diff --git a/docs/cli/security.md b/docs/cli/security.md index b68105a91e..6b10fc2678 100644 --- a/docs/cli/security.md +++ b/docs/cli/security.md @@ -22,5 +22,5 @@ openclaw security audit --deep openclaw security audit --fix ``` -The audit warns when multiple DM senders share the main session and recommends `session.dmScope="per-channel-peer"` (or `per-account-channel-peer` for multi-account channels) for shared inboxes. +The audit warns when multiple DM senders share the main session and recommends **secure DM mode**: `session.dmScope="per-channel-peer"` (or `per-account-channel-peer` for multi-account channels) for shared inboxes. It also warns when small models (`<=300B`) are used without sandboxing and with web/browser tools enabled. diff --git a/docs/concepts/session.md b/docs/concepts/session.md index 2e99f50ca8..6d4afc7e46 100644 --- a/docs/concepts/session.md +++ b/docs/concepts/session.md @@ -17,6 +17,26 @@ Use `session.dmScope` to control how **direct messages** are grouped: - `per-account-channel-peer`: isolate by account + channel + sender (recommended for multi-account inboxes). Use `session.identityLinks` to map provider-prefixed peer ids to a canonical identity so the same person shares a DM session across channels when using `per-peer`, `per-channel-peer`, or `per-account-channel-peer`. +### Secure DM mode (recommended) + +If your agent can receive DMs from **multiple people** (pairing approvals for more than one sender, a DM allowlist with multiple entries, or `dmPolicy: "open"`), enable **secure DM mode** to avoid cross-user context leakage: + +```json5 +// ~/.openclaw/openclaw.json +{ + session: { + // Secure DM mode: isolate DM context per channel + sender. + dmScope: "per-channel-peer", + }, +} +``` + +Notes: + +- Default is `dmScope: "main"` for continuity (all DMs share the main session). +- For multi-account inboxes on the same channel, prefer `per-account-channel-peer`. +- If the same person contacts you on multiple channels, use `session.identityLinks` to collapse their DM sessions into one canonical identity. + ## Gateway is the source of truth All session state is **owned by the gateway** (the “master” OpenClaw). UI clients (macOS app, WebChat, etc.) must query the gateway for session lists and token counts instead of reading local files. diff --git a/docs/gateway/configuration-examples.md b/docs/gateway/configuration-examples.md index 8a2061bada..6924bc5366 100644 --- a/docs/gateway/configuration-examples.md +++ b/docs/gateway/configuration-examples.md @@ -446,6 +446,32 @@ Save to `~/.openclaw/openclaw.json` and you can DM the bot from that number. } ``` +### Secure DM mode (shared inbox / multi-user DMs) + +If more than one person can DM your bot (multiple entries in `allowFrom`, pairing approvals for multiple people, or `dmPolicy: "open"`), enable **secure DM mode** so DMs from different senders don’t share one context by default: + +```json5 +{ + // Secure DM mode (recommended for multi-user or sensitive DM agents) + session: { dmScope: "per-channel-peer" }, + + channels: { + // Example: WhatsApp multi-user inbox + whatsapp: { + dmPolicy: "allowlist", + allowFrom: ["+15555550123", "+15555550124"], + }, + + // Example: Discord multi-user inbox + discord: { + enabled: true, + token: "YOUR_DISCORD_BOT_TOKEN", + dm: { enabled: true, allowFrom: ["alice", "bob"] }, + }, + }, +} +``` + ### OAuth with API key failover ```json5 diff --git a/docs/gateway/configuration.md b/docs/gateway/configuration.md index a7b528b62e..75cd808771 100644 --- a/docs/gateway/configuration.md +++ b/docs/gateway/configuration.md @@ -2766,6 +2766,7 @@ Fields: - `per-peer`: isolate DMs by sender id across channels. - `per-channel-peer`: isolate DMs per channel + sender (recommended for multi-user inboxes). - `per-account-channel-peer`: isolate DMs per account + channel + sender (recommended for multi-account inboxes). + - Secure DM mode (recommended): set `session.dmScope: "per-channel-peer"` when multiple people can DM the bot (shared inboxes, multi-person allowlists, or `dmPolicy: "open"`). - `identityLinks`: map canonical ids to provider-prefixed peers so the same person shares a DM session across channels when using `per-peer`, `per-channel-peer`, or `per-account-channel-peer`. - Example: `alice: ["telegram:123456789", "discord:987654321012345678"]`. - `reset`: primary reset policy. Defaults to daily resets at 4:00 AM local time on the gateway host. diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 6194507529..f9f9fe2daf 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -205,7 +205,16 @@ By default, OpenClaw routes **all DMs into the main session** so your assistant } ``` -This prevents cross-user context leakage while keeping group chats isolated. If you run multiple accounts on the same channel, use `per-account-channel-peer` instead. If the same person contacts you on multiple channels, use `session.identityLinks` to collapse those DM sessions into one canonical identity. See [Session Management](/concepts/session) and [Configuration](/gateway/configuration). +This prevents cross-user context leakage while keeping group chats isolated. + +### Secure DM mode (recommended) + +Treat the snippet above as **secure DM mode**: + +- Default: `session.dmScope: "main"` (all DMs share one session for continuity). +- Secure DM mode: `session.dmScope: "per-channel-peer"` (each channel+sender pair gets an isolated DM context). + +If you run multiple accounts on the same channel, use `per-account-channel-peer` instead. If the same person contacts you on multiple channels, use `session.identityLinks` to collapse those DM sessions into one canonical identity. See [Session Management](/concepts/session) and [Configuration](/gateway/configuration). ## Allowlists (DM + groups) — terminology