
#7874: docs: add public/untrusted agent profile

by ichbinlucaskim, open, 2026-02-03 08:33
docs gateway stale
#7827

### Summary

This PR documents a **public/untrusted agent profile** for group- or publicly-facing agents. The profile is sandboxed by default, denies high-risk tools, and avoids long-lived memory in shared contexts. All changes are additive and opt-in; no existing agent behavior or defaults are modified.

### What’s changed

1. **Security guide: public/untrusted agent profile**
   - **File:** `docs/gateway/security/index.md`
   - Adds a new **“Public / untrusted agent profile”** section under per-agent access profiles.
   - Defines a schema-accurate `agents.list[].public` configuration that:
     - Uses a dedicated workspace:
       - `workspace: "~/.openclaw/workspace-public"`
     - Enforces full sandboxing:
       - `sandbox.mode: "all"` – all sessions for this agent run in Docker.
       - `sandbox.scope: "agent"` – per-agent isolation.
       - `sandbox.workspaceAccess: "none"` – no host workspace mount.
       - `sandbox.docker.network: "none"` – no outbound network from the sandbox.
     - Locks down tools via `tools`:
       - Starts from `profile: "messaging"` as a safe baseline.
       - Denies high-risk tools with `deny`, including:
         - Shell/host tools: `exec`, `process`, `gateway`, `nodes`, `cron`.
         - Web tools: `browser`, `web_search`, `web_fetch`.
         - Generic mutation tools: `write`, `edit`, `apply_patch`, `fs_write`, `fs_delete`, `image_edit`.
     - Disables per-agent long-lived memory:
       - `memorySearch.enabled: false`
       - `memorySearch.experimental.sessionMemory: false`
   - The text explains when to use this profile:
     - Agents that can be contacted by many or unknown users (public group channels, open DMs).
     - Surfaces where abuse is expected, and tool/data exposure must be minimized.
   - Cross-links to:
     - [Sandboxing](/gateway/sandboxing) for `mode`, `scope`, `workspaceAccess`, and `docker` hardening knobs.
     - [Tools](/tools) and [Multi-Agent Sandbox & Tools](/multi-agent-sandbox-tools) for tool groups and policy mechanics.
     - [Session Management](/concepts/session) and [Configuration](/gateway/configuration) for history/memory scoping.

2. **Configuration examples: public/untrusted agent example**
   - **File:** `docs/gateway/configuration-examples.md`
   - Adds a **“Public / untrusted agent example”** configuration that demonstrates:
     - A trusted **`main`** agent with a normal workspace.
     - A **`public`** agent configured with the public/untrusted profile described above.
     - A Discord guild binding:
       - `public-bot` channel:
         - `agent: "public"`
         - Intended as a public front door, using the sandboxed, tool-limited profile.
       - `ops` channel:
         - `agent: "main"`
         - Private/operations channel with full capabilities.
     - The example also sets a global `session` configuration:
       - `session.scope: "per-sender"` – per-sender session isolation.
       - `session.reset.mode: "idle"` with `idleMinutes: 60` – keep shared histories shallow for public/group contexts.
   - The snippet is designed to be copy-pasteable and shows how to route untrusted traffic through the hardened agent while keeping a separate trusted agent for owner/ops flows.

3. **Security audit messaging: reference the profile**
   - **File:** `src/security/audit-extra.ts`
   - Extends the remediation text for the “small model risk” finding to mention this profile explicitly:
     - In addition to recommending sandboxing and disabling web tools for small models, the message now suggests:
       - Routing shared or group-facing rooms through a **public/untrusted agent profile** with:
         - `sandbox.mode = "all"`
         - `workspaceAccess = "none"`
         - `docker.network = "none"`
         - high-risk tools denied by default.
   - No audit logic is changed; only the human-readable guidance is updated to match the new documented profile.

### Non-goals

- No changes to global defaults:
  - `agents.defaults`, `sandbox`, `session`, and tool policies remain unchanged.
- No automatic migration of existing agents to the public/untrusted profile.
- No changes to non-English documentation; translations can adopt the new profile in separate PRs.

### Rationale

OpenClaw’s security docs and third-party hardening guides already recommend treating public/group-facing agents as untrusted surfaces: sandbox them, restrict tools, and avoid long-lived memory in shared contexts. This PR consolidates that guidance into a single, schema-correct **public/untrusted agent profile**, plus a concrete configuration example and a pointer from the security audit. Operators get a clear, copy-pasteable profile for public agents without impacting existing deployments or defaults.

## Greptile Overview

### Greptile Summary

Adds documentation for a hardened “public / untrusted agent” profile (sandbox all sessions, no host workspace mount, no sandbox egress, deny high-risk tools, disable long-lived memory), plus a copy/paste configuration example showing how to route public Discord channels to that agent while keeping a separate privileged `main` agent. Also extends the small-model security audit remediation text to reference routing shared/group-facing rooms through this hardened profile.

These changes fit the existing gateway security docs by providing an explicit per-agent hardening template and linking to the sandbox/tool precedence docs for operators running multi-agent setups.

### Confidence Score: 4/5

- This PR is safe to merge; issues are limited to a couple of misleading config/tool identifiers in docs/remediation text.
- Changes are documentation plus a single remediation string update. No runtime logic changes. The main concern is correctness of configuration keys/tool IDs for copy/paste examples.
- docs/gateway/security/index.md, docs/gateway/configuration-examples.md, src/security/audit-extra.ts
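As an added example (not part of this PR and not OpenClaw's own config schema or audit code), a small Python lint that checks one `agents.list[]` entry against the profile the description lays out, flagging any pinned setting that is unset or drifted and any high-risk tool missing from `tools.deny`. It assumes the nested-dict layout implied by the dotted keys above (e.g. `sandbox.docker.network`) and uses constructed sample entries.

```python
# Tool IDs the PR description lists under tools.deny for the profile.
HIGH_RISK_TOOLS = frozenset({
    "exec", "process", "gateway", "nodes", "cron",               # shell/host
    "browser", "web_search", "web_fetch",                        # web
    "write", "edit", "apply_patch", "fs_write", "fs_delete", "image_edit",
})

# Settings the profile pins to one value (dotted key -> required value).
# Key layout is assumed from the PR text, not taken from OpenClaw's schema.
PINNED = {
    "sandbox.mode": "all", "sandbox.scope": "agent",
    "sandbox.workspaceAccess": "none", "sandbox.docker.network": "none",
    "memorySearch.enabled": False, "memorySearch.experimental.sessionMemory": False,
}

def lookup(cfg, dotted):
    """Walk a dotted key through nested dicts; a missing key yields None."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return None
        cfg = cfg[part]
    return cfg

def audit_public_agent(agent):
    """Return one finding per deviation; an empty list means compliant.
    An unset key is a finding too: the profile is opt-in, so silently
    inheriting agents.defaults is exactly what it is meant to avoid."""
    findings = []
    for key, want in PINNED.items():
        got = lookup(agent, key)
        if got != want:
            findings.append(f"{key}={got!r}, profile requires {want!r}")
    missing = sorted(HIGH_RISK_TOOLS - set(lookup(agent, "tools.deny") or []))
    if missing:
        findings.append("tools.deny missing: " + ", ".join(missing))
    return findings

# Constructed sample: the profile as the PR describes it.
HARDENED = {
    "workspace": "~/.openclaw/workspace-public",
    "sandbox": {"mode": "all", "scope": "agent", "workspaceAccess": "none",
                "docker": {"network": "none"}},
    "tools": {"profile": "messaging", "deny": sorted(HIGH_RISK_TOOLS)},
    "memorySearch": {"enabled": False, "experimental": {"sessionMemory": False}},
}
# Constructed sample: the same entry after drift (sandbox egress back on, exec allowed).
DRIFTED = {
    **HARDENED,
    "sandbox": {**HARDENED["sandbox"], "docker": {"network": "bridge"}},
    "tools": {"profile": "messaging", "deny": sorted(HIGH_RISK_TOOLS - {"exec"})},
}
```

Running `audit_public_agent` over every agent bound to a public channel in CI catches a profile that has quietly drifted back toward the defaults before the agent is exposed.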
