Doctor: warn on implicit heartbeat directPolicy (#36789)

* Changelog: note heartbeat directPolicy doctor warning * Tests: cover heartbeat directPolicy doctor warning * Doctor: warn on implicit heartbeat directPolicy * Tests: cover per-agent heartbeat directPolicy warning * Update CHANGELOG.md
2026-05-10 13:05:01 +00:00 · 2026-03-05 23:22:39 -05:00
parent 87e38da826
commit e5481ac79f
3 changed files with 104 additions and 0 deletions
--- a/src/commands/doctor-security.test.ts
+++ b/src/commands/doctor-security.test.ts
@@ -135,4 +135,66 @@ describe("noteSecurityWarnings gateway exposure", () => {
    expect(message).toContain("exec-approvals.json");
    expect(message).toContain("openclaw approvals get --gateway");
  });
+
+  it("warns when heartbeat delivery relies on implicit directPolicy defaults", async () => {
+    const cfg = {
+      agents: {
+        defaults: {
+          heartbeat: {
+            target: "last",
+          },
+        },
+      },
+    } as OpenClawConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain("Heartbeat defaults");
+    expect(message).toContain("agents.defaults.heartbeat.directPolicy");
+    expect(message).toContain("direct/DM targets by default");
+  });
+
+  it("warns when a per-agent heartbeat relies on implicit directPolicy", async () => {
+    const cfg = {
+      agents: {
+        list: [
+          {
+            id: "ops",
+            heartbeat: {
+              target: "last",
+            },
+          },
+        ],
+      },
+    } as OpenClawConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain('Heartbeat agent "ops"');
+    expect(message).toContain('heartbeat.directPolicy for agent "ops"');
+    expect(message).toContain("direct/DM targets by default");
+  });
+
+  it("skips heartbeat directPolicy warning when delivery is internal-only or explicit", async () => {
+    const cfg = {
+      agents: {
+        defaults: {
+          heartbeat: {
+            target: "none",
+          },
+        },
+        list: [
+          {
+            id: "ops",
+            heartbeat: {
+              target: "last",
+              directPolicy: "block",
+            },
+          },
+        ],
+      },
+    } as OpenClawConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).not.toContain("Heartbeat defaults");
+    expect(message).not.toContain('Heartbeat agent "ops"');
+  });
 });