feat(setup): inject Windows-node guidance into AGENTS.md after pairing

[paulcam206]

Summary

Adds a new setup step (WindowsNodeBootstrapContextStep) that runs after node pairing and injects a managed <!-- BEGIN ... --> / <!-- END ... --> block into the gateway's AGENTS.md. The injected block tells the OpenClaw agent how to use the paired Windows tray node (the nodes tool, exec host=node, tools.exec defaults, etc.) so the agent stops trying to do Windows-only work inside the WSL gateway.

Without this step, the agent has no idea a Windows companion node exists and treats the gateway as the only execution surface.

Behavior

• Resolves the gateway's agent workspace from openclaw config get agents.defaults.workspace (or a WindowsNodeContext.WorkspacePath override).
• Creates AGENTS.md if missing; appends the managed block; preserves any existing content above it.
• Idempotent — re-running replaces the existing block in place, leaving exactly one BEGIN/END pair.
• Rollback removes the managed block and restores the surrounding content; never touches symlinks.

Implementation notes

1. Pure POSIX shell, no Node.js dependency

The previous internal iteration of this step embedded a Node.js script for the file mutation. That broke at runtime in bare WSL distros: openclaw setup is the Rust CLI, not a Node.js app, so node is not guaranteed to be installed. This PR uses awk + base64 + standard POSIX builtins instead — no node, no embedded JS, no heredocs.

2. Stdin path on RunInWslAsync (new opt-in)

While debugging this step against a fresh Ubuntu-26.04 we re-discovered a long-standing wsl.exe gotcha already half-documented at SetupSteps.cs:937-939:

wsl.exe -- bash -c <script> performs shell-variable expansion on argv before bash sees it, silently dropping any $var reference that isn't defined in the Windows process environment.

So workspace='/home/openclaw/...'; mkdir -p "$workspace" arrives at bash as mkdir -p "" and dies with cannot create directory ''. This PR adds an opt-in inputViaStdin: true parameter to ICommandRunner.RunInWslAsync that pipes the script to bash -s over stdin (which wsl.exe doesn't touch). The new step opts in; existing callers are unchanged.

A new docs/WSL_EXE_ARGV_PITFALL.md documents the pitfall with the empirical reproduction table, ranked fixes, and what does NOT work (single quotes, double quotes, braces, subshells, prefix assignment, -e VAR=val forwarding — all verified). The existing ValidateWslLockdownStep comment is expanded with a cross-reference, and AGENTS.md plus docs/WINDOWS_NODE_TESTING.md get pointers so future agents discover it from the right entry points.

3. Workspace-path consistency

WindowsNodeContext.WorkspacePath overrides like ~/foo or relative paths used to be passed raw to openclaw setup --workspace while the apply script ran against the ExpandLinuxPath-resolved version, which could land setup and injection in different directories. The override is now expanded once and threaded through both invocations.

4. Helper calls that include $PATH

RunOpenclawSetupAsync and ResolveWorkspacePathAsync build their command via ctx.WslPathPrefix, which references $PATH. On the argv path, wsl.exe expands $PATH to the Windows $PATH — usually harmless because the Linux openclaw bin is prepended, but fragile. Both helpers now use the stdin path so the Linux $PATH is preserved.

Validation

• ./build.ps1 ✅
• OpenClaw.Shared.Tests — 2045 passed / 29 skipped ✅
• OpenClaw.Tray.Tests — 934 passed ✅
• OpenClaw.SetupEngine.Tests — 222 passed (added tilde-override regression + per-call stdin-vs-argv assertions) ✅
• Live smoke against bare Ubuntu-26.04 (no openclaw, no node) ✅
  • Apply to missing file → bootstrap fallback + injection
  • Apply preserves pre-existing content + appends managed block
  • Apply twice → exactly 1 BEGIN marker (idempotent)
  • Rollback removes managed block, leaves surrounding content intact
• Autoreview (copilot, --mode local): autoreview clean: no accepted/actionable findings reported · patch is correct (0.82) ✅

Files

Area	What
src/OpenClaw.SetupEngine/CommandRunner.cs	New inputViaStdin parameter; XML docs explaining the pitfall
src/OpenClaw.SetupEngine/SetupSteps.cs	WindowsNodeBootstrapContextStep (apply + rollback); expanded existing pitfall comment
src/OpenClaw.SetupEngine/SetupPipeline.cs	Registers the new step after PairNodeStep and before VerifyEndToEndStep
src/OpenClaw.SetupEngine/SetupContext.cs	WindowsNodeContextConfig (Enabled, WorkspacePath, TimeoutSeconds)
src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs	Markers + managed-block payload
src/OpenClaw.SetupEngine/default-config.json	Default WindowsNodeContext section
tests/OpenClaw.SetupEngine.Tests/*	Tests for config, pipeline ordering, script shape, override expansion, stdin invariants, rollback
docs/WSL_EXE_ARGV_PITFALL.md	New permanent footgun reference
docs/WINDOWS_NODE_TESTING.md, docs/ONBOARDING_WIZARD.md, AGENTS.md	Cross-references and behavior notes

[clawsweeper]

Codex review: found issues before merge. Reviewed June 18, 2026, 3:26 AM ET / 07:26 UTC.

Summary
The branch adds a default post-pairing setup step that seeds the WSL workspace and injects a managed Windows-node AGENTS.md block, plus stdin-based WSL command execution, config, docs, and setup tests.

Reproducibility: not applicable. This PR adds new setup behavior rather than fixing a reproduced current-main bug. Review confidence comes from source/diff inspection, PR discussion, and the contributor's live smoke proof.

Review metrics: 3 noteworthy metrics.

• Diff size: 13 files, +906/-10. The PR spans setup code, config, docs, and tests, so it needs setup-flow and upgrade-policy review rather than a narrow code-only pass.
• Default setup steps: 1 added. A new default setup step can change fresh onboarding behavior and failure modes for every local WSL setup.
• Managed guidance blocks: 1 workspace-global AGENTS.md block added. Workspace-global agent instructions can affect channel routing and command-execution behavior outside the initial Windows tray chat.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Revise the injected AGENTS.md payload to be explicitly scoped to intentional paired Windows-node work.
• Remove or move permissive tools.exec guidance behind explicit consent, diagnostics, or documentation.
• Make AGENTS.md enrichment failures non-blocking and refresh the draft/conflicting branch.

Risk before merge

• [P1] Merging as-is would inject workspace-global guidance that can affect non-local sessions such as remote gateway, Telegram-originated work, or future multi-node contexts.
• [P1] The managed AGENTS.md payload advises tools.exec.ask off and tools.exec.security full, which can weaken gateway command-execution posture if followed from global agent guidance.
• [P1] The new setup step is enabled by default and can fail onboarding after pairing if AGENTS.md is a symlink, markers are malformed, or the enrichment script times out or fails.
• [P1] The PR is currently draft and GitHub reports it as conflicting, so maintainers need a refreshed branch before any final merge decision.

Maintainer options:

1. Revise the setup guidance before merge (recommended)
   Narrow the managed AGENTS.md text to intentional paired-node tasks, remove the permissive tools.exec commands from automatic guidance, and downgrade enrichment failures to a warning or skip.
2. Accept the global guidance policy explicitly
   Maintainers could choose to keep the global AGENTS.md injection and fail-closed behavior, but that should be an explicit product/security decision in the PR discussion.
3. Pause until the direction is settled
   Because the PR is draft and conflicting, maintainers can keep it paused or close it if the desired path is documentation or explicit setup UX instead of automatic AGENTS.md mutation.

Next step before merge

• [P2] The PR is draft, conflicting, and needs maintainer/contributor revision of setup guidance policy and failure behavior rather than a narrow automated repair lane.

Security
Needs attention: The diff adds no dependency or workflow supply-chain risk, but the managed AGENTS.md block creates a command-execution security concern by recommending permissive gateway exec settings globally.

Review findings

• [P1] Scope the managed Windows-node guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9
• [P1] Remove permissive exec defaults from managed guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17-19
• [P1] Do not fail onboarding on optional AGENTS enrichment — src/OpenClaw.SetupEngine/SetupSteps.cs:2353-2354

Review details

Best possible solution:

Land only after the managed guidance is scoped to intentional use of this paired Windows node, permissive gateway exec recommendations are removed or moved behind explicit consent/docs, and AGENTS enrichment becomes non-blocking after pairing.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds new setup behavior rather than fixing a reproduced current-main bug. Review confidence comes from source/diff inspection, PR discussion, and the contributor's live smoke proof.

Is this the best way to solve the issue?

No, not as-is: the stdin WSL execution and managed-marker mechanics are useful, but the global guidance content and fail-closed enrichment behavior need revision before this is the maintainable solution.

Full review comments:

• [P1] Scope the managed Windows-node guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9
  This text is injected into the workspace-global AGENTS.md, so it can bias sessions that did not originate from the local tray, including remote gateway, Telegram, or future multi-node work. Please scope it to tasks that intentionally need this paired Windows node.
  Confidence: 0.87
• [P1] Remove permissive exec defaults from managed guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17-19
  The managed block tells the agent to suggest tools.exec.ask off and tools.exec.security full. A related policy discussion explicitly says permissive gateway exec defaults need visible consent or docs, not automatic global guidance, so this should be removed or gated before merge.
  Confidence: 0.92
• [P1] Do not fail onboarding on optional AGENTS enrichment — src/OpenClaw.SetupEngine/SetupSteps.cs:2353-2354
  When the apply script does not emit WINDOWS_NODE_CONTEXT_READY, this default post-pairing step returns StepResult.Fail, which fails the setup pipeline even though pairing already succeeded. Make symlink, malformed marker, timeout, and injection failures non-blocking or self-healing as requested in review.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 234fa8ff097f.

Label changes

Label changes:

• add merge-risk: 🚨 security-boundary: The injected global guidance suggests disabling gateway exec prompts and using permissive gateway exec security settings.
• add merge-risk: 🚨 availability: Optional post-pairing enrichment currently returns setup failure when the AGENTS.md mutation fails, which can block onboarding.
• add proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body reports after-fix live smoke on a bare Ubuntu-26.04 WSL setup, and the attached screenshot shows a real tray-node notification task succeeding; the remaining blockers are policy and merge-readiness, not absent proof.
• add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The PR body reports after-fix live smoke on a bare Ubuntu-26.04 WSL setup, and the attached screenshot shows a real tray-node notification task succeeding; the remaining blockers are policy and merge-readiness, not absent proof.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🧂 unranked krab, so this older rating label is no longer current.
• remove status: 👀 ready for maintainer look: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P2: This is a normal-priority setup improvement with bounded but real onboarding, compatibility, and command-execution-policy impact.
• merge-risk: 🚨 compatibility: The PR changes default setup behavior by writing a managed AGENTS.md block and failing on some existing workspace AGENTS.md shapes.
• merge-risk: 🚨 security-boundary: The injected global guidance suggests disabling gateway exec prompts and using permissive gateway exec security settings.
• merge-risk: 🚨 availability: Optional post-pairing enrichment currently returns setup failure when the AGENTS.md mutation fails, which can block onboarding.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The PR body reports after-fix live smoke on a bare Ubuntu-26.04 WSL setup, and the attached screenshot shows a real tray-node notification task succeeding; the remaining blockers are policy and merge-readiness, not absent proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body reports after-fix live smoke on a bare Ubuntu-26.04 WSL setup, and the attached screenshot shows a real tray-node notification task succeeding; the remaining blockers are policy and merge-readiness, not absent proof.
• proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body reports after-fix live smoke on a bare Ubuntu-26.04 WSL setup, and the attached screenshot shows a real tray-node notification task succeeding; the remaining blockers are policy and merge-readiness, not absent proof.

Evidence reviewed

Security concerns:

• [medium] Permissive exec settings in global guidance — src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:17
  The injected workspace-global guidance recommends disabling gateway exec prompts and setting gateway exec security to full; this can weaken the command-execution boundary if followed outside an explicit user/developer consent flow.
  Confidence: 0.9

What I checked:

• Repository policy read: AGENTS.md was read fully; its setup, pairing, node, MCP, tray UX, and validation guidance shaped the review, while validation commands were not run because this cleanup review is read-only. (AGENTS.md:1, 234fa8ff097f)
• Current main lacks the requested implementation: A current-main search found no WindowsNodeBootstrapContext, WindowsNodeContext, WSL_EXE_ARGV doc, managed marker, or tools.exec guidance injection in setup/docs/tests. (234fa8ff097f)
• Current main setup pipeline has no post-pairing context step: Current main runs PairNodeStep directly before VerifyEndToEndStep, so this PR is not obsolete on main. (src/OpenClaw.SetupEngine/SetupPipeline.cs:59, 234fa8ff097f)
• PR adds the new default setup step: The PR inserts WindowsNodeBootstrapContextStep after PairNodeStep and before VerifyEndToEndStep. (src/OpenClaw.SetupEngine/SetupPipeline.cs:60, e028dc07884c)
• Managed guidance is workspace-global and includes permissive exec advice: The injected AGENTS.md payload tells agents to target the Windows node for Windows work and suggests tools.exec.ask off plus tools.exec.security full. (src/OpenClaw.SetupEngine/WindowsNodeContextSection.cs:9, e028dc07884c)
• Optional enrichment currently fails setup: ExecuteAsync returns StepResult.Fail when the apply script exits non-zero or lacks the READY marker; the apply script exits on symlinked AGENTS.md and malformed markers. (src/OpenClaw.SetupEngine/SetupSteps.cs:2353, e028dc07884c)

Likely related people:

• ranjeshj: Recent history touches setup pairing hardening in SetupSteps, and the related gateway exec policy issue was closed with the security/product direction this PR must respect. (role: recent setup contributor and policy decision participant; confidence: high; commits: ea36b12f9e4c, d4284d43fb6a; files: src/OpenClaw.SetupEngine/SetupSteps.cs, tests/OpenClaw.SetupEngine.Tests/SetupStepsTests.cs)
• AlexAlves87: Current-main blame for SetupStepFactory, SetupSteps, and setup tests points to the large setup-engine introduction commit available in this checkout. (role: introduced available setup-engine snapshot; confidence: medium; commits: d5543b904507; files: src/OpenClaw.SetupEngine/SetupPipeline.cs, src/OpenClaw.SetupEngine/SetupSteps.cs, tests/OpenClaw.SetupEngine.Tests/SetupStepsTests.cs)
• shanselman: The PR discussion contains direct review guidance from this account, and current history includes adjacent setup hardening in SetupSteps. (role: reviewer in PR discussion and adjacent setup contributor; confidence: medium; commits: d23f8ca50013; files: src/OpenClaw.SetupEngine/SetupSteps.cs)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[paulcam206]

just as a heads up -- this change is a little wonky in terms of what we're doing... it works, but I wouldn't say that it's elegant.

anyways, here's a completely clean install being asked to pop a notification:

[shanselman]

@paulcam206 does it only do it if the message is coming in via the Windows app?

[shanselman]

Automated Copilot review note from the wide PR triage pass:

I would not treat this as safe to merge at 90% confidence yet, even aside from the current conflict state. The core concern is scope: this PR injects Windows-node guidance into the gateway workspace's global AGENTS.md, so it can affect agent behavior for requests that did not originate from the local Windows tray chat — for example Telegram-originated work, remote/gateway sessions, or future multi-node scenarios.

Two things I think should be tightened before merge:

1. Scope the guidance to cases where the task explicitly needs this paired Windows machine. The current wording can over-bias the agent toward the local Windows node for broadly described Windows/files/browser/notification work, even when the request came from another channel or another node context.
2. Avoid putting permission-relaxing config advice in global agent guidance. The suggested openclaw config set tools.exec.ask off and openclaw config set tools.exec.security full commands are especially risky when Telegram/remote messages may influence the agent. If those defaults are needed for setup, they should be handled by explicit setup/config UX with user consent, not broad AGENTS.md instructions.

Separately, because this is post-pairing enrichment, I would prefer injection failures/timeouts/malformed existing markers to be non-terminal or self-healing where possible. Optional guidance should not block onboarding after pairing succeeds.

[shanselman]

Thanks for the proof and the implementation here. I don't think this is safe to merge as-is yet because the generated AGENTS.md guidance is workspace-global, so it can influence sessions regardless of where the request originated — local tray, remote gateway, Telegram, or another paired node. It also currently suggests broad tools.exec permission changes, which is risky guidance to inject automatically.

Could you please revise this so the injected guidance is clearly scoped to tasks that intentionally need this paired Windows node, remove or soften the permissive tools.exec config recommendations, and ensure AGENTS enrichment is non-blocking for pairing/onboarding if it times out or fails? After that, this should get another focused review.