* fix(gateway): guard dangerous config alias
* fix(gateway): ignore reordered dangerous flags
* fix(gateway): use id-based mapping identity and honor legacy alias baseline
* fix(gateway): tighten dangerous config matching
* fix(gateway): strip IPv6 brackets in isRemoteGatewayTarget hostname check
* fix(gateway): detect tunneled remote targets
* fix(gateway): match id-less hook mappings by fingerprint, not index
* fix(gateway): detect env-selected remote targets
* fix(gateway): resolve remote-target guard from live config, not captured opts
* fix(gateway): resolve remote-target guard from live config, not captured opts
* fix(gateway): treat loopback OPENCLAW_GATEWAY_URL as local when mode is not remote
* fix(gateway): preserve legacy dangerous hook edits
* fix(gateway): block dangerous plugin reactivation
* fix(gateway): handle dotted plugin IDs in dangerous-flag checks
* fix(gateway): honor plugin policy activation
* fix(gateway): block remote plugin activation changes via allow/deny/enabled
* fix(gateway): broaden loopback url detection
* fix(gateway): resolve plugin IDs by longest-prefix match
* fix(gateway): block remote slot activation
* fix(gateway): preserve legacy mapping identity during id+field transitions
* fix(gateway): block remote load-path and channel activation changes
* test(gateway): fix remote config mock typing
* fix(gateway): guard auto-enabled dangerous plugins
* fix(gateway): address P1 review comments on remote gateway mutation guards
- Treat all OPENCLAW_GATEWAY_URL targets as remote for mutation guards to prevent SSH tunnel bypasses
- Always load config fresh in isRemoteGatewayTargetForAgentTools to detect session changes
- Expand remote activation guard to cover auto-enable paths (auth.profiles, models.providers, agents.defaults, agents.list, tools.web.fetch.provider)
- Respect plugins.deny in manifest-missing fallback to prevent false negatives
- Fix hook mapping identity matching to properly handle id-less mappings by fingerprint
- Update tests to reflect new secure behavior for env-sourced gateway URLs
* fix(gateway): prevent hook mapping swap attacks via fingerprint-only matching
When both current and next tokens have fingerprints, match ONLY by fingerprint.
This prevents replacing one dangerous hook mapping with a different one at the
same array index from being incorrectly treated as 'already present'.
The previous fallback to index-based matching allowed bypasses where an attacker
could swap dangerous mappings at the same index without triggering the guard.
* fix(gateway): honor allowlist in fallback guard
* fix(gateway): treat empty plugin allowlist as unrestricted in manifest-missing fallback
* docs: update USER.md worklog for empty-allowlist fix
* fix(gateway): resolve review comments — type safety, auto-enable resilience, remote hardening edits
* docs: update USER.md worklog for review comment resolution
* fix(gateway): block remaining remote setup auto-enable paths
* fix(gateway): simplify dangerous config mutation guard to set-diff approach
Replace 400+ lines of hook fingerprinting, remote gateway detection,
plugin activation tracking, and auto-enable enumeration with a simple
set-diff against collectEnabledInsecureOrDangerousFlags — the same
enumeration openclaw security audit already uses.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: remove USER.md audit log from PR
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* changelog: note gateway-tool dangerous config mutation guard (#62006)
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
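
The set-diff guard described in the final gateway fix above, sketched as an added example that is not OpenClaw's code; it also shows why content-based flag identity covers the reordering and same-index swap cases from the earlier commits. The config shape, the flag strings, and `collectDangerousFlags` (a hypothetical stand-in for `collectEnabledInsecureOrDangerousFlags`) are assumptions.

```typescript
// Added example, not OpenClaw code: config shape and flag names are constructed.
type HookMapping = { id?: string; match: string; allowUnsafeExec?: boolean };
type Config = {
  gateway?: { dangerouslyDisableAuth?: boolean };
  hooks?: { mappings?: HookMapping[] };
};

// Hypothetical stand-in for the audit enumeration: one stable string per enabled
// dangerous setting. Identity comes from content (id or match), never array index.
function collectDangerousFlags(cfg: Config): string[] {
  const flags: string[] = [];
  if (cfg.gateway?.dangerouslyDisableAuth === true) {
    flags.push("gateway.dangerouslyDisableAuth=true");
  }
  for (const m of cfg.hooks?.mappings ?? []) {
    const key = m.id !== undefined ? `id:${m.id}` : `match:${m.match}`;
    if (m.allowUnsafeExec === true) {
      flags.push(`hooks.mappings[${key}].allowUnsafeExec=true`);
    }
  }
  return flags;
}

// Set difference next \ current: only flags the mutation would newly enable.
function newlyEnabledDangerousFlags(current: Config, next: Config): string[] {
  const before = collectDangerousFlags(current);
  return collectDangerousFlags(next)
    .filter((f, i, all) => before.indexOf(f) === -1 && all.indexOf(f) === i)
    .sort();
}

// Reject the write if it enables anything new; keeping or removing flags passes.
function guardConfigMutation(current: Config, next: Config): void {
  const added = newlyEnabledDangerousFlags(current, next);
  if (added.length > 0) {
    throw new Error(`refusing to enable dangerous flags: ${added.join(", ")}`);
  }
}

// Constructed sample configs.
const deployHook: HookMapping = { id: "a", match: "/deploy", allowUnsafeExec: true };
const statusHook: HookMapping = { match: "/status" };
const currentCfg: Config = { hooks: { mappings: [deployHook, statusHook] } };
// Same mappings in a different order: nothing new, so the edit is allowed.
const reorderedCfg: Config = { hooks: { mappings: [statusHook, deployHook] } };
// A different dangerous mapping placed at index 0: reported as newly enabled.
const swappedCfg: Config = {
  hooks: { mappings: [{ id: "b", match: "/other", allowUnsafeExec: true }, statusHook] },
};
```

Because the guard compares enumerated flag strings rather than positions, an index-for-index comparison of `currentCfg` and `swappedCfg` (both dangerous at index 0) is never consulted.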