
#18022: feat(tools): Structured Config Editor for JSON/YAML/TOML

by stakeswky open 2026-02-16 11:54
agents stale size: M
## Summary

Adds a `config_edit` agent tool that provides structured, parse-aware editing of configuration files. Instead of string replacement or temporary scripts, it parses the file into a data structure, performs the mutation, then serializes back — guaranteeing syntactically correct output every time.

## The Problem

When agents edit config files (JSON, YAML, TOML) using string manipulation (`sed`, `jq`, Python one-liners), it's error-prone:

- Missing commas, unclosed brackets, broken indentation
- Encoding issues with special characters
- No awareness of the document structure
- One bad edit can crash the system (as happened with `openclaw.json`)

## Solution

A dedicated tool that understands config file structure:

### Actions

| Action | Description |
|--------|-------------|
| `get` | Read a value at a dot-path |
| `set` | Write a value at a dot-path (auto-creates intermediates) |
| `delete` | Remove a key at a dot-path |
| `merge` | Deep-merge an object at a dot-path (`null` = delete key) |

### Features

- **Format auto-detection** by file extension (`.json`, `.yaml`/`.yml`, `.toml`)
- **Dot-path navigation**: `agents.defaults.model.primary`, `items.0.name`
- **Array index support**: numeric path segments index into arrays
- **Auto-creation**: `set` on a non-existent path creates intermediate objects/arrays
- **New file creation**: `set`/`merge` on a missing file starts from `{}`
- **Lazy-loaded deps**: YAML (`yaml`) and TOML (`smol-toml`) are imported only when needed

### Example Usage

```
// Read a nested value
config_edit({ action: "get", file: "config.json", path: "agents.defaults.model" })

// Set a value (creates intermediates if needed)
config_edit({ action: "set", file: "config.yaml", path: "server.port", value: "8080" })

// Deep-merge (null deletes keys)
config_edit({ action: "merge", file: "config.json", path: "agents", value: "{\"timeout\": 30}" })

// Delete a key
config_edit({ action: "delete", file: "settings.toml", path: "deprecated.oldKey" })
```

## Design Decisions

- **Parse → Mutate → Serialize** instead of regex/string ops: eliminates syntax errors by construction
- **Dot-path** over JSONPath/JSONPointer: simpler, covers 95% of use cases, familiar to developers
- **Lazy imports** for YAML/TOML: no new hard dependencies, graceful error if package missing
- **structuredClone** for immutable operations: original data never mutated in-place

## Files Changed

- `src/agents/tools/config-edit-tool.ts` (new file, 280 lines)

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Introduces a `config_edit` agent tool that provides structured editing of JSON/YAML/TOML configuration files via a parse-mutate-serialize approach. The design is solid in principle — parsing config files before mutation eliminates the class of syntax errors that plague `sed`/`jq`-based approaches.

However, the implementation has security and correctness issues that should be addressed before merging:

- **No sandbox enforcement on file I/O**: The tool performs raw `fs.readFile`/`fs.writeFile` on agent-supplied paths without calling `assertSandboxPath()` or using `SandboxFsBridge`, which every other file-writing tool in this codebase does. This allows path traversal and symlink escape attacks.
- **`parsePath` produces empty segments**: Consecutive, leading, or trailing dots (e.g., `a..b`, `.a.b`) create empty-string path segments that silently create or overwrite `""` properties in config data.
- **Not wired into tool registry**: `createConfigEditTool` is exported but never imported or registered in `openclaw-tools.ts`, so the tool is unreachable at runtime.
- Several other issues flagged in prior review threads (prototype pollution, null handling in `deleteByPath`, array asymmetry in `setByPath`) remain unaddressed.

<h3>Confidence Score: 1/5</h3>

- This PR needs security and correctness fixes before it is safe to merge.
- Score of 1 reflects missing sandbox path validation (a security gap compared to all other file-I/O tools in this codebase), unresolved prototype pollution vectors, and the tool not being registered for use. The core design is good but the implementation needs another pass.
- `src/agents/tools/config-edit-tool.ts` — the only file in this PR — requires sandbox integration for file I/O, parsePath hardening, and registration in `openclaw-tools.ts`.

<sub>Last reviewed commit: a9d4ee2</sub>

<!-- greptile_other_comments_section -->

<!-- /greptile_comment -->
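
The two dot-path findings in the review summary above (empty segments and prototype pollution), handled in one place as an added example that is not code from this PR or from the project. The names `parseDotPath`, `setByDotPath`, `isIndex` and the `Json` type are hypothetical, and the sandbox and registry findings are out of scope here.

```typescript
// Added example: hypothetical hardened dot-path helpers, not the PR's implementation.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Segments that reach the prototype chain when used as property names.
const FORBIDDEN_SEGMENTS = ["__proto__", "constructor", "prototype"];

function parseDotPath(path: string): string[] {
  const segments = path.split(".");
  for (const seg of segments) {
    // "", "a..b", ".a.b" and "a.b." all produce an empty segment here.
    if (seg === "") throw new Error(`empty segment in path "${path}"`);
    if (FORBIDDEN_SEGMENTS.indexOf(seg) !== -1) throw new Error(`forbidden segment "${seg}"`);
  }
  return segments;
}

const isIndex = (seg: string): boolean => /^(0|[1-9]\d*)$/.test(seg);

function setByDotPath(root: Json, path: string, value: Json): Json {
  const segments = parseDotPath(path);
  // JSON round-trip copy so the caller's data is never mutated in place.
  const copy: Json = JSON.parse(JSON.stringify(root));
  let node: Json = copy;
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i];
    const last = i === segments.length - 1;
    if (node === null || typeof node !== "object") {
      throw new Error(`"${seg}" is below a scalar in path "${path}"`);
    }
    // Container for a missing intermediate: array if the next segment is an index.
    const fresh = (): Json => (isIndex(segments[i + 1]) ? [] : {});
    if (Array.isArray(node)) {
      if (!isIndex(seg) || Number(seg) > node.length) {
        throw new Error(`bad array index "${seg}" in path "${path}"`);
      }
      const idx = Number(seg);
      if (last) node[idx] = value;
      else if (idx === node.length) node[idx] = fresh();
      node = node[idx];
    } else {
      // Own-property test: inherited members are never treated as config data.
      const own = Object.prototype.hasOwnProperty.call(node, seg);
      if (last) node[seg] = value;
      else if (!own) node[seg] = fresh();
      node = node[seg];
    }
  }
  return copy;
}
```

Rejecting a malformed path outright, rather than silently dropping empty segments, keeps an agent-supplied typo from writing to a different key than the one requested.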
