Mirrors/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-01 15:07:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
openclaw/docs/cli/daemon.md
Josh Avant 788f56f30f Secrets: hard-fail unsupported SecretRef policy and fix gateway restart token drift (#58141) 
* Secrets: enforce C2 SecretRef policy and drift resolution

* Tests: add gateway auth startup/reload SecretRef runtime coverage

* Docs: sync C2 SecretRef policy and coverage matrix

* Config: hard-fail parent SecretRef policy writes

* Secrets: centralize unsupported SecretRef policy metadata

* Daemon: test service-env precedence for token drift refs

* Config: keep per-ref dry-run resolvability errors

* Docs: clarify config-set parent-object policy checks

* Gateway: fix drift fallback and schema-key filtering

* Gateway: align drift fallback with credential planner

* changelog

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

---------

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-03-31 02:37:31 -05:00

2.5 KiB
Raw Permalink Blame History

summary, read_when, title
summary read_when title
CLI reference for `openclaw daemon` (legacy alias for gateway service management)
You still use `openclaw daemon ...` in scripts
You need service lifecycle commands (install/start/stop/restart/status)
daemon

openclaw daemon

Legacy alias for Gateway service management commands.

openclaw daemon ... maps to the same service control surface as openclaw gateway ... service commands.

Usage

openclaw daemon status
openclaw daemon install
openclaw daemon start
openclaw daemon stop
openclaw daemon restart
openclaw daemon uninstall

Subcommands

  • status: show service install state and probe Gateway health
  • install: install service (launchd/systemd/schtasks)
  • uninstall: remove service
  • start: start service
  • stop: stop service
  • restart: restart service

Common options

  • status: --url, --token, --password, --timeout, --no-probe, --require-rpc, --deep, --json
  • install: --port, --runtime <node|bun>, --token, --force, --json
  • lifecycle (uninstall|start|stop|restart): --json

Notes:

  • status resolves configured auth SecretRefs for probe auth when possible.
  • If a required auth SecretRef is unresolved in this command path, daemon status --json reports rpc.authWarning when probe connectivity/auth fails; pass --token/--password explicitly or resolve the secret source first.
  • If the probe succeeds, unresolved auth-ref warnings are suppressed to avoid false positives.
  • On Linux systemd installs, status token-drift checks include both Environment= and EnvironmentFile= unit sources.
  • Drift checks resolve gateway.auth.token SecretRefs using merged runtime env (service command env first, then process env fallback).
  • If token auth is not effectively active (explicit gateway.auth.mode of password/none/trusted-proxy, or mode unset where password can win and no token candidate can win), token-drift checks skip config token resolution.
  • When token auth requires a token and gateway.auth.token is SecretRef-managed, install validates that the SecretRef is resolvable but does not persist the resolved token into service environment metadata.
  • If token auth requires a token and the configured token SecretRef is unresolved, install fails closed.
  • If both gateway.auth.token and gateway.auth.password are configured and gateway.auth.mode is unset, install is blocked until mode is set explicitly.

Prefer

Use openclaw gateway for current docs and examples.

Reference in New Issue View Git Blame Copy Permalink