Skip to content

feat(external): support macOS desktop credentials#983

Open
MuduiClaw wants to merge 24 commits into
openclaw:mainfrom
MuduiClaw:codex/kin-1161-macfleet-provider
Open

feat(external): support macOS desktop credentials#983
MuduiClaw wants to merge 24 commits into
openclaw:mainfrom
MuduiClaw:codex/kin-1161-macfleet-provider

Conversation

@MuduiClaw

@MuduiClaw MuduiClaw commented Jul 6, 2026

Copy link
Copy Markdown

Replaces #976 after its stack base merged into main.

Summary

  • allow the generic external provider to preserve Linux, macOS, native Windows, and WSL2 targets, including ARM64 hosts
  • persist target and Windows-mode routing so later lease commands restore the captured platform without overriding explicit target flags
  • add source-bound external desktop credentials via username plus password environment-variable name
  • use provider credentials consistently for WebVNC, screenshots, input, native VNC handoff, daemon children, and routed leases
  • authenticate macOS ARD or legacy VNC locally, then expose an already-authenticated RFB stream without sending the desktop password to the coordinator
  • add authenticated webvnc --preflight, including RFB 3.3, 3.7, 3.8, and accepted alias-banner handling
  • validate native-Windows work roots against drive roots, user profiles, protected directories, traversal/ambiguous components, short names, ADS, and reserved device aliases
  • document macOS credentials, native-Windows work-root requirements, preflight, and routing behavior

Maintainer hardening

  • rebased onto current main and resolved the WebVNC/RFB stack against the one-time portal handoff architecture
  • preserved legacy Parallels password-only VNC while using ARD accounts for provider-supplied macOS credentials
  • kept registered static macOS endpoints host-managed and preserved two macOS WebVNC slots for controller plus observer
  • made a configured-but-missing desktop password environment variable fail closed instead of falling back to an unrelated remote password file
  • kept webvnc status usable without loading desktop secrets
  • added a changelog entry thanking @MuduiClaw

Verification

Exact head: 09c89fe190de5631b75f9757df0d6d4565926b2f

  • go vet ./...
  • go test -race ./...
  • ./scripts/check-docs.sh
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --parallel-tests "go test -race ./internal/providers/external ./internal/cli -run 'External|external|WebVNC|VNC|RFB|MacOSDesktop|ValidateProviderTarget' -count=1" --stream-engine-output
    • clean: no accepted/actionable findings
  • focused RFB tests cover ARD, VNC, no-auth rejection, RFB 3.3, RFB 3.7, RFB 3.8, and accepted alias banners
  • focused External tests cover persisted target restoration, environment override routing, ARM64 targets, and safe native-Windows work roots

Live end-to-end External macOS proof remains credential-bound: no approved test endpoint currently exposes both SSH and Screen Sharing with a task-scoped credential. No endpoint security settings were changed. This PR is code-review and CI ready, but should retain the live-proof decision gate until such an endpoint is available or maintainers explicitly waive it.

Security and configuration

The desktop password value is never stored in Crabbox config, routing state, argv, or portal handoff. Config and daemon routing carry only the environment-variable name. The Crabbox process reads the value when an authenticated desktop operation starts, preserves it as opaque data, and fails closed if the configured variable is absent or empty.

For macOS WebVNC, Crabbox authenticates to ARD/VNC locally and gives the browser/coordinator only an already-authenticated RFB stream. Repository config cannot redirect an inherited desktop credential reference without a matching trusted or explicit override.

@MuduiClaw

Copy link
Copy Markdown
Author

Rebased this work onto current main after #972 landed.

Current head: 6f64b1e35811dd44798948615dcda86b73d32376

Verification run locally:

  • go test ./internal/providers/external ./internal/providers/all
  • go test ./internal/cli -run 'Test(ExternalDesktopCredentialsEnv|WebVNCCredentialsPreferProviderHook|IsMacOSDesktopProviderOnlyDedicatedMacOS|GuardMacOSDirectWebVNC|WebVNCBridgeArgsPreserveProviderRouting|WebVNCResetRemoteCommandHandlesWaylandAndX11)' -count=1
  • bash scripts/check-docs.sh
  • node scripts/generate-provider-matrix.mjs --check
  • git diff --check origin/main...HEAD

Security note: the desktop password value is never stored in config or passed on argv; only the environment variable name is configured.

@clawsweeper

clawsweeper Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge. Reviewed July 9, 2026, 7:30 AM ET / 11:30 UTC.

Summary
The branch adds External provider macOS/Windows targets, desktop username/passwordEnv credential config, persisted target routing, macOS WebVNC/preflight/native VNC credential handling, Windows work-root validation, tests, and docs.

Reproducibility: yes. for the review finding from source inspection: the PR head passes real ARD credentials into the local bridge, the handoff fetches /credentials, and the handler returns username/password. I did not run a live External macOS WebVNC endpoint.

Review metrics: 2 noteworthy metrics.

  • Diff surface: 31 files, +2216/-145. The branch spans provider config, credential provenance, WebVNC/RFB code, docs, and tests, so maintainer review has a broad surface.
  • Live External macOS proof: 0 artifacts. The discussion provides tests and CI, but no redacted live run shows the new External macOS desktop credential path.

Root-cause cluster
Relationship: canonical
Canonical: #983
Summary: This PR is the canonical open branch for External macOS desktop credentials; related PRs are prerequisites, superseded branches, or adjacent WebVNC work rather than replacements.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Fix ARD mode so the generated viewer cannot retrieve desktop credentials after the Go relay authenticates locally.
  • [P1] Add redacted live External macOS WebVNC/preflight proof using the configured passwordEnv path.
  • [P1] After proof and the security fix, get maintainer acceptance for the new External desktop credential surface.

Proof guidance:

  • [P1] Needs real behavior proof before merge: Tests, CI, and maintainer regression notes are present, but no redacted live External macOS WebVNC/preflight/portal handoff output or recording shows the new credential path; redact private details before posting proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Merging the current head would broaden the desktop credential boundary because ARD credentials remain retrievable by the generated local viewer despite local Go-side authentication.
  • [P1] No redacted live External macOS WebVNC/preflight/portal handoff proof shows the configured passwordEnv path working end to end.
  • [P1] The new External target and desktop credential configuration surface needs maintainer product acceptance before merge.
  • [P1] GitHub reports the current head as conflicting, so any final review needs to happen after conflicts are resolved.

Maintainer options:

  1. Keep ARD secrets in the relay (recommended)
    Change ARD mode so the generated viewer cannot retrieve desktop credentials and add focused coverage for the no-credential viewer path.
  2. Accept viewer credential exposure
    Maintainers could intentionally redefine the boundary to allow local viewer access to ARD credentials, but that should be documented and explicit.
  3. Pause until proof exists
    Keep the PR paused until an approved External macOS endpoint can produce redacted live WebVNC/preflight proof.

Next step before merge

  • [P1] Human review remains required because missing live External macOS proof, product-surface acceptance, merge conflicts, and the ARD credential-boundary bug cannot be resolved by cleanup closing.

Maintainer decision needed

  • Question: After the ARD viewer credential exposure is fixed and live proof exists or is explicitly waived, should Crabbox accept External macOS/Windows desktop credentials and WebVNC/preflight support as core External provider surface?
  • Rationale: The PR adds new provider targets, credential config, routing behavior, and desktop workflows; automation can identify the security bug but cannot approve the product boundary or waive live proof.
  • Likely owner: steipete — They own the strongest recent history across External credential boundaries and macOS WebVNC behavior.
  • Options:
    • Fix, prove, and consider landing (recommended): Require the ARD viewer credential fix plus redacted live External macOS WebVNC/preflight evidence before deciding whether to merge the full feature.
    • Narrow the feature: Keep only target/routing improvements and defer desktop credential handoff until the provider contract is explicitly designed.
    • Pause or close direction: Pause this PR if maintainers do not want this credential surface in the generic External provider now.

Security
Needs attention: ARD credentials still reach the generated local viewer even though the intended boundary is a locally authenticated RFB stream.

Review findings

  • [P1] Stop exposing ARD credentials through the local viewer — internal/cli/macos_webvnc.go:91-93
Review details

Best possible solution:

Land this only after ARD mode keeps desktop credentials inside the Go relay, live External macOS proof is added or explicitly waived, conflicts are resolved, and maintainers accept the new External desktop configuration surface.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding from source inspection: the PR head passes real ARD credentials into the local bridge, the handoff fetches /credentials, and the handler returns username/password. I did not run a live External macOS WebVNC endpoint.

Is this the best way to solve the issue?

No: the provider-hook direction fits the repository boundary, but the implementation must keep ARD credentials out of the browser/local viewer and still needs live proof plus maintainer acceptance.

Full review comments:

  • [P1] Stop exposing ARD credentials through the local viewer — internal/cli/macos_webvnc.go:91-93
    This call still passes the real desktop credentials into serveLocalWebVNCBridge while authMode can be ARD. That bridge always serves /credentials, and the generated handoff fetches it before connecting, so the browser can receive the ARD username/password even though the Go relay has already authenticated and then offers no-auth RFB to the viewer. Pass empty viewer credentials or disable the credential endpoint for ARD-local relay mode while preserving legacy VNC mode.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 0d768f6f5438.

Label changes

Label justifications:

  • P2: This is an unmerged feature PR with a security-boundary blocker and limited blast radius unless maintainers choose to land it.
  • merge-risk: 🚨 security-boundary: The diff adds desktop credential env references and still exposes ARD credentials to the generated viewer despite local relay authentication.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Tests, CI, and maintainer regression notes are present, but no redacted live External macOS WebVNC/preflight/portal handoff output or recording shows the new credential path; redact private details before posting proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
Evidence reviewed

Security concerns:

  • [high] ARD credentials still reach local viewer — internal/cli/macos_webvnc.go:91
    In ARD mode the Go relay authenticates to Screen Sharing locally, but the handoff still exposes a token-gated /credentials endpoint that returns the desktop username/password to the browser.
    Confidence: 0.9

What I checked:

  • Repository policy read: The full AGENTS.md was read and applied, especially the credential-handling, provider-boundary, and generic Crabbox positioning guidance. (AGENTS.md:1, 0d768f6f5438)
  • Current main lacks the central feature: Current main's External provider spec still advertises only linux and has no External desktop credential resolver, so the PR is not already implemented on main. (internal/providers/external/provider.go:25, 0d768f6f5438)
  • PR adds External desktop target and credential surface: At PR head, the External provider advertises linux, macos, windows/normal, and windows/wsl2 targets and resolves desktop credentials from a configured environment-variable reference. (internal/providers/external/provider.go:27, 09c89fe190de)
  • ARD credentials still reach the local viewer path: macOSWebVNCBridge passes the real credentials into serveLocalWebVNCBridge while authMode can be ARD, even though the Go relay authenticates locally. (internal/cli/macos_webvnc.go:91, 09c89fe190de)
  • Viewer credential endpoint returns username and password: The generated handoff fetches /credentials and macOSWebVNCCredentialsHandler returns the supplied username/password JSON after token validation. (internal/cli/macos_webvnc.go:321, 09c89fe190de)
  • PR discussion confirms missing live proof: The PR body and maintainer comments list tests, CI, and Apple VM regression work, but explicitly say live External macOS/WebVNC behavior proof remains credential-bound and still required or must be waived. (09c89fe190de)

Likely related people:

  • steipete: They authored the merged External credential-boundary work, the recent macOS WebVNC portal work, and most hardening commits on this PR branch. (role: recent area contributor and likely follow-up owner; confidence: high; commits: cb305ed2624d, 84c52338284d, 819d051d9b84; files: internal/cli/credential_provenance.go, internal/cli/macos_webvnc.go, internal/cli/webvnc.go)
  • anagnorisis2peripeteia: They introduced the original Tart desktop and secure WebVNC support that the current macOS bridge extends. (role: introduced macOS desktop behavior; confidence: medium; commits: 4e47e9877543; files: internal/cli/macos_webvnc.go, internal/cli/webvnc.go, docs/providers/tart.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (9 earlier review cycles; latest 8 shown)
  • reviewed 2026-07-06T19:58:54.517Z sha 52f8f25 :: needs real behavior proof before merge. :: [P1] Bind desktop passwordEnv to trusted provenance
  • reviewed 2026-07-06T22:06:56.587Z sha 52f8f25 :: needs real behavior proof before merge. :: [P1] Bind desktop passwordEnv to trusted provenance
  • reviewed 2026-07-06T22:17:11.854Z sha 52f8f25 :: needs real behavior proof before merge. :: [P1] Bind desktop passwordEnv to trusted provenance
  • reviewed 2026-07-07T04:50:31.537Z sha 8b7ac02 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-07T05:02:33.673Z sha 8b7ac02 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-07T07:13:12.212Z sha 8b7ac02 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-09T10:46:26.446Z sha f2d2857 :: needs real behavior proof before merge. :: [P1] Stop handing ARD credentials to the viewer
  • reviewed 2026-07-09T11:20:08.428Z sha 09c89fe :: needs real behavior proof before merge. :: [P1] Stop exposing ARD credentials through the local viewer

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 Urgent regression or broken agent/channel workflow affecting real users now. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jul 6, 2026
@steipete

steipete commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Maintainer repair pushed in 8b7ac021.

Fixed the P1 credential-boundary finding: external.connection.desktop.passwordEnv now carries config provenance. Repository config cannot select an inherited process secret unless the exact environment-variable reference is approved in trusted user config; explicit environment and CLI flag overrides remain allowed. Regression coverage includes repository rejection, exact trusted approval, and explicit environment override.

Verification:

  • go test -race ./internal/cli ./internal/providers/external -run 'Test(RepositorySSHDestinationsRejectInheritedOrAmbientAuthentication|ExternalDesktopPasswordEnvRequiresTrustedApproval|ExternalDesktopCredentialsEnv|FlagsOverrideDesktopCredentials|DesktopCredentialsUseEnvReference)' -count=1
  • go test ./internal/providers/external ./internal/providers/all ./internal/cli -count=1
  • go vet ./internal/providers/external ./internal/cli
  • Live Crabbox Apple VM: hydrated through https://github.com/openclaw/crabbox/actions/runs/28841777794, synced this dirty PR checkout, and reran the focused regression command successfully on lease cbx_ab2aa6daab45.
  • .agents/skills/autoreview/scripts/autoreview --mode local --stream-engine-output: clean, no accepted/actionable findings; correctness confidence 0.93.

Remaining merge gate: this repairs the source-bound credential bug, but does not claim the still-requested live macOS External/WebVNC behavior proof.

@steipete

steipete commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added P2 Normal priority bug or improvement with limited blast radius. and removed P1 Urgent regression or broken agent/channel workflow affecting real users now. labels Jul 7, 2026
@steipete

steipete commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

CI follow-up for 8b7ac021: all 9 checks are green, including the full Go race/modules/coverage gate, connector lifecycles, Apple VM, Worker, docs/scripts, release snapshot, and Socket checks. CI run: https://github.com/openclaw/crabbox/actions/runs/28842057791.

The completed ClawSweeper re-review confirms no concrete security bug remains and rates patch quality platinum. The PR remains intentionally unmerged because real macOS External/WebVNC behavior proof and maintainer acceptance of the feature surface are still required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants