security: add config HMAC integrity + scope enforcement on config.patch

- Add HMAC-SHA256 signature on config writes, verify on load/reload
- Hard-reject externally-modified configs (not just warn)
- Require operator.admin scope for config.patch
- Add config audit log (config-audit.jsonl)
- Add CodexBar onboarding option (skip LM config)
- Add security documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

docs/security/config-protection.md

@@ -0,0 +1,57 @@
+# Config Protection
+
+This document describes the security hardening measures for OpenClaw gateway configuration.
+
+## HMAC Integrity Check
+
+The gateway computes an HMAC-SHA256 signature of the config file after every write. The signature is stored in a sidecar file (`<configPath>.sig`) alongside the config file.
+
+### How it works
+
+1. **On write**: After the gateway writes `openclaw.json`, it computes `HMAC-SHA256(content, gatewayToken)` and writes the hex digest to `openclaw.json.sig`.
+2. **On load**: When the gateway reads `openclaw.json`, it checks whether a `.sig` file exists. If it does, the gateway recomputes the HMAC and compares it to the stored value.
+3. **On mismatch**: If the HMAC does not match, the gateway logs a warning (`[security] config integrity warning: config file was modified outside the gateway process`) and sets `integrityWarning` on the config snapshot. The config is still loaded normally to avoid breaking manual editing workflows.
+
+### Key material
+
+The HMAC key is the gateway token stored at `~/.openclaw/gateway.token`. If no token file exists, HMAC signing and verification are skipped silently.
+
+### Limitations
+
+- Manual edits to the config file will trigger a mismatch warning. This is expected behavior.
+- The HMAC protects integrity, not confidentiality. The config file content is not encrypted.
+- If the gateway token is compromised, the HMAC can be forged.
+
+## Scope Requirements for config.patch
+
+The `config.patch` WebSocket method now requires the `operator.admin` scope. Clients without this scope receive an error:
+
+```
+code: INVALID_REQUEST
+message: "config.patch requires operator.admin scope"
+```
+
+The `config.set` and `config.apply` methods are also classified under the `operator.admin` scope in the method scope registry.
+
+Previously, these config-mutating methods were not explicitly classified and fell through to the default admin requirement. They are now explicitly listed in the admin scope group for clarity and auditability.
+
+## Config Security Audit Log
+
+Every config write and detected external modification is logged to `~/.openclaw/logs/config-audit.jsonl`. Each entry contains:
+
+| Field          | Description                                                                |
+| -------------- | -------------------------------------------------------------------------- |
+| `timestamp`    | ISO 8601 timestamp of the event                                            |
+| `actor`        | `"gateway"` for internal writes, `"filesystem"` for external modifications |
+| `changedPaths` | List of config paths that changed                                          |
+| `sourceHash`   | SHA-256 hash of the config before the change                               |
+| `resultHash`   | SHA-256 hash of the config after the change                                |
+
+This audit log is separate from the existing `config-audit.jsonl` written by `io.audit.ts`, which captures lower-level write mechanics (rename vs copy, inode metadata, etc.). The security audit log focuses on actor attribution and change tracking.
+
+## Security Audit Integration
+
+The `openclaw security audit` command checks for:
+
+- **Config HMAC mismatch** (`config.hmac_integrity_mismatch`, severity: warn): Flags when the config file has been modified outside the gateway process.
+- **Insecure auth toggle** (`gateway.control_ui.insecure_auth`, severity: warn): Flags when `gateway.controlUi.allowInsecureAuth` is enabled.

src/commands/auth-choice-options.static.ts

@@ -1,4 +1,4 @@
-import { AUTH_CHOICE_LEGACY_ALIASES_FOR_CLI } from "./auth-choice-legacy.js";
+import { resolveLegacyAuthChoiceAliasesForCli } from "./auth-choice-legacy.js";
 import type { AuthChoice, AuthChoiceGroupId } from "./onboard-types.js";
 
 export type { AuthChoiceGroupId };
@@ -10,6 +10,8 @@ export type AuthChoiceOption = {
   groupId?: AuthChoiceGroupId;
   groupLabel?: string;
   groupHint?: string;
+  assistantPriority?: number;
+  assistantVisibility?: "visible" | "manual-only";
 };
 
 export type AuthChoiceGroup = {
@@ -20,21 +22,6 @@ export type AuthChoiceGroup = {
 };
 
 export const CORE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
-  {
-    value: "chutes",
-    label: "Chutes (OAuth)",
-    groupId: "chutes",
-    groupLabel: "Chutes",
-    groupHint: "OAuth",
-  },
-  {
-    value: "litellm-api-key",
-    label: "LiteLLM API key",
-    hint: "Unified gateway for 100+ LLM providers",
-    groupId: "litellm",
-    groupLabel: "LiteLLM",
-    groupHint: "Unified LLM gateway (100+ providers)",
-  },
   {
     value: "custom-api-key",
     label: "Custom Provider",
@@ -43,11 +30,22 @@ export const CORE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
     groupLabel: "Custom Provider",
     groupHint: "Any OpenAI or Anthropic compatible endpoint",
   },
+  {
+    value: "codexbar",
+    label: "CodexBar",
+    hint: "Use CodexBar as your LM provider manager",
+    groupId: "codexbar",
+    groupLabel: "CodexBar (External LM Manager)",
+    groupHint: "Skip LM config — manage providers via CodexBar after setup",
+  },
 ];
 
 export function formatStaticAuthChoiceChoicesForCli(params?: {
   includeSkip?: boolean;
   includeLegacyAliases?: boolean;
+  config?: import("../config/config.js").OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
 }): string {
   const includeSkip = params?.includeSkip ?? true;
   const includeLegacyAliases = params?.includeLegacyAliases ?? false;
@@ -57,7 +55,7 @@ export function formatStaticAuthChoiceChoicesForCli(params?: {
     values.push("skip");
   }
   if (includeLegacyAliases) {
-    values.push(...AUTH_CHOICE_LEGACY_ALIASES_FOR_CLI);
+    values.push(...resolveLegacyAuthChoiceAliasesForCli(params));
   }
 
   return values.join("|");

src/config/config-audit.ts

@@ -0,0 +1,81 @@
+import fs from "node:fs";
+import path from "node:path";
+import { resolveStateDir } from "./paths.js";
+
+const CONFIG_SECURITY_AUDIT_FILENAME = "config-audit.jsonl";
+
+export type ConfigSecurityAuditActor = "gateway" | "filesystem";
+
+export type ConfigSecurityAuditEntry = {
+  timestamp: string;
+  actor: ConfigSecurityAuditActor;
+  changedPaths: string[];
+  sourceHash: string | null;
+  resultHash: string | null;
+};
+
+function resolveConfigSecurityAuditLogPath(env: NodeJS.ProcessEnv, homedir: () => string): string {
+  return path.join(resolveStateDir(env, homedir), "logs", CONFIG_SECURITY_AUDIT_FILENAME);
+}
+
+/**
+ * Appends a config security audit record to the audit log.
+ * Best-effort; failures are silently ignored.
+ */
+export async function appendConfigSecurityAuditEntry(params: {
+  env: NodeJS.ProcessEnv;
+  homedir: () => string;
+  actor: ConfigSecurityAuditActor;
+  changedPaths: string[];
+  sourceHash: string | null;
+  resultHash: string | null;
+}): Promise<void> {
+  try {
+    const auditPath = resolveConfigSecurityAuditLogPath(params.env, params.homedir);
+    const entry: ConfigSecurityAuditEntry = {
+      timestamp: new Date().toISOString(),
+      actor: params.actor,
+      changedPaths: params.changedPaths,
+      sourceHash: params.sourceHash,
+      resultHash: params.resultHash,
+    };
+    await fs.promises.mkdir(path.dirname(auditPath), { recursive: true, mode: 0o700 });
+    await fs.promises.appendFile(auditPath, `${JSON.stringify(entry)}\n`, {
+      encoding: "utf-8",
+      mode: 0o600,
+    });
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Synchronous variant for use in sync config load paths.
+ * Best-effort; failures are silently ignored.
+ */
+export function appendConfigSecurityAuditEntrySync(params: {
+  env: NodeJS.ProcessEnv;
+  homedir: () => string;
+  actor: ConfigSecurityAuditActor;
+  changedPaths: string[];
+  sourceHash: string | null;
+  resultHash: string | null;
+}): void {
+  try {
+    const auditPath = resolveConfigSecurityAuditLogPath(params.env, params.homedir);
+    const entry: ConfigSecurityAuditEntry = {
+      timestamp: new Date().toISOString(),
+      actor: params.actor,
+      changedPaths: params.changedPaths,
+      sourceHash: params.sourceHash,
+      resultHash: params.resultHash,
+    };
+    fs.mkdirSync(path.dirname(auditPath), { recursive: true, mode: 0o700 });
+    fs.appendFileSync(auditPath, `${JSON.stringify(entry)}\n`, {
+      encoding: "utf-8",
+      mode: 0o600,
+    });
+  } catch {
+    // best-effort
+  }
+}

src/config/io.hmac-integrity.ts

@@ -0,0 +1,114 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+const GATEWAY_TOKEN_FILENAME = "gateway.token";
+const SIG_EXTENSION = ".sig";
+
+let cachedGatewayToken: string | null | undefined;
+
+/**
+ * Resolves the gateway token path at ~/.openclaw/gateway.token.
+ */
+function resolveGatewayTokenPath(): string {
+  return path.join(os.homedir(), ".openclaw", GATEWAY_TOKEN_FILENAME);
+}
+
+/**
+ * Reads and caches the gateway token from ~/.openclaw/gateway.token.
+ * Returns null if the file does not exist or cannot be read.
+ */
+export function readGatewayToken(): string | null {
+  if (cachedGatewayToken !== undefined) {
+    return cachedGatewayToken;
+  }
+  try {
+    const tokenPath = resolveGatewayTokenPath();
+    const raw = fs.readFileSync(tokenPath, "utf-8").trim();
+    cachedGatewayToken = raw.length > 0 ? raw : null;
+  } catch {
+    cachedGatewayToken = null;
+  }
+  return cachedGatewayToken;
+}
+
+/**
+ * Computes HMAC-SHA256 of config content using the gateway token.
+ */
+export function computeConfigHmac(content: string, token: string): string {
+  return crypto.createHmac("sha256", token).update(content).digest("hex");
+}
+
+/**
+ * Resolves the sidecar HMAC signature file path for a config path.
+ */
+export function resolveConfigSigPath(configPath: string): string {
+  return `${configPath}${SIG_EXTENSION}`;
+}
+
+/**
+ * Writes the HMAC signature sidecar file after a config write.
+ * Best-effort; failures are silently ignored.
+ */
+export async function writeConfigHmacSig(configPath: string, configContent: string): Promise<void> {
+  const token = readGatewayToken();
+  if (!token) {
+    return;
+  }
+  try {
+    const hmac = computeConfigHmac(configContent, token);
+    const sigPath = resolveConfigSigPath(configPath);
+    await fs.promises.writeFile(sigPath, hmac, { encoding: "utf-8", mode: 0o600 });
+  } catch {
+    // best-effort
+  }
+}
+
+export type ConfigHmacVerifyResult =
+  | { status: "ok" }
+  | { status: "no-token" }
+  | { status: "no-sig" }
+  | { status: "mismatch" }
+  | { status: "error"; detail: string };
+
+/**
+ * Verifies the HMAC signature sidecar file against config content.
+ * Returns a discriminated result indicating the verification outcome.
+ */
+export function verifyConfigHmac(
+  configPath: string,
+  configContent: string,
+): ConfigHmacVerifyResult {
+  const token = readGatewayToken();
+  if (!token) {
+    return { status: "no-token" };
+  }
+  const sigPath = resolveConfigSigPath(configPath);
+  let storedHmac: string;
+  try {
+    storedHmac = fs.readFileSync(sigPath, "utf-8").trim();
+  } catch {
+    return { status: "no-sig" };
+  }
+  if (storedHmac.length === 0) {
+    return { status: "no-sig" };
+  }
+  try {
+    const expectedHmac = computeConfigHmac(configContent, token);
+    if (storedHmac === expectedHmac) {
+      return { status: "ok" };
+    }
+    return { status: "mismatch" };
+  } catch (err: unknown) {
+    const detail = err instanceof Error ? err.message : "unknown error during HMAC verification";
+    return { status: "error", detail };
+  }
+}
+
+/**
+ * Clears the cached gateway token. Useful for testing.
+ */
+export function clearGatewayTokenCache(): void {
+  cachedGatewayToken = undefined;
+}