Merge pull request #239 from peg/staging

feat: v0.9.7 — bug fixes, exec patch, port fix, allow-always improvements

Author: peg

CHANGELOG.md

@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.7] - 2026-03-20
+
+### Added
+
+- **Native OpenClaw exec approval integration**: The bridge now correctly receives `exec.approval.requested` events. Root cause: the gateway silently stripped `operator.approvals` scope from clients connecting without a device identity (`clearUnboundScopes()`). Fixed by loading OpenClaw's existing `~/.openclaw/identity/device.json` and including a signed V3 device auth payload in the connect handshake. The bridge now intercepts all exec approvals, evaluates against Rampart policy, and resolves allow/deny decisions before the Discord/Telegram UI shows buttons.
+- **"Always Allow" writes to `user-overrides.yaml`**: When a user clicks "Always Allow" on an exec approval, the bridge captures the `exec.approval.resolved` event and writes a persistent rule to `~/.rampart/policies/user-overrides.yaml`. This file is never overwritten by upgrades or `rampart setup`.
+- **`patchExecInDist()`**: `rampart setup openclaw --patch-tools` now also patches the exec tool in OpenClaw dist files, adding a Rampart pre-check before OpenClaw's own allowlist evaluation for human-initiated execs.
+- **`rampart doctor` improvements**: Granular per-tool patch detection (web_fetch, browser, message, exec checked individually). `--fix` flag auto-applies missing patches without requiring the full setup command. Fixed detection for modern OpenClaw dist format (`auth-profiles-*.js`).
+- **`persisted` field in approval poll responses**: `GET /v1/approvals/{id}` now returns `persisted: true` when the resolution was an allow-always decision that wrote a persistent rule.
+
+### Fixed
+
+- **MCP-style input bypass**: `domain_matches` policies were not evaluated for MCP-style `{"input":{"url":"..."}}` requests — `enrichParams()` only processed `req.Params`, not `req.Input`. Now enriches both and promotes fields into `req.Params`.
+- **`policy explain` URL params**: `rampart policy explain --tool web_fetch "https://..."` always returned ALLOW because the CLI hardcoded `command=arg` instead of parsing the URL. Now correctly sets domain/scheme/path for URL-based tools.
+- **ngrok.io bare domain**: `ngrok.io` was not in the `block-exfil-domains` blocklist (only `*.ngrok.io` was covered). Added `ngrok.io` and `ngrok-free.app` bare domains.
+- **allow-always glob pattern**: `GeneralizeCommand` appended `" *"` (space before glob) so commands like `shred /tmp/file` were generalized to `"shred /tmp/file *"`, which didn't match the exact command without extra args. Fixed to `"shred /tmp/file*"`.
+- **Startup migration for old glob patterns**: `rampart serve` now automatically migrates existing `auto-allowed.yaml` rules from the old `"cmd arg *"` format to the correct `"cmd arg*"` format on first start after upgrading.
+- **Default port consistency**: `rampart setup --port` flag, `rampart status` port probe, service file generation, shim URL, and dist patches all now consistently use port 9090 (was 19090 in some places).
+- **`approvalRequestParams` struct**: The bridge was parsing `exec.approval.requested` payloads with a flat struct — command/agentId were nested under `request:{}` in the actual gateway payload, causing the bridge to evaluate empty commands (and auto-allow everything). Fixed with correct nested struct.
+- **`rampart doctor` dist detection**: `openclawUsesBundledDist()` only checked for `pi-embedded-*.js` (older OpenClaw) and missed `auth-profiles-*.js` (newer OpenClaw), causing incorrect "not patched" warnings on modern installations.
+
+## [0.9.6] - 2026-03-18
+
 ## [0.9.5] - 2026-03-17
 
 ### Added

README.md

@@ -53,20 +53,47 @@ const hintSep = "\n  💡 "
 
 func newDoctorCmd() *cobra.Command {
 	var jsonOut bool
+	var fix bool
 
 	cmd := &cobra.Command{
 		Use:   "doctor",
 		Short: "Check Rampart installation health",
 		Long:  "Run diagnostic checks on your Rampart installation and report any issues.",
 		RunE: func(cmd *cobra.Command, _ []string) error {
+			if fix {
+				return runDoctorFix(cmd)
+			}
 			return runDoctor(cmd.OutOrStdout(), jsonOut)
 		},
 	}
 
 	cmd.Flags().BoolVar(&jsonOut, "json", false, "Output results as JSON")
+	cmd.Flags().BoolVar(&fix, "fix", false, "Automatically apply fixes for detected issues (re-runs patch-tools if needed)")
 	return cmd
 }
 
+// runDoctorFix checks for missing patches and applies them automatically.
+func runDoctorFix(cmd *cobra.Command) error {
+	needsPatch := !openclawWebFetchPatched() || !openclawBrowserPatched() ||
+		!openclawMessagePatched() || !openclawExecPatched() || !openclawDistPatched()
+
+	if !needsPatch {
+		fmt.Fprintln(cmd.OutOrStdout(), "✓ All patches already applied — nothing to fix.")
+		return nil
+	}
+
+	fmt.Fprintln(cmd.OutOrStdout(), "Applying missing patches...")
+	_, err := patchOpenClawDistTools(cmd, fmt.Sprintf("http://127.0.0.1:%d", defaultServePort), "")
+	if err != nil {
+		// May need sudo — tell the user
+		fmt.Fprintf(cmd.ErrOrStderr(), "⚠ Auto-fix failed (may need sudo): %v\n", err)
+		fmt.Fprintf(cmd.ErrOrStderr(), "  Run manually: sudo rampart setup openclaw --patch-tools --force\n")
+		return err
+	}
+	fmt.Fprintln(cmd.OutOrStdout(), "✓ Patches applied. Restart OpenClaw for changes to take effect.")
+	return nil
+}
+
 func runDoctor(w io.Writer, jsonOut bool) error {
 	var results []checkResult
 	collect := jsonOut // only accumulate when --json is set
@@ -798,19 +825,54 @@ func doctorPreload(emit emitFn) (warnings int) {
 func doctorFileToolPatches(emit emitFn) (warnings int) {
 	// Check if OpenClaw uses bundled dist files (#204).
 	if openclawUsesBundledDist() {
-		// Check if dist files are patched
-		if openclawDistPatched() {
-			msg := "OpenClaw dist files patched (read + write/edit)"
-			if openclawWebFetchPatched() {
-				msg = "OpenClaw dist files patched (read + write/edit + web_fetch)"
-			}
-			emit("File tools", "ok", msg)
+		distPatched := openclawDistPatched()
+		webFetchPatched := openclawWebFetchPatched()
+		browserPatched := openclawBrowserPatched()
+		messagePatched := openclawMessagePatched()
+		execPatched := openclawExecPatched()
+
+		if distPatched && webFetchPatched && browserPatched && messagePatched && execPatched {
+			emit("Tool patches", "ok", "All OpenClaw tools patched (read/write/edit + web_fetch + browser + message + exec)")
 			return 0
 		}
-		emit("File tools", "warn",
-			"OpenClaw uses bundled dist files — file tools not policy-checked"+
-				hintSep+"sudo rampart setup openclaw --patch-tools --force")
-		return 1
+
+		// Report each unpatched tool separately so users know exactly what to fix.
+		if !distPatched {
+			emit("Tool patches", "warn",
+				"OpenClaw dist files not patched — read/write/edit not policy-checked"+
+					hintSep+"sudo rampart setup openclaw --patch-tools --force")
+			warnings++
+		} else {
+			emit("Tool patches", "ok", "OpenClaw dist files patched (read + write/edit)")
+		}
+		if !webFetchPatched {
+			emit("web_fetch patch", "warn",
+				"OpenClaw web_fetch not patched — URL fetch requests not policy-checked"+
+					hintSep+"sudo rampart setup openclaw --patch-tools --force")
+			warnings++
+		}
+		if !browserPatched {
+			emit("browser patch", "warn",
+				"OpenClaw browser tool not patched — navigate/open not policy-checked"+
+					hintSep+"sudo rampart setup openclaw --patch-tools --force")
+			warnings++
+		}
+		if !messagePatched {
+			emit("message patch", "warn",
+				"OpenClaw message tool not patched — outbound sends not policy-checked"+
+					hintSep+"sudo rampart setup openclaw --patch-tools --force")
+			warnings++
+		}
+		if !execPatched {
+			emit("exec patch", "warn",
+				"OpenClaw exec tool not patched — human-initiated execs bypass pre-check"+
+					hintSep+"sudo rampart setup openclaw --patch-tools --force")
+			warnings++
+		}
+		if warnings > 0 {
+			return warnings
+		}
+		return 0
 	}
 
 	candidates := openclawToolsCandidates()
@@ -861,7 +923,10 @@ func openclawUsesBundledDist() bool {
 	}
 
 	for _, distDir := range candidates {
-		matches, _ := filepath.Glob(filepath.Join(distDir, "pi-embedded-*.js"))
+		// Check for pi-embedded-*.js (older OpenClaw) or auth-profiles-*.js (newer OpenClaw)
+		piMatches, _ := filepath.Glob(filepath.Join(distDir, "pi-embedded-*.js"))
+		authMatches, _ := filepath.Glob(filepath.Join(distDir, "auth-profiles-*.js"))
+		matches := append(piMatches, authMatches...)
 		if len(matches) > 0 {
 			// Bundled dist exists. Check if the bundle contains tool definitions
 			// (confirming tools are compiled in, not loaded from node_modules).
@@ -870,7 +935,8 @@ func openclawUsesBundledDist() bool {
 				if err != nil {
 					continue
 				}
-				if strings.Contains(string(data), "createReadTool") || strings.Contains(string(data), "readTool") {
+				if strings.Contains(string(data), "createReadTool") || strings.Contains(string(data), "readTool") ||
+					strings.Contains(string(data), "processGatewayAllowlist") || strings.Contains(string(data), "runMessageAction") {
 					return true
 				}
 			}
@@ -880,20 +946,9 @@ func openclawUsesBundledDist() bool {
 }
 
 // openclawDistPatched checks if the bundled dist files have been patched with Rampart checks.
+// Checks both pi-embedded-*.js (older OpenClaw) and auth-profiles-*.js (newer OpenClaw).
 func openclawDistPatched() bool {
-	for _, d := range openclawDistCandidates() {
-		matches, _ := filepath.Glob(filepath.Join(d, "pi-embedded-*.js"))
-		for _, m := range matches {
-			data, err := os.ReadFile(m)
-			if err != nil {
-				continue
-			}
-			if strings.Contains(string(data), "RAMPART_DIST_CHECK") {
-				return true
-			}
-		}
-	}
-	return false
+	return openclawDistCheckPatched("RAMPART_DIST_CHECK")
 }
 
 // openclawWebFetchPatched checks if any dist *.js files have the web_fetch Rampart patch.
@@ -911,6 +966,11 @@ func openclawMessagePatched() bool {
 	return openclawDistCheckPatched("RAMPART_DIST_CHECK_MESSAGE")
 }
 
+// openclawExecPatched checks if the exec tool is patched.
+func openclawExecPatched() bool {
+	return openclawDistCheckPatched("RAMPART_DIST_CHECK_EXEC")
+}
+
 // openclawDistCheckPatched returns true if any dist *.js file contains the given marker.
 func openclawDistCheckPatched(marker string) bool {
 	for _, d := range openclawDistCandidates() {

cmd/rampart/cli/doctor.go

@@ -74,8 +74,8 @@ func TestInitFromAudit_BasicGeneration(t *testing.T) {
 	data, err := os.ReadFile(outputPath)
 	require.NoError(t, err)
 	content := string(data)
-	assert.Contains(t, content, "npm install *")
-	assert.Contains(t, content, "git push *")
+	assert.Contains(t, content, "npm install*")
+	assert.Contains(t, content, "git push*")
 }
 
 func TestInitFromAudit_DeniedEventsSkipped(t *testing.T) {
@@ -121,7 +121,7 @@ func TestInitFromAudit_Deduplication(t *testing.T) {
 	require.NoError(t, err)
 
 	output := buf.String()
-	// All three should deduplicate to "npm install *"
+	// All three should deduplicate to "npm install*"
 	assert.Contains(t, output, "1 patterns")
 }
 
@@ -231,5 +231,5 @@ func TestInitFromAudit_Directory(t *testing.T) {
 	require.NoError(t, err)
 	content := string(data)
 	assert.Contains(t, content, "git status")
-	assert.Contains(t, content, "go test *")
+	assert.Contains(t, content, "go test*")
 }

cmd/rampart/cli/init_from_audit_test.go

@@ -16,6 +16,7 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"sort"
@@ -190,10 +191,21 @@ func newPolicyExplainCmd(opts *rootOptions) *cobra.Command {
 				return fmt.Errorf("policy: create engine: %w", err)
 			}
 
+			params := map[string]any{"command": command}
+			// For URL-based tools, parse the argument as a URL and enrich params
+			// so domain_matches and url_matches policies evaluate correctly.
+			if tool == "web_fetch" || tool == "fetch" || tool == "http" || tool == "browser" {
+				params = map[string]any{"url": command}
+				if parsed, err := url.Parse(command); err == nil && parsed.Host != "" {
+					params["domain"] = parsed.Hostname()
+					params["scheme"] = parsed.Scheme
+					params["path"] = parsed.Path
+				}
+			}
 			call := engine.ToolCall{
 				Agent:     normalizeAgent(agent),
 				Tool:      tool,
-				Params:    map[string]any{"command": command},
+				Params:    params,
 				Timestamp: time.Now().UTC(),
 			}
 			decision := eng.Evaluate(call)

cmd/rampart/cli/policy.go

@@ -228,6 +228,15 @@ func newServeCmd(opts *rootOptions, deps *serveDeps) *cobra.Command {
 				store = engine.NewFileStore(opts.configPath)
 			}
 
+			// Migrate old-format allow-always rules (space before glob: "cmd *" → "cmd*").
+			// Safe to run on every startup — no-ops if already migrated.
+			autoAllowedPath := engine.DefaultAutoAllowedPath()
+			if n, mErr := engine.MigrateAllowRuleGlobs(autoAllowedPath); mErr != nil {
+				logger.Warn("serve: auto-allowed glob migration failed", "error", mErr)
+			} else if n > 0 {
+				logger.Info("serve: migrated allow-always glob patterns", "count", n, "path", autoAllowedPath)
+			}
+
 			eng, err := engine.New(store, logger)
 			if err != nil {
 				return fmt.Errorf("serve: create engine: %w", err)