9e4c, d4284d43fb6a, 98d0760cb5b6; files: src/OpenClaw.SetupEngine/SetupSteps.cs, src/OpenClaw.SetupEngine/CommandRunner.cs, docs/ONBOARDING_WIZARD.md)
  • shanselman: They left the focused review request on this PR and recent history includes setup-triage changes in the same SetupEngine path. (role: recent area reviewer and setup contributor; confidence: high; commits: ad943b9e6fd8, 4166e0fd63f8, d23f8ca50013; files: src/OpenClaw.SetupEngine/SetupSteps.cs, src/OpenClaw.SetupEngine/SetupPipeline.cs, AGENTS.md)
  • RBrid: Commit history shows recent CommandRunner work and broad Windows companion/node surface changes, which are relevant to the stdin WSL runner and node-routing behavior touched here. (role: recent command-runner and companion-node contributor; confidence: medium; commits: 753828f63e96, 5505a85da7df; files: src/OpenClaw.SetupEngine/CommandRunner.cs, src/OpenClaw.SetupEngine/SetupSteps.cs)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jun 3, 2026
@paulcam206

Copy link
Copy Markdown
Contributor Author

just as a heads up -- this change is a little wonky in terms of what we're doing... it works, but I wouldn't say that it's elegant.

anyways, here's a completely clean install being asked to pop a notification:
image

@shanselman

Copy link
Copy Markdown
Contributor

@paulcam206 does it only do it if the message is coming in via the Windows app?

@shanselman

Copy link
Copy Markdown
Contributor

Automated Copilot review note from the wide PR triage pass:

I would not treat this as safe to merge at 90% confidence yet, even aside from the current conflict state. The core concern is scope: this PR injects Windows-node guidance into the gateway workspace's global AGENTS.md, so it can affect agent behavior for requests that did not originate from the local Windows tray chat — for example Telegram-originated work, remote/gateway sessions, or future multi-node scenarios.

Two things I think should be tightened before merge:

  1. Scope the guidance to cases where the task explicitly needs this paired Windows machine. The current wording can over-bias the agent toward the local Windows node for broadly described Windows/files/browser/notification work, even when the request came from another channel or another node context.
  2. Avoid putting permission-relaxing config advice in global agent guidance. The suggested openclaw config set tools.exec.ask off and openclaw config set tools.exec.security full commands are especially risky when Telegram/remote messages may influence the agent. If those defaults are needed for setup, they should be handled by explicit setup/config UX with user consent, not broad AGENTS.md instructions.

Separately, because this is post-pairing enrichment, I would prefer injection failures/timeouts/malformed existing markers to be non-terminal or self-healing where possible. Optional guidance should not block onboarding after pairing succeeds.

@shanselman

Copy link
Copy Markdown
Contributor

Thanks for the proof and the implementation here. I don't think this is safe to merge as-is yet because the generated AGENTS.md guidance is workspace-global, so it can influence sessions regardless of where the request originated — local tray, remote gateway, Telegram, or another paired node. It also currently suggests broad tools.exec permission changes, which is risky guidance to inject automatically.

Could you please revise this so the injected guidance is clearly scoped to tasks that intentionally need this paired Windows node, remove or soften the permissive tools.exec config recommendations, and ensure AGENTS enrichment is non-blocking for pairing/onboarding if it times out or fails? After that, this should get another focused review.

@ranjeshj ranjeshj marked this pull request as draft June 18, 2026 05:10
@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 availability 🚨 Merging this PR could cause crashes, hangs, restart loops, stalls, or process outages. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: sufficient Contributor real behavior proof is sufficient. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants